Email encryption

Email workflow

 Sender  ------HTTP/SMTP---->   HTTP/SMTP-Server    ---|
                                                      SMTP
Receiver ---HTTP/IMAP/POP3--> HTTP/POP3/IMAP-Server <--|
  • HTTP ... to send/receive emails. (Sender/Receiver: webmail)
  • SMTP ... just to send emails. (Sender: email client)
  • IMAP/POP3 ... to receive emails. (Receiver: email client)

Protocol details

HTTP
If you access webmail these days to read or send email, the connection will most likely be HTTPS rather than plain old HTTP. To be sure, always check the site information (the padlock and certificate details) in the web browser.

SMTP/IMAP/POP3
SMTP, IMAP and POP3 were originally plain-text protocols; Opportunistic TLS (STARTTLS) was added later. "Opportunistic" means the connection starts in plain text and is only upgraded to TLS if client and server agree to it, but these days most of them do.
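As an added example (not from the original page), here is how the opportunistic upgrade looks from the client side in Python: the server advertises STARTTLS in its EHLO reply, and a client that merely accepts TLS will carry on in plain text when that line is absent, whereas a client that requires TLS aborts. The hostnames and the EHLO transcripts are constructed placeholders, and `send_requiring_tls` assumes a reachable server.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured from a real server; host is a placeholder).
# The first advertises STARTTLS. The second is what the client sees when the
# server does not offer it, or when an on-path attacker has removed the line.
EHLO_WITH_STARTTLS = "250-mail.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_WITHOUT_STARTTLS = "250-mail.example.test\r\n250-SIZE 35882577\r\n250 8BITMIME"


def starttls_offered(ehlo_reply: str) -> bool:
    """Return True if an EHLO reply advertises STARTTLS.

    Accepts raw wire lines ('250-KEYWORD', final '250 KEYWORD') and the
    prefix-stripped form smtplib keeps in SMTP.ehlo_resp.
    """
    for line in ehlo_reply.splitlines():
        if line.startswith("250") and len(line) > 4:
            line = line[4:]  # drop the '250-' / '250 ' reply-code prefix
        keyword = line.strip().split(" ", 1)[0].upper()
        if keyword == "STARTTLS":
            return True
    return False


def choose_action(offered: bool, require_tls: bool = True) -> str:
    """Client decision after EHLO: 'starttls', 'abort' or 'plaintext'.

    'plaintext' is the opportunistic fallback; a client that requires TLS
    refuses it and aborts instead.
    """
    if offered:
        return "starttls"
    return "abort" if require_tls else "plaintext"


def send_requiring_tls(host: str, port: int, sender: str, rcpt: str, msg: str) -> None:
    """Send one message over SMTP without ever falling back to clear text.

    host/port are assumed placeholders. ssl.create_default_context() verifies
    the server certificate and hostname against the system trust store.
    """
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        if choose_action(smtp.has_extn("starttls")) != "starttls":
            raise RuntimeError("STARTTLS not offered; refusing to send in clear text")
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # extensions must be re-queried after the TLS upgrade
        smtp.sendmail(sender, rcpt, msg)
```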


Security discussion

Level 1: Man-in-the-middle (MitM) attacks on Opportunistic TLS between the sender/receiver and the server. Because the upgrade to TLS is negotiated rather than mandatory, an attacker on the path can keep the session in plain text.
Solution: Use webmail (over HTTPS) instead of an email client.

Level 2: The attacker has access to the POP3/IMAP server itself, so transport encryption no longer helps.
Solution: Use end-to-end encryption (E2EE) by encrypting the message text yourself before sending, for example with GPG, so the server only ever holds ciphertext.