(I never went back and edited this. That means it's probably a little rough and may be confusing.)
Secure email requires encryption. Encryption requires two keys. One is called a public key; a sender can use it to encrypt a message. The other is called a private key. It can be used to decrypt a message that was encrypted with the corresponding public key.
When you send secure email, there are two functions. One is called 'signing'. In a signed message, the mail program uses the recipient's public key to create something called a digest. The recipient can open the digest (with their private key) and verify that the email is exactly the one that was sent. The other security function is called encrypting. In this case, the sender uses a public key to put an encrypted form of the message into the email and send that instead. The recipient uses his or her private key to decrypt the message into a readable form that security people call plaintext.
When you send an encrypted or signed email to a list of people, a different key is used for each person. A different encrypted package is sent to each. Each uses his or her personal private key to open the message. You cannot send an encrypted message to a list of people that includes someone for whom you do not have a public key.
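As an added example (not part of the original write-up), the openssl command line can show which key each operation uses: the signature is made with the sender's private key and checked with the sender's certificate, and an encrypted message opens only with the private key of someone it was encrypted for. The three identities, their example.test addresses and the message are constructed, and self-signed certificates stand in for ones issued by a certificate company.

```shell
#!/bin/sh
# Added example. Identities, addresses and the message are constructed for the demo.
smime_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  # Self-signed certificates stand in for ones a certificate company would issue.
  for who in alice bob carol; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=$who/emailAddress=$who@example.test" \
      -keyout "$who.key" -out "$who.crt" 2>/dev/null || exit 1
  done
  printf 'Meet at noon.\n' > msg.txt

  # Signing: Alice's PRIVATE key makes the signature; her certificate travels with it.
  openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key \
    -out signed.eml 2>/dev/null || exit 1
  # Verifying needs only Alice's certificate (public key), used here as the trust anchor.
  openssl smime -verify -in signed.eml -CAfile alice.crt -out /dev/null 2>/dev/null \
    && sign=ok || sign=bad
  # A change made in transit breaks the signature check.
  sed 's/Meet at noon/Meet at nine/' signed.eml > tampered.eml
  openssl smime -verify -in tampered.eml -CAfile alice.crt -out /dev/null 2>/dev/null \
    && tamper=accepted || tamper=rejected
  res="sign=$sign tamper=$tamper"

  # Encrypting: one certificate per recipient (Alice includes herself); no private key needed.
  openssl smime -encrypt -aes256 -in msg.txt -out enc.eml alice.crt bob.crt || exit 1
  # Decrypting: each person tries with their own private key. Carol was not a recipient.
  for who in alice bob carol; do
    if openssl smime -decrypt -in enc.eml -recip "$who.crt" -inkey "$who.key" \
         -out "$who.txt" 2>/dev/null && tr -d '\r' < "$who.txt" | cmp -s - msg.txt
    then res="$res $who=reads"
    else res="$res $who=denied"
    fi
  done

  cd / && rm -rf "$d"   # remove the scratch keys
  echo "$res"
)
smime_demo
```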
Managing the keys is done with something called certificates. The certificate contains both the public and the private key and information that allows the mail program (in cases where it's important enough to pay the certificate company) to verify that you are you and that this is your key.
To start, get a free certificate at:
https://www.comodo.com/home/email-security/free-email-certificate.php
After you complete the signup, Comodo will email you the certificate.
- Double-click the attachment in the email from Comodo to open Keychain Access.
It will automatically install the certificate.
To verify that it all works, quit Mail.app and restart it. Create a new email and you will see new icons on the left of the subject line.

That blue check means your emails are now signed. If some hacker messes with the message before it gets to me, I will get a notification that the message is not the one you sent. The grayed-out lock symbol says that you are not yet able to send an encrypted email.
To be able to send encrypted email, your email program has to have the other person’s public key. Mail.app collects these when it gets a signed email. To send an encrypted email, ask the person (I have one so I'm a good option) to send you a signed one and reply (or Mail.app may already have it). The lock should turn blue in a new message to that person.
But when you receive an encrypted message (e.g., when I reply to your first encrypted message), you will see that you cannot read it on your iPhone. The problem is that your iPhone needs to have your certificate as well.
NOTE: YOU DO NOT NEED TO DO THIS. THE EXPORT FROM KEYCHAIN CAN BE SENT. I DON'T REMEMBER EXACTLY WHAT I DID, SO I AM LEAVING THIS PART IN.
To update your iPhone with a certificate, you need a new program called the iPhone Configuration Utility.
Download it from
http://support.apple.com/kb/DL1465
Install it like any other program. It gets installed into "Applications/Utility/IPhone Configuration Utility".
Open Keychain Access
- Find the certificate that was installed before in the ‘login’ keychain. It is named as your email address. If you have old ones, it will probably be the one with the latest expiration date.
- Select it and choose Export Items from the File menu.
You will see a file dialog. In addition to files, it will show a popup menu under the file list.
- Choose “Personal Information Exchange (p12)”
- Save the file someplace easy to find again (Desktop is good. You can throw it away after this is done.)
Open iPhone Configuration Utility.
- Select “Configuration Profiles” from the palette in the left column
- Click the New icon on the top left.
This will show a new set of controls in the lower left window.
Select the General item.
- Make up an informative name.
- Then make up a unique Identifier. For this purpose, I suggest something like com.domain.emailCert.yourEmailName.
Leave Description and Security as they are (blank, or whatever you want to type, and Always).
Next, scroll down from General and find Credentials.
- Click on the Configure button that shows and you will see a file dialog. Choose the p12 file you made before and Open.
The final act in Configuration Utility is to click Share, next to the New icon.
- Select None from the Security popup and Share…. This will take you to Mail.app.
There you will see a new mail message with a file attached. Email this to yourself.
The last step is to open the email on your iPhone and tap the certificate.
It will open.
- Click the button, top left, that says Install. It will ask for your phone’s password.
- Enter your password and click Done. It will tell you that the profile is not signed.
- Click Install. It will ask you to do it again to confirm.
- Click Install again (this time red and at the bottom).
It will return you to your email message and you are done.
(You can look at it or delete it by going to Settings->General->Profile. It’s way down at the bottom).
Now you can find the email that you couldn’t read before and you will be able to read it.
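The .p12 file exported from Keychain Access in the steps above bundles the certificate together with the private key, so it is worth checking before it goes into a profile and an email. This added example (not from the original write-up) builds a constructed identity with openssl, exports it as .p12, and confirms that the export password is enforced and that the private key inside belongs to the certificate; the address and both passwords are constructed for the demo.

```shell
#!/bin/sh
# Added example. The identity and both passwords are constructed for the demo.
p12_check() (
  d=$(mktemp -d) && cd "$d" || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=alice/emailAddress=alice@example.test" \
    -keyout id.key -out id.crt 2>/dev/null || exit 1
  # Stand-in for "Export Items" as Personal Information Exchange (p12).
  openssl pkcs12 -export -inkey id.key -in id.crt -name "alice@example.test" \
    -out id.p12 -passout pass:export-pass-for-demo || exit 1

  # A wrong export password must not open the bundle.
  if openssl pkcs12 -in id.p12 -passin pass:wrong -nokeys >/dev/null 2>&1
  then guard=open; else guard=locked; fi

  # With the right password the bundle yields the certificate AND the private key.
  cert=$(openssl pkcs12 -in id.p12 -passin pass:export-pass-for-demo \
      -nokeys 2>/dev/null)
  key=$(openssl pkcs12 -in id.p12 -passin pass:export-pass-for-demo \
      -nocerts -nodes 2>/dev/null)
  from_cert=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)
  from_key=$(printf '%s\n' "$key" | openssl pkey -pubout)
  # The key belongs to the certificate only if both give the same public key.
  if [ -n "$from_key" ] && [ "$from_cert" = "$from_key" ]
  then pair=match; else pair=mismatch; fi

  # The address the certificate was issued for.
  email=$(printf '%s\n' "$cert" | openssl x509 -noout -email)

  cd / && rm -rf "$d"   # the scratch copy of the private key is deleted
  echo "password=$guard keypair=$pair email=$email"
)
p12_check
```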