When it comes to email security, there are two main areas to consider: security in transit, and security at rest. Email transit security protects your message as it moves across the Internet, from the moment you hit send to the moment it hits your recipient’s inbox. At rest security typically involves protecting all stored versions of your email content. An additional concern is identity validation, which provides proof that an email you receive (or more importantly, that your customers and prospects receive from you) was actually sent by the person or company in the “From” field.
While it is certainly important to protect your own confidential information when sending email, it is perhaps even more important to ensure that your small business customers trust the email you send to them. Use the following tips to ensure that your email is secure and trusted from inbox to outbox.
Email Encryption at Rest
At rest security typically involves protecting all stored versions of your email content, including the copy in your Sent mail box, and copies in your recipient’s mailbox, or copies of your email they save to their computer. That’s why you are constantly reminded not to send confidential information of any type, including your social security number, bank account number, credit card number, driver’s license, proprietary business information, or anything else you wouldn’t want to land in unscrupulous hands, via email that is unencrypted at rest. If you do need to send this type of information via email, or if you need your customers to send this type of information to you via email, you’ll both need to agree on a solution for encryption at rest. You can do this by encrypting the entire email itself, or by including the confidential information in an encrypted attachment, so that it cannot be read without providing a password (which you SHOULD NOT send via email). For more information, see Does Your Small Business Practice Secure Email?, a Tip post from last year, which includes resources for encrypting email at rest.
Email Encryption in Transit
While making smart choices about the content you send via email, and about properly encrypting any confidential information you send via email to secure it at rest, is a personal responsibility, encrypting email in transit is a responsibility shared by all email providers—and it can only work optimally when everyone in the delivery chain participates in the process.
The technology used is called Transport Layer Security (TLS), and in simple terms it makes email content unreadable as it moves through the Internet, but does not protect it when it is stored. The most common analogy is that TLS-secured email is like a letter in an envelope which is hidden from view throughout the delivery process, but can be viewed by anyone before it is placed in the envelope and after the envelope is opened; while unencrypted email is like a postcard that can be read by anyone at all points, including as it moves along the postal mail chain. (See this post from Google for a great explanation of the encryption process.)
However in order for TLS to work for email security, both the sending service provider and the receiving provider must support it. If either side does not, then your email is a postcard.
Many major email service providers will warn you when you are sending or receiving email from someone using a provider that does not support TLS for transit encryption. The following are examples from Google.
This screen capture is an email that was encrypted in transit, and for which the sender is authenticated. This is what you want all of your emails to look like when they hit the recipient’s inbox.
This next example is what Gmail users will see when they receive an email from a provider that does not encrypt email in transit. Note the red unlock icon, and the question mark in place of the sender image. You can mouse over each of these for more information on the errors.
If a Gmail user enters an email address in the TO field, and Google determines that the receiving domain does not support TLS, it will send an unencrypted email. (This is because your recipient could not read your email if it were sent encrypted.) Google warns you that security is not optimal for this email by displaying a red unlocked icon to the far right of the TO field. Clicking that lock opens a message describing the problem, as shown in the screen capture below.
Does Your Email Service Provider Support Encryption in Transit?
Google reports that 74% of the email its servers receive, and 84% of the email its servers send, uses encryption. That’s a pretty high number. So, chances are your email service provider supports it. But, there is no reason to leave it to chance. The worst way to find out that your email service provider is not encrypting email in transit is to get a complaint from a customer. The best way is to check yourself before that happens. Luckily, it is easy to do.
Just go to the Google Email encryption in transit post, and scroll down to the “Explore the data” section in the middle of the page. Enter the domain of your service provider in the search field, and Google will tell you whether or not it supports encrypted email.
So for example, if your email address is email@example.com, you would enter “yahoo.com” in the box, and would find that Yahoo uses encrypted email just about 100% of the time. If you use your own company domain for email, you would enter the service provider via which you actually send and receive mail. For example, if your email address is firstname.lastname@example.org but you use Gmail as your service provider, you would enter “gmail.com.” The results would not show your particular domain, because your company is likely too small to register in the results, but you would see that just about all email sent from an “American” region via “gmail.com” uses encryption.
The good news is that most major email providers are using encryption, including Gmail, Outlook, Yahoo Mail, GMX, AOL Mail, Zoho Mail, Lycos Mail, Hushmail, Mail.com, Yandex, iCloud Mail, and Fastmail. However, the popular inbox.com service, and the mindspring.com service from the screen captures above, do not yet support TLS. (See this TopTenReview of Free Email Services for details on and reviews of many of these services.)
If you send marketing email for your small business, it may not be critical that the content is encrypted—after all you actually want as many people as possible to see your messages. But, if you use the same services to send periodic messages to customers, it is important that your provider supports encryption, for no other reason than that it makes your company appear more reputable. Be sure to check your current provider in the Google tool, and consider switching if it does not support TLS. For example, major providers like Constant Contact and Salesforce encrypt most email they send on behalf of customers, while MailChimp supports TLS but only uses it 50% of the time, and GetResponse not at all.
Are Your Small Business Marketing Emails Authenticated?
Even more important for marketing emails, and other automated emails sent to customers via a third party service, is authentication. Email authentication enables your email provider to know that a message is from the address it claims to be from; and not a spam or phishing email intended to fool and defraud.
The sample of an Authenticated Encrypted Email (above) shows what a properly authenticated email will look like in Gmail. If the sender is not authenticated, even if it is encrypted, you’ll see a ? in place of the sender image, as shown below:
Authentication can be accomplished via an SPF record which specifies which hosts are allowed to send messages from a given domain. It can also be accomplished via a DKIM signature, which enables emails to be electronically signed in a way that can be verified by recipients using a public-key.
If you are going to send marketing email, you need to utilize either SPF or DKIM records to establish your identity as a sender. Your email marketing service provider will typically manage this for you, to minimize your bounce rates. Similarly, if you are using a third party to send and receive emails for your company domain (i.e. if you use Gmail to send and receive for email@example.com), that service provider can manage authentication for you. So, if you’re not sure it is being done, definitely ask. If you want to learn more, or to set up your own authentication signatures if you are handling all of your own email, this Google post will provide all the information you need.