wait, my email is no longer encrypted?
You may remember a few years ago when Google changed Gmail to always use a secure https connection. that means it uses standard transport layer security (tls) for encryption. this is good, but it is the minimum. all websites must use https (opens in a new window).
currently, google says it doesn’t read your mail. however, it is easy to accidentally grant third-party apps read mail permission. And Google reads your messages enough to do things like automatically put airline flight notifications on your calendar. Google also has a policy that explains when it will hand over your email to government entities, a policy that clearly states that you can do so if forced to.
apple mail supports full encryption and digital signatures. To enable these features, you must obtain a security certificate. There used to be quite a few free certificate sources, but the list is shrinking. We use a third party service to obtain a certificate for testing. With the certificate installed in your keychain, your emails are digitally signed by default. and if all recipients of a message also have certificates, you can click the lock icon to send the encrypted message.
A quick survey of my colleagues at pcmag showed exactly that no one had installed an email security certificate, and this is a technically minded bunch. I’d expect even fewer ordinary consumers to have encryption enabled for their apple mail… except you can’t go below zero.
In any case, apple has had some problems with encryption. In 2019, researchers discovered unencrypted copies of secure emails in the database that Siri uses to serve you better. I think we can agree that siri doesn’t need to read our encrypted emails.
The point here is that your email provider’s goals are not focused on security and privacy. If you really want to protect your emails from prying eyes, look for a third-party company that puts security first.
what is the best free email encryption service?
Maybe you’re convinced that encrypting your email is a good thing, but convinced enough to pay for it with your hard-earned money? don’t worry: you don’t have to pay.
preveil and virtru are totally free. both are consumer-focused stripped down editions of enterprise-grade products. their “big brother” products bring the cash. skiff gives you encrypted email, secure file storage and sharing, and private collaboration, all free of charge.
You don’t have to pay for securemyemail if you use it to encrypt a single gmail, yahoo, or microsoft account, and there are no limits on features. a paid account allows you to protect multiple accounts, up to eight, and also adds support for other email providers. Signing up for a free account or a 30-day trial of the paid service doesn’t require a credit card or any personal information beyond your email address.
On the free tier, tutanota allows you to send and receive unlimited messages that are fully encrypted using open source technology. you even get a secure calendar to accompany your secure inbox. upgrading to the affordable premium edition lets you create multiple calendars, define up to five aliases (alternate emails), and set filter rules to handle incoming messages.
You can also use protonmail and private-mail for free, but you must accept certain limitations. savvy consumers will set up a free account and see if the limitations bother. if they do, conversion to a paid account is simple. startmail is the only product covered here that doesn’t have a free tier, though it does offer a 7-day free trial.
Do I have to change my email address for encryption?
For one thing, starting over with an email address you’ve never seen before can be liberating. knows that the new address has not been spread on the dark web or taken over by data aggregators. otherwise, you must notify all of your contacts that your address has changed and reconfigure all of your online accounts to use the new address.
protonmail, private-mail, skiff, startmail and tutanota require you to change to a new email address. as with any other webmail system, it must be unique within the system. but since these services don’t have the millions or even billions of users that gmail or yahoo have, you might be able to get your own name without tagging a bunch of numbers or other characters. Wouldn’t you rather have an [email protected] address than an [email protected]?
with preveil, securemyemail and virtru, you keep your existing email. in fact, virtru requires you to use a gmail address. preveil doesn’t limit you to any specific email provider. Integrates with Gmail and Outlook on Windows and Apple Mail on Mac, and with the native Mail app on your mobile devices. also, securemyemail can handle accounts from any email provider that supports imap.
who can I send an encrypted email to?
encrypting your messages is useless unless the recipient can decrypt them. different products handle that end of the equation in a variety of ways.
The recipient of a preveil message must install preveil to read it, period. but since the product is free and easy to install, that’s not much of a limitation. your communication is protected with military-grade encryption, but you don’t have to remember passwords or do anything other than choose to encrypt the message.
skiff is also free, but it’s up to you to evangelize and get your contacts to try it out. messages between skiff users are encrypted end-to-end, while messages outside the network are only encrypted between you and the skiff servers.
virtru also manages encryption keys out of your sight. the recipient of a virtru message clicks a link to view and reply to the message in a browser window, without the need to install virtru.
