A look at email security - Part 1 - Overview and general advice

Summary

This is part 1 of a series looking at email security.

The schedule and content of the other parts might change as they are released over the next few months, but each article will contain an up-to-date table of contents.

  • Part 1 - Overview and general advice
    • Introduction
    • Dos and don'ts
  • Part 2 - S/MIME certificates: what they are, how they work and how to obtain one free of charge
    • What is S/MIME?
    • Public-Key Cryptography
    • How does digital signing work?
    • What about encrypting the message?
    • Obtaining a free S/MIME certificate
  • Part 3 - Signing and encrypting emails with S/MIME on desktop and mobile devices
    • Using S/MIME on Windows with Outlook and Thunderbird
    • Using S/MIME on the Apple Mac
    • Using S/MIME in Outlook Web App (in Office 365)
    • Using S/MIME on Android, iOS and Windows Phone
  • Part 4 - PGP keys: what they are and how to obtain one free of charge
    • What is PGP?
    • Obtaining a PGP key
  • Part 5 - Signing and encrypting email with PGP
    • Using PGP on Windows with Outlook, Thunderbird, etc
    • Using PGP in Outlook Web App (in Office 365)
    • Using PGP on Android, iOS, Windows Phone
  • Part 6 - DKIM and SPF
    • What are they and how do they work? Something to do with DNS records?
  • Part 7 - Sending signed emails programmatically
    • Sample code to sign and send emails. Probably written in C# to be delivered via ASP.NET Web API 2.
  • Part 8 - Conclusions

Introduction

When thinking about email security there are probably two main things to take into consideration: privacy and authenticity.

Privacy - Has the email been read by anybody else?

Authenticity - Was the email really sent by this person or company? Has it been altered in any way since it was sent?

If I could be sure that any email I sent (or received) could satisfy those simple privacy and authenticity requirements, I'd be pretty happy.

The aim of the rest of this series of articles is to enable you to achieve just that.

Coming up in part 2 we'll look at signing and encrypting email with S/MIME certificates, right the way from obtaining the certificate to installing (and using) it on your PC and mobile device.

Check the table of contents at the top of the page to see what else is going to be covered over the next few weeks.

Before we start, I should mention that we're going to be looking at generally available email security options. This means that if you know of some super, top-secret thing that's used by some government somewhere, then I'm not going to be writing about that.

And don't forget, as I have mentioned before when writing about using a personal VPN, it's probably best if you accept that any agency with sufficient funds and motivation can probably find out exactly what you've been doing and that includes reading your email. Having said that, there's no need to make it easy for them and I only said probably, not definitely.

Dos and Don'ts

A lot of emails have a disclaimer as part of their signature, saying something like this:

Internet communications are not secure and therefore [company name] does not accept legal responsibility for the contents of this message.

This probably looks like a bit of a cop out, but I think it's useful to remind people that email has various security issues; there are lots of opportunities for an email to be intercepted between it being sent and it being received by the intended recipient and it's best if you understand and accept that. And that's without even considering whether or not the email was really sent by the apparent sender.

Perhaps it's time for a quote from my father. He's got a lot to answer for as he's the reason I was playing Air Attack on the Commodore PET in 1979 when most other three-year-olds were doing nothing of the sort.

"Don't write anything in an email you wouldn't want to see on the front page of a tabloid newspaper" - Alan Chantler

This is something my father has been saying to me for a long time and it's sort of related to what I was saying about not oversharing on social media. I spoke to him about this today and he expanded on it by adding that you should assume that email is not secure and, even if it were and you solved the problems of privacy and authenticity, you can't be sure what the recipient is going to do with it. I think that's good general advice.

Here are a few dos and don'ts to bear in mind when using email.

  • Do assume that email is not secure.
  • Do check the recipients carefully, especially if using autocomplete.
  • Do read your email in full before you send it.
  • Don't write anything in an email that you couldn't bear to be made public.
  • Do remember that not everyone has your best interests at heart.
  • Don't send sensitive information via email.
  • Don't assume all email really comes from the purported sender.
  • And of course, following on from that last point, don't fall for phishing emails. A good rule is never to click on a link in an email ostensibly from your bank or similar and always to check the URL of each link before clicking on it.

Let's end with a couple of real examples.

I once worked with somebody who emailed a zip file of some code to his personal email account. I'm not sure why he did this, but it was discovered automatically and he left the job soon after.

I also worked with somebody who printed out every email he ever received. This was over ten years ago, but still he had several stacks of paper on his desk, each above head height. Imagine if you'd sent something confidential to this guy. It's quite possible everyone in the office might inadvertently have seen it (although they might have needed to stand on a stepladder to do so).

Conclusion

Email is not a secure communication medium, but you can take steps to increase its security significantly.

The main purpose of this article is to set the schedule for the rest of the series on email security.

If you want to learn how to improve the security of your email, you should definitely stick around. The technical guides are coming in the later installments, starting with part 2 and part 3 (coming next) which deal with signing and encrypting email with S/MIME certificates.


Image credit: bluebay/Shutterstock.com