In our increasingly digitized world, the business landscape relies less and less on analog solutions with every passing day. What we now call “snail mail” was once the only way to officially communicate via written documents. Now, virtually all businesses use email for important communications. And just as it’s always been extremely important to safeguard physical mail, many types of email encryption for security purposes have become vital for all businesses.
We’re far removed from the first fax machines, invented in 1843. Over 100 years later, in 1971, the first email was sent. Fast forward to 2020, and the sheer volume of email sent every day makes protecting it a key element of any business’s cybersecurity. To protect an email’s contents, and the security of both its senders and recipients, you need encryption.
5 Different Types of Email Encryption
Email encryption is a major innovation in cybersecurity. It takes cryptography, which has been around for millennia, and adapts it to protect communications in the digital age. At its base, cryptography works by transforming a message into a secret code. Unlike the passwords of old, that code cannot be deciphered by a human, at least not without the proper access.
Encryption is absolutely essential for keeping your emails—and company—safe.
But it’s also a complex arena of cyberdefense, with different kinds of best practices to consider. In the sections that follow, we’ll break down five of the most essential types of email encryption. Then, we’ll also take a deeper look into some other methods of email security to be used in addition to, or instead of, the most robust encryption options.
It’s worth noting that encryption is not the only way to keep your emails safe. Individuals and companies also use other mechanisms to prevent cyberattacks via email.
What Types of Email Security Are There?
Encryption is a way to safeguard email in the event that it has been compromised and has fallen into the possession of someone who was not supposed to have it—whether by outright theft or as a result of negligence. But there are also measures in place to prevent emails from reaching cybercriminals and other parties who shouldn’t read them.
The most common and useful forms of email security fall into three categories:
- Gateways
- Authentication
- Encryption
Of these three, the biggest and most important part is encryption. Gateways and authentication are attempts at preventing email from being stolen. But without encryption, any email that is intercepted or otherwise compromised would become an immediate security hazard.
With encryption enabled, even stolen mail may not be readable by the thief.
Encryption also comes in several different forms, and there are multiple tools and protocols that can come into play, sometimes even in combination with each other.
Every Encryption Security Type for Email
Encryption is an extremely complex and dynamic field. It has to be, because it relies on the codes it produces being practically impossible for an attacker to crack. That said, the baseline mechanics of how encryption works break down into relatively straightforward parameters.
Overall, there are actually only two main variants of email encryption. These then break down into several similar but distinct tools or protocols. The two main categories are:
- Transport level encryption – The email’s contents are secured while in transit between sender and receiver, but not (necessarily) before or after transit. This form of encryption is somewhat less robust, but is also often more affordable.
- End to end encryption – The email’s contents are safeguarded at the end points. An outgoing email is encrypted when it leaves the sender and is only decrypted when the recipient receives it. This is the more robust option, but the extra protection it provides also typically comes at a steeper price.
In discussing the various tools and protocols that use either one of these types of encryption, we’ll provide more details about how each model works in practice.
#1: STARTTLS
This is one of the most widely used forms of transport level encryption.
It uses Transport Layer Security (TLS), the successor to the now deprecated Secure Sockets Layer (SSL) protocol. Specifically, STARTTLS is an opportunistic TLS command that upgrades a plain text connection to an encrypted one.
The STARTTLS command for the Simple Mail Transfer Protocol (SMTP) is defined in RFC 3207. SMTP has long been the standard for sending email, while receipt of email is commonly handled by the Internet Message Access Protocol (IMAP) and the Post Office Protocol (POP3); STARTTLS for IMAP and POP3 is defined in RFC 2595.
How does it work? The STARTTLS command requests encryption for messages while they are in transit, so neither the sender nor the recipient (nor their mail software) needs to take any action to read the message’s contents. This is an effective counter to passive monitoring, but because the upgrade is opportunistic, it can leave email contents vulnerable to “man in the middle” attacks: an active attacker who suppresses the STARTTLS offer causes the connection to fall back silently to plain text.
To address this vulnerability, there’s…
#2: DANE or MTA-STS
As noted above, STARTTLS encryption is a solid baseline for any email communication, and protecting messages in transit can be layered with the other kinds of encryption detailed below. However, on its own it leaves your messages open to interception by an attacker positioned on the network path between the two mail servers.
There are two countermeasures available to help maximize the security of STARTTLS and all transport level encryption:
- DNS based Authentication of Named Entities (DANE)
- Message Transfer Agent Strict Transport Security (MTA-STS)
The first, DANE, builds on the DNS Security Extensions (DNSSEC). DANE is defined for SMTP in RFC 7672. It prevents “STRIPTLS” (literally stripping TLS away from the connection) by letting a domain publish, in signed DNS records, a requirement that TLS be used when delivering mail to it.
The second, MTA-STS, was drafted by a group including some of the biggest and most widely used email providers in the market. It serves the same purpose as DANE, but relies on the certificate authority (CA) system and trust on first use (TOFU) rather than DNSSEC.
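To make the difference between opportunistic STARTTLS (#1) and an enforced MTA-STS policy (#2) concrete, here is an added Go example; it is not code from the original article or from any mail server. It parses a policy in the MTA-STS text format of RFC 8461, checks an EHLO reply for the STARTTLS capability, and returns the sending server’s delivery decision. Fetching the policy over HTTPS and the actual TLS handshake are left out; the domain example.com, the policy text, the EHLO replies and the function names are constructed assumptions for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Policy holds the fields of an MTA-STS policy file (RFC 8461, section 3.2).
type Policy struct {
	Version string
	Mode    string   // "enforce", "testing" or "none"
	MX      []string // permitted MX hostnames; a leading "*." matches exactly one label
	MaxAge  int      // seconds the policy may be cached
}

// ParsePolicy parses the "key: value" lines of a policy file.
func ParsePolicy(text string) (Policy, error) {
	var p Policy
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" {
			continue
		}
		key, val, ok := strings.Cut(line, ":")
		if !ok {
			return p, fmt.Errorf("malformed policy line %q", line)
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		switch key { // unknown keys are ignored so future extensions still parse
		case "version":
			p.Version = val
		case "mode":
			p.Mode = val
		case "mx":
			p.MX = append(p.MX, strings.ToLower(val))
		case "max_age":
			n, err := strconv.Atoi(val)
			if err != nil || n < 0 {
				return p, fmt.Errorf("bad max_age %q", val)
			}
			p.MaxAge = n
		}
	}
	if p.Version != "STSv1" || (p.Mode != "enforce" && p.Mode != "testing" && p.Mode != "none") {
		return p, errors.New("unsupported version or invalid mode")
	}
	return p, nil
}

// MXAllowed reports whether host matches one of the policy's mx patterns.
func (p Policy) MXAllowed(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, pat := range p.MX {
		if strings.HasPrefix(pat, "*.") {
			suffix := pat[1:] // "*.example.com" -> ".example.com"
			label := strings.TrimSuffix(host, suffix)
			if label != host && label != "" && !strings.Contains(label, ".") {
				return true
			}
		} else if pat == host {
			return true
		}
	}
	return false
}

// OffersStartTLS reports whether a multi-line EHLO reply advertises STARTTLS.
// Reply lines look like "250-STARTTLS", or "250 STARTTLS" on the final line.
func OffersStartTLS(ehlo string) bool {
	for _, line := range strings.Split(ehlo, "\n") {
		line = strings.TrimSpace(line)
		if len(line) > 4 && strings.HasPrefix(line, "250") &&
			strings.EqualFold(strings.TrimSpace(line[4:]), "STARTTLS") {
			return true
		}
	}
	return false
}

// Decide is the sending MTA's choice once it knows the policy, the MX host it
// was routed to, the server's EHLO reply and whether the certificate verified.
func Decide(p Policy, mxHost, ehlo string, certValid bool) string {
	if OffersStartTLS(ehlo) && certValid && p.MXAllowed(mxHost) {
		return "deliver over TLS"
	}
	if p.Mode == "enforce" {
		return "refuse delivery: policy violation"
	}
	// "testing" or "none" behaves like plain opportunistic STARTTLS: fall back to cleartext.
	return "deliver in cleartext (downgrade possible)"
}

// Constructed sample inputs for a made-up domain; not from any real deployment.
const SamplePolicy = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.example.com\nmax_age: 86400\n"
const EhloWithTLS = "250-mail.example.com\n250-SIZE 52428800\n250-STARTTLS\n250 8BITMIME"
const EhloStripped = "250-mail.example.com\n250-SIZE 52428800\n250 8BITMIME"
```

With the sample policy in enforce mode, `Decide` delivers only when STARTTLS is offered, the certificate verifies and the MX host is one the policy lists; a stripped EHLO reply, a bad certificate or an unexpected MX all refuse delivery. Change the mode to testing and the same stripped reply falls back to cleartext, which is the downgrade that plain STARTTLS cannot prevent.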
Most email is protected by STARTTLS or another form of transport level encryption. But when these measures aren’t enough, strong end to end options also offer premium protection.
#3: Bitmessage
This protocol has been a major player in encryption since its first release in November 2012. Its original author, Jonathan Warren, based the system’s overall design on the then-novel cryptocurrency Bitcoin. It was released under the liberal MIT license.
Shortly afterward, it experienced a surge in popularity following 2013’s revelations of US governmental surveillance of email. Concerned individuals and businesses sought a simple way to prevent agencies like the National Security Agency (NSA) from spying on them. Enter Bitmessage’s revolutionary peer to peer authentication.
Some qualities of Bitmessage that make it a powerful security tool include:
- Hermetic encryption
- Hidden sender and recipient
- Trustless (zero trust) framework
- Proof of Work (POW) requirement
Bitmessage is extremely useful and popular, but it’s far from the only end to end encryption option. It’s often best suited for individuals or smaller businesses rather than bigger companies.
#4: GNU Privacy Guard
Also known as GnuPG or GPG (not to be confused with one of the next items on this list), GNU Privacy Guard is an intricate hybrid model for encryption. How does it work, exactly?
It uses both public key and symmetric key cryptography, for convenient key exchange and for speed respectively. Each party holds an asymmetric key pair, one for the sender and one for the recipient, and their public keys must be exchanged. Because a public key can be substituted during that exchange, it’s important to verify the identity behind a key so that a hacker can’t pose as either party and read the email contents.
GnuPG is free software developed as part of the GNU Project. As such, it shares the principles of that overarching framework, including the freedom to use, share, study, and modify it. It has also received a large share of its funding from the German government. GnuPG complies with RFC 4880, the OpenPGP standard that also governs PGP.
Which brings us to our next point.
#5: PGP and S/MIME
These are two of the most important and widely used protocols for end to end email encryption—the vast majority of email clients enable some combination of PGP and S/MIME.
PGP stands for “Pretty Good Privacy,” but its reputation far exceeds its name. PGP was developed by Phil Zimmermann and first released in 1991. Now, it’s a gold standard for email encryption worldwide. It works by chaining a series of algorithms that combine hashing, compression, and cryptography using both symmetric and public keys.
What does that all mean? The process of encrypting and decrypting looks like this:
- It starts with a piece of data and a randomly generated session key
- The data is encrypted using the random key, locking it away
- The random key is itself encrypted with the receiver’s public key
- The locked data and the encrypted key together form the encrypted message
- The receiver’s private key decrypts the random key, which then unlocks the data
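The five steps above, which are also the hybrid model GnuPG uses (#4), as a runnable Go example. This is added illustration code, not code from the article, PGP or GnuPG, and it does not produce OpenPGP-format messages: it uses AES-256-GCM to lock the data and RSA-OAEP to wrap the random session key, which is the same idea with the Go standard library’s primitives. The function names, the 2048-bit key size and the sample messages are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is the "locked data plus encrypted key" bundle from the steps above.
type Envelope struct {
	WrappedKey []byte // random session key, encrypted with the receiver's public key
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // the message sealed under the session key, auth tag appended
}

// newGCM turns a raw 32-byte session key into an AES-256-GCM cipher.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt performs steps 1-4: random key, lock the data, wrap the key, bundle.
func Encrypt(plaintext []byte, receiver *rsa.PublicKey) (Envelope, error) {
	sessionKey := make([]byte, 32) // step 1: random AES-256 key
	if _, err := rand.Read(sessionKey); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil) // step 2: lock the data
	// step 3: only the receiver's private key can unwrap the session key
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, sessionKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil // step 4
}

// Decrypt performs step 5: unwrap the session key, then open the data.
// Any change to the ciphertext fails GCM authentication and returns an error.
func Decrypt(env Envelope, receiver *rsa.PrivateKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key (wrong private key?)")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip generates a receiver key pair, encrypts msg to it and decrypts it again.
func RoundTrip(msg string) (string, error) {
	receiver, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	env, err := Encrypt([]byte(msg), &receiver.PublicKey)
	if err != nil {
		return "", err
	}
	out, err := Decrypt(env, receiver)
	return string(out), err
}

// TamperDetected reports whether flipping one ciphertext bit makes Decrypt fail.
func TamperDetected(msg string) (bool, error) {
	receiver, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	env, err := Encrypt([]byte(msg), &receiver.PublicKey)
	if err != nil {
		return false, err
	}
	env.Ciphertext[0] ^= 0x01 // simulate modification in transit
	_, err = Decrypt(env, receiver)
	return err != nil, nil
}
```

The public-key operation is applied only to the 32-byte session key, never to the message itself, which is why the hybrid design is fast for large mails; the authenticated mode (GCM) also means a message altered in transit is rejected rather than decrypted to garbage. The web of trust or a CA (next section) is what tells the sender that the public key really belongs to the receiver; nothing in this code checks that.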
PGP is powered by a web of trust concept that establishes the legitimacy of a public key’s ownership by degrees of separation between individuals. This is a decentralized model, but there are also centrally managed public key models available.
Enter Secure/Multipurpose Internet Mail Extensions, also known as S/MIME.
S/MIME requires each user to obtain a certificate for their key from a particular CA, whether internal to the company or public. In this way, its relationship to PGP is similar to that of MTA-STS to DANE: essentially the same functionality, just using a different trust model.
Encryption is one part of email security, but it isn’t the only thing to invest in.
Other Types of Email Security
Email encryption exists to protect the contents of your email from being stolen and used to harm your company and its stakeholders. That includes both the text and media contents of emails, as well as important metadata that might not be obvious to the naked human eye.
But this form of theft isn’t the only danger posed by email. Another big one? Social engineering.
Often, attackers send emails in an attempt to coax important information out of an employee. These emails are disguised to look like ordinary messages from superiors, peers, or any other innocuous party, but the attachments and links within them can lead to security breaches that do irreversible damage to the individual and to the company.
To protect yourself from “phishing” and similar attacks, you’ll need a firewall to begin with. But that’s often not enough; you should also consider architectural solutions.
Robust Web Filtering
RSI Security’s proactive web filtering services go beyond the basic functionality of a firewall. By using the innovative Cisco Umbrella technology, which was once known as OpenDNS, you can prevent media and links found in emails from launching malicious websites. That way, even if a careless error leads to an errant click, your company may not be hurt by one small mistake.
Cisco Umbrella proactively screens all incoming data beyond the cursory check it needs to pass through your firewall. It’s an effective and affordable solution for businesses of all sizes. However, in order to optimize it for your needs, you’ll need intensive analysis and training.
That’s where we come in. RSI Security will provide an in-depth consultation to fully prepare your company for Cisco Umbrella, walking you through the entire implementation process.
Professional Cybersecurity You Can Trust: RSI Security
RSI Security is dedicated to assisting businesses of all sizes with cyberdefense practices and solutions. We know how important email security is, and we also know just how easy it can be to have an email intercepted or otherwise compromised.
We’re your first and best option when it comes to securing your email. But that’s not all. We’re industry leaders with over a decade of experience providing a wide variety of cybersecurity services, including but not limited to:
- Architecture and implementation
- Compliance advisory services
- Incident management
- Penetration testing
- Virtual CISO
No matter what kind of cybersecurity concerns you have, we can help you—whether it’s understanding your system intuitively or patching up known vulnerabilities.
Contact RSI Security today for powerful guidance in all types of email encryption and security, as well as robust solutions to any cyberdefense issues facing your organization.