Inbound encryption encrypts all newly arriving emails with your public S/MIME or OpenPGP key. This includes when the sender of an email does not encrypt it.

Activating inbound encryption

If you wish to use inbound encryption, you will need an OpenPGP key pair. In addition, this key pair needs to be set up in an email program or the browser add-on Mailvelope.

If you use S/MIME to encrypt emails, please read our instructions titled How do I activate inbound encryption with my public S/MIME key?

How to activate inbound encryption:

1. Export your public OpenPGP key as a file
   We explain how this works for Enigmail and Mailvelope.
2. Click Settings in the webmail interface
3. Click My account
4. Click PGP- and S/MIME-encryption
5. Under “Key administration and Posteo key directory” click the email address displayed in the format keys@posteo.de to open your email program
   Alternatively, you could also copy the address and paste it into your preferred email program.

6. Attach the public key file exported in step 1 to an email.
7. Click Send

8. After about 60 seconds, reopen PGP- and S/MIME-encryption from the menu. If the key upload was successful, you will see a button Activate inbound encryption now – click the button and confirm activation on the following screen.

From now on, Posteo will encrypt all newly arriving emails with your public OpenPGP key.

If an error occurs, you will receive an email with subject Undelivered Mail Returned to Sender. In this case, upload your key again.

In this case, please also refer to our help article titled Does my S/MIME or OpenPGP key need to fulfil certain criteria?.

Tips and security information

• The system first encrypts emails when they arrive on our server. Inbound encryption is therefore no substitute for regular end-to-end encryption set up by the sender of an email.
• If you lose your private key, you will have no access to your encrypted emails.
• If inbound encryption with OpenPGP is activated, you can only read your emails if your device supports PGP. Important: Programs that only support InlinePGP can not decrypt inbound-encrypted emails.
• If you activate inbound encryption, you can only read newly arriving emails in the webmail interface using the browser add-on Mailvelope.
• Encrypted emails also remain encrypted after deactivating inbound encryption.

Further information on inbound encryption

• Emails that are already encrypted will not be encrypted again.
• The system does not encrypt emails arriving via the migration service.
• Forwarding: The system will not use your public key to encrypt emails that you forward to other accounts. If you would like the system to encrypt forwarded emails with your public key, you can use our filters to achieve this.
• The system also will not encrypt emails copied to your account via IMAP.
• The text search is no longer usable.
• Inbound encryption only operates on newly arriving emails. Retrospective encryption of your archive does not occur. Inbound encryption does not encrypt the header of your emails. For this, we recommend Posteo crypto mail storage, which can be combined with inbound encryption without issue.

Related help articles

• Replacing a key: How do I upload a new key for inbound encryption?
• How do I deactivate inbound encryption?
• How do I delete my public key from the Posteo server?