Email TLS encryption—what it is, and how much protection it offers

Email TLS encryption is touted as a solid security standard, but does it live up to the promises? Learn everything about its effectiveness and shortcomings.
Client server encrypted communication diagram.
Email TLS encryption is a widely-used security standard supported by most ESPs (email service providers). It was developed to prevent eavesdropping and interceptions so that users can enjoy more privacy online.So, how effective is it?There’s a discrepancy between the perceived and objective level of security you get with TLS. Hearing the word “encryption” is enough for an average user to get some peace of mind without further questioning the ESP’s security measures.To help you understand the true extent of privacy you get with TLS-supported email services, this article will teach you everything you need to know about this encryption standard. You’ll learn about its benefits and drawbacks, and then you’ll discover the most effective way to keep your online correspondence safe.
Upgrade to Skiff Mail for top-tier email encryptionSkiff Mail provides advanced end-to-end encryption, ensuring the highest level of email protection
Sign up

What is TLS email encryption?

TLS (Transport Layer Security) is the evolution of SSL (Secure Socket Layer) encryption. It’s a cryptographic protocol that protects your emails while they’re traveling across networks and servers to reach the recipient.The mechanism behind TLS is straightforward:
  1. You send an email, and your email service provider requests a secure connection from the recipient’s service
  2. Your email is converted from plain text into strings of scrambled characters to prevent third parties from reading it
  3. When the email reaches the recipient’s provider, it gets decrypted on their servers
  4. The plain-text version of the email reaches the recipient’s device
The main benefit of TLS is protection from third parties and hackers—at least in theory. Despite its wide implementation, this encryption standard suffers from a few notable drawbacks exposing users to security risks.

Why TLS email security isn’t enough to keep your correspondence safe

TLS encryption offers basic privacy that might be sufficient for casual users who don’t send any sensitive data via email. Such cases are rare as most people rely heavily on this communication method, so transferring private files or information is virtually unavoidable.To prevent unauthorized access to your email contents, you must go beyond TLS for several reasons:
  1. Limited protection dependent on the recipient’s email service provider
  2. Risky decryption key storage
  3. Exposure to downgrade attacks
  4. No encryption at rest
Switch to a reliable E2EE email providerAlong with the built-in E2EE, a free Skiff account offers numerous safety measures
Sign up

TLS can’t protect you if the recipient’s provider doesn’t support it

Even though TLS is a popular encryption standard, not every provider supports it. If your provider can’t establish a secure connection with the recipient’s provider, the email will be sent in plain text using the SMTP (Simple Mail Transfer Protocol) standard, which doesn’t offer any protection.Most users don’t pay attention to whether their connection has defaulted to SMTP, so there’s a chance you wouldn’t notice if the email you sent isn’t secured. You might unknowingly expose your data to risks and make it easy for malicious parties to intercept your traffic.

Your email provider creates and holds the decryption key

When you receive an email encrypted by TLS, it doesn’t get decrypted on your browser or device. Your provider uses a public decryption key to decipher the message and send it to you in plain text.The same mechanism is used for sending an email—instead of being decrypted on your device, it first reaches the service provider’s server before being converted.This means your email provider has full access to your correspondence. They can read your emails and use the data to target you with ads or provide personalized auto-fill while you’re composing a message. It’s an intrusive practice used by most major email services that robs users of their fundamental right to privacy.

TLS is vulnerable to downgrade attacks

As the name implies, a downgrade attack happens when a hacker demotes a security protocol to an older, less secure version. There are many types of such attacks, most notably:
Attack typeHow it works
DROWN (Decrypting RSA Using Obsolete and Weakened Encryption)Exploits the less-secure SSLv2 connections to attack servers that allow them, letting the attacker decrypt sensitive information
POODLE (Padding Oracle on Downgraded Legacy Encryption)The target unknowingly installs malicious code that fakes unsuccessful attempts to establish a secure connection, forcing the server to switch from TLS to SSL 3.0
SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes)Targets hash algorithms to let the attacker intercept traffic and decrypt messages
While many downgrade attacks can be prevented by frequent updates to the provider’s encryption protocols, the user has no influence on this. You must rely on your email service provider to follow the latest security practices, which not all of them do.

