email security encryption post-quantum MTA-STS industry report

The State of Email Encryption in 2026

Adrian Maverick · · 8 min read

Email is over fifty years old. The encryption protecting it is, in most cases, a thin layer of TLS bolted on decades after the protocol was designed. In 2026, the gap between what people think their email provider does and what it actually does has never been wider.

This is the state of email encryption right now. What works, what doesn't, and what the next twelve months need to look like.

TLS: Mostly There, Quietly Broken

Transport Layer Security between mail servers is the baseline. When two mail servers talk to each other, TLS encrypts that hop so the message isn't traveling in plaintext across the public internet.

The good news: opportunistic TLS is close to universal among major providers. The serious operators all negotiate TLS by default for server-to-server delivery.

The bad news: opportunistic TLS is exactly that. Opportunistic. If the receiving server doesn't offer TLS, or offers a broken certificate, most senders downgrade to plaintext rather than fail the delivery. Attackers who can sit on the network path can still strip TLS in many configurations.

The fix has existed for years. It's called MTA-STS. Adoption is still surprisingly low.

MTA-STS and DANE: The Slow Climb

MTA-STS (RFC 8461) lets a domain publish a policy that says "only deliver mail to me over TLS, with a valid certificate, period." It closes the downgrade attack. It takes an afternoon to set up. It's free.

Adoption across the open internet is still below 1% of top domains, according to recent surveys, though the trend line has been moving up year over year. Government-sector domains are well ahead of the general population, driven by mandates. Among general consumer and business email, deployment remains the exception rather than the rule, and a meaningful share of policies that do exist are misconfigured.

DANE, the DNSSEC-anchored alternative, is even less common outside of a handful of European operators. TLS-RPT, which lets you collect failure reports, is rarer still.

If you run a mail server in 2026 and you haven't deployed MTA-STS, your users are exposed to attacks that have known, free mitigations.

End-to-End Encryption: Still a Rounding Error

Here is the uncomfortable truth. The vast majority of email worldwide is not end-to-end encrypted. Major webmail providers can read your messages because they hold the keys. TLS protects the message between servers, but the provider stores it in a form they can decrypt.

The providers that do offer end-to-end encryption fall into a few buckets:

  • PGP-based services that implement OpenPGP. End-to-end encryption works between users on the same provider, and through PGP key exchange with outsiders, but the user experience has historically been the bottleneck.
  • Proprietary symmetric and asymmetric schemes that some providers built in-house, often with their own key management layers.
  • S/MIME deployments mostly inside large enterprises. Functional, painful to manage, almost invisible to consumers.
  • Modern E2EE providers building on newer cryptographic foundations, including post-quantum primitives.

Across the consumer email market, true end-to-end encryption is still a single digit percentage of total volume. The marketing doesn't always match the reality.

Zero-Knowledge vs Zero-Access vs Encrypted At Rest

Three phrases that get thrown around interchangeably and shouldn't be.

Encrypted at rest means the provider encrypts the data on their disks. They still hold the keys. They can still read your mail. This is table stakes and it is not privacy.

Zero-access encryption means the provider claims they can't read your data because of the way they manage keys. Often true in practice. Sometimes complicated by the fact that they also handle authentication, password resets, and key recovery, which can leave keys recoverable through the provider in certain flows.

Zero-knowledge means the provider mathematically cannot decrypt your data. Not as a policy. Not as a promise. As a property of the system. Compromise of the provider does not compromise your mail.

The distinction matters because the threat models are different. A subpoena, a rogue employee, or a server breach reveals very different things depending on which one you actually have.

Post-Quantum: The Industry Is Late

NIST finalized the post-quantum standards in 2024. ML-KEM for key encapsulation. ML-DSA and SLH-DSA for signatures. The standards are real, the implementations are mature, and the threat is concrete: harvest now, decrypt later means encrypted email collected today is sitting in storage waiting for quantum hardware to catch up.

Where is the rest of the ecosystem?

