What Is Email Encryption: How It Works, Key Protocols, Regulatory Requirements, and Best Practices for Organizations

Email encryption scrambles message content using cryptographic algorithms so that only authorized recipients can decrypt and read it, protecting business communications that would otherwise travel the internet in plaintext. The gap between the protection organizations assume they have and what encryption actually delivers is where breaches take root. According to the Verizon 2026 Data Breach Investigations Report, 62% of confirmed incidents involve a human element, a category of risk that no encryption protocol touches, because encryption secures the transmission channel and not the human decision-making that cyberattackers exploit.
This guide covers:
- How TLS, PGP, and S/MIME work at the protocol level, the foundation of what is email encryption in practice.
- The regulatory frameworks that mandate email encryption for compliance across healthcare, finance, defense, and privacy law.
- Practical steps for sending and receiving encrypted email across major platforms.
- The deployment models organizations use to scale email encryption without relying on individual employee judgment.
Most organizations treat encryption as a finished defense while cyberattackers walk straight through the human layer it never covered. Adaptive Security pairs technical controls with cybersecurity awareness training that closes the gap encryption leaves open.
What Is Email Encryption and Why Email Needs It
Email encryption is the process of scrambling message content with cryptographic algorithms so that only the recipient holding the correct decryption key can read it. It exists because the Simple Mail Transfer Protocol (SMTP), the foundation of email delivery since 1982, was designed to transmit messages in plaintext by default, leaving every unencrypted email readable to anyone who intercepts it in transit.
Modern email encryption addresses two of the three states of data: in transit, as a message travels between mail servers, and at rest, while it is stored on a server or device. Mainstream solutions rarely protect data in use, the moment a message is being composed or displayed on screen. Encryption locks the envelope, but it does not verify that the contents are safe or that the sender is trustworthy.

The Plaintext Problem: Why Email Needs Encryption
SMTP routes messages across the internet by treating every email like a postcard, with contents fully visible to any mail server, network operator, or cyberattacker positioned along the delivery path. As Google's Transparency Report explains, email has traveled the internet unencrypted for decades, as if written on a postcard rather than sealed in an envelope.
This architectural reality creates an interception problem at every hop. An email sent from a corporate account in New York to a client in London might pass through a dozen servers, any one of which could be compromised, misconfigured, or operated by an adversary. Without encryption, a cyberattacker performing a man-in-the-middle attack on unsecured Wi-Fi, a rogue administrator at an intermediate relay, or a state-sponsored actor tapping undersea cables can read the full contents of every message crossing that segment of the network.
Transport Layer Security (TLS) has improved this landscape considerably. TLS encrypts the connection between mail servers, wrapping each message in a temporary envelope while it moves from sender to recipient, and it applies automatically when both servers support the protocol. TLS is not universal, however. If either server does not support it, the message silently falls back to plaintext with no warning to the sender, and once the email reaches the destination server, TLS releases its hold and the message sits on disk in whatever state the recipient's provider has configured.
This is where end-to-end encryption enters the picture. Rather than encrypting the connection, end-to-end encryption protects the message itself: protocols like Pretty Good Privacy (PGP) and S/MIME encrypt content at the sender's device and decrypt it only at the recipient's device, so no intermediate server can read it. The tradeoff is usability, because both parties must manage cryptographic keys, and the friction of key exchange has kept adoption low across three decades of availability.
Organizations handling sensitive data, including financial records, legal documents, healthcare information, and trade secrets, cannot rely on TLS alone and must evaluate when end-to-end encryption is warranted. According to Apricorn's 2025 Encryption Survey, 23% of organizations cited a lack of encryption as the primary reason for a data breach within their organization.
Silent TLS downgrades expose sensitive messages without a single alert reaching the sender. Adaptive Security helps teams recognize where technical controls end and human vigilance must begin.
Confidentiality, Integrity, and Authentication: What Encryption Delivers
Properly implemented email encryption provides three distinct security properties, and understanding each clarifies exactly what encryption does and what it leaves unaddressed.
Confidentiality is the property most people associate with encryption: only the intended recipient can read the message. Whether delivered through TLS in transit, PGP end-to-end, or a secure message portal, confidentiality ensures that an intercepted email yields nothing but ciphertext to anyone lacking the decryption key. A 2025 publication by the Canadian Centre for Cyber Security identifies encryption as a foundational control for protecting sensitive data in email, particularly for organizations subject to frameworks such as HIPAA, GDPR, and PCI DSS.
Integrity ensures that a message has not been altered in transit. Cryptographic hashing and digital signatures allow the recipient to detect even a single character of tampering, whether a cyberattacker modified an invoice amount, changed a routing number, or inserted a malicious link into an otherwise legitimate thread. Integrity transforms encryption from passive protection into active assurance that what the sender wrote is exactly what the recipient reads.
Authentication verifies the sender's identity. Through digital certificates, public key infrastructure (PKI), and domain-level protocols like DKIM and DMARC, authentication answers whether a message genuinely came from its claimed sender. This prevents a cyberattacker from encrypting a fraudulent message with a stolen or spoofed key and passing it off as legitimate. A message can be signed without being encrypted, but the two work best together, since an encrypted message from an unverified sender remains a risk and an authenticated but unencrypted message remains exposed.
Together, these three pillars let the recipient trust that a message is private, unaltered, and genuinely from the stated sender. This model operates entirely within the scope of the message itself, and everything outside that scope remains unprotected.
How Does Email Encryption Work?
Understanding how email encryption works means tracing readable plaintext as it becomes scrambled ciphertext through cryptographic algorithms and key pairs, so that no one outside the intended pair of correspondents can decode the message. The process pairs asymmetric encryption for secure key exchange with symmetric encryption for efficient bulk data protection, and the architecture underneath each hop determines whether a message is genuinely private or merely protected in transit.
Symmetric vs. Asymmetric Encryption: Two Models, One Goal
Email encryption depends on two cryptographic models that solve complementary problems. Symmetric encryption uses one shared secret key for both encrypting and decrypting data: the sender locks the message with the key, and the recipient unlocks it with the same key. Algorithms like AES-256 execute at hardware speed, which makes symmetric encryption the workhorse for encrypting large message bodies and attachments.
The problem is logistical, because the sender must deliver that single shared key to the recipient without a cyberattacker intercepting it. If the key travels alongside the encrypted message, anyone who captures both can read the plaintext immediately. Asymmetric encryption solves this by splitting the operation across a mathematically linked key pair: one key encrypts and a different, related key decrypts. The encryption key is published openly and the decryption key is guarded privately. Algorithms like RSA and Elliptic Curve Cryptography (ECC) power this model, though asymmetric operations run thousands of times slower than symmetric encryption on equivalent hardware.
Email encryption systems never use asymmetric encryption for the message body itself. Instead, they use it to safely deliver a one-time symmetric session key, then switch to symmetric encryption for the actual content. Asymmetric handles key exchange, symmetric handles bulk encryption, and neither is sufficient alone.
Public and Private Keys: How Key Pairs Secure Email
A public-private key pair is the cryptographic foundation of email encryption. The keys are generated together through a mathematical algorithm that creates two enormous numbers sharing a one-way relationship, so deriving the private key from the public key is computationally infeasible even with substantial computing power. The public key can be distributed freely on a key server, in an email signature, or in a corporate directory, while the private key must remain on the owner's device, protected by a passphrase, and never transmitted across the network.
When someone sends an encrypted email, the sending client retrieves the recipient's public key and uses it to encrypt a randomly generated symmetric session key, which then travels alongside the ciphered message body. On arrival, the recipient's client decrypts the session key using the private key, then uses the recovered session key to decrypt the message itself. A cyberattacker who intercepts the transmission possesses only the encrypted session key and the encrypted body, neither of which is readable without the private key. Even if every SMTP relay between sender and recipient logs the message in transit, the content stays opaque to anyone but the private key holder.
The security of the entire system reduces to a single requirement: the private key must never be exposed. Once a private key is compromised, every message ever encrypted to its corresponding public key becomes potentially readable.
