What milestones shaped secure email (TLS, PGP, S/MIME)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

PGP (Pretty Good Privacy) launched in 1991 and made strong encryption available to ordinary people. Phil Zimmermann wrote it, released it as freeware, and promptly got investigated by the U.S. government (strong encryption was classified as a weapon back then). The investigation was dropped in 1996, but PGP became a symbol for privacy rights. It's end-to-end encryption: you encrypt a message on your machine, and only the recipient's key can decrypt it. The message stays encrypted everywhere in between.

S/MIME (Secure/Multipurpose Internet Mail Extensions) arrived around the same time (mid-1990s) and did basically the same job (encryption and digital signing), but for enterprise email. It uses X.509 certificates instead of PGP's web-of-trust model, which made it easier for corporations to deploy. If you've ever seen an email with a little padlock icon or a "signed by" badge in Outlook or Apple Mail, that's S/MIME. Both PGP and S/MIME protect the message content itself, but they require both sender and recipient to have keys set up. That's always been the adoption problem: hardly anyone actually uses them outside of government, legal, or high-security environments.

TLS (Transport Layer Security) is different. It doesn't encrypt the message, it encrypts the connection between mail servers. TLS 1.0 was standardized in 1999 (replacing SSL), and it became the default way to protect email in transit. When your mail server talks to Gmail's mail server, TLS encrypts that connection so no one eavesdropping on the network can read what's passing through. The message itself arrives unencrypted in the recipient's inbox (unless you're also using PGP or S/MIME on top), but at least it wasn't readable while traveling.

And Here's the practical difference: PGP and S/MIME are end-to-end encryption (message stays encrypted from sender to recipient), but almost nobody uses them. TLS is transport encryption (protects the handoff between servers), and it's everywhere now. If you're sending marketing or transactional email in 2025, you're almost certainly using TLS without thinking about it. Your ESP handles it automatically. You're not using PGP or S/MIME unless you're in a regulated industry that requires it.

Why does this matter for deliverability? Because modern email authentication (SPF, DKIM, DMARC) solves a different problem than encryption. Encryption protects message content. Authentication proves who sent the message. Mailbox providers don't care whether your message is encrypted (they can't read it if it is), but they absolutely care whether you've authenticated your domain. If you're choosing where to spend your setup time, authentication wins every time for inbox placement.

Want to see if your domain's mail servers support TLS? Check your MX records and mail server config, or just send a test email and check the headers for "TLS" in the Received lines. (Our email header analyzer will show you.)

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Ask ChatGPT about your encryption setup →

I read this on the Email Almanac about encryption milestones (PGP, S/MIME, TLS): "PGP and S/MIME are end-to-end encryption (message stays encrypted from sender to recipient), but almost nobody uses them. TLS is transport encryption (protects the handoff between servers), and it's everywhere now. If you're sending marketing or transactional email in 2025, you're almost certainly using TLS without thinking about it. Your ESP handles it automatically." Help me understand what this means for MY email setup: 1. Do I need to configure TLS, or is my ESP already handling it? 2. Should I be using PGP or S/MIME for my emails? When does that make sense? 3. How do I check if my outbound email is using TLS? 4. Does encryption affect deliverability or inbox placement? 5. What's the relationship between encryption and authentication (SPF/DKIM/DMARC)? --- My details (the more you share, the better the advice): - Email platform/ESP: e.g. Mailchimp, SendGrid, Postmark, custom SMTP - Sending volume: e.g. 5,000/month - Email type: transactional, marketing, internal corporate - Industry: [if relevant, legal, healthcare, finance require different encryption standards] - Current challenge: what prompted this question

Edit the yellow boxes, then send to the AI of your choice.