Enigmail Configuration Manual

Per-Recipient Rules - Technical Description


Enigmail lets you define per-recipient rules that control encryption, signing and PGP/MIME, and that specify which OpenPGP key(s) to use for each recipient. This document describes the syntax of the rules file and how the rules are processed.


The settings are stored in <profile>/pgprules.xml. This is an XML file with the following structure:

<pgpRule email='{user1@some.domain}' keyId='0x1234ABCD' sign='1' encrypt='1' pgpMime='1'/>
<pgpRule email='user2@some.domain}' keyId='0x1234ABCE' sign='2' encrypt='1' pgpMime='0'/>

The <pgpRule .../> entries define how Enigmail should enable or disable the settings for encryption, signing and PGP/MIME and what OpenPGP Key ID to use. The attributes are defined as follows (see also examples below):

  • email: the e-mail(s) from the To:, Cc: and Bcc: fields to match. The matching works on substrings. In order to match the boundaries of an e-mail address, you can use the curly brackets { and }. You can specify several addresses separated with spaces. E.g.:

    • {user1@some.domain} matches exactly and only user1@some.domain

    • user@some.domain} matches e.g. my.user@some.domain, or your.user@some.domain

    • @some.domain} matches any address at some.domain

    • user@domain matches e.g. my.user@domain.name, or your.user@domain.other

  • keyId: the list of OpenPGP Key IDs to use for the recipient. It is recommended to use the 8-byte key ID 0x1234ABCD, or even the 16-byte key ID 0x1234567890ABCDEF. You can specify several keys separated by spaces. If you specify a dot (.) as the single value in the field, no key ID is used, and any matching recipient will not be considered any further (see below under Notes for more details).

  • sign: enable or disable message signing. This either uses or overrides what you have specified in the message composition window. The allowed values are:

    • 0 - disable signing, even if it was enabled in the message composition window (overrules the other values)

    • 1 - leave signing as specified in the message composition window

    • 2 - enable signing, even if it was not enabled in the message composition window

    These signing values are applied for all rules that match. If one of the rules disables signing, the message will not be signed, regardless of other rules with value=2.

  • encrypt: enable or disable message encryption. The allowed values and their meaning are the same as for message signing.

  • pgpMime: enable or disable the use of PGP/MIME (RFC 3156). If PGP/MIME is disabled, the messages are encoded using "inline PGP". The allowed values and their meaning are the same as for message signing.


Example content of pgprules.xml:

<pgpRule email='@some.domain}' keyId='' sign='1' encrypt='2' pgpMime='1'/>
<pgpRule email='{first.user@some.domain}' keyId='0x11111111' sign='1' encrypt='1' pgpMime='1'/>
<pgpRule email='{second.user@some.domain}' keyId='0x11111112' sign='2' encrypt='2' pgpMime='2'/>
<pgpRule email='{third.user@some.domain}' keyId='0x11111113' sign='2' encrypt='2' pgpMime='0'/>
<pgpRule email='{mailing-list@some.domain}' keyId='0x11111111 0x11111112 0x11111113 0x11111114' sign='2' encrypt='2' pgpMime='0'/>
<pgpRule email='@mycompany.com} @mycustomer.com}' keyId='.' sign='2' encrypt='2' pgpMime='2'/>
<pgpRule email='{mother@somewhere.com}' keyId='' sign='0' encrypt='0' pgpMime='0'/>
<pgpRule email='@' keyId='' sign='0' encrypt='0' pgpMime='0'/>

The above rules define the following (line numbers start at 2 for the first rule shown):

Line 2: encrypt all mails to every user @some.domain
Line 3: use OpenPGP Key ID 0x11111111 for mails to first.user@some.domain
Line 4: use OpenPGP Key ID 0x11111112 for mails to second.user@some.domain. In addition, sign and encrypt all mails with PGP/MIME
Line 5: use OpenPGP Key ID 0x11111113 for mails to third.user@some.domain. In addition, sign and encrypt all mails, but never use PGP/MIME (e.g. because the recipient's mail client doesn't understand it)
Line 6: for mails to mailing-list@some.domain, use the key IDs 0x11111111, 0x11111112, 0x11111113 and 0x11111114. Always sign and encrypt mails with inline-PGP
Line 7: sign and encrypt all mails to mycompany.com and mycustomer.com with PGP/MIME. Use the email address as the matching criterion to find the key and ignore any further rules for these recipients.
Line 8: do not sign or encrypt any mails to mother@somewhere.com
Line 9: do not sign or encrypt any mails to anybody else


Notes:

  • The file is processed sequentially. If a rule contains a keyId field with some value, the rule is applied, but the address that matched will not be rechecked in any following rules. This also applies if the keyId contains a single dot (.). In this case no specific keyId is used, and the key is matched using the email address.

  • In order to minimize the number of entries you have to make in the pgprules.xml file, you should set your default settings carefully in Account Settings > OpenPGP Security and in OpenPGP > Preferences > Key Selection.

  • It is highly recommended to enable the option Always confirm before sending in OpenPGP > Preferences > Sending in order to check the resulting status for encryption, signing and PGP/MIME before a message is sent.
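
The matching and merging rules described above, as an added example (not Enigmail's own code): a small Python model that evaluates a subset of the example rules for a list of recipients. The <rules> wrapper element and the function names are assumptions made for this sketch, and matching is modelled as a substring test against the address wrapped in { }.

```python
import xml.etree.ElementTree as ET

# Subset of the example pgprules.xml shown on this page.
# The <rules> wrapper is scaffolding added here so the fragment parses.
RULES_XML = """<rules>
<pgpRule email='@some.domain}' keyId='' sign='1' encrypt='2' pgpMime='1'/>
<pgpRule email='{first.user@some.domain}' keyId='0x11111111' sign='1' encrypt='1' pgpMime='1'/>
<pgpRule email='@mycompany.com} @mycustomer.com}' keyId='.' sign='2' encrypt='2' pgpMime='2'/>
<pgpRule email='{mother@somewhere.com}' keyId='' sign='0' encrypt='0' pgpMime='0'/>
<pgpRule email='@' keyId='' sign='0' encrypt='0' pgpMime='0'/>
</rules>"""

FLAGS = ("sign", "encrypt", "pgpMime")

def matches(patterns, address):
    # Substring match against the address wrapped in { }, so a brace in the
    # pattern anchors that end of the address. Patterns are space-separated.
    wrapped = "{" + address + "}"
    return any(p in wrapped for p in patterns.split())

def merge(values):
    # 0 overrules everything; otherwise 2 (enable) wins over 1 (leave as is).
    return 0 if 0 in values else max(values, default=1)

def evaluate(recipients, rules_xml=RULES_XML):
    """Return (merged flags, {address: key IDs}) for one message."""
    pending = list(recipients)
    seen = {f: [] for f in FLAGS}
    keys = {}
    for rule in ET.fromstring(rules_xml).findall("pgpRule"):  # sequential
        hit = [a for a in pending if matches(rule.get("email"), a)]
        if not hit:
            continue
        for f in FLAGS:
            seen[f].append(int(rule.get(f)))
        key_id = rule.get("keyId", "").strip()
        if key_id:  # any value, including ".", ends rule checking for the address
            for a in hit:
                pending.remove(a)
                keys[a] = [] if key_id == "." else key_id.split()
    return {f: merge(v) for f, v in seen.items()}, keys

if __name__ == "__main__":
    for rcpts in (["first.user@some.domain"], ["new.hire@some.domain"],
                  ["first.user@some.domain", "mother@somewhere.com"]):
        print(rcpts, evaluate(rcpts))
```

In this model an address at some.domain that has no key rule of its own also reaches the final '@' rule, whose 0 values overrule the earlier encrypt='2', and a single recipient matching a disabling rule turns encryption off for the whole message. These are the results the Always confirm before sending option lets you catch.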