Email Encryption: The Full Guide

What is email encryption? 

Email encryption scrambles an email message’s contents so that anyone who intercepts the message, other than the intended recipient, cannot read it. Adding encryption to email is the most practical way to keep email messages secure from the prying eyes of cyber-criminals.

Email power-users have known for a long time that off-the-shelf email clients transmit and/or store emails using “wide-open” methods, making data easy to steal. For example, packet sniffers can easily capture the contents of unsecured emails while they are in transit. Using email encryption software assures the sender that confidential data can only be read by the intended recipient.

There are different types of email encryption, including end-to-end encryption. This type of encryption, also called “message encryption,” conceals the message, to protect it from being read while traveling from one device to the other. This type of email encryption can also protect the recipient from accidentally exposing the email, e.g. forwarding a sensitive message to the wrong person, and can prevent them from taking certain actions, such as copying and pasting the email’s content.

When you use an end-to-end email encryption service, only you and your email recipients can read the emails you send.

How does email encryption software work?

End-to-end encryption uses complex codes called "keys" to scramble encrypted emails in transit, and then unscramble the contents once they arrive at their destination. Hackers and sniffers cannot see the contents of the email because they don’t have the key to decrypt (or unlock) the message.

This style of email security has been around a long time. In older end-to-end encryption systems, both the sender and the recipient have two keys: a public key and a private key. The private keys are kept private on the person’s device, while the public key is shared between the sender and the recipient(s).

If the public key is accessed by a third party, it does not pose a threat to the security of the email, since both the public and private keys are needed to read the email message. The disadvantage of the two-key system isn’t necessarily one of security, but one of convenience. Having to share a public key adds a step that makes securing email messages a challenge for many users - often meaning emails are not encrypted (out of convenience), which then introduces security risks.

At Egress, we solve this problem by streamlining the end-to-end encryption process - giving you the highest assurances of security, while making our software easy to use. Instead of using the two encryption keys (private and public), Egress uses symmetric key cryptography. This means the public key is eliminated; only one key is necessary. That key is automatically shared between the sender and receiver without sacrificing the security and reliability of the two-key system.

This method keeps the contents of emails and their attachments safely out of the view of everyone except the sender and receiver without adding any extra steps, such as sharing a password or special unlock code.

The good news is that the Egress symmetric key cryptography method is not only easier for all end-users, but it’s also considered the most robust way to send secure emails available today.

How to encrypt an email in Microsoft 365

Is email encryption easy in Microsoft 365 with Egress? Yes!

Microsoft 365 email encryption with Egress couldn’t be easier. Emails are encrypted in one simple step, so users of all comfort levels will be able to encrypt their emails effortlessly.

It works in two ways. For desktop encryption, Egress is integrated into end users' Microsoft 365 client, so all they have to do is select the level of protection they want from our dropdown menu.

For example, maybe they need to attach a highly sensitive document to an email. In our default settings, the sender would choose SECRET in our encryption dropdown menu (to give the email the highest level of security). Next, they click "Send", and that’s all there is to it: they’ve used Egress end-to-end encryption to send a secure email. Do note that Egress administrators can tailor email encryption policies and labels to suit their organization's requirements.

It is also possible to automate email encryption in your Microsoft 365 environment using Egress Gateway. Sitting on your network perimeter, the Egress Gateway scans outbound emails against our out-of-the-box policy libraries and your organization’s bespoke policies to automatically encrypt all emails that contain sensitive data in the email body and/or any attachments.

The benefits of encrypted email

Encrypted email does its job when users have three things: unmatched simplicity, maximum security, and control through rights management.

Sending an encrypted email with Egress is as simple as choosing the level of encryption you want and clicking "Send" or scanning for policies to automate encryption.

Different levels of encryption can be used to give the user different controls. This comes in handy in a variety of scenarios, such as:

    • Adding multi-factor authentication to an encrypted email message
    • Exercising information rights management control (e.g., preventing an email from being forwarded or printed)
    • Revoking and restricting access to individual email messages
    • Protecting attachments
    • Securely sending very large files as email attachments

All of these scenarios scratch the surface of the power of encrypted email.

Avoiding data breaches

With Egress Protect encrypted email software, your email messages will be safeguarded at every stage using AES 256-bit encryption, from the moment you hit "Send" to residing in your recipient’s inbox.

Breaking this down, it means your email messages are obscured going from server to server after you hit "Send" and, with the right policies applied, the recipient's actions can be limited. In addition, if your recipient's email is hacked, or their machine gets a virus or is otherwise infected or compromised, your encrypted email would be protected as it sits in their inbox.

Real-time control

Users have real-time control of securely-sent emails when using Egress Protect. Examples of limitations you can put on the recipient include the inability to copy, forward, or print an email. These are examples of information rights management control. This level of security goes a long way in preventing sensitive data from ending up in the wrong hands.

The sender can also change or recall access to an email in real time. Factors like adding watermarks, preventing recipients from printing, and making emails read-only all give senders greater control over the data they share.

Sending large files

It's very frustrating when users need to send large files securely, but they can’t do so via email attachments. The alternatives are insecure, complicated workarounds or splitting the content into multiple messages. Neither is convenient, and neither protects your data adequately. Egress Protect email encryption software allows users to easily send large attachments in a single secure email, with all message contents and attachments encrypted to keep sensitive data secure.

Security on-the-go

Modern users are road warriors who are expected to move seamlessly from desktop to laptop to cell phone. Since email is still a central hub for professionals everywhere, Egress protects email on every device. Users can send secure emails from anywhere. The consistent interface from device-to-device provides an intuitive experience for users of all levels of sophistication.

Streamlining the process

Machine learning and AI work behind the scenes with Egress Intelligent Email Security. The software is always learning your behavior so it can make email security, including encryption, easier and easier. For example, Egress can understand the types of data you share with particular coworkers and the level of risk they pose to sensitive data. It can then prompt you to choose the right level of encryption relative to the risk of a data breach. This AI component of the software helps you minimize email security mistakes.

Overall, the benefits of Egress email encryption include both its ease of use for users of all levels of sophistication, as well as its flexibility and power in keeping emails secure from end-to-end.

Different types of email encryption

There are several different types of email encryption, all with varying levels of effectiveness. Let’s compare some other forms of encryption to end-to-end encryption.


First is TLS, or Transport Layer Security. TLS is a protocol that uses cryptography to secure communication of data from one point to another. It is a relatively mature protocol, and it has wide use in many applications, including voice over IP (VoIP). When you see a website uses HTTPS (the URL starts with https://), that means the site uses TLS.

The main difference between TLS and end-to-end encryption is that TLS encrypts the data as it travels over a network, but that data may not be encrypted once it reaches a destination. If you send a message over Google Hangouts (which uses TLS), for example, Google may store that message in plain text on their servers for their own data analysis. Thinking about this for email, with TLS a message will sit in plaintext in the recipient's mailbox - and can be forwarded or printed at any time. End-to-end encryption, on the other hand, encrypts the message both in transit and on the servers and devices of both users, and enables the sender to put controls in place for how the recipient handles the data.


Secure Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy MIME (PGP/MIME) are both examples of older encryption protocols that use cryptography to encrypt email messages. Messages are secured with digital signatures, which generate a code called a hash. Hashes can be compared, and if they're not equal, it means the message was corrupted, is incomplete, or has been altered during transmission.

Systems like S/MIME and PGP were very sophisticated in their time, but they have also always been difficult to use, especially for non-technical users. Problems can arise if there is a conflict in versions from one endpoint to the other, for example.

These protocols also had other problems. For example, crashes and corrupted backups could mean lost passwords with no workarounds. If you lost the key to decrypt a message, the data was lost forever.
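The TLS comparison and the S/MIME and PGP/MIME description above can be checked on a stored message. The following is an added example, not code from the original page or from Egress: it reports which hops used TLS according to the Received headers, whether the message itself is signed or encrypted according to its MIME structure, and what text remains readable at rest. The sample message, its hosts and the function names are constructed for illustration.

```python
import email
import re

# Constructed sample (made-up hosts): S/MIME-signed, last hop TLS, first hop not.
SAMPLE = """\
Received: from mx.example.net by inbound.example.org with ESMTPS
 (version=TLS1_3); Mon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.example.net by mx.example.net with ESMTP; Mon, 01 Jan 2024 10:00:01 +0000
From: alice@example.net
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"

--b1
Content-Type: text/plain

Q4 revenue was 4.2M.
--b1
Content-Type: application/pkcs7-signature

AAAA
--b1--
"""

def hop_transport(msg):
    """(receiving host, TLS seen?) per Received header, newest hop first."""
    hops = []
    for rcvd in msg.get_all("Received", []):
        by = re.search(r"\bby\s+(\S+)", rcvd)
        # RFC 3848 "with" keywords ending in S or SA (ESMTPS, ESMTPSA, LMTPS) mean TLS.
        tls = re.search(r"(?i)\bwith\s+\w*SA?\b|version=TLS", rcvd) is not None
        hops.append((by.group(1) if by else "?", tls))
    return hops

def message_protection(msg):
    """Message-level protection, judged from the MIME structure alone."""
    ctype = msg.get_content_type()
    proto, smime = ((msg.get_param(p) or "").lower() for p in ("protocol", "smime-type"))
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "encrypted (PGP/MIME)"
    if ctype.endswith("pkcs7-mime") and smime == "enveloped-data":
        return "encrypted (S/MIME)"
    if ctype == "multipart/signed" and proto.endswith(("pkcs7-signature", "pgp-signature")):
        return "signed only"
    return "none"

def readable_body(msg):
    """Text that anyone holding the stored message can read, or None."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode().strip()
    return None
```

Received headers are written by each relay in turn, so only the hops added by servers you trust are reliable evidence of TLS. A signed-only message still exposes its body wherever it is stored, which is the gap between transport encryption and message encryption.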

End-to-end email encryption that uses symmetric encryption with one key (like in Egress Protect) overcomes all of the obstacles that pioneer technologies like S/MIME and PGP encountered.

With Egress, you get all of the security of TLS, S/MIME, and PGP without the fear of messages being stored in plain text or keys being lost.
