This is the Trace Id: 9381ed3a4e0d3633250b21e3fd76bf95
Skip to main content
Microsoft Security
A man sitting down working on his laptop.

What is email encryption?

Email encryption using Microsoft Purview Information Protection masks the contents of your messages to prevent bad actors from intercepting sensitive data.
Learn more

Email encryption defined

Email encryption is a security measure that encodes an email message so that only the intended recipients can read it. Encrypting, or obscuring, emails is a process designed to keep cybercriminals—especially identity thieves—from getting hold of valuable information that they can use for monetary gain.

It's common to use email to send sensitive or confidential information that could be exploited by thieves. When an email is in transit to your recipient, it can be intercepted by malicious actors looking for data such as:
 

  • Names, addresses, and other personally identifiable information (PII).
  • Financial account numbers and other data.
  • Customer or employee information.
  • Login credentials.
  • Legal contracts.
  • Intellectual property.
  • Patient health information.

Using encryption for email security ensures that only the authorized recipient can decode and consume messages containing sensitive information. If a bad actor were to intercept an encrypted message, they would open it only to find scrambled, unreadable text inside. Email encryption is an important way to protect your data because gaining access to confidential information through email is a primary tactic of cybercriminals.

How email encryption works

Basic email encryption involves an exchange of encryption keys that are generated by mathematical algorithms called one-way functions. Each encoded communication uses a paired public key, available to anyone on the internet, and a private key, known only to the recipient. This kind of email encryption system is called public key infrastructure, or PKI.

In a PKI model, an encrypted email’s journey typically works like this:

  • A message is sent using a public key, which transforms the contents from a readable format, or plaintext, into a scrambled format, or ciphertext.
  • The message remains in cyphertext while it’s in transit from server to server over the internet.
  • When the email gets to its destination, the intended recipient decrypts the ciphertext email back into plaintext using a unique private key.

The recipient’s machine will use the private key to decrypt the message unless the recipient has an enterprise-grade email encryption service. In that case, a central server may decrypt the message on behalf of the recipient after validating their identity.

Email encryption by itself doesn’t prevent malicious parties from intercepting messages. Without the private key, however, the data inside will appear jumbled and unreadable to the unauthorized person.

It’s possible to have multiple layers of encryption in place at the same time. For example, encrypting the communication channels through which your email flows will provide even better protection than email encryption alone.

The benefits of using email encryption

Email is such a common way to communicate that it’s easy to forget how incredibly vulnerable it is. Hackers who surveil or steal PII from your email traffic can not only gain access to information related to your business and employees, but to customer data as well.

Email encryption services can block a significant avenue of attack for cybercriminals and protect the privacy of those who have entrusted you with their sensitive information. Avoiding security breaches and building customer trust protects both your bottom line and your reputation.

Using email encryption will also keep you compliant with legal and industry regulations. Compliance guidelines vary based on where in the world your business operates. But no matter what industry you are in or where you do business, you’re likely to handle a combination of PII, financial data, transaction data, or even sensitive patient health information that is regulated. Protecting this data is the law in many countries based on applicable privacy regulations. And many compliance guidelines strictly require that emails containing sensitive data are encrypted.

Another way email encryption can protect you is that it helps employees identify which emails are genuine and which are phishing or spam schemes. An email encryption service that includes digital signing gives an extra layer of proof that an email comes from an authentic sender, lessening the risk that your system is infected through routine employee communications.

Types of email encryption

There are several different protocols email encryption services can use to protect sensitive information in transit.

Pretty Good Privacy (PGP)

PGP has been around since the 1990s and was the first free encryption software available. It uses both asymmetric cryptography, or public/private key pairs, and symmetric cryptography, in which the same key is used for both encryption and decryption. It also uses hashing and data compression to achieve a level of encryption that is more secure than its “pretty good” name might suggest. Its main drawback is that it isn’t always easy to use.

Secure Sockets Layer (SSL)

SSL is an encryption protocol first developed in 1995. It’s the predecessor of the modern Transport Layer Security (TLS) encryption used today. SSL initiates an authentication process called a handshake between two communicating devices to ensure their identities. SSL also digitally signs data to provide data integrity, verifying that it has not been tampered with in transit. There were several iterations of SSL over the years before it was updated to become TLS.

