TLS Secures Your Emails But Not Theirs. What You Can Do About It

Written By Amy Mayer

You might have seen the “lock” icon in your web browser. That lock represents TLS, the same protocol mail servers use (via STARTTLS or implicit TLS) to encrypt messages while they travel from your mail client to your server and from one server to the next.

However, TLS has an important limitation: it protects data only during transport, and only if both sides use it. Between mail servers, TLS is usually opportunistic: if the receiving server doesn’t advertise STARTTLS (or an attacker on the path strips the offer), most senders fall back to plaintext rather than refusing to deliver. Once your message reaches the recipient’s email server, TLS no longer applies – the message is readable by that server, and potentially by the provider’s staff or anyone who breaks into it. In other words, TLS encryption is “hop-by-hop” rather than end-to-end; each mail server along the route decrypts the message before forwarding it on. That leaves two gaps: the message may travel unencrypted on a hop you don’t control, and it sits in the clear on every server that handles it. The rest of this article explores what you can do about these gaps and how to bolster your email’s security beyond basic TLS.

How Proxy Servers Play a Role in Email Security

One way to improve the situation is to put a controlled relay in the email path. In networking, a proxy server is an intermediary that relays traffic between a sender and receiver. In email the equivalent is a mail gateway or relay server (technically a mail transfer agent, or MTA) that sits between your mail server and the outside world; this article uses “proxy” loosely to mean that. Gateways can be on-premises appliances or cloud services that your company or email provider uses to handle all mail traffic. Think of them as dedicated security checkpoints for your email.

A gateway can be configured to enforce TLS and add other protections. For example, a business might route all outgoing email through a security gateway set to require encryption when talking to other mail servers (in Postfix terms, a mandatory rather than opportunistic TLS policy). If the gateway finds that the receiving server doesn’t support TLS, it can hold or block the message, or reroute it through a secure web portal where the recipient logs in to read it, instead of sending it in the clear. For incoming mail, the gateway can likewise demand that the sending server use TLS before it accepts the message. With both directions enforced, messages are always encrypted on the hops your organization controls. Two caveats: requiring TLS only works where the other side can meet it (a public MX that rejects every plaintext sender will lose legitimate mail from poorly configured senders), and encryption without certificate verification still lets an on-path attacker impersonate the remote server, so the stricter policy levels also verify the peer’s certificate against the destination name.

Beyond enforcing encryption, gateways provide additional layers of defense. They can perform content filtering and malware scanning on the emails that pass through. Because the gateway is the TLS endpoint for incoming mail, it sees each message in the clear and can check for viruses, spam, or suspicious content and stop threats before they reach the end user’s inbox. Similarly, for outgoing mail, a gateway can scan for sensitive data (such as payment card numbers or personal information) and automatically encrypt those messages or apply policies to prevent data leakage.

Many companies and government agencies use encryption gateways that automatically apply such rules. For example, an organization might route all messages through a gateway appliance which is configured to enforce compliance policies – any email meeting certain criteria (say, containing confidential data) gets encrypted automatically. This takes the burden off users to remember when to encrypt; the proxy does it for them.
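The two gateway decisions described above, transport policy per destination and a content rule that forces encryption, as an added, self-contained example. This is not code from the original article or from any gateway product; the policy levels are modelled on Postfix’s security levels, and the domain names, the DLP rule and the sample messages are constructed for illustration.

```python
"""Outbound mail gateway policy (added example, not the page's own code).

Models two decisions a security gateway makes for each outgoing message:
  1. may this message leave over the connection we got, under the
     per-destination TLS policy?
  2. does its content trigger a DLP rule that forces encryption regardless?
Domain names, policy table and sample messages are constructed."""

import re
from dataclasses import dataclass

# Per-destination TLS policy, modelled on Postfix's security levels
# (assumption: the gateway supports exactly these three levels).
#   "may"     = opportunistic: TLS if offered, otherwise plaintext
#   "encrypt" = TLS required, certificate not verified
#   "secure"  = TLS required and certificate must match the destination
TLS_POLICY = {
    "bank.example": "secure",
    "partner.example": "encrypt",
}
DEFAULT_TLS_POLICY = "encrypt"   # never fall back to plaintext by default


@dataclass
class RemoteServer:
    """What the gateway learns from the remote's EHLO and TLS handshake."""
    domain: str
    offers_starttls: bool
    cert_matches: bool = False


def tls_decision(remote: RemoteServer) -> str:
    """Return 'send', 'defer' or 'portal' for one delivery attempt."""
    level = TLS_POLICY.get(remote.domain, DEFAULT_TLS_POLICY)
    if level == "may":
        return "send"            # plaintext allowed: the gap the article describes
    if not remote.offers_starttls:
        return "portal"          # reroute via a secure web pickup portal
    if level == "secure" and not remote.cert_matches:
        return "defer"           # TLS but possible impersonation: retry and alert
    return "send"


# DLP rule: a Luhn-valid 13-19 digit number is treated as a payment card number.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_card_number(body: str) -> bool:
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def outbound_action(body: str, remote: RemoteServer) -> str:
    """Combine content policy and transport policy into one gateway action."""
    if contains_card_number(body):
        return "encrypt"         # e.g. S/MIME or portal delivery, whatever the TLS state
    return tls_decision(remote)


if __name__ == "__main__":
    samples = [
        ("invoice attached", RemoteServer("bank.example", True, False)),
        ("invoice attached", RemoteServer("partner.example", False)),
        ("card 4111 1111 1111 1111", RemoteServer("other.example", True)),
    ]
    for body, remote in samples:
        print(f"{remote.domain:16} -> {outbound_action(body, remote)}")
```

Note the default: a destination that is not in the table gets "encrypt", not "may", so a server that silently drops STARTTLS support is routed to the portal rather than receiving plaintext. The DLP check uses the Luhn checksum so that a random 16-digit order number does not trigger encryption.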

Choosing Secure Email Providers and Strong Authentication

What can an everyday user do, given that you can’t control what the recipient’s mail server does? One practical step is to choose your email provider wisely. Not all email services offer the same level of security. Ideally, you want a provider that encrypts your emails at every stage – in transit and at rest – and supports modern security features. There is a growing number of email services built with security in mind; the number of encrypted email providers has increased significantly since the early 2000s, and some of them offer end-to-end encryption by design rather than as an extra feature. For instance, ProtonMail automatically applies end-to-end encryption between its own users, meaning those messages are encrypted such that even the provider itself cannot read them. One caveat: mail to a recipient on another service is only end-to-end encrypted if the recipient uses PGP or a password-protected message, otherwise it leaves the provider over ordinary TLS like any other email. So choose a provider that offers strong encryption, and know where its guarantees stop.

If switching to a specialized secure provider isn’t feasible, you can still maximize security on your existing email account. First, ensure that your provider supports TLS (most major ones like Gmail, Outlook, Yahoo do – you can usually find this in their security or help documentation). Some providers go further by enforcing strict transport security: Gmail, for example, supports MTA-STS (RFC 8461), a mechanism that lets a domain publish a policy requiring senders to use TLS with a valid certificate when delivering to its mail servers, plus TLS reporting (RFC 8460) so senders can report failed connections. Also check whether your provider offers S/MIME encryption for emails (some business-oriented services do). Features such as Gmail’s “confidential mode” for self-expiring messages add access controls but are not encryption – the provider still holds the message content – so treat them as convenience, not confidentiality. These can add extra protection on top of standard TLS, but only S/MIME or PGP actually keeps the content from the servers in between.
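The MTA-STS check mentioned above, as seen from the sending server, as an added example that is not part of the original article and is not Gmail’s or any provider’s code. The policy text and host names are constructed; in production the policy is fetched over HTTPS from https://mta-sts.<domain>/.well-known/mta-sts.txt after a _mta-sts TXT record is found in DNS, and the fetch, DNS lookup and TLSRPT report are omitted here.

```python
"""MTA-STS (RFC 8461) policy evaluation on the sending side (added example).

Parses a published policy, matches the MX host the sender is about to use
against the policy's mx patterns, and decides whether a delivery attempt may
proceed. Policy text and host names are constructed for illustration."""

from dataclasses import dataclass, field

# Constructed policy, as the receiving domain would publish it.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


@dataclass
class StsPolicy:
    mode: str
    mxs: list = field(default_factory=list)
    max_age: int = 0


def parse_policy(text: str) -> StsPolicy:
    """Parse the key/value policy file; unknown keys are ignored (RFC 8461 3.2)."""
    fields, mxs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mxs.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing MTA-STS version")
    mode = fields.get("mode", "none").lower()
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"bad mode {mode!r}")
    return StsPolicy(mode=mode, mxs=mxs, max_age=int(fields.get("max_age", "0")))


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 4.1: a leading '*' matches exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return host == pattern


def delivery_decision(policy: StsPolicy, mx_host: str,
                      starttls: bool, cert_valid: bool) -> str:
    """Return 'deliver', 'deliver-report' or 'defer' for one MX attempt.

    A policy failure is an MX not in the list, no STARTTLS, or a certificate
    that does not validate for the MX name. In enforce mode that blocks
    delivery (the sender retries later); in testing mode mail still flows
    but the failure is reported to the domain via TLSRPT."""
    if policy.mode == "none":
        return "deliver"                     # equivalent to having no policy
    failed = (not any(mx_matches(p, mx_host) for p in policy.mxs)
              or not starttls or not cert_valid)
    if not failed:
        return "deliver"
    return "defer" if policy.mode == "enforce" else "deliver-report"


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    for host, tls, cert in [("mail.example.com", True, True),
                            ("mail.example.com", False, False),
                            ("evil.example.net", True, True)]:
        print(f"{host:18} starttls={tls!s:5} cert={cert!s:5} -> "
              f"{delivery_decision(pol, host, tls, cert)}")
```

The point of the mx list is the third case: a DNS-level attacker who substitutes their own MX still fails the check even if they offer TLS with a certificate valid for their own name, because that name is not in the policy. Testing mode exists so a domain can watch its TLSRPT reports for legitimate senders that would be blocked before switching to enforce.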

Equally important is securing access to your account. With two-factor authentication turned on, even if someone guesses or steals your password, they still can’t log in without a second verification step (such as a code from an authenticator app). Prefer an authenticator app, a hardware security key or a passkey over SMS codes, which can be intercepted through SIM swapping or phished along with the password. This protects you from another angle – after all, TLS won’t matter if an attacker can simply log into your email account and read your mail from the server. Use a strong, unique password for email and consider a reputable password manager to keep track of it. In summary, pick an email service with strong encryption practices and use its security features to the fullest. A quick checklist of what to look for in an email provider:

  • Encryption in transit: They should use TLS for sending/receiving mail with other servers (virtually all good providers do this now).
  • Encryption at rest: The service should encrypt stored emails on their servers. Bonus points if they have zero-access encryption (where they can’t read your data even if they wanted to).
  • End-to-end encryption support: Ideally, the provider offers end-to-end encryption, at least between users of the same service or via optional settings.
  • Strong authentication options: Look for 2FA support, secure password recovery, and login alerts.
  • Reputation and transparency: Choose providers known for security – those that are transparent about their practices, engage in security audits, or have a track record of quickly patching issues.

By selecting a robust email provider and locking down your account, you dramatically reduce the risk that your emails will be compromised through your own account or your own provider’s servers. What happens on “their” end (the recipient’s side) remains outside your control unless the message is end-to-end encrypted, which is why S/MIME, PGP or a provider that encrypts end to end is the only way to close that last gap.
