Email is unsafe and cannot be made safe. The tools we have today to encrypt email are badly flawed. Even if those flaws were fixed, email would remain unsafe. Its problems cannot plausibly be mitigated. Avoid encrypted email.
Technologists hate this argument. Few of them specialize in cryptography or privacy, but all of them are interested in it, and many of them tinker with encrypted email tools.
Most email encryption on the Internet is performative, done as a status signal or show of solidarity. Ordinary people don’t exchange email messages that any powerful adversary would bother to read, and for those people, encrypted email is LARP security. It doesn’t matter whether or not these emails are safe, which is why they’re encrypted so shoddily.
But we have to consider more than the LARP cases. In providing encryption, we have to assume security does matter. Messages can be material to a civil case and subject to discovery. They can be subpoenaed in a law enforcement action. They safeguard life-altering financial transactions. They protect confidential sources. They coordinate resistance to oppressive regimes. It’s not enough, in these cases, to be “better than no encryption”. Without serious security, many of these messages should not be sent at all.
The least interesting problems with encrypted email have to do with PGP. PGP is a deeply broken system. It was designed in the 1990s, and in the 20 years since it became popular, cryptography has advanced in ways that PGP has not kept up with. So, for example, it recently turned out to be possible for eavesdroppers to decrypt messages without a key, simply by tampering with encrypted messages. Most technologists who work with PGP don’t understand it at a low enough level to see what’s wrong with it. But that’s a whole other argument. Even after we replace PGP, encrypted email will remain unsafe.
If messages can be sent in plaintext, they will be sent in plaintext.
Email is end-to-end unencrypted  by default. The foundations of electronic mail are plaintext. All mainstream email software expects plaintext. In meaningful ways, the Internet email system is simply designed not to be encrypted.
The clearest example of this problem is something every user of encrypted email has seen: the inevitable unencrypted reply. In any group of people exchanging encrypted emails, someone will eventually manage to reply in plaintext, usually with a quoted copy of the entire chain of email attached. This is tolerated, because most people who encrypt emails are LARPing. But in the real world, it’s an irrevocable disaster.
Even if modern email tools didn’t make it difficult to encrypt messages, the Internet email system would still be designed to expect plaintext. It cannot enforce encryption. Unencrypted email replies will remain an ever-present threat.
Serious secure messengers foreclose on this possibility. Secure messengers are encrypted by default; in many of the good ones, there’s no straightforward mechanism to send an unsafe message at all. This is table stakes.
Metadata is as important as content, and email leaks it.
Leave aside the fact that the most popular email encryption tool doesn’t even encrypt subject lines, which are message content, not metadata.
The email “envelope” that includes the sender, the recipient, and timestamps – is unencrypted and always will be. Court cases (and lists of arrest targets) have been won or lost on little more than this. Internet email creates a durable log of metadata, one that every serious adversary is already skilled at accessing.
The most popular modern secure messaging tool is Signal, which won the Levchin Prize at Real World Cryptography for its cryptographic privacy design. Signal currently requires phone numbers for all its users. It does this not because Signal wants to collect contact information for its users, but rather because Signal is allergic to it: using phone numbers means Signal can piggyback on the contact lists users already have, rather than storing those lists on its servers. A core design goal of the most important secure messenger is to avoid keeping a record of who’s talking to whom.
Not every modern secure messenger is as conscientious as Signal. But they’re all better than Internet email, which doesn’t just collect metadata, but actively broadcasts it. Email on the Internet is a collaboration between many different providers; and each hop on its store-and-forward is another point at which metadata is logged.
Every archived message will eventually leak.
Most people email using services like Google Mail. One of the fundamental features of modern email is search, which is implemented by having the service provider keep a plaintext archive of email messages. Of the people who don’t use services like Google Mail, the majority use email client software that itself keeps a searchable archive. Ordinary people have email archives spanning years.
Searchable archives are too useful to sacrifice, but for secure messaging, archival is an unreasonable default. Secure messaging systems make arrangements for “disappearing messages”. They operate from the premise that their users will eventually lose custody of their devices. Ask Ross Ulbricht why this matters.
