Last week, Google announced support for end-to-end encrypted emails on Gmail for organizations, and later this year for end users. This allows Gmail users to encrypt emails so that only the recipient can read them.
Gmail is far from being the first email provider to offer such a feature. Proton Mail, for instance, supported end-to-end encrypted emails from the get-go.
When you read Google’s announcement, you may stumble upon the explainer on how this is implemented: not technically, but from the user’s perspective.
According to Google, end-to-end encrypted emails on Gmail work differently depending on whether you are a Gmail user or not, and whether an administrator has configured use of the restricted Gmail version for all users.
So, here are the different scenarios when someone sends an encrypted email from Gmail.
- When the recipient is a Gmail user, they can read the email in their inbox. The email is decrypted when it reaches the inbox.
- When the recipient is not a Gmail user, they receive an invitation to open the email in a guest Google Workspace account. This allows them to view and reply to the email in a restricted version of Gmail.
- If S/MIME is configured, Gmail sends the encrypted email via S/MIME.
Google Workspace administrators may furthermore configure encrypted emails to always require the restricted version of Gmail.
Here is why that is bad
Some emails, namely all end-to-end encrypted ones, no longer land in your inbox if you do not use Gmail or if the admin has enabled restricted mode. You also need to sign in using an invite link and a PIN. Organizations may furthermore limit access to emails by revoking access at any time.
To be fair, this is not all that different from how Proton Mail handles sending encrypted emails to non-Proton users.
Still, if you are not a Gmail user, you may have to read some emails on the Gmail website in the future using the guest account feature of Google Workspace. This may have severe consequences:
- When you search emails in your dedicated client or web service, encrypted email content is not included.
- Filters may not work correctly, as they may only apply to the public part of the email and not the body.
- Security tools can’t scan the emails.
It is probably only a matter of time before malware campaigns start to use the new feature.
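A receiving mail gateway can at least make the filtering and scanning gap listed above visible. The following Python example is added here and is not code from Google or from the original article: it flags messages whose body is ciphertext (S/MIME enveloped data and, going beyond the cases in the text, PGP/MIME) and shows that a keyword filter then only sees the headers. The sample messages, addresses and the `triage` helper are constructed for illustration.

```python
from email import message_from_string

# Constructed samples, not captured mail; the base64 body is a placeholder.
HEADERS = ("From: sender@example.com\nTo: rcpt@example.org\n"
           "Subject: Invoice overdue\nMIME-Version: 1.0\n")
PLAIN = HEADERS + 'Content-Type: text/plain; charset="utf-8"\n\nPay the invoice today.\n'
SMIME = HEADERS + ('Content-Type: application/pkcs7-mime; smime-type=enveloped-data; '
                   'name="smime.p7m"\nContent-Transfer-Encoding: base64\n\n'
                   'UExBQ0VIT0xERVI=\n')

def is_opaque(msg):
    """True when the body is ciphertext that a content filter cannot read."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (msg.get_param("smime-type") or "").lower()
        # Assumption: a missing smime-type is treated as encrypted (conservative).
        return smime_type in ("", "enveloped-data", "authenveloped-data")
    return ctype == "multipart/encrypted"  # PGP/MIME container

def body_text(msg):
    """Concatenate all decodable text/* parts of a readable message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw, keywords):
    """Run a keyword filter and record whether the body could be inspected."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    result = {"opaque": is_opaque(msg),
              "header_hits": [k for k in keywords if k in subject],
              "body_hits": None}  # None means the body was not scannable
    if not result["opaque"]:
        text = body_text(msg).lower()
        result["body_hits"] = [k for k in keywords if k in text]
    return result

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("smime", SMIME)):
        print(name, triage(raw, ["invoice", "pay"]))
```

Reporting `body_hits` as `None` rather than an empty list keeps "not scannable" distinct from "scanned, nothing found", so a gateway policy can route opaque messages to a separate handling rule.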
Now You: what is your take on this? Do you use encrypted email already? Feel free to leave a comment down below.
“if you are not a Gmail user, you may have to read some emails on the Gmail website in the future using the guest account feature of Google Workspace.”
Well what do you know! Not being a Gmail user myself, at this point I know that I WILL NOT connect to Google Workspace’s guest account to read/respond to an email which has been sent to me, personally. Email is a one-to-one communication protocol, widened or restricted based on the sender’s choices, but systematically supervised and managed by Google is not acceptable and will not be tolerated here. Google’s move confirms my policy which has almost always been to avoid that company by all means.
Totally agree with Tom re Google. And, any invitation from Google will be ignored.
This is a good step forward for gmail users. The problem will be those that do not use gmail, as malware and phishing will surely happen. Google needs to remove all embedded URL links in emails and just show the URL links as plain text as this would greatly reduce the dangers.
This will be fun for GMail users when they after quite some time will get hold of me somehow and I inform them that I don’t read encrypted emails sent with GMail, only emails that I get in my inbox. I will jump through zero hoops for you.
What about those that use Thunderbird with a gmail account?
That is a good question. Google does not mention third-party clients. My initial guess is that it is not supported, but too early to tell.
What Bobo said. I won’t play with Google. Currently using Tuta and Proton mail.