Why email isn't secure
It's generally known that email is not the most secure way to transfer data. You're better off sending data in an encrypted zip file via FTP, then sending the same files as attachments to an email. Why is this the case?
- Email was not designed to be secure. The internet protocol for email transmission, Simple Mail Transfer Protocol (SMTP), doesn't include any provisions for security - emails are sent in plain text. SMTP allows emails to be intercepted and changed by third parties.
- Emails sent between different networks will typically involve routers operated by different owners.
- Most email clients will store messages as plain text to enable searching through emails, and also in the case of web based providers like Gmail to facilitate advertising.
Microsoft Exchange uses Transport Layer Security (TLS) to encrypt emails sent between internal servers. Exchange enables a certificate for inbound and outbound connections. However, as noted in Microsoft's documentation for Exchange, "This default configuration allows Exchange to provide opportunistic TLS on all inbound and outbound SMTP connections. Exchange attempts to encrypt the SMTP session with an external messaging server, but if the external server doesn't support TLS encryption, the session is unencrypted." Emails sent with Microsoft exchange will be encrypted on the server hosting the messages, and they will be transmitted in an encrypted tunnel.