Take Control of Apple Mail is your complete guide to Apple’s Mail app. In this book, Joe explains core concepts like special IMAP mailboxes and email archiving, reveals Mail’s hidden interface elements and gestures, and helps with common tasks like addressing and adding attachments. He also offers tips on customizing Mail, including a nifty chapter on how simple plugins and special automation can dramatically improve the way you use Mail. Joe also covers finding that message in the haystack with Mail’s natural-language search, improving the messages you send, how digital signatures and encryption work in Mail, and—perhaps most important—an award-winning strategy for avoiding email overload.
You’ll quickly find the information that’s most important to you, including:
- Key changes in Mail for Catalina and iOS 13/iPadOS 13 (including missing and broken features, alas)
- Getting through your email faster with gestures
- Using advanced search techniques to find filed messages
- Using plugins to significantly enhance how you use Mail
- The whys and hows of sending attachments
- Using markup features to embellish, and even sign, outgoing attachments
- Defeating spam with the Junk Mail filter—and what to do if you need more firepower
- Understanding special mailboxes like Sent, Drafts, and Junk
- Using notifications to stay apprised of incoming messages
- Taking charge of email organization with rules and other measures
- Backing up and restoring email
- Importing email from other apps, older versions of Mail, or another Mac
- Deciding whether you should encrypt your email, along with detailed, real-world steps for signing and encrypting messages
- Taking Mail to the next level with AppleScript and Automator
- Key skills for using Mail in iOS and iPadOS, such as working with incoming and outgoing messages, using attachments, and configuring accounts
- Fixing problems: receiving, sending, logging in, bad mailboxes, and more
Although this book primarily covers Mail on Catalina, Mojave, iOS 13/iPadOS 13, and iOS 12, the majority of it is also applicable to earlier versions.
Posted by Joe Kissell on June 12, 2020
I joined Chuck Joiner on MacVoices in a two-part interview to discuss the fifth edition of my book Take Control of Apple Mail.
In Part 1, I talk about some of the bugs and design flaws in Mail for Catalina.
In Part 2, I stay hydrated while talking about plugins, security issues, and the challenges of email for ordinary users.
Posted by Joe Kissell on May 14, 2018
It’s been a while since the previous edition of Take Control of Apple Mail was published, so I had a lot to catch up on in my interview with Chuck Joiner on MacVoices. I’m not exactly a green rage monster this time, but there are a number of things about Mail I’m…less than happy about. If you feel the same way, I hope you find this interview therapeutic.
Posted by Joe Kissell on
Note: Please see the end of this article for updates.
Just hours before the scheduled release of Take Control of Apple Mail, Fourth Edition, my Twitter feed started blowing up with Urgent! Breathless! Warnings! about a newly discovered vulnerability that affects email messages encrypted with S/MIME or OpenPGP, about which I have a whole chapter in my book (“Sign and Encrypt Messages”). And my first thought was, oh, great, my book needs revising before it’s even out. I’ve now examined the original report that prompted the warnings and have a better understanding of the situation, which I’d like to share with you here, and which I plan to update as new facts emerge. Let me start with this, however:
The sky is not falling.
Yes, there is a problem, but (a) the odds that you will encounter it, even if you regularly use email encryption—and most people don’t—are incredibly small; (b) there are easy temporary workarounds; and (c) it is being fixed even as I type these words.
Let’s go over the details.
A team of European researchers found a vulnerability that they’ve dubbed EFAIL. That site summarizes the issue; their complete technical paper (PDF) is here. The very short version of the problem is that there is a technique that an attacker could potentially use to cause your email client to send the decrypted contents of an encrypted message to outside parties. This technique exploits a combination of weaknesses in two encryption standards, design flaws in certain modern email clients (Apple Mail among them, on both macOS and iOS), and less-than-ideal default settings. It works only when you receive and open a message that contains a hidden copy of encrypted email you’ve already sent or received—meaning you are almost certainly being targeted directly. And it affects both of the most common encryption methods—S/MIME (built into most email clients) and OpenPGP (used by GnuPG and other software).