The TLS Handshake: Step-by-Step Connection Encryption
Transport Layer Security encrypts the SMTP connection hop by hop, and understanding what it does and does not protect is essential to email encryption. Each server along the delivery path decrypts the message, processes it, and re-encrypts it before forwarding to the next server, so TLS does not provide end-to-end encryption of the message itself. An email traveling from a Microsoft 365 user to a Gmail recipient might traverse three or four SMTP hops, and at each hop the message exists momentarily in plaintext on the relay server. This is the critical distinction between transport-layer encryption and message-level encryption.
The TLS handshake establishes this hop-level tunnel through a four-phase negotiation. First, the client sends a Client Hello message containing the highest TLS version it supports, a list of cipher suites, and a randomly generated number. Second, the server responds with a Server Hello that selects the TLS version and cipher suite, provides its own random number, and delivers its digital certificate.
That certificate contains the server's public key and is signed by a trusted Certificate Authority (CA), and the client's software verifies this signature against its built-in CA trust store to confirm the server's identity. Third, the key exchange phase begins: in modern TLS 1.3 deployments, the client and server use an Elliptic Curve Diffie-Hellman (ECDHE) exchange, each generating an ephemeral key pair and independently computing an identical pre-master secret. Forward secrecy is built into this approach because the ephemeral keys are discarded after the session ends, so compromising the server's long-term private key cannot retroactively decrypt past sessions. Fourth, both sides derive symmetric session keys from the pre-master secret and exchange Finished messages encrypted under those keys, establishing the tunnel through which all subsequent SMTP traffic flows.
When the message leaves the receiving SMTP server and is delivered to the recipient's mailbox, TLS has done its job and the transport layer no longer protects it. Any subsequent retrieval via IMAP or POP3 requires its own separate TLS negotiation. Every intermediary server can also see the message metadata, including sender, recipient, subject line, and timestamps, because SMTP envelope information is not encrypted by TLS at the transport layer. This is why organizations handling sensitive data cannot treat TLS as a complete encryption strategy.
The Full Encryption-to-Decryption Lifecycle
The complete email encryption lifecycle moves through four stages, and understanding each reveals exactly where protection holds and where it breaks.
Stage one is key generation. The user's email client generates a public-private key pair, storing the private key locally under a passphrase and publishing the public key to a directory, key server, or contact. Without this step, no encrypted email can be sent to that user.
Stage two is message encryption at the sender's side. The sender composes the email, attaches files, and triggers encryption. The client generates a random 256-bit AES session key, encrypts the message and its attachments with it, then retrieves the recipient's public key, encrypts the session key with it, and packages both the ciphertext and the encrypted session key into the email. The symmetric key protects the content while the asymmetric wrapper protects the symmetric key.
Stage three is encrypted transmission across the network. The sender's client transmits the encrypted message to the outgoing SMTP server over a TLS connection, which relays it through potentially multiple intermediate mail transfer agents, each hop protected by its own TLS session. The message body remains unreadable ciphertext throughout because it was encrypted at the message level before transmission began.
Stage four is decryption at the recipient's side. The recipient's client identifies the message as encrypted and uses the private key, unlocked by the passphrase, to decrypt the session key. That session key then decrypts the message and attachments into readable plaintext, completing the operation in milliseconds. If any component fails, whether an expired certificate, a missing private key, or an incompatible algorithm, the message remains permanently unreadable.
The cryptography is not the fragile part of this chain; key management is. How organizations generate, store, distribute, and revoke keys determines whether email encryption is a reliable safeguard or an archive of messages nobody can open. That operational discipline, more than the strength of the cipher, separates protected communication from exposure.
Encryption fails quietly when key management breaks, turning protected archives into inaccessible ones. Adaptive Security equips teams to treat operational discipline as a core part of their cybersecurity awareness training program.
What Does Email Encryption Protect Against?
Email encryption shields message content from interception as it travels across the internet, but organizations that treat it as a comprehensive defense inherit a dangerous blind spot. TLS and end-to-end encryption stop network-level eavesdroppers cold, yet they offer no protection against the phishing links, social engineering lures, and credential theft attempts that arrive neatly inside those very encrypted messages. According to Verizon's 2026 Data Breach Investigations Report, stolen credentials were involved in 13% of all breaches, a category of exposure that encryption cannot reach.

Cyber Threats Email Encryption Defeats
Email encryption directly neutralizes several categories of network-layer attack that would otherwise expose message contents to anyone positioned between sender and recipient. The most fundamental protection is against man-in-the-middle interception of unencrypted SMTP traffic. Without encryption, every relay hop transmits the message body in cleartext, readable by any adversary on the network path, whereas TLS encrypts the channel between each hop and turns intercepted packets into indecipherable ciphertext.
Passive eavesdropping at the ISP, Wi-Fi, or backbone level is similarly defeated. A cyberattacker on a public coffee-shop network, a compromised router at an internet exchange, or a tapped fiber backbone gains nothing from capturing TLS-encrypted SMTP packets, because the tunnel negotiates session keys using asymmetric cryptography before switching to symmetric encryption for bulk data. SMTP was standardized in 1982 with RFC 821 and transmitted email in plaintext for decades, so legacy mail servers that still lack TLS support remain vulnerable to exactly this class of passive surveillance.
Email tampering in transit is a third cyber threat that encryption defeats through integrity verification. TLS includes message authentication codes that let the recipient detect any alteration to the encrypted payload, so a cyberattacker who intercepts an SMTP connection and tries to modify the message body, insert a malicious link, or alter a bank account number breaks the cryptographic integrity check and the tampered message is rejected. Without encryption, no such integrity guarantee exists, and a man-in-the-middle attacker can silently rewrite email content as it traverses intermediate relays.
Message replay attacks, where an adversary captures a legitimate encrypted email and retransmits it later to duplicate transactions, are also mitigated by modern TLS. TLS sessions include nonces and sequence numbers that prevent captured ciphertext from being replayed in a different session context, so a recorded SMTP exchange cannot simply be re-sent days or weeks later once the session-specific parameters have expired.
End-to-end encryption, implemented via PGP or S/MIME, goes further than TLS by protecting against a cyber threat that transport encryption cannot address: unauthorized access to email content stored on intermediary mail servers. With TLS alone, the message is decrypted at each hop and stored in plaintext on the receiving server, so any compromise of that server, a malicious administrator, or a lawful data request exposes the full contents. End-to-end encryption encrypts the message body with the recipient's public key so that only the private key holder can decrypt it, and intermediate servers never see the plaintext regardless of how many hops the message traverses or how long it sits in storage.
Cyber Threats Encryption Cannot Stop
The most consequential limitation of email encryption is its complete inability to defend against phishing. A phishing message crafted to steal credentials, deliver malware, or trick an employee into wiring funds arrives encrypted over TLS between mail servers and decrypts perfectly into a malicious message on the recipient's screen. The UK Government's Cyber Security Breaches Survey 2025 found phishing was the most prevalent form of cyber crime, affecting 93% of businesses that experienced an incident. Encryption does not inspect content, evaluate sender reputation, or flag social engineering indicators, and the padlock icon can paradoxically lend phishing messages undeserved credibility when recipients conflate transport encryption with message safety.
Defending against phishing requires a fundamentally different set of controls: employee cybersecurity awareness training, simulated phishing exercises, and other human-layer defenses that fall outside encryption's original scope. Organizations investing heavily in encryption without corresponding investment in phishing readiness are protecting the pipe while ignoring what flows through it.
The scale of this exposure is well documented. According to the FBI Internet Crime Complaint Center's 2025 Internet Crime Report, phishing and spoofing generated 191,561 complaints, the highest number of reports for any single crime type.
Compromised endpoints represent another entire attack surface encryption cannot cover. If a cyberattacker installs a keylogger or remote access trojan on a recipient's device, they can capture the decrypted content after it arrives, regardless of whether it traveled under TLS, PGP, or S/MIME. The encryption boundary ends at the endpoint, and once the legitimate user decrypts and reads the message, screen-capture malware, clipboard sniffers, and file-exfiltration tools all operate below the encryption layer, reading plaintext directly from memory, disk, or display buffers.
