Configuration

Enigmail can be fine-tuned to suit your needs. Here we'll illustrate the many configuration options of Enigmail.

If you use GnuPG and configured it manually, please note that these preferences will override any similar entry in the GnuPG configuration file gpg.conf.

Basic
To access the Enigmail preferences select Enigmail → Preferences from the menu bar. This will initially bring up the Basic preferences, which control the basic functioning of Enigmail.



Files and Directories shows where GnuPG was found. Enigmail tries to locate the GnuPG executable file automatically when it starts. Typical locations are C:\Program Files (x86)\GNU\GnuPG\gpg2.exe for Windows and /usr/local/bin/gpg2 for Linux and Mac OS X. If Enigmail can't find GnuPG, or you want to specify the location manually, tick Override with and enter the path to the GnuPG executable file.

You will be asked for your passphrase every time your private key needs to be accessed, for instance whenever you sign, decrypt, or change your key pair properties. It is often cumbersome to have to type the passphrase all the time, and you might be tempted to choose a passphrase that's short and simple to type, which is a bad idea. Instead, you should set a caching time for your passphrase. You can do this by entering the desired number of minutes in the field Remember passphrase for [ ] minutes of idle time. In the picture shown here, you will not be asked for the passphrase for 15 minutes. You will be asked for the passphrase again when the specified caching time has expired or when you have restarted the computer. Read more about passphrase handling here.

Do not leave your computer unprotected while the passphrase is stored in the cache.

Finally, the Display / Hide Expert Settings and Menus toggle button allows you to access the Expert preferences by activating four additional tabs.

Sending
The Sending tab of the Preferences shows the options for sending encrypted mails. It is always accessible, even if you haven't enabled the expert settings. These settings define how Enigmail will behave when sending secured mail.



By default, Convenient encryption settings are enabled. This ensures an easy start for beginners by setting all sub-settings to their default values, as shown in the above picture. Advanced users might want to change to Manual encryption settings, which lets you define all sub-settings yourself.

Encrypt/sign replies to encrypted/signed messages (checked by default) automatically switches on encryption/signing when composing a reply to an encrypted/signed message. This is a smart thing to do, especially if you quote the original message.

Automatically send encrypted:
 * Never - never try to automatically send encrypted;
 * If possible (default) - send encrypted when you have all public keys of the recipients (everyone in To, Cc, and Bcc).

To send encrypted, accept:
 * Only trusted keys - do not allow you to encrypt a message with keys that are not valid (this is the usual GnuPG behaviour);
 * All usable keys (default) - allow you to encrypt a message with any key which is not expired, revoked, or disabled.
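
The difference between the two choices above, shown on GnuPG's machine-readable key listing. This is an added example, not Enigmail's own code: the sample records and key IDs are constructed, and treating "valid" as GnuPG validity f (full) or u (ultimate) is an assumption about how the setting maps to GnuPG's output.

```javascript
// Added illustration; not Enigmail source code.
// Constructed `gpg --list-keys --with-colons` records; key IDs are made up.
const SAMPLE_LISTING = [
  "pub:f:4096:1:AAAAAAAAAAAAAAA1:1500000000:::-:::scESC:", // fully valid
  "pub:-:4096:1:AAAAAAAAAAAAAAA2:1500000000:::-:::scESC:", // validity unknown
  "pub:m:2048:1:AAAAAAAAAAAAAAA3:1500000000:::-:::scESC:", // marginally valid
  "pub:e:2048:1:AAAAAAAAAAAAAAA4:1300000000:1400000000::-:::sc:", // expired
  "pub:r:2048:1:AAAAAAAAAAAAAAA5:1500000000:::-:::sc:", // revoked
  "pub:f:2048:1:AAAAAAAAAAAAAAA6:1500000000:::-:::scESCD:", // disabled
].join("\n");

// Parse the "pub" records: field 2 is the validity, field 5 the key ID,
// field 12 the capabilities (a "D" there marks a disabled key).
function parsePublicKeys(listing) {
  return listing
    .split("\n")
    .map((line) => line.split(":"))
    .filter((f) => f[0] === "pub")
    .map((f) => ({
      id: f[4],
      validity: f[1],
      // Not expired (e), revoked (r) or disabled (d, or "D" in field 12).
      usable: !["e", "r", "d"].includes(f[1]) && !(f[11] || "").includes("D"),
      // Assumption: "valid" means fully or ultimately valid.
      valid: f[1] === "f" || f[1] === "u",
    }));
}

// policy "trusted" = Only trusted keys, "usable" = All usable keys (default).
function acceptedKeys(listing, policy) {
  if (policy !== "trusted" && policy !== "usable") {
    throw new Error("unknown policy: " + policy);
  }
  return parsePublicKeys(listing)
    .filter((k) => k.usable && (policy === "usable" || k.valid))
    .map((k) => k.id);
}
```

With the default, the keys of unknown and marginal validity are accepted as well, so a message can be encrypted to a key whose ownership has never been verified.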

Confirm before sending controls a confirmation dialog that would pop up before sending any message, so that you can check the signing, encryption, and S/MIME status:
 * Never (default) - select this option if you send S/MIME signed or encrypted messages from time to time;
 * Always - always prompt for confirmation;
 * If encrypted - prompt only when mail is going to be sent encrypted;
 * If unencrypted - prompt only when mail is going to be sent unencrypted;
 * If rules changed the default encryption setting - prompt only when Per-Recipient Rules changed the default encryption setting (useful to detect when a rule switched off encryption).

Key Selection
This tab is accessible only if you have enabled Expert settings in the Basic tab.



These settings define how Enigmail will select, for each recipient, the public keys to encrypt a message with. The options enable different ways to get the correct key. Enigmail will process, in order, all options that have been checked, and will stop as soon as one of the options results in a match.


 * By Per-Recipient Rules (checked by default) - choose the key depending on per-recipient rules;
 * By E-Mail-Addresses according to the key manager (checked by default) - select the key whose User ID matches the recipient's mail address;
 * Manually if keys are missing (checked by default) - if the above options don't result in a match, pop up the Key Selection window to let you choose the keys manually;
 * Always (also) manually - always pop up the Key Selection window to let you choose the keys manually. If any of the above options is selected and has found suitable keys, they will be preselected.

The Edit Rules... button opens the Per-Recipient Rules Editor window.

Advanced
This tab is accessible only if you have enabled Expert settings in the Basic tab.



These settings define miscellaneous OpenPGP and Enigmail options.

If you use HTML to compose email messages, messages signed with the Inline PGP standard (the default in Enigmail) need to be re-wrapped before they can be sent, in order to avoid invalid signatures. We recommend that you leave the option Re-wrap signed HTML text before sending enabled, unless you have problems caused by re-wrapping.

Add Enigmail comment in OpenPGP signature adds the comment line Comment: Using GnuPG with Thunderbird - http://www.enigmail.net to the OpenPGP signature block. Note that you can add any comment to the OpenPGP signature by calling GnuPG with the parameter "--comment your_comment" (see below to learn how to specify additional parameters to the GnuPG executable).

When signing, lines starting with a dash (-) are replaced with two dashes separated by a space (- -) according to the OpenPGP standard. As a result, a double-dash line (--) no longer appears as a separator between the message body and a personal signature, which is usually displayed in grey. When the option '--' is a signature separator is enabled, Enigmail applies a workaround to handle the signature separator correctly when reading and composing messages.

Usually, email addresses are surrounded by angle brackets (< >) to separate the full name part from the email part, e.g. John Random Hacker . Deactivating the option Use '<' and '>' to specify email addresses removes the brackets from email addresses. This is necessary to ensure compatibility with some providers, like Hushmail, that do not support brackets in email addresses. Hushmail is a provider for OpenPGP encryption over the web, but keys generated with Hushmail are not fully compatible with OpenPGP. This option should normally be turned on when encrypting, as Enigmail relies on it to avoid potential confusion and hence security problems, but it needs to be turned off for Hushmail keys.

Only download attachments when opened (IMAP only) enables an IMAP feature that makes Thunderbird download only the first 35-40 Kb of a message, downloading attachments only on demand. However, if an encrypted message is larger than this size, it may happen that it is downloaded only in part, its end will be missing, and hence Enigmail will fail to decrypt it. If you use an IMAP inbox, and notice that Thunderbird sees some of your mails as broken or reports an error when trying to decrypt them, disable this option. Thunderbird will then download the complete message at once. Alternatively, you can click on the broken lock to download the message in full.

The text field Additional parameters for GnuPG allows you to have Enigmail call the GnuPG executable with the additional parameters you prefer.

Finally, the Reset Warnings button controls the way Enigmail pops up the interactive dialogs asking you to make a choice. If you ever asked Enigmail to remember your choice for the future (for instance when choosing how Enigmail should sign/encrypt attachments), clicking this button will have Enigmail show you the dialog again when needed.

Keyserver
This tab is accessible only if you have enabled Expert settings in the Basic tab.



These options are related to the keyservers used to search for public keys.

The text field Specify your keyserver(s) allows you to specify a list of OpenPGP keyservers. These keyservers will be proposed to you next time you launch a search for a person's public key on a keyserver.

You may prepend a protocol to the name of a keyserver, e.g. hkp://keyserver.example.com or ldap://certserver.pgp.com.

If you want, you may enter a keyserver name in the field Automatically download keys for signature verification from the following keyserver. Enigmail will then automatically try to download every public key needed to verify signed messages from the keyserver specified in this field. If you use this option, please specify only one name.

Debugging
This tab is accessible only if you have enabled Expert settings in the Basic tab.

The options in this tab do not modify the configuration of Enigmail but are used instead to troubleshoot and diagnose problems.

You can specify a filename in Log directory to have Enigmail start to write in that file a debug log about its operations. Logging is enabled automatically when the textfield is not empty. To disable logging, clear the textfield. You can view the debug log via the menu command Enigmail → Debugging Options → View Log; from there you can also save the contents of the debug log to another file to send it to the developers.

By entering an email address in Test email and clicking on Test, you will make Enigmail perform a self-test and pop up a dialog window with the results. (No mail will be sent to the specified address.) For more detailed results, you can read the Enigmail console via Enigmail → Debugging Options → View Console.

Per-Recipient Rules
Enigmail features a powerful system of Per-Recipient Rules (or PRR for short) that, for any recipient, allows you to specify in advance whether to sign, encrypt, or use either the PGP/MIME format or the Inline PGP standard. Per-recipient rules also allow you to specify which key to use for an intended recipient of an encrypted message. By default, Enigmail first searches the per-recipient rules for a rule matching the recipient; if no rule is specified (as is the case after a fresh install of Enigmail), Enigmail selects the key with a user ID matching the recipient.

Per-Recipient Rules Editor
To edit per-recipient rules, select Enigmail → Edit Per-Recipient Rules. The picture below shows the Per-Recipient Rules Editor window:



Let's take again the example where we manually encrypted a message to cryptoguy@domain.org. This address is an alias for jrandomhacker@example.com. We have a key for the real address but not for the alias. Thus, Enigmail cannot encrypt automatically.

This can be conveniently solved by Per-Recipient Rules. For this purpose, we need to create a rule "When sending a message to cryptoguy@domain.org always encrypt it with the public key for jrandomhacker@example.com".

The Add button adds a new rule, and Modify modifies an existing rule.

Let's click on Add. Enigmail opens the Recipient Settings window where we can enter all parameters for this new rule:



First, we add the mail address which shall be processed; in this case we enter cryptoguy@domain.org. Then we choose Apply rule if recipient is exactly one of the above addresses from the drop-down menu. Then we select Use the following OpenPGP keys and we click on the button Select Key(s); the key selection window will appear. From there we select the public key for jrandomhacker@example.com.

Then we select Always for Encryption, Signing, and PGP/MIME. From now on, messages that we send to cryptoguy@domain.org will automatically be encrypted and signed using PGP/MIME. You might also choose to specify different options for Encryption, Signing, and PGP/MIME.

Click OK, and we see our first rule in the list:



If you create more than one rule, they are processed in order, from top to bottom. You can change the rules order by using the buttons Move Up and Move Down, while Delete will delete a rule.

Perhaps the most useful application of PRRs is to encrypt messages sent to a mailing list. In this case, specify the mailing list's email address as the recipient, and select the public keys (which we assume you have in your keyring) of all the members of the mailing list.

PRRs make it possible not only to set encryption for specific addresses but also to exclude some addresses from encryption or signing. Just select Never in the encryption or signing fields for the rule.

Recipient Settings
In the Set Enigmail Rules for field you must enter the recipient email address you're writing the rule for. Recipients are the addresses specified in the fields To:, Cc:, and Bcc: of the email message, without distinction. If you want to have a rule for multiple email addresses, enter them all in the field, separated by spaces. Then choose the pattern matching criteria from the drop-down menu (Is exactly, Contains, Starts with, Ends with).

In the Action zone you specify the rule behaviour. If there is a match with the specified recipient email address(es):
 * Continue with next rule for the matching address allows you to define a rule without having to specify a Key ID in the Use the following OpenPGP keys field. This way, the email address is used to check for a key when sending the message. Further rules for the same address will be processed.
 * Do not check further rules for the matching address will stop the processing of any other rule for the matching address if this rule is matched. Rule processing will restart with the next recipient.
 * Use the following OpenPGP keys allows you to specify which recipient keys will be used for encryption. Use the Select Key(s)... button to choose the keys. This is the most used and recommended method. Further rules will be processed.

In the Defaults for... zone you decide whether to activate signing, encryption, and PGP/MIME if the rule is matched. Each function can be independently set to three options:
 * Never specifies that the function will be disabled;
 * Yes, if selected in Message Composition allows you to set the option at the time of message composition;
 * Always specifies that the function will be enabled.

When sending a message to multiple recipients, in case of conflicts between rules, Never overrules Always. For instance, if you create two rules for the following two recipients:

 * alice@example.com - Signing: Always; Encryption: Always; PGP/MIME: Yes, if selected in Message Composition
 * bob@domain.org - Signing: Always; Encryption: Never; PGP/MIME: Never

and you try to send a signed and encrypted message to alice@example.com and bob@domain.org, the message will be signed only. Also, had you turned on PGP/MIME when composing the message, this setting would be ignored and the message would not be encrypted with PGP/MIME.
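
The rule processing described in this section (top-to-bottom order, the three actions, and Never overruling Always across recipients), worked through as an added example. This is not Enigmail's own code: the field names, the case-insensitive matching, and the placeholder key ID are assumptions made for illustration.

```javascript
// Added illustration; not Enigmail source code. Field names are hypothetical.
const MATCH = {
  exact: (addr, pat) => addr === pat,
  contains: (addr, pat) => addr.includes(pat),
  startsWith: (addr, pat) => addr.startsWith(pat),
  endsWith: (addr, pat) => addr.endsWith(pat),
};

// "never" overrules "always", which overrules "maybe"
// ("Yes, if selected in Message Composition").
function merge(a, b) {
  if (a === "never" || b === "never") return "never";
  if (a === "always" || b === "always") return "always";
  return "maybe";
}

// rules: ordered top to bottom. recipients: all To, Cc and Bcc addresses.
// compose: what the user selected in the composition window.
function evaluateRules(rules, recipients, compose) {
  const merged = { sign: "maybe", encrypt: "maybe", pgpMime: "maybe" };
  const keys = {};
  for (const rcpt of recipients.map((r) => r.toLowerCase())) {
    for (const rule of rules) {
      const pats = rule.addresses.toLowerCase().split(/\s+/).filter(Boolean);
      if (!pats.some((p) => MATCH[rule.match](rcpt, p))) continue;
      for (const f of Object.keys(merged)) merged[f] = merge(merged[f], rule[f]);
      if (rule.action === "useKeys") keys[rcpt] = (keys[rcpt] || []).concat(rule.keys);
      if (rule.action === "stop") break; // no further rules for this address
    }
  }
  const out = { keys };
  for (const f of Object.keys(merged)) {
    out[f] = merged[f] === "always" || (merged[f] === "maybe" && !!compose[f]);
  }
  // A rule switched off encryption the user asked for: worth a confirmation.
  out.encryptionDowngraded = !!compose.encrypt && !out.encrypt;
  return out;
}

// Constructed sample rules; the key ID is a placeholder, not a real key.
const RULES = [
  { addresses: "cryptoguy@domain.org", match: "exact", action: "useKeys",
    keys: ["0xPLACEHOLDER"], sign: "always", encrypt: "always", pgpMime: "always" },
  { addresses: "alice@example.com", match: "exact", action: "continue",
    sign: "always", encrypt: "always", pgpMime: "maybe" },
  { addresses: "bob@domain.org", match: "exact", action: "continue",
    sign: "always", encrypt: "never", pgpMime: "never" },
];
```

For the alice and bob case above, the result has encryptionDowngraded set, which is the situation the Confirm before sending choice "If rules changed the default encryption setting" is meant to surface.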