by basilgohar 223 days ago
Gmail can be fetched via IMAP and leave Gmail's infra entirely. And I don't think Google guarantees that their implementation stays fully on their own owned infra. It's a reasonable assumption but I'd never trust that for a security guarantee.

Email is not an end-to-end secure data protocol without the use of client-side encryption/decryption like PGP/GPG, but even then, sender/receiver and time are all in the envelope metadata.

Yeah, that's exactly my point - no idea why I’m being downvoted on this.
Probably because law firms aren't necessarily computer security firms. Lots of people have terrible opsec. Additionally, if you, the recipient, are on Gmail, it stops mattering; now Google knows your legal woes.
Exactly, I’d never use Gmail for anything sensitive. Even for just personal emails I use my own mailserver. (And again, for truly sensitive stuff I don’t use email at all)
If the sender is using Gmail, then using your own mail server is less secure than using Gmail as the receiver.
Sure, even though, like most others, my server supports TLS, having your email not leave Gmail at all may be slightly more secure. Part of the point, however, was that when either server or receiver is using Gmail, your possibly confidential email content is still in Google’s hands. Using a personal server reduces that part of the attack surface. Still, this does not mean I vacate my overall point that email in general is suboptimal from a secop standpoint.