Protect Your Privacy, Ditch Mainstream Email (antifederal.com)
32 points by dredmorbius on Oct 22, 2017 | 10 comments



https://today.law.harvard.edu/internet-privacy-afraid/

SCHNEIER: I use an encrypted chat application like Signal. By and large, email security is out of our control


That's pretty much been my conclusion, and whilst Schneier's confirmation is somewhat reassuring for my sanity, it's deeply troubling for any prospects for privacy.

I'd really like to see a focused effort put forth on addressing the failures of email in a novel, and open, standard. After many decades of service, I'm largely convinced that no level of patching SMTP or the various hacks of message formats will be successful.

And proprietary efforts are all but certain to be harmful.


MTA-STS [0] is the first decent effort (that would actually have some impact) that I've seen.

[0]: https://tools.ietf.org/html/draft-ietf-uta-mta-sts-10


Thanks, though that's at best a very partial step.

I'm looking at a more comprehensive rethinking.


(Irony that email is a federated implementation of a protocol, yet the website is called antifederal.)

I've had my own domain name since 2002. Many others here may also do similar. Many may not.

This federates you, and your mailing address. Freedom to change email providers, without inconveniencing those you converse with.

There are two sides to a transaction, however. Your mail may be federated, but the other side likely isn't. I'm incredibly disappointed how stuff like PGP has not been widely adopted.


Maybe it continues the historical tradition of Federalists vs Anti-Federalists:

"The primary opposition to the Constitution was based on it being a centralizing document that risked making the states a mere administrative arm of the central government. States' rights advocates like Thomas Jefferson, George Mason, Patrick Henry, and Elbridge Gerry were wary of the new document. The Federalists were aware of these objections and their opponents. Thus, in trying to head them off at the pass, they adopted the name Federalists to give people the impression, true or not, that they were for a federal form of government and not a national one. This forced those who opposed the constitution to be known as Anti-Federalists, which to the less attentive audience gave the impression that they were against federalism and thus for a centralized regime."


Proton kind of gets around this, they've got a service you can use to send encrypted emails externally and also get replies to them securely as well - https://protonmail.com/support/knowledge-base/encrypt-for-ou...

No idea how good it is, or if it does what it says on the box though.


A (downvoted/dead) reply addresses the PGP question:

because mainstream media didn't tell people to do it.

That's ... part of the problem, but only a part.

* Mainstream vendors never supported it within their applications.

* Key management remains difficult.

* Given the risk of key exfiltration (any soft key -- password, passphrase, PKI, biometrics -- can be compromised), PGP alone is not sufficient. Even with passphrase-protected keys.

* PGP-encrypted (and signed) email leaks massive amounts of cryptographically assured metadata. (There was a conference preso a few years back concerning PGP metadata leakage via email/Usenet though I cannot find it presently.) Absent some container which includes the message headers themselves (not just body), and the key metadata (sender / receiver), this remains a problem. And metadata are almost always more useful than message data themselves.

Not this preso, though it covers some of the same ground: https://www.youtube.com/watch?v=zqnKdGnzoh0

* Incorporating PGP/PKI into other authentication, encryption, decryption, integrity, ownership, and related process workflows is at best poor, and almost overwhelmingly nonexistent. The failure to settle on any uniform standards of web-based auth / encrypt / decrypt protocols is a major component of this.

I've been putting increasingly more thought into how protocols and standards are (and are not) established. One realisation is that very frequently it is not the supplier but a large-volume purchaser or consumer who is instrumental in establishing standards. The US Government has often played this role -- the US Bureau of Standards (established under Herbert Hoover as Secretary of Commerce), military purchasing and standardisation (often across multiple providers), the U.S. Navy's role in establishing containerisation standards during a logistics-supply problem known as the Vietnam war, standardised healthcare procedure, diagnostic, and billing codes, and more, all come to mind.

The prospect of the U.S. federal government, a large state government (California, New York, Illinois, ...), or the EU or an EU-member settling on a standard might move things forward.

As for owning your own domain -- that works, somewhat, but pushes a number of problems out into other spaces. Domain registration, ownership, control, payments, etc., are not painless, and even large organisations with dedicated personnel and procedures in place foul this up all the time.


While I agree it is an apt idea, it is not so useful. See this post https://mako.cc/copyrighteous/google-has-most-of-my-email-be... The graphs may change a bit but the overall trend is communication involves big 5 SV.


While this is true (most of my personal correspondence ends up on Google servers), there is a significant increase of privacy you get from the more utility-based emails. For instance, if you shop on Amazon and switch away from Gmail, Google loses out on all of your purchasing habits. Consider that the Unroll.me fiasco involved one ride-sharing company buying data about your receipts from the other.



