Everything You Need to Know About Email Encryption in 2026

Summary

If you think about emails as if they’re anything but the digital equivalent of a postcard–that is to say, postcards provide zero confidentiality–then someone lied to you and I’m sorry you had to find out from a furry blog that sometimes talks about applied cryptography. At the end of 2025, at the 39th Chaos Communications Congress in Hamburg, Germany, a team of security researchers posted some devastating vulnerabilities in PGP software (with a focus on GnuPG), and published them at gpg.fail. Note: They also discussed a minisign vulnerability and another attacking age’s plugin system, but these were much less severe than some of the GnuPG vulns. This disclosure reignited message board debates about GnuPG, OpenPGP, and related topics. I’m not going to reiterate the many problems with PGP or what you should use instead. Instead, I want to explain why cryptographers and security engineers that work on cryptography have largely abandoned any efforts to make “encrypted email” happen. This post will probably annoy some technical people because I’m opting for clarity over precision when it comes to technical topics. If something is factually incorrect, please feel free to email me and I will correct it. I’m certainly not immune to mistakes. But if something is just “not precise enough”, that’s deliberate because I’m writing for a more general audience than engineers who specialize in your particular interest. Why People Want to Encrypt Email Email is not simple. Even before you get into protocol discussions, email is actually several things bundled into one software package: The most basic mental model for email is an asynchronous “store-and-forward” message sent from you to other parties. Not to mention the notion of Cc: and Bcc: fields. Email addresses are an identity anchor for most of the Internet. Forgot your password? Don’t worry, we’ll just… send you an email. Wow. Mailing lists allow members of a group to send an email once and have everyone else receive an identic...