Secure Mail Guide

Glossary

Encrypted email terms, defined plainly — the cryptography and privacy vocabulary behind every provider comparison and setup guide we publish.

D

DKIM [authentication]

DomainKeys Identified Mail — a cryptographic signature added by the sending server proving a message wasn't altered and genuinely came from the domain.

See also: SPF, DMARC

DMARC [authentication]

A policy tying SPF and DKIM together, telling receivers what to do with mail that fails authentication and where to send reports. The anti-spoofing capstone.

See also: SPF, DKIM

E

Email alias [privacy]

A disposable forwarding address that hides your real mailbox. Limits cross-site tracking and contains spam/breach fallout; services include SimpleLogin and Addy.io.

See also: SimpleLogin / Addy.io, Plus addressing

Encryption at rest [architecture]

Stored mail kept encrypted on the provider's disks. Meaningful only if the provider also lacks the keys (zero-access); otherwise the provider can still read it.

See also: Zero-access encryption

End-to-end encryption (E2EE) [fundamentals]

Email encrypted on the sender's device and decryptable only by the intended recipient, so no server in between (including the provider) can read it. The core promise of secure email.

See also: PGP / OpenPGP, Transport encryption (TLS / STARTTLS), Zero-access encryption

F

Forward secrecy [cryptography]

A property where compromising a long-term key does not expose past sessions. Common in messaging; largely absent from traditional PGP email, a known limitation.

See also: PGP / OpenPGP

G

GPG (GnuPG) [cryptography]

The most common free, open-source implementation of OpenPGP, used by Thunderbird and command-line tooling to encrypt, decrypt, and sign mail.

See also: PGP / OpenPGP, Public-key (asymmetric) encryption

K

Key verification (fingerprint) [cryptography]

Confirming a public key really belongs to its claimed owner by comparing its fingerprint over a trusted channel. The step that prevents a man-in-the-middle on encrypted mail.

See also: PGP / OpenPGP, Web of trust

M

Metadata [privacy]

The data around a message — sender, recipient, subject (often), timestamps, IP. E2EE protects content but usually not metadata, which can be as revealing as the body.

See also: Threat model, Subject line exposure

MTA-STS [authentication]

A policy that forces TLS for inbound mail to a domain, preventing downgrade attacks that strip transport encryption between servers.

See also: Transport encryption (TLS / STARTTLS)

O

Open source / audited [trust]

Client code published for inspection and ideally independently audited. Not proof of security, but it lets E2EE and zero-access claims be verified rather than trusted.

See also: Zero-access encryption, End-to-end encryption (E2EE)

P

PGP / OpenPGP [cryptography]

The standard for end-to-end encrypting and signing email using public/private key pairs. Strong, but key management and recipient support are the practical hurdles.

See also: Public-key (asymmetric) encryption, GPG (GnuPG), Web of trust

Plus addressing [privacy]

Appending +tag to your address (you+shop@domain). Useful for filtering and breach attribution, but trivially stripped by spammers — weaker than true aliases.

See also: Email alias

Private key [cryptography]

The secret half of a key pair that decrypts messages and creates signatures. If it leaks, your encrypted mail is exposed; if it's lost, that mail is unrecoverable.

See also: Public-key (asymmetric) encryption, PGP / OpenPGP

Public-key (asymmetric) encryption [cryptography]

A scheme with a shared public key (anyone can encrypt to you) and a secret private key (only you can decrypt). The foundation of PGP and S/MIME email encryption.

See also: PGP / OpenPGP, Private key, S/MIME

S

S/MIME [cryptography]

An email encryption standard using certificates issued by a certificate authority rather than user-managed keys. Common in enterprises; less so in privacy-focused consumer email.

See also: Public-key (asymmetric) encryption, PGP / OpenPGP

SimpleLogin / Addy.io [privacy]

Alias services that generate unlimited forwarding addresses you can disable individually. SimpleLogin is part of the Proton ecosystem; Addy.io is open-source and self-hostable.

See also: Email alias

SPF [authentication]

Sender Policy Framework — a DNS record listing which servers may send mail for a domain, helping receivers reject spoofed senders.

See also: DKIM, DMARC

Subject line exposure [privacy]

Most email encryption does not encrypt the Subject header. Even with E2EE bodies, subjects often travel and are stored in cleartext unless the provider specifically protects them.

See also: Metadata, PGP / OpenPGP

T

Threat model [privacy]

An explicit statement of who you're protecting against and what they can do. Secure-email choices only make sense relative to a threat model — there is no universally 'secure' setup.

See also: Metadata, End-to-end encryption (E2EE)

Transport encryption (TLS / STARTTLS) [fundamentals]

Encryption of email only while in transit between servers. It protects against passive interception but every server along the path still sees plaintext — not the same as E2EE.

See also: End-to-end encryption (E2EE), MTA-STS

W

Web of trust [cryptography]

PGP's decentralized trust model where users sign each other's keys to vouch for authenticity, instead of relying on a central authority. Powerful in theory, cumbersome in practice.

See also: PGP / OpenPGP, Key verification (fingerprint)

Z

Zero-access encryption [architecture]

A provider design where stored messages are encrypted with keys the provider cannot access, so it can't read your mailbox at rest. Used by ProtonMail and Tuta for incoming mail.

See also: End-to-end encryption (E2EE), Encryption at rest