Malicious insiders with legitimate access bypass encryption entirely. An employee in finance who opens an encrypted invoice and forwards it to a personal account, an administrator who accesses the mail server's plaintext store, or a departing employee who downloads sensitive correspondence before resigning is impeded by neither transport nor end-to-end encryption, because the insider already possesses the access and decryption keys needed to read the content. Encryption protects data from unauthorized external parties on the network path; it does nothing to control what authorized users do with data once they hold it.
Social engineering that tricks recipients into acting on decrypted content is equally invisible to encryption. A CFO who receives a perfectly encrypted email from what appears to be the CEO requesting an urgent wire transfer, in reality a deepfake spear-phishing attack that passed SPF, DKIM, and DMARC checks, will act on the content regardless of how securely it was transmitted, because the psychological manipulation operates on the plaintext after decryption.
These impersonation tactics are accelerating. According to Sumsub's 2025–2026 Identity Fraud Report, deepfake attacks increased 2,100% globally, part of a broader surge in sophisticated fraud that encryption does nothing to detect.
Metadata exposure persists even with strong encryption. With PGP and S/MIME the message body is encrypted, but the To, From, Subject, Date, and routing headers travel in cleartext because mail servers need them to route messages. An adversary conducting traffic analysis can build detailed communication graphs from this metadata alone, mapping who talks to whom, when, and how frequently, without ever reading a line of body text.
Flawless encryption still delivers a deepfake wire-transfer request straight to an executive's inbox. Adaptive Security trains employees to recognize the social engineering that encryption cannot filter out.
How Encrypted Emails Can Still Be Compromised
Even with email encryption in place, messages can still be compromised through failure modes at the protocol, infrastructure, and endpoint layers. The most widespread is the opportunistic TLS and STARTTLS downgrade attack. Because SMTP was not designed with mandatory encryption, the sending server offers STARTTLS as an optional upgrade transmitted in cleartext, and a man-in-the-middle attacker on the network path can strip or corrupt that command so the sending server concludes the recipient does not support TLS and falls back to plaintext. Security researcher Elie Bursztein documented this vector in 2015, noting that because SMTP must fail open to maintain backward compatibility with legacy servers that lack TLS support, there is no simple protocol-level fix, an observation that still holds given how little MTA-STS and DANE adoption has changed since.
Compromised or fraudulently issued TLS certificates create a second path. If a cyberattacker obtains a valid certificate for the recipient's mail domain, through a compromised certificate authority, stolen administrator credentials, or a domain-validation loophole, they can intercept and decrypt TLS-encrypted SMTP traffic while the victim's server believes it is talking to the legitimate destination. Certificate Transparency logs have reduced but not eliminated this risk, as adversaries have shifted to compromising existing certificates rather than requesting new ones.
Stolen private keys for end-to-end schemes cut deeper still. With PGP or S/MIME, a cyberattacker who obtains a user's private key, through endpoint malware, a compromised key server, passphrase brute-forcing, or physical device theft, can decrypt every message ever encrypted to the corresponding public key, past and future. Unlike ephemeral TLS session keys, end-to-end private keys are long-lived assets whose compromise retroactively exposes historical communications, so organizations that deploy end-to-end encryption without disciplined key management, hardware security modules, and strong revocation infrastructure trade one vulnerability for another.
The endpoint remains the most practical attack surface. When a cyberattacker compromises a recipient's device through a phishing-delivered trojan, an unpatched browser flaw, or a malicious extension, they gain the same access to decrypted content as the legitimate user. The encryption did its job, delivering the message intact and unreadable to network eavesdroppers, but the moment the user opens it the plaintext exists in memory, in the client's local cache, and on screen, all accessible to malware with user-level privileges. Once an endpoint is breached, speed compounds the damage. According to the CrowdStrike 2026 Global Threat Report, the average adversary breakout time, the window between initial access and lateral movement, dropped to 29 minutes, with the fastest measured at just 27 seconds. Organizations defending against modern cyber threats need to invest as heavily in phishing readiness that trains employees to recognize manipulation as they do in the infrastructure that secures the channel.
Email Encryption and Regulatory Compliance
Email encryption functions less as a single requirement than as a thread woven through nearly every major data protection framework in force today. Regulators across healthcare, finance, defense, education, and privacy law have converged on a common expectation: sensitive data crossing network boundaries must be rendered unreadable to anyone without authorized access. The nuance organizations often miss is that these requirements are rarely absolute mandates; they are typically addressable or risk-based specifications that leave room for judgment, and regulators consistently interpret that judgment against organizations that chose not to encrypt and then suffered a breach. Oversight is intensifying at the top as well: according to the World Economic Forum's 2026 Global Cybersecurity Outlook, 52% of organizations indicate that board members receive regular cybersecurity updates, reflecting the personal liability leaders now carry for security failures.
Healthcare: HIPAA Email Encryption Requirements
The HIPAA Security Rule classifies email encryption as an addressable implementation specification for protecting electronic protected health information (ePHI) in transit. Addressable does not mean optional. It means a covered entity must implement encryption unless it documents a reasoned determination that an alternative measure provides equivalent protection or that encryption is not reasonable and appropriate for its circumstances.
The HIPAA Breach Notification Rule provides a critical safe harbor. If ePHI is encrypted in accordance with NIST Special Publication 800-52 and 800-77 guidance, a lost or stolen device containing that data does not trigger notification obligations. Without encryption, the entity must notify affected individuals, HHS, and, in cases involving more than 500 individuals, local media.
Enforcement consequences are substantial and rising. According to the HHS Office for Civil Rights enforcement data, OCR settled 21 cases in 2025 alone, the second-highest annual total on record, with civil monetary penalties ranging from $145 to approximately $2,190,294 per violation category per year, current as of the January 2026 Federal Register inflation adjustment. A single unencrypted email containing ePHI sent across the open internet can constitute a violation, and if that email reaches multiple recipients or contains multiple patient records, penalties multiply quickly. Beyond financial penalties, OCR routinely requires corrective action plans mandating enterprise-wide encryption, policy rewrites, and years of external auditing, operational burdens that often exceed the fine itself.
One unencrypted email carrying patient records can turn a minor exposure into a reportable breach with seven-figure penalties. Adaptive Security reinforces the human habits that keep sensitive data inside its protective envelope.

Finance and Payments: PCI DSS, FTC Safeguards Rule, and GLBA
The financial services sector operates under multiple overlapping encryption mandates, each with distinct scope and enforcement. PCI DSS Requirement 4, as updated under PCI DSS 4.0.1, mandates that organizations protect cardholder data with strong cryptography during transmission over open, public networks. This is the current active standard. It is an explicit, non-negotiable obligation rather than an addressable one, and Requirement 4.2.1 further specifies that cardholder data must never be sent via end-user messaging technologies, including email, SMS, and instant messaging, unless rendered unreadable through strong cryptography before transmission. For any merchant transmitting primary account numbers via email, the encryption must occur at the application layer rather than merely via opportunistic TLS, to satisfy assessor scrutiny. The financial stakes extend well beyond fines: according to the FBI's Internet Crime Report 2025, business email compromise losses reached $3.046 billion in the U.S. alone, virtually all routed through manager-level approvers.
The FTC Safeguards Rule, issued under the Gramm-Leach-Bliley Act (GLBA) and enforced by the Federal Trade Commission, imposes parallel encryption obligations on a broader range of financial institutions, including mortgage brokers, tax preparers, auto dealers, and fintech platforms not directly subject to PCI DSS. Section 314.4(c)(3) requires covered institutions to protect by encryption all customer information held or transmitted both in transit over external networks and at rest. Where encryption is determined to be infeasible, the institution must document that determination and implement compensating controls, and regulators have shown limited appetite for accepting infeasibility claims during enforcement actions.
Breach notification safe harbor provisions amplify the operational importance of encryption across both frameworks. The FTC Safeguards Rule's 2023 amendment expanded the definition of a notifiable security event to include any unauthorized acquisition of unencrypted customer information, removing the earlier limitation to sensitive information only. Under most state-level financial data breach laws, encrypted data is exempt from notification requirements, which transforms encryption from a compliance line item into the single most effective mechanism for containing the operational and reputational blast radius of an incident. According to the DLA Piper GDPR Fines and Data Breach Survey, European data protection authorities issued over €1.2 billion in GDPR fines in 2025 alone.
