For much communication this is fine. For sensitive information, however, email is not generally considered suitable. (For example, it is far more secure to give your credit card number over the phone or, even better, via a properly secured and encrypted e-commerce site). If you cannot avoid sending sensitive and financial information via email, then your best option is to encrypt your email.

How does encryption work?

Email encryption works by scrambling the message so that it cannot be read without the proper key. Thus, this requires that the recipient has the key, called a ‘private key’ to decode the message. This key is matched with the public key used by the sender to encrypt. In theory, this means that the email is as safe as the private key is.

There are two common methods used to encrypt email:

  • PGP, which stands for Pretty Good Privacy. It compresses the text, including a session key, and then sends it. The recipient uses their private key to retrieve the session key, which then decrypts and decompresses the message. One advantage of PGP is that by compressing the email it helps reduce storage and bandwidth use.
  • S/MIME, which stands for Secure Multi-Purpose Internet Mail Extension. This uses a digital signature, which proves the identity of the person sending the email. The signatures have to match before the message can be read. This method is particularly useful for people who are concerned their messages may be spoofed.

What are the limitations of email encryption?

Email encryption is only as secure as the keys and digital signatures used to encrypt and decrypt it. If your PGP private key is stolen, you will have to change it quickly.

Some encryption services also require that the recipient have an account with the service or enter a password every time they need to read an email.

For example, Gmail has built-in encryption, but it only works properly if you are sending to another Gmail user. Additionally, it doesn’t prevent Gmail itself from scanning your emails to target advertising.

Your login credentials can still be intercepted, which may give somebody access to your keys or access to the service you are using. Because of this, you should use a VPN connection any time you send secure email.

VPN also helps block the EFAIL exploit. This works by using active content of html emails to obtain the plaintext (meaning that if you send all of your emails in plain text, it should also block this exploit).

EFAIL can also be mitigated by using an email encryption client separate from your regular mail client. Most of the vulnerability is in your email client, not the encryption methods.

Email also needs to be encrypted when it is stored, otherwise hackers may still get into your archive and read your messages.

Finally, too many users fall to the temptation of encrypting only the most sensitive emails. This tells hackers exactly which emails they should be trying to get into and can actually make their lives easier.

How do I get access to email encryption tools?

Obviously, it is possible to code your email server to use encryption. For smaller businesses without their own server or for individuals, though, your best bet is to subscribe to a secure email service.

Gmail, as mentioned above, offers some limited encryption capability, but it is insufficient for most people who are truly concerned about the sensitivity of the emails they are sending. Five of the best secure email services are listed below:



ProtonMail is perhaps the best known of the specific secure email services. It is based in Switzerland, and is so secure that if you lose your password even they can’t retrieve your emails (You should set up recovery information)


  • Free of charge (you can pay for more space and built-in VPN)
  • Does not keep any IP address information
  • Allows you to download your PGP keys
  • Works from any device


  • You have to have a paid account to personalize your signature
  • Does not support IMAP, SMTP, or POP3, meaning you have to use the web interface if working from a desktop. Given the EFAIL vulnerability this may be more secure, but…



CounterMail is a Swedish company that offers a very high level of security, and is designed for people who deal with financial information and other highly-sensitive information.


  • Does not keep any IP address information
  • Stores the cached emails on CD-ROMs, making it much harder for thieves to access them
  • Uses USB drive authentication
  • Supports IMAP and SMTP
  • Includes a password manager
  • Uses anonymous headers


  • Free trial only lasts a week, which may not be enough time for proper evaluation
  • The recipient also has to have an account for the email to be encrypted
  • Limited storage space
  • Some people may find the USB drive authentication a pain, especially when traveling



Hushail has been around since 1999 and has an excellent reputation. It has both business and personal options, a modern web interface, and keeps your email secure enough that even hushmail can’t read it.


  • Supports IMAP and POP
  • Offers two-step authentication
  • Includes a spam filter
  • Imports contacts


  • You have to hand over your phone number as well as an alternate email address to sign up



Mailfence is an OpenPGP based service, that provides end-to-end encryption. It is based in Belgium.


  • Includes digital signatures, which prevent email spoofing
  • Includes a spam filter
  • Imports contacts
  • Includes a calendar
  • Supports IMPA and SMTP as long as you use a secure connection
  • No ads
  • Sends mail through the address you used to sign up (rather than through their address)
  • Can be used to send faxes and text messages, albeit at a cost


  • Limited storage unless you pay
  • Requires an alternate email address
  • Stores the private keys on its own servers
  • Can only send to people with an OpenPGP key
  • Does not allow others to inspect their code


Tutanota is similar to ProtonMail. It is located in Germany, for legal and regulatory purposes. It has end-to-end encryption.


  • Apps for iOS and Android
  • Supports spam filters
  • Supports file attachments
  • Salts and hashes passwords with bcrypt for extra security


  • Only supports plain text emails
  • Does not support IMA
  • Cannot import contacts
  • When sending to people who are not Tutanota users, they will need a password to view the email, and they will only be able to view it in a web browser

Our overview

Using one of these services will help you keep your email secure from prying eyes. Adding a VPN will keep the email from being as easily intercepted by hackers who might find a way to decrypt it.

Either way, make sure you are not sending sensitive information through unsecure email. Again, it is a postcard, not a letter, and almost anyone can read it.

What encrypted email service is your favorite?

Secure your digital life with Surfshark

Only $1.99/mo. 30-day money-back guarantee with every plan