Secure email is essentially regular email with a few security enhancements on top. The technology behind the scenes is ultimately the same, which means that you already know how to use a secure email provider. You still send messages to named addresses with an @ and a domain, and you still get plenty of spam. For that reason, anyone can call themselves a secure email provider. There’s no dictionary definition, and most major email providers like Gmail and Outlook would also consider themselves “secure” despite falling short of the mark.
Most providers who use the term to describe their service go much further than requiring a strong password or using two-factor authentication. Security, in this sense, isn’t only about stopping someone from gaining access to your account; it’s also about keeping your data and identity safe. A truly secure email provider is unable to read your email conversations. They should ideally be located in a jurisdiction that’s not subject to data sharing between intelligence agencies. The technology itself would ideally be built on open standards for a “crowdsourced” approach to security. The service shouldn’t profile you, serve personalized ads, or log metadata.
This is why Gmail, Outlook, Yahoo, and most other free, mainstream email providers are not regarded as being truly secure. A secure email provider is “better” than Gmail in terms of data security, but you will miss out on Google’s features and deep integrations. Let your priorities decide which is the better option.
End-to-end encryption is essential in building a truly secure email system. While services like Gmail encrypt the connection between your computer and the server, any information you send to the server (including the contents of your messages) is not encrypted when it gets there. Any private conversations (or state secrets) you’re discussing will sit on Google’s servers in an unencrypted format. If that data is stolen, for example, in a data leak, it doesn’t need to be decrypted before it can be read. A secure provider will encrypt data on the server, making it useless to any third parties.
The lack of end-to-end encryption means that email providers can access the contents of your messages, and they’ve used this access in the past. Google previously scanned the contents of Gmail messages for advertising purposes but stopped the practice in 2017. The company continued scanning emails to power services like (the now-defunct) Google Now. How else will Google’s assistant be able to remind you about the trip you’ve got coming up?
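The difference between encrypting only the connection and encrypting end to end, and what it means for provider-side scanning, shown as an added example that is not part of the original article. The `MailServer` class, `seal`, `open_sealed` and `compare` are hypothetical names, the cipher is a standard-library stand-in for a real scheme such as OpenPGP, and the sender and recipient are assumed to already share a key the provider never sees.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example needs
    # only the standard library. Real mail clients use a vetted scheme instead.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the sender's device, before the message is uploaded."""
    enc_key, mac_key = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify and decrypt on the recipient's device; reject modified blobs."""
    enc_key, mac_key = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message was modified or the key is wrong")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class MailServer:
    """Hypothetical provider: transport encryption has already ended when deliver() runs."""
    def __init__(self):
        self.mailbox = []
    def deliver(self, body: bytes) -> None:
        self.mailbox.append(body)  # what sits on the server, and what a leak exposes
    def scan(self, keyword: bytes) -> list:
        return [m for m in self.mailbox if keyword in m]  # provider-side content scanning

def compare(message: bytes, keyword: bytes) -> dict:
    transport_only, end_to_end = MailServer(), MailServer()
    endpoint_key = secrets.token_bytes(32)  # assumption: held only by sender and recipient
    transport_only.deliver(message)                  # encrypted in transit only
    end_to_end.deliver(seal(endpoint_key, message))  # encrypted before upload
    return {
        "transport_only_hits": len(transport_only.scan(keyword)),
        "end_to_end_hits": len(end_to_end.scan(keyword)),
        "recipient_reads": open_sealed(endpoint_key, end_to_end.mailbox[0]),
    }

if __name__ == "__main__":
    # Constructed sample message, not taken from the article.
    print(compare(b"Your flight to Lisbon departs Friday at 09:40", b"flight"))
```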