
How to Encrypt Emails

Emails are inherently insecure, but most of the time it doesn’t matter. However, occasionally it would be preferable if some emails could be sent safe in the knowledge that only the intended recipient can read them. For example, consider a scenario in which you are receiving the results of a blood test from your doctor via email. With a standard email, there is no guarantee that it will not be viewed by anyone else before it reaches your inbox. Our end-to-end encryption feature can provide that guarantee. On this page we will explain how to use this feature to encrypt the emails you send so that no-one other than the intended recipient can read them.

Design Goals

Before we explain how to encrypt emails, let’s consider a few design goals for such a system.

  • Privacy: No one but the intended recipient should be able to open the message; not even administrators or a junk filtering email system.
  • No Plugins: No plugin should be required to open the original message. It uses software that is commonly available on every computer or mobile device.
  • Off-line Access: Recipients should not have to rely on external websites in order to view the message. They should be able to view the message even if Internet access is not available.
  • Mobile Access: Recipients should be able to open the message on their mobile devices, running on iOS, Android or Windows.
  • No Expiration: A previously sent message should never expire.

SSL/TLS: A Misconception

Many individuals incorrectly think they can achieve end-to-end encryption by using SSL/TLS, but SSL/TLS can only encrypt data in transit.

Consider the image below as an example:

[Image: How to Encrypt Emails]

Since SSL/TLS only encrypts in-transit data (represented by red lines in the diagram), the message is potentially stored in the clear once it gets to the next SMTP server. Therefore, both humans and software can look into the message, defeating the purpose of having an end-to-end encryption system.

Prelude to the Rescue!

Set Encryption Passwords on the Fly

Compose your email as normal with your email client, e.g. Microsoft Outlook, Mozilla Thunderbird or any web-based email client, and append the word encpass to the subject line, followed by your chosen encryption password in brackets, for example:

Email subject line before being modified

Your tax returns for 2020

Email subject line after being modified

Your tax returns for 2020 encpass(magicWord2020)

In this example, magicWord2020 is the password, which you must share with the recipients of the email by some other means so that they can use it to open the email after they have received it. Don’t send the password in the body or attachments of the encrypted email, as the recipients won’t be able to see it. You must do this with each email that you want to encrypt. The password can be any text you choose and is specific to each email that is sent; you can use the same password each time or a different one.

It is as simple as that. Of course, this can only work if we host your emails and if you send your emails using our mail servers, configured according to the instructions we provided.

For outgoing messages with encpass(yourPassword) at the end of the subject, Mailgate will extract the body and any attachments from the message, create an encrypted PDF document using 256-bit AES encryption and send the encrypted PDF instead. The PDF reader, on either a desktop or a mobile device, will prompt the recipient for the encryption password.

Set Predefined Encryption Passwords

If you want to do this regularly for specific recipients, e.g. your accountant or your clients if you are an accountant, it can be cumbersome to do this manually every time you send an email to these recipients. In this case you can associate a predefined password with specific recipients.

To enable this, log in to your Mailgate account and then do the following:

  • Select End-To-End Encryption from the Home menu.
  • Enter the recipient’s email address and the password you want to associate with it in the relevant boxes and press Add.
  • Repeat for each email address as required.

Then, when you send an email to one of these recipients, compose your email as normal and do one of the following:

  • Include the word encpass at the end of the subject, without a password in brackets.
    • Mailgate will automatically apply the predefined password to the encrypted email.
  • Include encpass(magicWord2020) at the end of the subject, to apply a one-off password as explained above.
  • Include neither of these to send a normal unencrypted email.

Ignore the references to sensitive data on the web page as they don’t apply.

Note that predefined passwords can only work with one recipient in the message, not multiple recipients.
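
The subject-line rules above decide whether a message leaves encrypted, so a mistyped token can mean a normal unencrypted email goes out with the password visible in its subject. The following pre-send check is an added example, not Mailgate's own code: it classifies a subject against the two forms shown on this page and applies the single-recipient rule for predefined passwords. The function names, the lowercase and whitespace-separated token, and the no-brackets password restriction are assumptions of this sketch.

```python
import re

# Forms shown on the page: "<subject> encpass(<password>)" and "<subject> encpass".
# Assumptions of this sketch: the token is lowercase, separated from the rest of
# the subject by whitespace, and the password itself contains no brackets.
ONE_OFF = re.compile(r"^(?:.*\s)?encpass\([^()]+\)$")
PREDEFINED = re.compile(r"^(?:.*\s)?encpass$")


def check_subject(subject, recipients, predefined=()):
    """Classify an outgoing subject and return (mode, problems).

    mode is 'one-off', 'predefined' or 'plain'. A non-empty problems list means
    the message should be held back and corrected before sending.
    """
    s = subject.strip()
    known = {addr.lower() for addr in predefined}
    problems = []
    if ONE_OFF.match(s):
        return "one-off", problems
    if PREDEFINED.match(s):
        if len(recipients) != 1:
            problems.append("predefined passwords work with one recipient only")
        elif recipients[0].lower() not in known:
            problems.append("no predefined password for " + recipients[0])
        return "predefined", problems
    if "encpass" in s.lower():
        problems.append("encpass is not in the end-of-subject form; "
                        "the message may go out unencrypted")
    return "plain", problems


def redact(subject):
    """Mask a one-off password so the subject can be written to a log."""
    return re.sub(r"encpass\([^()]*\)", "encpass(***)", subject)


if __name__ == "__main__":
    # Constructed sample subjects and addresses.
    samples = [
        ("Your tax returns for 2020 encpass(magicWord2020)", ["a@example.com"]),
        ("Your tax returns for 2020 encpass", ["a@example.com", "b@example.com"]),
        ("encpass(magicWord2020) Your tax returns for 2020", ["a@example.com"]),
    ]
    for subject, rcpts in samples:
        print(redact(subject), check_subject(subject, rcpts, {"a@example.com"}))
```
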