One of the first methods of online communication, email is still a go-to for many. Because email is free, almost everyone has an email address they can be reached at.
Still, email is insecure by design. It’s built to transmit information in text, and via attachments to those messages, but often isn’t secured by default. In the past few years, encrypted email has become more popular, and many email providers and services are taking steps in the right direction. But not all of them.
Here we’ll show you how to encrypt email, how to send secure email, and how some of the most popular email providers do (or don’t) secure your communications.
How email encryption works
When you create an email, you’re putting information into an app like Gmail or Mail. That information is sent along to the recipient. Now, imagine that a sensitive note were intercepted along the way. Someone could gain insight into very sensitive content, which could lead them to discover something you didn’t want them to know.
This is why encrypted email is so important. It may not be able to stop people from intercepting emails, but it can prevent them from being able to read your messages. If you wanted to send secure notes, you might create your own encryption method only you and the recipient understood.
Encrypted email works the same way. Both sender and receiver use something called public key cryptography, which scrambles the email’s contents into a coded string only the sender and receiver can decode. There’s also a private key on your computer that actually decodes the message, ensuring that only the right people can read each message.
How to encrypt emails in Mail app
It might seem like email encryption is a complicated under-the-hood thing that is either there or not there. Well, that’s not really true. You can add encryption to your emails yourself. Apple’s native Mail app makes it relatively easy.
Mail supports S/MIME, one of the most popular certificate-based email encryption standards, so all you have to do to encrypt mail in the Mail app is get a certificate and add it to your keychain. After that, you’ll be able to send signed emails. And if you want to send an encrypted email, the recipient’s certificate must be in your keychain as well.
Let’s go into details on how to encrypt an email.
How to use an encryption certificate
You can request an S/MIME certificate through Keychain Access. Here’s how it works:
- Open Keychain Access
- In the app menu, click Certificate Assistant > Request a Certificate from a Certificate Authority (CA)
- Type your email address, name, and the email address of the CA (check with services that issue verification and encryption certificates, such as VeriSign)
- Customize key pair information if you want to
- Review your certificate and click Done.
Once the CA approves your certificate, it will be issued to you. You can find it in Keychain Access, under the login keychain: open the Certificates tab and see the list of all certificates you’ve received. Found the right one? Right-click on it > Export > Save to the selected location on your Mac. Make sure to add a strong passphrase for extra security. This will enable you to transfer your certificate across devices and to a third-party drive.
How to receive digitally signed and encrypted emails in Mail
For the new certificate to work with your email address, restart Mail. The next time you open it, Mail will automatically sign your emails using the public key — you’ll see the checkmark icon in the Subject field. Make sure you use the email address you have a certificate for!
If you have a certificate for the given recipient, you’ll also see the encryption icon (a lock) appear next to the checkmark in the Subject field. Enable it to send an encrypted email.
What happens when a certificate expires?
The problem with S/MIME certificates is that they have expiration dates. It’s impossible to just renew the certificate. Once it expires, you should get a new one. So simply repeat the process we’ve described above.
Note: you should never delete the keys used with your old certificates, because doing so will prevent you from being able to read your old messages (unless that’s the goal).
How to encrypt emails in Gmail
Is Gmail encrypted? Yes and no. If you’re wondering how to send encrypted email in Gmail, the answer is a bit complex. Google uses TLS, or Transport Layer Security, on all Gmail messages. This encrypts emails coming in or leaving your inbox, but doesn’t work for everyone. TLS is only successful if the email providers for the sender and receiver use TLS by default. Long story short, you have to use TLS and know the recipient uses TLS for the encryption to be effective.
If you’re a Google Workspace Suite account owner wondering how to encrypt Gmail, we have good news for you. You’re eligible for free S/MIME encryption, which is a slightly more advanced protection layer. Still, you should know that both TLS and S/MIME only work if both parties have the encryption enabled, and the encryption doesn’t protect you from Google being able to scan the contents of your emails once they arrive on a device.
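To check the TLS point above for a message you have received, you can read its Received headers, which each mail server adds as it accepts the message. The following is an added example, not part of the original article: the message, host names and addresses are constructed, and the function names audit_hops and plaintext_hops are hypothetical.

```python
import email
import re

# Constructed sample (not real traffic). Newest hop first, as in a real message.
SAMPLE = """\
Received: from relay.partner.example (relay.partner.example [192.0.2.10])
 by mx.recipient.example with ESMTPS id r3
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Tue, 02 Jan 2024 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
 by relay.partner.example with ESMTP id r2; Tue, 02 Jan 2024 10:00:02 +0000
Received: from laptop.local ([203.0.113.5])
 by out.sender.example with ESMTPSA id r1; Tue, 02 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example

See attachment.
"""

# RFC 3848 "with" keywords: a trailing S (ESMTPS, ESMTPSA, LMTPS) means TLS was used.
WITH_RE = re.compile(r"\bwith\s+((?:UTF8)?(?:E?SMTP|LMTP)S?A?)\b", re.I)
# Optional detail some servers append, e.g. "version=TLS1_3" or "using TLSv1.3".
TLS_RE = re.compile(r"(?:version=|using\s+)(TLS[\w.]+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)")

def audit_hops(raw):
    """Return one dict per Received header, oldest hop first."""
    hops = []
    for header in reversed(email.message_from_string(raw).get_all("Received", [])):
        text = " ".join(header.split())  # unfold continuation lines
        by, proto, tls = BY_RE.search(text), WITH_RE.search(text), TLS_RE.search(text)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append({
            "by": by.group(1) if by else "?",
            "protocol": name,
            "tls_version": tls.group(1) if tls else None,
            "encrypted": bool(tls) or (proto is not None and name.endswith(("S", "SA"))),
        })
    return hops

def plaintext_hops(hops):
    """Receiving hosts whose header shows no sign of TLS."""
    return [h["by"] for h in hops if not h["encrypted"]]

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop)
    print("no TLS evidence:", plaintext_hops(audit_hops(SAMPLE)))
```

Only the headers written by your own provider are trustworthy, since earlier servers can write anything into theirs. A hop marked encrypted was protected in transit only, so each provider along the way could still read the message.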
Are Gmail attachments encrypted?
TLS applies to everything sent via Gmail. Because attachments are simply part of an email, they also fall under the TLS rules. But again, to encrypt Gmail attachments, both the sender and the recipient should be using TLS (or S/MIME for that matter).
What about Gmail Confidential Mode?
The term ‘confidential mode’ is a bit misleading from an encryption standpoint. What confidential mode does is give you more granular control over the emails you send. With Gmail confidential mode, you can do the following:
- Set an email to expire. You can opt to set an expiration date for an email. This provides an artificial deadline for the email you send.
- Remove access. If you no longer want someone to have access to an email, you can choose to remove their access to an email sent in Confidential Mode.
- Require a passcode. You can choose to have Google generate a passcode for the recipient, which will then require them to use that passcode to open the email you send them.
This has several issues. First, generating a passcode requires you to give Google the recipient’s phone number. Second, confidential mode is not encryption. Unless both parties use TLS for email, Google will still be able to read an email sent in confidential mode so long as it’s in your sent folder, even after an expiration date passes.
We will stop short of calling Gmail’s confidential mode unsafe. It has features that provide a level of assurance that the right people read your emails within an appropriate time, but this is not encryption by any standard.
Apps to encrypt emails
Which utility should you use to encrypt emails, digitally sign emails, and encrypt documents (attachments) on Mac? Surprisingly, there’s an easy answer to this question.
Canary Mail is a mail app that has an option to encrypt emails by default. It’s actually Canary Mail’s default setting: you have to toggle encryption off manually to send unsecured emails!
Here’s how it works:
- Open Canary Mail
- Click the pen-and-paper icon in the top bar to send a new email
- Enter the recipient’s email, subject, and body of the email
- Click the bright blue ‘send’ icon on the top right corner when you’re done with your email
Because Canary Mail encrypts emails automatically, that’s all you need to do to send an encrypted email.
If you like, you can also manage encryption keys manually with Canary Mail. If you’ve generated keys with a service like GPGTools or Symantec, you can simply import the list via the built-in key manager for Canary Mail. Those private keys are stored on-device, too, so there’s no risk of them being available to anyone who has hacked your cloud accounts.
Otherwise, you can generate keys for users per email by clicking the ‘lock’ icon and adding a key to the list for the recipient. Quite honestly, most users won’t want to bother with creating and managing encryption keys. This is why Canary Mail is so nice! You don’t have to worry, you can just email people. And if you use Canary Mail through Setapp, you also get the iOS version.
What sensitive data should be encrypted in email?
Now that you know how to encrypt email in Gmail, Mail, and Canary Mail, let’s see what should be encrypted. Because email is so widely used, we tend to forget it’s actually a vulnerability for most of us. We send and receive data we probably shouldn’t, at least electronically. Here’s some common sensitive data transferred via email:
- Bank information. Often, we include details of our bank account data in emails. Without encryption, someone could get into your account and take all of your money!
- Address. One of the most widely transmitted pieces of data is an address. Though many of us don’t quite hide where we live, many don’t associate their email with their ‘personal’ life.
- Signatures. How often have you sent an attachment with your signature? That’s something a hacker could use to forge all kinds of documents in your name!
- Personal plans. How often do you receive details of a plane trip, hotel stay, or other travel info in email? This is confidential data about where you go and what you do.
- Info about others. You may have meant well, but sharing personal info about others will backfire if your unencrypted email is intercepted.
Pretty scary! There are ways to secure your info beyond email encryption, though. We really like CleanMyMac X’s Shredder feature. It completely destroys files from your computer, leaving no trace of them anywhere. It’s safe to use because you have to decide which files to shred, but it’s thorough. If you’ve ever worried your data was lingering in a file somewhere, CleanMyMac X can get rid of all traces once and for all.
What’s more, CleanMyMac X can help you take care of your privacy (aside from its malware protection and decluttering features). Mainly, it has a dedicated Privacy tab where you can clear the traces of your browsing activities, delete chat history, and more. One click and you’re clean.
Even with encryption enabled, there’s another point of vulnerability on your Mac. Passwords. We like Secrets for keeping your passwords and private data safe and sound on Mac.
Secrets is a good idea for a few reasons related to email encryption:
- Create and store unique passwords for your accounts. No more reusing passwords, which is really handy in the event you send your credentials via email. If someone were to get hold of your password for one account, they couldn’t gain access to other accounts because you didn’t reuse a password.
- Generate new, secure passwords as quickly as possible. When changing your password, many platforms have rigid rules for how your password should be created, and Secrets can meet those needs with ease.
- Secure bank statements and other sensitive data. We understand why so many people wonder if one can encrypt Gmail attachments. Very often, bank details, agreements, and important legal notes are sent over email. Apart from storing your passwords, Secrets can also store those sensitive notes for you.
It may not be something you consider every day, but encrypted email is actually pretty important. So much data flows through our email inboxes daily that it really should be secured, and encrypted email protects both the message and the attachments.
When you’re ready to take data privacy a bit more seriously, the right set of tools is important. But let’s be honest: most of us don’t want to learn cryptography just to send a secure email!
That’s why we suggest Canary Mail, CleanMyMac X, and Secrets. These three apps do a great job of securing your email, clearing sensitive data from your device, and managing secure passwords.
Best of all, they’re free with a seven-day trial of Setapp, the leading suite of productivity apps for Mac and iPhone. Along with these three apps, a Setapp subscription provides you with unlimited access to dozens of other amazing apps across a wide range of categories like lifestyle, creativity, developer tools, education, finance, and more!
When your week-long trial of Setapp is finished, the entire suite is only $9.99 per month for unlimited access. If you prepay for a full year, the price drops 10 percent to $8.99 per month. Give it a try!