In my previous blog post, I introduced the topic of SMTP over TLS and discussed why it’s an important tool to use to protect the privacy of email communication. In that post, I wrote that you do not have to encrypt email at this time, but I promised that I would write a subsequent post arguing that you should do so. This is that post.
How Much of My Mail Should I Encrypt?
You might be an email marketer reading this and thinking that encryption is about privacy, and making sure that Personally Identifiable Information (PII) can’t be compromised. You might further think that only some or even none of your mail has PII, so you don’t have to worry about SMTP over TLS. I’m of a mind (and I don’t believe I’m alone here) that you’re wrong about this, and I’d go so far as to say that the short answer to the question of “How much of my mail should I encrypt?” is, simply put:
ALL OF IT.
There are a few reasons for this.
It’s Not Just About PII
While it’s a useful tool to help keep PII secure, encryption can play a larger function in keeping your recipients safer from all kinds of bad behavior. For instance, you might think that transactional mail is worth encrypting, but there’s no point to encrypting marketing mail, because there’s no PII, and to be honest, it might be useful to get your marketing pitch in front of another pair of eyes, even if they’re of the prying kind. The problem, however, is that those prying eyes might belong to a criminal, and if he can establish a pattern of your customer(s) receiving marketing mail from you about a given brand or product, he can then craft look-alike emails (i.e., phishes) that can lure your customers into surrendering PII or getting their computers compromised. Encrypting all your mail can keep your customers (and your brand) safer.
More Encryption Means Less Decryption
While current encryption methods are quite powerful, they’re not impossible to break, especially for organizations with essentially unlimited resources. If only “special” mail is encrypted, then those organizations will have a rather limited set of messages to intercept and try to crack, and they can devote all their resources to the task. The more encrypted email there is, the more difficult it will be for them to decrypt anything useful, because it’ll be a veritable search for a needle in a pile of needles to find the messages that are actually worth focusing their efforts on.
Protection against Mistakes
The last reason for encrypting everything is really the simplest one. If your policy is to encrypt all outbound mail, then you’ll never mistakenly send something out unencrypted to a site that supports encryption. While you may be concerned about additional load on your mail servers due to the encryption, and you should certainly test things with a limited set of your servers before rolling it out 100%, you may be interested to know that a recent post on the subject by Facebook claimed that the “performance impact of enabling TLS for outbound connections was negligible.”
Privacy is an ongoing concern with electronic communications, and SMTP over TLS is one of the ways the email industry is addressing this concern. As a sender, you can contribute to the success of this effort, and protect your customers and your brand, by sending encrypted mail at every opportunity. The cost to do so is likely to be minimal, and the benefits to everyone far outweigh the cost.
If you have any questions, feel free to contact me at email@example.com or just comment below.