I’m finding more and more that most clients (people for that matter) don’t recognize that email is not a secure medium in its normal use. Most people send emails without stopping to think about the sensitive nature of what they *think* they are sharing only with the recipient. However, it is very easy for a would-be snoop or hacker to intercept email and read it. In fact, passwords are usually sent to the server “in the clear.”
Here are a couple of ways that you can secure your email.
1. Use TLS encryption on your mail server (or at least ensure you have an SSL connection when you send or check mail). This only works for email that is sent and received internally, such as on a corporate server, or between two servers that communicate directly, with no relaying server between points A and B that is not TLS-enabled. One example is when two employees working for company X both log in directly to company X’s mail server to send and download email. If they use a mail client, such as Microsoft Outlook or Mozilla’s Thunderbird, then they need to specify the proper settings in the connection’s configuration in order to take advantage of SSL or TLS, as supported by the server. If they use Webmail by going to a Website to send and receive mail, then they must make sure the connection uses the https protocol when visiting the email site and that the lock appears in the browser near the bottom right corner of the screen. Companies concerned about internal email security should not even allow employees to visit an internal Webmail site without an SSL connection, since one of them could easily expose the mail by accidentally reading a sensitive message over a normal http connection . . . but I digress.
Therefore, if the mail is encrypted during the login process and never leaves the server’s secure communications chain, then your mail is deemed secure, provided the recipient is also using TLS encryption. Keep in mind that, most of the time, email travels across multiple servers on the Internet before reaching its destination. That means that even if both you and your recipient use TLS, you must still make sure every server relay is done with TLS; otherwise the security benefit of TLS encryption is lost during the delivery process. Talk to your ISP or IT department. If you and the person you intend to email securely are on different servers, the direct TLS connection chain between you is something that has to be verified by your IT staff. There is another solution, however (without having to trust Gmail or another similar public Webmail provider to protect your info).
2. Install a certificate into your email program and have your recipient do the same in order to set up the use of digital signatures. You can then exchange keys (secret encryption information that unlocks your email content) that ensure your mail arrives encrypted and protected despite its travel path. For more on this you can simply Google “email encryption certificates.” There are free ones, and there are others for commercial use that range in price and level of security. Each person will need a key installed. It’s a fairly painless process to install them, and you will be much safer if you use this process with your recipient. Basically, what happens in this key exchange is that a person with a certificate installed for email initially sends a “signed” message to the recipient, which attaches their key’s secret data. The recipient then confirms and adds the sender’s certificate to their local certificate store by adding the person to their address book, thus trusting the sender’s certificate and storing their secret key. The recipient then obtains their own key and shares it with the original sender. Once both have added the keys to their address books, they can encrypt email between each other and decrypt each message to be read upon receipt. Any person in the middle who receives the message on another computer cannot read it. You can learn more about email encryption techniques here.
Without taking these steps you are likely exposing your emails to prying eyes.
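One way to check the relay chain described in item 1 is to read the `Received` headers of a delivered message and flag every hop that did not record TLS. The following Python sketch is an added example, not part of the original post; the sample message, hostnames and ids are constructed, and it assumes servers record the hop protocol with the RFC 3848 / RFC 6531 `with` keywords. Each header only reports what that server wrote, and headers added by earlier servers cannot be verified by later ones.

```python
import re
from email import message_from_string

# "with" keywords that record a TLS-protected hop (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

# Constructed sample; hostnames and ids are made up. Newest hop is on top.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 by mx.recipient.example (Postfix) with ESMTPS id 4F3A1;
 Mon, 01 Jan 2024 10:00:05 +0000
Received: from mail.companyx.example (mail.companyx.example [192.0.2.10])
 by relay.example.net (Postfix) with ESMTP id 9C2B7;
 Mon, 01 Jan 2024 10:00:03 +0000
Received: from laptop (unknown [203.0.113.5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 by mail.companyx.example (Postfix) with ESMTPSA id 1D8E0;
 Mon, 01 Jan 2024 10:00:01 +0000
From: alice@companyx.example
Subject: constructed sample

body
"""

def strip_comments(value):
    """Drop (nested) parenthesised comments; they may contain "with cipher"."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def audit_hops(raw_message):
    """Return [(receiving_host, protocol, used_tls)], oldest hop first."""
    hops = []
    received = message_from_string(raw_message).get_all("Received", [])
    for value in reversed(received):
        clean = strip_comments(value)
        by = re.search(r"\bby\s+([^\s;]+)", clean)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", clean)
        name = proto.group(1).upper() if proto else None
        hops.append((by.group(1) if by else None, name, name in TLS_PROTOCOLS))
    return hops

def plaintext_hops(raw_message):
    """Receiving hosts of hops that did not record TLS."""
    return [host for host, _, tls in audit_hops(raw_message) if not tls]
```

On the constructed sample, `plaintext_hops(SAMPLE)` reports the middle relay: both ends used TLS, yet the message crossed one hop without it.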

