Send and Receive Encrypted Email with Apple Mail

With the release of OS X 10.7, Apple engineers brought a serious update to Apple Mail.  When this happened I was finally able to cast Microsoft Outlook (formerly Microsoft Entourage) aside.  Entourage was functional but slow.  But when it was deprecated in favor of Outlook, things went sideways.  Microsoft went for a complete rewrite of the codebase and in doing so introduced significant issues into the product, many of which they have yet to fully resolve.  So when Apple Mail turned out to be a truly impressive update, I made the switch and have not regretted the change.

One of my larger issues with Entourage and Outlook was their support for encrypted email.  It worked, in the technical sense, but it never worked well… at least in my opinion.  Conversely, Apple Mail just works.  No qualification necessary, no messing around.  It just works.  The only tricky part is the initial configuration.  Here we will configure Apple Mail (version 5.1, the version that ships with OS X 10.7.1) to send encrypted messages.

To start the process, we need an encryption certificate.  Comodo.com offers a free certificate at the following address that is valid for one year.  It seems to be issued instantly, which is also ideal.  And the request process is much simpler than that of other services I have used in the past.  Visit Comodo’s free email certificate site and fill out the form.

Be sure to specify a key size of 2048 and make note of the revocation password that you come up with on this page.  It’s unlikely, but you might need it in the future.  Once the form is complete and the agreement is marked as accepted, Comodo will email instructions to the email address you specify.

When Comodo sends the Certificate and Install Instructions to the specified email address, the message includes a link titled Click & Install Comodo Email Certificate.  Before you do this, I strongly suggest setting Safari as the default web browser… at least for the moment.  An error is thrown if Chrome is the default browser.  I’m not sure what Firefox would do.  Safari will be the safest way to make it through this process.

To set the default browser for the system, simply launch Safari and then select Preferences from the Safari menu.  In the General tab, select Safari from the Default Web Browser menu.  Exit the preferences window and your change is complete.  If you don’t normally use Safari as your default browser, you can always return to Safari and change the default back once you are done installing the certificate.

Safari downloads the certificate to your Downloads folder.  I think it is supposed to add it to your Keychain automatically, but this was not the case for me with OS X 10.7.1.  I had to go to the Downloads directory and then double click on the downloaded file titled CollectCCC.p7s.  When I did, the system launched the Keychain Access application and showed a dialog requiring me to select the destination keychain for the certificate.  I added the certificate to my Login keychain.  Now quit out of Keychain Access.  Quit Apple Mail and then reopen the app.  This gets the app to take a fresh look at the data in the keychain.

Now when you create a new email message, make sure the From menu has the email account selected that the encryption certificate was issued for.  Notice the two icons at the far right.  One is a lock that is likely grayed out.  The other is a check mark that may or may not be grayed out.

Here’s what you need to know about the lock and check mark icons.  The check mark means that a digital signature is attached to the message.  The idea with the signature is that it represents to the recipient that the message has not been altered while in transit (no changes were made between the time you wrote the message and the time your recipient read it in their inbox).  The lock icon means the message is encrypted.

In order to exchange encrypted email messages with another user, both of you must go through the process of setting up your email client for secure messaging.  If only one of you has a certificate installed, it will not be possible to encrypt the message.

Before you can send an encrypted email to another user, you must first exchange signed emails.  This means that you must send your contact a message that has been digitally signed (check mark active, not grayed out).  Your recipient must then either respond to your message with a reply that has been digitally signed using a certificate on their end, or send you an entirely new message that has been digitally signed.  In either case, the email client will use the exchange to store the public key portion of the other user’s certificate on your system.  This is stored either in your system keychain or in the address book.  I believe that OS X stores the associated contact’s public key in the address book, so it may be necessary to add your associate to your address book if they are not already there.

Once the exchange of signed emails has taken place, it should now be possible to exchange encrypted email messages.  When you create a new email message, the lock icon should now be available to click.  If it is grayed out or shows as unlocked, the message will be unencrypted.  With a click of the icon, the lock should turn black and the padlock should show as locked.  This means that the message will be encrypted and thereby secure.

Since sending encrypted messages requires the exchange of signed messages prior to the exchange of encrypted messages, everyone included in a message must be a recipient with whom you have previously done a signature exchange.  If you create a new email that includes a series of recipients, some of whom you can send encrypted messages to and some you cannot, then your email client will not allow you to encrypt the message.  Some sort of error will be thrown.  The nature of the error will differ depending on the email client.

Encrypted email is not what I would refer to as simple or straightforward.  The process will need to become far more intuitive before it becomes mainstream.  Until then, only the technically adept will be able to secure their correspondence.

And for anyone looking to use encrypted email, there are a few additional points to keep in mind.  Webmail interfaces cannot send or read encrypted messages.  This includes popular browser-based email clients such as Gmail, AOL Mail, and Yahoo.  An encrypted message will appear in a webmail client.  The sender will be displayed, as will the subject of the message.  But the contents of the message will not be displayed in a readable format.  To date, no webmail service has a facility for dealing with encrypted email messages.  So keep in mind that any mail exchanges that contain secure email will be limited to modern desktop email programs like Apple Mail.  This limits flexibility of options such as checking your mail from a web browser while on the road.

When Apple released iOS 5 for the iPhone, iPod Touch, and iPad, rudimentary support for encrypted email was added to both the operating system and the built-in mail client.  Look for a followup post detailing how to configure iOS 5 to work with encrypted email.

UPDATE: 11/10/11 11:00am
I have some feedback from a couple of users that might help the rest of us.  First of all, I want to underscore Safari as a requirement when requesting the certificate from Comodo.  I had someone use Firefox by mistake and the certificate seemed to download without issue, but for some reason it kept installing into the wrong part of the Keychain.  And when it was in the wrong location in Keychain, Mail would never find it.  So, please be 100% certain to use Safari when requesting and when downloading the CollectCCC.p7s file from Comodo.

The second point worth clarifying is the proper location of the certificate within Keychain Access following import.  As explained, with OS X 10.7, it should be possible simply to double click on the CollectCCC.p7s file after it has been downloaded from Comodo.  Ideally the OS will open Keychain Access and import the certificate to the correct location.  On the chance that your system does not run this process automatically, it should be possible to open Keychain Access (/Applications/Utilities) and then select Import Items from the File menu.  Browse to the CollectCCC.p7s file and make sure the Destination Keychain is set to Login.

Once the certificate is imported into the Keychain, it is critical to be sure that it was saved in the correct location.  There are two categories inside of Keychain that hold certificates.  The correct location for email certs is labeled My Certificates.  Once the certificate has been imported into Keychain, select the Login keychain, then select the My Certificates category.  On the right, there should be a certificate listed using your specified email address as its name.  If it’s there, everything is set and ready for the Mail app to automatically locate the installed certificate.

If you have imported the certificate and you don’t see it listed under My Certificates, look for it under the Certificates category.  If it is located there and has a name that is your email address, it means that the certificate imported into the wrong location.  In the case of one user, his cert imported to this location every time because he had requested the Comodo cert and downloaded it using Firefox by mistake.  In order to correct the issue he had to delete the cert from the Certificates category and then go back to Comodo and revoke the initial cert using the password he provided when he first generated the file.  Then he had to go back and create a new certificate using Safari.

There are a lot of things that can go wrong along the way.  Making sure the certificate has been properly imported into the correct part of the OS Keychain is key.  If the certificate with your email address is not located in the My Certificates category, there is no way Mail will be able to utilize it.  Confirming the certificate’s import and proper location should be step one in any troubleshooting process.
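The My Certificates check above can also be done from Terminal with the macOS `security` tool. This is an added example, not from the original post: Keychain Access lists a certificate under My Certificates only when its private key is in the same keychain (an identity), `security find-identity -p smime -v` lists exactly those identities, and `security find-certificate -e` finds the certificate whether or not a key is present, so comparing the two separates "installed correctly" from "imported without its private key" (the Firefox failure mode) and "not imported at all". It assumes the Login keychain is in the default keychain search list.

```shell
#!/bin/sh
# Added example: diagnose whether Mail can use an S/MIME certificate for
# an email address, by comparing identities (cert + private key) with
# certificates alone.  Not part of the original post.

# diagnose EMAIL IDENTITY_OUTPUT CERT_OUTPUT
# Pure text logic, so it can be exercised with constructed output on any OS.
# Prints one of: ok | cert-without-key | missing
diagnose() {
  email="$1"
  identities="$2"
  certs="$3"
  # `security find-identity -p smime -v` lines look like:
  #   1) <40 hex chars> "alice@example.com"
  # (the email is used verbatim in the regex, so '.' in it is a wildcard)
  if printf '%s\n' "$identities" \
       | grep -E "^ *[0-9]+\) [0-9A-F]{40} \"$email\"" >/dev/null; then
    echo ok                 # identity present: shows under My Certificates
  elif [ -n "$certs" ]; then
    echo cert-without-key   # only under Certificates: private key missing
  else
    echo missing
  fi
}

# Live check on a Mac.  Assumption: the default keychain search list
# includes the Login keychain (the normal configuration).
diagnose_live() {
  diagnose "$1" \
    "$(security find-identity -p smime -v 2>/dev/null)" \
    "$(security find-certificate -a -e "$1" 2>/dev/null)"
}

# Usage: sh check_smime_identity.sh alice@example.com
if [ "$#" -eq 1 ]; then
  diagnose_live "$1"
fi
```

A result of `cert-without-key` matches the symptom described above: the certificate is visible in Keychain Access but Mail never offers the check mark or lock.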

14 Responses to Send and Receive Encrypted Email with Apple Mail
  1. Anonymous

    Thanks.

    You made it clean and simple

  2. daria

    Thanks a lot!! It is the first nice explanation I found!

  3. Godot Gogo

    By far the best guide!

    Thanks a ton!

  4. Tina

    A couple of corrections… It’s Entourage, not Encourage — I’m assuming that you were “unhelped” by your friendly spellchecker.

    Second, certificates are fairly mobile. I’m not so convinced of the need to revoke the issued cert when problems were encountered with Firefox. Firefox does not use Apple’s Keychains but a downloaded file should be importable as long as it wasn’t damaged. What’s more likely is that Firefox is storing the certs in its own certificate storage spot — which means that the certificate(s) can be exported from Firefox and then imported to Keychain Access. The format of the exported certificate(s) then becomes important. I’m happy to be corrected on this if I am wrong.

    • Steve Manke

      Tina, thanks for the comments! You’re right about Entourage and the spellchecker. But, even more sadly, my tired eyes missed it every time. Embarrassing! :-)

      I should take another look at this. Firefox has been updated at least a dozen times since I did the original post. But you’re right. It shouldn’t be doing anything non-standard with the cert. That said, for the path of least resistance, Safari seems to be the way to go.

      I’m using Chrome as my default browser these days so I should do an update to the post and see what’s really changed. The only thing that still seems to be the same is that this is still a more difficult process than it should be. It’s 2013 for goodness sake! :-)

  5. Hendri Hondorp

    Hi Steve,

    Thanks for your perfect explanation about secure email with Apple Mail. It works great at my office.

    I have a question for you and maybe you can help me with it:
    I have 2 mail accounts using Mail.app, one is my university (my work) account and one is a gmail account (private). My university account is signed and this works fine, but only when I start a new message. When I send a new message to someone whose public key I have received earlier, I can send an encrypted email to him. That’s correct!

    But when I reply to him/her I have to do strange things: set my account using the “From:” button from my univ account to my gmail and back to univ account. Only this way the email message is signed and encrypted.
    Is this a bug?

    • Steve Manke

      Hendri,

      Double check that you have certificates for both accounts installed. What you are describing makes me suspect that you might only have one for your university account. It would explain why Mail keeps pointing you in that direction. You should be able to add a second cert for your gmail account. Once it is in place (and you have traded the initial requisite signed emails first), you should be back on track with your gmail account.

      I have been experimenting with this mod for Apple Mail: https://gpgtools.org/

      That is proving to be an easier way to get encrypted email running in Apple Mail. The difference being that this method uses public/private key based encryption. But it installs a module into Apple Mail and the site has a video tutorial that makes understanding what is happening so much easier.

      It might be worth looking at if my first suggestion doesn’t do the trick. I plan on doing a post about gpgtools in the near future as well.

      I hope that helps!

  6. Josef A.

    thanks for precious information here. especially about where the certs are supposed to reside.

    unfortunately, my certs always do end up in “Certificates” and not in “My Certificates”. been trying to do the whole process several times now, including applying for a new cert, but no luck.

    within the Keychain Access app it’s not possible to move the certs either … which would be nice.

    so … i am stuck, badly stuck !

    • Steve Manke

      Josef,

      When you download the cert, are you using Safari? For me, as long as I was using Safari, it would just sort of put things into Keychain properly. I didn’t have a choice that let the software make a mistake.

      Also, what version of the OS are you using? Maybe there’s a bug in that version. I’ll do some checking.

      • Josef

        Yes, using SAFARI 7.0.4 on Mac OS X (10.9.3), everything very “fresh” after setting up this system just a couple of days ago.

        Started with getting a certificate from Comodo, but thought I should try other companies that provide free certificates. Ran into the same problem with a certificate from another company, don’t remember which. But third attempt with a certificate from CAcert.org made me happy.

        With this certificate from CAcert things seem to work fine and problem seems to be resolved.

        Which makes me state that Safari and/or the Keychain Access app do treat apps from different companies differently, probably also depending on how the certificates are “shaped”.

        • Steve Manke

          Good to know! I haven’t had to install a new cert in some time, so I haven’t run into the issue.

          This entire process is still entirely too invasive, if you ask me. If it was easier, encryption would be much more common and email wouldn’t feel like it’s still stuck in the 1990’s.

          There is no way that the “average computer user” can manage something like this. That disappoints me.

          • Josef

            I completely agree that this somehow prevents most people from starting to encrypt their e-mails.

            Now … I am having this thing ahead of me to make that certificate working for the mail client on my iPhone as well …

  7. MaX

    Great article. Thanks!

    But is there a way to prevent digitally signed emails by default with Apple Mail? If possible I would like NOT to use such feature of digitally signed emails by default. How?

    Why? Because I do not want it as default and because I have had issues with recipients not being able to see such messages or even open their associated attachments. A real nightmare.

    Thanks.

    • Steve Manke

      That’s a great question. I had that problem with one contact but I don’t recall what was causing it. I’m sure it was either my friend’s email client or something unusual about his mail service, but I don’t think I ever found the cause.

      To the best of my knowledge, there isn’t a way to keep Mail from signing each message by default. The software is a little too “helpful” in that regard.
