MacOS: Using Email Encryption in Apple’s Mail

2 minute read
| Quick Tip

I recently praised Apple’s Mail for making it so easy to use email encryption. This is more important than ever, since electronic privacy is front and center in our attention. Let’s look at what you need to do to get started with encrypted email using Apple’s Mail app.


Let’s walk through setting up email encryption on Apple’s Mail app (Image Credit: stevepb)

Step 1: Visit Comodo, an Email Encryption Authority

The first thing you need to do is get your encryption certificate. There are several Certificate Authorities (CAs), but Comodo is well-recognized, works well with Apple, and is free. Just go to Comodo’s main page, highlight Personal, and click Free Personal Email Certificate.


Get started from Comodo’s main page

Step 2: Select the Right Product

The page that loads will have several options, including Free Email Certificate. Click the Download button for that option.


Choose to download a personal email certificate

Step 3: Fill Out a Form

Next, you’ll fill out the application form for your free email certificate. The key size should be automatically set to 2048 (High Grade), but select that if it isn’t. Note that if you aren’t in the United States, that might not be an option for you. If it’s not an option, choose the highest grade you can.


The application form for a personal email certificate

Step 4: Download and Install Your Certificate

After a few moments, you’ll get an email from Comodo with a link to collect your certificate. Click that link, and your certificate should automatically download. Once it does, double-click it from the download location to open it and begin importing it into your Keychain. I store my encryption certificates in System, but that’s not required.


Add the certificate to your Keychain

After you click Add, Keychain Access will ask you to authenticate as a system administrator. Do so, and your certificate will be added to your Keychain.


Grant permission to Keychain Access
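Before a certificate goes into Keychain it is worth checking that it is the kind of certificate Mail can actually use: still valid, carrying your address in its subjectAltName (that is the field Mail matches against the sender or recipient), marked for S/MIME with the emailProtection extended key usage, and, when it arrives as a .p12 bundle, containing the private key and not just the certificate. The script below is an added example and not part of the original article or Comodo's process; it builds a self-signed stand-in certificate (the address alice@example.com, the file names and the bundle password are constructed) and then runs those checks with openssl, which is present on macOS.

```sh
#!/bin/sh
# Added example, not from the original article. Checks a certificate before it
# goes into Keychain: is it still valid, does its subjectAltName carry the
# address Mail will match against, does it have the S/MIME (emailProtection)
# extended key usage, and does a .p12 bundle actually contain the private key.
# The certificate below is a constructed self-signed stand-in for the
# CA-issued one; the address, file names and password are assumptions.
set -eu

WORK="$(mktemp -d)"
EMAIL="alice@example.com"   # constructed sample address

# Constructed stand-in with the extensions a real S/MIME certificate carries.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
  -keyout "$WORK/alice.key" -out "$WORK/alice.pem" \
  -subj "/CN=Alice Example/emailAddress=$EMAIL" \
  -addext "subjectAltName=email:$EMAIL" \
  -addext "extendedKeyUsage=emailProtection" \
  -addext "keyUsage=digitalSignature,keyEncipherment" 2>/dev/null

# Second constructed certificate that lacks the emailProtection EKU, so the
# check below has something to reject.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
  -keyout "$WORK/noeku.key" -out "$WORK/noeku.pem" \
  -subj "/CN=No EKU/emailAddress=$EMAIL" \
  -addext "subjectAltName=email:$EMAIL" 2>/dev/null

# smime_cert_check CERT EMAIL: returns 0 when CERT is currently valid, lists
# EMAIL in its subjectAltName and carries the emailProtection EKU; otherwise
# prints what is missing and returns 1.
smime_cert_check() {
  cert="$1"; email="$2"; ok=0
  text="$(openssl x509 -in "$cert" -noout -text)"
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired"; ok=1; }
  printf '%s\n' "$text" | grep -q "email:$email" \
    || { echo "subjectAltName does not list $email"; ok=1; }
  printf '%s\n' "$text" | grep -qi "E-mail Protection" \
    || { echo "missing emailProtection extended key usage"; ok=1; }
  return $ok
}

# Bundle key + certificate the way a collected certificate is usually stored,
# and make a certificate-only bundle to show the difference.
openssl pkcs12 -export -inkey "$WORK/alice.key" -in "$WORK/alice.pem" \
  -out "$WORK/alice.p12" -passout pass:changeit 2>/dev/null
openssl pkcs12 -export -nokeys -in "$WORK/alice.pem" \
  -out "$WORK/certonly.p12" -passout pass:changeit 2>/dev/null

# p12_has_private_key FILE PASSWORD: returns 0 only if the bundle holds a
# private key; a bundle without one imports fine but can never sign or decrypt.
p12_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

smime_cert_check "$WORK/alice.pem" "$EMAIL" && echo "alice.pem: usable for S/MIME"
p12_has_private_key "$WORK/alice.p12" changeit && echo "alice.p12: private key present"
```

Run it against the downloaded file instead of the stand-in by pointing smime_cert_check at the certificate (`openssl pkcs12 -in yourfile.p12 -nokeys` extracts it from a bundle). A certificate that imports without a private key shows up in Keychain Access as a bare certificate with no expandable key beneath it, and Mail will not offer the signing checkmark for it.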

Step 5: Exchange Digital Signatures

If Mail is already running, quit the application and relaunch it. At this point, Mail will automatically sign your emails with your public key. You can tell that it’s done so by the two new icons next to the subject line: the grayed-out lock is the encryption toggle, and the blue checkmark shows that the email will be digitally signed.


Digitally signing an email in Mail

When you send a signed email for the first time, you’ll be asked to grant Mail permission to sign the email. You can choose to Allow just once, but I’d recommend clicking Always Allow.


Allowing Mail to access the certificate

Step 6: Send Your Encrypted Email

Once you’ve exchanged digitally-signed emails with your recipient, you’ll be all set to send encrypted messages. To do this, simply make sure the Lock next to the subject line is blue, and Mail will encrypt the email using your certificate.


To send an encrypted email, make sure the Lock is blue

Step 7: Verifying Your Emails Are Encrypted

If you want proof that the email encryption is working, try opening your message in another mail client. You’ll see that the body of your email is in an S/MIME attachment. You can open that attachment with Keychain Access (in fact, that’s the default), but that’s the only way you can read the content.

In other email clients (Newton is shown here), the body of your email will be in an S/MIME attachment

But Is It Really Encrypted?

Okay, you have your doubts. Try opening the S/MIME attachment in TextEdit, for example. You’ll see that it’s completely encrypted and unreadable.


The jumbled mess that is an encrypted message

Be Careful With Those Keys

Once you’ve exchanged signed emails with someone, all of your future messages to that person will be encrypted. Of course, you can always turn that off by clicking the Lock to disable encryption. Just be very careful with your keys and certificates; if you lose them, you won’t be able to read those emails again.
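The whole exchange from Step 5 through the key warning above can be reproduced by hand with openssl, which makes each key's role visible: a signature is produced with the sender's private key, the signed message carries the sender's certificate (the public key a recipient's client stores), encryption is done to the recipient's certificate, and only the recipient's private key opens the result. The script below is an added example, not code from the original article or from Apple; Alice, Bob, their addresses and the message are constructed, and the two certificates are self-signed stand-ins for CA-issued ones.

```sh
#!/bin/sh
# Added example, not from the original article: the S/MIME steps Mail performs
# behind the checkmark and lock icons (sign, verify and harvest the sender's
# certificate, encrypt to a recipient, decrypt), done by hand with openssl so
# each key's role is visible. Alice, Bob, their addresses and the message are
# constructed; the certificates are self-signed stand-ins for CA-issued ones.
set -eu
WORK="$(mktemp -d)"

# Minimal request config for the stand-ins. CA:TRUE is only there because a
# self-signed stand-in must also act as its own trust anchor during -verify;
# a CA-issued S/MIME certificate would not carry it.
cat > "$WORK/smime.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_smime]
basicConstraints = critical,CA:TRUE
subjectAltName = email:${ENV::SMIME_EMAIL}
extendedKeyUsage = emailProtection
EOF

# make_identity NAME EMAIL: constructed private key + self-signed certificate.
make_identity() {
  SMIME_EMAIL="$2" openssl req -x509 -config "$WORK/smime.cnf" -extensions v3_smime \
    -newkey rsa:2048 -nodes -days 365 -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1/emailAddress=$2" 2>/dev/null
}
make_identity alice alice@example.com
make_identity bob bob@example.com

printf 'Subject: hello\n\nMeet at noon.\n' > "$WORK/plain.eml"   # constructed message

# Step 5: Alice signs with her PRIVATE key. The signed message carries her
# certificate (public key); that certificate is what Bob's client keeps.
openssl smime -sign -in "$WORK/plain.eml" -signer "$WORK/alice.crt" \
  -inkey "$WORK/alice.key" -out "$WORK/signed.eml"

# verify_and_harvest SIGNED TRUSTED OUTCERT: returns 0 if the signature checks
# against the TRUSTED anchor and writes the signer's certificate to OUTCERT,
# which is the "sender's certificate lands in the recipient's keychain" step.
verify_and_harvest() {
  openssl smime -verify -in "$1" -CAfile "$2" -signer "$3" -out /dev/null 2>/dev/null
}
verify_and_harvest "$WORK/signed.eml" "$WORK/alice.crt" "$WORK/alice_harvested.crt"

# fingerprint CERT: SHA-256 fingerprint, to confirm the harvested cert is Alice's.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Step 6: encryption uses the RECIPIENT's certificate (Bob's public key), never
# the sender's; only Bob's private key can open the result.
openssl smime -encrypt -aes256 -in "$WORK/plain.eml" \
  -out "$WORK/encrypted.eml" "$WORK/bob.crt"

# Step 7: the transported body is a base64 application/x-pkcs7-mime part named
# smime.p7m; the plaintext appears nowhere in it.
body_is_opaque() { ! grep -q "Meet at noon" "$1"; }

# decrypt ENCRYPTED KEY CERT: prints the plaintext, or fails with the wrong key.
decrypt() { openssl smime -decrypt -in "$1" -inkey "$2" -recip "$3" 2>/dev/null; }

# "Be careful with those keys": with a key other than Bob's the message is lost.
wrong_key_fails() { ! decrypt "$WORK/encrypted.eml" "$WORK/alice.key" "$WORK/alice.crt" >/dev/null; }

decrypt "$WORK/encrypted.eml" "$WORK/bob.key" "$WORK/bob.crt"
```

The body_is_opaque check is the scripted version of opening the smime.p7m attachment in TextEdit: nothing of the message survives outside the ciphertext. The wrong_key_fails check is the reason for the warning about keys: the message was encrypted to Bob's certificate, so no other key, not even the sender's, recovers it, and losing Bob's private key means losing every message encrypted to it.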

crtait6 (Member)

Is there any way of getting the certificate on an iPhone without a Mac?

sventhegrinch (Member)

@Laurie, I found a way to get past this… I am still getting the error, but it now loads the certificate OK (the entry with the email name has a sub key now when I click on the expander arrow). What I had done wrong was that I started the certificate request with Firefox, and when that didn’t result in a proper certificate I tried that same link with Safari. That got me the certificate, but it was clearly busted. So make sure you request the certificate in Safari and also download it in Safari. You will have to revoke…

sventhegrinch (Member)

@Laurie (or anyone), any luck figuring out how that “Error: -26276” can be overcome? I am encountering that myself and had no luck with a number of attempts. I created a new empty keychain, still the same issue (which was my attempt at brute forcing this). Not sure what else to do… I downloaded the certificate using Safari, which rendered the expected file in my download folder, so I would think that that’s not the problem. I am on the latest Sierra with all updates installed.

grayman (Member)

Geoduck –
Certainly if the VPN showed the Kleptocrostanian in the US, the stronger key would work. So I tested the system from the US using a VPN registering my IP as being in the UK and was able to get a 2048 bit key. So I suppose the theory you suggested might work… for the Kleptocrostanian to portray being in the US or the UK. Just saying… though I’m not advocating it, just testing a hypothetical.

Laurie Fleming (Member)

I must be holding my mouth the wrong way, but when I try to add the certificate, I get a dialogue box:

An error occurred. Unable to import the certificate.

Error: 26276

However it does create certificate records for my email address, COMODO SHA-256 Client Authentication and Secure Email CA and AddTrust External CA Root.

I’m puzzled.

whisper (Member)

@Jeff Butts. I’m signed in under an Admin account. (I know, not the safest from a security perspective.) The really strange thing is the lack of the Always Allow button. Not sure if there is a way to get it to appear. It is also a different box than you show above, though I followed your steps exactly and stored the certificate in the System part of my keychain.

whisper (Member)

@Jeff Butts. No. It is a different dialog box. It says “macOS wants to make changes. Enter an administrator’s name and password to allow this. macOS wants to use the “System” keychain”, then I only have an Allow or Deny box. There is no Always Allow option.

whisper (Member)

@Jeff Butts I enjoyed the article and now have Mail set up, but whenever I send an email to a new address the dialogue box I get doesn’t have an Always Allow option, and instead of Mail asking for permission to use my keychain, it is the system asking. What went wrong?

Scott Goldman (Member)

@Jeff Butts – Excellent! Thank you so much for that. I was just about to pull the trigger on uninstalling GPG and go with the native S/MIME functionality but figured I’d check here first. So glad I did. I’ll wait for the article before making my decision.

Scott Goldman (Member)

@Jeff Butts – Thanks for your comment. I’m aware of the native support for S/MIME. What I’m trying to determine is why I should consider OpenPGP (via GPG Mail Suite) if there is a built-in solution that serves the same purpose. Is there some advantage to the OpenPGP protocol that is so appreciably better that I should use that solution instead of the native one (which works with Sierra as well)? I appreciate your time and expertise.

brilor (Member)

Thank you to everyone for clarifying the process. Very helpful!
Brian

Scott Goldman (Member)

What is the advantage – or the difference – between using the method versus installing the GPG Mail Suite? They appear to both do the same thing and my preference would be to simplify things by using Apple’s internal functionality rather than additional bolt-ons. Is there something that I’m missing here or does Mail’s functionality obviate the need for GPG?

prl99 (Member)

Just got mine and it’s good for one year. The instructions in the email from Comodo also say: Tip: “Encrypt contents” will only work if you have added a digitally signed email to your address book from the person you want to encrypt the email with. I’m not sure this is accurate for Mac Mail users. Mail will search the sender’s keychain for the recipient’s email address and if it finds a certificate with that matching email, it will allow you to click and highlight the signing and encrypting button. One of the key issues can be making sure you…

prl99 (Member)

The instructions miss a vital step after step 5. The recipient must also create their own digital certificate, then respond to the original sender’s email. This way, both email users have signing and encryption certificates. Each sender then sends a signed email to other friends who also get their own certificates. Over time, this builds up a certificate library in everyone’s keychain, making it easy to send encrypted emails to recipients in their keychain. Where I used to work, our email system had an encryption client that contacted a key library that included current certificates/keys for everyone at work. These…

dave256 (Member)

@brilor, notice there are separate buttons to check for sending it digitally signed and encrypted, so the first one you send with just the digital signature (see the screenshot in step 5). And then subsequent messages can be sent with both options checked so it is encrypted.