Introducing Mailvelope: A Brief Guide for Newbies

By Bernhard Spirkl - July 27, 2023
Mailvelope running on a computer screen
Mailvelope: What it is - and what it's not

In the realm of digital communication, we're used to two primary forms of software. On the one hand, we have native apps—software that we download and install directly on our devices. These apps run on our operating systems and can access our device's resources. On the other hand, we have Software-as-a-Service (SaaS) or online services. These are platforms that we access via the internet, where we typically create an account and log in to use the service. Mailvelope fits into neither of these conventional categories. According to my experience as a support member of the Mailvelope team this divergence from the typical software models we're familiar with can stir some confusion. Let's, therefore, proceed to clarify what Mailvelope is – and significantly, what it is not.

Mailvelope: A browser extension, not a native application

As Mailvelope is a piece of software that adds some custom functions to your browser it’s a so-called “browser extension” (some call it also a “browser-addon”). Some of you may already be familiar with the concept of browser extensions: AdBlock, for example, improves our browsing experience by filtering out intrusive ads. Tools like Passbolt remember our passwords so we don't have to. Some others help you gather and organize information from the websites you are visiting. Many members of this software family are like mini-assistants, quietly working in the background once they are installed in our browsers.[1] In most browsers, these little helpers gather next to the address bar, sometimes hidden behind a puzzle icon.

Browser Extensions next to the address field in Firefox
Browser Extensions next to the address field in Firefox

Mailvelope: Adding encryption to your webmail

Now that we know what type of software Mailvelope is and where it lives on our machine, we can talk a little bit more about what it’s doing. To put it as general as possible: Mailvelope is able to interact with websites, providing end-to-end encryption capabilities to them. Although it can be used just about anywhere, in most cases it will be used to add the ability to encrypt and decrypt emails on the website of a webmail provider.

Common Misconception #1: Sorry, it’s webmail only!

Sometimes people ask if they can use Mailvelope for email encryption with their native email client i.e. Outlook or Apple Mail. The answer is simple: As Mailvelope lives within your browser it is only able to interact with websites. Native Apps can be enhanced with PGP functionality, using Plug-Ins. These are little extensions adding that functionality to these programs, similar to the browser being enhanced by installing Mailvelope.

Mailvelope: Interacting with your Webmail provider

So let’s say you installed Mailvelope in your browser and your webmail provider is Gmail.[2] Once you access the inbox of Gmail, Mailvelope will recognize this and begin interacting with the website. For instance, Mailvelope will display its logo next to the Gmail “Compose” button, offering you the option to write an encrypted email instead of a regular one. If you choose to do so and click on the logo, the Mailvelope editor will open, overlaying the Gmail user interface.[3]

Mailvelope editor floating above Gmail UI
Locally generated Mailvelope editor floating above Gmail UI

Common Misconception #2: Can Google read my emails?

Because we are all used to the idea that everything that happens in the browser originates "from the Internet" in some way, people often assume that this must also be the case with the Mailvelope editor. In reality, however, it turns out that the editor window is locally generated by Mailvelope and everything you type in it is not shared with Gmail nor with us. It stays on your local machine and gets deleted at the moment it's encrypted and sent. You can imagine that keeping the content of this window secure is essential. Therefore Mailvelope creates secure isolation between the private content of your communication and other applications running in the browser. You may have also noticed that Mailvelope asks you to personalize the color and design of the app after installation. This will add another layer of security because a potential attacker would have to mimic your design to cheat you with a faked editor.

Mailvelope: Finding the right keys

After you typed your message, Mailvelope will need to know to whom you are going to send it and, more important, with which keys it should encrypt the message. That's where the Mailvelope key server comes into play. This server works much like the phone books of old. If you wanted to call someone but didn't have their number, you could look it up in one of these hefty volumes. The Mailvelope key server performs a similar function. It holds the public key associated with a given email address. As soon as you type in an email address, Mailvelope will look for this public key. Only by knowing this key (and being certain that it belongs to the person with this email address) can you send an email to someone that only they can open. This is the reason why you get asked for confirmation of your key by the key server when installing Mailvelope. It just wants to ensure it's you and not someone else pretending to be you.

Mailvelope: Encrypting and sending your message

Once you've finished writing your text and entered the recipient's email address, Mailvelope works its magic. As soon as you hit the “Send/Encrypt” button, the text is encrypted by Mailvelope. Need to attach a file? Just drag and drop it onto the attachment field of the editor – it will be encrypted along with the message.

Common Misconception #3: Where Is the Server?

Tech-savvy users sometimes question how we can securely transfer data from the browser to our server for encryption and then back. The simple answer is: There are no servers involved in the encryption process. Encryption occurs locally in the browser. This is made possible through Javascript and a fantastic library called OpenPGP.js.

Mailvelope: Being the Swiss knife of email encryption is not always easy

What’s described here for Gmail users might include a few more steps on other webmail providers. It will work with almost any of them, but sometimes as comfortably. While we are striving to make the process of writing an encrypted email as easy as writing a normal email this is currently not possible with every email provider. Providers have rules and protocols for communication with other apps. Unfortunately, these rules are not standardized and not every provider has even one. The German email providers WEB.DE, GMX, and Posteo worked together with Mailvelope in the last years to seamlessly integrate Mailvelope into their services. As it is the provider with the biggest market share, we implemented seamless integration with Gmail so far.[4] integration is planned.

Mailvelope: Your privacy is not just an afterthought - it's our fundamental principle.

We've explored how Mailvelope stands out as a unique and highly effective tool for enhancing the security of your email communication. It operates by crafting a secure, private environment within your browser for composing messages and encrypts these messages locally, eliminating the need for server interaction. While Mailvelope may seem complex at first glance, a deeper understanding of its workings unveils its inherent versatility and efficacy.

Our Community Version is offered for free. To try it, follow the steps given in our Get Started Guide. If you're a business owner or head of an organization using Google Workspace, consider trying Mailvelope Business free for 14 days, or reach out to us with your specific needs.

[1] Like a native app, a browser extension must be installed—but this installation occurs within your web browser rather than your device's operating system. Mailvelope is currently running on Chrome, Firefox, and Edge and can be found in the respective webstores.

[2] How to do this exactly and how to generate or import your keys you can learn on our Get started

[3] Gmail will ask for your permission first, as will your browser on installing.

[4] For Google Workspace users this seamless experience is available as our product Mailvelope Business