
How do I activate inbound encryption with my public S/MIME key?

Posteo inbound encryption encrypts all newly arriving emails with your public S/MIME key. This also applies to emails that the sender did not encrypt.

Activating inbound encryption

If you wish to use inbound encryption, you will need an S/MIME key pair. In addition, this key pair needs to be set up in an email program.

If you would like to use OpenPGP to encrypt emails, please read our instructions titled How do I activate inbound encryption with my public PGP key?.

How to activate inbound encryption:

  1. Click Settings in the webmail interface
  2. Click My account
  3. Click PGP and S/MIME encryption
  4. Under “Key administration and Posteo key directory” click the email address displayed in the format keys@posteo.de, to open your email program.
    Alternatively, you could also copy the address and paste it into your preferred email program.
Activate inbound encryption with public S/MIME key - Step 1 to 4
  5. Send an S/MIME-signed email to the email address mentioned above.
    To send the email, use the email app of your choice. In the example image, Thunderbird is shown.
Activate inbound encryption with public S/MIME key - Step 5 to 6
  6. Reopen PGP and S/MIME encryption from the menu. If the key upload was successful, you will see the button Activate inbound encryption now. Click the button and confirm activation on the following screen.
To activate click "Activate inbound encryption"

From now on, Posteo will encrypt all newly arriving emails with your public S/MIME key.

If an error occurs, you will receive an email with subject Undelivered Mail Returned to Sender. In this case, upload your key again.

In this case, please also refer to our help article titled Does my S/MIME or OpenPGP key need to fulfil certain criteria?.

Activate inbound encryption with public S/MIME key - Error message

Tips and security information

  • The system encrypts emails only once they have arrived on our server. Inbound encryption is therefore no substitute for regular end-to-end encryption set up by the sender of an email.
  • If you lose your private key, you will have no access to your encrypted emails.
  • If inbound encryption with S/MIME is activated, you can no longer read your emails in the webmail interface.
  • Encrypted emails also remain encrypted after deactivating inbound encryption.

Characteristics: What you need to know about inbound encryption

Further information on inbound encryption

  • Emails that are already encrypted will not be encrypted again.
  • The system does not encrypt emails arriving via the migration service.
  • Forwarding: The system will not use your public key to encrypt emails that you forward to other accounts.
  • The system will also not encrypt emails copied to your account via IMAP.
  • Filters no longer have access to the body of the email.
  • The text search is no longer usable.
  • Inbound encryption only operates on newly arriving emails. Retrospective encryption of your archive does not occur. Neither does inbound encryption encrypt the header of your emails. For this, we recommend Posteo crypto mail storage. This can be combined with inbound encryption without issue.
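
Because headers stay unencrypted, the MIME headers of a stored message are enough to tell whether its body was encrypted, for example when reviewing a local copy of your mailbox. The following Python sketch is an added example, not Posteo code. It assumes encrypted messages use the standard S/MIME application/pkcs7-mime enveloped-data content type; the function names and the sample messages are constructed for illustration.

```python
from email import message_from_string

# Constructed sample messages; addresses and bodies are placeholders.
SAMPLES = {
    "after-activation": (
        "From: alice@example.org\nTo: me@example.net\nSubject: Invoice 17\n"
        "Content-Type: application/pkcs7-mime; smime-type=enveloped-data;\n"
        " name=\"smime.p7m\"\nContent-Transfer-Encoding: base64\n\n"
        "UExBQ0VIT0xERVI=\n"
    ),
    "before-activation": (
        "From: alice@example.org\nTo: me@example.net\nSubject: Hello\n"
        "Content-Type: text/plain; charset=utf-8\n\nReadable on the server.\n"
    ),
    "signed-upload": (  # the kind of signed mail sent in step 5
        "From: me@example.net\nTo: keys@example.net\nSubject: key\n"
        "Content-Type: multipart/signed; boundary=\"b1\"; micalg=sha-256;\n"
        " protocol=\"application/pkcs7-signature\"\n\n"
        "--b1\nContent-Type: text/plain\n\nkey upload\n"
        "--b1\nContent-Type: application/pkcs7-signature\n\nUExBQ0VIT0xERVI=\n--b1--\n"
    ),
}
ENCRYPTED = ("smime-encrypted", "pgp-encrypted")

def classify(raw: str) -> str:
    """Judge from the MIME headers alone how a stored message is protected."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # smime-type separates encrypted mail from opaque-signed mail
        kind = str(msg.get_param("smime-type", "")).lower()
        if kind in ("enveloped-data", "authenveloped-data"):
            return "smime-encrypted"
        return "smime-signed" if kind == "signed-data" else "smime-other"
    proto = str(msg.get_param("protocol", "")).lower()
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "pgp-encrypted"
    if ctype == "multipart/signed" and "pkcs7-signature" in proto:
        return "smime-signed"  # signed only: the body is still readable
    return "plaintext"

def cleartext_headers(raw: str) -> dict:
    """Headers that remain readable even when the body is encrypted."""
    msg = message_from_string(raw)
    return {h: msg[h] for h in ("From", "To", "Subject", "Date") if msg[h]}

def audit(mailbox: dict) -> list:
    """Names of messages whose body is stored without encryption."""
    return [n for n, raw in mailbox.items() if classify(raw) not in ENCRYPTED]
```

Messages listed by audit() are typically ones that arrived before activation, were copied in via IMAP or the migration service, or are only signed.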
