All articlesdocument collection

How to Send & Receive Documents Securely (No Passwords)

60% of breaches involve human error. Email + attachment is the default. Here's what actually works for secure document exchange without passwords.

AT

Arthur Teboul

Founder, DokuTrak

July 16, 202610 min read
On this page

Your client asks for a W-2. You email it. They forward it to their accountant. Their accountant's intern downloads it onto their personal laptop. A week later, a phishing email that looks like your message prompts them to "verify" their details on a spoofed site. By then, the document has been copied into at least six inboxes and one personal device, none of which you control.

The data confirms this is the norm, not an edge case. 60% of data breaches involve the human element—error, misuse, or social engineering, not sophisticated attacks (Verizon 2025 DBIR, 2025). "Data emailed to the wrong recipient" is the single most-reported security incident to the UK's Information Commissioner's Office: 1,744 cases, 16% of all incidents (UK ICO data, 2023). This is not your fault. This is how email works.

The fix is not a stronger password or "please encrypt before sending." The fix is to not send the document through email at all.

The secure method that actually works: an encrypted, access-scoped link with automatic expiry. No account for the recipient. No password friction. Just TLS in transit, AES-256 at rest, and a time-limited token that only works once. This beats email + attachment, password-protected PDFs, and the shared-link sprawl of Drive or Dropbox because it controls the entire surface: who can access it, when, and for how long.

Most professionals don't have this yet. They're still asking clients to email, or using shared folders that anyone can forward. Check out how your approach compares and what "secure document exchange" actually looks like in practice.

Here's what "secure" actually means, how the methods compare, and which one to use when.


Why Email + Attachments Fails for Sensitive Documents

Email isn't designed for document transfer. This is not fixable with encryption settings or a longer password.

Transport is opportunistic: when you hit send, your attachment travels through your email provider's servers, the recipient's email provider's servers, and potentially several relay servers in between. Email uses STARTTLS to negotiate encryption—but if the receiving server doesn't advertise TLS support, your attachment is delivered in plaintext (RFC 3207). This is called "opportunistic TLS," and a meaningful share of email still isn't encrypted this way (Google Safer Email Report).

At-rest exposure is permanent: once the attachment lands in an inbox, it sits unencrypted at rest in most consumer and professional email services. Gmail and Outlook encrypt at the server level, but the keys are held by the provider. Anyone with access to that provider's infrastructure—via a breach, a court order, or a malicious insider—can read it.

Misdirection is unrecoverable: the most common real-world failure is sending to the wrong recipient. When it happens, there's no way to unwind it. The data sits in someone else's inbox forever.

Credential theft replaces encryption: if you try to secure an attachment with a password, you face a second problem: sending the password. Most people send the password in the same email, which defeats the entire point. Even with the password sent separately, the recipient may use a weak passphrase they reuse elsewhere, or the file sits in their email archive where it's accessible to anyone who compromises their account.

The scale is real. 22% of breaches are initiated by compromised or stolen credentials (Verizon 2025 DBIR, 2025). Phishing for login credentials takes 21 seconds for someone to click the link; another 28 seconds to type credentials (Verizon DBIR, 2024). By the time a client forwards your email to a colleague, you've lost control of the document entirely.


What "Secure" Actually Requires

When evaluating any document transfer method, three things matter: what protects the document in motion, what protects it at rest, and who controls access.

Encryption in Transit: TLS 1.3

Data moving between your client's browser and the server should use TLS 1.3 (IETF RFC 8446). NIST required federal systems to support TLS 1.3 by January 2024 (NIST SP 800-52r2). TLS 1.3 eliminates legacy cipher suites and mandates forward secrecy: even if a key is later compromised, past sessions remain protected. TLS 1.2 is still widely deployed but is no longer the current standard.

Key framing: TLS protects the hop between two machines. It does not encrypt data at rest and is not end-to-end.

