Explained: How to Send and Receive Encrypted Emails (Easily!)


Infopackets Reader Tom G. writes:

" Dear Dennis,

I am trying to send encrypted email to a friend using MS Outlook. To do so, I purchased a digital certificate from Comodo, then imported the certificate into Outlook. I could send my friend digitally signed messages which he could read and reply to. He could send me digitally signed and encrypted messages, which I could read and reply to. However, I could not generate an encrypted message; I could only reply to his. I could not create an encrypted message from scratch. When attempting to initiate an encrypted message, I was told 'Microsoft had problems encrypting the message (pic) because the following recipients had missing or invalid certificates, or conflicting or unsupported encryption capabilities.' I don't understand that. Eventually I stumbled my way through and made it work, but with great difficulty. Despite all the emphasis on computer security, email digital certificate installation is NOT for the faint of heart. Shame on the software vendors! Do you have any thoughts on the subject? "

My response:

Setting up email encryption in an email client is not easy, because it relies on you acquiring (purchasing) a valid digital certificate (which will eventually expire), importing the certificate into your client, configuring the client to use encryption, having your recipient do the same, and then testing to ensure everything works. This is far too much work for what it's worth.

Also, this is not so much a case of a software vendor "not making it easy", per se. The problem is more that email has been an open standard for a long time, with millions of email servers already using that standard, and changing it means getting everyone to agree on how to go about it. One way, as you have discovered, is to take matters into your own hands and use digital certificates at the client level. There are easier ways to do it, which I will describe next.

A Simple Way to Send Encrypted Emails: Using An Email Service Provider

A much easier method is to use an email provider that already supports encryption, such as Gmail. Other providers do the same; I'm mentioning Gmail here because it is one of the best free email providers.

The big benefit here is that you won't need to worry about certificates that expire, plus all the heavy lifting is already done.

If you don't use a dedicated email client (such as MS Outlook) to send or receive email, all you need to do is sign into Gmail.com (which uses a secure HTTPS connection), and your emails are sent and read over an encrypted connection. However, there are some major caveats (described next).

If you are using a dedicated email client (such as MS Outlook) to send and receive email, then you will need to configure Outlook to connect to the mail server using SSL/TLS encryption; otherwise the messages won't be encrypted in transit.

IMPORTANT: There is NO GUARANTEE your Sent Email will Arrive Encrypted at its Destination

Please read carefully!

Even if you use a third-party email service provider that claims to use encryption (whether it's Gmail, Proton Mail, Send Inc, Hotmail, Yahoo, AOL, etc.), there is no guarantee that your message will arrive secure (encrypted) at its destination.

The reason is that not all email servers support encrypted communication with each other; in that case, the email is sent unencrypted to the destination server. Remember: email is an open standard, and there is no guarantee that every service provider uses the same method to send and receive email.

Let's look at an example. If you use Gmail to send an email to johndoe[at]aol.com, Gmail will try to contact AOL's mail server using TLS encryption to deliver the message. If AOL's server doesn't support TLS, Gmail will send the email unencrypted. Furthermore, if johndoe[at]aol.com forwards your message to a third party, that message may not arrive encrypted either, for the same reason.

So, just because you sent an email using encryption does not mean it will arrive encrypted, or "secure".
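As an added example (not from the article), here is the after-the-fact check a recipient can run: each mail server adds a "Received:" header describing the hop it received the message over, and a hop that used TLS is marked with "ESMTPS", "version=TLS..." or "using TLSv..." depending on the server software. The script parses those headers, in sender-to-recipient order, and reports which hops were encrypted. The sample message is constructed; only the header written by your own provider is fully trustworthy, since earlier hops could have been written by anyone.

```python
import email
import re
from email import policy

# Constructed sample: the first hop used TLS, the final hop fell back to clear text.
SAMPLE_MESSAGE = """\
Received: from mx.example-isp.net (mx.example-isp.net [203.0.113.10])
        by mail.example.org with ESMTP id 5x7Qk3Dz00
        for <bob@example.org>; Tue, 04 Jun 2019 10:15:43 +0000
Received: from mail-sor-f41.example.com (mail-sor-f41.example.com [198.51.100.41])
        by mx.example-isp.net with ESMTPS id r7sor123456
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 04 Jun 2019 10:15:41 +0000
From: alice@example.com
To: bob@example.org
Subject: test

hello
"""

# Markers that common mail servers put in a Received header when the hop used TLS.
TLS_PATTERNS = (
    re.compile(r"\bwith\s+E?SMTPSA?\b", re.IGNORECASE),            # ESMTPS / SMTPS / ESMTPSA
    re.compile(r"\bversion=TLS", re.IGNORECASE),                   # Gmail / Exim style
    re.compile(r"\busing\s+(?:TLS|SSL)v?[\d.]*", re.IGNORECASE),   # Postfix style
)


def hop_used_tls(received_value: str) -> bool:
    """True if a single Received header value shows the hop was made over TLS."""
    flat = " ".join(received_value.split())  # unfold the header onto one line
    return any(p.search(flat) for p in TLS_PATTERNS)


def audit_hops(raw_message: str):
    """Return [(receiving_server, used_tls), ...] in sender-to-recipient order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = msg.get_all("Received", [])
    report = []
    # Each server prepends its header, so the top one is the last hop: reverse them.
    for value in reversed(hops):
        flat = " ".join(value.split())
        by = re.search(r"\bby\s+(\S+)", flat)
        report.append((by.group(1) if by else "?", hop_used_tls(value)))
    return report


def all_hops_encrypted(raw_message: str) -> bool:
    """True only if every recorded hop used TLS."""
    return all(tls for _, tls in audit_hops(raw_message))


if __name__ == "__main__":
    for server, tls in audit_hops(SAMPLE_MESSAGE):
        print(f"{server:25} {'TLS' if tls else 'CLEAR TEXT'}")
```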

There is a way around this - described next!

How to Ensure Your Message Arrives Encrypted Using a Third Party Email Provider

If you plan to communicate with someone in particular and want to be assured that your messages are fully encrypted (from end to end, meaning sent encrypted and received encrypted), then I suggest you sign up for a Gmail account (or a similar email provider that guarantees encryption) and have your friend sign up at the same provider.

That way, your messages will always be sent and received securely, because you are both using the same server to send and receive email. This communication is guaranteed secure, so long as everyone connects to that provider's server over a secure connection to send and receive their messages, whether you're using Outlook as your email client or the web interface.

How to Encrypt Emails - Without Third Party Email Service

Yet another way to send an encrypted message, without using a third-party email service, is to use a program like 7-Zip (free) to encrypt and password-protect your message.

For example, you can compose a plain text document (or even a .DOC Word file), use 7-Zip to encrypt the document with password protection, then email the encrypted .zip or .7z file to a friend as an attachment. When your friend receives the file, he or she will need to enter the password to open it and decrypt the text document. Without the password, the file will not be readable, because it is encrypted.

In this case it does not matter how the message is sent, whether over a secure email connection or not, because the file is already encrypted before you send it.

I hope that helps!

Additional 1-on-1 Support: From Dennis

When it comes to securing email, there is a lot to consider. If you need help setting up your email client (or email server, for that matter) to send and receive secure email, I can help using my remote desktop support service. Simply contact me, briefly describing the issue, and I will get back to you as soon as possible.

Got a Computer Question or Problem? Ask Dennis!

I need more computer questions. If you have a computer question, or even a computer problem that needs fixing, please email me with your question so that I can write more articles like this one. I can't promise I'll respond to all the messages I receive (depending on the volume), but I'll do my best.

About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise are broad and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelor's degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via live chat on this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.


Comments

LouisianaJoe writes:

A simpler way is to not trust the email client to do the job. There are several utilities that can encrypt a file. One of the simpler ones is 7-Zip. You can compress a file and give it a password that you can share with the recipient. Send the message as a 7-zip file and the recipient can use the password to unzip the file. I use a different password for each person that I share files with. I only have to send them the password once.

Several years ago, I created an Excel spreadsheet that lists passwords. I wrote a macro for it that encrypts the passwords with an entered key. Sometimes I use this to send a key for encrypted files, and I tell the user the key for the spreadsheet on the phone.

Dennis Faas replies:

I already mentioned this in the article - did you miss it? It's the last solution offered.

Phil writes:

I used PGP as a DOS and a Windows program, but that king of the "public key-private key" world had the fatal flaw of requiring technically-skilled people at both ends of the communication.

Much easier is setting up an account at a site like SendInc.com, which uses https browser encryption like shopping and banking sites. You sign in, write a message on screen, upload files, and address the message. The recipient gets an invitation to log in or create a free account, and can then download the files and the message as a pdf. After a week the site dumps your upload.

They have paid accounts with additional features (like an "oops" feature to delete a message before the recipient logs in), but the free account is perfectly serviceable.

The only thing this system lacks is digital signing to verify the sender's identity.

Phil Olenick

Dennis Faas replies:

As I mentioned in the article, the same rules apply with gmail. End to end encryption won't matter **** UNLESS **** the receiving party uses an encrypted email server OR you use the same service. It seems a lot of people are not understanding this point. If you sign up with gmail and your friend uses gmail, you get encrypted email.

Phil writes:

What no one here seems to recognize is that the service I'm talking about only uses email to ask the recipient to use their browser to log into an encrypted site.

The message and attachments travel in both directions through browser encryption regardless of what email system is used to send the notification that there's a message waiting.

No one has to modify their email setup this way, since email is not used for the sensitive information.

petershaw writes:

Solution: https://protonmail.com/

Dennis Faas replies:

The only extra "security" Proton Mail offers is that they don't log your connections - which does not apply to this article. Emailing "end to end encryption" is the same as what is offered at Gmail or any other email service provider offering TLS connections on their outgoing emails. As I pointed out, it won't be encrypted if the receiving party is not using an encrypted email server that accepts TLS connections. Emailing a friend using the same service (whether it's Proton mail or Gmail) will give you the same result - encrypted email - because it's the same service.

Phil writes:

The virtue of the SendInc.com approach is that it requires no setup by - or even prior notice to - the recipient: they get an ordinary email through their normal email program or host and click on a link to an encrypted website where they either log in (if they've already set up an account there) or create a free account, and can then download the message and attachments protected by browser encryption.

And once you've set up a free account, you can use it to send or receive mail with anyone.

Oh - and since it's free, and you use your email address as your login id, you can send or receive from any of your email identities, and from any machine with a modern web browser, with no setup beyond creating the logins.

It's as friction-free as it gets.

Phil Olenick

haroldmacpherson_10639 writes:

Great article, Dennis. Thank you for all your advice throughout the years! Have used much of it. Sincerely, Harold.

JimBo writes:

Hi Dennis,

Seems like the simplest solution would be to have an encryption Plug-In for Outlook that would provide an integrated "button" to encrypt what you are getting ready to send with a key you provide or select. Same plug-in used on the other end would decrypt the received email with a similar action while in the Inbox.

The major point of protection, other than ease of use, is that only the rightful recipient would have the decryption key. In other words, third party snooping is thwarted with the only discomfort I can see being the recipient must have been told the proper key once upon a time via some sneaky way. (I like using The Daily News, second page, third and fifth word from the date the email was sent.)

As far as I know no crafty programmer has coded this plug-in but I wish someone would, Open Source would be a plus.

What do you think, am I missing something? Is Outlook's Plug-In interface too lame to do this? Would easy to use hard encryption be something that some would not like to see rapidly spreading? If your ISP or mail provider can, in any way, see plain text then it's not really encrypted, right?