DEV Community

Cover image for Protect your emails (Short note)
Alex P
Alex P

Posted on • Edited on

Protect your emails (Short note)

Participants:

  • Alice - sender (real Alice, or your bank, or social networks, etc..)
  • Bob – recipient (for example you, or vice versa)
  • Trudy – intruder of any kind (MitM, local infostealer, someone who has access to your laptop, internet or email provider, etc..)

In the case, if Alice sends Bob an email with its ID/bank statement/confirmation link... they (both) have some problems

Problems Description
No encryption Anybody who has access to your inbox (online, offline, or in transit) – can read your email content
No sender validation Why are you sure, that the message with the subject your account has been blocked is from your bank? Maybe somebody bought a domain like yourbank.com-block.zip and used it for phishing
No backups In the case, if your email provider is not accessible now for any reason – you have to have a second way to receive your letters
No retention period Sometimes it's not a good idea to keep all emails in the inbox as plaintext forever
No email address protection In the case of data breach of any online resource – your email address will be used for spam or credential stuffing

Solutions review

Encryption

If you just wanna encrypt your email contents between two email addresses – you may just use a mailvelope.
It works easy and good for both sides:

  • Just create your keys
  • And share your public key to Bob
  • Now he can use it for encryption when sends messages to your

Thunderbird could also resolve the issue, just read this note

There are a lot of clients, that support PGP encryption, just check the list here https://www.openpgp.org/software/

Backups

For some reason you may want to have yet another storage for your emails, for example: your laptops, Gmail, and Proton

Why? For cases, if your laptop is lost, your Gmail or Proton account will be blocked (or not accessible for maintenance) and you wanna find your letters anyway

Solution – email relays

I believe the best choice for today is https://simplelogin.io/, that is why:

  • solve the problem – generates a lot of email aliases, that will forward all emails to other your own inboxes
  • additionally provides a PGP encryption for all incoming emails, it's useful for cases if you want to encrypt messages from social networks or from your banks, but they do not support it

For paranoic: you may deploy it on your own hosting...

Email address protection

And again email relays:

  • SimpleLogin (and others) also provides email aliases, that could be used as reverse email addresses (you may use this alias even for communications and your real email address will be still hidden)

Other services like this one: addy.io or relay.firefox.com (no PGP, as I remember)

Retention period

Ok, you are responsible for your mailbox, but sometimes you send something to the other side and you want to be sure, that its mailbox will not be the reason for your data leak

How is it today?

  • A lot of users use Gmail – there is a protection of messages with confidential mode
    • your message will be removed after N days
    • additionally, you may request authorization by code from SMS (you should enter the phone number of the recipient, that you know)
  • The same functionality from other providers, like protonmail or tutanota
    • but there you may define the password, for access to the email
    • they additionally may request email confirmation (to confirm the inbox owning)
    • and provide a replying possibility – right from the web page, the recipient reads the letter

Sender validation

By the way:

  • if you use a PGP encryption you already have a sender validation (only if somebody does not own a sender's private key and its passphrase)
  • also you may use PGP just for signature
  • email relays provide you unique email addresses for each website, which is why if you receive an email not from your relay – you will be triggered by this red flag

Email as a chat

What about messengers?
A lot of them keep data as plain text (that is why the search function does not work offline 😉)

You may use your mailbox with backups, address protection, encryption, expiration periods, and sender validation like chat!

Just try Delta Chat

Top-level review

I described the easiest ways for a lot of people how to protect emails (addresses and contents), I hope someone can add more info (or concerns/questions) in the comments, and the post will be updated

Image description

Look at this checklist https://digital-defense.io/checklist/email/ , It believe it will be useful for someone

Top comments (5)

Collapse
 
alxwnth profile image
Alex

Thanks for an interesting post! The only reason I don’t use alias services is because I wouldn’t want my emails being forwarded via some black box third party. But addy looks interesting, I might try self-hosting it

Collapse
 
devh0us3 profile image
Alex P

My own choice is SimpleLogin, because "SimpleLogin joins the Proton family"
And I trust to Proton family, anyway – it could be used as a self-host, but I do not want to have issues with whitelisting my IP addresses for antispam systems

If you trust to Fastmail – aliasing supports there from the box, sometimes I see this as a feature for some mailing systems, but not sure, that I;m ready to use them

Collapse
 
ccoveille profile image
Christophe Colombier

Side remark, simplelogin, Firefox Replay and .addy integrate well with Bitwarden

bitwarden.com/blog/add-privacy-and...

Collapse
 
devh0us3 profile image
Alex P

Thank you! Very good a useful point, and next time I'll write about password managers short note with a comparison (I tried a lot of them and use them every day)

Additionally, let's mention other possibilities:

Collapse
 
ccoveille profile image
Christophe Colombier

While your article is great, I don't get why you refer to PGP (proprietary) instead of GPG