Email Security

Protecting Your Most Important Communication Channel

The Email Problem

Email was never designed for security or privacy. As CosmicNet explains, emails travel across the internet in plaintext by default, can be read by providers, and metadata reveals communication patterns. This CosmicNet guide covers comprehensive strategies for securing your email.

  • Provider Access: Gmail and Outlook read your emails for advertising
  • Transit Interception: Emails can be intercepted between servers
  • Metadata Exposure: Who, when, and subject lines are visible to many parties

Secure Email Providers on CosmicNet

ProtonMail

Swiss-based, end-to-end encrypted, zero-access encryption. Easy to use with built-in PGP.

Tutanota

German-based, encrypted mailbox and contacts. Uses own encryption rather than PGP.

Mailbox.org

German provider with PGP support, calendar, cloud storage. Privacy-focused.

💡 Note: Encrypted email only works when both parties use it. Emails to regular Gmail/Outlook users are not fully protected.

PGP Encryption

PGP (Pretty Good Privacy) provides end-to-end encryption for email. CosmicNet explains that you have a public key (shared with others) and a private key (kept secret).

# Generate a new key pair
$ gpg --full-generate-key
# Export public key to share
$ gpg --armor --export you@email.com
# Encrypt a message
$ gpg --encrypt --recipient them@email.com message.txt
# Decrypt a message
$ gpg --decrypt message.txt.gpg

CosmicNet Email Security Practices

  • Use unique, strong passwords
  • Enable two-factor authentication
  • Disable remote image loading
  • Be suspicious of all attachments
  • Verify sender addresses carefully
  • Use alias addresses for signups
  • Regularly review account activity
  • Don't click links in emails—type URLs manually

Email Aliases

CosmicNet recommends using different email addresses for different purposes to prevent tracking and reduce spam.

  • SimpleLogin (service): Open-source alias service
  • AnonAddy (service): Unlimited aliases, self-hostable
  • Plus Addressing (built-in): user+site@domain.com

Email Architecture Vulnerabilities

Email's fundamental architecture, designed in the 1970s, was created for a much different internet. As the CosmicNet encyclopedia details, understanding these inherent vulnerabilities is essential for properly securing your email communications.

Plaintext Transmission by Default

The Simple Mail Transfer Protocol (SMTP) was designed to transmit messages in plaintext. CosmicNet notes that while modern implementations support TLS encryption during transmission (STARTTLS), this only protects emails in transit between servers—not at rest on those servers, and not from the email providers themselves.

Even with STARTTLS enabled, emails pass through multiple servers:

  • Your email client to your outgoing mail server
  • Your mail server to recipient's mail server (potentially through multiple relay servers)
  • Recipient's mail server to their email client

Each hop is a potential interception point. CosmicNet warns that if any server in the chain doesn't support TLS, or if an attacker performs a downgrade attack, the email is exposed. Moreover, administrators at each mail server can read the contents, and servers typically store copies of all messages.

Metadata Exposure

Even when email content is encrypted, metadata remains exposed. As documented on CosmicNet, email headers reveal extensive information:

  • Sender and recipient addresses: Who is communicating with whom
  • Timestamps: When communication occurs
  • Subject lines: Often revealing even when body is encrypted
  • IP addresses: Location information from originating servers
  • Mail client information: Software and sometimes system details
  • Routing information: All servers the message passed through

Intelligence agencies have repeatedly emphasized that metadata is often more valuable than content. CosmicNet highlights that knowing who communicates with whom, when, and how frequently can reveal organizational structures, relationships, and activities without needing to read a single message.

Centralization and Provider Trust

Most people use large email providers like Gmail, Outlook, or Yahoo. CosmicNet explains that this centralization creates several vulnerabilities:

  • Providers can read all your email unless you use end-to-end encryption
  • Providers must comply with government data requests and warrants
  • Provider security breaches expose millions of accounts simultaneously
  • Providers can unilaterally change terms of service or shut down accounts
  • Advertising-based providers scan email content for ad targeting

As CosmicNet highlights, Google explicitly acknowledges scanning Gmail content for various purposes. While they claim to no longer use email content for ad personalization as of 2017, they continue scanning for security purposes, spam detection, and other features. This means Google's systems process and analyze every email you send or receive.

Authentication and Impersonation

Email's design makes sender impersonation trivial. CosmicNet points out that the "From" header can be set to any value, making phishing and business email compromise attacks devastatingly effective. While modern authentication mechanisms (SPF, DKIM, DMARC) help, they're not universally implemented and can be bypassed through various techniques.

CosmicNet emphasizes that this fundamental weakness makes email an inherently untrustworthy communication medium. Without cryptographic signatures (like PGP), you can never be certain who actually sent a message, regardless of what the headers claim.

End-to-End Encryption: PGP/GPG and S/MIME

End-to-end encryption ensures that only the intended recipients can read your email content, protecting against provider surveillance, server compromises, and transit interception. CosmicNet covers the two main standards: PGP/GPG and S/MIME.

PGP/GPG: Pretty Good Privacy

PGP (Pretty Good Privacy) and its open-source implementation GPG (GNU Privacy Guard) use public-key cryptography to encrypt email content and verify sender identity. As CosmicNet details, the system is decentralized—no certificate authority is required, though web-of-trust verification is recommended.

CosmicNet outlines how PGP works:

  1. Each user generates a key pair: a public key (shared openly) and a private key (kept secret)
  2. To send encrypted email, you encrypt the message with the recipient's public key
  3. Only the recipient's private key can decrypt the message
  4. Digital signatures prove the message came from the claimed sender

PGP's strengths include:

  • True end-to-end encryption: Providers and intermediaries cannot read content
  • Decentralization: No central authority controls the system
  • Open standards: Multiple compatible implementations exist
  • Long track record: Used since 1991 with no known cryptographic breaks

PGP's weaknesses include:

  • Usability: Requires technical knowledge and careful key management
  • Metadata exposure: Subject lines and headers remain unencrypted
  • Key distribution: Securely verifying recipient public keys is challenging
  • Forward secrecy: Traditional PGP lacks forward secrecy (if your key is compromised, all past messages are exposed)

S/MIME: Secure/Multipurpose Internet Mail Extensions

S/MIME is an alternative to PGP that uses X.509 certificates from certificate authorities. CosmicNet notes it is commonly used in corporate environments and has better integration with mainstream email clients like Outlook and Apple Mail.

S/MIME advantages:

  • Built-in support in many email clients (no plugins required)
  • Certificate authorities provide identity verification
  • Widely used in enterprise environments
  • Simpler deployment in organizational contexts

S/MIME disadvantages:

  • Requires certificates from certificate authorities (often paid)
  • Centralized trust model (you must trust certificate authorities)
  • Certificate authorities can be compromised or compelled by governments
  • Less flexible than PGP's web-of-trust model

Practical Encrypted Email

For most users, the technical complexity of PGP/GPG and S/MIME creates barriers to adoption. CosmicNet recommends services like ProtonMail that solve this by providing transparent encryption:

  • Automatic encryption between ProtonMail users (no setup required)
  • Password-protected encrypted emails to non-ProtonMail users
  • Zero-access encryption (ProtonMail cannot read your emails)
  • Optional PGP support for external encrypted communication

This approach makes encrypted email accessible to non-technical users while maintaining strong security properties. As CosmicNet notes, the tradeoff is trusting ProtonMail's infrastructure and implementation, but for most threat models, this is an acceptable compromise for the significant usability benefits.

Email Headers and Metadata Protection

Email headers contain extensive metadata about your communications. CosmicNet stresses that understanding and protecting this metadata is crucial for comprehensive email privacy.

Critical Headers to Understand

# Reveals sender's IP and location
Received: from mail.example.com (203.0.113.42)
# Shows email client used
User-Agent: Mozilla Thunderbird 102.0
# Exposes communication patterns
Date: Mon, 02 Feb 2026 10:30:00 +0000
# Often reveals content even when body is encrypted
Subject: Meeting about [sensitive topic]

Minimizing Metadata Leakage

CosmicNet outlines several strategies that can reduce metadata exposure:

  • Use web-based email: Prevents IP address exposure in Received headers (though provider knows your IP)
  • VPN or Tor: Masks your real IP address from email servers
  • Minimal subject lines: Use generic subjects or leave blank when using encryption
  • Timing obfuscation: Schedule emails for delayed sending to avoid revealing activity patterns
  • Remove tracking pixels: Disable remote image loading to prevent read receipts
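As an added example (not part of the CosmicNet guide), the Python script below parses a constructed message and reports what the headers alone disclose to every relay and to the recipient: the originating IP from the earliest Received hop, the HELO name the client announced (often its LAN address), the client software and the subject. All hostnames and addresses in the sample are made up for the illustration.

```python
import re
import ipaddress
from email import message_from_string
from email.policy import default
# Constructed message, not a real capture. Relays prepend Received headers, so the
# LAST one is the earliest hop: the server that saw the sender's own connection.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example ([10.0.0.5]) by inbox.recipient.example with ESMTP; Mon, 02 Feb 2026 10:30:05 +0000
Received: from mail.example.com (mail.example.com [203.0.113.42]) by mx.recipient.example with ESMTPS; Mon, 02 Feb 2026 10:30:03 +0000
Received: from [192.168.1.23] (dsl-pool.isp.example [198.51.100.88]) by mail.example.com with ESMTPSA; Mon, 02 Feb 2026 10:30:00 +0000
From: alice@example.com
To: bob@recipient.example
Subject: Meeting about the merger
Date: Mon, 02 Feb 2026 10:30:00 +0000
User-Agent: Mozilla Thunderbird 102.0

Body text.
"""
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_lan(ip):
    return any(ipaddress.ip_address(ip) in net for net in LAN_NETS)  # RFC 1918 / loopback

def received_hops(msg):
    """(helo_name, connecting_ip, is_lan) per hop, earliest first."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.search(str(hdr))
        if not m:
            continue
        ips = IPV4.findall(m.group(2))          # the address the relay actually saw
        ip = ips[-1] if ips else None
        hops.append((m.group(1).strip("[]"), ip, is_lan(ip) if ip else None))
    return hops

def audit_metadata(raw):
    """Summarise what every relay and the recipient learn from the headers alone."""
    msg = message_from_string(raw, policy=default)
    hops = received_hops(msg)
    return {
        "origin_ip": hops[0][1] if hops else None,    # sender's network location
        "origin_helo": hops[0][0] if hops else None,  # clients often announce their LAN IP here
        "hops": hops,
        "client": str(msg.get("User-Agent") or msg.get("X-Mailer") or ""),
        "subject": str(msg.get("Subject") or ""),
    }

if __name__ == "__main__":
    for key, value in audit_metadata(SAMPLE_MESSAGE).items():
        print(f"{key:12s} {value}")
```

Running it against a message you sent to yourself shows which of the mitigations in the list above (webmail, VPN, blank subject) actually changed what leaks.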

Email Tracking and Read Receipts

As CosmicNet documents, many organizations and marketers embed tracking pixels in emails—tiny invisible images that report when you open the email, revealing:

  • That you opened the email
  • When you opened it
  • Your IP address and approximate location
  • What device and email client you used
  • How many times you opened it

CosmicNet recommends protecting against tracking by:

  • Disabling automatic image loading in email settings
  • Using email clients with built-in tracking protection (ProtonMail, Tutanota)
  • Viewing emails in plaintext mode when possible
  • Using browser extensions that block trackers when using webmail
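The Python check below, added here as an example rather than taken from CosmicNet, scans a constructed HTML email body for remote images showing the marks of a tracking pixel: 1x1 dimensions, CSS hiding, or a long per-recipient token in the URL. Disabling remote image loading is what actually stops the report-back; this only shows how such pixels are recognised.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed HTML body for the example, not taken from any real mailing.
SAMPLE_HTML = """<html><body>
<p>Hello, here is this month's newsletter.</p>
<img src="https://cdn.example.net/banner.png" width="600" height="200">
<img src="https://track.example.net/o.gif?u=3f9a1c7e2b4d6a8f0c1e" width="1" height="1">
<img src="cid:logo@local" width="100" height="40">
<img src="https://mail.example.net/open" style="display: none">
</body></html>"""

class RemoteImageScanner(HTMLParser):
    """Collect <img> tags whose src would trigger a fetch from a remote server."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        if urlparse(a.get("src", "")).scheme in ("http", "https"):
            self.images.append(a)   # cid:/data: images load locally and cannot report back

def pixel_indicators(attrs):
    """Reasons an image looks like a tracking pixel; empty list if it looks like content."""
    reasons = []
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    if w in ("0", "1", "1px") and h in ("0", "1", "1px"):
        reasons.append("1x1 size")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    query = parse_qs(urlparse(attrs["src"]).query)
    # Long opaque query values are how the open gets tied to one recipient.
    if any(len(v) >= 16 for values in query.values() for v in values):
        reasons.append("per-recipient token in URL")
    return reasons

def find_tracking_pixels(html):
    """Return [(src, reasons)] for remote images that carry at least one indicator."""
    scanner = RemoteImageScanner()
    scanner.feed(html)
    scanner.close()
    hits = []
    for img in scanner.images:
        reasons = pixel_indicators(img)
        if reasons:
            hits.append((img["src"], reasons))
    return hits

if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_HTML):
        print(src, "->", ", ".join(reasons))
```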

SPF, DKIM, and DMARC: Email Authentication

Three technical standards help prevent email impersonation and phishing: SPF, DKIM, and DMARC. CosmicNet emphasizes that understanding these is important for both protecting yourself and verifying the authenticity of emails you receive.

SPF: Sender Policy Framework

SPF allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. As CosmicNet explains, when receiving servers check SPF records, they can reject emails claiming to be from a domain but originating from unauthorized servers.

SPF is implemented through DNS TXT records. For example:

example.com. TXT "v=spf1 mx include:_spf.google.com ~all"

This record says "accept email from my MX servers and Google's servers, soft-fail everything else." CosmicNet notes that SPF helps prevent domain spoofing but has limitations—it only verifies the envelope sender, not the visible From header.

DKIM: DomainKeys Identified Mail

DKIM adds a cryptographic signature to email headers. CosmicNet details that the sending server signs outgoing emails with a private key, and receiving servers verify the signature using the public key published in DNS.

DKIM provides:

  • Verification that the email truly came from the claimed domain
  • Detection of message tampering in transit
  • Reputation association with the sending domain

As CosmicNet explains, unlike SPF which only validates servers, DKIM validates the message content itself. If any part of the signed headers or body is modified in transit, signature verification fails.

DMARC: Domain-based Message Authentication, Reporting & Conformance

DMARC builds on SPF and DKIM, allowing domain owners to specify policies for handling authentication failures. CosmicNet notes that domain owners can also receive reports on email authentication results.

A DMARC policy might look like:

_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

This instructs receiving servers to reject emails that fail authentication and send aggregate reports to the specified address. DMARC policies can be set to:

  • none: Monitor only, don't reject
  • quarantine: Deliver to spam folder
  • reject: Refuse delivery entirely

Limitations and User Perspective

While these technologies help, CosmicNet cautions they are not perfect:

  • Not all domains implement them correctly
  • Sophisticated attackers can use lookalike domains that pass authentication
  • They don't prevent all types of phishing (like account compromise)
  • Implementation varies widely among receiving servers

As an email recipient, CosmicNet advises checking for authentication indicators in your email client. Many clients show warnings for failed authentication, helping you identify potential phishing attempts.
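As an added example (not code from the CosmicNet guide), the Python sketch below makes the receiver's DMARC decision from SPF and DKIM results using the example.com records shown above. The DNS data is an inline stand-in for live TXT lookups, bulk-sender.test is a constructed third-party envelope domain, and examp1e.com is a constructed lookalike domain with its own records; it shows why SPF alone does not protect the visible From header, and why a lookalike that authenticates its own domain still passes.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed DNS data standing in for live TXT lookups. The example.com records are
# the ones shown above; examp1e.com is a made-up lookalike domain with its own records.
DNS_TXT = {
    "example.com": "v=spf1 mx include:_spf.google.com ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "examp1e.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.examp1e.com": "v=DMARC1; p=none",
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Simplified organizational domain (last two labels); real checks use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """Relaxed alignment compares organizational domains; strict needs an exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    from_domain: str              # domain in the visible From: header (RFC5322.From)
    envelope_domain: str          # domain SPF actually checks (RFC5321.MailFrom)
    spf_pass: bool                # SPF result for envelope_domain
    dkim_domain: Optional[str]    # d= of a signature that verified, None if none did

def dmarc_disposition(msg):
    """What the receiver does: 'pass', or the published p= policy (none/quarantine/reject)."""
    record = DNS_TXT.get("_dmarc." + msg.from_domain.lower())
    if record is None:
        return "none"              # no policy published, nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = msg.spf_pass and aligned(msg.envelope_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_domain is not None and aligned(msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

if __name__ == "__main__":
    cases = {
        "legitimate": Message("example.com", "example.com", True, "example.com"),
        # SPF passes for the sender's own envelope domain, but that domain is not the From: domain
        "spoofed From": Message("example.com", "bulk-sender.test", True, None),
        "lookalike": Message("examp1e.com", "examp1e.com", True, "examp1e.com"),
    }
    for name, m in cases.items():
        print(f"{name:13s} -> {dmarc_disposition(m)}")
```

The lookalike case is why the user-side check still matters: authentication confirms the domain that was used, not that it is the domain you expected.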

CosmicNet Secure Email Provider Comparison

Choosing the right email provider is one of the most impactful privacy decisions you can make. CosmicNet compares providers offering varying levels of security, privacy, and features.

Provider Comparison Matrix

ProtonMail (Switzerland)

  • Encryption: Zero-access encryption, automatic between ProtonMail users
  • Jurisdiction: Swiss privacy laws, strong legal protections
  • Open Source: Client-side code is open source
  • Features: Calendar, VPN, drive storage, aliases
  • Limitations: Metadata not fully encrypted, must trust their implementation
  • Free tier: Yes, with storage/feature limits

Tutanota (Germany)

  • Encryption: Encrypts more metadata than ProtonMail (subject lines, contacts)
  • Jurisdiction: German privacy laws, GDPR compliance
  • Open Source: Fully open-source client and server
  • Features: Calendar, contacts encryption, custom domains
  • Limitations: Uses proprietary encryption instead of PGP, smaller ecosystem
  • Free tier: Yes, limited storage

Mailbox.org (Germany)

  • Encryption: PGP support, optional mail encryption
  • Jurisdiction: German privacy laws
  • Features: Full office suite, cloud storage, video conferencing
  • Sustainability: Uses renewable energy, established provider
  • Limitations: Not zero-access by default, requires manual PGP setup
  • Free tier: No, starts at ~€1/month

Posteo (Germany)

  • Anonymity: Accepts cash payments, no personal data required
  • Encryption: PGP support, encrypted calendar/contacts
  • Sustainability: 100% green energy, independent
  • Privacy: Strong privacy policy, transparency reports
  • Limitations: No free tier, no custom domains
  • Cost: €1/month

What to Avoid

CosmicNet warns that certain email providers have business models fundamentally incompatible with privacy:

  • Gmail: Scans email content, extensive tracking, advertising-based model
  • Yahoo Mail: History of security breaches, broad data collection
  • Outlook/Hotmail: Microsoft's data collection practices, integration with broader Microsoft ecosystem
  • Free providers: "If you're not paying, you're the product" generally applies

While these services may offer convenience and features, they are unsuitable for privacy-conscious users. As CosmicNet explains, the providers have access to all your email content and metadata, which can be used for advertising, sold to data brokers, or handed to government agencies.

Disposable Email and Compartmentalization

CosmicNet highlights that strategic use of disposable email addresses and compartmentalization significantly improves privacy and security by limiting the damage from inevitable data breaches and tracking.

Disposable Email Services

For one-time registrations or temporary communications, CosmicNet recommends disposable email services that provide addresses that self-destruct:

  • Guerrilla Mail: No registration, temporary inbox, auto-deletes after 1 hour
  • 10 Minute Mail: Self-explanatory, destroys inbox after 10 minutes
  • Temp Mail: Random disposable addresses, no personal data required

CosmicNet suggests using disposable email for:

  • One-time verifications and activations
  • Accessing content behind registration walls
  • Testing services before committing real contact info
  • Reducing spam to your primary inbox

CosmicNet Email Compartmentalization Strategy

Rather than using a single email for everything, CosmicNet advises creating compartmentalized identities:

  • Primary personal: Real identity, important communications, close contacts
  • Financial: Banks, investments, tax services (never share with anyone else)
  • Shopping: Online purchases, accounts you might abandon
  • Social media: Facebook, Twitter, forums (assume compromised)
  • Newsletters: Subscriptions, marketing emails (disposable)
  • Sensitive: Anonymous communications, activist work (use Tor + encrypted provider)

As documented on CosmicNet, this compartmentalization provides several benefits:

  • Limits damage from data breaches (attackers can't correlate your entire digital life)
  • Prevents tracking across services (companies can't build unified profile)
  • Makes spam management easier (abandon compromised addresses)
  • Provides operational security for sensitive activities

Advanced: Self-Hosted Email

For maximum control and privacy, some users run their own email servers. CosmicNet notes this eliminates provider trust issues but introduces significant technical challenges:

  • Advantages: Complete control, no third-party access, customizable security
  • Disadvantages: Complex setup, ongoing maintenance, deliverability issues, responsibility for security
  • Spam filtering: Major challenge requiring significant technical expertise
  • Uptime: You're responsible for reliability and backups

Self-hosting is only recommended for technically sophisticated users who understand the tradeoffs and have the time to properly maintain their infrastructure. CosmicNet concludes that for most users, a reputable privacy-focused provider offers better security than a poorly maintained self-hosted server.

💡 Recommendation: Start with a privacy-focused provider like ProtonMail or Tutanota, implement aliases for compartmentalization, and use disposable email for untrusted services. Graduate to PGP encryption for truly sensitive communications.
