A digital residue back dating before the birth of the Internet was designed to send electronically information by Roy Tomlinson in Email 1971 Arpaanet Research network.
At the time, large scale, the global network was just a vision and information safety was not a significant concern because the network itself was reliable environment. To keep it in perspective, Arpnet hosted 213 connected by Arpnet before adopting TCP in 1983. Today there are about 20 billion nodes on the Internet, running SMTP servers above 5 million.
As the Internet was formed, and the initial protocol was adopted, email developed as the backbone of digital communication. But it is one of the most unsafe and older forms of communication in the era of rapidly sophisticated cyber threats to date. We have removed with FTP and Telnet; It is time to seal SMTP.
Fishing has already won
Most of the initial agreement in cyber security incidents begins with fishing today. We deploy many layers of anti-spam and email filtering techniques, yet no solution is correct, and the attackers, which are rapidly more sophisticated, eventually secretly via the employee inbox to their malicious email through the inbox.
We continue to run cyber awareness campaigns and run fishing simulation, and still, significant percentage employees still click on malicious links. In 2024, the average time for users to fall for fishing email was less than 60 seconds, 2025 data violation check report of Verizon,
The sophistication of email-birth attacks receives the joint average person with huge amounts of email-who can blame someone for falling? I often joke with my colleagues that we can talk about number 1 to improve the safety of any organization that stops the email. The fight against fishing email is a losing battle and it only takes the same click to ignore all your safety defense. We should reconsider how we communicate electronically.
End-to-end encryption remains elusive
Email is still the major electronic communication tool today because it is well understood, relatively easy to use, and relatively inexpensive. By and large, businesses have approved the email to send confidential information, and we often explain ourselves that it is safe, can be secured with third -party equipment, or it is “quite good.” This is not just the case, and better solutions exist.
It is impossible to guarantee that the email is completely encrypted and relaxed in the end-to-end transit. Even where Google and Microsoft Ease customer data comfortably encrypted, they hold keys and have access to individual and corporate emails. Stringent server configurations and third-party joints can be used to apply data protection, but they are often trivial to ignore-like CC is just an unsafe recipient or distribution list and privacy violation. Forcing the encryption by rejecting the clear-text SMTP connection, the employees will decline significantly to watch the work-round. There is no silly configuration that guarantees data encryption due to clear-reciting SMTP server’s history and the prevalence of their use today.
SMTP comes from an era before cyber crime of online communication and large scale global monitoring, so it was not made in encryption and security. We have taken advantage of DNS to tap on solutions such as SPF, DKIM and Dmarc, but they are not widely adopted, still open to many attacks, and cannot be dependent on coherent communication. The TLS is included in the SMTP to encryp the email in the transit, but to ensure delivery, a clear-reciting transmission is still default on a significant number of servers on the Internet to ensure.
All these solutions are cumbersome for system administrators to configure and maintain properly, leading to adoption or failed delivery. We will need authentication required For SMTP to work basically, as it does for http, and for major email providers such as Google and Microsoft, to deny a clear-text connection to have any hope of improving this situation. Unfortunately, there is a lack of encouragement to do this that this email will be the reason for its amount of communication disruption.
Google Recently declared By employing safe/multipurpose Internet Mail Extension (S/MIME) within Gmail in Gmail “End-to-end encrypted email” in Gmail. But Google also underlines some complications and collapse of attempting attempts to use email for safe communication in its post. Although this is a solution that works when sending emails within Gmail, it is suffering from the same issue as it is complex to setup SMTP in S/MIME and is difficult to guarantee when sending the remote system. Google solution click on a link to recipients outside Gmail and return to Googles server to read the message on https. Although this Gmail can be an acceptable solution for customers and tick the compliance box, it does not cure the underlying issues with email. S/Mime has not been widely adopted for the reasons that SMTP+TLS has not done. Security researchers are already guessing how the attackers can do Take advantage of this facility To prepare fishing email for credential harvesting.
Email for authentication: another losing fight
Keith Lawson
All this adds to the dangerous trend of email being adopted as a certification mechanism and an out-of-band tool for the password reset.
Extensive use of sending a unique link to email accounts is opening an attack vector for important services through individual accounts. The attackers have become aware of these trends and are taking advantage of being able to reach corporate property or sensitive personal information by compromising the personal email accounts of workers and officials, which often leads to a lack of safe password or multi-factor authentication.
Once an attacker gains access to an individual email account, it is trivial to find evidence of systems that use the account for authentication or password reset, send a password reset, although third-party service, and receive access to that service.
If that service is a corporate system, the attackers have access to your business through an employee’s personal email, which may be an initial agreement that leads to a comprehensive corporate security violation.
Moving beyond email
In December 2024, FBI released Guidelines for mobile communication It included recommendations to adopt technologies that provide end-to-end encryption as a direct result of known nation-state hazards.
Relying on email for important business functions such as large financial transactions or sharing sensitive information is a losing game. This is the time to start thinking about changing sensitive or professional-mating communication with modern techniques that support end-to-end encryption and were developed to use safe protocol by default form. Rely on applications like signal Protocol It was designed with strong encryption and simplifies it to ensure that the data is secured in transit. Tools such as Microsoft teams, Slack and Cisco Webex are designed from ground to use https. Today better options are available.
Change is hard and email is now stuck for more than a generation in our personal and professional life, but we have better options, and the risks of emails are very large. Businesses need to start adopting policies that send emails as a communication tool and encourage using more secure options.
In a world where cyber threats develop daily, relying on email is like locking your front door, but leaves the windows open. Let’s treat email what it is. A reliable, famous tool for global communication. Better equipment now exists to protect data safety. Instead of trying to back down the past, embrace the future. Is anyone going to be troubled by having some less email in their inbox?
