Inward2Onward · Practical Guide

Make your business communication private and secure

Professional-looking and private are two different jobs. This is how you do the second one — without the fear, and without buying more than you need.

The follow-up to the Business Email Setup Guide · Read time ~15 minutes

1Why this is a separate job

A professional address makes you look like a real business. It does not make your conversations private. Those are two different jobs, and most people finish the first and assume they got the second for free.

Your standard business inbox — Gmail, Outlook — encrypts your mail so a stranger on the network can't read it, and so it isn't sitting in plain text on a hard drive. That's real protection, and for a lot of businesses it's enough. But the provider itself can still access your messages to run its services. If your work involves conversations that need to stay strictly between you and the other person — client finances, health details, legal matters, anything you'd hate to see leaked — you want more than "looks professional."

One takeaway: decide what actually needs protecting before you buy anything. Then protect that, and don't let anyone scare you into protecting everything.

2Do you actually need this?

Be honest about your own work. Most of this guide is optional for most businesses. It earns its place when the answer to any of these is yes:

If none of those fit, do the basics in Section 6 and stop there. If one or more fit, keep reading — and match your effort to the risk, not to the scariest thing you can imagine.

3The words that matter

Four terms get used loosely and sold aggressively. Here's what each actually means, in plain language.

Encryption in transit

Your message is scrambled while it travels between servers, so someone tapping the connection can't read it. Standard on all major providers. Good, and not enough on its own.

Encryption at rest

Your message is stored scrambled on the provider's servers, not as plain text. Also standard on major providers. But the provider holds the keys, so it can still unscramble your mail to run features or if legally required.

Zero-access encryption

Your stored mail is encrypted with a key only you hold. The provider can't read it — not for features, not under legal pressure, not after a breach — because it doesn't have the key. This is the line between "they protect your data" and "they can't read your data." Proton is the best-known example.

End-to-end encryption (E2E)

Only you and the person you're writing to can read the message. Not even the provider can. The catch: it fully applies only when both sides are set up for it. Email between two Proton users is automatically end-to-end encrypted; email to an outside address usually isn't, unless you send it as a password-protected message or both sides use the same encryption standard.

The confusion to avoid "Privacy-focused provider" and "every message end-to-end encrypted" are not the same claim. A private provider protects your data and your privacy as a company. End-to-end is a property of a specific message, and it depends on who's on the other end.

4Choose a private provider

If you decided you need more than standard business mail, these are the main options. Pick on encryption model and how much you need real business features.

ProviderBest forEncryption modelTradeoffsTypical fit
Proton Mail Businesses that want strong privacy plus real business features. Zero-access storage; end-to-end automatic between Proton users, and via PGP or password-protected messages to outsiders. External E2E needs setup on both sides; smaller app ecosystem than the giants. Coaches, lawyers, clinicians, advisors handling sensitive client mail.
Tuta (formerly Tutanota) People who want the most content encrypted, at low cost. End-to-end and zero-access; also encrypts subject lines, attachments, contacts, and calendar. Uses quantum-safe algorithms. No PGP, so mail to outside addresses isn't E2E by default; fewer business features than Proton (no SMTP relay, group addresses, retention policies). Solos and small teams who want maximum encryption on a budget.
Fastmail People who want a private, well-built inbox — not maximum secrecy. Encrypted in transit and at rest; not end-to-end or zero-access by default. Protects your data and privacy, but can technically access your mail. Not for "no one but us can ever read this." Businesses prioritizing a clean, ad-free, private experience over strict secrecy.

↔ Swipe the table sideways on a phone to see every column.

A word on the big suites Google Workspace and Microsoft 365 offer added encryption features on higher tiers, but they aren't zero-access — the provider still holds keys. If "the provider can't read it" is your requirement, that points you to Proton or Tuta, not an add-on.

5Stop people impersonating you

Here's the threat most small businesses overlook: not someone reading your mail, but someone sending mail as you. A scammer spoofs your domain, emails your client a fake invoice, and your name takes the hit. Three small settings at your domain shut that down. You set them once.

The three records, in plain terms

You don't need to understand the cryptography. Your email provider publishes the exact values and a setup page; you paste them at your domain, the same place you verified it during setup. Turning these on protects your clients from fakes and helps your real mail stay out of spam.

Do this even if you skip everything else SPF, DKIM, and DMARC are the highest-value, lowest-effort security step for a small business. They cost nothing, take minutes, and defend the one thing you can't afford to lose — clients trusting that mail from your name is really from you.

6Lock down the account

This is the floor, private provider or not. If you did the basics in the setup guide, you're most of the way there. Go one level further:

7Secure the rest of the conversation

Email is only one channel. "Private communication" falls apart if the sensitive part just moves to a text or a shared file. Cover the whole conversation.

Messaging

For genuinely private back-and-forth, use an end-to-end encrypted messenger like Signal rather than SMS. SMS is not private and can be intercepted.

Sending something sensitive by email

Don't paste a password, account number, or private document into a normal email. Use your provider's password-protected or expiring message feature, or share it through an encrypted link — and send the password by a different channel.

Files and documents

Share sensitive files through a service that encrypts them and lets you set access and expiry, not as open attachments that live in inboxes forever. Give the least access needed, and remove it when the work's done.

Calendar and notes

Remember that meeting titles, notes, and attachments can hold sensitive details too. If you went with an encrypted provider, keep those inside it rather than scattering them across less-private apps.

8Devices and habits

The strongest email in the world doesn't help if your laptop is unlocked and unencrypted. The habits are boring and they work.

9Pick your level

Don't do everything. Pick the tier that matches your risk and start there.

Good

  • Standard business email, well secured
  • Password manager + 2FA
  • SPF, DKIM, DMARC turned on
  • Aliases for sign-ups

Better

  • Everything in Good
  • A private provider (Proton or Tuta)
  • Passkey or hardware key
  • Signal for sensitive chats
  • Password-protected messages for sensitive info

Most private

  • Everything in Better
  • Zero-access mail, calendar, and files in one encrypted suite
  • Encrypted file sharing with expiry
  • Device encryption + VPN as routine
  • Regular access reviews
How to choose Most solo service businesses are well served by Good. Handling sensitive client data pushes you to Better. Regulated or high-target work is where Most private earns its cost. Move up a tier when your risk does — not before.

10Private comms checklist

11Three myths to drop

"A privacy provider means every message is secret."

No. It means the company respects your privacy and, if it's zero-access, can't read your stored mail. A specific message is only end-to-end encrypted when the other side is set up for it too.

"A VPN makes my email private."

No. A VPN hides your internet connection from the network you're on. It does nothing about who can read the email itself. Useful, but a different job.

"Encrypted means anonymous."

No. Encryption protects the contents of your message. Your identity, the recipient, and the fact that you're communicating can still be visible. If anonymity is the goal, that's a harder, separate problem.


Where this leaves you

You started with an address that looks like a real business. Now you can decide, on purpose, how private your business communication needs to be — and set it at that level without overpaying in money or effort.

If you want a second set of eyes on which tier fits your work, or help turning on SPF/DKIM/DMARC without touching anything you shouldn't, that's a short conversation.

Book a call · Back to the setup guide · FAQ