Sender verification on emails


Proton Mail employs different methods to protect your privacy and security. While our end-to-end encryption protects your email from being read by outsiders, it does not ensure that your email has been sent by the right person. For example, if John sends you an email, there is no certainty that it was actually John himself who wrote and sent the email.

To verify the identity of the sender, Proton Mail uses digital signatures. Digital signatures are similar to physical signatures, except each digital signature only signs a specific email. This means that the email cannot be changed or tampered with after it was signed without the signature becoming invalid.

Learn more about digital signatures

Sender verification on emails

When trusted keys are available, digital signatures in emails are automatically verified. To check whether an email has a valid digital signature, hover over the lock icon next to the sender’s address. This is how a digitally signed email looks:

[Image: Digitally signed email]

An email with an invalid digital signature looks like this:

[Image: Failed digital signature]

Signature verification on attachments

Email attachments can also be digitally signed. Email attachments that have passed Proton Mail’s security checks and have been digitally signed can be downloaded immediately.

However, if the email attachment failed the digital signature check, you will encounter this warning when you try to download the attachment:

[Image: Verification error]

This article provides more detail on digital signatures.

Does an invalid signature mean that someone tampered with my data?

While it is possible that someone has tampered with your data, this is not always the case. It could be that someone deleted their public keys or account, making it impossible to verify the signature. Your browser will then be unable to verify the authenticity of the emails and attachments.
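
The difference between these two causes, as an added example that is not Proton Mail's own code: Node.js's built-in Ed25519 signatures stand in for the real signature format, and `trustedKeys`, `signEmail`, `checkSignature` and the sample address and messages are hypothetical. It shows that a check fails both when the body was altered and when the sender's key is simply no longer available.

```javascript
const { generateKeyPairSync, sign, verify } = require('crypto');

// Hypothetical store of trusted public keys, indexed by sender address.
const trustedKeys = new Map();

// Sender side: sign the exact bytes of one email body.
function signEmail(from, body, privateKey) {
  return { from, body, signature: sign(null, Buffer.from(body, 'utf8'), privateKey) };
}

// Recipient side: report whether the check passed and, if not, why.
function checkSignature(email) {
  const publicKey = trustedKeys.get(email.from);
  if (!publicKey) return { valid: false, reason: 'no-trusted-key' };
  const ok = verify(null, Buffer.from(email.body, 'utf8'), publicKey, email.signature);
  return ok ? { valid: true, reason: 'ok' } : { valid: false, reason: 'signature-mismatch' };
}

// Constructed sample data: the address and message texts are made up.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const sender = 'john@example.com';
  trustedKeys.set(sender, publicKey);

  const original = signEmail(sender, 'Meet at 10:00 on Friday.', privateKey);
  const other = signEmail(sender, 'Invoice attached.', privateKey);
  const results = {
    untouched: checkSignature(original),
    // Body changed after signing.
    tampered: checkSignature({ ...original, body: 'Meet at 11:00 on Friday.' }),
    // A signature taken from a different email does not transfer.
    reused: checkSignature({ ...original, signature: other.signature }),
  };
  // Sender deletes their key: the untouched email can no longer be verified.
  trustedKeys.delete(sender);
  results.keyDeleted = checkSignature(original);
  return results;
}

console.log(demo());
```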
