MacOS: Using Email Encryption in Apple’s Mail

email encryption

I recently praised Apple’s Mail for making it so easy to use email encryption. This is more important than ever, since electronic privacy is front and center in our attention. Let’s look at what you need to do to get started with encrypted email using Apple’s Mail app.

Step 1: Get Your Certificate from Actalis, a Free Email Encryption Authority

The first thing you need to do is get your encryption certificate. There are several Certificate Authorities (CAs), but many have stopped providing free options. On the other hand, Actalis recently began offering free S/MIME certificates for email. To get started, click over to the Actalis website and verify your email. Then, prove you aren’t a robot. Check all the appropriate boxes and click Submit Request. In moments, your certificate will arrive in your email.

Actalis provides a free S/MIME certificate in 4 simple steps
You can get your free Actalis S/MIME certificate in four easy steps

Step 2: Download and Install Your Certificate

After a few moments, you’ll get an email from Actalis with your certificate and the link and password to manage it. Drag the link from your email to your Downloads folder, then click on it to unzip the archive. Once unzipped, double-click the certificate file (ending in file extension .pfx) from the download location to open it and begin importing it into your Keychain. I store my encryption certificates in login, and you should too. Yes, the image below shows System, but I learned that placing it there resulted in having to enter my login credentials many, many times to send and decrypt emails. When I reinstalled the certificate, the window below never returned, and the certificate went to login.

Installing an S/MIME Certificate on macOS Catalina
Choose where you want to install your certificate. I keep mine in System.

After you click Add, Keychain Access will ask you to authenticate as a system administrator. Do so, and your certificate will be added to your Keychain.

Modifying Keychain Access requires administrative access
You’ll need your administrative password to install an S/MIME certificate.

Next, you’ll be prompted to enter the password for your certificate. This was displayed on the final page, notifying you that your certificate had been generated and emailed to you. After that, macOS will prompt you one more time for your administrator password, and then you’ll be done.

Providing the password for your S/MIME certificate
You’ll be prompted to enter the password provided when your S/MIME certificate was emailed to you.

Step 3: Exchange Digital Signatures

If Mail is already running, quit the application and relaunch it. At this point, Mail will automatically sign your emails with your public key. You can tell that it’s done so by the new icons next to the subject line. The lock, grayed out, is to encrypt your email. The checkmark, blue, shows that the email will be digitally signed.

Digitally signing an email in Mail
Digitally signing an email in Mail

When you send a signed email for the first time, you’ll be asked to grant Mail permission to use the keychain the certificate is stored within. Provide your user name and password, then click Allow.

Granting Mail permission to modify the keychain
You need to provide your administrative credentials one more time

Step 4: Send Your Encrypted Email

Once you’ve exchanged digitally-signed emails with your recipient, you’ll be all set to send encrypted messages. To do this, simply make sure the Lock next to the subject line is blue, and Mail will encrypt the email using your certificate.

To send an encrypted email, make sure the Lock is blue
To send an encrypted email, make sure the Lock is blue

Step 5: Verifying Your Emails Are Encrypted

If you want proof that the email encryption is working, try opening your message in another mail client. You’ll see that the body of your email is in an S/MIME attachment. You can open that attachment with Keychain Access (in fact, that’s the default), but that’s the only way you can read the content.

Encrypted email in Newton
In other email clients, the body of your email will be in an S/MIME attachment

But Is It Really Encrypted?

Okay, you have your doubts. Try opening the S/MIME attachment using TextEditor, for example. You’ll see that it’s completely encrypted and unreadable.

The jumbled mess that is an encrypted message
The jumbled mess that is an encrypted message

Be Careful With Those Keys

Once you’ve exchanged signed emails with someone, all of your future messages to that person will be encrypted. Of course, you can always turn that off by clicking the Lock to disable encryption. Just be very careful with your keys and certificates; if you lose them, you won’t be able to read those emails again.

What Happens When a Certificate Expires?

Almost all S/MIME certificates have expiration dates, and you can’t just renew them. You have to obtain a new certificate. However, you should not delete your public and private keys from your Keychain. You will still need them to open and decrypt older encrypted emails. You just won’t continue using them to encrypt new email messages.

This article has been updated to use a new S/MIME certificate provider, and reflect changes in Apple Mail on macOS Catalina.