Government and Defense: CMMC 2.0, ITAR, and CJIS
Defense contractors and government agencies face the most technically prescriptive encryption requirements of any sector. The Cybersecurity Maturity Model Certification (CMMC) 2.0, which operationalizes the controls in NIST SP 800-171 Revision 2, requires contractors handling Controlled Unclassified Information (CUI) to implement cryptographic protections for data in transit. Control families 3.13 and 3.1 together mandate that CUI transmitted across networks be protected using FIPS-validated cryptography, and for CMMC Level 2 the assessment standard expects AES-256 for data at rest and TLS 1.2 or higher with FIPS-validated cipher suites for data in transit.
ITAR imposes an even more stringent cryptographic regime for export-controlled technical data. Under the International Traffic in Arms Regulations, sending unclassified technical data outside the United States, including via email to a foreign subsidiary, constitutes an export requiring a license. The ITAR encryption carve-out, formally adopted by the State Department in 2020, provides a critical exception. No export license is required if the data is protected using end-to-end encryption employing FIPS 140-2 validated cryptographic modules. The cryptographic keys must be managed exclusively by the U.S. data owner, and the cloud provider or intermediary must have no ability to decrypt the data. Organizations that fail any condition trigger licensing requirements with potential criminal penalties for willful violations.
The CJIS Security Policy, which governs access to criminal justice information, adds another layer of specificity. Version 6.0, released in December 2024, reinforced that any transmission of criminal justice information across a public network must be protected by encryption meeting FIPS 140-2 or 140-3 standards, and it spans key management obligations including generation, distribution, storage, and destruction. Agencies that fail CJIS audits can lose access to federal criminal databases, a sanction far more operationally crippling than a fine for most organizations.
Privacy Regulations: GDPR and State-Level Education Laws
GDPR Article 32 establishes encryption as one of the technical measures organizations must consider when implementing data protection by design and by default. Unlike sector-specific U.S. frameworks, GDPR does not prescribe a specific encryption standard; it requires that the level of security be appropriate to the risk, taking into account the state of the art, implementation costs, and the nature and purposes of processing. This risk-based framing means European Data Protection Authorities evaluate encryption failures in context, with GDPR fines capable of reaching €20 million or 4% of global annual revenue, whichever is higher.
The breach notification calculus under GDPR makes encryption a strategic investment. Article 34 exempts controllers from notifying affected data subjects if appropriate technical measures, specifically including encryption, render the data unintelligible to unauthorized parties. This safe harbor means an organization that suffers a breach of properly encrypted data may avoid the reputational damage and class-action exposure that follow direct data subject notification across EU member states, and with GDPR class-action activity accelerating under Article 80, the litigation-avoidance value of encryption now rivals its compliance value.
State-level education privacy laws impose encryption requirements narrower in scope but equally enforceable. New York Education Law 2-D requires educational agencies and their third-party contractors to implement encryption for student personally identifiable information in transit and at rest, and its enforcement provisions include contract termination, civil penalties, and injunctive relief. FERPA does not explicitly mandate encryption in its statutory text, but the Department of Education's guidance treats encryption as an essential safeguard, and failure to encrypt student records has been cited in enforcement actions as evidence of inadequate data protection. Several other states, including California, Colorado, and Connecticut, have enacted comparable expectations, pushing any organization handling multi-state student data toward universal encryption as the most practical compliance posture.
How to Send and Open Encrypted Emails
Sending an encrypted email means choosing the right method for the platform, configuring it once, and confirming it works before relying on it. The steps differ between Gmail and Outlook, but the objective is identical: ensure that no one but the addressee can read the message, even if it is intercepted in transit. After one successful encrypted send, the workflow becomes routine rather than a technical hurdle.
1. How to Encrypt Email in Gmail and Google Workspace
Gmail offers two distinct email encryption paths. Gmail confidential mode provides a lightweight, recipient-friendly option that works with any email provider, while S/MIME delivers certificate-based message-level protection for organizations on Google Workspace Enterprise, Education, or G Suite Business that need to satisfy stricter compliance requirements.
Gmail confidential mode is the fastest way to add protection to a sensitive message without requiring the recipient to install anything. The sender composes a new message, clicks the padlock-and-clock icon at the bottom of the compose window, sets an expiration date ranging from one day to five years, and chooses whether to require an SMS passcode. When the sender selects SMS passcode, Google sends a one-time code to the recipient's phone number, and the recipient must enter it before the message body becomes visible, which prevents anyone with access to the recipient's inbox from reading it because the code arrives on a separate device. The trade-off is that confidential mode does not encrypt attachments end-to-end and Google retains access to message content on its servers, so while it stops forwarding, copying, printing, and downloading, it is not true end-to-end encryption.
For organizations that need cryptographic message protection, S/MIME in Google Workspace is the appropriate choice. S/MIME encrypts the message and attachments using the recipient's public certificate, so only the private key holder can decrypt them. A Google Workspace admin must first upload user certificates to the Admin Console under Apps, Google Workspace, Gmail, User Settings, S/MIME. Once configured, users see a lock icon in the compose window: a green lock means the recipient's certificate is trusted and encryption is available, a gray lock means a certificate is present but not fully validated, and no lock means S/MIME is unavailable for that recipient. Clicking the lock toggles S/MIME encryption on before the message is sent, adding the message-level protection that TLS alone cannot provide once the email reaches the recipient's mail server.
2. How to Encrypt Email in Outlook and Microsoft 365
Microsoft 365 supports two encryption methods for different use cases. Microsoft 365 Message Encryption (OME) is built into most business and enterprise plans and requires no certificate configuration on the sender's side, while S/MIME in Outlook provides certificate-based encryption for organizations that manage their own public key infrastructure or use third-party certificate authorities.
Microsoft 365 Message Encryption is the simpler path. In Outlook, the sender composes a new message, navigates to the Options tab, and clicks the Encrypt button, which offers several permissions levels: Encrypt-Only allows the recipient to read and forward but not copy or print, while Do Not Forward prevents forwarding entirely. OME uses Azure Rights Management to encrypt the message, and recipients on Microsoft 365, Outlook.com, or Gmail can read OME messages directly in their browser after verifying identity through a one-time passcode or account authentication. This is the most frictionless option for external communications because the recipient does not need to install certificates or plugins.
S/MIME in Outlook requires more upfront configuration but provides stronger cryptographic guarantees. The sender first obtains a digital certificate from an organizational certificate authority or a public CA such as DigiCert or GlobalSign, then goes to File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted Email, the sender clicks Settings, names a security settings profile, selects signing and encryption certificates from the dropdown menus, and confirms. To send an encrypted message, the sender needs the recipient's public certificate, which is shared automatically when the recipient sends a digitally signed message first. Once that certificate appears in the address book, the Encrypt button becomes active for that contact, and Outlook encrypts the message using the recipient's public key before transmission.
3. How to Open and Read Encrypted Emails as a Recipient
What a recipient sees depends entirely on the encryption method the sender used. Each experience requires different steps, and knowing what to expect removes the confusion that often causes people to ignore encrypted messages or report them as spam.
OME-encrypted messages from Microsoft 365 arrive with a subject line that includes "[Encrypted]" and a body containing a link to read the message. Clicking the link opens a browser page hosted by Microsoft, where the recipient signs in directly with an Outlook.com, Gmail, or Microsoft account, or chooses to receive a one-time passcode. Entering the code displays the decrypted message, and attachments download normally within the browser session.
PGP-encrypted messages arrive as a block of ciphertext beginning with "-----BEGIN PGP MESSAGE-----" that the email client cannot display as readable text. The recipient needs a PGP client such as Gpg4win, GPG Suite, or the Mailvelope browser extension, after which they import their private key, enter their passphrase, select the ciphertext block, and choose Decrypt from the client menu. This workflow works with any email provider because PGP encrypts the message body independently of the transport layer, but it requires both parties to have exchanged public keys beforehand.
S/MIME-signed or encrypted messages behave differently depending on the client. In Outlook, a signed message displays a red ribbon icon that reveals certificate details on click, and an encrypted message opens directly when the recipient's private certificate is installed. In Gmail on a Workspace account with S/MIME enabled, encrypted messages show a green lock icon next to the sender's name, and in Apple Mail they display a lock icon in the message header. A recipient who has not installed the required certificate sees an error rather than the content, which is by design, since decryption is mathematically impossible without the private key.
