Email was invented in 1971 and has changed very little since then. In that time, it’s managed to become a major security risk to individuals, governments, and private companies around the world. This might explain the rising popularity of so-called “secure email” providers.
So what exactly makes secure email different from regular email?
What Is Secure, Encrypted Email?
Secure email is essentially regular email with a few security enhancements on top. The technology behind the scenes is ultimately the same, which means that you already know how to use a secure email provider. You still send messages to named addresses with an @ and a domain, and you still get plenty of spam.
There’s no dictionary definition of the term, so anyone can call themselves a secure email provider, and most major email providers like Gmail and Outlook would also consider themselves “secure” despite falling short of the mark.
Most providers who use the term to describe their service go much further than requiring a strong password or using two-factor authentication. Security, in this sense, isn’t only about stopping someone from gaining access to your account, it’s also about keeping your data and identity safe.
A truly secure email provider is unable to read your email conversations. They should ideally be located in a jurisdiction that’s not subject to data sharing between intelligence agencies. The technology itself would ideally be built on open standards for a “crowdsourced” approach to security. The service shouldn’t profile you, serve personalized ads, or log metadata.
This is why Gmail, Outlook, Yahoo, and most other free, mainstream email providers are not regarded as being truly secure. A secure email provider is “better” than Gmail in terms of data security, but you will miss out on Google’s features and deep integrations. Let your priorities decide which is the better option.
How Do Secure Email Providers Protect You?
End-to-end encryption is essential in building a truly secure email system. Services like Gmail encrypt the connection between your computer and the server, but anything you send over that connection (including the contents of your messages) is decrypted on arrival, so the server can read it.
Any private conversations (or state secrets) you’re discussing will sit on Google’s servers in a readable format. If that data is stolen, for example, in a data leak, it doesn’t need to be decrypted before it can be read. A secure provider stores your messages in an encrypted form that it cannot decrypt itself, making them useless to any third party.
The lack of end-to-end encryption means that email providers can access the contents of your messages, and they’ve used this access in the past. Google previously scanned the contents of Gmail messages for advertising purposes but stopped the practice in 2017. The company continued scanning email to power services like (the now-defunct) Google Now. How else will Google’s assistant be able to remind you about the trip you’ve got coming up?
Where those servers are located could also impact how that data is treated. As is the case with VPNs, the most secure email services are usually located in remote or historically neutral countries. ProtonMail, for example, is located in Switzerland, where privacy laws are notoriously strict.
Email services located in the United States can be challenged in court to hand over data. The United States is a part of the Five Eyes intelligence alliance, alongside Australia, Canada, the United Kingdom, and New Zealand. Data is routinely passed between different authorities in different jurisdictions under the guise of national security.
The kind of data that is logged alongside your email can also say a lot about you. Metadata is essentially “data about data,” like the timestamps on an email or the user agent “signature” left by the browser you are using. You don’t consciously create metadata, but it serves as a paper trail for almost anything you do online.
Secure email services will be sure to strip as much metadata out of the email being sent as possible. This makes it harder to trace the origin of a message and further protects the identity of the person sending it.
Some secure email providers also integrate tools like Pretty Good Privacy (or PGP for short) into their interfaces. PGP lets you “lock” the contents of a message so that it can only be read by someone with the correct private key. When set up correctly, the message looks normal to its intended recipient: legible plain text. If someone without the key were to intercept the message, it would look like gibberish.
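As an added illustration (not code from this article or from any provider it names), the Go program below shows the hybrid public-key scheme that PGP-style end-to-end encryption relies on: the sender’s device encrypts the body with a fresh AES key, wraps that key to the recipient’s RSA public key, and the server only ever stores the resulting ciphertext. It is a simplified stand-in for the idea, not PGP’s actual message format, and the names SealedMail, Encrypt, Decrypt and mustGCM are this example’s own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SealedMail is all the mail server ever stores; none of it is readable without the recipient's private key.
type SealedMail struct {
	WrappedKey []byte // random AES key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce
	Body       []byte // AES-GCM ciphertext of the message text
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // cannot fail for a 32-byte key
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Encrypt runs on the sender's device: hybrid encryption as PGP does it (AES for the body, RSA for the AES key).
func Encrypt(pub *rsa.PublicKey, plaintext string) (*SealedMail, error) {
	buf := make([]byte, 32+12) // 256-bit AES key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	body := mustGCM(key).Seal(nil, nonce, []byte(plaintext), nil)
	return &SealedMail{WrappedKey: wrapped, Nonce: nonce, Body: body}, nil
}

// Decrypt runs only on the recipient's device, the one place the private key lives.
func Decrypt(priv *rsa.PrivateKey, m *SealedMail) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, m.WrappedKey, nil)
	if err != nil {
		return "", err
	}
	body, err := mustGCM(key).Open(nil, m.Nonce, m.Body, nil)
	return string(body), err
}
```

Decrypting with any other private key, or after the stored ciphertext has been altered, returns an error rather than garbage, which is what makes a copy of the server’s data worthless to a thief.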
Finally, there’s an argument to be made for building security-focused products on open-source software. Source code that has been released to the public can be put to the test in a way that closed source code cannot.
Which Secure Email Service Is the Best?
There is no one-size-fits-all approach to secure email. There are many different providers, all offering differing levels of security at a variety of price points. Budget is something you will likely have to consider since most services do not offer a generous free option like Gmail or Outlook.com.
ProtonMail (free account available) is one of the best-known encrypted providers, and one of the most mature. Data is encrypted on servers located in Switzerland, with the company conducting audits to ensure that users can trust its protections. The service is built on open-source technology, and there’s a dedicated mobile app for iPhone and Android (but no support for default mail apps, unfortunately).
Tutanota (free account available) is another highly recommended secure email provider, with a feature set (and auditing) that’s similar to ProtonMail. Servers are located in Germany (the company has explained why), and the service is built on many open-source foundations. There’s a similar caveat with mobile access in that you need to use a dedicated app to decrypt your email.
Posteo (no free accounts) is also located in Germany and has made a bit of a name for itself for being a cheaper alternative to both ProtonMail and Tutanota. Everything is encrypted end-to-end, with support for PGP implementation to provide additional peace of mind. There’s also no need for a name, backup email, or other identifying information to create an account.
There are many other secure email providers to choose from (way too many to list here), including Mailfence, mailbox.org, Fastmail, and CounterMail. You should give some serious thought to the secure email service you choose, just as you would if you were picking a VPN.
It’s best to choose an established provider with a solid track record given the nature of this kind of service. One such Iceland-based provider, called UnSeen, disappeared without a trace in late 2020, only to reappear with a Taiwanese domain name, which has led to all sorts of speculation and distrust.
Do You Need a Secure Email Provider?
If you need a secure email provider, you probably already know it. Maybe you’re a journalist and are worried about subpoenas exposing sources and private materials. Maybe you’re the next Edward Snowden.
For most people, a secure email provider probably isn’t necessary. It will provide peace of mind at the cost of some features, convenience, and money. Your email provider won’t be able to see the contents of your messages, and it will be easier to communicate with other people using end-to-end encryption. (You could, of course, just use Signal to communicate with end-to-end encryption, too.) Whether that’s worth it is up to you.
But if your primary motivation is security, understand that you’re more likely to fall victim to social engineering attacks than email data breaches.