Encryption at Rest: AES-256

Files should be encrypted when stored. AES-256 is NIST-approved (FIPS 197) and is the standard cipher for major file services. Any service storing sensitive documents should specify its encryption standard. If they don't, don't use it.

Practical point: "AES-256 at rest" means the provider encrypts the stored file—but the provider holds the keys. This is different from end-to-end encryption, where only the sender and recipient can decrypt the content.

Access Control: Scoped, Time-Limited, Revocable

A shared link with indefinite lifetime is not secure. The right design grants access to a specific request, for a defined window, and revokes it when the window closes or the upload completes. A password-protected link adds friction without adding real security (see the myths section below).

Audit Trail

Who accessed the document? When? From which IP? Did they accept it or reject it? An audit log is not nice-to-have; it's legally required in regulated industries.


MethodTransportAt RestRecipient FrictionReal StrengthsReal Weaknesses
Email + attachmentOpportunistic TLS (often plaintext)Unencrypted in inboxNone (trivial to send)Ubiquitous, instantMisdirection risk, permanent exposure, password sharing is brittle
Email + password-protected PDFOpportunistic TLSEncrypted (only if AES-256 + strong password)None to lowFeels secureLegacy PDF encryption is broken; password-sharing defeats it; no revocation
WeTransfer or similar linkTLSAES-256 (provider holds keys)None (no account)No setup, link-basedLink forwarding is access; provider can read stored files; time-limited retention only
Google Drive / Dropbox shared linkTLSAES-256 (provider holds keys)Low to medium (account nudges for some flows)Familiar, integrates with existing workflow"Anyone with the link" is forwarding risk; permission model is easy to misconfigure; link sprawl
Client portal (account + password)TLSAES-256 (provider holds keys)High (new account + password friction)Full access control, audit trail, permission matrixClients hate new accounts; password reuse risk; "just email it" wins
No-account secure link (category)TLS 1.3AES-256 (provider holds keys)None (single click, no password)Eliminates credential theft, no account friction, automatic expiry, per-request scopeStill provider-holds-keys (not E2EE); link interception in narrow window (mitigated by TLS + expiry)

The row that matters: no-account secure link. It combines the frictionless access of WeTransfer with the scoped, revocable control of a portal, without asking the recipient to remember a password.


Receiving Documents: Where Security Actually Breaks

This is where most professionals fail. Collecting FROM clients is harder than sending TO them because you can't control what the client sends or how well they understand "secure."

When a client uploads a document, three things can go wrong:

  1. The file is the wrong type (they sent a bank statement when you asked for a tax return).
  2. The file is unreadable (blurry scan, PDF corruption, unsupported format).
  3. The document is expired (they uploaded a one-year-old ID).

A portal that just accepts every upload puts the manual review burden on you. You manually sort 30 uploads to find the three that are actually usable. This is why most people default back to email: the manual review loop feels faster than setting up security infrastructure.

The right collection workflow: AI flags wrong/unreadable/expired files before they reach you, you make the final decision. This is the signal that separates "real collection" from "just send me email in a nicer box." No-account secure link + AI validation = lowest friction + highest quality.


Password-Protected PDF: A Myth Worth Breaking

Myth: "A password-protected PDF is secure."

Truth: Only if it's AES-256 and uses a strong passphrase and the password travels out-of-band. Most PDFs are not this secure.

Legacy 40-bit and 128-bit RC4 PDF encryption are broken irrespective of the password. "Owner password" permission flags (no-print, no-copy, no-edit) are enforced only by cooperating readers—bypass tools that ignore the flags have existed for 20 years (Kaspersky / 36C3).

The real failure: emailing the PDF and its password in the same channel. Security collapses to the weakest link—the password, sent in the message thread, visible to anyone who ever accessed the conversation.

A link-based method removes this problem because there is no password to send.

Myth: "A password-protected ZIP is secure."

