Have you noticed how many emails ask for your personal information these days? You can’t buy a pair of shoes without revealing your date of birth, phone number, and known allergies.
Just kidding. Well, mostly.
From online shopping to job applications, we’re constantly sharing bits of ourselves through our inboxes. That information—your name, address, social security number—that’s what we call PII, or Personally Identifiable Information.
Here’s the thing about email and PII: they were never designed to go together. Ever. Email was created for open communication, not secure data transfer. Yet here we are, attaching documents with our banking details and sending messages with our home addresses, all while malicious actors are working overtime to intercept this information.
At Valimail, we take a different approach. Unlike many email security providers, we don’t collect, store, or process your PII. Our authentication technology focuses on securing the email channel itself without needing access to sensitive personal data. It’s security without the privacy tradeoffs.
Below, we’ll walk you through what actually counts as PII (it’s more than you might think), why it matters so much in email communications, and practical steps to keep it safe. This isn’t just for IT professionals. It’s for business owners, developers, builders, marketers, and practically anyone who touches PII in any capacity.
What is PII (Personally Identifiable Information)?
PII stands for Personally Identifiable Information: data that can be used on its own, or combined with other information, to identify, contact, or locate a specific person.
Think of PII as the digital breadcrumbs that, when put together, create a trail leading directly to you. Okay, it’s kind of scary when we put it like that.
Unlike anonymous data (like general statistics about website visitors), PII is specific to you as an individual. It’s the information that makes you uniquely you in databases and systems across the internet.
PII comes in two main types:
- Direct identifiers
- Indirect identifiers
Direct identifiers are the obvious information that points to you without needing any additional context:
- Full name
- Social Security number
- Email address
- Phone number
- Home address
- Driver’s license number
- Passport details
- Biometric data (fingerprints, retina scans)
- Account numbers (bank, credit card)
Indirect identifiers might not identify you on their own, but when combined with other information, they start to create a unique profile:
- ZIP code
- Date of birth
- Gender
- Race or ethnicity
- Job title and employer
- Educational background
- Medical information
- Device identifiers
- IP addresses
For example, knowing someone’s birth date alone doesn’t tell you who they are. But combine that with their ZIP code and gender, and you’ve narrowed things down a lot. Research has shown that these three pieces of information (ZIP code, birth date, and gender) can uniquely identify up to 87% of Americans.
What PII isn’t
There’s often confusion about what constitutes PII. General information like “male customer from California” isn’t PII because it applies to millions of people. Neither is truly anonymized data that’s been stripped of identifying elements and aggregated.
Business contact information exists in a gray area. Your work email and office phone number are technically PII, but they’re often treated differently under various regulations because they relate to your professional rather than personal life.
Weird, right?
Now, the consequences of exposed PII go beyond just annoying spam emails:
- Identity theft: With enough of your PII, criminals can open credit accounts, file tax returns, or apply for benefits in your name.
- Financial fraud: Direct access to financial PII means direct access to your money.
- Targeted phishing: The more someone knows about you, the more convincing their scam attempts become.
- Personal safety: Location data and contact details in the wrong hands can lead to stalking or harassment.
- Reputational damage: Both individuals and companies suffer when PII breaches become public.
Understanding what constitutes PII is the first step in protecting it. And when it comes to email (one of the most common places where PII gets shared), knowing what you’re looking for is half the battle.
PII in email communications: Where’s the risk?
Email wasn’t built with security in mind. It was designed in the 1970s when the internet was just a small network of trusted academic and military computers. Fast forward to today, and we’re using this same basic technology to send sensitive personal information across a global network that’s practically swimming with threats.
And here’s where those risks are in terms of email:
1. Transmission vulnerabilities
When you send an unencrypted email containing PII, that information passes through multiple servers before reaching its destination. At any point in that journey, the data could be intercepted, especially over unsecured networks like public Wi-Fi.
The average corporate email account sends and receives 126 emails daily. That’s a lot of potential PII flying around unprotected.
2. Storage issues
Once an email reaches its destination, those PII risks don’t disappear. Emails don’t just vanish after they’re read. They sit in inboxes, archives, and backups for months or years. That tax document with your Social Security number you emailed last April? It’s probably still hanging out in someone’s inbox or saved on a device that could be lost, stolen, or hacked.
Many people access their email across multiple devices: work computers, personal laptops, phones, and tablets. Each device is another potential access point for unauthorized users.
3. Human error
We all make mistakes, and when it comes to email, those mistakes can expose PII:
- Sending sensitive information to the wrong recipient (thank you, autocomplete)
- Replying to all instead of just one person
- Forwarding email chains without realizing they contain PII further down
- Falling for phishing attacks that trick you into sharing personal data
A single misdirected email containing a customer database can expose thousands of individuals’ personal information in an instant.
4. Impersonation problems
Email lacks built-in identity verification. Cybercriminals exploit this flaw through domain spoofing—sending emails that appear to come from trusted sources. These impersonation attacks often target PII directly:
- Fake HR emails requesting employee information
- Spoofed bank communications asking for account details
- Impersonated executives requesting W-2 forms or other sensitive employee data
Without proper email authentication (looking at you, DMARC), it’s surprisingly easy for attackers to make an email look like it’s from your bank, your boss, or your healthcare provider.
5. Lifecycle vulnerability
Vulnerabilities exist throughout the entire information lifecycle:
- Creation (PII entering the email system)
- Transmission (PII moving between servers)
- Use (PII being accessed by recipients)
- Storage (PII sitting in inboxes and archives)
- Disposal (or lack thereof—many emails are never properly deleted)
Unlike purpose-built secure messaging systems, email leaves PII exposed at multiple points. And because email is so ubiquitous and convenient, we often use it without thinking about these vulnerabilities.
Identifying PII in your organization’s emails
PII can be scattered across thousands of messages, attachments, and archives, and it’s often in formats and locations you might not expect.
Start with the obvious places: HR communications, customer service emails, and financial correspondences. These typically contain the highest concentration of personal data. But don’t stop there. Marketing emails with customer lists, inter-departmental messages about projects, and even seemingly innocent meeting invites can contain identifying information.
For smaller organizations, sampling representative emails from different departments can give you a sense of where PII lives in your systems. Look for patterns in how information flows—who sends sensitive data, who receives it, and how it’s formatted.
Larger organizations will need automated PII scanning tools that can search across email archives using pattern recognition for common PII formats (like Social Security numbers) and contextual clues (phrases like “date of birth” followed by dates). Still, even these can become a problem if they scan and keep that information.
Don’t forget about attachments: documents, spreadsheets, and PDFs frequently contain more sensitive information than the emails themselves.
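The two detection techniques mentioned above (format patterns for things like Social Security numbers, and contextual clues such as "date of birth" followed by a date) are easy to show in code. The example below is added here and is not Valimail's tooling or any code from the original article; the sample message, the SSN and the card number are constructed test values. It also addresses the caveat in the text about scanners that keep what they find: the scanner reports only the kind of match, the line it was on, and a masked preview, never the raw identifier.

```python
import re
from dataclasses import dataclass

# Constructed sample message for the demo (not real data). The SSN and card
# number are fabricated test values; 4111 1111 1111 1111 is a well-known test card.
SAMPLE_EMAIL = """From: hr@example.com
To: payroll@example.com
Subject: New hire paperwork

Please set up the new employee.
Name: Jane Doe
Date of birth: 1990-04-12
SSN: 123-45-6789
Direct deposit card: 4111 1111 1111 1111
Thanks!
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # what was matched, e.g. "ssn"
    line: int    # 1-based line number inside the message
    masked: str  # redacted preview; the raw value is never stored


# Format-based pattern: 3-2-4 digits with optional separators. The first group
# cannot be 000, 666 or 9xx, and no group can be all zeros (current SSA rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")

# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Context-based pattern: the phrase "date of birth" (or "DOB") followed by a date.
DOB_RE = re.compile(
    r"\b(?:date of birth|DOB)\b\s*[:\-]?\s*(\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out phone numbers and IDs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` digits so the report cannot reconstruct the identifier."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan_message(text: str) -> list[Finding]:
    """Scan one email body/headers line by line and return masked findings only."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding("ssn", lineno, mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            # Length check plus Luhn keeps false positives (phone numbers, order ids) out.
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding("payment_card", lineno, mask(digits)))
        for _ in DOB_RE.finditer(line):
            # A date of birth is fully redacted; even a partial date is identifying.
            findings.append(Finding("date_of_birth", lineno, "****-**-**"))
    return findings


if __name__ == "__main__":
    for f in scan_message(SAMPLE_EMAIL):
        print(f"line {f.line}: {f.kind} -> {f.masked}")
```

Run it against a mailbox export one message at a time; the findings list is what goes into your inventory of where PII lives, while the messages themselves stay where they were. Extending the same approach to attachments means extracting their text first (for PDFs and spreadsheets) and feeding it through the same scanner.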
How to safeguard PII (the right way) in your emails
Protecting PII in emails doesn’t have to mean implementing complex systems that make everyone’s job harder. Nobody wants that. The best security measures blend into your workflow while still providing protection. Here’s how to get it right:
- Start with the simplest question: Does this PII need to be in an email at all? Usually, no. Sometimes the best protection is not sending sensitive information in the first place. Consider secure document sharing platforms or customer portals for transmitting truly sensitive data like SSNs or financial details.
- Encryption is your friend: End-to-end encrypted email services mean that even if someone intercepts your message in transit, they can’t read its contents. Many email providers now offer encryption options with just a click or two.
- Email authentication: Email authentication protocols like DMARC, SPF, and DKIM protect against the most common email-based PII threats: phishing and impersonation attacks. They verify sender identity to prevent attackers from posing as trusted entities to extract personal information.
- Email hygiene: Regularly purging old messages containing PII, using secure passwords with multi-factor authentication, and being careful about email access on mobile devices reduces your risk profile.
- Training: Most PII breaches happen from human error, not sophisticated hacking. Regular training sessions on recognizing sensitive information and understanding proper handling protocols go a long way toward preventing costly mistakes.
Email authentication’s role in PII protection
Email authentication protocols like DMARC, SPF, and DKIM prevent the most common attack vector for PII theft: impersonation.
Think about it: most major data breaches start with someone pretending to be someone they’re not. “Hello from IT, we need your login details.” “HR here, please confirm your SSN.” Without authentication, these spoofed emails cruise right into inboxes.
When only legitimate senders can use your domain, email authentication stops attackers before they can trick employees or customers into sharing sensitive information. It’s preventative medicine for your email ecosystem—addressing the problem at its source rather than trying to contain a breach after the fact.
Curious if your domain is currently vulnerable to spoofing? Take two minutes to run your domain through Valimail’s free Domain Checker tool (no signup required)—it’ll tell you.
Why DMARC RUF (forensic reports) are risky
If you care about protecting PII, there’s a silent privacy hazard hiding in many DMARC setups: RUF forensic reports. Unlike RUA (aggregate) reports, which summarize sending sources and authentication outcomes at a high level, RUF reports can include message-level details about specific emails that failed authentication. That often means PII.
What RUF reports can expose:
Depending on the sender and implementation, RUF reports may contain:
- Full or partial message headers (From, To, Reply-To, Subject)
- Sender and recipient addresses (sometimes the original recipient)
- Message subject lines and occasionally snippets or body content
- Attachment names, embedded URLs, and IP addresses
- Internal routing data (Message-IDs, mailhost details)
That is a lot of breadcrumbs, precisely the kind that turns into a trail back to a real person.
Instead of using RUF reports, here are some safer alternatives that protect your PII:
- Use RUA aggregate reports only; they deliver insights most teams need, like sending sources, pass/fail rates, and alignment.
- Enable TLS-RPT to monitor transport security issues without exposing message content.
- Instrument at the edge for deep forensics when truly needed, under your existing access controls and retention policies.
- Apply strict retention and access if you must keep RUF.
- Use Valimail for aggregate intelligence and TLS reporting, plus automation to give you the visibility you need without the privacy tradeoffs.
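To make the RUF/RUA distinction above (and the enforcement point from the email authentication section) concrete, here is a small DMARC record reviewer. It is an added example, not Valimail's Domain Checker or any code from the original article. It parses the tag=value syntax of a DMARC TXT record, reports whether the policy is at enforcement, flags a `ruf=` tag as a privacy risk, and produces the same record with the forensic-report tags removed. The domains and mailbox addresses in the sample records are constructed placeholders.

```python
# Constructed sample records (placeholder addresses, not real data).
RISKY_DMARC = (
    "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com; "
    "ruf=mailto:dmarc-forensic@example.com; fo=1"
)
SAFER_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com; adkim=s; aspf=s"
TLSRPT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"

ENFORCING = ("quarantine", "reject")


def parse_tags(record: str) -> dict[str, str]:
    """Split a DMARC or TLS-RPT TXT record into tag=value pairs (RFC 7489 tag-value syntax)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def review_dmarc(record: str) -> dict:
    """Summarise a DMARC record: policy level, reporting addresses, and privacy/visibility issues."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "none").lower()
    issues = []
    if policy not in ENFORCING:
        issues.append("policy is not at enforcement (p=none): spoofed mail is only monitored, not blocked")
    if "ruf" in tags:
        issues.append("ruf= requests forensic reports that can carry headers, subjects and addresses (PII)")
    if "rua" not in tags:
        issues.append("no rua= aggregate reporting: no visibility into who sends as this domain")
    return {
        "policy": policy,
        "enforcement": policy in ENFORCING,
        "rua": tags.get("rua"),
        "ruf": tags.get("ruf"),
        "issues": issues,
    }


def strip_ruf(record: str) -> str:
    """Return the record without ruf= and fo= (fo only controls forensic reports), keeping aggregate reporting."""
    tags = parse_tags(record)
    kept = [(k, v) for k, v in tags.items() if k not in ("ruf", "fo")]
    return "; ".join(f"{k}={v}" for k, v in kept)


def tlsrpt_ok(record: str) -> bool:
    """True if the record is a TLS-RPT record with a reporting address (RFC 8460)."""
    tags = parse_tags(record)
    return tags.get("v", "").upper() == "TLSRPTV1" and bool(tags.get("rua"))


if __name__ == "__main__":
    for name, rec in (("risky", RISKY_DMARC), ("safer", SAFER_DMARC)):
        result = review_dmarc(rec)
        print(f"{name}: p={result['policy']} enforcement={result['enforcement']}")
        for issue in result["issues"]:
            print("  -", issue)
    print("privacy-safe rewrite:", strip_ruf(RISKY_DMARC))
    print("TLS-RPT configured:", tlsrpt_ok(TLSRPT))
```

To review a live domain, fetch the TXT record at `_dmarc.<domain>` (and `_smtp._tls.<domain>` for TLS-RPT) with your DNS client of choice and pass the string to `review_dmarc`. The rewrite from `strip_ruf` keeps the `rua=` aggregate reporting that gives you sending-source and pass/fail visibility while dropping the forensic reports that leak message-level details.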
Keep your PII safe with proper email authentication
Identifying what PII is and how to protect it in email communications is just the first step. The real challenge is implementing safeguards that don’t disrupt your daily operations. That’s where we can help.
Valimail secures your email channel without collecting or storing any PII, protecting privacy while preventing impersonation attacks that lead to data breaches. We do this through DMARC automation, guaranteeing that spoofers can’t use your brand to trick employees, customers, or partners.
Want more comprehensive protection? Try Valimail Monitor for free and get detailed insights into who’s sending email using your domain (legitimate senders and potential impersonators alike), all without exposing your sensitive data.