If you have general questions about S/MIME encryption, you can find more information here.
In previous articles, we explained how to configure S/MIME and how to encrypt and decrypt emails. Normally, this requires that the sender already has your public key in order to encrypt a message for you.
But what about all emails delivered to your mail.ch mailbox that were not encrypted by the sender?
These emails are usually stored unencrypted in your mailbox and can be read by anyone with access to it — potentially attackers, authorities, or even the provider itself.
Would it not make sense to automatically encrypt incoming emails using your public key?
With S/MIME incoming encryption, we provide a system that allows you to define in the mail.ch webmailer settings whether all incoming emails — or only specific ones — should be encrypted automatically using your public key.
This does not guarantee that an email was encrypted during transmission from sender to recipient. However, it ensures that once the email has been delivered to your mail.ch mailbox, it is stored encrypted and protected from unauthorized access — including from us. Only you can decrypt and read these emails using your private key.
Prerequisite: You must already have created an S/MIME key pair (private key and public key) and be familiar with using S/MIME.
Once an email has been encrypted, only you can decrypt and read it. Decryption is NOT possible via the mail.ch webmailer, because that would require us to possess — or potentially gain access to — your private key. This is explicitly avoided for security reasons.
To decrypt and read your emails, you must therefore use an external email client where S/MIME is configured and your private key is installed.
Your public key, however, can be safely provided to us, as it is only used to encrypt incoming emails.
To use S/MIME incoming encryption, you must provide the valid public key associated with your email address. This can be any mail.ch email address or an alias belonging to your account.
The public key is considered valid if:
The public key is now assigned to your email address.
You can now define rules to determine which incoming emails should be encrypted.
In the settings menu under "Messages / E-Mail", click on "Rules."
After creating the rule, it will appear in the lower section "All Rules". Ensure that this rule is listed at the top. If necessary, move it to the top position using the arrow buttons.
You can also define rules so that only emails matching specific conditions are encrypted — for example, based on sender (From:) or subject line.
Additional actions can follow encryption. For example, after encryption, the email can automatically be moved to a specific folder.
After creation, the rule will be listed under "All Rules."
If you no longer wish to use S/MIME incoming encryption, simply delete the corresponding rule(s). The public key can remain stored at mail.ch.
You may also completely delete the public key if it is no longer used in any rule. It will remain valid but will no longer be available for encryption in mail.ch.
If you need to replace an old public key (for example, if it has expired), you can retain all existing rules. Simply edit the rule and replace the old key with the new one.
If you generate multiple S/MIME key pairs for your email address, you can add multiple public keys for incoming encryption. For example, you could encrypt all emails from Person X with Public Key 1 and all emails from Person Y with Public Key 2.
To check whether an email was encrypted by the sender or only encrypted after delivery via incoming encryption, it is recommended to use a different public key for incoming encryption than the one you have distributed to contacts or published on public key servers.
S/MIME incoming encryption only considers emails that were delivered unencrypted. When decrypting emails in an external email client with your S/MIME private key, you can tell which public key was used from which private-key passphrase you are asked for.
Additionally, the email headers indicate whether the encryption was applied by mail.ch. If S/MIME incoming encryption encrypted a previously unencrypted email, the header "X-MDE-SMIME: 1" is added.
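The following is an added example, not code from mail.ch. It shows how an external client or a mailbox audit script can use the two signals described above, the standard S/MIME MIME type for enveloped data and the "X-MDE-SMIME: 1" header, to tell whether a stored message was encrypted by the sender, encrypted only after delivery by incoming encryption, or never encrypted at all. The three sample messages are constructed for the example (the base64 body is a placeholder, not a real CMS blob); only the header name and the S/MIME content type are taken from the page and the RFC 8551 standard.

```python
"""Classify how a stored message came to be encrypted.

Added example (not mail.ch's own code). Assumptions: the provider adds
"X-MDE-SMIME: 1" when it encrypts a message after delivery (from the page),
and S/MIME-encrypted mail carries Content-Type application/pkcs7-mime with
smime-type=enveloped-data (RFC 8551). Sample messages below are constructed.
"""
from email import policy
from email.parser import BytesParser

# Constructed sample messages, not real captures. The base64 body is a placeholder.
SENDER_ENCRYPTED = b"""From: alice@example.com
To: me@mail.ch
Subject: report
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIIBplaceholderplaceholder
"""

INCOMING_ENCRYPTED = b"""From: bob@example.com
To: me@mail.ch
Subject: invoice
X-MDE-SMIME: 1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIIBplaceholderplaceholder
"""

PLAINTEXT = b"""From: carol@example.com
To: me@mail.ch
Subject: hello
Content-Type: text/plain; charset=utf-8

Hi there
"""


def is_smime_enveloped(msg):
    """True if the top-level MIME type is S/MIME enveloped (encrypted) data."""
    ctype = msg.get_content_type()  # normalised to lowercase "type/subtype"
    smime_type = (msg.get_param("smime-type") or "").lower()
    # RFC 8551 registers application/pkcs7-mime; the older x-pkcs7-mime form still occurs.
    return ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime") \
        and smime_type == "enveloped-data"


def classify(raw_bytes):
    """Return one of: encrypted-by-sender, encrypted-at-rest-by-provider,
    plaintext, or inconsistent (header claims provider encryption but the
    body is not S/MIME enveloped data)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    by_provider = msg.get("X-MDE-SMIME", "").strip() == "1"
    enveloped = is_smime_enveloped(msg)
    if enveloped and by_provider:
        return "encrypted-at-rest-by-provider"
    if enveloped:
        return "encrypted-by-sender"
    if by_provider:
        return "inconsistent"
    return "plaintext"


def audit(raw_messages):
    """Count messages per category, e.g. to confirm an encryption rule is
    actually catching everything it should."""
    counts = {}
    for raw in raw_messages:
        label = classify(raw)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for name, raw in [("sender", SENDER_ENCRYPTED),
                      ("incoming", INCOMING_ENCRYPTED),
                      ("plain", PLAINTEXT)]:
        print(f"{name:9s} -> {classify(raw)}")
    print(audit([SENDER_ENCRYPTED, INCOMING_ENCRYPTED, PLAINTEXT]))
```

Run `audit` over the raw messages of a folder (for example, those fetched over IMAP) to verify that a newly created rule leaves no "plaintext" entries behind; a message that reports "inconsistent" is worth a closer look, since the header alone proves nothing about the body.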
Please note that emails you send unencrypted are not automatically stored encrypted in the webmailer "Sent" folder, regardless of whether they are sent via webmail or an external email client.
As a workaround, you can BCC yourself on outgoing messages and use a filter in the webmailer to move them to the "Sent" folder. In this case, they will be encrypted via S/MIME incoming encryption.
When using an external email client, make sure that sent messages are not saved in any folder. In webmail, you can also prevent a copy from being stored in the "Sent" folder.
Remember: without your private key, you cannot read your encrypted messages.
Important Notice: Keep your private key safe and protect it from unauthorized access.
If you lose your private key, we CANNOT help you. Your emails will remain encrypted and unreadable forever!
All rights reserved. ©2015-2026 by mail.de GmbH