Portal-based encrypted messages, common in healthcare, legal, and financial services, arrive as a notification email with a link to a secure web portal. The recipient either creates an account on first use or signs in with existing credentials, after which the portal displays messages in a web-based inbox and attachments download through the portal interface. Portal encryption is the most universally compatible method because it requires no client-side software, but it also creates the most friction, since each sender often uses a different portal and recipients end up managing multiple accounts.
4. How to Verify Email Encryption Is Actually Working
Sending an encrypted email and confirming that email encryption actually took effect are two separate disciplines. TLS protects messages in transit between mail servers, but it is opportunistic: it protects the pipe rather than the message and falls back to plaintext if the receiving server does not support encryption. Relying on TLS without verification is a common blind spot.
Checking for visible lock icons is the first line of verification. In Gmail, the sender opens the message from the Sent folder and looks for a lock icon next to the recipient's name, where a red lock indicates unencrypted delivery, a gray lock means TLS was used, and a green lock means S/MIME was applied. In Outlook, the sent message's InfoBar displays confirmation for OME messages or a certificate icon for S/MIME. These indicators confirm the method the client attempted to apply, but they reflect only what happened on the sending side and do not prove the message stayed encrypted after leaving the outbox.
Inspecting the message headers provides stronger verification. In Gmail, the recipient opens the message, clicks the three-dot menu, and selects Show Original, then searches the headers for TLS; a line reading "Received: from [server] with esmtps (TLS1.3)" confirms the message arrived at its next hop over an encrypted connection, and multiple Received headers trace encryption status across every hop. In Outlook, the message properties display internet headers such as "X-MS-Exchange-Organization-MessageEncrypted: true" for OME messages or "Content-Type: application/pkcs7-mime" for S/MIME content, both generated by the sending server and not forgeable by an intermediary.
Running a secure recipient test before sending anything sensitive is the most reliable check. The sender encrypts a test message to a personal account at a different provider, Gmail to Outlook.com or the reverse, then confirms the receiving experience matches expectations against the lock icons and header details above. If the message arrives in plaintext or prompts an unexpected authentication flow, the configuration needs revisiting. Because certificate expirations, admin console changes, and provider policy updates can silently disable encryption without warning, repeating this test quarterly is the only dependable defense against those gaps.
Lock icons confirm intent on the sending side but never guarantee protection held all the way to the recipient. Adaptive Security builds the verification habits that keep sensitive email from silently traveling in the clear.
Email Encryption Deployment Methods and Models
Choosing an email encryption deployment model is not a one-size-fits-all decision. Every organization balances different tradeoffs: where encryption keys live, who controls them, how much friction end users tolerate, and what happens to email content at each hop between sender and recipient. Gateway-based encryption centralizes protection at the network perimeter, client-side encryption moves cryptographic operations to the sender's device, and server-side encryption delegates trust to the email provider. The critical distinction is whether plaintext ever exists outside the sender's control before encryption is applied, which determines the chain of custody and which cyberattackers a model protects against.
Gateway-Based vs. Client-Side vs. Server-Side Encryption
Gateway-based encryption places an appliance or cloud service at the organization's email perimeter. Every outbound message passes through the gateway, where a policy engine inspects content, recipient domain, and classification tags before applying encryption automatically, so no endpoint software is required and employees do not decide which emails to encrypt. Inbound encrypted mail is decrypted at the gateway before delivery, which lets the security team scan decrypted content for malware, phishing links, and data loss policy violations.
Client-side encryption shifts cryptographic operations to the sender's device before the email touches the network. Standards like PGP and S/MIME generate and manage keys locally, and the client encrypts the message and attachments with the recipient's public key so that only the recipient's private key can decrypt them. No intermediary can read the plaintext, whether the email provider, a gateway appliance, or a cloud service, which makes the chain of custody unambiguous. The tradeoff is operational complexity, since key generation, distribution, revocation, and recovery fall entirely on users or IT administrators, and lost private keys render encrypted archives permanently inaccessible.
Server-side encryption relies on the email provider to encrypt messages after they arrive on the provider's servers. Microsoft 365, Google Workspace, and similar platforms encrypt messages at rest using provider-managed keys, which protects against physical theft of server hardware and certain infrastructure-level insider threats. With server-side encryption, users send and receive email normally with no visible change, but the model offers no protection if the provider's infrastructure is compromised, an insider at the provider acts maliciously, or a cyberattacker breaks into the provider's key management system, because the provider holds the keys and can decrypt messages under lawful data requests or its own administrative access policies.
The choice between these three architectures maps directly to the threat profile. Gateway TLS is sufficient if the primary concern is wire-level eavesdropping. If the concern includes a compromised email provider, only client-side encryption guarantees the provider never sees plaintext. If physical server theft is the scenario that keeps leadership awake, server-side encryption addresses it. Each model solves a different problem, and organizations that conflate them deploy encryption that passes an audit checkbox without mitigating the risks they actually face.
Encrypted PDF and Web Portal Delivery Methods
When the recipient's email infrastructure does not support the sender's chosen encryption standard, the delivery method must bridge the gap. Encrypted PDF and web portal delivery are the two most common fallback mechanisms for email encryption, and they serve fundamentally different trust and usability models.
Encrypted PDF delivery converts the email body and attachments into a password-protected PDF attached to a standard unencrypted email. The recipient opens the attachment using a password shared through a separate channel, typically a phone call, SMS, or a pre-arranged shared secret. This method requires no recipient-side encryption infrastructure, since any device that can open a PDF can read the message, but the security of the exchange hinges entirely on the strength of the password and the security of the out-of-band channel used to transmit it. A weak password intercepted through the same email thread as the PDF provides no security at all.
Web portal encryption sends the recipient a notification email containing a link to a secure HTTPS portal. The recipient must authenticate, typically by creating an account or entering a one-time code, before reading the message and downloading attachments, and all content remains on the sender's encryption server so nothing sensitive enters the recipient's inbox. This gives the sender granular control, since messages can be revoked after sending, read receipts are logged, and administrators can audit who accessed what and when. The downside is recipient friction, because portal delivery pulls recipients out of their email client into a separate authenticated session, and some recipients refuse to click portal links, creating delivery failures that senders must resolve through other channels.
The operational distinction between these two methods matters most at scale. An encrypted PDF workflow generates a password-distribution problem that grows with volume, because each new message requires a new password exchange, which quickly becomes unmanageable. A web portal centralizes access control but creates a user-experience problem, since recipients who receive notifications from multiple senders end up managing credentials across several portals and grow more likely to ignore the notification entirely.
Automated Policy-Based Encryption: How It Works
Automated policy-based email encryption removes the human decision from the workflow. Instead of relying on employees to recognize which emails contain sensitive data and manually trigger encryption, a rules engine inspects every outbound message against a configurable policy set and applies encryption automatically when conditions are met.
The policy engine evaluates multiple signals simultaneously. Content inspection scans the body and attachments for patterns matching sensitive data such as Social Security numbers, credit card numbers, or protected health information terms. Keyword triggers activate on terms like "confidential" or "attorney-client privileged," recipient-domain policies automatically encrypt all mail to specific partner or client domains, and data loss prevention classifications integrate with existing DLP tools to inherit tags applied at the endpoint or network level. Regulatory tags tied to compliance frameworks such as HIPAA, GDPR, and PCI DSS trigger encryption based on the data category rather than any specific content match.
When a policy trigger fires, the rules engine selects the appropriate encryption method based on the recipient domain's capabilities. If the recipient's mail server advertises TLS support with valid certificates, the gateway negotiates opportunistic or forced TLS depending on policy strictness; if the domain supports S/MIME and a valid certificate exists, the engine applies certificate-based encryption; and if neither condition is met, it falls back to encrypted PDF or web portal delivery. This selection happens in milliseconds, invisible to the sender.
