A digital relic dating back to before the birth of the Internet, email was created in 1971 by Ray Tomlinson to electronically send information on the ARPANET research network.
At the time, large-scale, global networks were just a vision and information security wasn’t a significant concern because the networks themselves were trusted environments. To put this in perspective, ARPANET had 213 connected hosts before it adopted TCP in 1983. Today there are nearly 20 billion nodes on the Internet, with upwards of 5 million of them running SMTP servers.
As the Internet formed, and early protocols were adopted, email evolved to be the backbone of digital communication. But it remains to this day one of the most insecure and outdated forms of communication in an era of increasingly sophisticated cyber threats. We have done away with FTP and Telnet; it’s time to stamp out SMTP.
Phishing has already won
The vast majority of initial compromises in cybersecurity incidents today begin with phishing. We deploy multiple layers of anti-spam and email filtering technologies, yet no solution is perfect, and attackers, who are getting increasingly more sophisticated, eventually sneak their malicious emails through to employee inboxes.
We also continue to conduct cyber awareness campaigns and run phishing simulations, and yet, significant percentages of employees still click on malicious links. In 2024, the median time for users to fall for a phishing email was less than 60 seconds, according to Verizon’s 2025 Data Breach Investigations Report.
The sophistication of email-borne attacks combined with the overwhelming volume of email the average person receives — who can blame someone for falling victim? I often joke to my colleagues that the No. 1 thing we could do to improve the security of any organization is turn off email. The fight against phishing email is a losing battle, and it only takes a single click for all your security defenses to be circumvented. We must rethink how we communicate electronically.
End-to-end encryption remains elusive
Email continues to be the dominant electronic communication tool today because it is well understood, relatively easy to use, and relatively inexpensive. By and large, businesses have approved email for sending confidential information, and we often convince ourselves that it is secure, can be secured with third-party tools, or it’s “good enough.” This simply is not the case, and better solutions exist.
It is impossible to guarantee that email is fully end-to-end encrypted in transit and at rest. Even where Google and Microsoft encrypt client data at rest, they hold the keys and have access to personal and corporate email. Stringent server configurations and the addition of third-party tools can be used to enforce security of the data, but they are often trivial to circumvent — e.g., CC just one insecure recipient or distribution list and confidentiality is breached. Forcing encryption by rejecting clear-text SMTP connections would lead to significant service degradation, forcing employees to look for workarounds. There is no foolproof configuration that guarantees data encryption, given the history of clear-text SMTP servers and the prevalence of their use today.
SMTP comes from an era before cybercrime and mass global surveillance of online communications, so encryption and security were not built in. We have taped on solutions like SPF, DKIM and DMARC by leveraging DNS, but they are not widely adopted, are still open to multiple attacks, and cannot be relied on for consistent communications. TLS has been wedged into SMTP to encrypt email in transit, but falling back to clear-text transmission is still the default on a significant number of servers on the Internet in order to ensure delivery.
All these solutions are cumbersome for systems administrators to configure and maintain properly, which leads to a lack of adoption or to failed delivery. We would need Certbot to work as seamlessly for SMTP as it does for HTTP, and major email providers such as Google and Microsoft would need to refuse clear-text connections, for there to be any hope of improving this situation. Unfortunately, there is little incentive to do this given the amount of email communication disruption it would cause.
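As an added example (not code from the article or from any vendor mentioned in it), the snippet below shows what a defender actually checks when deciding whether SPF and DMARC are doing anything: it classifies SPF and DMARC DNS TXT records by the policy they enforce, with a weak record beside its corrected form. The domain names and records are constructed samples.

```python
SPF_QUALIFIERS = "+-~?"  # pass, fail, softfail, neutral (RFC 7208)

def assess_spf(record):
    """Return (verdict, reason). The 'all' mechanism decides what happens
    to senders no earlier mechanism matched; no qualifier means '+'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("missing", "not an SPF record")
    for term in terms[1:]:
        qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
        mechanism = term.lstrip(SPF_QUALIFIERS).lower()
        if mechanism == "all":
            if qualifier == "-":
                return ("hardened", "-all: unlisted senders fail")
            if qualifier == "~":
                return ("moderate", "~all: unlisted senders only soft-fail")
            return ("weak", qualifier + "all: unlisted senders pass or are neutral")
    return ("weak", "no 'all' term: unlisted senders are treated as neutral")

def assess_dmarc(record):
    """Return (verdict, reason). 'p' is the policy asked of receivers when
    SPF/DKIM alignment fails; 'pct' (default 100) is how much mail it covers."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ("missing", "not a DMARC record")
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return ("hardened", "p=reject applied to all failing mail")
    if policy == "none":
        return ("weak", "p=none: failures are only reported, never blocked")
    return ("moderate", "p=%s pct=%d: failing mail not consistently rejected" % (policy, pct))

# Constructed sample records: the weak setting beside its corrected form.
WEAK_SPF = "v=spf1 include:_spf.mail.example.test ?all"
HARD_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.test -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
HARD_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.test"

if __name__ == "__main__":
    for rec in (WEAK_SPF, HARD_SPF):
        print(rec, "->", assess_spf(rec))
    for rec in (WEAK_DMARC, HARD_DMARC):
        print(rec, "->", assess_dmarc(rec))
```

Pointing the same logic at the TXT records returned by a real DNS lookup turns it into a quick audit of whether a domain's published policy would let a receiver reject spoofed mail at all.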
Google recently announced “end-to-end encrypted emails” in Gmail by employing Secure/Multipurpose Internet Mail Extensions (S/MIME) within Gmail. But Google also outlines some of the complexities and downfalls of attempting to use email for secure communications in its post. While this is a solution that works when sending email within Gmail, it suffers the same issues as SMTP in that S/MIME is complex to set up and difficult to guarantee when sending to remote systems. Google’s solution is to have recipients outside of Gmail click on a link and come back to Google’s servers to read the message over HTTPS. While this may be an acceptable solution for Gmail customers and ticks the compliance box, it doesn’t fix the underlying issues with email. S/MIME has not received widespread adoption for the same reasons that SMTP+TLS has not. Security researchers are already speculating how attackers could take advantage of this feature for crafting phishing emails for credential harvesting.
Email for authentication: Another losing battle

Keith Lawson
Add to all this the alarming trend of email being adopted as an authentication mechanism and an out-of-band tool for password resets.
The widespread use of sending a unique link to email accounts is opening attack vectors to critical services through personal accounts. Attackers have become aware of these trends and are taking advantage of being able to access corporate assets or sensitive personal information by compromising workers’ and executives’ personal email accounts, which often lack secure passwords or multi-factor authentication.
Once an attacker gains access to a personal email account, it is trivial to find evidence of systems that use that account for authentication or password resets, send a password reset through the third-party service, and gain access to that service.
If that service is a corporate system, the attackers have gained access to your business through an employee’s personal email, which can be the initial compromise that leads to a widespread corporate security breach.
Moving beyond email
In December 2024, the FBI released guidelines for mobile communication that included recommendations to adopt technologies that provide end-to-end encryption as a direct result of known nation-state threats.
Continuing to rely on email for critical business functions like large financial transactions or the sharing of sensitive information is a losing game. It’s time to start thinking about replacing sensitive or business-critical communications with modern technologies that support end-to-end encryption and were developed to use secure protocols by default. Applications like Signal rely on protocols that were designed with strong encryption and make it simple to ensure data is secured in transit. Tools like Microsoft Teams, Slack, and Cisco Webex have been designed from the ground up to use HTTPS. There are better alternatives available today.
Change is hard and email has been entrenched in our personal and business lives for more than a generation now, but we have better alternatives, and the risks of email are too large to continue to ignore. Businesses need to start adopting policies that deprioritize email as a communications tool and incentivize using more secure alternatives.
In a world where cyber threats evolve daily, relying on email is like locking your front door but leaving the windows wide open. Let’s treat email for what it is: a reliable, well-known tool for global communications. Better tools for protecting the security of data exist now. Rather than trying to retrofit the past, let’s embrace the future. Is anyone going to be upset at having a few fewer emails in their inbox?
The original article, ‘Secure email’: A losing battle CISOs must give up, appeared on CSO Online.