  • Signal shipped PQXDH in 2023, adding a post-quantum key agreement layer to their X3DH handshake.
  • Apple iMessage added PQ3 in early 2024.
  • Browsers and CDNs began rolling out hybrid post-quantum TLS in 2023, switching to the standardized X25519MLKEM768 in late 2024. By the end of 2025, Cloudflare reported that more than half of human-generated traffic to its network was protected by hybrid post-quantum key agreement.
  • Email providers: a small but growing handful have shipped post-quantum primitives. The majority of the market has not.

Messaging apps moved. Browsers moved. Email is still catching up. This is the single biggest unaddressed gap in email security in 2026.

Metadata: The Part Nobody Wants to Talk About

Even if the body of an email is perfectly encrypted, the envelope leaks. Sender. Recipient. Timestamp. Subject line in many implementations. Server hops in the Received headers. User agent. IP address of the originating client.

For a lot of threat models, the metadata matters more than the contents. Knowing who you talked to and when is often enough to draw conclusions. The traditional SMTP model exposes all of it.

A small number of providers actively minimize metadata exposure. Most don't. If a service's privacy claims stop at "we encrypt the body," they are missing the larger attack surface.

The Regulatory Picture

2026 is shaping up to be a contentious year for encrypted communication.

  • The EU's ProtectEU proposal is pushing for "lawful access" to encrypted services. The technical and civil-liberties community is pushing back hard.
  • The UK's Online Safety Act continues to threaten client-side scanning, with multiple secure messaging providers stating they will exit the market rather than comply.
  • The US has multiple proposals circulating that would weaken end-to-end encryption under the banner of child safety or law enforcement access.
  • Switzerland is debating amendments to its surveillance ordinances that would affect providers traditionally seen as safe havens.

The pattern is consistent across jurisdictions. The legal environment for strong encryption is getting harder, not easier. Providers headquartered in friendlier jurisdictions, with mathematically zero-knowledge architectures, are increasingly the only ones who can credibly resist these pressures, because they cannot comply with what they cannot access.

What's Improving

Not all bad news.

  • Post-quantum awareness has gone from a research topic to a board-level concern in two years.
  • MTA-STS deployment is finally trending up among newer providers.
  • Plaintext SMTP authentication is nearly extinct.
  • Bulk-sender requirements introduced in 2024 have driven a meaningful jump in DMARC, SPF, and DKIM adoption.
  • Newer providers are starting to ship E2EE without the configuration burden that limited adoption in the 2010s.

The floor is rising. The ceiling is moving slower.

What 2027 Needs to Look Like

A short list of things that should be table stakes by next year:

  1. MTA-STS published and enforcing at every serious email provider.
  2. TLS-RPT collection so providers actually know when their TLS posture is failing.
  3. Post-quantum key exchange for all internal mail flows, with a public roadmap for cross-provider compatibility.
  4. Honest marketing. Distinguishing encrypted-at-rest, zero-access, and zero-knowledge clearly.
  5. Metadata minimization as a default, not a premium feature.
  6. Hybrid signature schemes so that the move to post-quantum doesn't break legacy interoperability.

None of this requires new research. The standards exist. The implementations exist. The reason these aren't more widely deployed is institutional, not technical.

Where Secria Stands

We built Secria on post-quantum cryptography from day one. Every Secria-to-Secria message uses a hybrid handshake combining ML-KEM-1024 for post-quantum key encapsulation with X25519 for classical key agreement, so a break in either primitive alone doesn't compromise the session. MTA-STS in enforce mode and TLS-RPT are deployed on our domains.

We did this not because it's a marketing differentiator, although it is one, but because the math is clear. The encryption protecting most email today will not survive the next decade. Building anything new in 2026 on RSA and ECC alone is a bet against time.

The standards are written. The deadline is closer than most of the industry wants to admit.

Secria is a post-quantum encrypted email service with zero-knowledge architecture. Sign up for free and start protecting your communications today.

Back to all posts