If you have general questions about PGP encryption, you can find more information here.
In our previous articles, we explained how to set up PGP and how to encrypt and decrypt your emails. However, this always requires that the person sending you a message has your public key in order to encrypt it.
But what about all the emails that are delivered to your mail.fr mailbox without being encrypted by the sender? These are generally stored unencrypted in your mailbox and can be read by anyone who gains access to it.
In the worst case, this could include hackers, law enforcement authorities, or even your provider.
Wouldn't it make sense to automatically encrypt incoming emails using your public key?
With PGP inbound encryption, we have developed a system that allows you to define in your mail.fr webmailer settings whether all incoming emails or only specific ones should be encrypted with your public key.
While this does not guarantee that an email was encrypted during the entire transmission process, it does ensure that once delivered to your mail.fr mailbox, it is protected from unauthorized access — including access by us.
Only you can read your encrypted emails using your private key.
To use this feature, you must first have created a PGP key pair (private key and public key) and be familiar with using PGP.
Please note that only you can decrypt and read an encrypted email. Decryption is NOT possible via the mail.fr webmailer, as this would require us to possess — or potentially gain access to — your private key. We deliberately avoid this, as we cannot guarantee with absolute certainty that your private key would never be exposed to third parties (e.g., hackers or authorities).
To decrypt and read your emails, you must therefore use an external email client in which PGP is installed and your private key is configured.
You can safely provide us with your public key, as it is only used to encrypt your incoming emails.
To enable PGP inbound encryption, you must provide us with the valid public key for your email address.
This email address can be any mail.fr address or an alias belonging to your account.
A public key is considered valid if it meets the following criteria:
Your public key is now assigned to your email address.
You can now use “Rules” to define which incoming emails should be encrypted.
In the settings area under “Messages / Email”, click on “Rules”.
You can also define conditions so that only emails matching certain criteria are encrypted. These criteria may include specific senders (From:) or specific subject lines.
You can also define additional actions after encryption. For example, the email can be moved to a specific folder after being encrypted.
Example: a rule that encrypts incoming messages from a specific sender and moves them to a custom folder.
After creation, the rule will appear in the “All Rules” list.
If you no longer wish to use PGP inbound encryption, simply delete the corresponding rule(s).
The public key can remain stored at mail.fr.
You may also delete the public key entirely, provided it is no longer used in any rule. The key itself remains valid but will no longer be stored at mail.fr.
If you need to replace your public key (for example, because it has expired), you can keep your existing rules. Simply edit the relevant key and replace it.
If you generate multiple PGP key pairs for your email address, you can also add multiple public keys for inbound encryption.
For example, emails from Person X can be encrypted with Public Key 1, and emails from Person Y with Public Key 2.
If you want to determine whether an email was encrypted by the sender or only encrypted via PGP inbound encryption, it is advisable to use a different public key for inbound encryption than the one you share with your contacts or publish on public key servers.
PGP inbound encryption only processes emails that are delivered unencrypted.
When decrypting emails in your external email client, you can identify which public key was used based on the required passphrase (the password for the corresponding private key).
Additionally, you can check the email headers. If PGP inbound encryption has encrypted an originally unencrypted email, the header X-MDE-GPG: 1 will be added.
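The header check described above can be automated over messages exported from your mailbox. The following is an added example, not code from mail.fr: the function names and sample messages are constructed for illustration, and because this page does not state whether inbound encryption produces PGP/MIME or inline PGP, both forms are detected.

```python
from email import message_from_string
from email.message import Message

INBOUND_HEADER = "X-MDE-GPG"  # header name taken from this page
ARMOR = b"-----BEGIN PGP MESSAGE-----"

def is_pgp_encrypted(msg: Message) -> bool:
    """Detect PGP/MIME (RFC 3156) or an inline ASCII-armored PGP body."""
    if msg.get_content_type() == "multipart/encrypted":
        proto = msg.get_param("protocol")
        if isinstance(proto, str) and proto.lower() == "application/pgp-encrypted":
            return True
    for part in msg.walk():
        if not part.is_multipart() and ARMOR in (part.get_payload(decode=True) or b""):
            return True
    return False

def classify(raw: str) -> str:
    """Return 'unencrypted', 'inbound-encrypted' or 'sender-encrypted'."""
    msg = message_from_string(raw)
    if not is_pgp_encrypted(msg):
        return "unencrypted"  # the header alone proves nothing without ciphertext
    # Per this page, the header is added with value 1 when the server encrypted
    # a mail that arrived unencrypted; already-encrypted mail is not processed.
    flags = [v.strip() for v in msg.get_all(INBOUND_HEADER, [])]
    return "inbound-encrypted" if "1" in flags else "sender-encrypted"

def sample(extra_headers: str, encrypted: bool) -> str:
    """Build a constructed test message; addresses and ciphertext are placeholders."""
    head = "From: sender@example.org\nTo: user@example.org\nSubject: test\n" + extra_headers
    if not encrypted:
        return head + "Content-Type: text/plain\n\nHello in clear text.\n"
    return (head
        + 'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n\n'
        + "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
        + "--b1\nContent-Type: application/octet-stream\n\n"
        + "-----BEGIN PGP MESSAGE-----\n\n(placeholder ciphertext)\n-----END PGP MESSAGE-----\n"
        + "--b1--\n")

if __name__ == "__main__":
    for name, raw in [("plain", sample("", False)),
                      ("encrypted by sender", sample("", True)),
                      ("encrypted on delivery", sample("X-MDE-GPG: 1\n", True))]:
        print(name, "->", classify(raw))
```

The header is ordinary message metadata outside the encrypted body, so the separate inbound key recommended above remains the more dependable signal.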
Please note that emails you send unencrypted are not stored encrypted in the webmailer’s “Sent” folder.
This applies whether you send emails via the webmailer or unencrypted via an external email client.
As a workaround, you can always send yourself a blind carbon copy (BCC) of your outgoing messages and use a filter rule in the webmailer to move them to your “Sent” folder. In this case, the message will be encrypted via PGP inbound encryption.
When using an external email client, also ensure that no copy of sent emails is stored in a folder.
When sending via the webmailer, you can likewise disable storing a copy of sent emails in the “Sent” folder.
Please note once again that without your private key, you cannot read your encrypted messages.
Important Note: Store your private key securely and protect it from unauthorized access.
If you lose your private key, we CANNOT assist you.
Your emails will remain permanently encrypted and unreadable.
All rights reserved. ©2015-2026 by mail.de GmbH