MacOS: Using Email Encryption in Apple’s Mail


I recently praised Apple’s Mail for making it so easy to use email encryption. This is more important than ever, since electronic privacy is front and center in our attention. Let’s look at what you need to do to get started with encrypted email using Apple’s Mail app.

Let’s walk through setting up email encryption on Apple’s Mail app (Image Credit: stevepb)

Step 1: Visit Comodo, an Email Encryption Authority

The first thing you need to do is get your encryption certificate. There are several Certificate Authorities (CAs), but Comodo is well-recognized, works well with Apple, and is free. Just go to Comodo’s main page, highlight Personal, and click Free Personal Email Certificate.

Get started from Comodo’s main page

Step 2: Select the Right Product

The page that loads will have several options, including Free Email Certificate. Click the Download button for that option.

Choose to download a personal email certificate

Step 3: Fill Out a Form

Next, you’ll fill out the application form for your free email certificate. The key size should be automatically set to 2048 (High Grade), but select that if it isn’t. Note that if you aren’t in the United States, that might not be an option for you. If it’s not an option, choose the highest grade you can.

The application form for a personal email certificate

Step 4: Download and Install Your Certificate

After a few moments, you’ll get an email from Comodo with a link to collect your certificate. Click that link, and your certificate should automatically download. Once it does, double-click it from the download location to open it and begin importing it into your Keychain. I store my encryption certificates in System, but that’s not required.

Add the certificate to your Keychain

After you click Add, Keychain Access will ask you to authenticate as a system administrator. Do so, and your certificate will be added to your Keychain.

Grant permission to Keychain Access

Step 5: Exchange Digital Signatures

If Mail is already running, quit the application and relaunch it. At this point, Mail will automatically sign your emails with your public key. You can tell that it’s done so by the new icons next to the subject line. The lock, grayed out, is to encrypt your email. The checkmark, blue, shows that the email will be digitally signed.

Digitally signing an email in Mail

When you send a signed email for the first time, you’ll be asked to grant Mail permission to sign the email. You can choose to Allow just once, but I’d recommend clicking Always Allow.

Allowing Mail to access the certificate

Step 6: Send Your Encrypted Email

Once you’ve exchanged digitally-signed emails with your recipient, you’ll be all set to send encrypted messages. To do this, simply make sure the Lock next to the subject line is blue, and Mail will encrypt the email using your certificate.

To send an encrypted email, make sure the Lock is blue

Step 7: Verifying Your Emails Are Encrypted

If you want proof that the email encryption is working, try opening your message in another mail client. You’ll see that the body of your email is in an S/MIME attachment. You can open that attachment with Keychain Access (in fact, that’s the default), but that’s the only way you can read the content.

Encrypted email in Newton

In other email clients, the body of your email will be in an S/MIME attachment

But Is It Really Encrypted?

Okay, you have your doubts. Try opening the S/MIME attachment in TextEdit, for example. You’ll see that it’s completely encrypted and unreadable.

The jumbled mess that is an encrypted message
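
Step 7 checks the result by eye. As an added example that is not part of the original article, here is a stdlib-only Python classifier that reads a raw message and reports whether it is actually S/MIME-encrypted (the enveloped-data smime.p7m attachment Step 6 produces), only signed (the Step 5 exchange, where the body stays readable), or plaintext, and flags a message whose pkcs7-mime body is not a CMS structure at all. The sample messages, addresses and the tiny DER stand-in for the CMS blob are constructed for the demo.

```python
import base64
from email import policy
from email.parser import BytesParser

# Constructed stand-in for the base64 CMS blob inside smime.p7m / smime.p7s.
# Real CMS is a DER SEQUENCE (first byte 0x30); this minimal one is not a real
# ciphertext or signature, it just lets the classifier run offline.
FAKE_CMS = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

HEADERS = "From: alice@example.com\r\nTo: bob@example.com\r\nSubject: hi\r\n"

# Step 6 result: the whole body is an S/MIME attachment (enveloped-data).
ENCRYPTED = (HEADERS
    + "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\r\n"
    + "Content-Transfer-Encoding: base64\r\n"
    + "Content-Disposition: attachment; filename=smime.p7m\r\n\r\n" + FAKE_CMS + "\r\n").encode()

# Step 5 result: clear-signed, readable text plus a detached pkcs7 signature.
SIGNED = (HEADERS
    + 'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    + ' micalg=sha-256; boundary="b1"\r\n\r\n'
    + "--b1\r\nContent-Type: text/plain\r\n\r\nHi Bob, anyone can read this.\r\n"
    + "--b1\r\nContent-Type: application/pkcs7-signature; name=smime.p7s\r\n"
    + "Content-Transfer-Encoding: base64\r\n\r\n" + FAKE_CMS + "\r\n--b1--\r\n").encode()

PLAIN = (HEADERS + "Content-Type: text/plain\r\n\r\nHi Bob\r\n").encode()

# Labelled as encrypted, but the payload is just base64 of readable text.
MISLABELED = (HEADERS
    + "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\r\n"
    + "Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(b"Hi Bob, not really encrypted").decode() + "\r\n").encode()


def smime_status(raw: bytes) -> str:
    """Return 'encrypted', 'signed', 'plaintext' or 'suspect' for a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime":
        # Opaque S/MIME: the smime-type parameter separates signed-only from encrypted.
        payload = msg.get_payload(decode=True) or b""
        if not payload.startswith(b"\x30"):
            return "suspect"  # not DER, so not a CMS structure at all
        kind = msg.get_param("smime-type", "")
        return {"enveloped-data": "encrypted", "signed-data": "signed"}.get(kind, "suspect")
    if ctype == "multipart/signed" and msg.get_param("protocol") == "application/pkcs7-signature":
        return "signed"  # body is readable; only origin and integrity are protected
    return "plaintext"


if __name__ == "__main__":
    for name, raw in [("ENCRYPTED", ENCRYPTED), ("SIGNED", SIGNED),
                      ("PLAIN", PLAIN), ("MISLABELED", MISLABELED)]:
        print(f"{name}: {smime_status(raw)}")
```

Save a message from Mail as raw source (or export it from another client, as in Step 7) and pass its bytes to `smime_status` to confirm it reports `encrypted` rather than `signed`.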

Be Careful With Those Keys

Once you’ve exchanged signed emails with someone, all of your future messages to that person will be encrypted. Of course, you can always turn that off by clicking the Lock to disable encryption. Just be very careful with your keys and certificates; if you lose them, you won’t be able to read those emails again.

26 Comments

  1. Interesting thought. Not that I’m suggesting anything. But suppose someone lived in, let’s call it Kleptocrostan, where they do not allow high level encryption. If you used a VPN routed through a server in the US I wonder if you could then get the 2048 High Grade key and use it outside the US? Not that I’d ever suggest circumventing the laws of Kleptocrostan, but it might make an interesting experiment. Purely for research purposes mind you. I would not advise or counsel anyone to break local laws. (nudge nudge, wink wink).

  2. Old UNIX Guy

    Geoduck,

    Not sure about Kleptocrostan, but in the People’s Republic of Delusional Egomaniacs with Laughable Combovers … or in Comeystan … I’d recommend trying…

  3. TitanTiger

    I sent an email to one of my other email accounts digitally signed, and replied from that email back. But I still don’t have the encrypt option available. Still greyed out.

  4. Jeff Butts

    @TitanTiger: that’s odd. Do all of the emails show being digitally signed? Apple has stopped recognizing a couple of CAs, including StartSSL.

    @Brilor: yes, you have to exchange signed emails with the recipient first.

  5. @Jeff Butts: what does “exchange signed emails” mean? If I send an encrypted email to my buddy, they won’t be able to read it and vice versa, so I don’t see how that enables my buddy to read my email and me his. Don’t we have to exchange certificates or keys or something? Anyway, the process isn’t clear for me, although your setup instructions for the sender are crystal clear. Thank you. Brian

  6. @brilor
    I tried this a number of years ago but haven’t done it recently, so here’s my understanding. The first message you send “digitally signed” (but must not be encrypted) to the person will contain your public key which then gets stored in their keychain. So then you can send them subsequent messages that are encrypted and they have your public key to decrypt them from the first message.

  7. @brilor, notice there are separate buttons to check for sending it digitally signed and encrypted, so the first one you send with just the digital signature (see the screenshot in step 5). And then subsequent messages can be sent with both options checked so it is encrypted.

  8. Jeff Butts

    @brilor: The latest responses are correct. To answer your question as I understand it, though, exchanging signed emails means the other person has to send you a signed email, too. In other words, assuming they are using Apple Mail, they need to send you an email with the check mark turned blue. On your end, you’ll see next to the sender’s email address “signed” in parentheses.

  9. The instructions miss a vital step after step 5. The recipient must also create their own digital certificate, then respond to the original sender’s email. This way, both email users have signing and encryption certificates. Each sender then sends a signed email to other friends who also get their own certificates. Over time, this builds up a certificate library in everyone’s keychain making it easy to send encrypted emails to recipients in their keychain. Where I used to work, our email system had an encryption client that contacted a key library that included current certificates/keys for everyone at work. These keys were updated regularly. I don’t know how long Comodo’s certificate is signed for but they do expire, requiring them to be updated.

  10. Just got mine and it’s good for one year. The instructions in the email from Comodo also says:

    Tip: “Encrypt contents” will only work if you have added a digitally signed email to your address book from the person you want to encrypt the email with.

    I’m not sure this is accurate for Mac Mail users. Mail will search the sender’s keychain for the recipient’s email address and if it finds a certificate with that matching email, it will allow you to click and highlight the signing and encrypting button. One of the key issues can be making sure you use the same email address. I have multiple alias domains since I started with mac.com, then me.com, and finally icloud.com. I still use my mac.com domain but it gets tricky with the others. The encryption certificate usually only works for the main address.

  11. What is the advantage – or the difference – between using the method versus installing the GPG Mail Suite? They appear to both do the same thing and my preference would be to simplify things by using Apple’s internal functionality rather than additional bolt-ons. Is there something that I’m missing here or does Mail’s functionality obviate the need for GPG?

  12. Jeff Butts

    @scott721: Apple Mail includes native support for S/MIME encryption. OpenPGP, which is what the GPG Mail Suite uses, follows a different protocol. Also, the GPG Mail Suite isn’t yet supported under macOS Sierra.

  13. @Jeff Butts – Thanks for your comment. I’m aware of the native support for S/MIME. What I’m trying to determine is why I should consider OpenPGP (via GPG Mail Suite) if there is a built-in solution that serves the same purpose. is there some advantage to the OpenPGP protocol that is so appreciably better that I should use that solution instead of the native one (which works with Sierra as well). I appreciate your time and expertise.

  14. @Jeff Butts – Excellent! Thank you so much for that. I was just about the pull the trigger on uninstalling GPG and go with the native S/MIME functionality but figured I’d check here first. So glad I did. I’ll wait for the article before making my decision.

  15. @Jeff Butts I enjoyed the article and now have Mail set up, but whenever I send an email to a new address the dialogue box I get doesn’t have an Always Allow option, and instead of Mail asking for permission to use my keychain, it is the system asking. What went wrong?

  16. @ Jeff Butts. No. It is a different dialog box. It says “macOS wants to make changes. Enter an administrator’s name and password to allow this. macOS wants to use the “System” keychain” then I only have an Allow or Deny box. There is no always allow option.

  17. Jeff Butts

    @whisper, are you signed in with a Standard user account or an Administrator account? If Standard, you may have to authenticate with an administrator account for it to work.

  18. @ Jeff Butts. I’m signed in under an Admin account. (I know, not the safest from a security perspective.) The really strange thing is the lack of the Always Allow button. Not sure if there is a way to get it to appear. It is also a different box than you show above, though I followed your steps exactly and stored the certificate in the System part of my keychain.

  19. I must be holding my mouth the wrong way, but when I try to add the certificate, I get a dialogue box:

    An error occurred. Unable to import the certificate.

    Error: 26276

    However it does create certificate records for my email address, COMODO SHA-256 Client Authentication and Secure Email CA and AddTrust External CA Root.

    I’m puzzled.

  20. Geoduck –
    Certainly if the VPN showed the Kleptocrostanian in the US, the stronger key would work. So I tested the system from the US using a VPN registering my IP as being in the UK and was able to get a 2048-bit key. So I suppose the theory you suggested might work… for the Kleptocrostanian to portray being in the US or the UK. Just saying… though I’m not advocating it, just testing a hypothetical.

  21. sventhegrinch

    @Laurie (or anyone), any luck figuring out how that “Error: -26276” can be overcome? I am encountering that myself and have had no luck with a number of attempts. I created a new empty keychain, still the same issue (which was my attempt at brute forcing this). Not sure what else to do… I downloaded the certificate using Safari, which rendered the expected file in my download folder, so I would think that that’s not the problem. I am on the latest Sierra with all updates installed.

  22. sventhegrinch

    @Laurie, I found a way to get past this… I am still getting the error, but it now loads the certificate ok (the entry with the email name has a sub key now when I click on the expander arrow).

    What I had done wrong was that I started the certificate request with firefox, and when that didn’t result in a proper certificate I tried that same link with Safari. That got me the certificate, but it was clearly busted.

    So make sure you request the certificate in Safari and also download it in Safari. You will have to revoke the certificate first, though, following the revoke link in the original mail you got from instantssl (using the revoking password you specified).

    Hope that this was your issue as well, and this resolves it.

    Sven
