Email security protocols are the structures that protect your email from outside interference. Your email needs additional security protocols for a very good reason. The Simple Mail Transfer Protocol (SMTP) has no built-in security. Shocking, right?
Numerous security protocols work with SMTP. Here’s what those protocols are and how they protect your emails.
1. How SSL/TLS Keep Emails Secure
Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are the most common email security protocols. They encrypt the connection your email travels over, between your client and your mail server and between one mail server and the next, so that anyone watching the wire sees only ciphertext. Note what that does not cover: each server decrypts the message, stores it, and encrypts it again for the next hop, so TLS protects email in transit hop by hop, not end to end.
SSL and TLS sit between the transport layer and the application layer. They run on top of TCP and underneath application protocols such as SMTP, which is why SMTP itself needs no changes to be carried over TLS: the mail protocol simply talks through an encrypted tunnel instead of a raw socket.
From here on, this section discusses TLS. Its predecessor, SSL (last version 3.0), was formally deprecated in 2015 by RFC 7568 and should no longer be enabled anywhere.
TLS provides additional privacy and security for communicating computer programs. In this instance, TLS provides security for SMTP.
When your email client connects to a mail server, it first opens a Transmission Control Protocol (TCP) connection (TCP is the transport-layer protocol the client uses to reach the server) and then performs the TLS “handshake” over it.
The handshake is a series of steps in which the client and the server agree on a TLS version and cipher suite, the client authenticates the server, and both sides derive the keys that encrypt the rest of the session, including the SMTP commands and the email itself. At a basic level, the handshake works like so:
- Client sends “hello” with the TLS versions and cipher suites it supports and, in TLS 1.3, its Diffie-Hellman key share.
- Server picks a version and cipher suite and responds with its certificate (which contains the server public key) and its own key share, or, in older exchanges, just the certificate.
- Client verifies the certificate chain against the Certificate Authorities it trusts and checks that the name in the certificate matches the server it meant to reach. This is the step that stops an impostor in the middle.
- In the legacy RSA key exchange, the client generates a pre-master secret, encrypts it with the server public key and sends it; the server decrypts it with its private key. In an ephemeral Diffie-Hellman exchange (required by TLS 1.3 and preferred in TLS 1.2), both sides compute the shared secret from the exchanged key shares, so the secret itself never crosses the wire and a later theft of the server key cannot decrypt recorded traffic.
- Both sides derive the session keys from the shared secret.
- Client and server now encrypt everything that follows with those session keys, in this case the SMTP session and your email.
TLS is very important as the overwhelming majority of email servers and email clients use it to provide a base-level of encryption for your emails.
Opportunistic TLS and Forced TLS
Opportunistic TLS is a policy rather than a command. The client connects over plain-text SMTP and, if the server advertises the STARTTLS extension in its EHLO reply, issues the STARTTLS command to upgrade that existing connection to TLS.
If the server does not advertise STARTTLS, or the handshake fails (for example because the certificate does not validate), an opportunistic client falls back to plain text and sends the email unencrypted. That fallback is the weakness: an attacker on the path can simply strip the STARTTLS keyword from the server’s EHLO reply, and the client will downgrade to plain text without either side raising an error.
Forced TLS (also called mandatory or required TLS) is the configuration in which every transaction must use TLS and the certificate must validate. If TLS cannot be negotiated on a hop, from the email client to its server or on to the recipient’s server, the message is held or bounced rather than sent in the clear. The other way to avoid the fallback entirely is implicit TLS, where the connection is encrypted from the first byte (mail submission on port 465) and there is no plain-text phase to downgrade.
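The following is an added example, not code from the original article. It simulates the EHLO exchange with two constructed server replies, one honest and one in which an on-path attacker has overwritten the STARTTLS keyword, applies an opportunistic and a forced policy to each, and builds the strict `ssl.SSLContext` a forced-TLS client should hand to `smtplib`. The hostnames, addresses and the `send_forced_tls` helper are placeholders; that helper makes a real network connection and is defined but not called.

```python
from __future__ import annotations

import re
import smtplib
import ssl

# Constructed EHLO replies (not captured from any real server). A well-behaved
# MTA advertises STARTTLS; the second transcript models an on-path attacker
# that overwrote the keyword so the client never offers to upgrade.
EHLO_HONEST = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_STRIPPED = EHLO_HONEST.replace("250-STARTTLS", "250-XXXXXXXX")


class TLSRequiredError(RuntimeError):
    """Raised when a forced-TLS policy cannot be satisfied."""


def parse_ehlo(response: str) -> set[str]:
    """Return the upper-cased extension keywords from a multi-line EHLO reply."""
    keywords = set()
    for line in response.splitlines()[1:]:      # first line is the greeting
        m = re.match(r"250[- ](\S+)", line)
        if m:
            keywords.add(m.group(1).upper())
    return keywords


def decide_transport(ehlo_response: str, policy: str) -> str:
    """Decide how to carry the session under `policy`.
    'opportunistic' upgrades when STARTTLS is offered and otherwise falls back
    to plaintext; 'forced' refuses to continue without TLS."""
    if "STARTTLS" in parse_ehlo(ehlo_response):
        return "tls"
    if policy == "opportunistic":
        return "plaintext"                      # the downgrade the attacker wants
    if policy == "forced":
        raise TLSRequiredError("server did not offer STARTTLS; refusing to send")
    raise ValueError(f"unknown policy {policy!r}")


def strict_context() -> ssl.SSLContext:
    """Client context that verifies the chain and hostname and refuses
    anything older than TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_forced_tls(host: str, sender: str, recipient: str, message: str) -> None:
    """Forced-TLS submission: abort rather than fall back to plaintext.
    Performs a real network connection; host and addresses are placeholders."""
    with smtplib.SMTP(host, 587, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise TLSRequiredError(f"{host} does not offer STARTTLS")
        smtp.starttls(context=strict_context())  # raises on bad cert or old version
        smtp.ehlo()                               # re-EHLO inside the tunnel
        smtp.sendmail(sender, recipient, message)


if __name__ == "__main__":
    print("honest, opportunistic :", decide_transport(EHLO_HONEST, "opportunistic"))
    print("stripped, opportunistic:", decide_transport(EHLO_STRIPPED, "opportunistic"))
    try:
        decide_transport(EHLO_STRIPPED, "forced")
    except TLSRequiredError as exc:
        print("stripped, forced      :", exc)
```

The point to take from the simulation is that the opportunistic client cannot distinguish a server that genuinely lacks STARTTLS from one whose reply was tampered with; only the forced policy turns the downgrade into a visible failure.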
2. Digital Certificates
A Digital Certificate is a signed statement that binds a public key to an identity (a person’s email address, or a server’s hostname), with the signature coming from a Certificate Authority (CA) that the other party already trusts. A certificate is therefore not itself a form of encryption; it is the piece of public key infrastructure that lets you trust that a particular public key really belongs to the party you want to communicate with.
(Unsure about public key encryption? Read sections 7 and 8 of the most important encryption terms everyone should know and understand. It will make the rest of this article make much more sense!)
The certificate lets people look up your public key and send you mail that only you can read, and lets them check signatures you make with your private key. Your Digital Certificate, then, works somewhat like a passport: it is bound to your online identity, and its primary use is to let others verify that identity.
When you have a Digital Certificate, your public key is available to anyone who wants to send you encrypted mail. In practice the sender encrypts the message with a fresh random symmetric key and encrypts only that key with your public key; you recover the symmetric key with your private key and then decrypt the message. The whole scheme rests on the private key staying private.
Digital Certificates aren’t limited to individuals. Businesses, government organizations, email servers, and almost any other digital entity can have a Digital Certificate that confirms and validates an online identity.
3. Domain Spoofing Protection With Sender Policy Framework
The Sender Policy Framework (SPF) is an authentication protocol that protects against one specific form of domain spoofing: forging the envelope sender, the address passed in SMTP’s MAIL FROM command, which also ends up in the Return-Path header.
SPF lets a receiving mail server check whether the IP address that delivered a message is one that the envelope sender’s domain has authorized to send its mail, or whether someone is borrowing the domain name to hide their true identity. A domain is a part of the internet that falls under a single name. For example, “makeuseof.com” is a domain.
Hackers and spammers regularly mask their domain when attempting to infiltrate a system or scam a user because a domain can be traced by location and owner, or at the very least, blacklisted. By spoofing a malicious email as a healthy working domain, they stand a better chance of an unsuspecting user clicking through or opening a malicious attachment.
SPF has three working parts: a DNS TXT record that the domain owner publishes, listing the hosts allowed to send mail for the domain and what to do with everyone else; the check the receiving server performs when a message arrives, matching the connecting IP address against that record; and the result it writes into the message’s Authentication-Results or Received-SPF header for later filters to act on. Two caveats a practitioner should know: SPF checks only the envelope sender, so by itself it does nothing about a forged address in the From: header the user actually sees, and it breaks on ordinary forwarding, because the forwarder’s IP is not in the original domain’s record.
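The following is an added example, not code from the original article: a small SPF evaluator that walks a record the way a receiving server does. DNS is replaced by a constructed in-memory zone (the domains are placeholders and the addresses are documentation ranges), so it runs offline; the record syntax, qualifiers, include: and redirect= handling and the 10-lookup limit follow RFC 7208. The exists and ptr mechanisms are not implemented and are reported as permerror.

```python
from __future__ import annotations

import ipaddress

# Constructed DNS zone standing in for live TXT/A/MX lookups. None of these
# are real records.
FAKE_DNS = {
    "txt": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.mailer.example.net -all",
        "_spf.mailer.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
        "legacy.example.com": "v=spf1 redirect=example.com",
        "loop.example": "v=spf1 include:loop.example -all",
    },
    "a": {"example.com": ["203.0.113.5"], "mx1.example.com": ["203.0.113.25"]},
    "mx": {"example.com": ["mx1.example.com"]},
}

MAX_DNS_LOOKUPS = 10                  # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup(kind: str, name: str):
    """Stand-in for a DNS query against the constructed zone above."""
    name = name.lower()
    if kind == "txt":
        return FAKE_DNS["txt"].get(name)
    return FAKE_DNS[kind].get(name, [])


def check_spf(ip: str, domain: str, lookups: list[str] | None = None) -> str:
    """Evaluate the SPF policy of `domain` for the connecting address `ip`.
    Returns pass, fail, softfail, neutral, none or permerror. `lookups` is
    shared across include:/redirect= recursion to enforce the lookup limit."""
    if lookups is None:
        lookups = []
    addr = ipaddress.ip_address(ip)
    record = _lookup("txt", domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                 # no policy published for this domain

    redirect = None
    for term in record.split()[1:]:
        if "=" in term.split(":")[0]:  # modifier (redirect=, exp=), not a mechanism
            key, _, val = term.partition("=")
            if key.lower() == "redirect":
                redirect = val
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech in ("a", "mx", "include"):
            lookups.append(mech)
            if len(lookups) > MAX_DNS_LOOKUPS:
                return "permerror"    # too many DNS-querying terms
            target = arg or domain
            if mech == "a":
                matched = str(addr) in _lookup("a", target)
            elif mech == "mx":
                matched = any(str(addr) in _lookup("a", h) for h in _lookup("mx", target))
            else:                     # include: only a "pass" of the referenced policy matches
                sub = check_spf(ip, target, lookups)
                if sub == "permerror":
                    return "permerror"
                matched = sub == "pass"
        else:
            return "permerror"        # exists, ptr and unknown mechanisms: not implemented here

        if matched:
            return QUALIFIERS[qual]

    if redirect:                      # nothing matched: hand evaluation to the redirect target
        lookups.append("redirect")
        return check_spf(ip, redirect, lookups)
    return "neutral"                  # record exhausted without an "all"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example.com"), ("198.51.100.99", "example.com"),
                    ("2001:db8::1", "legacy.example.com"), ("192.0.2.1", "loop.example")]:
        print(f"{ip:>16} {dom:<22} {check_spf(ip, dom)}")
```

Note how the forwarding caveat shows up: an address that is not in the record, such as a forwarder relaying a perfectly legitimate message, gets the -all result, fail, exactly as a spoofer would.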
4. How DKIM Keeps Emails Secure
DomainKeys Identified Mail (DKIM) is an anti-tamper protocol: it lets a receiving server detect whether a message’s headers and body were altered after a mail server signed them. The signing server adds a DKIM-Signature header containing a digital signature over selected headers and a hash of the body, made with a private key; the matching public key is published in DNS under selector._domainkey.domain, where the domain is the d= tag in the signature. A valid signature proves that a server holding that domain’s key handled the message and that the signed content has not changed since. DKIM does not encrypt anything, so it is not security in transit in the confidentiality sense, and it is independent of SPF rather than an extension of it: SPF authenticates the sending IP address, DKIM authenticates the message content, and a message can pass one while failing the other (a forwarded message typically fails SPF but keeps a valid DKIM signature).
In practice, a verified DKIM domain gives receivers a reliable identifier on which to build sender reputation, which is what domain blacklists and whitelists need.
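The following is an added example, not code from the original article. It implements the tamper-detection half of DKIM that needs no cryptographic library: relaxed body canonicalization from RFC 6376 section 3.4.4, the bh= body hash, parsing of the DKIM-Signature tag list, and the DNS name the verifier would query for the public key. Verifying the b= signature over the headers additionally needs that public key and an RSA or Ed25519 implementation, which the standard library does not provide, so it is deliberately left out. The message body, domain, selector and the b= value are constructed placeholders.

```python
from __future__ import annotations

import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs
    of whitespace to one space, strip trailing whitespace from each line, drop
    empty lines at the end, and end a non-empty body with exactly one CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, algorithm: str = "sha256") -> str:
    """The base64 'bh=' value: a hash of the canonicalized body."""
    digest = hashlib.new(algorithm, relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(value: str) -> dict[str, str]:
    """Parse the tag=value list of a DKIM-Signature header. Folding whitespace
    inside values (common in bh= and b=) is not significant and is removed."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, _, v = item.partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def public_key_name(tags: dict[str, str]) -> str:
    """DNS TXT name the verifier queries for the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_body_hash(signature_value: str, body: bytes) -> bool:
    """True when the delivered body still matches the bh= the signer
    committed to. Any edit to the text changes the hash; whitespace-only
    changes that relaxed canonicalization tolerates do not."""
    tags = parse_dkim_signature(signature_value)
    if tags.get("v") != "1" or "bh" not in tags:
        return False
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]   # rsa-sha256 -> sha256
    return body_hash(body, algorithm) == tags["bh"]


# Constructed message body and a DKIM-Signature built from it. The b= value is
# a placeholder, not a real signature, because signing needs a private key.
SAMPLE_BODY = b"Hi Dana,\r\n\r\nPlease wire $100 to the usual account.\r\n\r\n-- Sam\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    " b=placeholder"
)
TAMPERED_BODY = SAMPLE_BODY.replace(b"$100", b"$1000")

if __name__ == "__main__":
    print("key record:", public_key_name(parse_dkim_signature(SAMPLE_SIGNATURE)))
    print("original  :", check_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY))
    print("tampered  :", check_body_hash(SAMPLE_SIGNATURE, TAMPERED_BODY))
```

A real verifier runs this check first and only then fetches the key from DNS to verify b=; if the body hash already fails there is no point in checking the signature.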
5. What Is DMARC?
The final key in the email security protocol lock is Domain-based Message Authentication, Reporting & Conformance (DMARC). DMARC builds on SPF and DKIM: it ties their results to the domain in the From: header the user actually sees, lets the domain owner publish a policy for what receivers should do with messages that fail, and adds reporting so the owner can see who is sending mail in the domain’s name. DMARC is a key feature in the battle against domain spoofing. However, relatively low adoption rates mean spoofing is still rampant.
DMARC works by protecting the “header From” address. It requires that an authenticated identifier align with that domain, in one of two ways:
- SPF alignment: the “header From” domain matches the envelope sender domain (MAIL FROM) that the SPF check authenticated.
- DKIM alignment: the “header From” domain matches the d= domain of a DKIM signature that verified.
Alignment can be relaxed (the same organizational domain, so news.example.com aligns with example.com) or strict (an exact match), chosen with the aspf and adkim tags of the record. A message passes DMARC when at least one of the two checks passes and aligns; it does not need both, which is what keeps forwarded mail (SPF fails, DKIM survives) deliverable. When neither passes, the receiving server applies the policy the domain owner published in the _dmarc DNS record: p=none (deliver, but report), p=quarantine (send to spam), or p=reject (refuse the message). Aggregate reports sent to the rua= address show the owner which sources are failing. DMARC is a technology that allows domains of all sizes to protect their name from spoofing. It isn’t foolproof, however: it says nothing about look-alike domains, and a p=none policy protects nothing on its own.
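The following is an added example, not code from the original article: the DMARC decision, given the SPF and DKIM results a receiver already has. It covers both alignment modes, the pass-if-either rule, and the p= dispositions, over four constructed scenarios (a spoof from a third-party host, a legitimate third-party mailer signing with the owner’s key, a forwarded message, and a subdomain sender). The organizational-domain helper is a deliberate simplification: real implementations consult the Public Suffix List, and keeping the last two labels is wrong for suffixes such as co.uk. Domains and the rua= address are placeholders; pct= and sp= are not modelled.

```python
from __future__ import annotations

from dataclasses import dataclass


def org_domain(name: str) -> str:
    """Organizational domain for relaxed alignment. Placeholder logic: keeps
    the last two labels, which real verifiers replace with a Public Suffix
    List lookup."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """adkim/aspf alignment: 's' needs an exact match, 'r' the same org domain."""
    a, b = header_from.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def parse_dmarc(record: str) -> dict[str, str]:
    """Tag=value list of a _dmarc TXT record, with RFC 7489 defaults filled in."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for item in record.split(";"):
        if "=" in item:
            k, _, v = item.partition("=")
            tags[k.strip()] = v.strip()
    return tags


@dataclass
class AuthResults:
    header_from: str   # domain of the RFC5322.From address the user sees
    spf_result: str    # result of the SPF check (pass, fail, softfail, ...)
    mail_from: str     # RFC5321.MailFrom domain that SPF check authenticated
    dkim_result: str   # pass or fail for the signature below
    dkim_d: str        # d= tag of that DKIM signature


def evaluate_dmarc(res: AuthResults, record: str) -> tuple[str, str]:
    """Return (dmarc_result, disposition). DMARC passes when at least one of
    SPF or DKIM passes AND that identifier aligns with the From: domain; a
    failure is acted on according to p= (none, quarantine, reject)."""
    if not record.startswith("v=DMARC1"):
        return "none", "deliver"          # no policy published: nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = res.spf_result == "pass" and aligned(res.header_from, res.mail_from, tags["aspf"])
    dkim_ok = res.dkim_result == "pass" and aligned(res.header_from, res.dkim_d, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition.get(tags["p"], "deliver")


# Constructed policies and scenarios; every domain here is a placeholder.
RECORD_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
RECORD_STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"

SCENARIOS = {
    "spoof via attacker's own mailer":
        AuthResults("example.com", "pass", "attacker.example", "pass", "attacker.example"),
    "third-party mailer, owner's DKIM key":
        AuthResults("example.com", "pass", "bounce.mailer.example.net", "pass", "example.com"),
    "forwarded message":
        AuthResults("example.com", "fail", "example.com", "pass", "example.com"),
    "subdomain sender, parent's DKIM key":
        AuthResults("news.example.com", "fail", "fwd.example.net", "pass", "example.com"),
}

if __name__ == "__main__":
    for label, res in SCENARIOS.items():
        print(f"{label:<40} relaxed={evaluate_dmarc(res, RECORD_REJECT)} "
              f"strict={evaluate_dmarc(res, RECORD_STRICT)}")
```

The spoof scenario is the one DMARC exists for: SPF and DKIM both pass, but for the attacker’s domain, not the one in From:, so the message fails and p=reject discards it. The last scenario shows why owners tighten adkim only after checking their reports, since a subdomain signing with the parent’s key passes under relaxed alignment and fails under strict.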
6. End-to-End Encryption With S/MIME
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a long-standing end-to-end encryption and signing standard. S/MIME encrypts the message body and attachments before they leave your client, so the mail servers in between cannot read them, and only the recipient, holding the matching private key, can decrypt them. What it does not protect is the envelope and the headers: the sender, the recipients, the date and, notably, the Subject line remain in plain view to every server along the path and to anyone who can read the stored message.
S/MIME is implemented by your email client but requires a Digital Certificate, normally issued by a CA that your correspondents’ clients trust. Most modern email clients support S/MIME, though you will have to check specific support for your preferred application and email provider.
7. What Is PGP/OpenPGP?
Pretty Good Privacy (PGP) is another long-standing end-to-end encryption scheme. Today you are far more likely to encounter OpenPGP, the open standard derived from it.
OpenPGP is the IETF standard (RFC 4880 and its successors) that specifies the PGP message and key formats, and GnuPG (GPG) is its most widely used open-source implementation; it is actively maintained, and you will find it under the hood of numerous modern apps and services. Unlike S/MIME, OpenPGP identities rest on keys that users generate and vouch for themselves rather than on CA-issued certificates. Like S/MIME, it leaves the metadata exposed: a third party can still read the sender, the recipients and the subject of an encrypted message.
You can add OpenPGP to your email security setup using one of the following applications:
- Windows: Windows users should check out Gpg4Win
- macOS: macOS users should check out GPG Suite
- Linux: Linux users should see GnuPG
- Android: Android users should check out OpenKeychain
- iOS: iOS user? Look at PGP Everywhere
The implementation of OpenPGP in each program is slightly different, because each has a different developer putting the standard to work on your email. Since they all implement the same standard, keys and encrypted messages interoperate between them, and they are all reliable encryption programs you can trust with your data.
OpenPGP is one of the easiest ways you can add encryption to your life across a variety of platforms, too.
Why Are Email Security Protocols Important?
Email security protocols are extremely important because they add security to your emails. On their own, your emails are vulnerable. SMTP has no inbuilt security and sending an email in plain text (i.e., without any protection, readable by anyone that intercepts it) is risky, especially if it contains sensitive information.
Want to understand more about encryption? Learn about five common encryption algorithms and why you shouldn’t trust your own encryption to protect your data.