The Basics: What Encryption Actually Does
When you send an unencrypted email, it travels across the internet as plain text. Every server it passes through — your provider's servers, the recipient's provider's servers, and potentially others in between — can read it. It's like sending a postcard: anyone who handles it can read the message.
Encryption transforms your message using a mathematical algorithm so that it becomes unreadable to anyone who doesn't have the right key to decode it. The message becomes a string of random-looking characters. Only the person holding the correct decryption key can turn it back into readable text.
TLS: The Minimum Standard (But Not Enough)
Most email sent today uses TLS (Transport Layer Security). TLS encrypts the connection between mail servers — so when your email travels from your provider to the recipient's provider, it's protected from eavesdropping on the wire.
But TLS has a critical limitation: it only encrypts the transport. The mail servers themselves can still read your messages. Your provider stores your email in a form they can access. This means your emails are protected from network interception, but not from the provider itself, court orders, or data breaches.
End-to-End Encryption: The Real Solution
End-to-end encryption (E2EE) means the message is encrypted on your device and can only be decrypted on the recipient's device. No one in between — not the mail server, not the provider, not a hacker, not a government — can read it.
With E2EE, the mail server only ever sees encrypted gibberish. It's a messenger that moves locked boxes without ever knowing what's inside.
Public Keys and Private Keys: How the Magic Works
E2EE uses a system called asymmetric cryptography. Each person has two mathematically linked keys:
- Public key — shared with everyone. Anyone can use it to encrypt a message for you.
- Private key — kept secret on your device. Only you can use it to decrypt messages sent to you.
The critical insight: you can publish your public key on the internet and invite anyone to send you encrypted messages. But only your private key — which never leaves your device — can decrypt them. Not even the person who encrypted the message can decrypt it afterwards.
PGP: The Gold Standard for Email Encryption
PGP (Pretty Good Privacy) is the most widely used standard for email encryption. Invented in 1991 by Phil Zimmermann, it combines asymmetric encryption with a "web of trust" model for verifying identities.
When two enemail users exchange emails, PGP works automatically in the background:
- Your email client fetches the recipient's public key from enemail's key server
- Your message is encrypted using their public key before it leaves your device
- The encrypted message is delivered to the recipient's inbox
- Their enemail client decrypts it automatically using their private key
From the user's perspective, it looks exactly like normal email. The security happens invisibly.
Zero-Knowledge: When Even the Server Can't Help
Some providers go one step further with a "zero-knowledge" architecture. This means the encryption keys are derived from your password and exist only on your device. The server genuinely cannot decrypt your emails — not because of policy, but because it mathematically cannot.
This is the architecture enemail uses. Even if we were compelled by a court to hand over your data, we would hand over encrypted blobs that are computationally infeasible to decrypt without your key.
What About Emails to Non-Encrypted Recipients?
If you send an email from enemail to a Gmail user, end-to-end encryption isn't possible, because Gmail doesn't support it by default. In this case, enemail uses TLS to secure the transmission, which is the industry standard. For maximum security, you can share your public PGP key with external contacts and ask them to use it.