The measurable benefit of policy-based automation is consistency. Industry analyses of the email encryption market point to gateway and cloud-based encryption as among the fastest-growing deployment types, driven by organizations seeking to eliminate reliance on individual employee judgment. When encryption depends on the sender recognizing sensitivity, the failure rate tracks directly with human error, fatigue, distraction, and time pressure, whereas policy-based engines enforce the same rules on the thousandth email as on the first.
How to Choose the Right Email Encryption Deployment Model
The right email encryption deployment model solves the actual cyber threat an organization faces rather than the one that is easiest to address. Selection starts by defining what the organization is protecting against and which compliance obligations it carries, because each architecture answers those questions differently.
Organizations whose primary concern is regulatory compliance, HIPAA for healthcare, GDPR for EU personal data, or PCI DSS for payment card data, can often satisfy requirements with gateway-based encryption combined with automated policy enforcement. Regulators typically require that protected data be encrypted in transit and that the organization demonstrate consistent, auditable controls, so a gateway that logs every encryption decision and provides proof of TLS negotiation satisfies both without imposing workflow changes on end users. Organizations facing strict data residency requirements need gateway models deployed within the approved geographic boundary, which may rule out cloud-hosted gateways that process email outside the required region.
Organizations with an active insider threat concern or a threat profile that includes a compromised email provider must adopt client-side encryption, because no other model prevents a malicious administrator at the provider from reading plaintext. This requirement is common in legal firms handling privileged communications, defense contractors, journalism organizations protecting sources, and financial institutions guarding merger discussions. The operational overhead of PGP or S/MIME key management is substantial, but it is the only architecture where the encryption boundary truly ends at the recipient's device.
Most mid-market and enterprise organizations land on a hybrid model: gateway-based encryption with automated policies for routine protected communication, supplemented by client-side encryption for a small subset of high-sensitivity users such as the executive team, legal department, and finance group. The gateway handles the overwhelming majority of encrypted volume with zero user friction, while the client-side deployment covers the narrow set of communications where the threat profile demands it, avoiding the organizational disruption of a full client-side rollout while closing the gap a gateway-only model leaves open.
Testing the deployment against a worst-case scenario matters more than the average day. Security teams should confirm whether the model protects the plaintext stored on a stolen executive laptop, whether the provider could hand over decrypted messages under a lawful access request, and whether a cyberattacker who compromises an employee's credentials could read encrypted messages in the inbox. Each model answers these questions differently, and the right choice is the one whose failure modes the organization can accept.
Deployments that pass an audit can still leave the exact cyber threat an organization faces wide open. Adaptive Security helps teams match human readiness to the deployment model their risk profile demands.
Challenges and Limitations of Email Encryption
Email encryption promises confidentiality, but the gap between that promise and real-world usability has been documented for decades. In 1999, Carnegie Mellon researchers Alma Whitten and J.D. Tygar published their landmark study "Why Johnny Can't Encrypt," demonstrating that even technically inclined users failed to correctly send encrypted email using PGP 5.0. Participants accidentally sent plaintext they believed was encrypted, exposed private keys, and misunderstood the public key model, and the findings remain relevant because the tension between cryptographic rigor and ordinary human workflows has never been resolved, even as the software has improved.
Usability and the 'Why Johnny Can't Encrypt' Problem
The Whitten-Tygar study revealed a harsh truth about email encryption: PGP's interface made concepts like public-key encryption, key signing, and trust models inscrutable to non-specialists. Participants took an average of 90 minutes attempting to send a single encrypted email, and a majority failed outright by sending messages in the clear or making errors that rendered the encryption useless. The core problem was design rather than intelligence or motivation, because the software forced users to reason about cryptographic primitives rather than their communication goals, expecting them to navigate key servers, trust models, and passphrase management that presumed a working knowledge of asymmetric cryptography.
This usability gap has narrowed as modern clients increasingly surface encryption as a toggle rather than a configuration ordeal, but it has not closed. As security engineer Soatok detailed in a 2026 analysis of email encryption's persistent failures, the reply-in-plaintext footgun remains in the hot path of everyday use. A hurried employee who hits Reply All on an encrypted thread can leak the entire chain, because quoting the original message is default behavior and encryption must be deliberately re-engaged. The asymmetry is punishing, since one encrypted conversation requires sustained vigilance from every participant across every reply, while one lapse by any participant exposes everything. Good security defaults protect the user automatically, yet email encryption defaults to exposure and requires conscious effort to maintain protection.
The psychological burden compounds in organizational settings. Cybersecurity awareness training teaches employees to scrutinize suspicious emails for phishing indicators, mismatched domains, and urgent language, yet the same employees are then asked to navigate public key fingerprints, judge whether a certificate authority is trustworthy, and understand why a padlock icon in an email client means something different from the padlock in a browser. When cognitive load exceeds a user's threshold, the user stops engaging with the security mechanism and defaults to whatever behavior completes the task fastest. That disengagement compounds an existing blind spot: according to the National Cybersecurity Alliance's 2025–2026 Oh Behave! The Annual Cybersecurity Attitudes and Behaviors Report, 52% of employed participants reported receiving no training on the security or privacy risks of AI tools, even as adoption of those tools climbs.
Metadata, Key Management, and Lost Access
The encryption that PGP and S/MIME provide covers the message and its attachments, while everything else travels in the clear: the To, From, Cc, and Bcc fields, the subject line, timestamps, attachment filenames, and the IP addresses of sending and receiving servers. This metadata exposure is a structural limitation of how email protocols were designed, because SMTP routing requires visible envelope headers to deliver messages, so encryption standards were layered on top of a system never architected for confidentiality. A passive adversary or any intermediate mail server can learn who is communicating with whom, when, how frequently, and with what subject lines, even when the body itself is unreadable.
The subject line is the most dangerous metadata vector because users treat it as content, writing subjects like "Re: Acquisition Target, Confidential" that effectively transmit sensitive information through a channel encryption never touches. As Soatok observed in the same analysis, knowing the subject line and which person replied to whom at what time can reveal a great deal even when the message contents stay unreadable. A government agency or private intelligence firm analyzing this metadata can construct a detailed picture of organizational decision-making without cracking a single ciphertext.
Key management introduces a separate category of operational burden. For email encryption to function at organizational scale, every employee needs a key pair, and those public keys must be distributed to every correspondent, verified for authenticity, stored securely, revoked when compromised, and rotated on a schedule. If a private key lives on a single device and that device is lost, stolen, or wiped without a backup, every encrypted email the employee ever received becomes permanently inaccessible, because there is no password reset for a lost private key. The mathematical design that makes the encryption strong also makes recovery impossible without an explicit key escrow mechanism, which itself creates a centralized target for cyberattackers and a compliance headache for organizations under data residency requirements.
Cross-border cryptography laws add a regulatory dimension to these technical challenges. Several jurisdictions restrict the import, export, or domestic use of strong encryption, including China's Commercial Cryptography Law and Russia's requirements for encryption tool registration. For multinational organizations, an encryption policy compliant in one jurisdiction may be illegal in another, and the employee sending an encrypted email rarely knows which regulatory regime governs the recipient's geography.
Deliverability, Forwarding, and Cross-Platform Compatibility Issues
Encrypted emails look like noise to automated content filters. An email gateway that cannot inspect a properly encrypted body cannot determine whether the message contains malware, phishing links, or spam, so encrypted messages are more likely to be flagged, quarantined, or silently dropped by recipient mail servers. Organizations that rely on email encryption for sensitive communications may never learn their messages were never delivered, because the mechanism that protects confidentiality also prevents reliable delivery confirmation.
Forwarding an encrypted email introduces a cascade of compatibility failures. If Alice sends an encrypted message to Bob and Bob forwards it to Carol, the forwarded copy is encrypted with Bob's public key, which Carol cannot decrypt, so forwarding almost always breaks encryption and the message arrives as an unreadable attachment or a garbled block of ciphertext. The workflow business users take for granted, forwarding to legal, looping in a manager, copying the client, is fundamentally incompatible with end-to-end email encryption as it exists today.
Multi-device access magnifies these problems. An employee who sends encrypted email from a desktop expects to read replies on a phone, but the private key that decrypts those replies must be present on both devices. Different clients implement S/MIME and PGP differently, with variations in supported algorithms, certificate handling, and UI behavior, so an encrypted message composed in Apple Mail may display differently, or fail to decrypt, in Microsoft Outlook. The interoperability that makes plain email universally functional across providers is precisely what encryption sacrifices.
