Using Email Securely

Learn how to send and receive encrypted messages.

Square #10

Did you know all Tufts faculty, staff and students are able to send and receive encrypted emails from their email account? Read the information below to learn how to send encrypted messages.

Messages between people who are using Tufts email accounts, where both the sender and the recipient(s) are using addresses, are already encrypted. This makes email between people using Tufts addresses more secure than regular email (e.g. Gmail) and allows students, faculty, and staff to safely share private information with each other when appropriate. It is always a good idea to limit the use of email for any sensitive information, and if email is used, to Follow the Five steps below.

To learn the quick steps to take, see Instructions for Sending Encrypted Email.

Sending an email using encryption is just one step to protect your personal information and Tufts confidential information. See the five steps below to learn other steps you can take.

Restrict your use of email for sensitive information.

Follow the Five: How - Who - With - What -  Done

  • Have you ever sent an email to the wrong person? We all have.
  • Are hackers trying to get access to the information in your emails? Yes!
  • Do important emails sometimes get overlooked in your inbox and your colleagues’ inboxes?

So how can you use email more securely?

Follow the Five whenever using email for sensitive information:

  1. How should I send this email?
  2. Who will be able to read it?
  3. Should the email be sent With a notice or special flag?
  4. What should be included in the message or as an attachment?
  5. Have I deleted the email so that I am Done? 

1) How should I send this email?

  • If it includes sensitive information, use one of the ways to encrypt the message.
  • Use the appropriate email account. If you are a faculty or staff member, do not use your personal email for your Tufts work, and don’t forward your email account to a personal email account.


2) Limit Who will be able to Read your Email Message

  • Only send sensitive information to the person who needs it. Be careful who you copy.
  • The best practice is to avoid using elists for sending sensitive information whenever possible. Elists can quickly become out of date and include people who should not receive the information. Mistakes in choosing an elist can easily happen.
  • Check the email address you are sending to, and then check again. If an email has sensitive information and it is sent to someone who should not have received the information, that may be reportable as a data breach.
  • Start with a new email message. Be very careful with “Reply” and “Forward.” When sensitive information is included in a chain of emails, the information can become “buried” and may be inadvertently sent to someone who should not receive it.

3) Consider sending the Email With a Special Notice or Flag

  • To alert the email’s recipient to the sensitivity of the information, it is good practice to include a message such as:

 “This message contains material that is confidential for the sole use of the intended recipient. Any review, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please contact the sender and delete and destroy all copies.”

  • You may also want to send the email flagged as High Priority so it is not overlooked and is read promptly.

4) Limit What is included in the Email

  • Don’t send the email until you review what you have included. Delete any sensitive information the recipient doesn’t need for their Tufts’ work.
  • For personal information, when possible, don’t include the person’s name. If some identifier is necessary, consider using only initials or a partial name.

5) Securely Delete the Email to be Done

  • Never store sensitive information in email. Don’t use email as a file system for important information.
  • Use these 3 steps to completely delete an email so that it is not recoverable:
  1. Place the email in Trash
  2. Empty the Trash
  3. Purge your Trash so the email can’t be recovered. See Securely Deleting Email.

Are there times you also need to collect sensitive information from people who don’t have a email account? Read the simple steps below you can take to make sure that information is encrypted when it is sent to you.

See Collecting Sensitive Information using Tufts Secure Email.