I'll stick by my recommendation that e-mail encryption and/or digital signing is an appropriate solution – no matter what mail servers are involved in the exchange. Any SMTP e-mail will pass through an unknown number of "mail transfer agents" on its way from here to there – not just Yahoo and mail.ru, and any of them could intercept the message, tamper with the message, or inject a fraudulent message. SMTP is not, and was never designed to be, a secure communications protocol.

The only way to effectively prevent this is to secure the one-and-only thing that you can secure: "the message itself." If you do this, then upon receipt "that message from your friend" is positively identified as actually having come from your friend. Furthermore, you know that it is, bit for bit, the exact message that your friend sent. (And this is true whether-or-not you decide to conceal your messages from prying eyes.)

All of my messages are digitally signed such that they can be verified using public keys that can be downloaded from any trusted key-server. And, all of the recipients with whom I converse regularly by email – whether for business or pleasure – have done the same. Exactly once, so far, I received a truly forged message, and my software instantly recognized and quarantined it. (Although I do continue to periodically receive marketing messages from my dead aunt.) The quarantine message didn't have to guess about the content: the message was unsigned.

It utterly baffles me why corporations have not routinely done the same thing, and why important web-mail clients such as Google Mail do not always provide this service. (So that, "that e-mail from Southwest Airlines" is verified to be "from Southwest Airlines, and intact.") Why https: is "the new normal," but this is not, is something that I simply do not comprehend. "We have the technology ..."

I don't have to "think about" the process of signing messages and checking message signatures – "it just happens, every time." Email clients for Windows, Linux, OS/X, Android and iPhone can very routinely provide this service ... using GPG and/or S/MIME ... so, why isn't this universal by now, given that it is every bit as important (if not more so) than securing web-pages?
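The "unsigned, therefore quarantined" decision described in the post above can be sketched as follows. This is an added example, not the poster's software: the addresses, the `ALWAYS_SIGNS` policy set and the sample messages are constructed assumptions, and the check is structural only, so a message that carries a signature must still go to GnuPG or an S/MIME verifier before it is trusted.

```python
from email import message_from_string
from email.utils import parseaddr

ALWAYS_SIGNS = {"friend@example.org"}  # assumption: correspondents known to sign everything
SIG_TYPES = {"application/pgp-signature": "pgp-mime",   # PGP/MIME, RFC 3156
             "application/pkcs7-signature": "smime",
             "application/x-pkcs7-signature": "smime"}

def signature_kind(msg):
    """Return 'pgp-mime', 'smime', 'pgp-inline' or None, judged from structure only."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/signed":
            proto = str(part.get_param("protocol") or "").lower()
            kids = part.get_payload()
            # Well-formed multipart/signed: exactly [signed body, detached signature].
            if (proto in SIG_TYPES and isinstance(kids, list) and len(kids) == 2
                    and kids[1].get_content_type() == proto):
                return SIG_TYPES[proto]
        elif ctype == "text/plain":
            body = part.get_payload(decode=True) or b""
            if body.lstrip().startswith(b"-----BEGIN PGP SIGNED MESSAGE-----"):
                return "pgp-inline"
    return None

def triage(raw):
    """Decide what happens to a message before any cryptographic check is attempted."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    kind = signature_kind(msg)
    if kind:
        return "verify:" + kind  # hand off to GnuPG or an S/MIME verifier
    # No signature at all: the claimed sender's signing habit decides the outcome.
    return "quarantine" if sender in ALWAYS_SIGNS else "deliver-unverified"

# Constructed sample messages; the signature body is a placeholder, not a real signature.
SIGNED = ("From: Friend <friend@example.org>\nMIME-Version: 1.0\n"
          "Content-Type: multipart/signed; micalg=pgp-sha256;\n"
          ' protocol="application/pgp-signature"; boundary="b1"\n\n'
          "--b1\nContent-Type: text/plain\n\nSee you at noon.\n"
          "--b1\nContent-Type: application/pgp-signature\n\n(placeholder)\n--b1--\n")
FORGED = "From: Friend <friend@example.org>\nContent-Type: text/plain\n\nWire me money.\n"
STRANGER = "From: shop@example.com\nContent-Type: text/plain\n\nSale today.\n"

if __name__ == "__main__":
    for name, raw in [("signed", SIGNED), ("forged", FORGED), ("stranger", STRANGER)]:
        print(name, "->", triage(raw))
```

A message that merely declares `multipart/signed` without a matching signature part is treated as unsigned, so it is quarantined when it claims to come from a sender who always signs.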