When you send a message to someone outside of the tutanota network, the recipient receives a notification with a link, just like with virtru. you must transmit a password to the recipient by some means other than email. the link opens what is effectively a simplified tutanota, with the ability to send secure responses but not much else.
startmail, private-mail, and protonmail use an encryption system called pretty good privacy (pgp) to protect messages between users of their respective services. That means they can also exchange encrypted mail with users of other pgp-compliant email systems. however, setting up the key exchange required to enable third-party pgp messaging can be difficult.
Those same three products also include a provision to communicate securely with those who don’t use the service and don’t have a pgp key. although the implementations differ, the general method is the same. encrypt your message with a password and transmit the password to the recipient via text message, phone call, or other non-email communication.
When you send mail outside the network from securemyemail, it automatically generates keys and sets the message to expire after 30 days. after authentication, the recipient sees the message on a web page, with the option to reply securely. you can choose to shorten the expiration time or add a password for protection. securemyemail can also import existing pgp keys and has no problem with a mix of on and off network recipients of the same message.
how does encryption protect my email?
Use of pgp encryption requires that you enter the pgp passphrase for your encryption key. when you send non-pgp encrypted messages, each can have its own password. preveil and virtru do not require a password: your possession of a trusted device is sufficient for basic authentication. and yes, you can revoke trust for a lost device.
tutanota encrypts everything, including message headers, subject lines, and contacts. You use a password to log into your account, so make it secure. As stated, communicating with contacts who don’t already use Tutanota requires you to create a password for each contact and transmit it through some channel other than email. tutanota securely stores that password along with the contact record.
Whether basic authentication is based on a password or a trusted device, you can increase security by enabling multi-factor authentication, where available. protonmail, private-mail, skiff, startmail, and tutanota support multi-factor authentication using google authenticator or any other similar device that can provide a standard time-based one-time password (totp).
tutanota also supports authentication using yubikey or another u2f (universal second factor) authentication key. you can register multiple keys and even use u2f in conjunction with a totp application. if you don’t have your u2f key handy, authentication goes to the totp app.
with preveil, you need access to a trusted device (something you have), your email account password (something you know), and whatever authentication method you use to open the trusted device, usually a passcode access or a biometric system. it’s a form of multi-factor authentication, though not the traditional kind of password plus totp.
what else do I get with email encryption services?
As noted, with some services you start fresh with a new email address. but once you start using that address, once many different merchants and websites have it, it won’t stay flawless. that is, unless you never tell anyone your email address.
How can you send an email without revealing your address? By using a disposable email address (DEA) service, here’s how. this service generates a unique dea every time you need to give your address. messages to that dea appear in your usual inbox, and replies seem to come from the dea. and if one of your desas starts getting spam or other problems, you can simply delete it.
private-mail can manage desas, but is quite limited compared to dedicated desas utilities like burner mail and manyme. email aliases in skiff and tutanota are even more limited, as you only get a handful and you can’t change them after creation. startmail used to suffer from similar limitations, but today it offers full data management along with its email encryption. abine blur goes beyond mere offers, allowing you to shop while hiding not only your real email address, but also your credit card number and phone number.
With most of these services, you can securely share a file by attaching it to an encrypted message; private-mail is the exception, as it only supports plain text. it makes up for that lack by giving you encrypted cloud storage, along with the ability to securely share files from your encrypted storage. preveil also offers cloud storage with secure sharing, and has a variety of options for what recipients can do, from editing and re-sharing to simply looking at the data in a viewer window. a similar protonmail feature is now in beta, available to all users.
skiff offers collaboration at scale, with simultaneous editing and end-to-end encryption. you can also use skiff to share files securely.
You can set protonmail and virtru messages to expire after a specified time. private-mail and protonmail allow you to set up an away message when you won’t have access to email. these two also include the ability to define filter rules. As noted, securemyemail’s out-of-network messages automatically expire in no more than 30 days, but there is no expiration option for in-network messages.
As stated, you get a secure calendar with the free edition of tutanota, which syncs across all your devices. paying a premium account allows you to create multiple calendars. protonmail’s associated protoncalendar is also available in the free tier. private-mail also offers a calendar function. however, in testing, the private mail system for synchronizing that calendar proved too complex for the average user.
what is the best email encryption?
As you can see, all of these products have their strengths and each offers a different set of features. For its weapons-grade encryption, ease of use, and low price (free!), preveil is a top pick and an Editors’ Choice winner. Combining easy encrypted email skiff with equally secure collaboration and file sharing makes it the choice of other publishers. when it comes to the connection, your choice may come down to whether you want to keep your existing email with preveil or accept a new, secure email from skiff.
While you’re thinking about security, you should read our roundup of the best encryption software to protect the data on your drives.