The net effect is an environment where email encryption works best in homogeneous, technically sophisticated, tightly managed deployments and worst in the heterogeneous, cross-organizational, time-pressured reality where most business email actually happens. The protection is real, and so is the friction. Organizations that recognize these structural limits stop treating encryption as a standalone solution and start building the human-layer defenses that catch what the technology does not address.
Every encrypted thread is one hurried Reply All away from leaking an entire conversation. Adaptive Security turns the human habits encryption depends on into a measured cybersecurity awareness training program.
Email Encryption Best Practices for Organizations
Effective email encryption demands a defense-in-depth approach that removes human guesswork, enforces transport-level protection, and prepares for cryptographic threats still on the horizon. Security and IT leaders must take four steps. Enforce TLS across all mail servers with MTA-STS and DANE to block downgrade attacks. Deploy S/MIME or PGP with structured key management for sensitive communications. Automate policy-based encryption triggered by DLP rules and compliance tags. Build crypto agility, the ability to swap cryptographic algorithms without rebuilding the underlying infrastructure, into systems now so the transition to post-quantum algorithms does not become a crisis later. Encryption alone cannot defend a compromised endpoint, so every deployment must sit alongside multi-factor authentication, strong password policies, and endpoint protection.
1. Enforce TLS with MTA-STS and DANE
Transport Layer Security encrypts email in transit between mail servers, but opportunistic TLS, the default on most systems, falls back to plaintext if the receiving server does not advertise TLS support. A cyberattacker positioned between two mail servers can strip the encryption negotiation entirely and read every message in cleartext. This is not a theoretical attack; it is a well-understood downgrade vector that opportunistic TLS cannot prevent on its own.
MTA-STS (Mail Transfer Agent Strict Transport Security), defined in RFC 8461, closes this gap. It allows domain owners to publish a policy via HTTPS declaring that their mail servers support TLS and that sending servers must refuse delivery if a secure connection cannot be established. The policy file lives at a well-known URL and is cached by sending servers for the duration specified in the policy's max_age directive. When a sending server encounters a TLS negotiation failure against an MTA-STS-protected domain, it queues the message and retries or generates a non-delivery report rather than falling back to plaintext, and either outcome is better than delivering sensitive content over an unprotected channel.
DANE for SMTP (DNS-Based Authentication of Named Entities), defined in RFC 7672, reaches the same destination by a different path. Instead of relying on HTTPS and certificate authorities, DANE publishes a TLSA record in the domain's DNSSEC-signed DNS zone that specifies exactly which certificate or public key the receiving server must present, eliminating the certificate authority as a single point of trust failure. This model appeals to organizations with strict cryptographic sovereignty requirements.
Adoption of both protocols remains low. According to a 2025 URIports survey of the top 1 million domains, only 5,609 domains, just 0.6%, published an MTA-STS policy, up from 0.4% a year prior. DANE adoption is even lower because it requires DNSSEC, which remains far from universal among large enterprises. The overwhelming majority of domains still accept plaintext email delivery when a TLS negotiation fails, and most organizations would never know the downgrade occurred.
Implementation starts with publishing an MTA-STS policy in testing mode with a short max_age value. Testing mode reports TLS failures via TLS-RPT without blocking delivery, giving administrators visibility into connection problems before enforcement begins, and TLS-RPT aggregates failure data into daily JSON reports that reveal which sending servers are failing TLS and why, whether expired certificates, mismatched hostnames, or protocol mismatches. Once the reports show clean delivery across all legitimate senders, administrators switch the policy to enforce mode and extend max_age to weeks or months. For DANE, the prerequisite is a DNSSEC-signed zone, after which TLSA records can be published for each MX host. Both protocols run simultaneously for defense in depth, since they are complementary rather than mutually exclusive.
A lapsed certificate on a single edge server can silently downgrade an entire domain to plaintext. Adaptive Security keeps human oversight sharp where automated encryption controls fail quietly.
2. Automate Email Encryption with Policy-Based Rules
Manual email encryption, asking employees to decide whether a message seems sensitive enough to encrypt, fails every time it is tested at scale. People underestimate sensitivity under time pressure, forget to click the encrypt button, or do not realize a routine-looking message contains regulated data. The only reliable approach is to take the decision away from the sender entirely.
Policy-based encryption engines integrate with data loss prevention systems to scan outbound content, attachments, and metadata in real time. A policy trigger can be a credit card number pattern, a HIPAA-covered diagnosis code, a SOC 2 control identifier, a keyword like "confidential" or "attorney-client privileged," or a compliance tag applied by the sender or an upstream system. Whenever a message matches one of these rules, the encryption gateway applies the appropriate cryptographic envelope automatically before the message leaves the organization's boundary, so the sender never touches a button and the recipient receives an encrypted message regardless of whether the sender considered encryption relevant.
Rules should be configured hierarchically. Broad organization-wide policies, such as encrypting all messages containing Social Security numbers, sit at the top, and department-level rules overlay them, so finance encrypts external messages with invoice attachments, legal encrypts anything tagged with matter numbers, and HR encrypts communications containing employee ID numbers. Role-based exceptions handle edge cases without weakening the default. A CFO who regularly sends non-sensitive press commentary externally should not carry the same blanket rules as an accounts payable clerk handling vendor banking details.
For internal and high-trust external communications, organizations should deploy S/MIME or PGP with a structured key management lifecycle. S/MIME integrates natively with most enterprise clients, including Outlook, Apple Mail, and many mobile clients, while PGP offers greater flexibility for cross-organizational and non-Microsoft environments. The operational burden lies in key issuance, renewal, revocation, and recovery rather than in the encryption itself. Organizations should issue certificates through an internal certificate authority or a managed PKI service, automate certificate renewal at least 30 days before expiration, and maintain an escrowed recovery key so encrypted emails remain accessible during e-discovery and compliance audits even when an employee leaves or loses a private key. Without key escrow, encrypted email becomes a compliance liability the moment a custodian becomes unavailable.
3. Train Users and Audit Email Encryption Configurations
Encryption technology fails when the people using it do not understand what it protects and what it leaves exposed. Employees must recognize the visual and behavioral indicators of encrypted versus unencrypted email, including the lock icon, the banner text, and the absence of those signals, and understand exactly what each state means for the sensitivity of the information they are about to share.
A message sent over TLS between two MTA-STS-protected domains is encrypted in transit but sits in plaintext in both the sender's sent items and the recipient's inbox. An S/MIME-encrypted message is protected end-to-end, but only if both parties hold valid certificates. A message labeled encrypted by a gateway appliance may have traveled the first hop securely and the final hop in cleartext. Organizations should show employees what encrypted and unencrypted messages actually look like in their specific client and reinforce these signals through ongoing security awareness training. Tabletop exercises where employees classify realistic scenarios, such as judging whether a wire-instruction email showing a lock icon is safe to send, turn abstract encryption states into decisions people can make under pressure. As NIST computer scientist Julie Haney and University of Maryland Associate Professor Wayne Lutters concluded in their peer-reviewed analysis published in Computer (October 2020), compliance metrics do not tell the whole story and fail to measure whether a program produces sustained change in employee attitudes and behaviors.
Configurations should be audited quarterly. Security teams pull TLS-RPT aggregate reports and review failure rates by sending domain, verify that every mail server, gateway, and relay enforces TLS 1.2 or higher with deprecated cipher suites disabled, and check certificate expiration dates across all SMTP endpoints, because a single expired certificate on an edge server can silently downgrade an entire domain to plaintext. Teams also validate that MTA-STS policies are reachable, syntactically valid, and in enforce mode for production domains, and confirm that S/MIME and PGP certificates are current, revocation lists are published, and escrowed recovery keys are accessible.
Supplementary measures close the gaps encryption cannot address. Multi-factor authentication prevents a cyberattacker who steals credentials from reading plaintext messages directly, strong password policies reduce the credential-theft attack surface, and endpoint protection with full-disk encryption ensures that a stolen laptop does not surrender its locally cached email store. Encryption protects data on the wire; these controls protect data at rest and at the point of access, and each is only half a defense without the other.
