The what, why and how of email encryption – a 2022 guide for businesses

The what, why and how of email encryption – a 2022 guide for businesses

In July 1586, the imprisoned Mary, Queen of Scots, received a letter from a rebel named Anthony Babington. He asked her to support a plot to assassinate the Protestant Elizabeth I and proposed to put Mary on the throne as the new Queen of England. Although the letters were coded, they were discovered and deciphered by the Queen's spymaster, Sir Francis Walsingham. But he didn’t stop there. Changing Mary’s response, he asked Babington to name his co-conspirators. He did. In just a few days, they were all put on trial, including Mary, bringing a somber end to the Babington Plot , one of history’s most famous – not to mention oldest – man-in-the-middle attacks.

Man-in-the-middle, or MitM, attacks, however, are still alive and kicking. Except they’ve moved from beer barrel corks to the digital space, where attackers are looking to intercept communications to steal sensitive data, spy on victims or sabotage conversations, among other things. But that’s just one of the many ways decrypted – let alone unencrypted – messages can put companies’ data, systems and reputation at risk. When an email is sent from one user to another, it takes several stops before it arrives – even if its journey is no longer than a few seconds. If it “travels” unencrypted, each of these stops becomes an entry point for malicious actors.

In this article, we’ll explore what email encryption is and how it works, and most importantly, how encrypted emails can help organizations protect their critical data assets without causing friction in everyday workflows. Let’s dive in!

What is email encryption – and why encrypt emails anyway?

Email encryption is a mechanism that prevents the contents of an email message from being read by anyone besides its intended recipients. Mostly relying on public key cryptography, it allows users to publish a public key that others can use to encrypt their messages and, at the same time, to keep a secret private key for decrypting messages or signing and digitally encrypting other messages.

Who could benefit from secure emails?

Based on the latest work-from-home statistics, most enterprises fall into this category. In McKinsey’s 2022 American Opportunity Survey , for example, 58% of respondents said they had the opportunity to work from home at least one day a week. Thirty-five percent reported having the option to work from home Monday through Friday. And that comes from 25,000 employees across regions, segments and positions, working in both traditionally “blue collar” and “white collar” professions.

Not to mention that thanks to milestone data protection regulations such as the EU’s General Data Protection Regulation (GDPR), personal data today isn’t something that the HR department handles, the IT departments safeguards and only industries like healthcare should be concerned about. Under the GDPR’s definition of personal data, for example, it is any information that is attributable to a specific individual independently of the nature of the information.

How does email encryption protect – and benefit – enterprises?

As we’ve previously explained, email encryption essentially shields messages from eavesdroppers by rendering their contents unreadable to them. In doing so, enterprise email encryption solutions can:

1. Mitigate the risk of human error

According to Verizon’s 2022 Data Breach Investigations Report , 82% of the 5,200 breaches examined involved the human element, with 13.5% coming down to someone making a mistake and sensitive information ending up in the wrong hands. An email encryption service can serve as the first line of defense for businesses to prevent individual mistakes from snowballing into organization-wide problems.

2. Protect sensitive data against man-in-the-middle attacks

“MitM attacks are attacks where the attacker is actually sitting between the victim and a legitimate host the victim is trying to connect to,” explains SANS Technology Institute’s Johannes Ullrich. Perpetrators often target email exchanges between banks and customers so they can spoof the bank’s email address and send customers their own messages, asking for login credentials or payment card details.

3. Boost the efficiency of your compliance efforts

As we’ve pointed out in a previous deep dive into HIPAA technical safeguards, encryption is a must-have for minimizing the risk of PII and PHI exposure. Stopping short of requiring it, the HHS recommends HIPAA-covered entities to assess how and how often they transmit e-PHI, and if encryption is needed to protect e-PHI in transit, as well as what encryption methods would be best to protect the transmission.

4. Build client trust, along with a culture of vigilance

In PwC's 2022 Global Data Trust Insights Survey , senior executives’ top response when asked to frame their organization’s cybersecurity mission was “a way to establish trust with our customers with respect to how we use their data ethically and protect their data”. Encryption can help them do just that, protecting high-value customer and insider information from prying eyes, whether at rest or in transit.

