The Security of Email

Written 16/05/16

For a while now I've been meaning to write something about the security, or otherwise, of email. For us and our customers email is now the primary means of communicating with customers, suppliers, colleagues and service users, and it has largely taken over from the letter and, to a great extent, from the phone call. Certainly for us days can go by without the phone ringing, whereas emails come in thick and fast.

It's easy to forget in all of this that email is basically insecure. It's insecure in two main places.

Firstly, in transit. Generally speaking email is transmitted across the Internet unencrypted. The main exception is that many people now connect to their "smarthost", the outgoing mail server, over an encrypted connection, so the first leg is secure; from there on, as the message hops from server to server towards its destination, it may well travel in the clear, and anyone who can intercept it on the way can read its contents. Some mail servers do negotiate encryption between themselves (the SMTP STARTTLS extension), but that is opportunistic: it only happens when both ends support it, the servers as a rule don't verify each other's certificates, and an attacker sitting in the path can strip the offer and force the hop back to plain text, so you can't count on it.

The second area for concern is the incoming mail server, the place from which you read your email, either via POP or, more commonly, IMAP. Again this leg can be secure so long as you use an encrypted connection, and that's what we offer at The Hug for people with a mail account with us. However, if you choose to connect unencrypted (plain IMAP on port 143 rather than IMAPS on port 993, and without your mail program upgrading the port 143 session to TLS with STARTTLS before it logs in) then both your password and your emails are again transmitted across the Internet unencrypted. Of the two the password is the bigger loss: with it an eavesdropper can read everything in the mailbox, not just what happened to be in flight.

It follows from this that if you use encryption to send email to your mail server and you're sending it to someone on the same mail server (say a colleague working for the same organisation) then the email probably never crosses the network in the clear, but that's very much the exception to the rule, and even this isn't certain: sometimes the incoming and outgoing servers are on different physical machines, and then it depends how they are connected [1]. Note that even in this best case the message is not encrypted "end to end" in the strict sense: it sits in plain text on the server, readable by whoever runs or breaks into it. Only a scheme where sender and recipient encrypt the content themselves, such as PGP or S/MIME, closes that gap.
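Every mail server that handles a message prepends a Received: header, and most of them record whether the session they received it over was encrypted, so you can check the above against a real message rather than guessing. The following is an added example, not code from the original post or from The Hug. It leans on two conventions: the "with ESMTPS" / "with ESMTPSA" keywords of RFC 3848 (the S means the SMTP session ran under TLS) and the "(using TLSv1.2 with cipher ...)" or "(version=TLS1_2 ...)" annotations that Postfix and Google's servers add. The sample message, hostnames and addresses are constructed for illustration. A hop the headers show as plain ESMTP with no TLS note really was unencrypted; an absent note can also just mean a terse MTA, so treat the output as evidence rather than proof.

```python
"""Read the Received: trail of a delivered message to see which hops used TLS.

Added example, not part of the original post. Hostnames and addresses below
are constructed (documentation ranges) and belong to no real mail system.
"""
import email
import re

# Constructed sample: a message submitted over TLS (ESMTPSA) from a laptop to
# smtp.example.net, relayed in the clear to mx.example.org, then handed to a
# separate IMAP box in the clear as well. Leading spaces are header folding.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by imap.example.org (Postfix) with ESMTP id 7F3A21C
    for <alice@example.org>; Mon, 16 May 2016 10:03:12 +0100 (BST)
Received: from smtp.example.net (smtp.example.net [198.51.100.7])
    by mx.example.org (Postfix) with ESMTP id 4B2D9E
    for <alice@example.org>; Mon, 16 May 2016 10:03:11 +0100 (BST)
Received: from laptop.example.net (unknown [203.0.113.5])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    by smtp.example.net (Postfix) with ESMTPSA id 91C0F3
    for <alice@example.org>; Mon, 16 May 2016 10:03:10 +0100 (BST)
From: bob@example.net
To: alice@example.org
Subject: test

hello
"""

# "from X ... by Y ... with PROTO" is the clause RFC 5321 asks MTAs to write.
HOP_RE = re.compile(
    r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z]+)",
    re.DOTALL,
)
# RFC 3848 "with" keywords whose S says the session was protected by TLS
# (the trailing A means the sender authenticated, which is separate).
TLS_PROTOS = {"SMTPS", "ESMTPS", "ESMTPSA"}
# Free-text TLS notes: Postfix "(using TLSv1.2 ...)", Google "(version=TLS1_2 ...)".
TLS_NOTE_RE = re.compile(r"\b(?:using|version=)\s*(?:TLS|SSL)")


def hops(raw_message):
    """Return the hops oldest-first, each with whether that leg used TLS."""
    msg = email.message_from_string(raw_message)
    result = []
    # Each MTA prepends its own Received: line, so the top one is the last hop.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold the header
        m = HOP_RE.search(text)
        if not m:
            continue  # not every MTA writes a parseable clause; skip, don't guess
        proto = m.group("proto").upper()
        encrypted = proto in TLS_PROTOS or bool(TLS_NOTE_RE.search(text))
        result.append({"from": m.group("from"), "by": m.group("by"),
                       "with": proto, "encrypted": encrypted})
    return result


def cleartext_legs(raw_message):
    """The (from, by) legs a passive eavesdropper on the path could have read."""
    return [(h["from"], h["by"]) for h in hops(raw_message) if not h["encrypted"]]


if __name__ == "__main__":
    for h in hops(SAMPLE):
        mark = "TLS  " if h["encrypted"] else "CLEAR"
        print(f"{mark}  {h['from']} -> {h['by']}  ({h['with']})")
```

Run it against a message saved from your own mail program ("show original" or "view source") and you will usually see exactly the pattern in the sample: the submission leg encrypted, one or more of the server-to-server legs not. The two cleartext legs in the sample are also the two the post warns about: the Internet hop, and the hand-off between an organisation's separate outgoing and incoming servers.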

So in summary then:

  1. generally speaking email is not secure and you should assume that third parties can and may read it.
  2. mail between colleagues may be secure, but check with your ISP or IT department before assuming that it is.
  3. you can reduce the risk of your mail being read in transit by:
    1. using a secure connection to send mail to your outgoing mail server
    2. using a secure connection to read mail from your incoming mail server
    3. not sending passwords by email at all, and certainly not with the word "password" next to them, as that makes the perp's life way too easy.

[1] It is secure here at The Hug as our SMTP and IMAP servers run on the same physical server.
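What "using a secure connection" to the outgoing and incoming servers looks like in practice, for the two steps in the summary and the IMAP point made earlier, as an added example written for this page (not code from the original post or from The Hug). The hostnames, ports and account details are placeholders, and the EHLO replies used to check the STARTTLS test are constructed. Two things the example insists on that mail libraries don't always do for you: the server's certificate is verified (an unverified TLS session stops casual sniffing but not an active man in the middle), and the password is never sent until encryption is actually up.

```python
"""Connect to the outgoing (SMTP submission) and incoming (IMAP) servers only
over verified TLS, and refuse to send the password otherwise.

Added example, not part of the original post. Hostnames, ports and account
details are placeholders; send_via_smarthost() and read_inbox_subjects()
open real network connections, the other functions are pure.
"""
import imaplib
import smtplib
import ssl


def tls_context():
    """A context that checks the certificate chain and the hostname.

    Pass this explicitly. The context smtplib/imaplib build when given none
    is not guaranteed to verify the peer, and without verification anyone
    who can redirect your connection can present their own certificate.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def starttls_offered(ehlo_reply):
    """True if an EHLO reply advertises STARTTLS.

    ehlo_reply is the second element of smtplib.SMTP.ehlo(): the server's
    multi-line reply, its hostname first, then one extension per line.
    """
    if isinstance(ehlo_reply, bytes):
        ehlo_reply = ehlo_reply.decode("ascii", "replace")
    return any(line.split()[:1] == ["STARTTLS"]
               for line in ehlo_reply.upper().splitlines())


def upgrade_to_tls(smtp, ctx=None):
    """Insist on STARTTLS before AUTH.

    A server that does not offer STARTTLS, or an attacker on the path who
    has stripped it from the EHLO reply, gets no password from us; the
    connection is simply not used.
    """
    code, reply = smtp.ehlo()
    if code != 250 or not starttls_offered(reply):
        raise RuntimeError("server does not offer STARTTLS; refusing to authenticate")
    smtp.starttls(context=ctx or tls_context())
    smtp.ehlo()  # the extension list can change after the handshake
    return smtp


def send_via_smarthost(host, user, password, message, port=587):
    """Submit `message` (an email.message.EmailMessage) to the smarthost."""
    with smtplib.SMTP(host, port) as smtp:
        upgrade_to_tls(smtp)
        smtp.login(user, password)  # only reached once TLS is established
        smtp.send_message(message)


def read_inbox_subjects(host, user, password, port=993, limit=10):
    """Fetch the newest `limit` Subject lines over IMAPS (TLS from the start).

    The insecure equivalent is imaplib.IMAP4(host, 143) followed straight by
    login(): password and messages then cross the network in the clear.
    Port 143 is only acceptable if IMAP4.starttls(ssl_context=tls_context())
    runs before login(); what matters is that TLS is up, not the port number.
    """
    with imaplib.IMAP4_SSL(host, port, ssl_context=tls_context()) as imap:
        imap.login(user, password)
        imap.select("INBOX", readonly=True)
        status, data = imap.search(None, "ALL")
        if status != "OK" or not data[0]:
            return []
        subjects = []
        for msg_id in data[0].split()[-limit:]:
            status, parts = imap.fetch(msg_id, "(BODY.PEEK[HEADER.FIELDS (SUBJECT)])")
            if status == "OK" and parts and isinstance(parts[0], tuple):
                subjects.append(parts[0][1].decode("utf-8", "replace").strip())
        return subjects
```

Most desktop mail programs have the same switches under "connection security" (STARTTLS or SSL/TLS, never "none"), and the same check applies to them: if the server's certificate is not trusted the program should refuse, not offer an "accept anyway" button that you click through.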