Email: Overview

Why Encrypted Email?

Everyone needs email. Everyone has email.

What is end-to-end encryption (E2EE) encryption in email?

End-to-end encryption (E2EE) is a way of encrypting email contents so that nobody but the recipient(s) can read the email message.

How can I encrypt my email?

The standard way to do email E2EE and have it work between different email providers is with OpenPGP. There are different implementations of the OpenPGP standard, the most common being GnuPG and OpenPGP.js.

There is another standard that was popular with business called S/MIME, however it requires a certificate issued from a Certificate Authority (not all of them issue S/MIME certificates). It has support in G Suite Enterprise/Education and Office 365 Business or Exchange Server 2016, 2019.

What software can I use to get E2EE?

Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the email clients we recommend. This can be less secure as you are now relying on email providers to ensure that their encryption implementation works and has not been compromised in anyway.

How do I protect my private keys?

A smartcard (such as a Yubikey or Nitrokey) works by receiving an encrypted email message from a device (phone, tablet, computer etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device.

It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device.

Email metadata

Who can see the email metadata?

Email metadata is able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients. Sometimes email servers will also use external parties to protect against spam.

What is email metadata?

Email software will often show some visible headers that you may have seen such as: To, From, Cc, Date, Subject.

When is email metadata used?

Client software may use it to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among other purposes not transparent to the user.

Where is the email metadata?

Email metadata is stored in the message header of the email message.

Why can't email metadata be E2EE?

Email metadata is is cruicial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally and is also optional, therefore, only the message content is protected.

How is my metadata protected?

When emails travel between email providers an encrypted connection is negotiated using Opportunistic TLS. This protects the metadata from outside observers, but as it is not E2EE, server administrators can snoop on the metadata of an email.

Why PGP?

There are many reasons to use PGP over other email providers:

  • You can use it with any email service, even Gmail and Hotmail.
  • You can create the encryption and decryption keys on your own, so you don't have to trust anyone or any service if you don't want to.
  • PGP has the largest network for email encryption.


When using end-to-end encryption (E2EE) technology like PGP, email will still have some metadata that is not encrypted in the header of the email.

OpenPGP also does not support forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed.

Thus, when the highest security is needed, use the instant messaging system Signal

Last updated on