TLS-encrypted emails aren’t protected while resting

When your emails are sitting in your inbox and on the provider’s servers, TLS can’t secure them. Encryption only happens during transit and ends when the message reaches the recipient’s provider.Big Tech email providers are common targets of cybersecurity attacks, so entrusting them with sensitive information isn’t a smart idea. You need a secure service that ensures your emails are safe wherever they are. To achieve this level of security, you should move away from TLS in favor of end-to-end encryption (E2EE).

Why E2EE is superior to TLS

E2E encryption is a more comprehensive and secure alternative to basic protocols like TLS or SSL. It safeguards your emails from the moment they leave your device, ensuring nobody but the recipient can read them.Key ownership is another major difference, as E2EE lets the user create and store the decryption key so that not even the email service provider can see their messages. You can send private emails without the risk of your sensitive data being accessed by the provider or sold to advertisers.Skiff is among the few privacy-first email providers using advanced end-to-end encryption standards to give users control of their data and online identity. If you want to fortify the security of your online correspondence, sign up for Skiff Mail.

How Skiff Mail helps you stay safe online

Skiff Mail relies on several security measures besides strong E2EE to give you a carefree emailing experience. It uses two keys to safeguard your correspondence—a public key for encrypting messages and a private decryption key stored on the user’s device.The platform doesn’t store decryption keys, personal details, or even login details. You can get started without leaving any identifiable information and take advantage of Skiff’s zero-knowledge authentication to enjoy ultimate protection and privacy.Skiff made sure every user can heighten their email security without technical knowledge. The powerful back-end is combined with a beautifully-designed user interface to make every action intuitive. The encryption is automatic and takes place from the moment you sign up.As an open-source platform, Skiff is fully transparent about its encryption protocols and privacy practices. Anyone can review the codebase, which undergoes regular external audits. If you want to learn more, check out the whitepaper or visit Skiff’s GitHub to join the community.You can sign up for free, and you’ll get numerous features typically hidden behind a paywall:
  • Unlimited, lighting-fast email and text search
  • 10 GB of end-to-end encrypted storage
  • 4 aliases
If you need a reliable email for managing crypto assets and enjoying anonymous communication, you can sign into Skiff with various wallets:

Maximize your productivity with Skiff’s privacy-first workspace

Email is only one part of your workflow, so Skiff lets you keep your data and files safe beyond it with three additional E2EE platforms:
  • Skiff Pages—An end-to-end encrypted alternative to unsecured options like Google Workspace. Skiff Pages lets you create unlimited docs and features a rich text editor alongside various collaboration tools. You can communicate and share files between team members without privacy concerns
  • Skiff Drive—A secure storage solution supporting all file types. Skiff Drive offers optional integration with the InterPlanetary File System (IPFS), a decentralized space for all your sensitive data
  • Skiff Calendar—Confidential and customizable, Skiff Calendar lets you stay organized and choose the features you need the most to personalize your workspace. You can also send private invites and RSVPs to keep the attendees’ information safe
Skiff enables work on the go without security risks thanks to its compatibility with browsers and iOS, Android, and macOS devices. Visit the download page for more details and installation instructions.

Sign up for Skiff’s free plan and safeguard your data

Getting started with Skiff is quick and simple—all you have to do is:
  1. Visit the signup page
  2. Create your account
  3. Explore Skiff Mail and other privacy-first products
The free plan doesn’t have a time limit and is robust enough for an average user. If you need extra features like short aliases, custom domains, or more storage, you can upgrade to one of the paid plans:
Storage15 GB100 GB1 TB
Skiff aliases101015
Short aliases111
Custom domains125

Get the most out of E2EE with proper security hygiene

E2EE protects your emails from most types of cyberattacks, but no encryption is omnipotent. To stay safe from attacks beyond its reach, make sure to:
  • Set strong passwords and two-factor authentication—Helps you avoid brute-force and dictionary attacks aimed at stealing your login credentials
  • Beware of phishing—Phishing is a form of social engineering, so its effectiveness mostly depends on the way you handle emails from unknown senders. Tread carefully with any links or attachments that seem suspicious, and be wary of requests for personal information
  • Invest in malware protection—E2EE can’t protect your data if your device is compromised by malware, so install a capable antivirus platform and run regular scans

Join the community

Become a part of our 1,000,000+ community and join the future of a private and decentralized internet.

Free plan • No card required