It’s easy to do!
Writing encrypted emails is as easy as writing normal ones!
Simple to use & secure
OpenPGP (PGP is short for “Pretty Good Privacy”) is the open-source gold standard for fast and secure end-to-end email encryption, which is why GMX relies on it. OpenPGP has never been cracked, making it extremely secure. When emails are encrypted using OpenPGP, the sender, recipient, subject, metadata, and the contents are made completely inaccessible to unauthorised parties.
PGP email encryption is done by using two complementary keys: one public key for encryption and a private key for decryption. The public key “locks” the message of the person you’re communicating with so that only the person with the private key can decrypt and read it. That’s why it’s so important for the private key to be kept secret. The use of these interdependent keys guarantees the highest level of security.
PGP email is an encryption procedure that is recognised all over the world, making it an ideal method for carrying out encrypted communication across countries and systems. Other methods of encrypting emails only allow one-way communication inside the encryption program and fail to make their process transparent. In contrast, OpenPGP has made its procedure and functionality completely transparent.
GMX users can enjoy unhackable email communication without needing to have expert knowledge, thanks to GMX’s email encryption procedure. GMX made the OpenPGP procedure as simple as possible, optimising it for user-friendliness. This was made possible by its cooperation with Mailvelope, an open-source project based in Heidelberg, Germany, that offers a browser-based OpenPGP solution of its own.
With GMX, keys are generated in an easy 3-step setup process, which considerably simplifies the otherwise lengthy and complicated process of key generation. The public and private complementary keys required for encryption are created in the background, meaning the user isn’t inconvenienced by the technical process behind this. Storing the keys locally in the browser extension makes outside access impossible. For another layer of security, a key password is created during the setup process. Those who already have a PGP key can import it by going to the options in the browser extension.
In the third step of the setup process, users can set up a backup in case the key or key password ever gets lost and needs to be recovered. Encrypted messages cannot be decrypted without a backup if the key or key password was lost. Mailvelope keeps the required data secure in a security container with a 26-digit code. The recovery code is sent out via a document, which the user must print out and store securely. Though this backup procedure is optional, GMX highly recommends setting it up.
Users can enjoy email encryption on their mobile devices as well. This is yet another feature that sets GMX apart from other existing OpenPGP procedures. Users can activate email encryption in the GMX Mail App using a QR scan or the recovery code they received from the recovery document while setting up the backup option. Once encrypted communication has been set up successfully on the PC, the Mail App will provide the option to use this capability on mobile devices.
For encrypted communication to work, both the sender and the recipient must have each other’s public key. This would normally require the communication partners to exchange and manually verify the keys. However, GMX offers two alternatives to this manual procedure.
If email encryption has not yet been set up by the email recipient, the sender must email them a personal invitation to do so, which will also provide them with both the public key of the sender and instructions for starting to set up encryption. After the recipient has successfully set up encrypted communication, their public key is sent to the sender in the background.
If the recipient has already set up encryption, the GMX Key Directory will already have their public key. The sender must simply enter the recipient’s address and their public key is made available to them. Stored keys all have the GMX signature, ensuring that the key is authentic. If you do not wish for your public key to be stored, go to your mailbox settings to remove it from the GMX Key Directory at any time.
GMX makes its encryption procedure transparent by disclosing how the process works as well as the source code behind it. Plus, it’s audited by independent external security experts. You can therefore rest assured that the security of GMX encryption can be counted on, even with its more user-friendly procedure.
GMX has deliberately chosen browser-based encryption since that’s the only sure way of providing true end-to-end encryption. That’s because encryption using the browser-based method takes place on the user’s computer and not on the provider’s end. By partnering with Mailvelope, GMX’s encryption procedure ensures that the encryption technology is kept separate from users’ data.
Mailvelope’s browser extension provides even more security options. While taking part in encrypted communication, the graphical security background, which can be customised by the user, is displayed during all stages. This means that users can easily check to make sure their window has not been altered. Mailvelope’s security protocol, yet another security feature, can also be viewed in settings. The security protocol logs all actions the user has taken with regard to the browser extension. When the user accesses the extension via the secured window, the browser extension displays an ‘OK’.
5 FAQ about GMX encrypted emails
You can use GMX’s encrypted email service completely free of charge!
Yes, you can find step-by-step instructions here.
GMX’s encryption procedure relies on OpenPGP, a procedure which has never been cracked, making it an extremely secure process.
Just as you would write a normal email, you write an encrypted email using your mailbox. Locate the button with a lock next to the ‘Compose Email’ button. Click on it to compose a new encrypted email. For detailed instructions, you can also visit our help page about sending encrypted email.
During setup of encrypted communication, GMX gives you the option of setting up a backup recovery document, which has a recovery code printed on it. You will use this recovery code to recover your key and password. That’s why it’s so important to keep the recovery document in a secure place, inaccessible to unauthorised parties.