Truth: Legacy ZipCrypto (the default cipher in many tools) is broken by a known-plaintext attack requiring only ~12 bytes of known plaintext—password strength is irrelevant (bkcrack). Even AES-256 ZIP leaks metadata (filenames in the central directory are in cleartext unless you enable "encrypt file names"), and it's still only as strong as the password.


Here's the pattern that works: encrypted link over TLS, no password, automatic expiry.

When you send a document request:

  • A cryptographically random, time-limited token is generated
  • That token is sent to the recipient's email as a one-click link
  • The link grants access only to that specific request, nothing else
  • When the upload is complete (or the time window closes), the link is revoked
  • Documents are transmitted over TLS 1.3 directly to AES-256 encrypted storage; they never sit in email

No-account links are immune to credential theft because there are no credentials to steal. The token is single-use, scoped to one transaction, and expires. Even if an attacker intercepts the email containing the link, they face a narrow window to act. Resending the request generates a new token that invalidates the old one.

The trade-off: this method is still provider-holds-keys (not end-to-end encrypted). But it is dramatically more secure than email, a password-protected PDF, or a shared folder link, and it's measurably more likely to work because there's no password friction.


Start Here

If you're sending documents to clients, ask: "Would I be comfortable explaining this to a regulator or a judge if something went wrong?"

Email + attachment? No. Email + password-protected PDF? No. A shared Drive link with "anyone with the link" access? No.

An encrypted, link-based request with automatic expiry and access scoping? Yes.

For the full deep-dive on building a secure upload flow, see secure document upload portals.

If email is the problem you're trying to escape, here's why email fails for document collection.

And for the full picture of the category, start with document collection software.


DokuTrak starts at $79/month for solo professionals, with no-account secure links, AI document validation (flags wrong/unreadable/expired files before they reach you), and automatic reminders so you're not chasing clients. Every plan includes AES-256 encryption, TLS 1.3 in transit, and access control per request.

Start your 14-day free trial (credit card required, cancel any time with no charge).


Sources

Frequently asked questions

What is the most secure way to send documents to clients?

An encrypted, access-scoped link over TLS with time-limited expiry beats email + attachments because it eliminates misdirection risk (the #1 incident type), keeps documents out of email inboxes, and requires no password friction. The criteria: TLS 1.3 in transit, AES-256 at rest, link expiry, and access control per request, not a standing account.

Is a password-protected PDF secure?

Only if it's AES-256 (not legacy RC4/40-bit), uses a strong passphrase, and the password travels out-of-band. Modern PDFs with owner-permission flags are still bypassable; emailing the PDF and password in the same channel defeats the security entirely. A link-based method is more secure because it eliminates the password-sharing problem.

How do I securely collect documents from clients?

Use a no-account upload link (time-limited token) over TLS instead of asking clients to create a portal account. This removes the credential attack surface and the friction that pushes clients back to email. The link should expire automatically, grant access only to one request, and revoke when complete. AI validation of uploaded files (format, readability, expiry) catches problems before they reach you.

Is Google Drive or Dropbox secure enough for document exchange?

They use AES-256, but the provider holds the keys (not end-to-end encrypted). A shared link with 'anyone with the link' access is forwarding risk — the link is a bearer token. Restricting access requires account setup or extra steps. For regulated industries (law, finance, healthcare), they lack compliance audit trails and native document-request workflows.

Why do people still email documents if it's not secure?

Friction. Creating a portal account, remembering a new password, or managing link permissions feels harder than 'just email it.' The secure methods that win are the ones that make the simple path the secure path: one-click link, no account, automatic expiry. Most people default to the easiest thing, not the right thing.

What's the difference between TLS and end-to-end encryption?

TLS encrypts data in transit between your device and a server; the provider can read it at rest because the provider holds the keys. End-to-end encryption means only the sender and recipient can decrypt it; nobody else, including the provider, can read the plaintext. For most SaaS tools (Drive, Dropbox, WeTransfer), encryption is at-rest AES-256 with provider-held keys, not end-to-end. Framing matters here because 'encrypted' doesn't mean 'nobody can read it.'