Every email we send makes a complex journey: it passes through servers, gateways, and intermediate networks until it reaches the recipient’s mailbox. During that journey, data can be intercepted or manipulated if not properly protected.

To prevent this, modern email relies on three security pillars: TLS, which encrypts the connection; DANE, which validates the authenticity of encryption; and PGP, which protects content end-to-end. Together, they form the technical foundation that allows email to remain a secure and reliable channel.

The original email problem

Email was born in the 70s as an open and trusted system. Messages were sent in plain text and anyone who intercepted the connection could read their content. Unlike current messaging systems, SMTP —the base protocol of email— did not include encryption or authentication.

This made it a vulnerable channel: intercepting, modifying, or forging emails was trivial. Hence the need to apply cryptographic mechanisms to protect communications, moving security from the network into the application itself.

TLS: encryption in transit (the communication tunnel)

TLS (Transport Layer Security) is the current standard for protecting the connection between email servers and clients. When you send an email, your server negotiates an encrypted connection with the recipient’s, similar to when you access a secure website with HTTPS.

If both servers support TLS:

  • The message content is transmitted encrypted throughout the journey.
  • An attacker intercepting the traffic cannot read or modify it without breaking the connection (a man-in-the-middle attack).

Example:

C: STARTTLS
S: 220 Ready to start TLS

From that point on, all SMTP communication travels encrypted.

Advantages:

  • Automatic and transparent implementation for the user.
  • Compatible with most modern servers.
  • Prevents reading or manipulation of the message during transport.

Limitations:

  • Protects only transport, not content at rest on the server.
  • If one of the servers doesn’t support TLS, the sender typically falls back to sending the email unencrypted (opportunistic encryption).
  • Providers can still access the message text (it’s not end-to-end encryption).
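The fallback described in the limitations above is a policy decision taken right after the EHLO reply: if the server does not advertise STARTTLS, an opportunistic sender continues in plaintext, while a sender that requires TLS refuses the hop. The following Python snippet is an added example, not code from the original article or from any mail server; it simulates that decision on constructed EHLO replies (no network is used) and also shows why a missing STARTTLS keyword is indistinguishable, from the sender's side, from an on-path downgrade.

```python
import re

# Constructed EHLO replies standing in for what a sending server reads after
# "EHLO"; these are not captured traffic.
EHLO_WITH_STARTTLS = (
    "250-mail.example.com Hello sender.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# Same server, but the STARTTLS line is absent: either the server has no TLS
# support or an on-path attacker stripped the keyword (a downgrade). The
# sender cannot tell the two cases apart from the reply alone.
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.com Hello sender.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)

_EHLO_LINE = re.compile(r"^250[- ](\S+)")


def parse_ehlo_extensions(response: str) -> set[str]:
    """Return the extension keywords advertised in a multi-line EHLO reply.

    The first line carries the server greeting, not an extension, so it is skipped.
    """
    keywords = set()
    for line in response.splitlines()[1:]:
        m = _EHLO_LINE.match(line)
        if m:
            keywords.add(m.group(1).upper())
    return keywords


def decide_starttls(response: str, policy: str) -> str:
    """Decide what the sender does once it has read the EHLO reply.

    policy "opportunistic": upgrade with STARTTLS if offered, else send in the clear
    policy "require":       upgrade if offered, else refuse to deliver over this hop
    Returns "starttls", "plaintext" or "abort".
    """
    if policy not in ("opportunistic", "require"):
        raise ValueError(f"unknown policy: {policy}")
    if "STARTTLS" in parse_ehlo_extensions(response):
        return "starttls"
    return "plaintext" if policy == "opportunistic" else "abort"


if __name__ == "__main__":
    for name, reply in (("offered", EHLO_WITH_STARTTLS),
                        ("missing", EHLO_WITHOUT_STARTTLS)):
        for policy in ("opportunistic", "require"):
            print(f"STARTTLS {name:8} policy {policy:13} -> {decide_starttls(reply, policy)}")
```

The "require" policy is what closes the downgrade window; it needs a way to know in advance that the destination supports TLS, which is exactly the gap the DANE section below fills.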

DANE: server identity verification

Although TLS encrypts communication, by itself it doesn’t guarantee that the destination server is legitimate. An attacker could intercept the connection and force the email to be sent to a fake server with a fraudulent certificate (man-in-the-middle or downgrade attack).

To verify the authenticity of the server, DANE (DNS-based Authentication of Named Entities) was created. DANE lets a domain publish in its DNS, protected by DNSSEC, a record that identifies the TLS certificate (or its public key) that its email server must present.

Thus, senders can verify the recipient server’s identity before establishing the connection and guarantee they’re encrypting with the correct entity.

Example of DANE record (TLSA):

_25._tcp.mail.example.com. IN TLSA 3 1 1 <certificate_hash>

Advantages:

  • Prevents spoofing and downgrade attacks (forcing the session back to plaintext) on SMTP connections.
  • Ensures the TLS session is established with the authentic server.
  • Reinforces trust in transit encryption by adding a verifiable authentication layer.

In summary: TLS encrypts the connection, and DANE confirms you’re connecting with the legitimate recipient.
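The TLSA record shown above encodes three fields before the hash: usage 3 (DANE-EE, the record names the server's own end-entity certificate), selector 1 (match the SubjectPublicKeyInfo rather than the whole certificate) and matching type 1 (the data is a SHA-256 digest). The following Python code is an added example, not part of the original article or of any mail server: it builds such a record from constructed certificate bytes and then performs the check a sending server would do after the TLS handshake. The CERT_DER and SPKI_DER values are arbitrary placeholder bytes, not a real certificate or key; a real MTA would take them from the presented certificate.

```python
import hashlib
import hmac

# TLSA field values from RFC 6698 (only the ones this example handles).
USAGE_DANE_EE = 3        # the record names the end-entity certificate itself
SELECTOR_FULL_CERT = 0   # compare against the whole DER-encoded certificate
SELECTOR_SPKI = 1        # compare against the SubjectPublicKeyInfo only
MATCH_FULL = 0           # association data is the raw selected bytes
MATCH_SHA256 = 1         # association data is SHA-256 of the selected bytes
MATCH_SHA512 = 2         # association data is SHA-512 of the selected bytes

# Constructed stand-ins for what a real MTA extracts from the TLS handshake.
# They are arbitrary bytes, not a real certificate or public key.
CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-CERT-FOR-mail.example.com"
SPKI_DER = b"\x30\x59CONSTRUCTED-SPKI-FOR-mail.example.com"
ATTACKER_SPKI_DER = b"\x30\x59CONSTRUCTED-SPKI-OF-AN-IMPOSTOR"


def make_tlsa_rdata(selected: bytes, selector: int = SELECTOR_SPKI,
                    mtype: int = MATCH_SHA256) -> str:
    """Build the rdata of a DANE-EE TLSA record, e.g. "3 1 1 <hex>", for the given bytes."""
    if mtype == MATCH_SHA256:
        assoc = hashlib.sha256(selected).hexdigest()
    elif mtype == MATCH_SHA512:
        assoc = hashlib.sha512(selected).hexdigest()
    elif mtype == MATCH_FULL:
        assoc = selected.hex()
    else:
        raise ValueError("unsupported matching type")
    return f"{USAGE_DANE_EE} {selector} {mtype} {assoc}"


def parse_tlsa(rdata: str) -> tuple[int, int, int, bytes]:
    """Split "usage selector mtype hexdata" into its typed fields."""
    usage, selector, mtype, assoc = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(assoc.replace(" ", ""))


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Return True if the certificate presented in the handshake satisfies the record.

    The DNS answer itself must have been DNSSEC-validated before this check
    means anything; an unsigned TLSA record could be forged just like the server.
    """
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage != USAGE_DANE_EE:
        raise NotImplementedError("this example handles usage 3 (DANE-EE) only")
    if selector == SELECTOR_FULL_CERT:
        selected = cert_der
    elif selector == SELECTOR_SPKI:
        selected = spki_der
    else:
        return False  # unknown selector: treat as no match
    if mtype == MATCH_FULL:
        digest = selected
    elif mtype == MATCH_SHA256:
        digest = hashlib.sha256(selected).digest()
    elif mtype == MATCH_SHA512:
        digest = hashlib.sha512(selected).digest()
    else:
        return False  # unknown matching type: treat as no match
    return hmac.compare_digest(digest, assoc)


if __name__ == "__main__":
    rdata = make_tlsa_rdata(SPKI_DER)
    print(f"_25._tcp.mail.example.com. IN TLSA {rdata}")
    print("genuine server :", tlsa_matches(rdata, CERT_DER, SPKI_DER))
    print("impostor server:", tlsa_matches(rdata, CERT_DER, ATTACKER_SPKI_DER))
```

With this in place, a server presenting a certificate whose key is not the published one fails the check even if its certificate carries a valid signature from some CA, which is what makes the "fraudulent certificate" scenario above detectable.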

PGP: end-to-end content encryption

PGP (Pretty Good Privacy) takes a fundamental step: it encrypts the message itself, regardless of the connection that transports it. This asymmetric cryptography system uses a key pair:

  • Public key: Shared with the world and used to encrypt messages intended for that user.
  • Private key: Kept secret and used to decrypt received messages and sign sent ones.

Thus, only the recipient who possesses the corresponding private key can read the message. Neither intermediate servers, nor the email provider, nor third parties can access the content. PGP also allows digitally signing messages, guaranteeing the sender’s authenticity.

Advantages:

  • Maximum confidentiality: End-to-end encryption.
  • Integrity and authenticity guaranteed through digital signatures.
  • Security independent of third-party servers.

Limitations:

  • Complex to configure and maintain for the average user.
  • Requires prior and secure exchange of public keys.

PGP is used in environments where absolute confidentiality is the top priority (investigative journalism, lawyers with privileged information, etc.).

Encryption vs. Traceability: The role of trust services

PGP and TLS/DANE focus on confidentiality (hiding content). However, in registered email services, the primary objective is guaranteeing integrity and traceability for probative purposes.

Registered email must be auditable and verifiable in case of litigation, which requires that its content, although encrypted in transit and storage, remains legally verifiable.

That’s why at eEvidence we apply encryption in transit (TLS) and at rest to protect information. Additionally, we apply timestamps, hashes, and digital signatures to the content and the evidence.

In this way, a chain of trust is created that preserves confidentiality from third parties without compromising the probative function of email, ensuring that the original content is unalterable and verifiable in a legal process.
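The chain of trust described above rests on three bindings: a hash fixes the content, a timestamp fixes when it existed, and a signature fixes both so that neither can be changed afterwards. The Python below is an added example of that mechanism, not eEvidence's code and not a description of its internal format. Because the standard library has no asymmetric signatures, an HMAC with a constructed key stands in for the provider's signing key, and a plain integer stands in for a timestamp from a time-stamping authority; the message itself is constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real service the signing is done with the
# provider's private key and the time comes from a trusted time-stamping
# authority; HMAC is used here only as a stand-in for a digital signature.
DEMO_SIGNING_KEY = b"constructed-demo-key-do-not-use"


def _canonical(record: dict) -> bytes:
    """Serialise a record deterministically so the signature covers fixed bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_evidence(content: bytes, sent_at: int, key: bytes = DEMO_SIGNING_KEY) -> dict:
    """Produce an evidence record binding content hash and timestamp under a signature."""
    record = {
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "timestamp": sent_at,                  # assumed Unix time of the sending event
        "sig_alg": "HMAC-SHA256 (stand-in)",
    }
    record["signature"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_evidence(content: bytes, record: dict, key: bytes = DEMO_SIGNING_KEY) -> bool:
    """Return True only if the record is intact and matches the content presented.

    Two independent failures are distinguished: an altered record (hash or
    timestamp edited after sealing) and altered content (record intact, but
    the message shown now is not the one that was sealed).
    """
    if "signature" not in record:
        return False
    unsigned = {k: v for k, v in record.items() if k != "signature"}
    expected_sig = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, record["signature"]):
        return False
    actual_hash = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(actual_hash, record["content_sha256"])


if __name__ == "__main__":
    message = b"Constructed message body: invoice 42 is due on 2024-01-31."
    evidence = seal_evidence(message, sent_at=1700000000)
    print(json.dumps(evidence, indent=2))
    print("original content verifies:", verify_evidence(message, evidence))
    print("edited content verifies:  ", verify_evidence(message + b" (amended)", evidence))
    backdated = dict(evidence, timestamp=1600000000)
    print("backdated record verifies:", verify_evidence(message, backdated))
```

The stored message can be encrypted at rest without affecting this: the record only contains a hash, so verification happens when the content is later decrypted and presented, which is the point made above about content that is encrypted yet remains legally verifiable.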


Frequently Asked Questions (FAQ)

Does TLS encrypt email content?

TLS encrypts the communication channel (the tunnel). The message itself remains in plain text on servers, but travels through a secure medium. Content encryption requires PGP.

What does DANE add compared to TLS?

DANE validates that the recipient server’s TLS certificate is the one its domain owner published, confirming the recipient’s identity and preventing spoofing or encryption downgrade attacks.

Does eEvidence’s registered email encrypt messages?

Yes. Emails travel encrypted via TLS, and the evidence (the sealed message) is encrypted and digitally signed in our secure storage. This guarantees its integrity and that the evidence is verifiable.


Conclusion

Modern email is protected through a layered architecture: TLS secures transport; DANE guarantees channel authenticity; and PGP protects content. Together, they provide a solid framework of technical protection and digital trust.

With solutions like eEvidence’s registered email, companies integrate these security layers with legal requirements. They guarantee not only confidentiality in sending, but also verifiable proof of their content, sending, and delivery, achieving the perfect balance between technical security and legal validity.
