‘Secure email’: A losing battle CISOs must give up

End-to-end encryption remains elusive: Email remains the dominant electronic communication tool because it is well understood, relatively easy to use, and relatively inexpensive. By and large, businesses have approved email for sending confidential information, and we often convince ourselves that it is secure, that it can be secured with third-party tools, or that it is “good enough.” This simply is not the case, and better solutions exist.

It is impossible to guarantee that email is end-to-end encrypted in transit and at rest. TLS for SMTP is hop-by-hop: each relay decrypts the message, and the mailbox provider stores it. Even where Google and Microsoft encrypt customer data at rest, they hold the keys and can read personal and corporate email. Stringent server configurations and third-party tools can tighten things, but they are often trivial to circumvent: CC just one recipient or distribution list whose mail server does not enforce TLS and confidentiality is breached for the whole message. Forcing encryption by rejecting clear-text SMTP connections would cause significant service degradation and push employees toward workarounds. Given the long history of clear-text SMTP servers and their continued prevalence, there is no foolproof configuration that guarantees encryption.

SMTP comes from an era before cybercrime and mass global surveillance of online communications, so encryption and security were not built in. We have taped on solutions like SPF, DKIM, and DMARC by leveraging DNS, but adoption is uneven, enforcement (a DMARC policy of reject rather than none) is rarer still, they remain open to multiple attacks, and in any case they authenticate the sending domain rather than protect the content: a message can pass all three and still cross the Internet in clear text. TLS has been wedged into SMTP via STARTTLS to encrypt email in transit, but it is opportunistic: falling back to clear-text transmission is still the default on a significant number of servers to ensure delivery, and the policy mechanisms meant to forbid that fallback (MTA-STS, DANE) are more DNS-based add-ons with the same patchy adoption. All of these solutions are cumbersome for systems administrators to configure and maintain properly, which leads to lack of adoption or failed delivery.
We would need Certbot to work as seamlessly for SMTP as it does for HTTP, and major email providers such as Google and Microsoft to refuse clear-text connections, for there to be any hope of improving this situation. Unfortunately, there is little incentive to do this given the amount of email disruption it would cause.

Google recently announced “end-to-end encrypted emails” in Gmail, built on Gmail’s client-side encryption rather than on the S/MIME certificate exchange Gmail also supports. Google’s own post outlines some of the complexities and downfalls of attempting to use email for secure communications. The feature works when both parties are in Gmail, but for everyone else it runs into the same problem as SMTP+TLS and S/MIME: encryption to a remote system is complex to set up and impossible to guarantee. Google’s answer is to have recipients outside Gmail click a link and come back to Google’s servers to read the message over HTTPS. That may be acceptable for Gmail customers and ticks the compliance box, but it does not fix the underlying issues with email; the outside recipient is reading a web page, not an email. S/MIME has not received widespread adoption for the same reasons that SMTP+TLS has not. Security researchers are already speculating about how attackers could mimic the “click here to read your encrypted message” pattern in phishing emails for credential harvesting.
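To make the weakest-link point concrete, here is an added example (not code from the article or its author) that classifies a recipient domain’s transport-security posture from the records the DNS add-ons publish: its DMARC TXT record, its MTA-STS record and policy file, and the EHLO response of its MX. The domain names, records and banners are constructed for illustration, and the `assess_domain` and `weakest_link` functions are this example’s own. In practice the inputs would come from DNS TXT lookups, an HTTPS fetch of the policy file and an SMTP session with the MX; here they are embedded so the script runs offline.

```python
"""Classify recipient domains' SMTP transport-security posture and find the weakest link.

Constructed example: the DNS TXT records, MTA-STS policy files and EHLO
responses below are made up for illustration and embedded inline, so nothing
is fetched from DNS or over the network.
"""
import re


def parse_tag_value(record: str) -> dict:
    """Parse a 'k=v; k2=v2' style TXT record (DMARC, MTA-STS and TLSRPT all use it)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def parse_mta_sts_policy(text: str) -> dict:
    """Parse the body of https://mta-sts.<domain>/.well-known/mta-sts.txt.

    Lines are 'key: value'; 'mx' may repeat, so it is collected into a list.
    """
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def ehlo_advertises_starttls(ehlo_response: str) -> bool:
    """True if a (multi-line) EHLO response lists the STARTTLS extension."""
    return any(re.match(r"250[ -]STARTTLS\b", line.strip(), re.IGNORECASE)
               for line in ehlo_response.splitlines())


def assess_domain(observations: dict) -> dict:
    """Summarise one domain's posture from what its DNS, policy file and MX expose.

    observations keys (all optional):
      'dmarc'          TXT record at _dmarc.<domain>
      'mta_sts'        TXT record at _mta-sts.<domain>
      'mta_sts_policy' body of the HTTPS policy file
      'ehlo'           EHLO response captured from the domain's MX
    """
    dmarc = parse_tag_value(observations.get("dmarc", ""))
    sts_record = parse_tag_value(observations.get("mta_sts", ""))
    policy = {}
    if sts_record.get("v") == "STSv1":
        policy = parse_mta_sts_policy(observations.get("mta_sts_policy", ""))
    # Only an enforced MTA-STS policy with at least one MX pattern forbids the
    # clear-text fallback; 'testing' mode and a bare STARTTLS offer do not.
    tls_enforced = policy.get("mode") == "enforce" and bool(policy.get("mx"))
    return {
        "dmarc_policy": dmarc.get("p", "none") if dmarc.get("v") == "DMARC1" else "absent",
        "starttls_offered": ehlo_advertises_starttls(observations.get("ehlo", "")),
        "tls_enforced": tls_enforced,
    }


def weakest_link(recipients: list, posture_by_domain: dict) -> list:
    """Return the recipient domains to which TLS cannot be guaranteed.

    One such domain on the To/CC line is enough for the whole message to go
    in the clear on that hop; an empty result means every recipient is covered.
    """
    weak = set()
    for address in recipients:
        domain = address.rsplit("@", 1)[-1].lower()
        if not posture_by_domain.get(domain, {}).get("tls_enforced"):
            weak.add(domain)
    return sorted(weak)


# Constructed observations for two hypothetical domains (not real DNS data).
SAMPLE_OBSERVATIONS = {
    "secure.example": {
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@secure.example",
        "mta_sts": "v=STSv1; id=20250501T000000",
        "mta_sts_policy": (
            "version: STSv1\nmode: enforce\n"
            "mx: mx1.secure.example\nmx: mx2.secure.example\nmax_age: 604800\n"
        ),
        "ehlo": "250-mx1.secure.example\n250-SIZE 52428800\n250-STARTTLS\n250 8BITMIME\n",
    },
    "legacy.example": {
        # Offers STARTTLS but publishes no MTA-STS policy, so a sender whose
        # TLS handshake fails may legitimately fall back to clear text.
        "dmarc": "v=DMARC1; p=none",
        "ehlo": "250-mail.legacy.example\n250-STARTTLS\n250 SIZE 10240000\n",
    },
}

POSTURE = {domain: assess_domain(obs) for domain, obs in SAMPLE_OBSERVATIONS.items()}


if __name__ == "__main__":
    for domain, summary in POSTURE.items():
        print(domain, summary)
    # CC one legacy recipient and the guarantee for the whole message is gone.
    print("weak:", weakest_link(["alice@secure.example", "bob@legacy.example"], POSTURE))
```

Note that `legacy.example` advertises STARTTLS and still comes out as not enforced: an advertised extension is an offer the sender may decline or be downgraded from, and only a published, enforced policy turns that offer into a requirement.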

Email for authentication: Another losing battle

[Image: Email for authentication]

Keith Lawson

Add to all this the alarming trend of email being adopted as an authentication mechanism and as an out-of-band channel for password resets. The widespread practice of sending a unique link to an email account opens attack paths into critical services through personal accounts. Attackers are aware of this and are taking advantage of it, gaining access to corporate assets or sensitive personal information by compromising workers’ and executives’ personal email accounts, which often lack strong passwords or multi-factor authentication. Once an attacker controls a personal email account, it is trivial to search it for evidence of systems that use that address for authentication or password resets, trigger a reset through the third-party service, and take over the account there. If that service is a corporate system, the attacker has entered your business through an employee’s personal email, and that can be the initial compromise that leads to a widespread corporate breach.

Moving beyond email: In December 2024, the FBI, jointly with CISA, released guidance on mobile communications that recommended adopting technologies that provide end-to-end encryption, a direct response to known nation-state threats. Continuing to rely on email for critical business functions like large financial transactions or the sharing of sensitive information is a losing game. It is time to start replacing sensitive or business-critical communications with modern technologies that support end-to-end encryption and were developed to use secure protocols by default. Applications like Signal rely on protocols that were designed for strong encryption and make it simple to ensure data is secured in transit and readable only by the endpoints. Tools like Microsoft Teams, Slack, and Cisco Webex were designed from the ground up to use HTTPS, so the clear-text fallback problem does not exist; note, though, that transport encryption to the vendor is not the same as end-to-end encryption, and by default the vendor, like Google or Microsoft with mail at rest, holds the keys. There are better alternatives available today.

Change is hard, and email has been entrenched in our personal and business lives for more than a generation now, but we have better alternatives, and the risks of email are too large to continue to ignore. Businesses need to start adopting policies that deprioritize email as a communications tool and incentivize more secure alternatives. In a world where cyber threats evolve daily, relying on email is like locking your front door but leaving the windows wide open. Let’s treat email for what it is: a reliable, well-known tool for global communications. Better tools for protecting the security of data exist now. Rather than trying to retrofit the past, let’s embrace the future. Is anyone going to be upset at having a few fewer emails in their inbox?

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3993713/secure-email-a-losing-battle-cisos-must-give-up.html
