Email is the killer app! Email-killing apps have come and gone; email is here to stay, but is it fit for purpose in the modern age?

Adam Low
Nov 2, 2022

This is the first post in a series covering different elements of email, most notably the challenges of secure email.

Email has stood the test of time. Today approximately 330 billion email messages are sent each day, and this number consistently rises year on year.

  • It’s truly ubiquitous: almost everyone with an internet connection has an email address, as it’s almost impossible to operate in the digital age without one.
  • It’s client and device agnostic: the open standards have ensured that any mailbox works with any client. I can access the same mailbox from my iOS phone using iOS Mail, my personal Windows PC using Thunderbird, my work PC using Outlook, or via webmail in some far-flung destination.

It really is remarkable how well this unsung hero of the Internet has continued to grow with relatively little investment or attention. It continues to scale and “just works”.

It’s a truly distributed system with no single owner, in which completely independent providers integrate in an apparently seamless manner. In reality, that relies on a series of aging standards that determine interoperability.

Much of the technology that underpins email, as was once true for all Internet technologies, is based on inherent trust. This inherent trust inevitably exposes security vulnerabilities, but the difference with email is that these vulnerabilities hardly ever get the media attention others have.

The majority of these standards haven’t really evolved in the last 20 years. There have been numerous, and sometimes conflicting, additions intended to provide increased security or better authentication of senders (aka anti-SPAM).

However, adoption of these newer security-enhancing standards varies dramatically. Whilst things like SPF and DMARC have gained good ground, their benefit in SPAM reduction being very evident, others that enhance security have very low adoption (e.g. DANE, DNSSEC, MTA-STS).

I suggest there are a few reasons for this:

  1. Consumers and businesses are largely unaware of the security risks associated with email. The adoption of SSL on HTTP was remarkable; it was supported by a clear risk and a simple solution. However, the risks associated with email appear to go unnoticed, and without a strong consumer-facing incentive, many seem not to adopt.
  2. Large email providers work on a hot potato basis: their mail systems are designed to deliver an email to its next destination as quickly as possible. The sheer volume of data and the never-ending firehose of inbound mail make it critical to move it on as quickly as possible, so anything that hinders outbound delivery is avoided.
  3. Interoperability and backward compatibility. Unfortunately, with such a distributed yet integrated system, minimum standards are defined by the lowest common denominator, so until we have mass adoption, raising the bar becomes near impossible without isolating servers.

Again, the world quickly adopted HTTPS on the basis that you’d not put your credit card number into a website where the connection isn’t encrypted, yet people send equally and often more sensitive information over email, where even the most basic encryption (STARTTLS) is entirely optional/opportunistic. The effectiveness of the transition to HTTPS has to be partly attributed to the mass recognition that if your browser didn’t show a lock (or historically a green bar), you shouldn’t trust the website.

The vast majority of us are completely oblivious to how our messages get to their destination, whether anyone has gained access to them in transit or at rest, and whether the intended recipient did indeed receive the mail untampered.
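To make "optional/opportunistic" concrete, the following added example (not code from this post or from any mail server) models a sending server's delivery decision with and without an MTA-STS policy in enforce mode, following the policy format of RFC 8461. The host names, the policy text, the EHLO capability sets and all function names are constructed for illustration.

```python
# Added example: sender-side delivery decision, opportunistic STARTTLS vs MTA-STS.
# The policy body below is a constructed sample in the RFC 8461 "key: value" format.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.com
max_age: 604800
"""

def parse_mta_sts_policy(text):
    """Parse an MTA-STS policy body into a dict; 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid policy mode")
    return policy

def mx_allowed(mx_host, patterns):
    """Exact match, or '*.domain' matching exactly one leftmost label."""
    host = mx_host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            if "." in host and host.split(".", 1)[1] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(mx_host, ehlo_caps, cert_valid, policy=None):
    """Return 'deliver-tls', 'deliver-plaintext' or 'refuse'."""
    tls_offered = "STARTTLS" in ehlo_caps  # capability seen in this SMTP session
    if policy is not None and policy["mode"] == "enforce":
        # Enforce: TLS, a valid certificate and a listed MX are all mandatory.
        if tls_offered and cert_valid and mx_allowed(mx_host, policy["mx"]):
            return "deliver-tls"
        return "refuse"
    # Opportunistic: encrypt if offered, otherwise fall back to cleartext.
    return "deliver-tls" if tls_offered else "deliver-plaintext"
```

Without a policy, a session that does not advertise STARTTLS still results in delivery, only unencrypted; with the enforce policy the same session is refused, which is the email counterpart of a browser declining to load a page without a valid certificate.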

So is email fit for the modern age?

Not yet is the short answer. Email has clear vulnerabilities, and users need a better understanding of those risks so they can make more informed decisions. Ultimately, though, our collective mission should be to raise the bar to the point at which the trust we have in email is effortlessly backed up by technology that delivers on that trust.

This is our mission!

Adam Low

I am an engineer, technologist and security professional with a mission to build a world where secure communication is the norm.