
“Security Email”: A Failed Battle CISO Must Give Up

Ray Tomlinson created a digital relic dating back to the birth of the Internet in 1971, when he sent the first electronic messages over the Arpanet research network.

At that time, large-scale global networks were just a vision, and information security was not a major concern because the network itself was a trusted environment. For perspective, Arpanet had 213 connected hosts before it moved to TCP/IP in 1983. Today there are nearly 20 billion nodes on the Internet, with more than 5 million of them running SMTP servers.

As the Internet took shape and its early protocols were adopted, email evolved into the backbone of digital communication. Yet in an era of increasingly sophisticated cyber threats, it remains one of the most insecure and outdated forms of communication we use. We have retired FTP and Telnet; it is time to phase out SMTP.

Phishing has won

The vast majority of initial compromises in today’s cybersecurity incidents begin with phishing. We deploy multi-layer anti-spam and email filtering technology, but no solution is perfect: attackers keep growing more sophisticated and eventually slip malicious emails into employees’ inboxes.

We also continue to run cyber-awareness campaigns and phishing simulations, yet a large percentage of employees still click on malicious links. According to Verizon’s 2025 Data Breach Investigations Report, in 2024 the median time for a user to fall for a phishing email was less than 60 seconds.

The sophistication of email-borne attacks, combined with the overwhelming volume of email that ordinary people receive, means no one can really be blamed for becoming a victim. I often joke with colleagues that the first thing we could do to improve the security of any organization is to turn off email. The battle against phishing is a lost battle: a single click circumvents every security defense. We must rethink how we communicate electronically.

End-to-end encryption remains elusive

Email remains the main electronic communication tool today because it is well understood, relatively easy to use and relatively inexpensive. Businesses have broadly approved email for sending confidential information, and we often convince ourselves that third-party tools make it secure, or at least “good enough.” That is not the case, and better solutions exist.

It is not possible to guarantee that email is fully end-to-end encrypted in transit and at rest. Even though Google and Microsoft encrypt customer data at rest, they hold the keys and can access personal and corporate email. Strict server configuration and third-party add-on tools can be used to enforce data security, but they are easily bypassed; for example, simply CC’ing an unprotected recipient or a distribution list breaks confidentiality. Forcing encryption by refusing cleartext SMTP connections causes widespread delivery failures, which push employees to find workarounds. Given SMTP’s cleartext heritage and the size of today’s installed base, there is no foolproof configuration that guarantees data is encrypted.

SMTP predates cybercrime and the mass surveillance of online communications, so it has no built-in encryption or security. Bolt-on solutions such as SPF, DKIM and DMARC leverage DNS, but they are not universally adopted, remain open to several attacks, and cannot be relied on for consistent delivery. TLS has been retrofitted onto SMTP to encrypt email in transit, but on the vast majority of Internet-facing servers, falling back to cleartext is still the default so that delivery is guaranteed.

All of these solutions require tedious configuration and ongoing maintenance by system administrators, which leads to low adoption or delivery failures. For there to be any hope of improvement, we would need something that works as seamlessly as Certbot does for HTTPS, and the major email providers such as Google and Microsoft would have to reject cleartext connections. Unfortunately, given the disruption to email communications this would cause, there is little incentive to do so.
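To make the “not widely adopted, not strict” point above concrete, here is an added example (not from the article) that parses SPF and DMARC TXT records and reports why mail claiming to come from a domain could still be accepted when spoofed. The domains and records below are constructed samples, not real DNS data, and a real deployment would query DNS instead of the dictionary.

```python
# Added example (not from the article): offline check of SPF/DMARC policy strength.
import re

# Constructed sample DNS TXT answers, keyed by the name that would be queried.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
    "none.example": ["some unrelated text"],
}

def parse_spf(records):
    """Return the qualifier of the 'all' term ('-', '~', '?', '+'), or None if no SPF record.
    A record with no 'all' term yields a neutral result for unmatched senders, hence '?'."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # bare 'all' means '+all' (pass everything)
    return "?"

def parse_dmarc(records):
    """Parse a DMARC record into a tag dict (e.g. {'v': 'DMARC1', 'p': 'none'}); None if absent."""
    dm = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dm:
        return None
    tags = {}
    for part in dm[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_domain(domain, txt):
    """Return findings explaining why mail claiming to be from `domain` may be accepted when spoofed."""
    findings = []
    spf_all = parse_spf(txt.get(domain, []))
    if spf_all is None:
        findings.append("no SPF record: any host may send as this domain")
    elif spf_all != "-":
        findings.append(f"SPF ends in '{spf_all}all': failures are soft, receivers may still deliver")
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results carry no enforcement policy")
    elif dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC p=none: spoofed mail is only reported, never rejected")
    return findings
```

Running `assess_domain("weak.example", SAMPLE_TXT)` returns two findings, while the strict sample returns none; even a strict result only says the policy is published, not that every receiving server enforces it.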

Google recently announced “end-to-end encrypted email” in Gmail, built on the Secure/Multipurpose Internet Mail Extensions (S/MIME) standard. In the same post, Google also outlines some of the complexities and pitfalls of trying to use email for secure communication. While it is a solution, it suffers from the same problem as SMTP: sending from Gmail requires complex setup, and protection is difficult to guarantee once a message is sent to a remote system. Google’s answer is to have the recipient click a link outside of Gmail and come back to a Google server to read the message over HTTPS. That may be acceptable to Gmail customers and it checks the compliance box, but it does not fix the fundamental problems of email. S/MIME falls short for the same reason SMTP+TLS does. Security researchers are already speculating about how attackers could abuse this feature to craft phishing emails for credential harvesting.

Email for identity verification: Another failed battle

Keith Lawson

Adding to all of this is the alarming trend of using email as an authentication mechanism and as an out-of-band channel for password resets.

The widespread practice of sending unique links to email accounts opens attack vectors into critical services through personal accounts. Attackers are well aware of this trend and gain access to company assets or sensitive personal information by compromising the personal email accounts of workers and executives, which often lack strong passwords or multi-factor authentication.

Once an attacker gains access to a personal email account, they can find evidence of the systems that use it for authentication or password resets, request a password reset from the third-party service, and gain access to that service.

If the service is a corporate system, the attacker gains access to your business through the employee’s personal email, which could be the initial compromise that leads to a wide-ranging enterprise security breach.

Beyond Email

In December 2024, the FBI released mobile communications guidance that included recommendations to adopt technology providing end-to-end encryption, a direct response to known nation-state threats.

Continuing to rely on email for critical business functions such as large financial transactions or sharing sensitive information is a losing game. It is time to start thinking about moving sensitive or critical communications to modern technologies that support end-to-end encryption and use secure protocols by default. Applications such as Signal rely on protocols with a strong cryptographic design and make it simple to keep data protected in transit. Tools like Microsoft Teams, Slack, and Cisco Webex were designed from the ground up to use HTTPS. Better alternatives exist today.

Change is hard; email has permeated our personal and corporate lives for more than a generation. But we have better choices, and the risks of email are too great to keep ignoring. Businesses need to start adopting policies that deprecate email as a communication tool and incentivize the use of safer alternatives.

In a world where cyber threats evolve every day, relying on email is like locking the front door but leaving the windows open. Let’s treat email for what it is: a reliable, well-known tool for global communication. There are now better tools for protecting data. Instead of trying to retrofit the past, let us embrace the future. And would anyone really be upset by a few fewer emails in their inbox?
