Secure Email
Zammad supports S/MIME for high-security email communication.

Use the 🔒 Encrypt and ✅ Sign buttons to turn on encryption and signing for outgoing emails.
Note
🤔 Huh? I don’t see “Sign” or “Encrypt” options in the ticket view…
This feature is optional; if you don’t see it in the ticket composer, that means your administrator hasn’t enabled it yet. Administrators can learn more here.
What is S/MIME?
S/MIME is the most widely-supported method for secure email communication. With S/MIME, you can exchange signed and encrypted messages with others.
- Signing is proof that a message hasn’t been tampered with or sent by an impersonator. In other words, it guarantees a message’s integrity and authenticity.
- Encryption scrambles a message so that it can only be unscrambled by the intended recipient. In other words, it guarantees privacy and data security.
Overview
Note
🤝 S/MIME only works if the other party is using it, too.
Your administrator is responsible for adding all the necessary certificates in Zammad’s admin panel.
📬 Incoming
The 🔒 and ✅ icons at the top of a message indicate its S/MIME status.

Click on an incoming message to expand its details. Hover over the security status to show a certificate/CA summary.
- This message was encrypted for you. Even if it was intercepted by a third party (hacker, gov’t agency, etc.), they won’t be able to read it.
- This message is not encrypted.
- This message’s signature has been successfully verified. You can be confident that it’s authentic and that the contents have not been modified.
- This message is not signed.
📮 Outgoing
Use the 🔒 Encrypt and ✅ Sign buttons to turn on encryption and signing for outgoing emails.
Note
Outgoing emails can only be encrypted for a single recipient.

🔒 Encrypt and ✅ Sign buttons are present on both new tickets and replies. Hover over the buttons to show a certificate/CA summary.
- This message will be encrypted. Even if it’s intercepted by a third party (hacker, gov’t agency, etc.), they won’t be able to read it.
- This message will not be encrypted.
- This message will be signed. Recipients using S/MIME can verify that it came from you and that the contents have not been modified.
- This message will not be signed.
Troubleshooting
📬 Incoming
- “Sign: Unable to find certificate for validation”
Without the sender’s certificate, Zammad cannot verify the message signature.
Ask your administrator to add the sender’s certificate to Zammad’s certificate store.
Warning
🕵️ ALWAYS verify certificates in-person or over the phone!
The whole point of signature verification is to alert you when someone is trying to pretend to be someone they’re not. Never accept a certificate from someone online without verifying it first.
- “Encryption: Unable to find private key to decrypt”
This message was encrypted with a certificate that does not match any on file. Without a matching private key, Zammad cannot decrypt the message.
Ask your administrator to verify your organization’s private key in Zammad’s certificate store, and ask the sender to double-check the public key they used to encrypt the message.
Hint
📢 Your public key can be safely shared with anyone.
(But if they’re smart, they’ll take extra precautions to make sure it really belongs to you.)
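One way to carry out the phone check from the warning above, as an added example that is not part of Zammad or its documentation: the sender reads out the SHA-256 fingerprint of their certificate and you compare it with the fingerprint of the file you were sent. Fingerprint comparison as the verification method, the function names and the sample bytes are assumptions made for this illustration.

```python
import hashlib
import hmac
import re
import ssl

# Constructed stand-in for the certificate file you were sent. These bytes are
# NOT a real X.509 certificate; a fingerprint is a hash over the DER bytes, so
# any bytes are enough to illustrate the comparison.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed sample bytes, not a real certificate")


def fingerprint(pem: str) -> str:
    """Return the SHA-256 fingerprint of a PEM certificate as AA:BB:... text."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(spoken: str) -> str:
    """Reduce a fingerprint read aloud or typed by hand to bare uppercase hex."""
    hex_only = re.sub(r"[\s:.-]", "", spoken).upper()
    # Refuse shortened fingerprints: comparing only the first few characters
    # weakens the check, so require all 64 hex digits.
    if not re.fullmatch(r"[0-9A-F]{64}", hex_only):
        raise ValueError("expected 64 hex digits (a full SHA-256 fingerprint)")
    return hex_only


def matches(pem: str, spoken: str) -> bool:
    """True only if the certificate matches the fingerprint the sender confirmed."""
    return hmac.compare_digest(normalize(fingerprint(pem)), normalize(spoken))


if __name__ == "__main__":
    print("Fingerprint of the file on hand:", fingerprint(SAMPLE_PEM))
```

Only hand the certificate to your administrator once `matches` returns True for the value the sender confirmed in person or by phone.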
📮 Outgoing
- The 🔒 Encrypt button is disabled
Ask your administrator to add the recipient’s certificate to Zammad’s certificate store.
- The ✅ Sign button is disabled
Ask your administrator to verify your organization’s private key in Zammad’s certificate store.