
How can I send emails securely?

Today, there are many more emails sent than letters posted. Sending and receiving email has become an indispensable form of personal, business and government communication. Even if your business has no plans to sell goods online, it is likely that you are using email to keep in touch with staff, customers and suppliers.

Whether you use a Web-based email service (such as Hotmail or Yahoo) or an email package (such as Outlook, Exchange, Eudora or Notes), you need to know about secure email and encryption.

When an email is sent, it is normally impossible to prove who has sent it because emails are very easy to intercept. It is also easy for someone to assume, or fake, another person's email address (this is known as spoofing). Sending an unsecured email message is like sending a postcard - anyone can read it along the way.

Email messages passing between mail servers can easily be captured or copied, viewed and modified by an unauthorised party before the message is forwarded to the next server.

Unsecured email makes it easy for competitors and unauthorised parties to gain confidential information about your operations. In a legal context, an email that has been tampered with during transmission may still be accepted as legally binding.

Email security products solve the problems associated with standard email by 'encrypting' the mail so it cannot be read by anyone other than the intended recipient. Cryptography is the process of putting messages into a 'secret code' so they can't be read if they're intercepted.

Most email security products use a variant on public key cryptography (described in the previous section, 'How do e-security technologies work?'). There are numerous off-the-shelf and downloadable products available to do this. Secure email services can also be accessed online, and some Web-based services are available free of charge for basic functions.

In most cases, secure email services will only work if both the sender and the recipient are using the same software. For this reason, it will generally be impossible to secure all your email transactions. However, you should be able to agree on a standard approach with key business partners and for your own staff.

Email transfer

Secure Web email

For businesses that require only occasional access to secure email, a free, Web-based service is a sensible choice. A list of some key providers is given below. Getting a secure email account from these services is normally only a matter of filling out a form online. Many of them are free, but some will charge you for 'premium' services such as technical support or sending large attachments. Remember that these services generally will not guarantee the security of emails sent to non-users of the service. You will need to talk to your key business partners or customers about setting up the same secure email software.

Where to go online

Groove Networks - http://www.groove.net/home/index.cfm

HushMail - www.hushmail.com

LokMail - www.lokmail.com

Dedicated email encryption

Encryption-based email software packages use a technique known as public key cryptography (the same system used for PKI and PGP) to 'scramble' messages so that only the authorized recipient can read them. In some cases, security 'plug-ins' can be added to your existing email software. For instance, PGP is available as a plug-in to popular email clients such as Microsoft Outlook, Outlook Express, Eudora and Netscape Messenger. (The workings of public key cryptography are explained in more detail in the 'E-Security Technology Overview' at the end of this guide.)

Email software packages using public key cryptography are very secure and relatively simple to use, especially as there is now a defined security standard (S/MIME) for all email software developers to use. The main difficulty with public-key systems is that you need to know the recipient's public key to encrypt a message for them. Some software packages and common operating systems such as Microsoft Windows now include facilities to manage public key information.

Within your business, it is important that everyone's email system is set up to meet the security standards you require. For example, a policy might state that all emails shall be signed and encrypted.

Secure email gateways

Some businesses find that it is more appropriate and efficient for emails to remain unsecured within their own environment and then be secured when they pass out into the Internet. In other words, internal mail is not secure, but external mail is.

To meet this requirement, email gateway security products are available. These 'capture' outgoing email and ensure that it is sent securely. Gateway products are sometimes combined with content analysis tools, which open up emails to check for inappropriate content.
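One check a gateway of this kind could make before deciding whether an outgoing message still needs protection is to read the message's declared MIME type. The sketch below is an added example, not taken from any product mentioned in this guide; the `gateway_action` rule and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string

# Media types from the S/MIME (RFC 8551) and PGP/MIME (RFC 3156) specifications.
SMIME_BLOB = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
SIG_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature",
                 "application/pgp-signature"}

def protection_status(raw_message):
    """Return 'encrypted', 'signed', 'plain' or 'unknown' for the outer MIME layer."""
    msg = message_from_string(raw_message)
    ctype = msg.get_content_type()
    if ctype in SMIME_BLOB:
        smime_type = str(msg.get_param("smime-type") or "").lower()
        if smime_type in ("enveloped-data", "authenticated-enveloped-data"):
            return "encrypted"
        if smime_type == "signed-data":
            return "signed"
        return "unknown"  # CMS blob without a usable smime-type hint
    if ctype == "multipart/encrypted":
        protocol = str(msg.get_param("protocol") or "").lower()
        return "encrypted" if protocol == "application/pgp-encrypted" else "unknown"
    if ctype == "multipart/signed":
        protocol = str(msg.get_param("protocol") or "").lower()
        return "signed" if protocol in SIG_PROTOCOLS else "unknown"
    return "plain"

def gateway_action(raw_message):
    """Hypothetical gateway rule: only mail that is already encrypted passes untouched."""
    status = protection_status(raw_message)
    return "pass" if status == "encrypted" else "encrypt-before-sending"

# Constructed sample messages; bodies are placeholders, not real CMS data.
PLAIN = "From: a@example.com\nTo: b@example.net\nSubject: Order\n\nPlease ship 10 units.\n"
SIGNED = ("From: a@example.com\nTo: b@example.net\n"
          'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\n'
          ' micalg=sha-256; boundary="b1"\n\n'
          "--b1\nContent-Type: text/plain\n\nPlease ship 10 units.\n"
          "--b1\nContent-Type: application/pkcs7-signature; name=smime.p7s\n\n"
          "(signature placeholder)\n--b1--\n")
ENCRYPTED = ("From: a@example.com\nTo: b@example.net\n"
             "Content-Type: application/pkcs7-mime; smime-type=enveloped-data;\n"
             ' name="smime.p7m"\nContent-Transfer-Encoding: base64\n\n'
             "(ciphertext placeholder)\n")

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("signed", SIGNED), ("encrypted", ENCRYPTED)):
        print(name, protection_status(raw), gateway_action(raw))
```

The check reads only what the headers declare; it does not validate the signature or the ciphertext, and once a message is encrypted the gateway cannot see whether the content inside was also signed.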

Secure email versus postal mail

Using the analogy of a paper-based transaction, secure email systems provide the following advantages:

  • A secure 'envelope' for you to seal your document so no-one except the intended recipient(s) can open it. Each recipient can even put the contents back inside the secure envelope for long-term storage if they want to make sure no-one can read the contents from their PC.
  • Inside the envelope is a signed, authenticated document that can be archived along with the signature for non-repudiation. Any attachments are also signed and authenticated.

Conclusion

For electronic mail within your business or simple customer communications, secure electronic mail may not be necessary. However, if you deal regularly with confidential documents or want to take orders via email, then you should consider introducing a secure email system.

How to make it happen

You need to decide how much of your email communication needs to be secured. If you will only require secure email occasionally, a Web-based service or plug-in to your existing email software will suffice.

For more dedicated email security, you may need to change your email software or install a gateway system. You might want to use outside consultants.

Web addresses for some suppliers of secure email products and services are listed below. The Capability Directory of Electronic Authentication Technologies provides a fuller list of organizations that can assist you with this task.

Where to go online for more information

Australian Projects - www.austprojects.com.au

BeTRUSTed - www.betrusted.com.au

eSign - http://www.verisign.com.au/

RSA Security - www.rsasecurity.com

SecureNet - www.securenet.com.au

Telstra - http://www.telstra.com/index.jsp

Capability Directory of Electronic Authentication Technologies - http://www.aeema.asn.au/neac

If you are searching the Web on this topic, try the following search terms: email security, cryptography, secure email.

  • Document ID: 19747
  • Last modified: 6 February 2008, 10:50am