To use GPG signed emails, generate a key pair with gpg --gen-key, configure your email client to sign outgoing messages with your private key, and share your public key with recipients. They can then verify that incoming emails genuinely came from you by checking the digital signature—the email client typically displays a green checkmark for valid signatures. Verification proves both authenticity (the sender controls that private key) and integrity (the message wasn’t modified after signing).

Why GPG Sign Your Emails?

Email spoofing is trivial to perform. Attackers can easily forge the “From” header to appear as anyone. GPG signing adds a cryptographic layer that proves:

• Authenticity: The message actually came from the holder of the private key
• Integrity: The message content was not modified after signing
• Non-repudiation: The sender cannot deny signing the message

For developers communicating about code, infrastructure, or sensitive topics, GPG signatures provide assurance that you’re interacting with the genuine party.

Prerequisites

Ensure you have GPG installed on your system:

# macOS
brew install gnupg

# Debian/Ubuntu
sudo apt-get install gnupg

# Fedora/RHEL
sudo dnf install gnupg

Verify the installation:

gpg --version

Generating Your GPG Key Pair

If you don’t already have a GPG key, generate one specifically for email use:

gpg --full-generate-key

Select RSA and RSA (default), choose a key size of 4096 bits for better security, and set an expiration date—two years is reasonable for email keys. Enter your name and email address associated with the email account you’ll sign from.

After generation, list your keys to confirm:

gpg --list-secret-keys

Note the key ID (the hexadecimal string after sec rsa4096/). You’ll need this for configuration.

Configuring Your Email Client

Thunderbird

Thunderbird has native GPG support. Open Settings → Account Settings → End-to-End Encryption. Click “Add Key” and select your newly created key. Enable “Digitally Sign” by default for outgoing messages.

For each account, ensure “Digitally sign outgoing messages” is checked under the account’s Security Settings.

Command-Line with Mutt

If you prefer a terminal-based email client, configure Mutt:

# Add to ~/.muttrc
set crypt_use_gpgme = yes
set crypt_default_keys = "0xYOURKEYID"
set sig_dashed = yes
set crypt_autosign = yes

Replace 0xYOURKEYID with your actual key ID (without the 0x prefix).

Apple Mail

Apple Mail requires the GPG Suite plugin. After installation, enable signing in Preferences → GPG Suite. You can also set default behavior to always sign.

Signing Outgoing Emails

Once configured, signing happens automatically for outgoing messages. You can also sign manually in clients that support it.

To sign a message from the command line (useful for scripts or automated emails):

# Create a signed message
echo "Your message content here" | gpg --clearsign --local-user 0xYOURKEYID > signed_message.txt

For actual email sending, most clients handle the signing transparently after initial configuration.

Verifying Incoming Signed Emails

Verification is where GPG provides real value. When you receive a signed email, your client checks the signature against the sender’s public key.

Using the Command Line

Save the signed portion of an email (the block between -----BEGIN PGP SIGNED MESSAGE----- and -----BEGIN PGP SIGNATURE-----) to a file, then verify:

gpg --verify signed_email.txt

Successful verification output looks like:

gpg: Signature made Mon 16 Mar 2026 10:30:00 EST
gpg:                using RSA key ABC123DEF456
gpg: Good signature from "Your Name <your@email.com>"

Importing Sender Public Keys

For verification to work, you need the sender’s public key. Several methods exist:

# Fetch from a keyserver
gpg --keyserver keyserver.ubuntu.com --search-keys sender@example.com

# Import from a file
gpg --import sender_public_key.asc

# Fetch from a keyserver by key ID
gpg --keyserver keyserver.ubuntu.com --recv-keys ABC123DEF456

Many developers publish their keys on their websites or include them in email signatures. The OpenPGP Keyserver network (keys.openpgp.org) is a reliable choice.

Thunderbird Verification

Thunderbird displays a verification icon next to signed messages. A green checkmark indicates a valid signature. Clicking the icon shows signature details, including the key used and any warnings.

Handling Signature Failures

When verification fails, investigate the cause:

“No public key”: The sender’s public key is not in your keyring. Obtain and import it using the methods above.

“BAD signature”: The message was modified after signing. Do not trust the content.

“Key expired”: The sender’s key has expired. Contact them to obtain a renewed key.

“Untrusted signature”: The key is valid but not trusted. This happens with new keys or keys not signed by someone you trust. Manually verify the key fingerprint through another channel:

gpg --fingerprint sender@example.com

Confirm the fingerprint via a different communication channel (phone, in-person) before marking the key as trusted.

Automating Verification in Scripts

For automated workflows, verify PGP signatures in shell scripts:

#!/bin/bash

# Verify a signed file
verify_signature() {
    local file="$1"
    if gpg --verify "$file" 2>/dev/null; then
        echo "Signature verified successfully"
        return 0
    else
        echo "Signature verification FAILED" >&2
        return 1
    fi
}

# Usage
verify_signature "message.txt"

This pattern works well for CI/CD pipelines that validate commit signatures or package release announcements.

Key Management Best Practices

Maintain your GPG keys properly:

Backup your secret key: Export to a secure location, preferably encrypted:

gpg --export-secret-keys 0xYOURKEYID | gpg --armor --output backup.asc

Use subkeys for daily signing: Create subkeys for signing and encryption while keeping your master key offline. This limits damage if a subkey is compromised.

Revoke certificates: Generate a revocation certificate when you create your key:

gpg --gen-revoke 0xYOURKEYID > revocation_cert.asc

Store this securely. If you lose access to your key, the revocation certificate notifies others not to trust messages signed with that key.

Integrating with Git

Many developers use the same GPG key for Git commits. Configure Git to use your signing key:

git config --global user.signingkey 0xYOURKEYID
git config --global commit.gpgsign true

This provides verified commit provenance, complementary to signed emails.

Getting Started

Start by generating a GPG key if you don’t have one. Configure your primary email client to sign outgoing messages by default. Import keys from frequent correspondents, and verify signatures on all signed messages you receive. Over time, building this habit creates a web of cryptographic trust.

GPG signing adds friction to email communication, but the authenticity guarantees are valuable for technical collaboration. Start with low-stakes communications to build familiarity before relying on signatures for sensitive matters.

Related Articles

• How to Use GPG Signed Emails to Verify Sender Identity
• Verify Someone’s Identity Before Meeting from a Dating App
• Email Encryption with GPG Step by Step
• How To Use Abine Blur For Masked Emails Phone Numbers And Cr
• Someone Signed Up for Services Using My Email — What to Do

Built by theluckystrike — More at zovo.one