Yes, the attachments you include in your encrypted email, like photos, documents and other files, are also encrypted using OpenPGP.
Your keys are created and managed by Mailvelope but stored locally in your device’s browser extension. This means that they cannot be accessed from outside your device.
No. All important data is stored by the user thanks to the browser-based method. No government agency, nor GMX or Mailvelope can access the content of your encrypted emails. This makes even court decisions demanding data delivery ineffective.
No. Content that has been decrypted is only temporarily and locally visible on a device. The email must be decrypted every time it is opened.
With email encryption in Europe, the email is protected even if it leaves the secure European email network. That is, encrypted communication complements transport encryption. This ensures complete data protection, even when emails are sent abroad to regions with weaker regulations and without encrypted connection paths. This is because only the authorised recipient will be able to decrypt the message.
With browser-based encryption, GMX can ensure that the encryption takes place locally on the user’s computer and not in GMX’s infrastructure, unlike with the server-side method. Because of the partnership with Mailvelope, all data relevant to your security like keys or the respective passwords are outside of GMX’s access. The separation of encryption technology and user data is thereby ensured.
OpenPGP is the gold standard for encryption and is used worldwide, making it compatible with a variety of different systems while providing top-notch security. OpenPGP is transparent with regard to its source code and functionality. It is also monitored by external security service providers.
Yes. External and independent security service providers reviewed the encrypted email process.
Yes. You can use the PGP check number, or “fingerprint”, to do this. Once you confirm a new contact to whom you would like to send encrypted emails, an ’i’ will appear next to their email address. Click on the ‘i’ to show their fingerprint. Have them confirm their fingerprint in person or over the phone in order to verify that the key actually belongs to your contact.
Yes. To guarantee their authenticity, GMX uses its public key to sign all the keys stored in the Key Directory. To verify that GMX has signed a certain key, import the GMX key through the options in the Mailvelope browser extension. The corresponding fingerprint is: C394 C011 0A17 0954 47F1 5F0D 1DA4 1713 9553.
By default, all encrypted emails include the digital signature of the sender. This signature states that the email comes from the sender and that the content of the email has not been manipulated or altered during transmission. To verify whether a signature is valid, simply look in the lower left-hand area of the encrypted email.
No, each user only has to complete the process to set up the email encryption service once.
No, using and setting up encrypted communication is entirely voluntary. Even after you’ve set it up, you will always have the option of whether you wish to encrypt the email you are writing or not.
If you can find neither your password nor your recovery document, contact our customer service so that they can reset encrypted communication for you. Keep in mind, however, that the emails you sent or received up until that point cannot be decrypted again.
No, you can neither change nor reassign a key password. If you have forgotten it, you can display it using the recovery code from your recovery document.
Yes, your keys can be imported. Go to the expert settings in the Mailvelope browser extension to do this. Keep in mind, however, that these keys cannot be recovered using the recovery document. Also make sure that you do not delete the keys created by Mailvelope and GMX, as this will cause the GMX email encryption setup to no longer be recognised.
For instructions on how to migrate your keys, please visit our help page about managing keys with Mailvelope.
Yes. Go to the expert settings in the Mailvelope browser extension to do so and import the key pair for the encrypted emails. Forward the emails to your mailbox. Keep in mind that these keys cannot be recovered using the recovery document. Make sure not to delete the keys that were created by GMX and Mailvelope as this will cause the encrypted communication setup to no longer be recognised.
Yes. Simply contact our customer service so that they can reset your account. Keep in mind, however, that emails that are already encrypted can no longer be decrypted once you do this.
Yes, as long as the recipient also uses OpenPGP, you can send emails to them in encrypted form.
Encrypted emails that were sent to you can be found in your Inbox as usual. Those sent by you can be found in your 'Sent' folder. To make it easy for you to tell which emails are encrypted, we’ve marked them with a lock icon.
Emails that you’re reading or writing feature a customisable colourful background when they’re encrypted. Your browser extension will also display an ‘OK’ to indicate when you’re accessing the extension through the security window. For more information, please visit our help page about receiving and reading encrypted email.
Yes. Keep in mind, however, that the copied content is decrypted in the cache, meaning that it can be retrieved even after you have logged out as long as you have not emptied or overwritten the cache.
As long as you set up encrypted communication with the destination mailbox, you should be able to also read the forwarded encrypted emails. However, if the destination mailbox is with a different provider, encrypted communication may not be offered with them or they may have a more complicated setup process.
The GMX Key Directory stores your public key by default after you have set up encrypted communication. This is done to simplify communication. Your public key is made available when you enter a recipient’s address. If you do not wish for your key to be stored in the Key Directory, revoke your consent under ‘Encryption’ > ‘Privacy’ in ‘Settings’.