IT Blog


Email Encryption – in a nutshell

What and Why?

Encryption is the transformation of something (usually plain text) into some sort of unreadable code.

Decryption is the opposite. Take that unreadable code and turn it back into a plain text that you can read.

The Why seems obvious, but let’s just say that in simple terms, you don’t want anyone to intercept your email and read it. You also don’t want to have your email intercepted and altered.

If you’re a Microsoft 365 user (or with most of the big email providers), the servers that handle your email will encrypt your email at rest (while it’s sitting in your mailbox) and will try to negotiate an encrypted connection (so that the email is encrypted in transit) with the mail servers they communicate with. You can’t guarantee this though, because the other side’s server has to support it. However, suppose you are communicating with a recipient that also uses Microsoft 365; then your email will be encrypted over the entire journey and in both the sender’s and the recipient’s mailbox.

There are a few ways to encrypt email.

Some are:

  • Digital certificates
  • Third party encryption service
  • Encryption from your mail provider

Like everything in IT, there’s a tradeoff between ease of use and functionality.

Digital certificates are probably the most complicated to deploy. You purchase a certificate which will need to be renewed each year. You then pass the public portion of this to anyone that wants to send you an encrypted email. They use this, as anyone can, to encrypt and send an email. However, the only person that can decrypt this email is you, even if it gets sent to the wrong person. It’s “for your eyes only”!

You can also use a certificate to “sign” an email. The recipient is then assured it is genuine and has come from you. If anyone tries to pretend to be you, or an email is altered en route, the signature no longer validates and this is shown to the recipient.
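The two properties described above, that only the holder of the private key can read a message encrypted to the matching public key, and that any alteration (or impersonation) breaks the signature, can be shown with a small program. The following is an added example written for this post, not code from the original or from any mail product; it generates throw-away RSA key pairs in memory instead of purchased certificates, and the mailbox names and message body are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Mailbox stands in for one person's certificate: a private key they keep,
// and the public half they hand out. Keys are generated fresh each run
// (constructed demo keys, not a CA-issued certificate).
type Mailbox struct {
	Name string
	priv *rsa.PrivateKey
}

func NewMailbox(name string) (*Mailbox, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Mailbox{Name: name, priv: priv}, nil
}

// PublicKey is the part you send to anyone who wants to email you securely.
func (m *Mailbox) PublicKey() *rsa.PublicKey { return &m.priv.PublicKey }

// EncryptTo seals a body so that only the recipient's private key can open it.
// Real S/MIME encrypts the body with a one-off symmetric key and wraps only
// that key with RSA; this short demo body fits directly into RSA-OAEP.
func EncryptTo(recipient *rsa.PublicKey, body []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, body, nil)
}

// Decrypt succeeds only for the mailbox whose public key was used to encrypt.
func (m *Mailbox) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, m.priv, ciphertext, nil)
}

// Sign produces the "this came from me and is unaltered" proof over the body.
func (m *Mailbox) Sign(body []byte) ([]byte, error) {
	digest := sha256.Sum256(body)
	return rsa.SignPSS(rand.Reader, m.priv, crypto.SHA256, digest[:], nil)
}

// Verify reports whether sig was made by the sender's key over exactly this body.
func Verify(sender *rsa.PublicKey, body, sig []byte) bool {
	digest := sha256.Sum256(body)
	return rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	alice, _ := NewMailbox("alice@example.test") // constructed names
	bob, _ := NewMailbox("bob@example.test")
	mallory, _ := NewMailbox("mallory@example.test")

	body := []byte("Quarterly figures attached, please keep confidential.")

	// Confidentiality: encrypted to Bob, readable by Bob, useless to anyone else.
	ct, _ := EncryptTo(bob.PublicKey(), body)
	pt, err := bob.Decrypt(ct)
	fmt.Printf("bob decrypts: %q (err=%v)\n", pt, err)
	_, err = mallory.Decrypt(ct)
	fmt.Printf("misdelivered to mallory, decrypt error: %v\n", err)

	// Authenticity and integrity: Alice signs; a changed body or another
	// signer's key fails verification.
	sig, _ := alice.Sign(body)
	fmt.Println("genuine from alice:", Verify(alice.PublicKey(), body, sig))
	tampered := []byte("Quarterly figures attached, please forward to all.")
	fmt.Println("altered en route:", Verify(alice.PublicKey(), tampered, sig))
	fmt.Println("mallory pretending to be alice:", Verify(mallory.PublicKey(), body, sig))
}
```

The misdelivery case is the "for your eyes only" point from the paragraph on certificates: the wrong recipient gets only an error, not a readable message. The last two checks are the signing case: the recipient's mail client performs the same verification and flags the message when it fails.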

Third party encryption services are simple to use, though many will require you to pay a subscription. One way or another your confidential content (an email, with or without an attachment) is usually uploaded to their servers, and the recipient then has to go through a procedure to access it: usually by providing a code, which is sent to them in another email, and often by creating an account too. It’s a little clunky for the odd email but less taxing subsequently. Somewhat annoying is that the email content isn’t in your mailbox for you to refer to easily later.

Your mail provider may have an encryption service. With Microsoft 365 this is called “Message Encryption”. Once the license has been added to a user, they just use the “Encrypt” button and that’s it. No complicated steps for the recipient if they are also on Microsoft 365; recipients using other mail services just request an authentication code and, once it is entered, can see the email.

Another option? Don’t send anything by email that you wouldn’t want anyone else to see. If you have something confidential, then share it via OneDrive or SharePoint. Advantages include:

  • No extra license costs.
  • Collaborative editing or read-only access – you choose.
  • You can update whatever you are sharing with full history.
  • Rescind access as and when you need.

As always, please get in touch if you need further explanation, advice or would like to implement or trial anything on this post.