The academics who invented email aimed to improve and expedite communication between people. They clearly didn’t think a lot about restricting that communication to the right people. Read someone else’s email? How rude! In the modern world, most of us are aware that email isn’t a secure means of communication. Hackers, snoops, and even your email provider could be reading anything you write. Unless, that is, you encrypt that email to protect your privacy. Fortunately, there are utilities to help with email encryption. Some are free, some are simple to use, and some are both.
Wait, Isn’t My Email
You may remember a while ago when Google tweaked Gmail so that it always uses a secure HTTPS connection. That means it uses the standard Transport Layer Security (TLS) for encryption. This is good, but it’s the bare minimum. Every website should use HTTPS.
As of a couple years ago, Google says it no longer reads your mail. However, it’s easy to accidentally give mail-reading permission to third-party apps. And Google does read your messages sufficiently to do things like automatically put airline flight notifications in your calendar. Google also has a policy explaining when it will release your email to government entities, one that clearly indicates that it can do so if compelled.
Apple Mail supports full-on encryption and digital signatures. To enable these features, you must obtain a security certificate. There used to be quite a few sources for free certificates, but the list is shrinking. We used Actalis to obtain a cert for testing. With the certificate installed in your keychain, your emails are digitally signed by default. And if all the recipients of a message also have certs, you can click the lock icon to send the message encrypted.
A quick survey of my PCMag colleagues turned up exactly nobody who had installed an email security certificate, and this is a technically minded group. You’d expect even fewer ordinary consumers to have encryption enabled for their Apple Mail…except that you can’t go lower than zero.
In any case, Apple has had some glitches with encryption. Researchers in 2019 discovered unencrypted copies of secure emails in the database that Siri uses to better serve you. I think we can agree that Siri does not need to read our encrypted emails.
The point here is that your email provider’s goals aren’t centered on security and privacy. If you really want to protect your emails from prying eyes, look to a third-party company that puts security first.
Do I Have to Pay for Email Encryption?
Maybe you’re convinced that encrypting your email is a good thing, but are you convinced enough to pay for it with your hard-earned cash? Don’t worry: You don’t have to pay.
Preveil and Virtru are totally free. Both are simplified consumer-focused editions of enterprise-level products. Their “big brother” products bring in the cash.
You can also use ProtonMail and Private-Mail for free, but you must accept certain limitations. Smart consumers will set up a free account and see if the limitations chafe. If they do, converting to a paid account is simple. StartMail is the only product covered here that doesn’t have a free tier, though it does offer a 7-day free trial.
Do I Have to Change My Email Address?
On the one hand, starting fresh with a never-before-seen email address can be freeing. You know that the new address hasn’t been bandied about on the Dark Web or hoovered up by data aggregators. On the other hand, you must let all your contacts know that your address changed and reconfigure all your online accounts to use the new address.
ProtonMail, Private-Mail, and StartMail all require that you switch to a brand-new email address. As with any other webmail system, it must be unique within the system. But since these services don’t have the millions or even billions of users that a Gmail or Yahoo does, you may well be able to get your own name without tagging on a bunch of numbers or other characters. Wouldn’t you rather have a johndoe@ address than a johndoe18592@ one?
With Preveil and Virtru, you keep your existing email. In fact, Virtru requires that you use a Gmail address, and access it in Chrome. Preveil doesn’t limit you to any specific email provider. It integrates with Gmail and Outlook on Windows and Apple Mail on macOS, and with the native mail app on your mobile devices.
Who Can I Email?
Encrypting your messages does no good unless the recipient can decrypt them. Different products handle that end of the equation in a variety of ways.
The recipient of a Preveil message must install Preveil to read it, period. But since the product is free and easy to install, that’s not much of a limitation. Your communication is secured with military-level encryption, but you don’t have to remember passwords or do anything beyond choosing to encrypt the message.
Virtru also manages encryption keys outside your view. The recipient of a Virtru message clicks a link to view and reply to the message in a browser window, with no need to install Virtru.
StartMail, Private-Mail, and ProtonMail all use an encryption system called Pretty Good Privacy (PGP) to secure messages between users of their respective services. That means they can also exchange encrypted mail with users of other email systems that support PGP. Setting up the necessary key exchange to enable third-party PGP messaging can be difficult, though.
Those same three products also include a provision for securely communicating with those who both don’t use the service and don’t have a PGP key. While the implementations differ, the overall method is the same. You encrypt your message with a password and transmit the password to the recipient using a text, a phone call, or some other non-email communication.
How Is My Email Protected?
Using PGP encryption requires that you enter the PGP passphrase for your encryption key. When you send non-PGP encrypted messages, each can have its own password. Preveil and Virtru don’t require a password—your possession of a trusted device is enough for basic authentication. And yes, you can revoke trust for a lost device.
Whether basic authentication relies on a password or trusted device, you can crank up security by enabling two-factor authentication, when available. ProtonMail, Private-Mail, and StartMail all support two-factor authentication using Google Authenticator or any work-alike that can provide a standard Time-based One-Time Password (TOTP).
With Preveil, you need access to a trusted device (something you have), the password for your email account (something you know), and whatever authentication method you use to open the trusted device, typically a passcode or biometric system. It’s a form of multi-factor authentication, though not the traditional password-plus-TOTP type.
What Else Do I Get?
As noted, with some services you start fresh with a brand-new email address. But once you start using that address, once many different merchants and websites have it, it won’t stay pristine. That is, unless you never tell anybody your email address.
How can you email without giving away your address? By using a Disposable Email Address (DEA) service, that’s how. Such a service generates a one-off DEA every time you need to give out your address. Messages to that DEA show up in your regular inbox, and replies seem to come from the DEA. And if one of your DEAs starts to get spam or other problems, you can just delete it.
Private-Mail and StartMail can both create and manage DEAs. However, they’re rather limited compared to dedicated DEA utilities such as Burner Mail and ManyMe. Abine Blur goes beyond those two, letting you shop while hiding not only your actual email address but your credit card number and phone number.
With most of these services, you can share a file securely by attaching it to an encrypted message; Private-Mail is the exception, as it supports only plain text. It makes up for that lack by giving you encrypted cloud storage, along with the ability to securely share files from your encrypted storage. Preveil also offers cloud storage with secure sharing.
You can set ProtonMail and Virtru messages to expire after a given time. Private-Mail and ProtonMail let you set an away message when you won’t have email access. These two also include the ability to define filtering rules.
What’s the Best Service for Encrypting Your Email?
As you can see, all these products have their virtues, and each offers a different set of features. For its weapons-grade encryption, ease of use, and low price (free!), Preveil is our top pick and our Editors’ Choice winner. However, if you want a new email address for your encrypted messages, support for third-party PGP communication, or another unusual feature, you’ve got plenty of choices.