7.2 Email privacy

[Figure: hand holding a smartphone. Caption: Mobile communications and messaging.]

Email is an older technology that still carries much of the world’s paperwork. It was designed for openness and reliability, not secrecy. That history matters: the way messages move across networks, the way they are stored, and the way accounts are managed all reflect decisions made decades ago. Modern threats exploit those decisions, while modern users expect privacy by default. Bridging that gap takes realistic choices rather than perfection.

Legacy systems, modern threats

Email is more like a postcard than a sealed letter. The message content can be protected with end-to-end encryption, but the surrounding details are normally visible to each server that handles it. This includes the sender and recipient addresses, timestamps, the subject line, and the Received headers that record which servers the message passed through and often the IP address it came from. Most email now travels between servers over TLS (encryption “in transit”), which stops casual eavesdropping on the network. That protection is usually opportunistic, though: if the receiving server does not offer TLS, the sending server will often fall back to plaintext unless the sender’s provider enforces TLS for that destination (for example with MTA-STS). Transport encryption also does not stop the providers themselves from seeing the content, and it does not remove the metadata that routes the message.

Threats have also shifted. The biggest risks for many people are not sophisticated interception on backbone networks, but account compromise, phishing, and the ordinary consequences of messages being archived for years. Email is central to password resets, account recovery, and billing correspondence. A compromised inbox can become a pivot point into many other services, and old messages can be used to answer security questions or impersonate you with conviction.

It is common to assume that “encrypted email” means the same privacy as a secure messaging app. It does not. Even when the message body is encrypted end-to-end, the subject line is usually visible, as are the addresses, the timestamps and the chain of servers that handled the message. This is not a flaw in a particular provider; it is baked into the way the system works.

Provider trust

Every email provider has the technical ability to access messages stored on its servers unless you use end-to-end encryption and keep the keys yourself. This is not only about benevolent or malicious intent. Providers need access for spam filtering, search, backup, legal compliance, and abuse handling. Many also monetise data in aggregate, and some rely on advertising profiles tied to account activity. Even providers that make strong privacy promises still have to operate within the legal frameworks of their jurisdictions.

In the UK, providers can be required to retain or disclose information under various powers. This does not mean that everyone is monitored, but it does mean that your provider’s location and corporate structure can affect your exposure. It also means that your own threat model should be realistic: if you are sending routine messages about appointments or shopping, a mainstream provider might be fine; if you are working with sensitive sources, you will need stricter controls.

There are practical mitigations that do not require an all-or-nothing approach. You can separate everyday correspondence from sensitive conversations, use a provider with a stronger privacy posture for the latter, and keep account recovery options minimal. A provider that supports hardware security keys and app-specific passwords is generally easier to lock down than one that relies on SMS codes. None of these steps remove the provider from the equation, but they reduce the chances of account takeover and limit the damage if it happens.

Metadata permanence

Email generates metadata automatically: who wrote to whom, when, from which device or IP address, and how the message moved through the network. This metadata is often as revealing as the message itself. A single thread can show patterns of work, travel, relationships, or organisational structure. Because metadata is useful for debugging, abuse prevention, and compliance, it tends to be kept for long periods and replicated across logs.

Even if you delete messages, copies may still exist in backups, on recipients’ servers, or in audit logs. This is not necessarily sinister; it is how large systems maintain reliability. The trade-off is that “delete” often means “no longer visible in your inbox” rather than “expunged everywhere”. For everyday use, the practical response is to assume that metadata has a long shelf life and to avoid putting sensitive details into subject lines or headers. It is also sensible to use separate accounts for different roles, so that metadata does not create a complete map of your life in a single place.

A common misunderstanding is that using a different device or a VPN hides email metadata. It can obscure your IP address from the provider or recipient, but it does nothing to hide the sender, recipient, or time. It also does not prevent a provider from seeing the content unless you add end-to-end encryption on top.
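The “postcard” point above and the metadata discussion in this section can be made concrete by parsing a message the way a relaying server would. The following is an added example, not code from the original chapter: it uses only Python’s standard library, and the message it inspects is a constructed PGP/MIME sample with documentation-range addresses and IPs (the ciphertext is omitted). It lists the fields every handling server can read even though the body is encrypted, and walks the Received chain to show which hop was protected by TLS, using the ESMTPS/ESMTPSA protocol tokens that receiving servers record. Those tokens are the receiving server’s own note about its own session, so treat them as a hint rather than proof; an earlier server could have written anything.

```python
"""What a relaying server sees when only the body is end-to-end encrypted.

Added example, not part of the original chapter. The message below is constructed
for illustration: addresses, host names and IPs are documentation placeholders.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: a PGP/MIME message as it might look after two hops.
# The ciphertext itself is omitted; only the envelope and headers matter here.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
  by inbound.example.org with ESMTP id 2bX9kq;
  Tue, 05 Mar 2024 09:14:02 +0000
Received: from laptop.home (laptop.home [203.0.113.5])
  by mx.example.net with ESMTPSA id 7hF2Lp;
  Tue, 05 Mar 2024 09:13:58 +0000
From: Alice Example <alice@example.net>
To: Bob Example <bob@example.org>
Cc: editor@example.org
Subject: Draft contract for the March deal
Date: Tue, 05 Mar 2024 09:13:57 +0000
Message-ID: <20240305091357.1234@example.net>
X-Mailer: ExampleMail 3.1
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext omitted in this constructed sample)
-----END PGP MESSAGE-----

--b1--
"""

# One Received header: "from <host> (... [<ip>]) by <host> with <protocol> ..."
HOP_RE = re.compile(
    r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)\s+with\s+(\S+)",
    re.S,
)


def visible_metadata(raw):
    """Fields every server on the path can read regardless of body encryption."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {
        "sender": parseaddr(msg["From"])[1],
        "recipients": [addr for _, addr in pairs],
        "subject": msg["Subject"],
        "date": msg["Date"],
        "message_id": msg["Message-ID"],
        "client": msg.get("X-Mailer"),          # reveals the software used
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
    }


def hops(raw):
    """Walk the Received chain (newest first) and note whether each hop used TLS.

    ESMTPS / ESMTPSA mean the receiving server recorded a TLS-protected session;
    plain ESMTP or SMTP means the hop was cleartext. This is self-reported by each
    receiving server, so it is a hint, not proof.
    """
    msg = message_from_string(raw)
    chain = []
    for received in msg.get_all("Received", []):
        match = HOP_RE.search(received)
        if not match:
            continue
        src, ip, dst, proto = match.groups()
        chain.append({
            "from": src, "ip": ip, "by": dst, "protocol": proto,
            "tls": proto.upper().startswith("ESMTPS"),
        })
    return chain


if __name__ == "__main__":
    for key, value in visible_metadata(RAW_MESSAGE).items():
        print(f"{key:15} {value}")
    for hop in hops(RAW_MESSAGE):
        print("hop", hop["from"], "->", hop["by"], "TLS" if hop["tls"] else "CLEARTEXT")
```

Run against the sample, the sender’s own provider saw a TLS-protected submission from 203.0.113.5, but the hop between the two providers was cleartext, and every server on the path could read the subject and the full recipient list. That is exactly the exposure the text describes: encrypting the body changes none of it.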

Aliases and compartmentalisation

Aliases are extra addresses that deliver to a main inbox. They are useful for reducing spam, tracking where your address leaked, and separating online roles. Some providers let you create aliases on the fly, while others offer fixed sets. They are a simple form of compartmentalisation: if a shop address gets breached, you can disable that alias without losing your personal inbox.

The limits of aliases are worth understanding. If all aliases terminate at the same inbox, they are still linked behind the scenes. That means a provider, or anyone who gains access to your account, can see the connections between roles. If you need stronger separation, use distinct accounts with separate recovery methods and, ideally, separate devices or browser profiles. A journalist might keep a public-facing address on a mainstream provider for press releases, while using a more hardened account for source communication. A freelancer might keep clients in one account and personal correspondence in another so that an accidental forwarding rule does not expose private mail.

Aliases also influence how you manage recovery. If all aliases map to one account and that account is compromised, the attacker inherits them all. If you instead compartmentalise, you accept more complexity in exchange for limiting blast radius. The right choice depends on how much inconvenience you can tolerate and what you are protecting.

Attachments and tracking

Attachments are often treated as “just files”, but email handling adds extra risks. When you open an attachment in a webmail interface, the file may be scanned or converted, and a copy can be stored temporarily on the provider’s systems. That is usually helpful for security, but it also means the provider can access the file. Downloading and opening a document locally can be safer in some respects, but it introduces its own risks if the file contains malware or hidden scripts.

Tracking is another quiet part of email. Many marketing messages embed invisible images or unique links so the sender can tell when, where, and on what device you read an email. This is not limited to marketing; it can show up in newsletters, event invitations, and even individual messages sent by a person using a tool that adds tracking automatically. Disabling remote images, or setting your mail client to ask before loading them, prevents most tracking pixels from firing. Some clients also strip tracking parameters from links, which reduces follow-on tracking when you click.
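The two defences just described, refusing to load remote images and stripping tracking parameters from links, are easy to see in code. The following is an added example, not code from the original chapter: it scans a constructed HTML shipping notice with Python’s standard library, flags every image that would trigger a network fetch (and which of those look like 1x1 pixels), removes a constructed list of tracking parameters from links, and, going a step beyond the text, unwraps the common click-tracking redirector pattern where the real destination sits in a query parameter. The inline cid: logo is left alone because it arrives with the message and phones nobody.

```python
"""Spot remote-image trackers in an HTML email and clean tracking from its links.

Added example, not part of the original chapter. The HTML body and the list of
tracking parameters are constructed for illustration; real mail clients apply
similar logic with far longer lists.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that exist only to attribute or identify the reader (constructed list).
TRACKING_PARAMS = {
    "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content",
    "mc_eid", "fbclid", "gclid",
}

# Constructed sample: a shipping notice with a 1x1 open-tracking pixel, an inline
# (cid:) logo that needs no network fetch, a link carrying utm_ parameters and a
# per-recipient click-tracking redirector.
SAMPLE_HTML = """\
<html><body>
<p>Hello Bob, your order has shipped.</p>
<img src="https://track.example.com/open?u=8f3a2c&m=1042" width="1" height="1" alt="">
<img src="cid:logo" alt="Shop logo">
<a href="https://shop.example.com/order/1042?utm_source=newsletter&utm_medium=email&ref=keep">View order</a>
<a href="https://click.example.com/r/8f3a2c?url=https%3A%2F%2Fshop.example.com">Track parcel</a>
</body></html>
"""


def _tiny(value):
    """True for a width/height attribute of 1px or less (the classic tracking pixel)."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


class MailScanner(HTMLParser):
    """Collect every <img> that would cause a network fetch, and every link."""

    def __init__(self):
        super().__init__()
        self.remote_images = []  # {"src", "raw", "looks_like_pixel"}
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src", "").lower().startswith(("http://", "https://")):
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            self.remote_images.append({
                "src": a["src"],
                "raw": self.get_starttag_text(),   # exact tag text, for later removal
                "looks_like_pixel": (_tiny(a.get("width")) and _tiny(a.get("height"))) or hidden,
            })
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def scan(body):
    parser = MailScanner()
    parser.feed(body)
    parser.close()
    return parser


def strip_tracking(url):
    """Drop known tracking parameters, keeping the rest of the query in order."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in TRACKING_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def unwrap_redirect(url):
    """If a query value is itself an http(s) URL, assume a click-tracking redirector
    and return the embedded destination; otherwise return the url unchanged."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            return value
    return url


def clean_link(url):
    return strip_tracking(unwrap_redirect(url))


def neutralise_remote_images(body):
    """Replace each remote <img> with a placeholder so nothing is fetched on open;
    inline cid: images are left alone because they arrive with the message."""
    for img in scan(body).remote_images:
        body = body.replace(img["raw"], "[remote image blocked]", 1)
    return body


def analyse(body):
    parser = scan(body)
    return {
        "remote_images": [i["src"] for i in parser.remote_images],
        "pixel_suspects": [i["src"] for i in parser.remote_images if i["looks_like_pixel"]],
        "links": {href: clean_link(href) for href in parser.links},
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HTML).items():
        print(key, value)
    print(neutralise_remote_images(SAMPLE_HTML))
```

Note what the redirector case shows: stripping utm_ parameters does nothing to a link whose path already contains a per-recipient token, so the click would still be attributed to you if you followed the original URL. Only replacing it with the embedded destination avoids that, and a redirector that does not expose its destination cannot be cleaned this way at all, which is the residual tracking the next paragraph refers to.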

There is a trade-off here. Blocking images can make legitimate emails harder to read, and it does not stop all tracking. A sender can still infer that you received a message if you reply, click a link, or download an attachment. For sensitive conversations, it is often better to exchange files using a secure file-sharing method rather than attachments, and to treat links with caution even when they appear to come from someone you know.

Practical choices for everyday email

Email privacy is less about a single perfect tool and more about setting boundaries that match your day-to-day reality. For many people, the most effective steps are simple: use a reputable provider, enable strong two-factor authentication with a security key if possible, keep a clean separation between personal and work accounts, and be cautious about what you put in subject lines. For situations that genuinely require stronger privacy, add end-to-end encryption with tools that manage keys on your devices, and accept that this will make email less convenient and less compatible with people who are not using the same approach.

The constraints of the system are not going away, and most risks cannot be eliminated. You can, however, make the system work for you by understanding where the privacy boundaries really are and by choosing friction where it matters most.