No comparable feature exists in email. Some email clients have obscure tools for automatically pruning archives, but there’s no way for me to reliably signal to a counterparty that the message I’m about to send should not be retained for more than 30 minutes. In reality, any email I send is likely to be archived forever. No matter how good a job one does securing their own data, their emails are always at the mercy of the least secure person they’ve sent them to.
Tangent: the adoption of web mail services drastically reduces the security it can plausibly provide. For encryption to protect users, it must be delivered “end to end”, with encryption established directly between users, not between users and their mail server. There are, of course, web email services that purport to encrypt messages. But they store encryption keys (or code and data sufficient to derive them). These systems obviously don’t work, as anyone with an account on Ladar Levison’s Lavabit mail service hopefully learned. The popularity of “encrypted” web mail services is further evidence of encrypted email’s real role as a LARPing tool.
Every long term secret will eventually leak.
Forward secrecy is the property that a cryptographic key that is compromised in the future can’t easily be used to retroactively decrypt all previous messages. To accomplish this, we want two kinds of keys: an “identity” key that lives for weeks or months and “ephemeral” keys that change with each message. The long-lived identity key isn’t used to encrypt messages, but rather to establish the ephemeral keys. Compromise my identity key and you might read messages I send in the future, but not the ones I’ve sent in the past.
Different tools do better and worse jobs of forward secrecy, but nothing does worse than encrypted Internet email, which not only demands of users that they keep a single long-term key, but begs them to publish those keys in public ledgers. Every new device a user of these systems buys and every backup they take is another opportunity for total compromise. Users are encouraged to rotate their PGP keys in the same way that LARPers are encouraged to sharpen their play swords: not only does nobody do it, but the whole system would probably fall apart if everyone did.
Technologists are clever problem solvers and these arguments are catnip to software developers. Would it be possible to develop a version of Internet email that didn’t have some of these problems? One that supported some kind of back-and-forth messaging scheme that worked in the background to establish message keys? Sure. But that system wouldn’t be Internet email. It would, at best, be a new secure messaging system, tunneled through and incompatible with all mainstream uses of email, only asymptotically approaching the security of the serious secure messengers we have now.
What should people use instead?
Real secure messaging software. The standard and best answer here is Signal, but there are others, and if the question is “should I use encrypted email or should I use a secure messenger”, we’re agnostic to which one you use. Or you can do more elaborate things. Magic Wormhole will securely exchange documents between people. age will encrypt documents that can be sent through less secure systems. These tools are all harder to use and more fraught than secure messengers, but they’re better than encrypted email.
There are reasons people use and like email. We use email, too! It’s incredibly convenient. You can often guess people’s email addresses and communicate with them without ever being introduced. Every computing platform in the world supports it. Nobody needs to install anything new, or learn how to use a new system. Email is not going away.
You can reasonably want email to be secure. Pray for a true peace in space! And we don’t object to email security features, like hop-by-hop TLS encryption and MTA-STS, that make the system more resistant to dragnet surveillance. But email cannot promise security, and so shouldn’t pretend to offer it. We need clarity about what kinds of systems are worthy of carrying secrets and which aren’t, or we end up with expert-run news publications with mail spools full of archived messages, many presumably from sources, along with a roadmap to all the people who sent those messages and upon whose operational security competence their safety depends. And that’s the best case.
Stop using encrypted email.
 End-to-end encryption, again, is the property that only the sender and the receiver need to trust each other, and that they need not trust their providers; it’s what you get when the senders and receivers generate their own keys, and those keys never leave their custody. Email is “encrypted” in a different sense, hop-by-hop, with TLS; Google will arrange with your mail server not to reveal plaintext on the wire. But Google and your mail server both get the plaintext of your messages. Hop-by-hop encryption is a good thing: it makes untargeted dragnet surveillance harder. But tools like PGP don’t make this kind of surveillance any harder, and a targeted attacker will still get access to mail servers and messages.