Email is the most widely used form of digital communication in the world, yet one of the least secure. By default, emails travel across the internet in plain text, readable by many intermediaries. Here's how to change that.

Why Standard Email Isn't Secure

An ordinary email is like a postcard: anyone who handles it along the way can read it. Here is what the intermediaries between you and your recipient can see:

Your email provider (Gmail, Outlook, Yahoo) can read the content of all your emails. Gmail analyzes your email content to personalize ads. Outlook can be compelled to hand over your emails to US authorities (CLOUD Act).

Your network: on an unsecured public WiFi, an attacker can intercept your communications if they aren't encrypted.

Relay servers: an email often passes through multiple servers between sender and recipient. Each server is a potential interception point.

Email Encryption Solutions

S/MIME and PGP: "Classic" End-to-End Encryption

These two standards enable end-to-end email encryption. The principle: each user has a key pair (public and private). You encrypt an email with the recipient's public key. Only the recipient, with their private key, can decrypt it.

Advantages: open standard, compatible with most email clients. Disadvantages: complex setup, the recipient must also use PGP/S/MIME, key management can be tricky.

How to get started with PGP: use Thunderbird, which has had OpenPGP support built in since version 78, for encrypted desktop email.

ProtonMail: The Simple and Secure Solution

ProtonMail is the benchmark for consumer encrypted email. Created in Geneva by CERN researchers, it offers:

  • Automatic end-to-end encryption between Proton users
  • Encryption at rest for all emails
  • Swiss hosting under Swiss law
  • Simple interface, similar to Gmail
  • Free plan available

Between two ProtonMail users, encryption is transparent and automatic. To send an encrypted message to a non-Proton user, you can protect it with a password that you have agreed on with the recipient beforehand.

Tutanota: Open Source Alternative

Tutanota offers an approach similar to ProtonMail, with end-to-end encryption. It is based in Germany, is open source, and is particularly privacy-conscious.

Best Practices for Everyone

Even if you don't adopt a complete encryption solution, here are the minimum measures to apply:

Enable two-factor authentication on your email account. It is the most effective protection against account takeover.

Use a strong, unique password for your email. Your email is the key to all your other accounts (password recovery).

Be wary of phishing emails: see our anti-phishing guide.

Never send sensitive information via standard email: passwords, credit card numbers, medical data.

Encrypt sensitive attachments before sending: use GnuPG or a secure file-sharing service.
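The public-key principle described under PGP above, applied to an attachment with GnuPG. This is an added example, not part of the original article: it generates a constructed recipient key in a throwaway keyring so that it runs offline, and it keeps sender and recipient in the same keyring for brevity; in real use you would import the recipient's published public key instead.

```shell
#!/bin/sh
# Added example: encrypt a sensitive attachment with GnuPG before attaching it to
# an ordinary email. Everything lives in a temporary GNUPGHOME so nothing touches
# your real keyring. The recipient identity below is constructed for the demo.
set -eu

# Encrypt file $1 for recipient $2 (key id or email address), writing $3.
# With a key you imported yourself, first verify its fingerprint with the
# recipient out of band and run `gpg --lsign-key` so gpg trusts it.
encrypt_attachment() {
  gpg --batch --yes --quiet --recipient "$2" --output "$3" --encrypt "$1"
}

# Decrypt $1 with the private key held in this keyring, writing plaintext to $2.
decrypt_attachment() {
  gpg --batch --yes --quiet --output "$2" --decrypt "$1"
}

# Runs the whole flow and prints the recovered plaintext.
demo() {
  work=$(mktemp -d)
  export GNUPGHOME="$work/gnupghome"
  mkdir -m 700 "$GNUPGHOME"

  # Constructed recipient key. An empty passphrase is acceptable only because
  # this key is thrown away at the end; a real private key must be protected.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Example Recipient <recipient@example.invalid>' default default never

  # The sender only ever needs this public part; it is safe to publish.
  gpg --batch --quiet --armor --export recipient@example.invalid > "$work/recipient.asc"

  printf 'medical report: constructed sample\n' > "$work/report.txt"
  encrypt_attachment "$work/report.txt" recipient@example.invalid "$work/report.txt.gpg"

  # The .gpg file is what you attach; it must not contain the readable text.
  if grep -q 'medical report' "$work/report.txt.gpg"; then
    echo 'plaintext leaked into ciphertext' >&2
    return 1
  fi

  decrypt_attachment "$work/report.txt.gpg" "$work/recovered.txt"
  cat "$work/recovered.txt"

  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
}
```

Run `demo` to see the round trip; only the holder of the recipient's private key can open the `.gpg` attachment, whatever mail servers it crosses.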

Email and Digital Legacy: A Central Role

Your primary email address is the master key to your entire digital life. If your loved ones access it after your death, they can reset passwords for most of your other accounts.

That's why access to your email is one of the most important pieces of information to include in your digital will or in your EchoPass messages.

Secure access to your primary email will allow your loved ones to:

  • Recover access to your other accounts
  • Access your communication history if necessary
  • Manage incoming emails (subscriptions, bills, notifications)
  • Notify your contacts of your death

Include in the information you transmit via EchoPass:

  • Email address and password
  • 2FA recovery code
  • Instructions on what you want your loved ones to do with your email

Prepare your digital legacy with EchoPass.