Secure email - e-Strategy Guide


Email security

Standard email software offers very poor security.

Emails are easy to intercept. Sending an unsecured email message is like sending a postcard – anyone can read it along the way. Email messages passing between mail servers can be viewed or even modified by unauthorised people before the message is forwarded to the next server. Unsecured email makes it easy for outsiders to obtain confidential information about your operations. In a legal context, an email that has been tampered with during transmission may still be accepted as legally binding.

However, for electronic mail within your organisation or simple communications with clients and members, secure electronic mail may not be necessary.

But if you deal regularly with confidential documents such as client referrals or want to take orders for memberships or services via email, then you should consider introducing a secure email system.

Secure email versus postal mail

Using the analogy of a paper-based transaction, secure email systems provide the following advantages:

  • a secure ‘envelope’ for you to seal your document so no-one except the intended recipients can open it. Each recipient can even put the contents back inside the secure envelope for long-term storage if they want to make sure no-one can read the contents from their PC
  • inside the envelope is a signed, authenticated document that can be archived along with the signature for non-repudiation. Any attachments are also signed and authenticated.

Your options

You need to decide how much of your email communication needs to be secured.

Options for increasing the security of your email include:

How can I send emails securely?

Today, there are many more emails sent than letters posted. Even the smallest nonprofit organisation is likely to use email to keep in touch with members, clients and volunteers. Whether you use a Web-based email service (such as Hotmail or Yahoo) or an email package (such as Outlook, Eudora or Notes), you need to know about secure email and encryption.

Email security products solve the problems associated with standard email by ‘encrypting’ the mail so it cannot be read by anyone other than the intended recipient. Cryptography is the process of putting messages into a ‘secret code’ so they can't be read if they're intercepted. Most email security products use a variant on public key cryptography.

There are numerous off-the-shelf and downloadable products available to do this. Secure email services can also be accessed online, and some web-based services are available free of charge for basic functions.

In most cases, secure email services will only work if both the sender and the recipient are using the same software. For this reason, it will generally be impossible to secure all your email transactions. However, you should be able to agree on a standard approach with key partners and for your own staff.

Email can be digitally signed to verify the integrity of the message content and the sender’s identity. Although the email is not encrypted, which means that anyone can read it, you know that it hasn’t been tampered with and that it really did come from the person who says they sent it. This is an easier, cheaper option than full encryption.

Secure web email

For organisations that require only occasional access to secure email, a free web-based service is a sensible choice. Getting a secure email account from these services is normally only a matter of filling out a form online. Many of them are free, but some will charge you for premium services such as technical support or sending large attachments. Remember that these services generally will not guarantee the security of emails sent to non-users of the service. You will need to talk to your key partners about setting up the same secure email software.

Dedicated email encryption

Encryption-based email software packages use a technique known as public key cryptography to scramble messages so that only the authorised recipient can read them. In some cases, security ‘plug-ins’ can be added to your existing email software.

Email software packages using public key cryptography are very secure and relatively simple to use, especially as there is now a defined security standard (S/MIME) for all email software developers to use. The main difficulty with public-key systems is that you need to know the recipient's public key to encrypt a message to them. Some software packages and common operating systems such as Microsoft Windows now include facilities to manage public key information.
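The difference between a signed email and an encrypted one, shown with the S/MIME support in the OpenSSL command-line tool. This is an added example, not part of the original guide: the addresses, file names and message text are constructed, and the certificates are throwaway self-signed ones created only for the demonstration.

```sh
#!/bin/sh
# Added example: S/MIME signing versus encryption with the openssl CLI.
# All addresses, file names and message text below are constructed.

# Run a command quietly and report whether it succeeded.
yn() { if "$@" >/dev/null 2>&1; then echo yes; else echo no; fi; }

smime_demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1

    # Throwaway self-signed certificates for a sender and a recipient.
    for who in sender recipient; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$who@example.org" \
            -keyout "$who.key" -out "$who.crt" 2>/dev/null || exit 1
    done
    printf 'Referral: client 1042 approved for service.\n' > message.txt

    # Signed only: made with the sender's PRIVATE key, text stays readable.
    openssl smime -sign -in message.txt -signer sender.crt \
        -inkey sender.key -out signed.eml 2>/dev/null || exit 1
    # Simulate a change made in transit between mail servers.
    sed 's/approved/declined/' signed.eml > tampered.eml

    # Encrypted: needs only the recipient's PUBLIC certificate.
    openssl smime -encrypt -aes256 -in message.txt \
        -out encrypted.eml recipient.crt 2>/dev/null || exit 1

    echo "signed_readable=$(yn grep -q 'client 1042' signed.eml)"
    echo "signature_valid=$(yn openssl smime -verify -in signed.eml -CAfile sender.crt -out /dev/null)"
    echo "tampered_valid=$(yn openssl smime -verify -in tampered.eml -CAfile sender.crt -out /dev/null)"
    echo "encrypted_readable=$(yn grep -q 'client 1042' encrypted.eml)"
    echo "recipient_can_decrypt=$(yn openssl smime -decrypt -in encrypted.eml -recip recipient.crt -inkey recipient.key)"
    echo "sender_can_decrypt=$(yn openssl smime -decrypt -in encrypted.eml -recip sender.crt -inkey sender.key)"

    cd / && rm -rf "$dir"
)

smime_demo
```

The signed message can be read by anyone but fails verification once it is altered; the encrypted message can be opened only with the recipient's private key, so not even the sender can decrypt it afterwards.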

Within your organisation, it is important that everyone's email system is set up to meet the security standards you require.

Secure email gateways

Some organisations find that it is more appropriate and efficient for emails to remain unsecured within their own environment and then be secured when they pass out into the internet. In other words, internal mail is not secure, but external mail is. To meet this requirement, email gateway security products are available. These capture outgoing email and ensure that it is sent securely.

More information

See the Australian Government’s Trusting the Internet Fact Sheet – How do I make sure my digital certificates and keys are secure?

Suppliers of secure email products and services:


Tip

Keyword hints

If you are searching the web on this topic, try the following search terms: email security, cryptography, secure email