Is email private?

The answer to the question "Is email private?" is no. We see the following issues with email privacy:

  • By default the body of the email message is transmitted in the clear, so anybody with access to the network can read the text of the email.
  • If the body of the email is encrypted using an email encryption program like PGP, the email headers are still transmitted in the clear, so who we are communicating with can easily be determined.
  • Email client programs and email servers add additional headers to emails that they process. These headers can give away IP addresses, location or other information.
  • There is a danger of inadvertent disclosure of information through signatures and forwarded mail.

A possible solution to email privacy

Here are the steps you must follow to secure your email:

  1. Encrypt your email using a solution like PGP or GPG. The mail is encrypted using the recipient's public key, which can be sent in the clear.
  2. Use an encrypted, anonymizing SMTP server. The connection to the SMTP server is over an encrypted channel like SSL, which ensures that the traffic cannot be spied on. The anonymizing SMTP server strips your email of all identifying headers and then forwards it to the recipient's SMTP server.

The recipient's SMTP server will receive the message over clear channels; however, the body of the message is encrypted using the method you used in step 1. All any possible snooper will gather is that the recipient received an email message from someone who uses the anonymizing SMTP server.

This solution provides a good example of layered security. Even if the anonymizing SMTP server is compromised, the body of the message is still protected by encryption.
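The header-stripping step (step 2) and what a snooper on the clear-text hop can still see are easy to demonstrate with Python's standard email library. The example below is added here and is not code from the original page; the message, the host names, the address 203.0.113.7 and the relay name relay.example are constructed, and the body is a placeholder standing in for PGP ciphertext from step 1 (no real PGP encryption is performed).

```python
"""Added example (not from the original page): an anonymizing relay's
header-stripping step and a passive observer's view of the result."""
from datetime import timezone
from email import message_from_string
from email.message import Message
from email.utils import format_datetime, make_msgid, parsedate_to_datetime

# Constructed sample, not a captured message. The body stands in for the
# PGP ciphertext produced in step 1; it is a placeholder, not real PGP output.
SAMPLE_OUTBOUND = """\
Received: from laptop.home.example ([203.0.113.7]) by mail.example.net
    with ESMTPSA id abc123; Mon, 01 Jan 2024 10:00:00 -0800
X-Originating-IP: [203.0.113.7]
X-Mailer: ExampleMail 4.2
Message-ID: <20240101100000.1234@laptop.home.example>
Date: Mon, 01 Jan 2024 10:00:00 -0800
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: Quarterly numbers

-----BEGIN PGP MESSAGE-----

CONSTRUCTED-PLACEHOLDER-CIPHERTEXT
-----END PGP MESSAGE-----
"""

# Headers that reveal the sender's client software, host name or network path.
# A production relay would maintain a broader list of vendor X-* headers.
IDENTIFYING_HEADERS = (
    "Received", "Return-Path", "X-Originating-IP", "X-Mailer", "User-Agent",
)


def strip_identifying_headers(raw: str, relay_domain: str) -> Message:
    """Return the message with sender-identifying headers removed, as the
    anonymizing SMTP server in step 2 would do before forwarding.
    relay_domain is a hypothetical name for the relay itself."""
    msg = message_from_string(raw)
    for name in IDENTIFYING_HEADERS:
        del msg[name]  # del removes every occurrence (e.g. all Received lines)
    # Message-ID embeds the originating host name; reissue it under the relay.
    del msg["Message-ID"]
    msg["Message-ID"] = make_msgid(domain=relay_domain)
    # The Date header's UTC offset hints at the sender's time zone; normalise.
    if msg["Date"] is not None:
        dt = parsedate_to_datetime(msg["Date"])
        if dt.tzinfo is not None:
            del msg["Date"]
            msg["Date"] = format_datetime(dt.astimezone(timezone.utc))
    # The relay's own MTA prepends its own Received line when forwarding;
    # that line names the relay, not the sender.
    return msg


def observer_view(msg) -> dict:
    """What a passive sniffer on the clear-text hop after the relay can learn:
    the correspondents and subject stay visible, the body does not."""
    if isinstance(msg, str):
        msg = message_from_string(msg)
    body = msg.get_payload()
    clues = msg.get_all("Received", []) + msg.get_all("X-Originating-IP", [])
    return {
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "body_encrypted": body.lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
        "sender_network_clues": [str(c) for c in clues],
    }


if __name__ == "__main__":
    print("before relay:", observer_view(SAMPLE_OUTBOUND))
    cleaned = strip_identifying_headers(SAMPLE_OUTBOUND, "relay.example")
    print("after relay:", observer_view(cleaned))
```

Run it and compare the two views: before the relay, the Received and X-Originating-IP headers expose the sender's IP address and host name; after it, those clues are gone, but From, To and Subject remain readable, which is exactly the residual exposure the text describes. Note that the Subject header is not protected by PGP body encryption, so it should carry nothing sensitive.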

Partial solutions for email privacy

Encrypt mail and send it over normal SMTP servers

The body of the email is encrypted; however, any sniffer with access to the network traffic can see that you are sending a message to the recipient.

Use a web based secure email drop with notifications being sent in the clear

Each user has a unique password on the secure email drop that he knows. When you need to send a message to the recipient, you send it using a web interface. All interaction with the web interface takes place over HTTPS so that the traffic cannot be snooped upon. When a user receives a message, an email is sent to the user in the clear saying that a message is waiting. He can then log in over the secure web interface and read the message.

The security and privacy of the messaging server is important here in addition to the security of the sender and the recipient.

I hope we answered your questions "Is email private?" and "How to keep email private?"