The anatomy of email encryption: how does email encryption work?

It’s important to note that there are no must-have components for email encryption products and services. That said, the most common feature they share is a type of gateway software that enforces policy-based encryption, TechTarget explains . These policies define which emails should be encrypted under what conditions, for example outgoing emails that contain sensitive personally identifiable information.

Some solutions involve an email encryption client to be installed on sender devices, which either uses a policy-based encryption or leaves it to users to choose which emails should be encrypted. Or in some cases, both. Most encryption solutions, however, run through a web-based interface where emails are decrypted, which is hosted by the sender or available through a third-party cloud-based service.

Another key difference between the two approaches is that the latter supports end-to-end encryption, the gold standard for protecting email communication. Tresorit, for example, encrypts every file and relevant file metadata on your devices with unique randomly generated encryption keys. These keys are never sent to our servers in an unencrypted format. Accessing files is only possible with a user's unique decryption key.

PGP, MIME, TLS: the most common types of email encryption, explained


Pretty Good Privacy (PGP) is an encryption program that provides users with cryptographic authentication and privacy for data communication and transfer when signing, encrypting, and decrypting texts, emails, files, directories, or entire disk partitions. When user data is encrypted with PGP, it also gets compressed, meaning that this encryption methodology improves email security and saves disk space at the same time.

Taking a public key infrastructure, or PKI, approach, PGP first creates a secret, single-use session key and includes it with the encrypted text. This is done with the help of the public key of the message’s intended recipient, which is assigned to a specific person’s identity. Once the message is sent and received, the recipient uses a private key to decrypt the public key needed to decrypt the actual message.


Short for Secure/Multipurpose Internet Mail Extensions, S/MIME is a widely used protocol for public encryption and signing of MIME data. Multipurpose Internet Mail Extensions, or MIME, is a standard that extends the email message format to support sending single or multiple text and non-text attachments, such as graphics, audio, and video files.

S/MIME allows users to protect the content of emails through encryption and verify themselves as the legitimate senders of their messages with the help of digital signatures.

Digital signatures also prevent senders from disavowing message ownership and provide assurance that the original message has not been altered while in transit. Encryption ensures that the information exchanged cannot be deciphered unless changed back into a readable and understandable form, whether it’s in transit or in storage.


Arguably the most widely accepted cryptographic protocol on the web, Transport Layer Security, or TLS , relies on a combination of cryptographic processes to secure communication over a network against eavesdropping and tampering. More specifically, it uses public-key cryptography for authentication, along with secret-key cryptography with hash functions to ensure privacy and data integrity. This way, TLS email encryption strikes a balance between performance and security when transmitting data.

Tough defense against email threats: secure email encryption service by Tresorit

The newest addition to our secure and user-friendly workplace and collaboration solutions, Tresorit’s email encryption tool helps businesses of all profiles and sizes safeguard their messages with end-to-end email encryption. Here’s how.

● Switch to secure emails easily and effortlessly
Share sensitive data and attachments up to 5GB securely without key exchange, additional software and convoluted workflows. Once the plugin is installed, you can compose messages as usual and encrypt it along with the attachment in a single click.

● Automate the encryption process with rules
Enjoy stricter control over the confidential data you send via email. Administrators can set up rules based on recipients, attachment availability to enforce and automate encrypting emails or to use encrypted links instead of attachments.

● Reduce human error with email recall
Did your message accidentally end up in the wrong mailbox? Unlike regular emails, messages sent with Tresorit allow you to revoke access to the message content for all recipients and keep control of your data throughout the whole lifecycle of your email.

● Get more visibility with encryption and access reports
Administrators gain an in-depth view of encrypted email communication within the organization, including who’s shared what with whom, what access control features were used, and who has accessed email data.

● Benefit from improved UX and customization
Include branded elements in your encrypted email templates for a professional look on top of end-to-end security. Using the Outlook plugin? Turn email encryption on and off with one click of a button and add encrypted attachments with ease.

● Swift access with Microsoft and Google
External users can easily access encrypted email content using their existing Microsoft or Google accounts.