I am aware that I can access GMail securely using SSL; however, what I would like to learn or know is: once I send an email, does that email remain encrypted?
If I am using a secure web based mail service such as GMail, do the emails remain encrypted after they are sent?
Related Solutions
When you trust the certificate from the site encrypted with SSL, you can:
- Trust that the connection to that web server is encrypted.
- Trust that the identity of that web server is correct (i.e. it's not a phishing scam).
- Trust that someone isn't intercepting your traffic to the web server (man in the middle).
(the important thing here, of course, is that you trust the certificate presented by Google's mail server, which you generally should :-))
The data you submit in a form when composing an email will be encrypted through HTTPS as it travels from your client browser to the Gmail server that will pass it off to the SMTP server. When you display mail in your browser from the server, this is also encrypted.
SMTP does not encrypt mail, however. There are ways to use TLS (transport layer security) over IMAP and POP to encrypt the authentication data from the user/client to the server. When you connect via IMAP/POP with TLS, the data you receive when retrieving mail is encrypted from the server to you. IMAP and POP are retrieval protocols only. When you use an external client such as Thunderbird to send mail, it will go through an SMTP server. This can be encrypted as well using SASL/TLS with SMTP, but again that is only from your client to the server, and not from the server to its final destination.
If you want to send and receive encrypted email end to end, no matter where it goes on the network, then you need to look into a solution like PGP/GPG. For more information about this, see the question I asked. Gmail's webui doesn't support usage of PGP/GPG, so you'll need to set that up with an external mail client such as Thunderbird, Mail.app, or Outlook (or others).
As far as email you send from your Gmail account to a friend's Gmail account, it is sent around inside Google's internal mail infrastructure. This may have one or more hops between servers, but usually stays within their private (10.x.x.x) network. You can verify this by looking at the headers of the email your friend sends. From the email in the Gmail webui, hit the drop down button next to the "Reply" and click "Show Original". You're looking for lines that start with "Received:", like these:
    Received: by 10.215.12.12 with SMTP id p12cs100615qai;
            Sun, 18 Jan 2009 15:04:17 -0800 (PST)
    Received: by 10.90.100.20 with SMTP id x20mr2195513agb.12.1232319857088;
            Sun, 18 Jan 2009 15:04:17 -0800 (PST)
    Received: by 10.90.68.11 with HTTP; Sun, 18 Jan 2009 15:04:17 -0800 (PST)
This is a Gmail to Gmail message I have. The first (last) message here indicates that the mail server 10.90.68.11 received the message in question from an HTTP connection (webui). Then the mail went via SMTP to 10.90.100.20, then SMTP to 10.215.12.12, where it was delivered to me.
Again, while this is all internal to Google's network, SMTP should not be considered a secure protocol for sending sensitive information. Anyone who has access to the systems in the chain above can potentially read the message. Also note that Google Apps may go through a gateway system on their network that has an external address (still owned by Google, though).
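The header check described in the answer above can be scripted. This is an added example, not part of the original answer: it reads the three `Received:` lines quoted there, lists the hops oldest-first, and flags whether each hop's `with` keyword is one of the RFC 3848 types that record TLS. The function name `trace_hops` is an assumption made for this example.

```python
import email
import ipaddress
import re

# Headers copied from the answer above (a Gmail-to-Gmail message).
RAW = """\
Received: by 10.215.12.12 with SMTP id p12cs100615qai;
        Sun, 18 Jan 2009 15:04:17 -0800 (PST)
Received: by 10.90.100.20 with SMTP id x20mr2195513agb.12.1232319857088;
        Sun, 18 Jan 2009 15:04:17 -0800 (PST)
Received: by 10.90.68.11 with HTTP; Sun, 18 Jan 2009 15:04:17 -0800 (PST)

"""

# "with" keywords registered in RFC 3848 that record TLS on the hop.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Receiving host after "by", then the optional transport after "with".
HOP_RE = re.compile(r"\bby\s+(\S+)(?:.*?\bwith\s+(\S+))?", re.S)


def trace_hops(raw_headers):
    """Return hops oldest-first as dicts: by, proto, private, tls_recorded."""
    msg = email.message_from_string(raw_headers)
    hops = []
    # Each server prepends its own Received line, so reverse for time order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value.split(";")[0])  # drop the timestamp part
        if not m:
            continue
        host, proto = m.group(1), (m.group(2) or "unknown").upper()
        try:
            private = ipaddress.ip_address(host.strip("[]")).is_private
        except ValueError:
            private = None  # a hostname, not an IP literal
        hops.append({"by": host, "proto": proto, "private": private,
                     "tls_recorded": proto in TLS_KEYWORDS})
    return hops


if __name__ == "__main__":
    for n, hop in enumerate(trace_hops(RAW), 1):
        print(n, hop)
```

For the quoted message every hop is on a private address and none records a TLS transport type. Each `Received:` line is written by the server that handled that hop, so the trace is only as reliable as those servers.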
"Sent: do NOT store sent messages on server"
Toggle this, and sent items will be stored on the Gmail server, thus enabling you access from both desktop and iPhone.
I would suggest you set all the "Store on server" options to Checked. Google's not always correct, or up to date; although they do try their best. I've never had issues with all the settings to store data on the server in the last 4-5 years Gmail IMAP has been available.
Also, look at what you have set as your Sent folder. In the list of mailboxes, scroll down until you see something like "Gmail" or whatever you named that account. Expand the list. If you see another folder in there with a name similar to "sent", it may be that your missing emails are there. Drag and Drop your known emails to this folder, then select it again, and from the menu, choose Mailbox > Use this mailbox for > Sent. Similarly for trash, junk, and drafts. I find it also helpful when dealing with an Exchange account over IMAP since Outlook on Windows XP has a different naming convention than Apple's mail client software.
Best Answer
For the most part, "no," because SMTP transactions are not encrypted by default. If both sites do support encryption, and share the same mechanisms for encrypted transport, then this is possible, but it can't be guaranteed.
To be sure that your eMails are encrypted, encrypting them client-side can provide you with the assurance you need. Some eMail programs may have encryption features built-in (such as Pegasus Mail and some others), but chances are you'll need to use a third-party encryption tool like OpenSSL, GPG, or PGP (or rely on 7-Zip's AES encryption features to encrypt your message contents, file attachments, etc.), especially if your recipient isn't using the same eMail client software that you are. A challenge you may also run into with such third-party client-side preparations is that your recipients will also need to know how to perform the decryption.
Also, there are some portions of your eMail messages that cannot be encrypted for practical reasons, such as the destination address (otherwise how will the mail servers know where to send your message?).
Additional information
Many web-based eMail solutions, and also some POP3/IMAP4/SMTP servers, are accessible with encryption enabled. This is client-to-server communications, which is not the same as server-to-server communications (which is what is being asked about).
Although having client-to-server encryption is great, it's only securing one aspect of eMail transportation. The other places where your eMail could potentially be available to third-party observers in an unencrypted form are:
It is usually assumed, however, that the recipient has taken reasonable measures to protect their system from basic security threats, and so the focus is typically on encryption between the sender and the recipient. Using client-side encryption technologies can certainly eliminate administrative issues with mail servers (e.g., untrustworthy staff at the ISP who like to snoop around in other people's eMail inboxes).
For a message like "Hi honey, I'll be picking up some groceries on the way home," encryption often isn't needed at all. For a message like "The password for the VPN is TunaBreath42," encryption is clearly beneficial. Weighing the importance of encrypting your eMails is only something that you can judge.