8

Many of our partner companies' email services do not enable encryption. Does that mean our email is not protected at all?

user15580

1 Answer

14

Email is not secure. By default, it is not authenticated. SSL/TLS on SMTP and IMAP, at best, protect the emails while in transit, not when they are at rest; and you cannot be sure that such protection has been applied.

To some extent, when sending emails within a given organization, you might know that SSL/TLS was enforced on both SMTP and IMAP, and the confidentiality issue is "just" a matter of storage on the server side. But you cannot have the same kind of guarantee when the email must cross organization boundaries.

To get proper end-to-end security for emails, look up S/MIME and OpenPGP. The tools themselves won't ensure absolute security, because part of security is what the users do and understand, but at least these tools allow the achievement of secure emailing.

Thomas Pornin
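
The answer's point that you cannot be sure TLS was applied across organization boundaries can be checked per message after the fact. This is an added example, not part of the original answer: it reads a message's `Received:` headers and reports which hops claim TLS. The sample message and host names are constructed, the detection is a heuristic based on the RFC 3848 `with` keywords, and headers written by servers outside your control may be inaccurate.

```python
import re
from email import message_from_string

# Constructed sample: the partner's internal hop used TLS, but the hop that
# crossed the organization boundary (into mx.ourcorp.example) did not.
SAMPLE = """\
Received: from mx.partner.example (mx.partner.example [192.0.2.10])
\tby mx.ourcorp.example with ESMTP id abc123
\tfor <alice@ourcorp.example>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.partner.example (mail.partner.example [192.0.2.5])
\tby mx.partner.example with ESMTPS id def456
\t(using TLSv1.3); Mon, 1 Jan 2024 10:00:01 +0000
From: bob@partner.example
To: alice@ourcorp.example
Subject: constructed test

body
"""

BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)
# Some servers note TLS in a comment instead of the "with" keyword.
TLS_HINT_RE = re.compile(r"\b(?:using\s+|version=)TLS", re.I)

def hop_report(raw_message):
    """Return [(receiving_host, protocol, tls_claimed)], newest hop first."""
    msg = message_from_string(raw_message)
    report = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        by = BY_RE.search(flat)
        proto = WITH_RE.search(flat)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        # RFC 3848: ESMTPS, ESMTPSA, LMTPS, LMTPSA mean TLS was used.
        keyword_tls = name.endswith(("S", "SA"))
        tls = keyword_tls or bool(TLS_HINT_RE.search(flat))
        report.append((by.group(1) if by else "UNKNOWN", name, tls))
    return report

def plaintext_hops(raw_message):
    """Hosts that accepted the message without any TLS indication."""
    return [host for host, _, tls in hop_report(raw_message) if not tls]

if __name__ == "__main__":
    for host, proto, tls in hop_report(SAMPLE):
        print(f"{host:25} {proto:8} {'TLS' if tls else 'no TLS claimed'}")
```

Only the `Received:` lines added by your own servers are trustworthy; even a fully TLS-protected path says nothing about how the message is stored at rest.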