This page contains frequently asked questions about Enigmail and related topics.

Some detailed technical information can also be found in the FAQ on the Enigmail website.

 


Install and Uninstall

Why does Enigmail fail to install on Firefox/Chrome?

Enigmail is an extension for Postbox and Interlink Mail & News. It is not supposed to, and hence cannot, be installed in Firefox or Chrome.

If you use Firefox or Google Chrome to download Enigmail, you need to right-click on the download link, select Save as..., and save the XPI file on your computer. Then open your mail client, go to Tools → Labs → Extensions (on Postbox) or Tools → Add-ons → Extensions (on Interlink), click the gear-wheel button, select Install Add-On [or Labs Project] from File and choose the Enigmail XPI file. On Interlink, restart your mail client afterwards.

Can Enigmail be used for webmail?

Enigmail is developed for Postbox and Interlink. There is no intention from our team to extend Enigmail to support web based mail, or web applications in general.

The Mailvelope project is an extension for Mozilla Firefox or Google Chrome allowing OpenPGP-secured messages in webmail.

How do I uninstall Enigmail?

Go to Tools → Labs → Extensions (on Postbox) or Tools → Add-ons → Extensions (on Interlink), click on the Remove button, then restart your mail client.

Encryption and Decryption

How do I automatically encrypt my email messages?

If you use the default configuration, Enigmail will automatically encrypt all messages whenever possible, that is, if you have the public keys for all recipients.

Additionally, you may set single (or all) identities to always encrypt, and opt out when sending if you don't have a recipient's key and it is acceptable for you to send that message unencrypted.

See also Sending Preferences in the configuration of Enigmail.

Is it possible to permanently decrypt email messages?

Yes, this is possible in Enigmail.

Why does Enigmail see some emails as broken?

This problem often occurs when using an IMAP mailserver and is due to your mail client not downloading the message as a whole. To fix this problem, go to Enigmail → Preferences → Advanced and disable the option Only download attachments when opened (IMAP only). Note: on Postbox the Enigmail menu is only available from the message composition window.

What should I do if my mail client shows an alert about an unresponsive script?

Sometimes Enigmail (or GnuPG) takes a long time to complete the cryptographic operations, and the mail client issues a complaint about an "unresponsive script". If this happens while sending an encrypted mail, you should never click on Cancel, as this would send the mail unencrypted. In this case always select Continue. If several attempts do not help, then quit and restart the mail application.

Why do I get an error "Secret key needed to decrypt message" and am unable to read encrypted messages sent to me?

Unless you accidentally deleted your key pair (for which there is no remedy, unless you have a backup), the message you received was not encrypted with your public key. The sender most likely encrypted it with his public key only instead of yours. Make sure the sender has your public key, and tell him to encrypt the message with it.

How can I encrypt the Subject?

Since Enigmail 2.0 the subject of the message can be encrypted (but no other header) together with the rest of the message. If the subject is encrypted, then the visible subject is replaced with "...". The default for this can be changed in Enigmail → Preferences → Advanced.

You can also enable/disable encryption of the subject for individual messages. For this you first need to customize the toolbar icons: right click on any icon and click on Customize... . Then drag the icon labelled Protect Subject into the toolbar.

Why can I not select some keys for encryption in the Key Selection window?

Keys that are revoked or expired cannot be used to encrypt. Download a valid public key from a keyserver, or contact your recipient and have him mail you his new, valid public key. Do not forget to ensure the integrity of this key by a secure channel.

Is it possible to use S/MIME and OpenPGP encryption concurrently?

No, you cannot mix S/MIME and OpenPGP in the same message as the two standards, and their implementation in Mozilla-based mail clients, interfere with each other.

What's the difference between Inline PGP and PGP/MIME?

Whether to use inline PGP or PGP/MIME for email is a matter of debate, since both have strengths and drawbacks. Here's what you need to consider:

PGP/MIME is a standardized way (RFC 3156) to deal with OpenPGP content. Starting with v1.9, Enigmail uses this as the default. It puts the signed/encrypted content in a new MIME-wrapped mail body while the original mail body is empty or consists of an explanatory sentence. If the message is signed and/or encrypted, then the attachments are, too. Message text and attachments will be encrypted and/or signed as a whole.

  • PGP/MIME-aware mail clients validate and display the signature. Most PGP/MIME-unaware clients display the signature as an attachment; this attachment cannot easily be opened separately to verify the message. Some mail clients (for instance Windows Mail Desktop App) ignore the signature, which appears not to be there.
  • PGP/MIME-aware clients decrypt message and attachments automatically. PGP/MIME-unaware clients display two attachments, one of which is encrypted.
  • HTML content is covered perfectly.

Inline PGP is the traditional method where the ciphertext replaces the plain text of a mail body. Inline PGP mails are not considered secure anymore.

  • PGP-aware mail clients may validate and display the signature. PGP-unaware clients display the signature in clear, preceding and trailing the body text.
  • PGP-aware clients may decrypt message and attachments automatically. PGP-unaware clients display an encrypted text block as body text.
  • Signed unencrypted HTML content is problematic, and signatures often fail.

Creation of inline PGP messages is not supported anymore on Postbox and Interlink.
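
The two formats can be told apart from the raw message alone. The following is an added example, not part of Enigmail or of the original FAQ: it classifies a message as PGP/MIME (by the RFC 3156 content type) or inline PGP (by armor header lines in a text part). The function name and the sample messages are constructed for illustration.

```python
from email import message_from_string

ARMOR = {"-----BEGIN PGP SIGNED MESSAGE-----": "inline-signed",
         "-----BEGIN PGP MESSAGE-----": "inline-encrypted"}
MIME = {("multipart/encrypted", "application/pgp-encrypted"): "pgp-mime-encrypted",
        ("multipart/signed", "application/pgp-signature"): "pgp-mime-signed"}

def classify(raw: str) -> str:
    """Report how OpenPGP is applied to one raw message, or "none"."""
    msg = message_from_string(raw)
    # PGP/MIME (RFC 3156): the top-level Content-Type and its protocol identify it.
    key = (msg.get_content_type(), str(msg.get_param("protocol") or "").lower())
    if key in MIME:
        return MIME[key]
    # Inline PGP: an armor header is a whole line of a text part, checked after
    # base64 / quoted-printable transfer decoding (decode=True).
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        for line in body.splitlines():
            if line.strip() in ARMOR:
                return ARMOR[line.strip()]
    return "none"

# Constructed samples; the armored blocks are placeholders, not real OpenPGP data.
PGP_MIME = """\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder)
-----END PGP MESSAGE-----
--b1--
"""
INLINE = """\
Content-Type: text/plain; charset="utf-8"

-----BEGIN PGP SIGNED MESSAGE-----

See you at noon.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""
```

A quoted armor line in a reply ("> -----BEGIN PGP MESSAGE-----") is deliberately not counted, because the marker must be the whole line.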

How does Enigmail choose between S/MIME and OpenPGP?

Enigmail chooses automatically between S/MIME and OpenPGP according to the following rules:

  1. If possible, encrypt the message with whichever protocol allows encrypting to all recipients.
  2. If S/MIME and OpenPGP are both possible for encryption, then choose according to the preference value If both, Enigmail and S/MIME encryption are possible, then ... (prefer S/MIME or prefer Enigmail) in the Account Settings OpenPGP Security tab.
  3. If encryption is not possible, then check if signing is enabled for S/MIME and/or OpenPGP. If only one of the two protocols is set to "sign", then choose that protocol. If both protocols have signing enabled, then follow the preference rule above.
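
The three rules above, written out as a decision function. This is an added example, not Enigmail's own code: the function name, the argument shapes and the final "plain" result (returned when neither encryption nor signing applies) are assumptions made for illustration.

```python
PROTOCOLS = ("smime", "openpgp")

def choose_protocol(recipients, keys, sign_enabled, prefer):
    """Apply the three rules; returns (protocol, reason it was chosen).

    recipients:   list of addresses the message goes to
    keys:         {"smime": addresses with a certificate,
                   "openpgp": addresses with a usable public key}
    sign_enabled: {"smime": bool, "openpgp": bool}
    prefer:       "smime" or "openpgp", the account's tie-break preference
    """
    # Rule 1: a protocol qualifies for encryption only if it covers every recipient.
    can_encrypt = [p for p in PROTOCOLS if set(recipients) <= keys[p]]
    if len(can_encrypt) == 1:
        return can_encrypt[0], "encrypt"
    # Rule 2: both qualify, so the account preference decides.
    if len(can_encrypt) == 2:
        return prefer, "encrypt"
    # Rule 3: no encryption possible; fall back to whichever protocol signs.
    can_sign = [p for p in PROTOCOLS if sign_enabled[p]]
    if len(can_sign) == 1:
        return can_sign[0], "sign"
    if len(can_sign) == 2:
        return prefer, "sign"
    return None, "plain"  # assumption: nothing applies, message goes out as is

# Constructed key inventory with hypothetical addresses.
KEYS = {
    "smime": {"alice@example.org", "bob@example.org"},
    "openpgp": {"bob@example.org", "carol@example.org"},
}

if __name__ == "__main__":
    both_sign = {"smime": True, "openpgp": True}
    # alice has only a certificate and carol only an OpenPGP key: no protocol
    # covers both, so the message cannot be encrypted and rule 3 applies.
    print(choose_protocol(["alice@example.org", "carol@example.org"],
                          KEYS, both_sign, "openpgp"))
```

The mixed-recipient case is the one to watch: a single recipient without a key for either protocol silently moves the whole message from rule 1 to rule 3.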

Which symmetric ciphers does Enigmail use?

As said previously, Enigmail (or rather, OpenPGP) uses hybrid encryption: the message is first encrypted with a symmetric algorithm using a generated session key, which is then encrypted for each intended recipient with the recipient's public key and added to the encrypted message. The symmetric algorithm OpenPGP uses is chosen from this list:

  • AES (128)
  • AES192
  • AES256
  • IDEA
  • 3DES
  • CAST5
  • BLOWFISH
  • TWOFISH
  • CAMELLIA128
  • CAMELLIA192
  • CAMELLIA256

The default in GnuPG is currently AES-128.

Each recipient's public key contains a list of preferred algorithms. OpenPGP chooses an algorithm that satisfies everyone, i.e. all recipients and the sender of the encrypted message.
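
How the preference lists interact can be shown with a short sketch. This is an added example, not GnuPG's or Enigmail's actual selection code: it assumes the sender's list sets the order of preference, and it applies the RFC 4880 rule that 3DES is implicitly at the end of every key's list. The addresses and preference lists are constructed.

```python
MANDATORY = "3DES"  # RFC 4880: implicitly last in every key's preference list

def effective(prefs):
    """A key's cipher preference list with the implicit 3DES entry appended."""
    return list(prefs) if MANDATORY in prefs else list(prefs) + [MANDATORY]

def choose_cipher(sender_prefs, recipient_prefs):
    """First cipher in the sender's order that every recipient's key lists.

    Walking the sender's list is an assumption of this sketch; the requirement
    is only that the result appears in every recipient's (effective) list.
    """
    accepted = [set(effective(p)) for p in recipient_prefs.values()]
    for cipher in effective(sender_prefs):
        if all(cipher in a for a in accepted):
            return cipher
    return MANDATORY  # not reached: 3DES is in every effective list

def limiting_recipients(sender_prefs, recipient_prefs):
    """Recipients whose key does not list the sender's first choice."""
    top = effective(sender_prefs)[0]
    return sorted(r for r, p in recipient_prefs.items() if top not in effective(p))

# Constructed preference lists (hypothetical addresses); names as GnuPG prints them.
SENDER = ["AES256", "AES192", "AES", "CAMELLIA256"]
RECIPIENTS = {
    "bob@example.org": ["AES256", "AES", "TWOFISH"],
    "carol@example.org": ["CAMELLIA256", "AES", "CAST5"],
    "dave@example.org": ["CAST5", "IDEA"],  # old key without any AES entry
}

if __name__ == "__main__":
    modern = {r: p for r, p in RECIPIENTS.items() if r != "dave@example.org"}
    print(choose_cipher(SENDER, modern))             # bob and carol only
    print(choose_cipher(SENDER, RECIPIENTS))         # dave's key included
    print(limiting_recipients(SENDER, RECIPIENTS))
```

Because one session key encrypts the message for everybody, a single recipient with an old preference list determines the cipher for all recipients of that message.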

Why do I get an error whenever I try to post to a newsgroup?


You are trying to post an encrypted message to a newsgroup. This doesn't make sense as a newsgroup, like a mailing list, is a public space and not an entity that could own a key pair. (Just ask yourself who is supposed to own the private key, or what would be the trust associated with this entity, or why the information you post should be encrypted in first place.)

You should send the message unencrypted. If you just want to obfuscate information, such as spoilers, ROT13 will be more than adequate for your purpose.

Signature and Verification

What shall I do if I get a "Bad signature" for a message?

It sometimes happens that a signed message is altered during transport, producing a bad signature; this is often caused by shortcomings in one of the software implementations involved. These alterations might concern invisible characters such as line breaks, spaces, or tabs, and happen during the sending process or on improperly working mail servers. In case of an invalid signature, nothing can be said about the integrity of the mail text. It may be unchanged or not, and you are advised to treat it with caution. A good practice would be to ask the sender, by encrypted mail, for a statement about the contents.

Why does Enigmail tell me "Untrusted good signature" when I already have the key of the sender?

This means that the signature cryptographically verifies, but the sender's key is not fully valid in your public keyring. This is the default for freshly imported keys. You need to set full validity for that sender's particular public key.

How do I specify the hash algorithm?

You can't specify the hash algorithm in Enigmail.

Keys

I have lost my passphrase / my key pair / my private key! What do I do now?

A note: Your private key is bundled with your public key in your key pair, hence losing your private key and losing your key pair means exactly the same.

There is no way to recover your passphrase: your only hope is to try to remember what it was. If you don't succeed, you lose the use of your private key, and hence your whole key pair is now useless. There is no way to recover your private key, either. It cannot be obtained from your public key or from any message that was signed/encrypted by that private key. You can only recover it if you made a backup of it.

Hence, losing the passphrase or the key is definitive. If you generated a revocation certificate (and you should have), use it to revoke the key pair. You must also generate a new key pair, send the new public key to your contacts, and warn them not to use the old public key any more.

Messages that were sent to you encrypted with the old key cannot be decrypted any more. Messages that were signed by you with the old key can still be verified by the recipients by using the old (revoked) key.

To avoid this disaster, it is highly recommended that you back up your key pair in advance: from Key Management, select File → Export Keys to File, make sure you include the secret key, then store the file in a safe place. Make sure you choose a passphrase you can remember, too.

I have lost my key pair; how can I import the revocation certificate?

You must first re-import your public key, either from a key server or from a mail correspondent. After this you can import the revocation certificate.

After I reinstalled Enigmail, all keys have disappeared from the Key Management window. How do I get them back?

The keys are still there, but only the keys that match the search criteria entered in the Search for field are displayed. If you want to see all keys, tick the checkbox Display all keys by default.

Why is Enigmail unable to access the keyserver?

Modern keyservers communicate via HTTPS (TCP port 443). If you are behind a firewall, you need to ensure that this port is open for outgoing connections. If you use a proxy, you'll need to set the proxy correctly in your mail client.

How can I automatically refresh the public keys of my communication partners?

Public keys are automatically refreshed at irregular intervals. You can disable this feature via the "Config Editor".

Postbox: Press Shift + Alt + B.

Interlink: Open Edit → Preferences → Advanced Tab → Config Editor.

Then search for extensions.enigmail.keyRefreshOn and set the value to false.

Which key type/size should I choose for my key pair? Which is best?

There is no such thing as "the best key type" or "the best key size"; all choices have consequences and trade-offs. You might feel that a 4096-bit RSA key is safer, but the person you're sending email to might be trying to read it on an old PDA which takes over a minute to decrypt each message. Finding precisely the optimal set of consequences and trade-offs is a very subtle thing, and the perfect set for you will probably not be the same for someone else.

The IETF OpenPGP Working Group has spent over a decade looking at which choices offer an excellent balance of speed, safety, and compatibility for the vast majority of users. Their opinions have evolved over time to take into account the technology and threats of the day. The people of the GnuPG project are active participants in the Working Group, and as such GnuPG implements the Working Group's recommendations.

Therefore, the best advice we can give is to stick to Enigmail's defaults, which will work fine for the overwhelming majority of users.

Troubleshooting, Support, Bug Reports, Feature Requests

How can I test if Enigmail works correctly?

If the installation was successful, restart your mail client. The menubar of the message composer window should now have an Enigmail entry. Selecting Enigmail → About Enigmail will display the Enigmail version number and details about the underlying OpenPGP library.

If Enigmail was correctly installed, you can now try sending yourself some signed/encrypted messages and check whether you are able to verify/decrypt them correctly. Then you can send messages to Edward, an automated program that is able to receive and understand OpenPGP messages and reply accordingly.

I have some problem I can't solve. How can I troubleshoot it? Where can I get support?

First, you can get a good deal of information from the Enigmail console, which shows the commands Enigmail sends to GnuPG or its own library, and which can be accessed via Enigmail → Debugging Options → View Console.

You can also view the Enigmail logfile via Enigmail → Debugging Options → View Log.

When asking the Enigmail developers for help, both console output and logfiles are of crucial importance in pinpointing a problem.

If an Enigmail function is not working as it should and you know how to use GnuPG, you can try to achieve the same result through the GnuPG command line. For instance, if you cannot remove public key 0xABCDEF012345678 from Key Management, open a shell prompt and issue the following command:

gpg --delete-keys 0xABCDEF012345678

If the above doesn't work or you don't feel experienced enough to use GnuPG, ask the friendly Enigmail/GnuPG community for support.

How do I enable the debug log in Enigmail?

Enable it from Enigmail → Preferences → Debugging. Then you can view the log via the menu command Enigmail → Debugging Options → View Log, and save it as a file if you wish.

How do I report a bug?

You can report a bug here. Please first check the list of already known bugs so that a bug doesn't get submitted twice. If you spotted a new bug, you can file a bug report. If you're in doubt, please first ask on the mailing list or in the user forum.

It would be great if Enigmail could do this-and-this! Could you please implement it?

You can submit feature requests in the Enigmail Forum, Feature Requests thread.

But please first consider that Enigmail follows the OpenPGP standard. It is not its purpose to innovate or invent new protocols. If the feature you propose is not included in or not compliant with the standard, the feature is not going to be included in Enigmail, no matter how many users ask for it. The Enigmail source code is freely available, though. If you really need such a feature, you can download the code and modify it to suit your needs. Please consider first that breaking standards is generally not a wise idea, and will result in incompatible products.

Miscellaneous

How do I use Enigmail with GnuPG v1.4.x?

Enigmail 1.8 was the last version that supported GnuPG 1.4.x. Recent versions of Enigmail require GnuPG 2.x.

Why is Enigmail showing key error messages after I upgraded?

If you upgraded Enigmail and started seeing error messages such as these:

  • "Error - No matching private/secret key found to decrypt message."
  • "Send operation aborted. Error - encryption command failed."
  • "Send operation aborted. Key 0x12345678 not found or not valid. The (sub-)key might have expired."

then please read our Guide for resolving issues with GnuPG 2.x and gpg-agent.

How can I get the HTML view back?

Go to View → Message body as → Original HTML.

Why did Enigmail stop working after I installed a new extension?

Some extensions cause conflicts with Enigmail, preventing it from successfully signing/encrypting outgoing mail or verifying/decrypting incoming mail.

