since email clients were available on windows 3.1 in the early 1990’s they have had PKI facilities for keeping email totally private. PKI is still the most reliable and secure system for keeping nosy parkers out of email streams. it is a universal system that both parties of a conversation need to buy into separately, in order to interact.
each user of the system buys a s/mime (email certificate) from a certificate provider, and has that installed in their email apps. there are many providers to buy an email certificate from. all certificates are compatible with each other, all email addresses & 99.6% of email apps
each certificate has two parts – a PUBLIC KEY & PRIVATE KEY
the public key part is used (usually by other people) to encrypt an email that only it’s matching private key can unscramble. and only you have that, don’t copy or give your private key to anyone for any reason.
when receiving an encrypted email, or signing an outgoing email, you may be prompted for the passphrase for your key (as proof of owner action)
buying in & getting going
when you purchase an email certificate you will set a passphrase & download a file (your email key pair) and follow the instructions for installing it in your mail app. don’t whatever you do forget the passphrase to your keypair
make sure you tick a little box during this process to “make your key exportable”. make sure to “sign” all emails from now on. this alerts subscribers to the PKI system that they can encrypt a reply to you.
when you receive signed email from someone else, the public key of the sender is automatically added to your mail app. only because you also own a certificate, from then on you can choose the “sign & encrypt” option when sending that person an email.
someone who doesn’t have a keypair of their own, receiving a signed email is now restricted by the app mafia (microsoft/mozilla/apple/et al) from encrypting a reply. they can however take comfort from the surety their email was in fact from yourself & that it was delivered intact, un-damaged.