Transport Layer Security

TLS is a widely adopted security protocol for email encryption. It was initially proposed by the Internet Engineering Task Force, an international standards organization. Built on SSL, it’s an updated version that protects more thoroughly against eavesdropping, tampering, and message forgery. Some TLS-based encryption services include STARTTLS, a command issued between an email program and a server that encrypts emails in transit and decrypts them on arrival, which means the recipient doesn’t need to take any special action to read the message.

Advanced Encryption Standard (AES)

AES is a symmetric encryption protocol that the U.S. and other governments use to safeguard classified information. It’s also the encryption method of choice for financial institutions. Its cyphers rely on exceptionally long keys, making them difficult to hack. AES is complicated to use but the right email encryption service can do most of the work for you. It’s one of the world’s most frequently used free, open-source encryption software.

Secure/Multipurpose Internet Mail Extensions

Secure/Multipurpose Internet Mail Extensions (S/MIME) is a certificate-based encryption solution that allows you to both encrypt and digitally sign a message. To use S/MIME, you must have public keys on file for each recipient. Recipients have to maintain their own private keys, which must remain secure. If a recipient's private keys are compromised, the recipient needs to get a new private key and redistribute public keys to all potential senders.

Choosing an email encryption service

When you choose an email encryption service, consider your broader cybersecurity needs, the compliance requirements in your industry, and the size of your organization. Your employees may only deal with sensitive information a few times a day—or perhaps all your emails are highly sensitive and subject to complex regulations.

First, look at the available features within the email platforms you already use. You may have a certain level of encryption available by default, and it may only take a modest subscription upgrade or a plug-in to meet or exceed your privacy requirements. Building on tools that are already familiar to your employees has the advantage of reducing your training needs.

Second, consider ease of use. Try to find a cost-effective way to encrypt emails that doesn’t involve having employees logging in to a portal to read encrypted messages or follow complicated steps to attach files to an email.

Last, consider the size of your company. Larger organizations are best served by an enterprise-level encryption solution that provides end-to-end email protection. Enterprise-grade communication, collaboration, and security platforms sometimes have advanced message encryption included. These types of solutions can automate much of the encryption process for admins and users alike.

Some enterprise-grade solutions can fortify your email security posture by automatically encrypting sensitive emails. They may also send and request digital signatures to thoroughly verify identity or offer users advanced options such as prohibiting the forwarding, printing, or copy/pasting of emails.

Protect against email threats

Choosing an email encryption service is an important way to improve your overall security posture. Start by reviewing the types of email encryption available to you, the security needs of your organization, and what email protections can integrate with the platforms and solutions you already use. Consider how your needs can be met by:
A woman is looking at the tab.

Understand email threats

Read about cyberattacks that target email—and how to stop them.
Learn more
A person holding a phone and using a laptop while sitting on a bench.

Strengthen password protection

Find out about password spray attacks and strategies to avoid them.
Learn more
A close-up of hands typing on a keyboard.

Shield against email breaches

Learn email best practices to protect against business email compromise and phishing attacks.
Read the blog
A man holding a phone.

Microsoft Purview Message Encryption

Explore the email encryption capabilities already included in Microsoft 365.
Learn more
Back to Related products section
FAQ

Frequently asked questions

  • Email encryption is used to encode messages containing sensitive information so it can’t be intercepted by malicious actors. An encrypted email will appear scrambled and undecipherable to anyone other than the intended recipient.
  • Emails are not protected by encryption unless you have an email encryption service and deliberately use it. Your email provider might furnish some level of protection, and some productivity solutions have encryption capabilities built in.
  • Hacking encrypted emails is extremely difficult and time consuming, requiring advanced expertise on the part of the hacker. Certain email encryption protocols make it virtually impossible. Encrypting dramatically reduces the likelihood that a hacker will try to access information from your emails.
  • Email encryption with AES or S/MIME are both exceptionally safe. The safest practice is to encrypt data both in transit and at rest—that is, when it’s stored on your email platform—and to encrypt the connection itself.
  • Encryption gives a very high level of protection against hackers. Email encryption ensures that hackers who intercept a message will be forced to spend a great deal of time to glean any information other than the sender, the recipient, and the send time—making it likely they will give up and turn their attention to an easier target.

Follow Microsoft Security