
What Is Email Encryption?

Email Encryption Definition

Email encryption is an authentication process that prevents messages from being read by an unintended or unauthorized individual. It scrambles the original message and converts it into an unreadable, undecipherable format. Email encryption is necessary whenever sensitive information is shared via email.

Hackers use email to target victims and steal data such as names, addresses, and login credentials, which they then use for crimes like identity theft and identity fraud. Furthermore, most email is encrypted only while it is in transit; the messages themselves are stored in clear text, so their content is readable by the email provider. Popular free-to-use email services typically do not provide end-to-end encryption, which means hackers can intercept sent messages.

Email encryption solutions use public-key cryptography and digital signature mechanisms to encrypt email messages. This process ensures email security and guarantees only the intended recipient can open the email.

How Does Email Encryption Work?

Email encryption services transform a plaintext email message into a scrambled ciphertext format. This works through public-key infrastructure, which ensures that even if a cyber criminal manages to intercept a sent message, they will not be able to read it.

With public-key cryptography, a user publishes a public key that other people use to encrypt the email messages they send to that user. The user also holds a private key that only they can use to decrypt the messages they receive. The private key is also what allows the user to digitally sign the messages they send.

Email Encryption Architecture

Email encryption solutions do not typically follow a standard architecture but rely on gateway software that enables the enforcement of policy-based encryption. This enables organizations to implement policies that define which emails need to be encrypted and in what circumstances messages should be encrypted. For example, organizations will typically specify that any email message containing personally identifiable information (PII), financial data, or other sensitive information sent by any user be encrypted.
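The policy check a gateway runs before deciding whether a message must be encrypted, as an added example that is not part of the original page or of any vendor's product. The messages, the regular expressions and the policy tag names are constructed for the illustration; a real gateway would also inspect non-text attachments.

```python
import re
from email import message_from_string

# Constructed sample messages (not from the page); addresses are fictitious.
PLAIN_MSG = """Subject: Lunch tomorrow?

Noon at the usual place works for me.
"""

SENSITIVE_MSG = """Subject: Contractor onboarding

Please set up direct deposit for card 4111 1111 1111 1111, SSN 123-45-6789.
"""

# Hypothetical policy patterns: a US SSN layout and a 13-16 digit run with optional separators.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def message_text(raw: str) -> str:
    """Subject plus every text/* part of the message (binary attachments are skipped here)."""
    msg = message_from_string(raw)
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def classify(raw: str) -> list:
    """Return the policy tags that fire; a non-empty list means the gateway must encrypt."""
    text = message_text(raw)
    tags = []
    if SSN_RE.search(text):
        tags.append("pii:ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            tags.append("financial:card")
            break
    return tags

def must_encrypt(raw: str) -> bool:
    return bool(classify(raw))
```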

Some email encryption software takes the form of a client installed on users’ computers, laptops, or mobile devices. Such a client can apply policy-based encryption to specific email messages, let users choose which emails to encrypt, or combine both approaches. Other email encryption solutions focus on protecting the device rather than the email gateway, addressing threats that originate on local networks.

Increasingly, users no longer need to install email encryption software on their devices at all. Instead, they access web-based interfaces that decrypt and display encrypted messages. These solutions are either hosted privately by the organization or, more and more often, delivered as a cloud-based service by an email encryption vendor.

Types of Email Encryption

Email encryption software typically relies on one of three encryption formats:

Pretty Good Privacy (PGP)

PGP is a security program that encrypts and decrypts email messages using digital signatures and file encryption techniques. The software was released in 1991 and was one of the first free, publicly available public-key cryptography solutions. PGP is now widely used to protect people and organizations, providing cryptographic authentication and privacy to secure online communication such as email and text messaging.

PGP combines data compression, symmetric and asymmetric key cryptography, and hashing to protect data in motion. It also offers its own take on the public key infrastructure (PKI) approach. When a user sends a message encrypted with the recipient's public key, only the recipient can decrypt it, by unlocking it with their private key.

Secure/Multipurpose Internet Mail Extensions (S/MIME)

S/MIME is an Internet Engineering Task Force (IETF) standard for public-key encryption and digital signatures in email. It was developed by RSA Data Security and is now built into most modern email software. S/MIME provides functionality similar to PGP, but it requires users to obtain their keys from a Certificate Authority (CA).

Transport Layer Security (TLS)

TLS is a cryptographic protocol that succeeded Secure Sockets Layer (SSL). Also an IETF standard, TLS was first introduced in 1999 and built on the original SSL specifications. It enables messages to pass securely over a computer network and is commonly used for email and other communication formats such as instant messaging and Voice over Internet Protocol (VoIP).

TLS aims to ensure data integrity and privacy between communicating applications. It runs in the application layer and comprises the TLS record and TLS handshake protocols.

A common way of applying TLS to email is STARTTLS, a command that upgrades a plaintext connection to an encrypted one. STARTTLS requests encryption while emails are in transit, which means neither the sender nor the recipient needs to take any action to view the message. This approach is effective against passive monitoring, but it can leave organizations open to other threats, such as man-in-the-middle (MITM) attacks.
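The opportunistic upgrade described above, and the way a log monitor can tell a successful upgrade from a session in which the STARTTLS capability was absent and mail went out in cleartext, as an added example that is not part of the original page. Both transcripts are constructed, and the hostnames, addresses and verdict labels are assumptions for the illustration.

```python
# Constructed SMTP transcripts (not captured from any real server): "C:" is the sending
# MTA, "S:" the receiving MTA. Everything after a successful STARTTLS is encrypted.
NORMAL_SESSION = """\
S: 220 mx.example.test ESMTP
C: EHLO mail.sender.test
S: 250-mx.example.test
S: 250-STARTTLS
S: 250 8BITMIME
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
"""

# Same peer, but STARTTLS is missing from the EHLO reply and the client sends in cleartext.
STRIPPED_SESSION = """\
S: 220 mx.example.test ESMTP
C: EHLO mail.sender.test
S: 250-mx.example.test
S: 250 8BITMIME
C: MAIL FROM:<alice@sender.test>
C: RCPT TO:<bob@example.test>
"""

def analyze_session(transcript: str) -> dict:
    # Walk the cleartext part of an SMTP session and record how the STARTTLS upgrade went.
    state = {"starttls_offered": False, "tls_established": False, "cleartext_mail": False}
    awaiting_tls_reply = False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "S":
            code, sep, rest = text[:3], text[3:4], text[4:]
            if code == "250" and sep in ("-", " ") and rest.upper().startswith("STARTTLS"):
                state["starttls_offered"] = True
            elif awaiting_tls_reply:
                state["tls_established"] = code == "220"   # any other reply: upgrade refused
                awaiting_tls_reply = False
        elif side == "C":
            verb = text.split(" ", 1)[0].upper()            # "MAIL FROM:<..>" -> "MAIL"
            if verb == "STARTTLS":
                awaiting_tls_reply = True
            elif verb in ("MAIL", "RCPT", "DATA") and not state["tls_established"]:
                state["cleartext_mail"] = True
    return state

def verdict(transcript: str) -> str:
    # Label a mail-log monitor could alert on; "incomplete" means no mail was sent yet.
    s = analyze_session(transcript)
    if s["tls_established"]:
        return "encrypted"
    if not s["cleartext_mail"]:
        return "incomplete"
    return "cleartext-starttls-ignored" if s["starttls_offered"] else "cleartext-no-starttls-offered"
```

A "cleartext-no-starttls-offered" verdict for a peer that normally advertises STARTTLS is what the downgrade warned about above looks like in the logs; the defence is to require TLS for that peer instead of accepting the opportunistic fallback.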

Enterprise Email Encryption: How It Protects Your Organization

Protocols like TLS do not typically protect email by default, which means messages can be transmitted in plaintext if email encryption is not applied. This leaves email messages, including their content and attachments, open to being intercepted, read, and stolen as they travel from sender to recipient, a risk that becomes even more serious when users share sensitive information via unencrypted email.

Furthermore, a hacker can infect a user’s machine with malware, enabling them to intercept future messages and exfiltrate further sensitive information from corporate networks.

Organizations therefore need to carry out an email risk assessment and deploy enterprise email encryption that secures all outgoing and incoming email communication. This enables users to encrypt every message they send—or at least all emails containing sensitive information or attachments—and recipients to decrypt the messages they receive.

Email encryption has traditionally been difficult for end users because of the challenges of cryptographic key management. It is now much easier for users to learn how to send encrypted email without time-consuming training.

Who Should Use Email Encryption?

Email encryption solutions are ideal for organizations that host their own email services. Any enterprise that transmits sensitive information is at significant risk of a cyberattack or data breach if it sends unsecured email messages. Paying for an email encryption service is therefore far more cost-effective than absorbing the financial and reputational damage that results from a breach.

Organizations that hold highly sensitive data or are subject to stringent regulatory compliance standards must deploy the best email encryption to protect their incoming and outgoing communications.

How Fortinet Can Help

Fortinet helps organizations secure all their email communications with industry-leading email security solutions. Fortinet FortiMail is an email gateway solution that protects user inboxes, detects and prevents incoming and outgoing email traffic threats, and enforces policies to protect data and ensure compliance. The solution is simple to use, does not force users to install additional hardware and software, and does not require user provisioning.

FortiMail is compatible with popular cloud and on-premises infrastructures and provides antispam and antivirus capabilities to prevent email-borne threats. It uses a multi-layered email security approach that enables organizations to identify and block malware, phishing attempts, and spam, and it strengthens defenses against advanced attack vectors such as business email compromise (BEC), spoofing, and whaling.

FortiMail also offers identity-based encryption (IBE), a public-key cryptography format that generates public keys from unique user information. Fortinet IBE is crucial to delivering policy-based encryption. FortiMail is one of the few products to provide both push and pull IBE, which means encrypted messages can be delivered to users directly or retrieved from the platform itself.

The FortiMail solution is supported by FortiGuard Labs, which provides industry-leading intelligence into real-time threats and global traffic patterns to prevent the latest security attacks.