What milestones shaped secure email (TLS, PGP, S/MIME)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
PGP (Pretty Good Privacy) launched in 1991 and made strong encryption available to ordinary people. Phil Zimmermann wrote it, released it as freeware, and promptly got investigated by the U.S. government (strong encryption was classified as a weapon back then). The investigation was dropped in 1996, but PGP became a symbol for privacy rights. It's end-to-end encryption: you encrypt a message on your machine, and only the recipient's key can decrypt it. The message stays encrypted everywhere in between.
S/MIME (Secure/Multipurpose Internet Mail Extensions) arrived around the same time (mid-1990s) and did basically the same job (encryption and digital signing), but for enterprise email. It uses X.509 certificates instead of PGP's web-of-trust model, which made it easier for corporations to deploy. If you've ever seen an email with a little padlock icon or a "signed by" badge in Outlook or Apple Mail, that's S/MIME. Both PGP and S/MIME protect the message content itself, but they require both sender and recipient to have keys set up. That's always been the adoption problem: hardly anyone actually uses them outside of government, legal, or high-security environments.
TLS (Transport Layer Security) is different. It doesn't encrypt the message, it encrypts the connection between mail servers. TLS 1.0 was standardized in 1999 (replacing SSL), and it became the default way to protect email in transit. When your mail server talks to Gmail's mail server, TLS encrypts that connection so no one eavesdropping on the network can read what's passing through. The message itself arrives unencrypted in the recipient's inbox (unless you're also using PGP or S/MIME on top), but at least it wasn't readable while traveling.
And Here's the practical difference: PGP and S/MIME are end-to-end encryption (message stays encrypted from sender to recipient), but almost nobody uses them. TLS is transport encryption (protects the handoff between servers), and it's everywhere now. If you're sending marketing or transactional email in 2025, you're almost certainly using TLS without thinking about it. Your ESP handles it automatically. You're not using PGP or S/MIME unless you're in a regulated industry that requires it.
Why does this matter for deliverability? Because modern email authentication (SPF, DKIM, DMARC) solves a different problem than encryption. Encryption protects message content. Authentication proves who sent the message. Mailbox providers don't care whether your message is encrypted (they can't read it if it is), but they absolutely care whether you've authenticated your domain. If you're choosing where to spend your setup time, authentication wins every time for inbox placement.
Want to see if your domain's mail servers support TLS? Check your MX records and mail server config, or just send a test email and check the headers for "TLS" in the Received lines. (Our email header analyzer will show you.)
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.