Skip to content
← Back to blog

What's actually encrypted in your email — explained

By Reeva Team · May 19, 2026

“Encrypted email” can mean a lot of things, and the differences matter. Here’s a plain-English rundown of what each kind of encryption actually protects, and where Reeva fits.

TLS in transit

When your client talks to a mail server, TLS scrambles the connection so passive observers on the network can’t read it. Every reputable provider does this. It does not protect your mail once it’s stored or once it leaves their server for a different mail provider that doesn’t support TLS.

Reeva enforces TLS for IMAP, SMTP, JMAP and the webmail. Always on.

Encryption at rest

Once mail lands on disk, encryption at rest keeps it unreadable if the disks are stolen or mishandled. The provider holds the keys, so they can still serve your mail to you and to search.

Reeva encrypts mail and files at rest. Passwords are hashed with bcrypt, never stored.

End-to-end encryption (E2EE)

Only the sender and the named recipients can read the message. Even the provider can’t. The trade-off: it usually requires both sides to be on a system that supports it, and it complicates spam filtering, search and recovery.

Reeva does not offer platform-only E2EE between Reeva accounts today. If you need E2EE end-to-end with people outside the platform, PGP is the open option.

PGP / OpenPGP

PGP is end-to-end at the message layer, on top of regular email. You publish a public key, people encrypt to it, and only you (with your private key) can read. Works with any mail provider, including Reeva over standard IMAP/SMTP. The downside is key management.

S/MIME

Same idea as PGP but using corporate-style certificates issued by a CA. Common in enterprises. Works over standard email too.

So where does Reeva land?

Reeva protects mail with TLS in transit and encryption at rest. We do not look at your content to target ads — there’s no ad business to begin with. If you want true message-layer E2EE, PGP or S/MIME works on top of Reeva like any standards-based provider. The point is choice: because Reeva uses open protocols, you control the encryption story end to end.

Try Reeva free →