Last updated: 23 June 2026
Most emails have some encryption, but it usually applies only while the message travels between mail servers, which is not the kind of protection most people assume. That means your email may be shielded in transit, yet still readable once it lands in a mailbox unless you use end-to-end encryption such as S/MIME or PGP.
You've probably asked this question while sending something that feels a bit too personal for ordinary email. A contract. A medical form. A password reset link. A spreadsheet with client details. That's usually the moment people realise “secure email” can mean a few very different things.
The confusing part is that “encrypted” isn't one single state. An email can be protected on the way over the internet, stored with some protection on a provider's servers, or locked so tightly that only the intended recipient can read it. Those are not the same thing, and they protect against different risks.
For people and businesses in Canada, that difference matters. Under Canadian privacy law, email content can count as personal information when it identifies an individual, so the practical question isn't just “are emails encrypted?” It's “where is this email protected, where is it exposed, and what can I control?”
Are Emails Encrypted by Default
The honest answer is yes, but only partly.
Most mainstream email services now support Transport Layer Security, or TLS, when mail moves between servers. In plain language, TLS is the lock on the delivery route. It helps stop someone from casually reading your message as it crosses the network. The UC San Diego email encryption guidance makes the bigger point clearly: mainstream email is still plaintext by design at the protocol level, and transport encryption doesn't automatically protect messages end to end or at rest.
What default email protection actually means
Think of ordinary email like sending a letter through a secure mail truck. The truck doors are locked while it's moving. That's useful, and we want that. But the letter inside isn't written in a secret code, so the mail company can still read it when it reaches the sorting office.
That's the core misunderstanding behind “are emails encrypted”. Many people hear that Gmail or Outlook uses encryption and assume nobody can read the message. In reality, default protection often covers the trip, not the contents after delivery.
Practical rule: If your provider can still process, store, or display the message normally, the provider likely has some level of access unless you've added message-level encryption.
A common situation makes this easier to see. Say you email a signed agreement to someone outside your company. If that message only has transport protection, it may be safer while moving across the internet, but it can still sit in readable form in one or both inboxes after delivery.
The question that matters more
For sensitive email, the primary issue is workflow.
If you draft a message in a webmail app, send it through a major provider, and the recipient opens it in another major provider, you may have decent transport protection without having true message confidentiality. Server copies, mailbox access, and backups can still expose the content.
If you want a fuller beginner-friendly explanation of the basics before going further, our guide on what email encryption means in practice walks through the core ideas without the jargon.
Default email usually protects transit. That helps against interception on the route.
Default email usually does not mean end-to-end encryption. Your provider may still be able to read the content.
Sensitive data needs more than “probably secure enough.” It needs the right kind of protection for the risk.
Encryption in Transit, At Rest, and End-to-End
Send a tax form, a contract, or medical details by email, and one question matters more than the label on a provider's homepage. At which points can someone other than the sender and recipient still read it?
That question gets clearer if you separate email protection into three different layers. They solve different problems, and under Canadian privacy expectations, that distinction matters. A message can be protected on the route, stored securely on a server, and still remain accessible to the provider or reachable through a legal request, depending on how it was encrypted.

Encryption in transit
Encryption in transit usually means TLS. TLS protects the connection while email travels between mail servers.
Google's Email encryption in transit data shows that TLS support between providers is widely used. That reduces the chance of someone intercepting the message while it moves across the internet. It does not change what happens once the message reaches a mailbox.
TLS works like a secure road for the package. The trip is protected while the package is in motion. After arrival, the package still gets handled at the destination.
That is why TLS is good baseline protection, not full message privacy.
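To see which legs of a delivered message's trip were actually covered by TLS, you can read its Received headers. The sketch below is an added example, not code from this article or any provider: it parses a constructed message and flags each hop using the `with` keywords registered in RFC 3848 (ESMTPS and ESMTPSA mean the hop used TLS). All hostnames, addresses and IDs are made up.

```python
import re
from email import message_from_string

# Constructed sample: hostnames, IPs and queue IDs are made up for illustration.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
\tby mailstore.recipient.example with LMTP id abc123;
\tTue, 02 Jun 2026 10:00:03 -0400
Received: from out.sender.example (out.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id def456
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tTue, 02 Jun 2026 10:00:02 -0400
Received: from laptop.sender.example (laptop [192.0.2.44])
\tby out.sender.example with ESMTPSA id ghi789;
\tTue, 02 Jun 2026 10:00:01 -0400
From: alice@sender.example
To: bob@recipient.example
Subject: Signed agreement

See attached.
"""

# "with" keywords that record a TLS-protected hop (registered in RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def _field(keyword, text):
    match = re.search(r"\b" + keyword + r"\s+(\S+)", text)
    return match.group(1) if match else "unknown"

def audit_hops(raw_message):
    """Return hops oldest-first as (from_host, by_host, protocol, used_tls)."""
    msg = message_from_string(raw_message)
    hops = []
    # Servers prepend Received headers, so reverse to get delivery order.
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\([^()]*\)", " ", value)  # drop parenthesised comments
        text = text.split(";")[0]                 # drop the trailing timestamp
        protocol = _field("with", text).upper()
        hops.append((_field("from", text), _field("by", text),
                     protocol, protocol in TLS_PROTOCOLS))
    return hops

def plaintext_hops(raw_message):
    """Hosts that accepted the message over a hop not marked as TLS."""
    return [by for _, by, _, used_tls in audit_hops(raw_message) if not used_tls]

if __name__ == "__main__":
    for frm, by, protocol, used_tls in audit_hops(SAMPLE):
        print(f"{frm} -> {by}: {protocol} ({'TLS' if used_tls else 'no TLS recorded'})")
    # Even with every hop on TLS, each server above handled the readable message.
```

Received lines are written by each server in the chain and earlier ones can be forged, so treat only the headers added by your own provider as reliable.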
Encryption at rest
Encryption at rest protects email while it is stored on servers, backup systems, or physical disks.
This helps against a narrower set of risks, such as stolen hardware or improper access to raw storage. It is useful housekeeping. It usually does not mean the provider is locked out of the mailbox, because the provider often controls the keys needed to make the stored data usable.
For privacy, that difference is the whole point.
A practical comparison helps here. If transit encryption protects the courier route, encryption at rest is the locked storage room where the delivered package sits overnight. The room is secured, but the facility operator can still open it if they hold the key.
So if you are asking, "Can my email provider still access this message?" encryption at rest often does not change the answer.
Encryption at rest lowers some storage risks. It does not, by itself, keep the service provider from accessing mailbox contents.
End-to-end encryption
End-to-end encryption works differently. Tools such as PGP and S/MIME encrypt the message before it leaves the sender's device, and only the recipient's key can turn it back into readable text.
The easiest way to picture it is a sealed note placed inside a locked box before the courier even picks it up. The road can be secure, and the warehouse can be secure, but the courier and the warehouse staff still cannot read the note inside the box unless they have the right key.
That changes the privacy model in a meaningful way. With properly configured end-to-end encryption, the provider can still move the message, store it, and often see routing details, but it cannot normally read the body content in plain text.
This is also the layer that matters most if your concern is provider access or disclosure under legal process. Under Canadian law, the exact result depends on who holds the readable version and the keys. If the provider can decrypt the message, the provider may be able to disclose readable content when required. If the provider never has the decryption key, what it can disclose is more limited.
Why these terms get blurred together
Email companies often describe all three layers as "encrypted email," which is technically understandable and practically confusing. For a person deciding whether to email payroll records, client files, or health information, the primary issue is not whether encryption exists somewhere in the system. The primary issue is where readable copies still exist.
Here is the simpler way to sort it out:
| Protection type | What it protects | What it does not guarantee |
|---|---|---|
| In transit | The connection while the message moves between systems | Privacy after delivery |
| At rest | Stored email on servers or disks | That the provider cannot access the message |
| End-to-end | The message content from sender to recipient | That headers, subject lines, or recipient actions are hidden |
If you remember one practical rule, use this one: TLS protects the trip. End-to-end encryption protects the contents.
Where Your Email Is Still Exposed
Even when an email uses some encryption, parts of the message trail can still remain visible or vulnerable. This matters most when the content involves personal, financial, legal, or medical details.

The parts encryption often doesn't cover
Start with metadata. Even if message content is protected, email systems still need certain routing details to work. That can include who sent the message, who received it, and when it was sent. In many setups, the subject line also gets weaker protection than people expect.
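The gap between protected content and visible metadata shows up directly in the message structure. The following is an added example, not code from this article or from any mail product: it classifies a message as PGP/MIME, S/MIME, inline PGP or unprotected, and lists the headers that stay readable to any server storing it. Both sample messages are constructed, and the armored block is a placeholder rather than real ciphertext.

```python
from email import message_from_string

# Constructed PGP/MIME message (RFC 3156 layout). The armored block is a
# placeholder, not real ciphertext; addresses are made up.
ENCRYPTED = """\
From: alice@sender.example
To: bob@recipient.example
Subject: Q3 payroll corrections
Date: Tue, 02 Jun 2026 10:00:01 -0400
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder)
-----END PGP MESSAGE-----
--b1--
"""
# Constructed plaintext message with the same headers.
PLAIN = """\
From: alice@sender.example
To: bob@recipient.example
Subject: Q3 payroll corrections
Content-Type: text/plain

Corrected salary figures are below.
"""
ENVELOPE_HEADERS = ("From", "To", "Cc", "Subject", "Date")

def body_protection(msg):
    """Classify message-level encryption from the MIME structure."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "pgp-mime"
    smime_type = (msg.get_param("smime-type") or "").lower()
    if ctype.endswith("pkcs7-mime") and smime_type in ("enveloped-data", "authenveloped-data"):
        return "smime"  # smime-type=signed-data is signed only, still readable
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            if b"-----BEGIN PGP MESSAGE-----" in (part.get_payload(decode=True) or b""):
                return "pgp-inline"
    return "none"

def exposure_report(raw_message):
    """What a server storing this message can read without any private key."""
    msg = message_from_string(raw_message)
    protection = body_protection(msg)
    visible = {h: msg[h] for h in ENVELOPE_HEADERS if msg[h] is not None}
    return {"body_protection": protection,
            "body_readable": protection == "none",
            "visible_headers": visible}
```

Run against the encrypted sample, the report still returns the sender, recipient, date and the subject "Q3 payroll corrections" in clear text, so the subject line alone can reveal what the message is about.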
Then there's provider access. If your email isn't end-to-end encrypted, your provider may be able to process and access the contents as part of delivering, storing, indexing, or filtering the message. That doesn't mean every provider abuses that access. It means the access exists, which is a different privacy model from “only sender and recipient can read this.”
A third gap is connected tools. Calendar add-ons, CRM systems, browser extensions, forwarding rules, and mobile mail apps can widen the circle of access. You might protect the route perfectly and still expose the message through an integration you forgot you enabled.
The human risk is often simpler
The biggest privacy failures are often ordinary mistakes.
Microsoft's email encryption explainer notes two important points that matter here. Under PIPEDA, organisations in Canada must safeguard personal information with security appropriate to its sensitivity. The same source also cites a 2024 survey showing more than one in four UK adults reported accidentally sharing personal data with the wrong recipient by email, and it notes that misdirected emails are a leading cause of reported data breaches.
That UK figure isn't a Canadian measurement, but it's still a useful benchmark for a very familiar problem. Someone types the wrong address. Autocomplete picks the wrong contact. A file goes to the wrong person. Once a plaintext email leaves your outbox, that mistake can become a privacy incident immediately.
If an email can be read by the wrong recipient the moment it arrives, the security problem isn't theoretical. It's operational.
Where exposure often happens in practice
Mailbox access: If someone gets into your account, they can read stored mail that isn't protected at the message level.
Backups and copies: Messages may exist in archives, synced devices, and retained server copies.
Forwarding: A careful sender can still lose protection if the recipient forwards content into a weaker environment.
Wrong recipient: Human error can beat technical safeguards if the content wasn't locked for a specific recipient.
For regulated organisations, this is why “some encryption” isn't enough as a policy standard. You need to know where the message is exposed after delivery, not just whether it was protected on the wire.
How to Send an Encrypted Email
You are about to email a passport scan, a contract, or a medical form. The message looks ordinary in your compose window, but the privacy risk depends on how you send it and what the recipient can open.
For practical use, there are two main ways to send encrypted email. One relies on an email service that builds secure sending into the product. The other uses public-key tools such as PGP or S/MIME. The right choice depends less on theory and more on your real situation: who you are emailing, how sensitive the message is, and whether Canadian data handling rules matter to you.

Use a service with built-in encrypted workflows
For many people, this is the easier path.
A privacy-focused email provider can handle much of the hard part for you by giving you secure storage, encrypted sending options, and clearer controls for messages that need more than ordinary inbox protection. That matters because email privacy often breaks on usability. If sending a protected message feels confusing, people fall back to regular email.
Provider-based encryption also helps with a legal question many Canadian readers care about: where the message is stored and which laws may apply to it after delivery. If your provider stores data in Canada, that can affect how personal information is handled and disclosed. Typewire is one example. It supports PGP keys in webmail and frames private email around Canadian data residency for people who want email hosted under Canadian law rather than foreign cloud infrastructure.
This option is often the best fit when you need better protection without turning every message into a technical project.
Use PGP or S/MIME manually
PGP and S/MIME are message-level tools. They lock the content for a specific recipient.
The basic idea is simple. Your public key works like an open padlock you can hand out. Anyone can use it to lock a message for you. Your private key is the only key that opens that lock, so only you can read the message after it is encrypted. That is why these tools are useful when you want the message body protected beyond ordinary provider-level security.
The trade-off is setup. You need to create or import keys, verify you have the right recipient key, protect your private key, and make sure the other person can decrypt what you send. If any part of that chain is missing, the message may still be secure in theory but frustrating in practice.
If you want the hands-on version, this guide to using PGP encryption for secure email walks through the setup and the common sticking points.
A practical rule: if the recipient needs to open the email quickly and is unlikely to manage keys correctly, a provider workflow is usually the safer option.
What you can control right now
Match the method to the message. Routine updates can stay in ordinary email. IDs, financial details, legal documents, and health information deserve message-level protection or a secure portal.
Check the recipient before you send. Confirm the address, then confirm they can open an encrypted message the way you plan to send it.
Keep sensitive details out of the subject line. Subject lines often have weaker protection than the message body.
Choose the simplest secure option people will use. In many real workplaces, that means a built-in encrypted workflow instead of manual key management.
Ask where the data will sit after delivery. For Canadian organisations, privacy risk is not only about interception. It is also about storage location, access, and the laws that may apply once the email reaches a server.
Choosing an Encrypted Email Provider
If you don't want to become your own cryptography admin, your provider choice does a lot of the heavy lifting.
Some services focus on convenience first. Others focus on privacy first. Neither approach is automatically wrong, but they solve different problems. If your main concern is whether emails are encrypted in a way that protects content, you need to look past generic security language.
What to check before switching
A good provider should explain, in plain language, what is protected in transit, what is protected at rest, and whether the provider itself can read stored message content.
Look for these points:
Clear encryption model: Can the provider explain what's end-to-end encrypted and what isn't?
Data residency: If jurisdiction matters to you, where is the email stored and which privacy laws apply?
Business model: If you pay for the service, the company has less incentive to monetise your inbox through unrelated means.
Usable security: Strong privacy only helps if you can still send, receive, search, and manage email without constant friction.
Comparing provider philosophies
Here's a simple way to think about it:
| Feature | Big Tech Email (e.g., Gmail) | Privacy-First Email (e.g., Typewire) |
|---|---|---|
| Default transport security | Usually present | Usually present |
| End-to-end privacy model | Often limited or optional | More likely to be a core design goal |
| Inbox business model | Can be tied to a broader ecosystem | More often funded by subscriptions |
| Jurisdiction focus | Often global and cloud-distributed | May emphasise local hosting and legal clarity |
| User trade-off | Convenience and familiarity | More deliberate privacy choices |
That table isn't a verdict. It's a lens. The best provider for you depends on what you need most. Some people care mainly about convenience. Others care about reducing provider access and keeping data under a specific legal framework.
If you're comparing services in detail, our privacy guide to the pros and cons of top email providers is a useful next read.
The small details matter more than the marketing
Many people don't switch providers because they're chasing perfect secrecy. They switch because ordinary email feels too exposed for everyday work.
A few examples come up often:
A small business launch: You don't want sending limits to get in the way during a busy campaign.
Client communication: You want custom domains and predictable handling of business email.
Privacy concerns: You'd rather use a service that makes money from subscriptions, not from building an ad-driven ecosystem around your account.
Good email privacy isn't just about stronger cryptography. It's about choosing a provider whose incentives match your expectations.
Your Action Plan for Better Email Privacy
You don't need to master every encryption standard to make better decisions.
Start with your actual habits. Think about the last few emails you sent that included personal details, contracts, attachments, or account information. If those messages only relied on default delivery protection, they may have been safer in transit than in the past, but not necessarily private in the way you intended.
A simple plan works well:
Review your provider's encryption language. Check whether it describes transit protection, storage protection, and end-to-end encryption separately.
Treat sensitive content differently. If the message would cause a problem when sent to the wrong person, don't rely on ordinary plaintext email.
Reduce easy exposure. Keep subject lines vague, double-check recipients, and trim unnecessary personal data from the body.
Test a privacy-first service. If stronger controls matter to you, try a provider that makes encrypted email easier to use day to day.
The short answer to “are emails encrypted?” is still yes, but only partly. The useful answer is this: email privacy depends on where the message is protected, where it sits in readable form, and who holds the keys.
If you want email that stays focused on privacy, Canadian hosting, and practical encrypted workflows, take a look at Typewire. We built it for people and small businesses who want ad-free email, clearer control over where data lives, and a simpler path to private communication.
