Email security protocols such as SSL, TLS and STARTTLS are used to secure email transmissions and protect your email from outside interference. Your email needs these additional protocols for a very good reason: the Simple Mail Transfer Protocol (SMTP) has no built-in security. That is why extra security protocols are needed for your email.
Fortunately, there are numerous security protocols that work with SMTP.
Now let’s go through the email security protocols and see how they protect your emails.
Email Security Protocols
1. SSL/TLS Keeps Your Emails Secure
SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are the most common email security protocols; they protect your email as it travels across the internet. SSL and TLS are application layer protocols. The application layer standardizes communications for end-user services in internet communication networks.
To secure your email communication, the application layer provides a security framework and a set of rules that work with SMTP (itself an application layer protocol).
TLS provides additional privacy and security for communicating computer programs; in this instance, TLS provides security for SMTP. When your email client sends or receives a message, it uses the Transmission Control Protocol (TCP) to connect to the email server and initiate a “handshake”.
The handshake is a series of steps in which the email client and the email server validate their security and encryption settings and then begin the transmission of the email itself. At a basic level, the handshake works like so:
- Client sends a “hello” message listing its supported encryption types and compatible TLS versions to the email server.
- Server responds with the server TLS Digital Certificate and the server public encryption key.
- Client verifies the certificate information.
- Client generates a Shared Secret Key (also known as the Pre-Master Key), encrypts it using the server public key and sends it to the server.
- Server decrypts the Shared Secret Key.
- Client and server can now use the Shared Secret Key to encrypt the data transfer, in this case, your email.
TLS is very important: the overwhelming majority of email servers and email clients use it to provide a base level of encryption for your emails.
Forced TLS and Opportunistic TLS
Forced TLS is a protocol configuration that forces all email transactions to use the secure TLS standard. If the email cannot travel over TLS from the email client to the email server, and then on to the email recipient, the message is not sent.
Opportunistic TLS is a protocol command (STARTTLS) that tells the email server that the email client wants to turn an existing connection into a secure TLS connection.
At times, your email client will open a plain text connection instead of following the handshake process described above to create a secure connection. Opportunistic TLS will then attempt to start the TLS handshake to create the encrypted tunnel. If the handshake fails, however, Opportunistic TLS falls back to the plain text connection and sends the email without encryption.
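The two policies described above, as an added example that is not part of the original article: the `negotiate` function applies either a forced or an opportunistic STARTTLS policy to an SMTP session, and `fake_smtp_server` is a constructed in-process stand-in (hypothetical host name `fake.example`) that lets the code run offline; it refuses the upgrade with a 454, which is exactly the situation in which opportunistic TLS silently falls back to plain text.

```python
import smtplib
import socket
import ssl
import threading

def fake_smtp_server(advertise_starttls: bool) -> int:
    """Constructed stand-in for a mail server; returns its TCP port. It answers EHLO
    (with or without STARTTLS), refuses STARTTLS with 454, and closes on anything else."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(b"220 fake.example ESMTP\r\n")
            for line in conn.makefile("rb"):
                cmd = line.strip().split(b" ")[0].upper()
                if cmd == b"EHLO":
                    caps = b"250-fake.example\r\n"
                    if advertise_starttls:
                        caps += b"250-STARTTLS\r\n"
                    conn.sendall(caps + b"250 8BITMIME\r\n")
                elif cmd == b"STARTTLS":
                    conn.sendall(b"454 TLS not available due to temporary reason\r\n")
                else:
                    conn.sendall(b"221 Bye\r\n")
                    return

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def negotiate(host: str, port: int, policy: str) -> str:
    """Open an SMTP session and apply a TLS policy ('forced' or 'opportunistic').
    Returns 'tls' or 'plaintext'; raises RuntimeError when forced TLS cannot be met."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and host name
    with smtplib.SMTP(host, port, local_hostname="client.example", timeout=5) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            if policy == "forced":
                raise RuntimeError("TLS required but server did not advertise STARTTLS")
            return "plaintext"  # the downgrade an on-path attacker can force on opportunistic TLS
        try:
            smtp.starttls(context=ctx)
            smtp.ehlo()  # capabilities must be re-read over the encrypted channel
            return "tls"
        except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
            if policy == "forced":
                raise RuntimeError(f"TLS required but upgrade failed: {exc}") from exc
            return "plaintext"
```

Because the server never completes a handshake, the "tls" branch is only reached against a real STARTTLS-capable server with a certificate the default context trusts.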
2. Digital Certificates
Digital Certificates are a form of public key encryption: a Digital Certificate is an encryption tool you can use to secure an email cryptographically.
With a certificate, people can send you encrypted emails using your predefined public encryption key, and you can encrypt your outgoing mail for others. Your Digital Certificate therefore works somewhat like a passport: it is bound to your online identity, and its primary use is to validate that identity.
When you have a Digital Certificate, your public key is available to anyone who wants to send you encrypted mail. They encrypt their document with your public key, and you decrypt it with your private key.
Keep in mind that Digital Certificates aren’t limited to individuals. Businesses, government organizations, email servers, and almost any other digital entity can have a Digital Certificate that confirms and validates an online identity.
3. DKIM Is One of the Other Email Security Protocols
DKIM (DomainKeys Identified Mail) is an anti-tamper protocol that lets you be sure your mail has not been altered in transit. Using digital signatures, DKIM checks that the email was sent by a specific domain and that the domain authorized the sending of the email; in that sense it is an extension of SPF. DKIM also makes it easier to build domain blacklists and whitelists.
4. Sender Policy Framework Protects Against Domain Spoofing
The Sender Policy Framework (SPF) is an authentication protocol that, in theory, protects against domain spoofing. SPF introduces additional checks that enable a receiving mail server to determine whether a message really originated from the domain it claims, or whether someone is using that domain to mask their true identity. A domain is a part of the internet that falls under a single name; for example, “Underspy.com” is a domain.
Hackers and spammers regularly mask their domain when attempting to infiltrate a system or scam a user, because a domain can be traced to a location and an owner, or at the very least blacklisted. By spoofing a malicious email so that it appears to come from a legitimate, working domain, they stand a better chance of an unsuspecting user clicking through or opening a malicious attachment.
The Sender Policy Framework has three core elements: the framework itself, an authentication method, and a specialized email header that conveys the information.
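As an added example (not code from the original article), the check a receiving mail server performs against a domain's SPF record: `check_spf` evaluates the record's `ip4`, `ip6` and `all` mechanisms with their qualifiers against the connecting IP address. The record is constructed for a hypothetical domain from documentation address ranges, and the DNS-based mechanisms (`include`, `a`, `mx`, `redirect`) are intentionally left unevaluated so that the example runs offline.

```python
from ipaddress import ip_address, ip_network

# Constructed SPF record for a hypothetical domain, using RFC 5737/3849 documentation ranges.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~ip4:198.51.100.7 -all"

# Qualifier prefixes and the SPF result each one produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record: str, client_ip: str) -> str:
    """Evaluate an SPF record against the IP address that connected to the receiving MTA.

    Only the ip4, ip6 and all mechanisms are handled. include, a, mx, exists, ptr and
    redirect need DNS lookups, which this offline example deliberately does not do; they
    return 'permerror' so a caller can never mistake an unevaluated record for a pass.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"  # not an SPF version-1 record
    ip = ip_address(client_ip)
    for term in terms[1:]:
        qualifier, body = "+", term  # a mechanism without a prefix means '+'
        if term[0] in QUALIFIERS:
            qualifier, body = term[0], term[1:]
        mech, _, arg = body.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # 'all' always matches: the record's default result
        if mech in ("ip4", "ip6"):
            try:
                net = ip_network(arg, strict=False)  # a bare address becomes a /32 or /128
            except ValueError:
                return "permerror"
            if ip in net:  # False when the address families differ
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # DNS-based mechanism: unsupported in this example
    return "neutral"  # RFC 7208: no mechanism matched and no 'all' term was present
```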
5. S/MIME Provides End-to-End Encryption
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a long-standing end-to-end encryption protocol. S/MIME encrypts your email message before it is sent, but not the sender, recipient, or other parts of the email header. Only the recipient can decrypt your message.
S/MIME is implemented by your email client but requires a Digital Certificate. Most modern email clients support S/MIME, though you will have to check specific support for your preferred application and email provider.
6. PGP/OpenPGP, Another Email Security Protocol
PGP (Pretty Good Privacy) is another long-standing end-to-end encryption protocol. You are more likely to encounter its open-source counterpart, OpenPGP.
OpenPGP receives frequent updates, and you will find it in numerous modern apps and services. As with S/MIME, a third party can still access the email metadata, such as the sender and recipient information.
You can add OpenPGP to your email security setup using one of the following applications:
- Windows: Windows users should check out Gpg4Win
- macOS: macOS users should check out GPGSuite
- Linux: Linux users should see GnuPG
- Android: Android users should check out OpenKeychain
- iOS: iOS users should check out PGP Everywhere
The implementation of OpenPGP in each program is slightly different, since each has a different developer putting the OpenPGP protocol to work encrypting your emails. However, they are all reliable encryption programs you can trust with your data, and OpenPGP is one of the easiest ways to add encryption to your life across a variety of platforms.
7. DMARC Is One of the Other Email Security Protocols
Domain-based Message Authentication, Reporting and Conformance (DMARC) is the final key in the email security protocol lock.
DMARC is an authentication system that uses the SPF and DKIM standards to protect against fraudulent activity stemming from a domain. It is a key feature in the battle against domain spoofing; however, relatively low adoption rates mean spoofing is still rampant.
DMARC works by preventing the spoofing of the “header from” address. It does this by:
- Matching the “header from” domain name with the “envelope from” domain name; the “envelope from” domain is the one checked during the SPF check.
- Matching the “header from” domain name with the “d=” domain name found in the DKIM signature.
DMARC instructs a receiving email provider on how to handle incoming emails. If the email fails to meet the SPF check and/or the DKIM authentication, it is rejected. DMARC is a technology that allows domains of all sizes to protect their name from spoofing. It isn’t foolproof, however.
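The two alignment checks listed above, as an added example that is not part of the original article: `dmarc_disposition` takes the SPF and DKIM results together with the message headers, extracts the “header from”, “envelope from” and DKIM `d=` domains (the same tag syntax also covers the DKIM signature from section 3), applies strict or relaxed alignment, and returns either a pass or the domain's published `p=` action; DMARC passes when at least one aligned check passes. The headers and DMARC records are constructed samples on documentation domains, and the organizational-domain shortcut is an assumption noted in the code.

```python
from email.utils import parseaddr

# Constructed sample headers (documentation domains only): the visible From is at
# example.com, bounces go to a subdomain, and the DKIM signature is from example.com.
SAMPLE_HEADERS = {
    "From": "Alice <alice@example.com>",
    "Return-Path": "<bounce@mail.example.com>",  # the 'envelope from' that SPF checked
    "DKIM-Signature": "v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to; bh=<constructed>; b=<constructed>",
}

def parse_tags(value: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM-Signature headers and DMARC records."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels (assumption made for
    this example; real implementations consult the Public Suffix List, e.g. for co.uk)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(candidate: str, header_from: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if not candidate:
        return False
    if mode == "s":
        return candidate.lower() == header_from.lower()
    return org_domain(candidate) == org_domain(header_from)

def dmarc_disposition(headers: dict, spf_result: str, dkim_result: str, record: str) -> str:
    """Apply DMARC identifier alignment and the sender's published policy.

    spf_result and dkim_result are 'pass' or 'fail' from the underlying checks; record is
    the domain's DMARC TXT record. Returns 'pass' when at least one aligned check passes,
    otherwise the p= action ('none', 'quarantine' or 'reject')."""
    policy = parse_tags(record)
    header_from = parseaddr(headers.get("From", ""))[1].rpartition("@")[2]
    envelope_from = parseaddr(headers.get("Return-Path", ""))[1].rpartition("@")[2]
    dkim_d = parse_tags(headers.get("DKIM-Signature", "")).get("d", "")
    spf_ok = spf_result == "pass" and aligned(envelope_from, header_from, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, header_from, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")
```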
Email security protocols are extremely important because they add security to your emails; without them, your emails are vulnerable on their own. SMTP has no built-in security, and sending an email in plain text (i.e., without any protection, readable by anyone who intercepts it) is risky, especially if it contains your sensitive information, and can lead to identity theft.