Personal Website of Levi Neuwirth

The flawed hidden cryptography in email: why email must be considered insecure even if encrypted

By: Levi Neuwirth, 25 July 2025

Though I am still an advocate of the use of PGP for encrypting email communications over the alternative of simply sending communications in the clear, and I acknowledge the ubiquity of email in day-to-day life (as unfortunate as it is... we can't all be Donald Knuth!), email must be considered a completely insecure means of communication even when post-quantum encryption (not the stuff that comes with your Linux distribution!) is used. To treat email as a secure means of communication, not only must post-quantum cryptography be used to encrypt the contents of the email in transmission, but every message must also carry, under all circumstances, a cryptographic signature made with that same key. Additionally, even PGP and other standardized encryption systems do not typically encrypt the subject field, so the subject would need to be declared in the message body, perhaps before the true contents of the message begin.

Why the need for persistent use of digital signatures? This is due to flaws in DomainKeys Identified Mail, or DKIM for short - a protocol defined primarily in RFC 6376 and RFC 8463. DKIM is an essential part of the security mechanisms built into email as a communication system, ensuring that the sender of any email you receive is who they say they are. One can see why such a guarantee is important when considering what types of accounts might be linked to an email address - bank accounts? Personal social media? Work-related accounts? More?

Unfortunately, the signature schemes that are present in DKIM, even with the revisions of RFC 8463 in mind, are obsolete. They are all susceptible to attack by a quantum computer. Even if such an attack is not yet possible with the current status of quantum hardware, it is only a matter of time before such attacks are feasible for the most powerful actors (nation states, then large corporations, and from there who knows). It will obviously be an enormous effort to roll out these sweeping security improvements across the entirety of the internet; work on this must begin NOW.
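As an added example (not code from the original post), the following Python snippet does the inventory step this argument implies for a defender: it parses a DKIM-Signature header field as RFC 6376 lays it out (semicolon-separated tag=value pairs, folding whitespace ignored, the b= and bh= values stripped of whitespace) and reports which signature scheme the message was signed with. The sample header, its domain and its selector are constructed placeholders.

```python
import re

# Signing algorithms registered for DKIM: rsa-sha1 and rsa-sha256 (RFC 6376),
# ed25519-sha256 (RFC 8463). None of them is quantum-resistant.
DKIM_ALGORITHMS = {
    "rsa-sha1": "RSA (SHA-1, deprecated by RFC 8301)",
    "rsa-sha256": "RSA",
    "ed25519-sha256": "Ed25519",
}


def parse_dkim_signature(header_value: str) -> dict:
    """Split a DKIM-Signature field value into its tag=value pairs.

    Tags are separated by ';', folding whitespace (CRLF followed by WSP) is
    unfolded, and the b= and bh= values have all whitespace removed, as the
    verifier must do before decoding the base64."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)
    tags = {}
    for item in unfolded.split(";"):
        if "=" not in item:
            continue  # empty segment, e.g. after a trailing ';'
        name, value = item.split("=", 1)
        name, value = name.strip(), value.strip()
        if name in ("b", "bh"):
            value = re.sub(r"\s+", "", value)
        tags[name] = value
    return tags


def classify_dkim(header_value: str) -> dict:
    """Report the signing domain, selector and key family of a DKIM-Signature.

    post_quantum is False for every registered algorithm; an unregistered a=
    value is reported as unknown (None) rather than assumed to be secure."""
    tags = parse_dkim_signature(header_value)
    alg = tags.get("a", "")
    family = DKIM_ALGORITHMS.get(alg)
    return {
        "domain": tags.get("d"),
        "selector": tags.get("s"),
        "algorithm": alg,
        "key_family": family or "unknown",
        "post_quantum": False if family else None,
    }


# Constructed sample header: placeholder domain and selector, dummy base64
# values, with the b= tag folded across two lines as a real header might be.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.invalid; s=sel2025;\r\n"
    "\th=from:to:subject:date; bh=dGVzdGhhc2g=;\r\n"
    "\tb=QUJDREVG\r\n\t R0hJSks="
)
```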

What this might entail is concerning, especially when considering that it will be rich nation states that get access to this technology first. An attacker with access to a sufficient quantum computer would be able to trivially bypass the authentication methods present in email, enabling them to spoof any email address that they wish. This could lead to forgery of communications for the purposes of false incrimination. It could lead to forgery of communications for covert purposes, for warmongering, for corporate espionage - the results are limitless. Until these flaws are rectified, the only safe use of email is with a manually attached digital signature, treated as a requirement for a message to be considered valid. Work must occur to educate the general public on how signature schemes function at a high level and why their importance is paramount.

I urge the IETF to obsolete RFC 6376 as soon as possible and incorporate quantum-resistant cryptography into DKIM and similar authentication methods. Until then, the preferred means of communication for those who place any emphasis on message authenticity and security should be a platform like Signal first, with email that is both encrypted and signed at all times only as a fallback.