What is a secure email? A detailed guide to email safety

What is a secure email, and how do you stay in control of who can read your mail? Discover the basics of email security protocols, best practices, and reliable email providers.
Email attacks account for the largest share of cybercrime, causing billions of dollars in losses for individuals and businesses each year. That makes the question “What is a secure email?” relevant to everyone, not only to cybersecurity professionals.

Email security matters most in business, where exchanged data can be highly sensitive. Whether you are interested for personal or professional reasons, this concise guide covers the common threats to email, the standard security measures providers rely on, and the best practices you can apply yourself.

Common threats to email security

Most email attacks belong to one of the following four categories:
  1. Phishing
  2. Malware
  3. Spam
  4. Business email compromise (BEC)

Phishing

Email attacks in which the attacker impersonates a familiar correspondent, institution, or company are called phishing. They are the most common type of email fraud. A phishing message tries to get the target to share sensitive data, such as:
  • Personal details—Social Security number, address, full name, phone number, date of birth
  • Financial data—Bank account details, credit card number
  • Login credentials—Username and password for your email or bank account
  • Business information—Intellectual property, internal data, and similar confidential information
There are various types of phishing attacks, depending on their goals, targets, and methods. Here is a breakdown of the most frequent ones:
  • Pharming: the victim lands on a counterfeit copy of a real website and is tricked into entering login credentials there. Unlike link-based phishing, pharming tampers with name resolution (poisoned DNS or a modified hosts file), so even a correctly typed address reaches the fake site
  • Whaling: attacks aimed at high-profile individuals in an organization, usually senior executives. Targets can also include celebrities and politicians
  • Smishing: phishing attempts sent by SMS instead of email
Attackers also run mass phishing campaigns against the user bases of popular webmail services, targeting millions of people at once. Gmail users have been hit by such campaigns on several occasions.

Malware

Named after the malicious software they deliver, malware attacks use email as a delivery channel, with the payload usually hidden in an attachment or behind a download link. The following list covers the most common malware types and their purpose:
  • Spyware: records your activity through keystroke loggers, data collectors, and other trackers and reports it to the attacker
  • Adware: displays aggressive pop-ups you cannot dismiss, usually to generate ad revenue for the attacker
  • Scareware: shows fake dialog windows that mimic operating-system or security-product warnings to pressure you into an action, such as installing a “fix” or paying for one
  • Ransomware: encrypts the files on your device and denies access to them unless you pay the attacker a ransom
Poor email security lets attackers install malware on your system, handing them sensitive information and unauthorized access to your device.

With integrated ecosystems like Google Workspace, your email security also depends on the other apps and browser extensions connected to your account. In one reported incident, attackers gained access to millions of Gmail accounts after users installed a malicious Google Chrome extension.

Spam

Spam is generally less harmful than the other email threats. In its most benign form, it is an unsolicited commercial message, more annoying than dangerous, advertising questionable business opportunities, products, or services.

Still, spam can also carry malware or phishing attempts. Even without a malicious payload, spam quickly overwhelms an inbox, which makes it harder to manage messages from real senders.

Business email compromise (BEC)

Business email compromise blends social engineering and phishing, sometimes with malware, to take over or convincingly spoof a trusted business mailbox. It is one of the most damaging email attacks: the FBI estimated that BEC caused $26 billion in losses between 2016 and 2019.

A typical scheme starts by phishing an employee's account or spoofing a trusted sender, then sends fraudulent payment requests or fake invoices from what looks like a legitimate source. Attackers often impersonate company lawyers, CEOs, or other executives to pressure employees into wiring money or handing over confidential information. They also target HR staff to steal executives' personal data and use it to stage further attacks.

A well-prepared BEC attack can fool even Big Tech companies that spend billions on cybersecurity. In a case that concluded in 2019, a lone scammer was found to have tricked Facebook and Google into paying out more than $120 million between 2013 and 2015 by posing as a Taiwanese hardware manufacturer both companies did business with.

What is a secure email? Standard security measures

Email platforms use numerous security measures to protect the contents of your messages. The main ones are:

Secure email servers

Providers store your emails on their servers, which makes those servers obvious targets for attackers and a vital defense point in any security strategy.

As a user, you have two choices regarding email servers:
  1. Default servers hosted by your email service provider
  2. A private email server you run yourself
With a default server, the provider can read the contents of your emails. In the past, companies like Google scanned mail to target ads and train machine-learning models.

Running your own server means you do not have to worry about the provider reading your messages, and you decide which measures to apply: firewalls, spam filtering, encryption. The drawback is cost and effort. You need in-depth technical knowledge, a properly configured server and DNS setup, and the time to apply patches and updates promptly; a neglected mail server quickly becomes the weakest point of your setup, and a misconfigured one gets its mail rejected as spam.

Default servers offer less control and privacy, but they are a zero-effort option. Most people accept that trade-off and rely on the security measures of their provider.

Two-factor authentication

Weak or reused passwords are the most common hole in any email account. Even a strong password may not be enough, given how many passwords are stolen by malware or phishing.

Two-factor authentication (2FA) adds a second check so that a stolen password alone is not enough to log in. After you enter your password, you are prompted for a verification code sent to a trusted device or generated by an authenticator app. Without that one-time code, someone who knows your password still cannot get in.

Gmail, Yahoo, and Outlook all support 2FA. One caveat: a code delivered by SMS or shown by an app can still be captured by a real-time phishing site that relays it to the genuine login page within its validity window, so hardware security keys (FIDO2/WebAuthn) are the phishing-resistant option. 2FA is most effective combined with the other measures described here.
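How an authenticator app's codes are produced and checked, as an added example written for this article (not code from the page and not any provider's implementation). It implements the public HOTP (RFC 4226) and TOTP (RFC 6238) algorithms in standard-library Python; the demo secret is the RFC test-vector key, and the replay guard (the last_used argument) is a design choice of this example rather than part of the RFCs:

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time // step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, now, last_used=None, step=30, window=1, digits=6):
    """Server-side check. Accepts the current step or up to `window` steps
    of clock drift either side. Returns the matching counter so the caller
    can persist it; counters at or below `last_used` are refused so the same
    code cannot be replayed within its validity window (this example's own
    replay guard, not part of the RFC)."""
    current = int(now) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_used is not None and counter <= last_used:
            continue
        # Constant-time comparison: do not leak which digit mismatched.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def secret_from_base32(text):
    """Authenticator apps exchange the shared secret as base32 (RFC 4648)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # Demo secret: the ASCII key "12345678901234567890" used by the RFC test vectors.
    demo = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current 6-digit code:", totp(demo, time.time()))
```

The server must store the counter it last accepted and compare codes in constant time; both are easy to forget and both matter. Note what this does not do: a phishing page that asks the victim for the code and submits it within the same 30-second step passes this check, which is why the caveat above about phishing-resistant factors applies.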

Standard email security protocols

The rules that define and standardize how mail is exchanged and protected are called email security protocols. Two of the most widespread are:
  1. Transport Layer Security (TLS)
  2. Secure/Multipurpose Internet Mail Extensions (S/MIME)
TLS is the default transport protection for Google, Yahoo, and other popular providers. It encrypts messages while they travel between your client and the server and between servers, but messages sit unencrypted on the servers at rest. Server-to-server TLS is also usually opportunistic: if the receiving server does not offer STARTTLS, the sender falls back to plaintext unless a policy such as MTA-STS is enforced.

S/MIME goes further because it encrypts (and can digitally sign) the message body itself, so the message stays protected in transit and at rest. In the standard model, the private key lives in the user's mail client and the provider cannot read the message. In the hosted S/MIME that some providers offer, the provider generates and stores the keys on your behalf, so your privacy and security again depend on the provider's server security.

Mainstream providers handle S/MIME differently. Outlook supports it in its desktop client for any user, while Google offers hosted S/MIME only on its highest Workspace tiers. Both require you to obtain an S/MIME certificate and install it manually, which is tedious even if you are tech-savvy.

Strong end-to-end encryption

The strongest measure is to protect your messages on your device, before they are ever uploaded to a server. That is what end-to-end encryption (E2EE) does.

With true E2EE, the encryption and decryption keys are generated on the device and are available only to the sender and the recipient; the provider never has them. This solves the server-security problem: attackers who break into the servers get only ciphertext, because the decryption keys are not stored there.

E2EE also addresses email privacy. No one, including your provider, can scan your messages for ad targeting or any other purpose.

Two caveats apply. E2EE protects message contents, not metadata: the servers that route the mail still see sender, recipient, and timing. And it protects nothing on a compromised device, where messages are readable once decrypted. Endpoint security and care with phishing remain necessary.

Best practices to ensure email security

Many standard measures have known weaknesses that attackers have learned to bypass. For the best email security, you should:
  1. Create a strong password
  2. Be cautious with unknown senders
  3. Update antivirus software regularly
  4. Separate business and personal email accounts
  5. Use an E2EE-enabled email platform

Create a strong password

To protect your email from unauthorized access, avoid obvious and weak passwords. Length matters more than any composition rule: eight characters is no longer enough, so aim for at least 12, and use a mix of:
  • Numbers
  • Lowercase letters
  • Uppercase letters
  • Special symbols
Make your password as random as you can; a password manager that generates and stores a unique password for every account is the easiest way to do this. Never include personally identifiable information such as your name, address, or date of birth, which attackers can harvest from social media and other public sources.

Reusing a password from another account is also dangerous. If one of your accounts is compromised, attackers can get into your email as well: credential-stuffing tools automatically try leaked username and password pairs against other services.

Password reuse is a major problem for corporate security. When employees choose their own business email passwords, they often reuse personal passwords that may already have been leaked. Checking new passwords against lists of known breached passwords catches many of these.

In addition, enable 2FA whenever possible. It will not protect your email from every type of attack, but it is an excellent second line of defense when combined with E2EE and the other measures here.
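A password check that applies the points above, added as an example for this article (not code from Skiff or any provider): it enforces a minimum length, estimates the guess space, rejects passwords containing user-supplied personal terms, and refuses passwords found in a breached list. The breached list is a constructed five-entry stand-in; the prefix lookup mirrors the k-anonymity design of the Have I Been Pwned range API, in which the client sends only the first five hex characters of the SHA-1 and compares suffixes locally. NIST SP 800-63B recommends this kind of breached-password screening over composition rules.

```python
import hashlib
import math
import string

# Constructed stand-in for a breached-password corpus (real services use
# hundreds of millions of entries, e.g. the Have I Been Pwned data set).
_BREACHED = ["password", "123456", "qwerty", "letmein", "Summer2023!"]

# Index by the first 5 hex characters of the SHA-1, mirroring the HIBP range
# API: the client sends only the prefix and compares the returned suffixes
# locally, so neither the password nor its full hash leaves the device.
BREACHED_INDEX = {}
for _pw in _BREACHED:
    _digest = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACHED_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def range_lookup(prefix):
    """Server side of a k-anonymity lookup: every suffix sharing this prefix."""
    return BREACHED_INDEX.get(prefix.upper(), set())


def is_breached(password):
    """Client side: hash locally, query by prefix, match the suffix offline."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def entropy_bits(password):
    """Rough upper bound on guess entropy: length * log2(alphabet size used).
    Real strength is lower for dictionary words and patterns, so use this
    only to reject weak input, never to certify a password as strong."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
               string.punctuation + " ")
    pool = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def evaluate(password, personal_terms=(), min_length=12, min_bits=60):
    """Return a list of problem codes; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if entropy_bits(password) < min_bits:
        problems.append("low_entropy")
    lowered = password.lower()
    for term in personal_terms:  # name, birth year, pet, street, ...
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains_personal:{term.lower()}")
    if is_breached(password):
        problems.append("breached")  # leaked or reused: reject outright
    return problems
```

evaluate("Summer2023!") returns ["too_short", "breached"]: it satisfies every composition rule in the list above and is still unusable because it appears in the breached set, which is the point of screening. The entropy figure is an upper bound and should only ever be used to reject a password, never to certify one.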

Be cautious with unknown senders

Don’t open attachments or links from unknown or suspicious senders, as they may be phishing attempts or carry malware.

More elaborate phishing emails appear to come from familiar institutions or people, so be wary of links and attachments even when a message looks like it comes from a trustworthy source. If a message asks you to log in or verify something, reach the site through a bookmark or by typing its address rather than through the link.

Here are some things you can do to check a link without opening it:
  • Look for misspellings or substituted characters in the domain name
  • Copy the link and paste it into a URL checker
  • Hover over the link to see the actual destination address, not just the text shown
  • Check the sender’s actual email address, not just the display name, to verify it is legitimate
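Those checks, and the phishing indicators from earlier in the article, can be automated. The following is an added example written for this article, not code from the page or from any mail provider: it parses a raw message with Python's standard library, compares the From, Reply-To, and Return-Path domains, extracts every link from the HTML body, and flags links that are not HTTPS, use punycode or non-ASCII characters, show one domain in their visible text while pointing at another, or sit on a domain one or two characters away from a trusted one. The trusted-domain list and both sample messages are constructed for the example.

```python
import email
import email.policy
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("example-bank.com", "example.com")  # constructed allowlist
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from the <a> tags of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); good enough for this illustration."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_of(header_value):
    """Domain of the address in a From/Reply-To/Return-Path header."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalikes such as examp1e-bank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Trusted domain within two edits of this one (and not equal to it), or None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def analyze(raw_message):
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    if (hit := lookalike_of(from_domain)):
        findings.append(f"sender domain {from_domain!r} resembles trusted {hit!r}")
    for hdr in ("Reply-To", "Return-Path"):  # replies or bounces routed elsewhere
        if hdr in msg and domain_of(msg[hdr]) != from_domain:
            findings.append(f"{hdr} domain {domain_of(msg[hdr])!r} differs from From domain")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme != "https":
            findings.append(f"link {href!r} does not use https")
        if "xn--" in host or not host.isascii():  # IDN homograph tricks
            findings.append(f"link host {host!r} uses punycode or non-ASCII characters")
        if URL_LIKE.match(text):  # the visible text claims a destination
            claimed = urlparse(text if "://" in text else "https://" + text).hostname
            if registrable_domain(claimed) != registrable_domain(host):
                findings.append(f"link text shows {claimed!r} but points to {host!r}")
        if (hit := lookalike_of(registrable_domain(host))):
            findings.append(f"link host {host!r} resembles trusted {hit!r}")
    return findings


# Constructed samples: one phishing message, one legitimate message.
PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: support@mail-recovery.example.net
Return-Path: <bounce@examp1e-bank.com>
To: victim@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://examp1e-bank.com.login-portal.example.net/verify">https://www.example-bank.com/login</a> within 24 hours.</p>
"""

CLEAN = """\
From: "Example Bank" <alerts@example-bank.com>
To: victim@example.org
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<p>View it at <a href="https://www.example-bank.com/statements">example-bank.com/statements</a>.</p>
"""
```

analyze(PHISH) returns four findings (a lookalike sender domain, a Reply-To on a different domain, a plain-HTTP link, and a link whose text shows example-bank.com while it points at example.net); analyze(CLEAN) returns an empty list. A Reply-To that differs from From is also common for legitimate bulk senders, so treat these as signals to weigh rather than a verdict. The same checks are what you perform by hand when you hover over a link and read the real address.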

Update antivirus software regularly

Malware can end up on your computer even if you are careful. Antivirus software is your last line of defense, so update it regularly: attackers constantly produce new malware, and antivirus updates carry the signatures and detection logic needed to recognize it automatically.

Most mainstream email providers scan attachments, but those scans are not 100% effective. Gmail scans attachments for malware, but only certain file types and only up to 25 MB in size. Keep the antivirus software on your device updated in case your provider's scan misses a threat.

Separate business and personal email accounts

Don’t use personal email accounts for work correspondence, or vice versa. Mixing the two makes it easier for an attacker who breaches one account to pivot into the other.

Sticking to this policy is crucial in the age of remote work, when large amounts of sensitive data are shared over email. Access control is vital, so employees and entrepreneurs should open business email only on corporate devices with a proper security setup.

Use an E2EE-enabled email service

Almost none of the mainstream email providers offer end-to-end encryption, the most effective form of email security. Some niche providers do use E2EE but lack the intuitive, modern UI and productivity tools you get from a provider like Google.

Skiff Mail is an excellent solution since it offers practical features, a superior user experience, and end-to-end encrypted email.

What is secure email? The answer is Skiff

With built-in E2EE, a modern UI, and a robust productivity suite, Skiff rivals any mainstream email service.

Skiff’s email encryption is based on two keys:
  1. Public encryption key—Automatically shared between senders and recipients
  2. Private decryption key—Stored on the recipient’s device and never shared with anyone
Because keys are generated and kept on your device, you never have to worry about the provider reading your mail. Only you and the intended recipient can read the contents of exchanged messages; Skiff’s team and other third parties cannot access your account.

Privacy is also supported by a zero-knowledge login design. You do not provide personal information when signing up for a Skiff account, and the platform does not store your login credentials on its servers, making sign-up anonymous.

Skiff also supports 2FA through an authenticator app. Even password recovery is handled through a code generated by your device.

Skiff is open source, with its codebase available on GitHub. Its technology is documented in Skiff’s public whitepaper, and you can chat with the team directly on the official Skiff Discord.

Skiff aliases protect you from phishing

Skiff supports custom domains and email aliases. Aliases help protect your privacy by keeping your real address out of view, and they reduce spam and phishing because not every recipient learns your primary identity.

A free Skiff account lets you create four email aliases; upgrading to one of the paid tiers raises the limit to fifteen, which lets you route and filter your correspondence. For example, use one alias for miscellaneous websites that might send promotional mail and keep your primary inbox clutter-free.

Skiff also integrates with popular crypto wallets. You can log in with those wallet credentials instead of creating an account from scratch, for communication that complements your crypto transactions.

Skiff gives you a full E2EE productivity suite

Signing up for a free Skiff account gives you more than an E2EE email client. The platform offers a full productivity suite that rivals Google Workspace and Office 365, with end-to-end encryption included. Here is what you get:
  1. Skiff Pages—A document tool similar to Google Docs that lets you collaborate online in a secure, end-to-end encrypted environment
  2. Skiff Drive—Encrypted cloud storage for safely sharing and backing up files of any type
  3. Skiff Calendar—Private scheduling with video-conferencing features and a fully customizable interface
The entire Skiff ecosystem is available with a free account. iOS and Android users can download dedicated apps, and Skiff also works in all popular browsers.

Sign up for free—upgrade later

Creating a free Skiff account takes only a few minutes and three quick steps:
  1. Open the signup page
  2. Choose your username and a strong password
  3. Start using Skiff’s E2EE productivity suite
While all four Skiff products are available with a free account, you can upgrade later. Skiff’s three paid plans add more email aliases, custom domains, and up to 1 TB of storage space.
