Google taking email encryption seriously

This week, I’ve started noticing a new part of my Gmail messages: a red, unlocked padlock keeps showing up on certain messages in my inbox. It looks like this:

That padlock is now showing up on messages that are sent to Gmail and have not been sent in an encrypted manner via TLS (Transport Layer Security).

In addition to displaying the padlock, users can click on an arrow to see more complete headers, including the encryption status of any message. The majority of my messages do not display the padlock. Mostly they have been marketing messages. Here is the expanded information for a message I received from Redbox this morning:


The link takes users to a page detailing what it means, and provides some security information. Google says this about the red padlock:

Gmail supports encryption in transit using Transport Layer Security (TLS), and will automatically encrypt your incoming and outgoing emails if it can. Some other email services don’t support TLS, and therefore messages exchanged with these services will not be TLS encrypted.

I can imagine this week many companies and email providers are scrambling to upgrade or patch their systems to make sure messages are being sent over TLS. No one wants to be shown to users as being insecure, even for messages telling me to rent The Martian this weekend. Great flick, though, enjoyed it very much.

For the messages I’ve tested, the majority have come through securely, including email providers like Mailchimp and transactional senders like SendGrid and Mandrill. In my research, gigantic marketing services providers, such as (Bigfoot Interactive)–who send emails for giant brands like Target, Chase, Discover, and more–are sending insecure messages. A message I received yesterday from Carlsson Hotels was shown as insecure. It was sent via the domain, which resolves to Epsilon. More on Epsilon and that domain.

If you are not sure if your email marketing messages are being sent securely or not, now would be a good time to test and ask your email provider if they send messages over TLS. If they aren’t, ask when they will start, as that red padlock is going to scare consumers and make them fear something is wrong.
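
One way to run that test, as an added example that is not part of the original post: send a campaign message to a Gmail address, open the raw message ("Show original"), and check the Received header written by the inbound server. The check relies on the RFC 3848 convention that a hop secured with STARTTLS is recorded as `with ESMTPS`; the receiver host name `mx.google.com`, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# RFC 3848 / RFC 6531 "with" keywords that record a hop secured by STARTTLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)


def hop_info(received_value):
    """Return (receiving_host, protocol, used_tls) for one Received header."""
    clauses = received_value.rsplit(";", 1)[0]      # drop the trailing date
    clauses = re.sub(r"\([^()]*\)", " ", clauses)   # drop parenthesised comments
    by, proto = BY_RE.search(clauses), WITH_RE.search(clauses)
    host = by.group(1).lower() if by else None
    protocol = proto.group(1).upper() if proto else None
    return host, protocol, protocol in TLS_PROTOCOLS


def inbound_tls(raw_message, receiver="mx.google.com"):
    """True/False for the hop accepted by `receiver`; None if there is none.

    `receiver` is an assumption: the host name the mailbox provider writes
    in the "by" clause of its inbound Received header.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):       # newest hop first
        host, _protocol, used_tls = hop_info(value)
        if host == receiver:
            return used_tls
    return None


def sample(protocol, comment=""):
    """Constructed message; hosts, ids and addresses are made up."""
    return (
        "Received: by 10.0.0.1 with SMTP id abc123;\n"
        " Fri, 12 Feb 2016 08:00:02 -0800 (PST)\n"
        "Received: from mail.example.com (mail.example.com. [192.0.2.10])\n"
        f" by mx.google.com with {protocol} id x1si123\n"
        f" for <user@example.net> {comment};\n"
        " Fri, 12 Feb 2016 08:00:01 -0800 (PST)\n"
        "Subject: Weekend rental offer\n\nbody\n"
    )


if __name__ == "__main__":
    tls_note = "(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128)"
    print("TLS hop:      ", inbound_tls(sample("ESMTPS", tls_note)))
    print("Plaintext hop:", inbound_tls(sample("ESMTP")))
```

The result describes only the final hop into the receiving provider; earlier hops inside the sender's own infrastructure appear in their own Received headers and can be inspected with `hop_info` in the same way.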