What do you mean my email is not secure?

Diagram showing the normal unsecure process of delivering email through a series of servers to its final destinationEmail security is a challenging topic to understand. While progress has been made to improve that security, there are many, many variables that make it impossible for you to know if the email you are sending is being delivered securely to its final destination. Yes, I did say impossible. Even a seasoned server administrator could not tell you that 100% of emails delivered by the servers they managed are being delivered securely, and have not been intercepted.

Emails Are Like Snail Mail

You can think of emails in much the way that snail mail is handled. There’s a fairly straightforward process that is followed. And it goes pretty much like this :

  1. You write a letter
  2. You put the letter in an envelope, and address the envelope.
  3. You put the letter in a mailbox
  4. The first postal carrier picks up your letter and takes it to their post office
  5. Another mail handler picks up your letter and decides if your mail stays in the post office, or goes to another post office
  6. If it goes to another post office, your letter goes on a truck to that post office
  7. That post office picks up your letter and decides if it needs to go to yet another post office.
  8. Eventually, your letter reaches the correct post office.
  9. A mail carrier picks up your letter, and delivers it to your mailbox
  10. The person receiving your letter retrieves it from the mailbox and opens it.

In this basic snail mail scenario, your letter has been handled by at least three, and up to dozens of people before it ever reached its destination. Anything could have happened to the letter along the way. Someone could have deliberately opened it. An equipment malfunction could have torn it open. Someone could have used something to read your mail without opening it.

Your Email Could be on one, or hundreds of servers

Just like in the snail mail scenario, when you write an email and send it off, there is a standard process that is followed, and it goes a little like this :

  1. You write your email and send it
  2. Your email program connects to the server you chose
  3. Your email server receives the email from you
  4. Your email server looks to see if you are sending the email to someone on the same server
  5. If not, your email server asks the world where their email server is
  6. If it finds their email server, your email server asks another server to help transfer the message
  7. That email server asks another server to help
  8. On and on it goes until the a complete chain is created, from your server to their server
  9. Then your email server starts talking to their email server, relaying the information through all the servers that helped it
  10. Piece by piece, your email is delivered, like a bucket brigade, through that chain of servers, up there in the cloud, to their server.
  11. The person you emailed opens the email.

While your server and their server have several different options for talking back and forth, usually, none of that information makes its way back to you – unless the process fails. So, you know very little – not even if the email was even successfully delivered.

But I have to use an email address and password!

When you use your email address and password to login and read your email messages, all you are really doing is telling your server whose mail you want to look at. It is even possible for your login ID and password to be sent in an unsecure way, along with any messages you are reading.

But that’s just the beginning. Your login id (usually your email address) and password is only between your computer, or phone/tablet etc., and your email server. That information is not used after your server gets the message you wants to send. This “NO PASSWORD” method of servers sending email messages is what allows you to send messages to so many different people. Otherwise, your server could only send email messages to the servers it knows about.

Is Secure Email Possible?

Yes! Secure email is possible. I will cover that more in depth at a later date. However, here are a few brief pointers

  1. If you are logging in to read your email using a web browser, like Chrome, Firefox, Safari, Opera, Internet Explorer etc., make sure the address at the top starts with https or has a picture of a lock. If not, you may be using an secured connection
  2. If you are using an email program, like on your phone or tablet, or a desktop/laptop program like Mac mail, Outlook, Windows Mail, or something similar, then check to make sure that your account is using SSL or TLS to connect to BOTH your SMTP (outbound – for sending) and POP or IMAP (inbound, for you to receive emails) accounts.
    1. If you find that your account is not using TLS, or says something about port 25, or port 110, then you are probably not using security (encryption) to send and receive emails. Contact your email provider to find out which settings to change.
  3. Contact an IT Professional if you are really concerned, and find out what you can, and cannot, do to secure your email messages.

Computers, smart phones, tablets, and our other high tech gadgets do bring us a great deal of benefit. Keeping the information on them secure, however, can be a challenge. You’ll have to decide for yourself how much to worry about just how secure your information is, and now important it is to address the issue. Even then, there will be limits to what you can do, or even a technical expert can do, and at a certain point we all have to accept that we’ve done what we can do. But if you haven’t yet done what you can, consider what “a bad guy” could do with the information in your email, and then decide what to do next.