by Someone1234 1217 days ago
It is encrypted, at rest. If this was taken from an active mail server, the mail server's software needs access to the unencrypted data to work, therefore that is moot.

As to why mail servers hold email? That's how they, namely IMAP or EAS, work. If the mail server didn't have the mail, and the authorized user wanted the mail, where is it meant to come from?

The more pertinent question is: Why was a DoD mail server connected to the public internet? The DoD have their own network.

2 comments

I ran the mail servers for the Defense Information Systems Agency at DISA.mil.

For unclassified systems, of course those are connected to the Internet. How else would you communicate with the rest of the world? And I filled out an SF-86 when I applied to be hired by them. There's nothing classified on an SF-86. No classified data was leaked when OPM was hit by Chinese hackers that stole all sorts of PII data for everyone who held a security clearance, including fingerprints and retina prints. Oh, and OPM was hit by the Chinese not once, but twice.

For classified systems, those are connected to the SIPRnet or other classified "internet". And those classified internets are typically shared with other governmental agencies, and not unique to DoD.

Isn't there encrypted email?

There is, and for a DoD employee to not have sent a document like an SF-86 encrypted indicates a failure to follow basic procedures. Every DoD employee (military and civilian) has an encryption key they can use, and are required to use, for things like PII and many others (which an SF-86 would definitely contain).

Efforts to end-to-end encrypt e-mail have been disastrous, coming down to a combination of human factors and difficulty of coordination - but mostly, people want to be able to read their mail. Sometimes they want to read it from public terminals. Sometimes they lose their phone and still need it to be accessible. Often, e-mails are required to be unencrypted by the mail server for compliance purposes - nearly all financial data has to be archived, and that's often the crown jewels you're trying to encrypt, anyway.

I don't know of a good oral history of PGP, but I suspect if you find one, it'll have the answers that you're looking for.

US DoD has CAC - Common Access Card (commonly called a "CAC Card", but that's as silly as a "PIN Number"). CACs have encryption keys and are used for signing and encrypting email. The data should have been transmitted and stored encrypted for something like an SF-86.