Here we will look at how to send and receive encrypted and/or signed emails using Thunderbird with the Enigmail add-on.

The screen-shots used are from the Windows version of Thunderbird, but they are very similar on Apple OS X.

Before we begin…

If you have not already installed GnuPG/OpenPGP and Thunderbird with the Enigmail add-on you should go back and do that first before trying to carry out the instructions on this page.

Installing GnuPG on Microsoft Windows using Gpg4win

Installing GnuPG on Apple OS X using GPG Tools

Mozilla Thunderbird

Installing Enigmail and Creating a Key Pair

Sending your first encrypted message

Note: At some points in this process you could be asked for the passphrase you used to create your key. This is to ensure you are the authorised user of the key.

To test that everything is working as it should be, you can send an encrypted message to yourself.

Open Thunderbird and begin a new message addressed to yourself.


At the top of the message you will see the Open/PGP options.  Click on the button and a window will open as shown below.


Select Encrypt Message and Use PGP/MIME and click OK.

You need to be aware of the difference between using PGP/MIME and not using it. Please see our guide Using OpenPGP – Some things you need to know.

You will now see your message in a window like this.


Note that in the bottom right of the window there are two icons.  When the key is highlighted this indicates the message will be encrypted. When the pen/pencil is highlighted it indicated the message will be signed. We will cover signing messages later.

You can now click Send and your message will be sent to you.

Reading your first encrypted message

You should find your encrypted message arrives quite quickly (it hasn’t had to go far!).

Click on it as you would any other message and you should see your message as below.


There are 3 areas of the screen that indicate the message is encrypted. The test at the top of the screen tells you it is an “OpenPGP Decrypted message”, the padlock also indicates this, and the key is present in the bottom right corner.

How do I know it was really encrypted?

This is a good question, and something you should check to satisfy yourself that it really was. Because OpenPGP is so well integrated with your email client, you never usually get to see the encrypted message.

To see the message as it was sent to the email servers, and also how it is stored on your machine click on Other Actions just to the right and above the message content, and then click View Source.  A window will open to show you the message as it is stored on your computer.


We have excluded the message headers in the screen-shot above just to make the image smaller.

It is worth having a close look at this window to familiarise yourself with what is encrypted and what isn’t.

You will notice that sender, recipient and the subject line are not encrypted.  This is necessary or it would not be possible to deliver your message (certainly in the case of recipient anyway). Do not put anything confidential in the subject of your emails.

However, the entire body of your message was encrypted and you will not see the text “This is my first encrypted message using Thunderbird, Enigmail and OpenPGP.” anywhere.

Note: Any attachments to your email (such as photographs or documents) will also be encoded with no further action on your part. Once they are decoded at the recipient end they will appear just as in an unencrypted message.

Sending your first signed message

Compose another message addressed to yourself similar to the one below.


Click on OpenPGP just as you did before, and this time choose the Sign Message and Use PGP/MIME options.

Alternatively, click on the pencil/pen icon in the bottom right of the window.

Click Send and if requested enter your passphrase.

Reading your first signed message

When you receive your signed email, open it and you should see a window similar to the one below.


You will see that like the encrypted email the same parts of the message indicate that this one is “signed” by an OpenPGP key.

As with the encrypted message, it is worth looking at the source code of the email so that you are aware of what signed emails look like in their “raw” format.


At first glance the source code looks similar to the encrypted message code. However, you will notice that the content of the message “This is my first signed message using Thunderbird, Enigmail and OpenPGP.” is now visible and not encrypted.

At the bottom of the email is a black of text starting with “—BEGIN PGP SIGNATURE___”. This is the OpenPGP signature that is used to verify the message is sent from you. In addition, the signature is based on the content of the message and so if the message is changed or tampered with before you read it the signature will be invalid and your email client will tell you this.

Note: You can encrypt and sign messages at the same time.

Start sending messages to people other than yourself

Now that you know how to encrypt and sign messages, you can start sending OpenPGP messages to everyone, right?

Well, perhaps not right away. There are a few things to consider first.

  1. You can sign messages with your own public key without needing the public keys of your recipients.
  2. Some people who use certain email clients or some webmail services will have problems reading any part of your signed messages.
  3. You can only encrypt messages to others if you have their public key.
  4. Others can only send encrypted messages to you if they have your public key.

Item 1 is not a problem, you already have your own key.

Item 2 can be a problem, and more information is available in our document Using OpenPGP – Some things you need to know.

Items 3 and 4 are easily addressed by uploading public keys to a key server. This makes it very easy for others to find your public key so they can send you encrypted messages. Depending on the configuration, Thunderbird with Enigmail will try to automatically download the public keys of people who send you signed and encrypted messages so that they are available for you to use. This can only happen if others have also uploaded their public keys to a key server.

If a key is not available from a key server, you will have to ask the person who owns that key to send it to you.