If you’re going to need the email address in the future, then you’ll have to store them in plain text.

You could encrypt them, of course, however, this is effectively security through obscurity in this case. Basically, if your application’s perimeter is secure, your data within it can be plain text. Encrypting here adds complexity to you working with the data, but doesn’t really stop an attacker from getting your raw data.

As you say, if he gets through your perimeter defenses, he’s likely to easily get your decryption key to decrypt the email data. Encryption may slow down the determined attacker slightly, but will not add any real security to your data.

The best scenario is to hash the email address (with salt!) and store that. This allows you to check the email address against an input value (for example) and verify that the email address input is the same as what you have stored, of course, the major downside for this is that you can’t know what the email address is without that additional value, so if you’re wanting to (for example) regularly email your users, you’ll be out of luck.

I suspect you’re storing the email address because it’s useful data, and you will want to do something with it (like send an email 🙂 in which case, encrypting just adds overhead to working with that data, whilst gaining very little in return.

In this case, I would focus on securing access the database itself (i.e. your “perimeter” defenses) and ensure they are as strong as can be, whilst leaving the data in the database in plain text.