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Oldest Most Voted
Inline Feedbacks
View all comments

According to the up to 3 years old comments, this seems to be a recycled article.
I tried a month ago the Actalis certificate and there is a problem. Not sure on perpetrator, but installing the certificate on Mac, iPhone and iPad it works (signature) for a while but after 2-3 days the messages sent from device 1 is showing as correctly signed on the same device, but on devices 2 and 3 are marked red as untrusted signature and marry-go-round…

Last edited 1 year ago by 1252

Installed the same certificate on multiple devices?

John Kheit

Aww dude this is fantastic. You rock Jeff! Thanks so much for the great writeup!

The Comodo service is not free in Europe: they charge €27.16 for an S/MIME certificate. Better to use MacGPG.


I used these instructions a year ago to get S/MIME working and then the certificate expired – this is how I got a new one. I’m on a Mac. Turns out you can’t renew a certificate, you have to create a new one. So I followed the steps above again, using Safari (same as last time) because it didn’t work for me on Firefox originally. When I downloaded the cert from Comodo using Safari there was a problem with it – the private key was not included. So I tried Firefox and although the message said that the certificate had been installed… Read more »


Is there any way of getting the certificate on an iPhone without a Mac?


@Laurie, I found a way to get past this… I am still getting the error, but it now loads the certificate ok (the entry with the email name has a sub key now when I click on the expander arrow). What I had done wrong was that I started the certificate request with firefox, and when that didn’t result in a proper certificate I tried that same link with Safari. That got me the certificate, but it was clearly busted. So make sure you request the certificate in Safari and also download it in Safari. You will have to revoke… Read more »


@Laurie (or anyone), any luck figuring out what that “Error: -26276” can be overcome? I am encountering that myself and had no luck with a number of attempts. I create a new empty keychain, still the same issue (which was my attempt at brute forcing this). Not sure what else to do… I downloaded the certificate using safari, which rendered the expected file in my download folder, so I would think that that’s not the problem. I am on the latest Sierra with a updates installed.


Geoduck –
Certainly if the VPN showed the Kleptocrostanian in the US, the stronger key would work. So i tested the system from the US using a VPN registering my IP as being in the UK and was able to get 2048 bit key. So I suppose the theory you suggested might work…for the Kleptocrostanian to portray being in the US or the UK. Just saying…though I’m not advocating it, just testing a hypothetical.

Laurie Fleming

I must be holding my mouth the wrong way, but when I try to add the certificate, I get a dialogue box:

An error occurred. Unable to import the certificate.

Error: 26276

However it does create certificate records for my email address, COMODO SHA-256 Client Authentication and Secure Email CA and AddTrust External CA Root.

I’m puzzled.


@ Jeff Butts. I’m signed in under an Admin account. (I know not the safest from a security perspective) The really strange thing is the lack of the always accept button. Not sure if there is a way to get it to appear. It is also a different box than you show up above, though I followed your steps exactly and stored the certificate in the system part of my keychain


@ Jeff Butts. No. It is a different dialog box. It says “macOS wants to make changes. Enter an administrator’s name and password to allow this. macOS wants to use the “System” keychain” then I only have an Allow or Deny box. There is no always allow option.


@jjcyr Butts I enjoyed the article and now have mail set up, but when ever I send an email to a new address the dialogue box I get doesn’t have a always allow option, and instead of Mail asking form permission to use my keychain, it is the system asking. What went wrong?

Scott Goldman

@jjcyr Butts – Excellent! Thank you so much for that. I was just about the pull the trigger on uninstalling GPG and go with the native S/MIME functionality but figured I’d check here first. So glad I did. I’ll wait for the article before making my decision.

Scott Goldman

@jjcyr Butts – Thanks for your comment. I’m aware of the native support for S/MIME. What I’m trying to determine is why I should consider OpenPGP (via GPG Mail Suite) if there is a built-in solution that serves the same purpose. is there some advantage to the OpenPGP protocol that is so appreciably better that I should use that solution instead of the native one (which works with Sierra as well). I appreciate your time and expertise.


Thank you to everyone for clarifying the process. Very helpful!

Scott Goldman

What is the advantage – or the difference – between using the method versus installing the GPG Mail Suite? They appear to both do the same thing and my preference would be to simplify things by using Apple’s internal functionality rather than additional bolt-ons. Is there something that I’m missing here or does Mail’s functionality obviate the need for GPG?