MacOS: Using Email Encryption in Apple’s Mail

I recently praised Apple’s Mail for making it so easy to use email encryption. This is more important than ever, since electronic privacy is front and center in our attention. Let’s look at what you need to do to get started with encrypted email using Apple’s Mail app.


Let’s walk through setting up email encryption on Apple’s Mail app (Image Credit: stevepb)

Step 1: Visit Comodo, a Certificate Authority

The first thing you need to do is get your encryption certificate. There are several Certificate Authorities (CAs), but Comodo is well-recognized, works well with Apple, and is free. Just go to Comodo’s main page, highlight Personal, and click Free Personal Email Certificate.

Step 2: Select the Right Product

The page that loads will have several options, including Free Email Certificate. Click the Download button for that option.


Choose to download a personal email certificate

Step 3: Fill Out a Form

Next, you’ll fill out the application form for your free email certificate. The key size should be automatically set to 2048 (High Grade), but select that if it isn’t. Note that if you aren’t in the United States, that might not be an option for you. If it’s not an option, choose the highest grade you can.


The application form for a personal email certificate

Step 4: Download and Install Your Certificate

After a few moments, you’ll get an email from Comodo with a link to collect your certificate. Click that link, and your certificate should automatically download. Once it does, double-click it from the download location to open it and begin importing it into your Keychain. I store my encryption certificates in System, but that’s not required.


Add the certificate to your Keychain

After you click Add, Keychain Access will ask you to authenticate as a system administrator. Do so, and your certificate will be added to your Keychain.

Grant permission to Keychain Access


Step 5: Exchange Digital Signatures

If Mail is already running, quit the application and relaunch it. At this point, Mail will automatically sign your outgoing emails with your new certificate: the signature is made with the private key in your Keychain, and the certificate carrying the matching public key travels with the message so recipients can verify it and later encrypt replies to you. You can tell that it's done so by the new icons next to the subject line. The lock, grayed out until a recipient's certificate is available, controls encryption. The blue checkmark shows that the email will be digitally signed.

Digitally signing an email in Mail


When you send a signed email for the first time, you’ll be asked to grant Mail permission to sign the email. You can choose to Allow just once, but I’d recommend clicking Always Allow.

Allowing Mail to access the certificate


Step 6: Send Your Encrypted Email

Once you’ve exchanged digitally signed emails with your recipient, you’ll be all set to send encrypted messages. To do this, simply make sure the Lock next to the subject line is blue, and Mail will encrypt the email using your recipient’s certificate, which it saved from the signed message they sent you.

To send an encrypted email, make sure the Lock is blue


Step 7: Verify Your Emails Are Encrypted

If you want proof that the email encryption is working, try opening your message in another mail client. You’ll see that the body of your email is in an S/MIME attachment. Double-clicking that attachment opens it in Keychain Access by default, but that won’t show you the message; the content can only be read by a mail client that holds the matching private key.

Encrypted email as seen in Newton: in other email clients, the body of your email will be in an S/MIME attachment

But Is It Really Encrypted?

Okay, you have your doubts. Try opening the S/MIME attachment in TextEdit, for example. You’ll see that it’s completely encrypted and unreadable.

The jumbled mess that is an encrypted message

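Opening the attachment in a text editor only shows that it is opaque; the following Python script, an added example that is not part of the original article, walks the DER structure of an S/MIME smime.p7m attachment and reports just the metadata that stays in the clear (that it is CMS EnvelopedData, how many recipient keys it was encrypted to, the content-encryption algorithm, and the ciphertext size) without decrypting anything. It runs against the constructed stand-in built by `sample_p7m()` (placeholder recipients and dummy ciphertext); to check a real attachment, pass the file's bytes to `inspect_p7m()` (base64-decode them first if the saved attachment is still base64 text).

```python
# Added example, not from the article: inspect an S/MIME smime.p7m attachment
# (a CMS ContentInfo in DER) and report what it exposes WITHOUT decrypting it.
OID = {"envelopedData": bytes.fromhex("2a864886f70d010703"), "signedData": bytes.fromhex("2a864886f70d010702"),
       "data": bytes.fromhex("2a864886f70d010701"), "rsaEncryption": bytes.fromhex("2a864886f70d010101"),
       "aes256-CBC": bytes.fromhex("60864801650304012a"), "des-ede3-CBC": bytes.fromhex("2a864886f70d0307")}
NAMES = {v: k for k, v in OID.items()}           # reverse lookup: DER OID value -> name

def _length(n):                                  # DER length octets, short or long form
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b if n < 0x80 else bytes([0x80 | len(b)]) + b

def tlv(tag, body):                              # one DER element: tag, length, value
    return bytes([tag]) + _length(len(body)) + body

def read_tlv(buf, pos):                          # -> (tag, value, offset after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                # long form: next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def inspect_p7m(der):
    """Walk ContentInfo -> EnvelopedData and report the metadata that stays in the clear."""
    _, ci, _ = read_tlv(der, 0)
    _, ctype, p = read_tlv(ci, 0)
    if NAMES.get(ctype) != "envelopedData":      # e.g. signedData: signed but readable by anyone
        return {"encrypted": False, "content_type": NAMES.get(ctype, ctype.hex())}
    _, env, _ = read_tlv(read_tlv(ci, p)[1], 0)           # [0] EXPLICIT wrapper, then SEQUENCE
    tag, rinfos, p = read_tlv(env, read_tlv(env, 0)[2])   # skip CMSVersion
    if tag == 0xA0:                                        # optional originatorInfo present
        tag, rinfos, p = read_tlv(env, p)
    recipients, q = 0, 0
    while q < len(rinfos):                                 # one RecipientInfo per recipient key
        recipients, q = recipients + 1, read_tlv(rinfos, q)[2]
    _, eci, _ = read_tlv(env, p)                           # EncryptedContentInfo
    _, alg, q = read_tlv(eci, read_tlv(eci, 0)[2])         # skip inner contentType (id-data)
    cipher = read_tlv(alg, 0)[1]                           # contentEncryptionAlgorithm OID
    ciphertext = read_tlv(eci, q)[1]                       # [0] IMPLICIT encryptedContent
    return {"encrypted": True, "recipients": recipients,
            "cipher": NAMES.get(cipher, cipher.hex()), "ciphertext_bytes": len(ciphertext)}

def sample_p7m():
    """Constructed stand-in for Mail's smime.p7m: two RSA recipients, AES-256-CBC, dummy bytes."""
    def rinfo(serial):                           # KeyTransRecipientInfo: version, placeholder issuer+serial, keyEncAlg, encryptedKey
        return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, tlv(0x30, b"") + tlv(0x02, bytes([serial])))
                   + tlv(0x30, tlv(0x06, OID["rsaEncryption"]) + tlv(0x05, b"")) + tlv(0x04, b"\xAA" * 256))
    eci = tlv(0x30, tlv(0x06, OID["data"]) + tlv(0x30, tlv(0x06, OID["aes256-CBC"])
              + tlv(0x04, b"\x00" * 16)) + tlv(0x80, b"\x5A" * 48))
    env = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x31, rinfo(1) + rinfo(2)) + eci)
    return tlv(0x30, tlv(0x06, OID["envelopedData"]) + tlv(0xA0, env))
```

A message that is only signed (Step 5) comes back as `signedData` with `encrypted: False`, which is the quick way to tell the two cases apart.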

Be Careful With Those Keys

Once you’ve exchanged signed emails with someone, all of your future messages to that person will be encrypted. Of course, you can always turn that off by clicking the Lock to disable encryption. Just be very careful with your keys and certificates: Keychain Access can export the certificate together with its private key as a password-protected .p12 file, so keep such a backup somewhere safe, because if you lose the private key, you won’t be able to read those emails again.
