Email as we know it dates back to the 1970s, and was never designed with security in mind.
Recent headlines have brought this into view. Last week the Electronic Frontier Foundation released a memo stating that PGP and S/MIME, two tools used to encrypt email, have been compromised by an exploit named “Efail.” Hardly anyone uses encrypted email because it is a pain to set up, and now it turns out you can go through the whole process and still be vulnerable. The problem might be email itself.
Here’s Quinn Norton, writing for The Atlantic:
The lesson of Efail is that you can build everything well, but if you’ve built on a bad foundation, there’s no structure strong enough to stand. No one is responsible for email itself, and in the days since the Efail disclosure people have been pointing fingers at each other—email clients, vendors, OpenPGP standards, and S/MIME software vendors. It’s no one’s fault and it’s everyone’s fault. These kinds of disclosures, and the hacks built on the flaws of email, will keep coming for the foreseeable future.
It’s unfortunate, but secure messaging works best if one company is in control, which is probably why the new Confidential Mode in Gmail doesn’t actually send the contents of your message over email—everything is instead stored on Google servers.
If you really want security it might be best to avoid email altogether. I recommend checking out Signal, which was built from the ground up with encrypted communications in mind.