Given the sensitive nature of what we send via email, it's best to encrypt your email when exchanging sensitive, personal information. However, all email encryption is not equal. The biggest email providers — Outlook, Gmail, Yahoo, and iOS — each have their own bells and whistles, and each comes with their own caveats. Your best bet to protect your emails? A three-prong encryption plan that includes enabling your email provider’s confidential settings, using a VPN, and pairing both with a separate encryption app.    

During the dial-up days, an encrypted email was the stuff of spy movies. Back then, emails typically zipped from sender to recipient unprotected.

In fact, sending an email a few decades ago was not much different from passing a note in class: If someone wanted to intercept your message and read it, they probably could.

Today, emails have become a lifeline for every facet of life. We communicate with our tax accountants over email, share our children’s birth certificates with schools over email, and the list goes on.

Given the sensitive nature of what we send, simple note-passing is no longer the safest way to exchange information.

What is email encryption? 

Email encryption is a way of scrambling a message — its path, addresses, and sometimes, its content — to protect the information from cyber snoops and thieves.

To open an encrypted email, the recipient must have a way to decode it, typically in the form of a passcode.

Say you get an email from a trusted source. You open the email and see a box that reads, “Click to open.” You click and then you receive (via text or email) a short string of numbers and/or letters.

You enter that “passcode” as prompted, and voila: The email, including its contents and attachments, is accessible.

Any time you share sensitive personal information via email, you should enable encryption. That includes personal information (PI), financial information, legal documents, personal records, or any other information you don’t want others to steal.

How to encrypt an email 

The general problem with encryption services today is that they often only work as intended (or to full capacity) if both the sender and the recipient are using the same email provider, the same security protocols, and/or the same encryption app.

Getting all your contacts to use your email provider, get their own "Certificate of Authenticity" (a digital ID that verifies an entity is who they claim to be), and/or download your favorite encryption app may not be a feasible option.

That said, by implementing these three safety precautions, you’ll be in excellent shape:  

  • Enable all the encryption capabilities and confidential settings your email provider offers. In recent years, mail service providers have improved their privacy features. If you enable those and send correspondence over a VPN (more on that below), your messages are not the “low-hanging fruit” unprotected emails are. Your built-in encryption options will vary based on the email provider you use, the type of account you have, and the device you're on. 

  • Use an encryption app or service that’s compatible with your email provider. This is the most simple and efficient way to encrypt the actual content of your messages and attachments. Encryption apps like these typically enable what’s called end-to-end encryption (E2EE).

  • Send email while connected to a VPN. The VPN included in select Allstate Identity Protection plans sends your emails via what’s essentially an encrypted channel.  


Fast Facts

Encryption lingo

Encryption lingo can be intimidating and confusing. To understand the basics, know that email encryption can be divided into two categories: 

  • TLS: “Transport Layer Security.” Messages sent over TLS travel on encrypted connections between mail servers, but the message itself is protected only while it is moving along each hop: every server that handles it, including both providers, can read the content. For TLS to protect a hop, both the sender’s and the recipient’s service providers must support the protocol on that connection.

  • E2EE: “End-to-end encryption.” The content of the “message envelope” — the message body and attachments — is scrambled before it leaves the sender’s device, and only the intended recipient can decipher it; the mail servers in between see only scrambled data. The addressing information needed to deliver the message still travels in the clear.
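A practical way to see the TLS distinction above is to look at the Received: trail that each mail server prepends to a delivered message: hops made with ESMTPS (or that record a TLS version) were encrypted in transit, while plain ESMTP or SMTP hops were not. The script below is an added example, not code from the original article or from any provider; it parses a constructed sample message with one encrypted hop and one unencrypted hop. The header layout follows the common ESMTPS format, but exact wording varies by provider, so treat the regular expressions as an assumption to adapt.

```python
"""Audit the Received: headers of an email and report which hops used TLS.

Added example (not part of the original article). Works offline on a
constructed sample message embedded below.
"""
import re
from email import message_from_string
from typing import Dict, List, Optional

# Constructed sample: the first hop (sender's server -> mx.example.org) used
# TLS 1.3; the second hop (mx.example.org -> recipient's inbound server) did not.
SAMPLE_EMAIL = """\
Received: from mx.example.org (mx.example.org [198.51.100.7])
        by inbound.example.net with ESMTP id 42abc;
        Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.example.com (mail.example.com [203.0.113.5])
        by mx.example.org with ESMTPS id 17xyz
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 1 Jan 2024 10:00:01 +0000
From: accountant@example.com
To: you@example.net
Subject: Your tax return

Please find the document attached.
"""

# "from <host> ... by <host> ... with <protocol>" is the usual shape of a hop.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)
# Some servers also record the negotiated TLS version explicitly.
VERSION_RE = re.compile(r"version=(TLS[\w.]*)")


def audit_hops(raw_email: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per hop, in sender-to-recipient order."""
    msg = message_from_string(raw_email)
    hops = []
    # Each server prepends its Received: line, so the header order is
    # newest-first; reverse it to walk the path in delivery order.
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(header).split())  # unfold continuation lines
        match = HOP_RE.search(flat)
        if not match:
            continue
        sender, receiver, protocol = match.groups()
        version = VERSION_RE.search(flat)
        # ESMTPS (and ESMTPSA, with authentication) mean STARTTLS was used.
        used_tls = protocol.upper().startswith("ESMTPS") or version is not None
        hops.append({
            "from": sender,
            "by": receiver,
            "protocol": protocol,
            "tls": used_tls,
            "version": version.group(1) if version else None,
        })
    return hops


def unencrypted_hops(raw_email: str) -> List[str]:
    """List the hops that carried the message in the clear."""
    return [f'{h["from"]} -> {h["by"]}' for h in audit_hops(raw_email) if not h["tls"]]


def all_hops_encrypted(raw_email: str) -> bool:
    hops = audit_hops(raw_email)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_EMAIL):
        status = f'TLS ({hop["version"] or "version not recorded"})' if hop["tls"] else "NO TLS"
        print(f'{hop["from"]} -> {hop["by"]}: {status}')
    print("Every hop encrypted:", all_hops_encrypted(SAMPLE_EMAIL))
```

Two caveats apply when reading the output. Received: headers are written by the servers themselves, so lines added by servers you do not control can be forged; only the hops recorded by your own provider's inbound servers are trustworthy. And a fully green trail still only confirms transport encryption: each server along the way held the message in readable form, which is exactly the gap end-to-end encryption closes.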

What to do if you receive an encrypted email 

Bad actors are at it again, this time sending encrypted emails that direct recipients to share their log-in credentials on fake sites that look like real ones.

The best defense against this is to only open an encrypted email if you are expecting one from a trusted source.

The types of content that are encrypted usually travel with specific intentions. For example, your accountant shares your tax returns, and you must unlock (decrypt) them with a passcode. In such a case, both parties are aware of the exchange and expect it.

When in doubt, confirm the sender sent it in a separate email, by text, or by phone.
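One mechanical check that complements the advice above is to compare where the “Click to open” links in a message actually point with the domain of the sender's address: a lookalike site will usually sit on a different registered domain. The script below is an added example, not code from the original article; it runs on a constructed HTML message with one legitimate link and one lookalike link. The domain extraction is deliberately simplified (last two labels of the host name), which is an assumption that real tooling replaces with the Public Suffix List.

```python
"""Flag links in an email whose registered domain differs from the sender's.

Added example (not part of the original article). Runs offline on a
constructed sample message embedded below.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Constructed sample: the first link stays on the sender's domain, the second
# points at a lookalike host on an unrelated (.invalid) domain.
SAMPLE_EMAIL = """\
From: "Your Accountant" <accountant@example.com>
To: you@example.net
Subject: Encrypted message: Your 2023 tax return
Content-Type: text/html; charset=utf-8

<html><body>
<p>You have received a secure message.</p>
<p><a href="https://portal.example.com/secure/open?id=123">Click to open</a></p>
<p><a href="https://example.com-secure-login.invalid/open">Trouble opening? Sign in here</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.links.append(value)


def registered_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels of the host name.

    Assumption for this example; a real check would consult the Public
    Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(raw_email: str) -> str:
    msg = message_from_string(raw_email)
    _, address = parseaddr(msg.get("From", ""))
    return registered_domain(address.rpartition("@")[2])


def find_offsite_links(raw_email: str) -> List[str]:
    """Return links whose registered domain is not the sender's domain."""
    msg = message_from_string(raw_email)
    expected = sender_domain(raw_email)
    collector = LinkCollector()
    # walk() visits every part, so multipart and single-part messages both work.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        collector.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    flagged = []
    for href in collector.links:
        host = urlparse(href).hostname
        if host is None:  # mailto:, relative or malformed links carry no host
            continue
        if registered_domain(host) != expected:
            flagged.append(href)
    return flagged


if __name__ == "__main__":
    print("Sender domain:", sender_domain(SAMPLE_EMAIL))
    for link in find_offsite_links(SAMPLE_EMAIL):
        print("Off-domain link:", link)
```

A flagged link is a signal, not proof: some legitimate secure-message services host their unlock page on the vendor's domain rather than the sender's, and a forged From: header can make a lookalike link appear to match. That is why the article's rule still stands: if the message was not expected, confirm with the sender by a separate channel before opening anything.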