Q. Recently, I've become concerned about the privacy of sending email. What's a cheap and easy way to protect my email messages?
A. I've consistently preached that the use of unencrypted email is the No. 1 security issue faced by the CPA community, but it took a nationally publicized email calamity to drive this point home. Once delivered, a single email can continue to reside on your computer, your computer's backup, your recipient's computer, his or her computer's backup, your email carrier's computers and its computer backups, and possibly on the computers of bad actors and/or government spy agencies that systematically intercept billions of email messages as they are delivered.
In many cases, backups of your backups could retain copies of your email messages, as could your synced smartphone, your recipient's synced smartphone, and other devices. Simply put, you can't undo an email. When news reports first surfaced that someone might have used a data-scrubbing tool called BleachBit to erase thousands of emails, I confidently assured my audiences that any attempt to erase one's emails would be futile and that copies of those emails most certainly remained. Eventually, my claims were proved accurate.
What we must learn from recent email privacy news stories is that every unencrypted email you send is vulnerable and therefore unsuited for use by professional CPAs who transmit sensitive company and client data. There are no legitimate alternatives; you must encrypt your email. A relatively easy and inexpensive way to accomplish this goal is for both you and your recipients to use either Google's free Gmail service or Microsoft's free Outlook.com service (previously called Hotmail) because both of these solutions automatically encrypt your email messages from the moment they are sent to the moment they are received. (Caveat: Full end-to-end encryption works only if both the sender and the recipient use the same Gmail or Outlook.com email solution; you can't mix and match these solutions and still achieve end-to-end encryption.) You can sign up for a Gmail account by visiting Gmail.com. You can sign up for an Outlook.com account by visiting Outlook.com. Both services include spam filtering, free cloud storage, and POP3 and IMAP support. (Example screenshots of my Outlook.com and Gmail accounts are below.)
There are at least two drawbacks to using a Gmail or Outlook.com account, as follows:
- Fewer email tools. By default, both Gmail and Outlook.com use web-based email reader interfaces that offer only a fraction of the full email functionality found in the full desktop version of Outlook.
- Generic email address extensions. By default, Gmail and Outlook.com email addresses use either the Gmail.com or Outlook.com extension, instead of your company's normal email extension.
You can work around these two issues by setting up your computer to import your Gmail or Outlook.com email messages into Outlook Desktop, and by setting up an alias email address for your Gmail and/or Outlook.com account. These workarounds are briefly described below.
1. Import Gmail or Outlook.com messages into Outlook Desktop. (For Gmail, Google requires you to first prepare your Gmail account by turning on two-step verification, and the password you use for this two-step verification will then be used by Office 365 to establish an import connection to your Gmail account. See the next topic for instructions for setting up two-step verification.) Next, from your Outlook 2010, 2013, or 2016 ribbon, select File, Add Account to launch the Auto Account Setup screen (pictured below).
Enter your name, email address (Gmail or Hotmail/Outlook.com), and password, and then click Next; Outlook will autodetect your alias email's account information and configure your settings to import copies of all future email messages into Outlook Desktop. (Note: This import solution is available only via Outlook's Desktop edition. It is not available from Outlook.com or the Outlook phone app, and you can tell you are using these lesser editions because they don't have a File tab option on their menus.) You can see more detailed instructions about this import process on Microsoft's Outlook support website at .
2. Set up a Gmail alias. To set up an alias email address, open your Gmail account, sign in, click the Settings gear in the top right corner, then select Settings. In the resulting horizontal menu near the top of the screen, select the Accounts and Import tab, Import mail and contacts, enter the email address you want to use as a Gmail alias, enter the password, and if necessary, enter the Pop username and Pop server, and then click Continue, as pictured below.
Next, sign in to the account you added, open the confirmation message you received from Gmail, and click the link in the email to confirm and establish the connection. To complete the setup, change the From line to reflect your newly added alias email address. You can view more detailed setup instructions about this setup process on Google's Gmail Help site at .
3. Set up an Outlook.com alias. To set up an alias email address in your Outlook.com account, open Outlook.com, click the Settings gear, and then select Options. In the resulting Options menu in the left menu pane, select Connected Accounts, Other email accounts. Enter the alias email address and your email password then click OK.
Please remember that Gmail and Outlook.com encrypt your email messages end to end only when both the sender and recipient use the same service. If your recipient uses a different email system, then your Gmail or Outlook messages are encrypted only to your mail server; the privacy of the message from that point forward then depends on the recipient's mail server settings and the recipient's email encryption settings.
Many third-party end-to-end email encryption solutions are available in the marketplace for a reasonable fee. Unfortunately, all email encryption options require your email recipients to set up or configure their computers to some degree to receive and decrypt the emails you send. I've recommended Gmail and Outlook.com because both are free, both are relatively easy to set up, and there is at least a small chance that your recipients may already be using a Gmail or Outlook.com account. Some of today's popular "free" and "for-fee" third-party email encryption applications include HPE SecureMail (, DataMotion SecureMail (, and Trend Micro Email Encryption (. Whichever third-party email encryption solution you choose, the setup required will probably be complicated because your recipients must participate in the setup to some degree—so you should expect this process to be a time-consuming, but essential, privacy measure.
About the author
J. Carlton Collins ([email protected]) is a technology consultant, a CPE instructor, and a JofA contributing editor.
Note: Instructions for Microsoft Office in “Technology Q&A” refer to the 2007 through 2016 versions, unless otherwise specified.
Submit a question
Do you have technology questions for this column? Or, after reading an answer, do you have a better solution? Send them to [email protected]. We regret being unable to individually answer all submitted questions.