Is Fax More Secure Than Email?

The short answer is no, not in any way that should drive your decision. The longer answer is that asking which medium is "more secure" is almost always the wrong question. The thing that actually matters is what your provider, on either side, does with your message between the moment you press send and the moment the recipient opens it.

For most of the last forty years, the case for fax being more secure rested on one idea: data travels over a dedicated phone line, so a hacker would have to physically tap a wire to intercept it. That was a reasonable argument in 1995. It is much less compelling now, for a reason that has nothing to do with phone lines and everything to do with how faxes are actually sent and received today.

What most people mean by "secure"

When someone asks whether fax is safer than email, they almost always mean one of three things:

  1. Will anyone intercept this in transit?
  2. Could it sit somewhere later where the wrong person reads it?
  3. Can the recipient trust that I am the one who sent it?

Email and fax have different answers to each of those questions. Neither medium wins all three. The honest framing is that "fax" and "email" are not really single technologies anymore. Most faxes you send today are an email, an HTTPS upload, and a phone-line transmission stitched together by a service provider. Most emails between two reputable providers are encrypted at the transport layer in both directions. They sit on servers protected by hardware security modules and covered by SOC 2 audits. The interesting question is not "which medium." It is "which combination of provider choices."

Where the security actually lives

For any modern fax or email exchange, three layers decide how safe the message really is. Compare your provider on each one and you will get a much sharper answer than the medium-versus-medium debate ever produced.

Transport: how the message moves

For email between two well-configured providers (think Gmail, Outlook, Fastmail, ProtonMail), the transport is TLS-encrypted by default. The same is true of any reputable online fax service for the portion of the journey between your browser and their servers, and between their servers and the recipient’s mail server if they deliver as fax-to-email.

The part that is genuinely unencrypted is the PSTN segment, the actual phone-line transmission between the sending fax service and the receiving fax machine. That uses the ITU-T fax group 3 or 4 protocol, which is digital but not encrypted. In theory, anyone with physical access to the line could read it.

In practice, that scenario is rare. Tapping a phone line takes physical access, time, and equipment, and the attacker has to know which line carries traffic worth reading. Compared to the remote, automated attacks that hit email mailboxes at scale, it barely registers as a risk for most senders.

Storage: what sits on a server later

This is where the two media diverge sharply, and it favours fax for a reason that is mostly accidental.

Email is designed to be stored. Your sent folder, the recipient’s inbox, your provider’s backup tier, the recipient’s provider’s backup tier, all of these are durable copies. Any one of them is a target if the credentials protecting it get phished, leaked, or guessed.

Fax, sent through a traditional machine, leaves almost nothing behind. The page comes off the receiving end and the bits are gone from the wire. Sent through an online fax service, that is no longer true. The provider has a copy of the document, often for as long as the account exists, plus whatever logging surrounds it. If you signed in to send the fax, you have an account history sitting on someone else’s server too.

The relevant question is: how long does the provider keep your document, who can read it, and what happens when you delete it? A pay-as-you-go service that purges the file shortly after delivery has a very different storage posture from a subscription service that keeps faxes for years in your account history so you can view them later.

Identity and access: who can prove what

Email has spent twenty years building protocols (SPF, DKIM, DMARC) that let a recipient verify the sender’s domain. They are imperfect, but they exist, and they catch the obvious forgeries.

Fax has nothing equivalent. The header on a fax (the "CSID") is set by the sending machine and can be edited freely. The caller ID can be spoofed by anyone with access to the right telephony settings. Bruce Schneier called fax signatures legally meaningless in 2008 for this exact reason. Nothing has changed since.

If forgery is the threat you care about, a properly authenticated email is more verifiable than a fax. The reverse claim, that "anyone could fake an email from your boss," is true but visible: the headers carry the evidence. A faked fax leaves no comparable trail.
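
To make "the headers carry the evidence" concrete, here is an added example (not code from this page or from any provider) that reads the SPF, DKIM, and DMARC verdicts a receiving server records in the Authentication-Results header. The host names, the sample messages, and the auth_verdict function are assumptions constructed for illustration. The check that matters is that only the header stamped by your own receiving server is trusted, because a sender can add look-alike headers of their own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id your own receiving mail server stamps.
TRUSTED_AUTHSERV = "mx.recipient.example"

# Constructed sample: a message that passed all three checks.
GENUINE = """\
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=corp.example;
 dkim=pass header.d=corp.example;
 dmarc=pass header.from=corp.example
From: Boss <boss@corp.example>
Subject: Q3 numbers

body
"""

# Constructed sample: same visible From, but DMARC failed at the recipient.
# The second header was supplied by the sender and claims everything passed.
FORGED = """\
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bulk-sender.example;
 dkim=none;
 dmarc=fail header.from=corp.example
Authentication-Results: mx.attacker.example;
 spf=pass; dkim=pass; dmarc=pass header.from=corp.example
From: Boss <boss@corp.example>
Subject: Urgent wire

body
"""

def auth_verdict(raw, trusted=TRUSTED_AUTHSERV):
    """Return the verdicts recorded by the trusted server for one message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        # Unfold the header, then split off the authserv-id before the first ';'.
        authserv, _, rest = " ".join(header.split()).partition(";")
        if not authserv.split() or authserv.split()[0].lower() != trusted:
            continue  # stamped by another host: treat as unverified input
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results.setdefault(method, result.lower())
    return {"from_domain": from_domain, "results": results,
            "authenticated": results.get("dmarc") == "pass"}
```

Both samples show the same From address to the reader; only the trusted header tells them apart.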

Where fax still has a real edge

For a narrow set of scenarios, fax does win:

  • Targeted phishing of the recipient. A fax has no clickable link, no attachment that triggers a macro, no JavaScript payload. A user cannot accidentally enable macros on a sheet of paper.
  • Endpoint compromise. Malware that scrapes an email inbox does not scrape a fax machine’s paper tray. If your concern is "what happens if the recipient’s laptop is owned," fax is harder to silently exfiltrate.
  • Regulated workflows that demand a fax of record. US healthcare and government workflows often still require fax not because anyone believes it is more secure, but because the paper trail and the regulatory checkbox are written into procedure. The security argument follows from the compliance one, not the other way around.

These are real, but they are narrower than the "fax is more secure, full stop" claim suggests.

Where email still has a real edge

Equally honestly:

  • Authentication. SPF, DKIM, and DMARC give recipients tools to verify you. Fax has no equivalent.
  • End-to-end encryption is available. PGP, S/MIME, and provider-side encryption like ProtonMail’s exist for senders who need them. There is no widely deployed equivalent for fax outside diplomatic-grade hardware.
  • Reach and ergonomics. This is not a security property, but it is the reason most people send email and not fax: it works on any device, it is searchable, it does not depend on a working phone line at the other end.

How PayPerFax is built, and why that matters here

PayPerFax is a pay-as-you-go fax service. The shape of how it works has direct consequences for the security questions above, and it is worth being upfront about them.

  • No account. You do not create a profile to send a fax. There is no permanent username, password, or account dashboard to compromise.
  • No stored history. Without an account, there is no history of past faxes attached to you. The transactional record of your send is kept for the minimum the business and the law require.
  • No inbound number. PayPerFax does not give you a fax number that others can send to. There is no inbox sitting on our servers collecting incoming documents, because there is no inbox.
  • You pay only when delivery succeeds. No charge on a failed line, no recurring subscription to forget about, no card on file unless you choose to save one.

That posture is not an accident, and it is part of how we think about the security side of "is online fax safe." A service with no account to phish, no history to leak, and no inbound mailbox to compromise has fewer surfaces a thoughtful attacker could go after. The tradeoff is real, and worth stating plainly. If you need a dedicated incoming number, audit logs you can pull years later, or HIPAA-covered workflows, PayPerFax is not the right tool. Those needs map to a subscription service, and we say so on every relevant page.

For the senders we are built for (occasional, one-off, no-strings), the way the service is built is the security argument.

Per-provider safety summaries

For the major services in the category, we keep a brief, honest read on the security and reputation posture of each. If you have a specific provider in mind:

  • eFax is a long-running mainstream service with HIPAA-covered plans at the enterprise tier. The "Is eFax safe?" FAQ on that page covers what the standard plans deliver versus the enterprise tier.
  • FaxZero is a freemium service useful for non-sensitive personal sends. The safety FAQ on that page is honest about what the free tier is and is not designed for.
  • GotFreeFax sits in the same freemium bracket as FaxZero, with comparable tradeoffs. The safety read on its page covers the same ground for the rare cases where someone is choosing between them on security grounds.

We are filling in the same short safety summary on every entry in our fax-service comparison set over time, so this list will grow.

The honest answer

If you take one thing away from all of this: the medium is the wrong unit of analysis. What matters is the provider’s transport encryption, the provider’s storage and deletion policy, the provider’s identity controls, and your own posture as the sender. Fax wins on a narrow set of scenarios (no clickable payloads, no inbox to scrape), email wins on a wider set (authenticated sender, modern encryption, searchable record), and for everything in between the answer depends on what each side’s provider actually does.

If your reason for asking is "I need to send one sensitive document and never think about it again," PayPerFax was built for exactly that intent. If your reason is regulated, ongoing, or auditable, pick a service whose security posture matches that workflow, and do not let the "fax versus email" framing decide it for you.

References

  1. Public Switched Telephone Network, Wikipedia
  2. Fax Signatures, Schneier on Security
  3. Sending Fax Back to the Dark Ages, Check Point Research
  4. DMARC Overview, dmarc.org