Integration with archiving and e-discovery deserves specific attention, because encrypted email has a habit of breaking compliance tools. Most archiving systems index and search plaintext email by default, but an S/MIME-encrypted message stored in a journal mailbox is opaque, so the archive cannot read the body, index attachment contents, or respond to legal hold queries that depend on keyword matching. Organizations solve this by decrypting messages at the gateway before journaling or by storing decrypted copies in a secure, access-controlled archive separate from the user-facing mailbox, preserving encryption benefits in transit while remaining able to respond to litigation and regulatory inquiries.

4. Prepare Email Encryption for Post-Quantum Cryptography
The algorithms protecting email today, RSA, ECDH, and ECDSA, are secure against classical computers but will crumble under a sufficiently powerful quantum computer running Shor's algorithm. The question is when this will happen, and whether an organization will have migrated before it does.
In August 2024, NIST released its first three finalized post-quantum cryptography standards. FIPS 203, known as ML-KEM, is a key encapsulation mechanism built on lattice-based cryptography. FIPS 204, known as ML-DSA, is a lattice-based digital signature algorithm. FIPS 205, known as SLH-DSA, is a stateless hash-based digital signature algorithm that serves as a backup in case lattice-based approaches are broken. NIST has urged administrators to begin integration immediately because full migration will take years, and the CNSA 2.0 timeline from the U.S. government requires purely post-quantum algorithms in national security systems by 2035, with commercial adoption likely to accelerate ahead of that deadline.
For email encryption specifically, the implications are straightforward but operationally significant. S/MIME and PGP both depend on public-key cryptography that will need quantum-resistant replacements, TLS will require post-quantum key exchange algorithms, and every certificate in the infrastructure, mail server, client, signing, and root CA, will need reissuing under quantum-resistant algorithms. Organizations that built their encryption around a single algorithm or a hard-coded certificate format will face a forklift upgrade, while organizations that prepared for crypto agility will make the transition with far less disruption.
Crypto agility should be built now, even if post-quantum algorithms feel years away. Organizations should select encryption products and libraries that support algorithm negotiation and modular cipher suites rather than hard-coded RSA-2048, choose a public key infrastructure that supports algorithm agility through its certificate templating and issuance workflows, and monitor NIST's ongoing standardization process, since additional algorithms are under evaluation and the final portfolio may shift before commercial products stabilize. The most expensive mistake an organization can make today is architecting an encryption deployment that assumes RSA and ECC will remain viable indefinitely, because they will not, and NIST has already published the replacements.
How Adaptive Security Closes the Gap Email Encryption Leaves Open
Email encryption protects messages in transit and at rest, yet the majority of breaches begin with phishing and social engineering that exploit human decision-making rather than weak cryptography. The controls that stop a well-crafted phishing email, a deepfake wire-transfer request, or a hurried Reply All that leaks an encrypted thread live in the human layer, exactly where encryption offers no coverage. Closing that gap is a matter of building measurable readiness in the people who send, receive, and act on email every day.
Adaptive Security addresses the human layer that technical controls cannot reach, combining a cybersecurity awareness training program with realistic phishing simulations that build genuine detection skills across email, SMS, and voice. Rather than treating awareness as an annual compliance exercise, the platform surfaces where risk actually concentrates, targets reinforcement to the employees and behaviors that need it most, and turns abstract encryption states into decisions employees can make correctly under pressure. The outcome is a workforce that recognizes and reports the cyber threats that pass every cryptographic check.
Organizations that pair strong email encryption with sustained human-layer defense stop breaches that neither control could prevent alone. Encryption secures the channel, and Adaptive Security secures the judgment of the people on either end of it, so a single lapse no longer undoes an entire security investment.
No cryptographic control can stop a phishing email that decrypts perfectly into a convincing lure. Adaptive Security builds the human readiness that catches what encryption cannot filter.
Frequently Asked Questions About Email Encryption
Can Encrypted Emails Still Be Intercepted or Hacked?
Yes, encrypted emails can still be intercepted and compromised, because encryption protects message content without making email invulnerable. According to Microsoft Security, common cyber threats include man-in-the-middle attacks on improperly configured connections, compromised private keys that let cyberattackers decrypt stored messages, and TLS downgrade attacks that force a connection back to plaintext. Email using opportunistic TLS rather than enforced TLS is especially vulnerable, and if a cyberattacker breaks into the recipient's endpoint through malware or credential theft, they can read decrypted messages directly. Email encryption secures the transmission channel but cannot defend against endpoint compromise, stolen keys, or misconfigured servers.
What Happens If an Organization Loses Its Private Encryption Key?
In most cases, losing a private encryption key means permanent loss of access to the associated encrypted emails. With PGP and OpenPGP, the private key is the only mechanism capable of decrypting messages encrypted to the corresponding public key, and as eM Client states plainly, a lost private key cannot decrypt messages and no central authority can recover it. S/MIME offers more recovery options in enterprise settings, where organizations running a centralized public key infrastructure can implement key escrow or recovery processes that let administrators restore access, and some S/MIME certificate authorities offer key backup services. The most reliable protection against permanent data loss is generating and securely storing a revocation certificate and a private key backup at the time of creation.
Does Email Encryption Prevent Phishing Attacks?
No, email encryption does not prevent phishing attacks. Encryption scrambles message content so that only the addressee can read it, yet it does nothing to verify whether that content is malicious, so a phishing email containing a fraudulent link or attachment can travel over a fully encrypted TLS connection and still reach the inbox looking legitimate. The cyber threat lies in the content and the recipient's decision to engage with it rather than in whether the transmission channel was secured. According to the FBI Internet Crime Complaint Center's 2025 Internet Crime Report, internet crime drove $20.877 billion in reported losses, a 26% jump over the prior year, much of it beginning with exactly this kind of message.
According to the Microsoft Security 101 guide, encryption reduces risk without eliminating threats entirely. Stopping phishing requires a separate layer of defense, combining cybersecurity awareness training that teaches employees to recognize social engineering with phishing simulations that build real-world detection skills.
What Is the Difference Between Secure Email and Encrypted Email?
Secure email is a broad term for an ecosystem with multiple layers of protection, while encrypted email refers specifically to the cryptographic scrambling of message content. A secure email system includes encryption plus access controls, multi-factor authentication, spam filtering, data loss prevention, and audit logging. According to Paubox, secure email is the overarching framework and encrypted email is one technical component within it. An email can travel over an encrypted TLS connection without the overall environment being truly secure, which matters because organizations sometimes assume enabling encryption alone makes their email secure, when human-layer defenses are equally necessary to address the phishing and social engineering that no encryption protocol can stop.
Key Takeaways on What Is Email Encryption
- Email encryption scrambles message content so only authorized recipients can decrypt it, protecting communications in transit and at rest while leaving data in use unaddressed.
- Understanding what is email encryption at the protocol level means recognizing that TLS secures the connection between mail servers hop by hop, while PGP and S/MIME secure the message itself end-to-end.
- Email encryption defeats network-layer cyber threats such as man-in-the-middle interception, passive eavesdropping, and tampering, but it cannot stop phishing, compromised endpoints, malicious insiders, or social engineering.
- Nearly every major regulatory framework, including HIPAA, PCI DSS, GLBA, GDPR, and CMMC, treats email encryption as an expected control, often paired with a breach-notification safe harbor for encrypted data.
- Choosing an email encryption deployment model, gateway-based, client-side, or server-side, depends on which cyberattackers the organization must defend against and where plaintext is allowed to exist.
- The hardest part of email encryption is rarely the cryptography itself; key management, usability, and metadata exposure are what demand operational discipline more than stronger ciphers do.
- Sustained cybersecurity awareness training is what closes the human-layer gap encryption cannot cover, turning employees into a reliable line of defense against the phishing that arrives inside encrypted messages.
Strong encryption still leaves the human layer exposed to every phishing email that decrypts cleanly. Adaptive Security pairs technical controls with cybersecurity awareness training that turns employees into the defense encryption cannot provide.
As experts in cybersecurity insights and AI threat analysis, the Adaptive Security Team is sharing its expertise with organizations.
Get started with Adaptive Security
Get started


