TL;DR: Plain email travels in the open, so it can be read or altered in transit. Encryption fixes that at two levels: transport encryption (TLS) protects the connection between mail servers, and end-to-end encryption (PGP or S/MIME) means only the sender and recipient can read the message — not even the providers. For most businesses, enforced transport TLS plus strong authentication is the practical baseline. Scan your domain for free to check your transport setup.
Transport encryption (TLS)
This is the everyday one. When two mail servers talk, they can negotiate TLS so the message is encrypted on the wire — the same technology as the HTTPS padlock. The catch: it's usually "opportunistic" (used if available, skipped if not), so an attacker on the network path can strip it and the mail goes out unencrypted. You can require it with MTA-STS. Transport TLS protects mail in transit, but the providers at each end can still read it.
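As an added example (not code from this page or from any scanner it refers to), the following Python audits an MTA-STS policy file and reports whether it actually requires TLS for a domain's MX hosts. The field names follow RFC 8461; the policy text and the example.com hostnames are constructed for illustration.

```python
# Added example: audit an MTA-STS policy file (format per RFC 8461).
# SAMPLE_POLICY and the example.com hostnames are constructed, not real data.
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: testing\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.mx.example.com\r\n"
    "max_age: 604800\r\n"
)

def parse_policy(text):
    """Parse 'key: value' lines; 'mx' may repeat, other keys keep the first value."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy.setdefault(key, value)
    return policy

def mx_allowed(host, patterns):
    """Exact match, or '*.suffix' matching exactly one left-most label."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            label, _, rest = host.partition(".")
            if label and rest == pat[2:]:
                return True
        elif host == pat:
            return True
    return False

def audit(text, mx_hosts):
    """Return findings; an empty list means TLS is enforced for every MX host."""
    p = parse_policy(text)
    findings = []
    if p.get("version") != "STSv1":
        findings.append("missing or unknown version")
    if p.get("mode") != "enforce":
        findings.append(f"mode is {p.get('mode')!r}: delivery without validated TLS still allowed")
    if not p.get("max_age", "").isdigit():
        findings.append("max_age missing or not an integer")
    for host in mx_hosts:
        if not mx_allowed(host, p["mx"]):
            findings.append(f"MX {host} not covered by policy")
    return findings
```

Calling `audit(SAMPLE_POLICY, ["mail.example.com", "a.b.mx.example.com"])` returns two findings: the policy is only in `testing` mode, and the second host has two labels in front of the wildcard suffix, so the `*.mx.example.com` pattern does not cover it.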
End-to-end encryption (PGP / S/MIME)
Here the message is encrypted by the sender and only decrypted by the recipient, using keys they control. Even the mail providers see only ciphertext. It's the strongest privacy — but it's harder to set up (key management) and both parties need it configured, so it's used where confidentiality is critical (legal, medical, sensitive deals) rather than for everyday mail.
Encryption at rest
Separately, reputable providers encrypt stored mailboxes "at rest" so data on their disks is protected. That's handled by the provider and is different from in-transit and end-to-end encryption.
What most businesses actually need
- Enforced transport TLS (MTA-STS) so mail to and from you can't be silently downgraded.
- Strong authentication (SPF/DKIM/DMARC) — encryption protects privacy, authentication proves identity; you want both.
- End-to-end only where required — for genuinely confidential exchanges.
FAQ
Is my email already encrypted?
In transit, often yes (opportunistic TLS) — but not guaranteed unless enforced, and not end-to-end. Big providers also encrypt at rest.
Do I need PGP or S/MIME?
Only if you exchange genuinely sensitive content and both sides can manage keys. Most businesses don't need it for routine mail.
Does encryption stop spoofing?
No — that's authentication's job (DMARC). Encryption protects the content; authentication proves the sender.
Want to confirm your mail enforces TLS and is properly authenticated? Scan your domain, then reply to your report — we're developers and we'll harden your transport and authentication.