Is Apple's Mail app secure and encrypted?

Hi MPUers,

  • How does Mail store emails? On device or iCloud?
  • Are these emails on device/iCloud encrypted or can be read by any app/person

If you are using Mail, how do you like it? Planning to switch from gmail to Mail app

The answer on both these questions is: it depends.

It’s installed on any Mac, iPad and iPhone. Not a huge barrier to try it yourself.


In addition to @vco1’s comments, to give Apple Mail a try, fire it up and connect you Google mail account to it.

Like @vco1 I have Apple mail on all my Apple devices, and have done so for years. Works fine and is integrated with the Apple ecosystem pretty well and for me that a benefit. The Google mail app on iOS useful to help manage Google 2-factor security. So I have it, but don’t use it really much for mail.

1 Like

Are you switching from gmail to icloud or just connecting your gmail account to mail app?

Email is the least secure messaging system we use. All of the protocols, SMTP, IMAP and POP are designed without encryption or authentication. Any security has to be added on top by something like PGP.


Mail downloads your email messages from the account provider you have and creates local archives that, for all I know, are not encrypted. Someone with access to your Mac account or your physical disk could read those emails. Enabling full-disk encryption will mitigate the last attack vector.


The thing to remember is that Mail is an app, not a service. It uses standard protocols (IMAP,POP) to send and receive email via mail servers, including those operated by Apple (for iCloud mail).

So if your email provider encrypts, Mail will get encrypted messages, and it’ll be up to you to decrypt them. Or if you send an encrypted message from your Mac, it will be encrypted, and it’s up to your recipient to decrypt it. That’s end to end encryption, but Mail isn’t doing it.

Keep in mind that at least some email metadata – including sender and receiver (or at least reply-to), time and date, IP addresses, etc etc – isn’t and can’t be encrypted; servers wouldn’t know where to send messages, or how to send any response from the recipient. And, as has been pointed out, email on the Internet was never designed to be particularly secure, whatever email client you use


Just to expand on this for the OP: IMAP and SMTP do have encrypted versions that you should use if your service provider supports them. Using them does not change the fact that plain old email (without an additional layer of encryption such as PGP, as @jcarucci mentioned) should never be considered a private, for a number of reasons.


Since I have no control of the copies of messages I have sent to, or received from, others I have no expectation of privacy.

1 Like

Just connecting gmail to Mail app

Then nothing goes to iCloud, it is just on your devices via imap. Any security off device is on google.


Just clarifying for OP, unless I’m misunderstanding - the transmission is encrypted when using POP3, IMAP, or SMTP over SSL, but the data it’s actually transmitting is stored “at rest” on both sides as cleartext.

If you have email on a given server, unless you’re using PGP or something the admin of that server can go read your email whenever they feel like it. And even with tech like PGP, the headers (who it’s from, who it’s to, where it went on the way, when it was sent, etc.) are all available in cleartext.


So all the mail is only saved on the device? How does it sync between devices then?

To what I say on iOS, it was asking me to enable iCloud sync so I can use Mail on both mac and iOS

It makes me a bit anxious every time I get to know about how much admins/companies have access to our data (email and other stuff). End-end encryption should be the norm.

PS: I should stop reading all this stuff to keep life simpler. Don’t know how y’all handle this. :smile:

1 Like

If you’re using IMAP, it doesn’t sync “between devices”. It syncs between each device and your provider’s IMAP server. Since both devices are syncing to and from that server, the devices are in sync as a side effect. :slight_smile:


you can install GPG Suite that supports pgp private / public keys for encrypting and signing emails

And if your provider doesn’t support them, find a new provider.

So I started using Mail on iOS, its pretty barebones but has a few nice features.

One thing I can’t seen to figure out is, it does not show gmail labels on the email itself. I mean there are folders for each label, but email sitting in my inbox with label (in gmail), don’t have any label in inbox in Mail. They show up in the label folder though. But I want the label tag to show in the inbox as well. Any way to make this work?

And, any suggestion on privacy in Mail? I used to keep images blocked in gmail to avoid pixel tracking and “Read” indicator. I just tried the same thing with Mail by enabling “Block All Remote Content”, it was still showing a few images that were being blocked by gmail. How effective is this in your experience?

Based on what I read, “Protect Mail Activity” proxies the mail hides the IP, but the images are all loading up, which can let the sender know if I read the email or not, which is what I don’t want.

Long story short, the way Gmail works and the way Mail works is different. This is mostly because Gmail isn’t standard IMAP, and Mail is.

Gmail stores ONE copy of the message, and applies multiple labels to it on the back end so that it can show it in “folders” - but the folders are illusory. The mail lives in “All Mail”, and is surfaced in different views based on tags/labels.

Mail is standard IMAP, which means that if an email has three different labels, and is thus in three different “folders” in Gmail, Mail sees three actual folders and will therefore download three copies.

This would be true of any standard IMAP client trying to access Gmail.