In order for this exploit to work, the attacker must already have encrypted messages sent to or from you. (There are numerous ways these could be obtained, but all of them require the extra, and sometimes quite challenging, step of first hacking into your email in some way.) Once that’s done, the attacker takes the encrypted contents of one or more of these messages and hides it in a new, specially crafted, encrypted message sent to one of the original senders or recipients (and, presumably, made to look as though it comes from a trusted source). When the victim opens this message, their email client decrypts it and sends the attacker the plaintext contents of the encrypted message(s) hidden within it. So, this doesn’t give the attacker the ability to freely read all your encrypted email, only those specific messages sent to you or the other party in the email transaction in this sneaky way.
Why You Probably Don’t Have to Worry
EFAIL almost certainly won’t affect you, even if you take no action. Here’s why:
Very few people encrypt their email anyway. If you’re not using S/MIME or OpenPGP—and believe me, you’d know it if you were—there’s just nothing to see here.
I have seen no evidence, or even hints, that this exploit is being used, or has ever been used, in the wild. As far as I know, only the researchers who discovered the technique have actually tried it. (Obviously, that could change in hours or days, but it’s not like the bad guys have been actively using this already.) And remember, even if or when it does get out into the wild, an attacker can’t use this on you without first obtaining the existing encrypted email messages from your account that they want the contents of. That’s a nontrivial extra step.
The companies that make the affected email clients and third-party software are working on fixes right now. For example, the team that makes GPGTools has already tweeted that a mitigation is imminent, in GPGTools 2018.2, and that there’s an easy workaround in the meantime (about which, read on). And if Apple doesn’t address this in macOS 10.3.5 and iOS 11.4 within days, I’ll be shocked. (In other words: the vulnerability will likely be eliminated before anyone has time to exploit it.)
As the EFAIL researchers point out, although the developers of apps like Apple Mail, Thunderbird, and GPGTools can and should fix a variety of vulnerabilities, a complete and permanent fix requires changes to the S/MIME and OpenPGP standards, which will take longer. Even so, I fully expect the problem to resolve itself before it has any meaningful real-world effect.
What You Can Do Now
Long story short, flipping one switch is probably adequate.
If you are using Apple Mail on a Mac, and are actively using S/MIME or OpenPGP, the quickest and easiest way to immunize yourself against the most likely forms of this attack is simply to uncheck one box:
- Go to Mail > Preferences > Viewing.
- Uncheck “Load remote content in messages.”
- Close the Preferences window.
(I already had this unchecked in my copy of Mail, and have long recommended that other people do so too, because loading images from HTML messages is often used for tracking, and although some of this tracking is entirely benign, I prefer a little more privacy than the default.)
The Electronic Frontier Foundation (EFF) recommends going further—removing the GPGMail plugin (if you use it) to prevent Mail from decrypting messages automatically at all. But I agree with the GPGTools developers that this step is entirely unnecessary.
On an iOS device, do this:
- Go to Settings > Mail.
- Turn “Load Remote Images” off.
And that’s it.
A Few Last Remarks
In the paper that kicked off this whole crisis, the researchers included tables detailing which of the tested clients, on various platforms, are vulnerable to each of several variations on this attack. Interestingly, Canary Mail for iOS, an OpenPGP client I mention in my book, is not vulnerable. (The researchers didn’t test the Mac version, but I assume it’s also safe.) So, if you rely on OpenPGP-encrypted email on a Mac or iOS device, switching (even temporarily) to this client might be something to consider.
Finally, and I’ve said this many times in many books, keep your software up to date. All these fixes that developers are working on do you no good if you don’t install them. So please, keep up with system updates and security fixes for macOS and iOS, and make sure your third-party apps are also up to date.
If any significant new developments arise, I’ll update this article accordingly.
Update 2 (June 9, 2018): On June 4, GPG Suite from GPGTools was updated to version 2018.02, with mitigations for EFAIL. Apple also says that macOS 10.13.5 (released on June 1) addresses S/MIME vulnerabilities, although testing by the GPGTools developers indicates that Mail remains vulnerable to some EFAIL-related exploits.
Update 1 (May 31, 2018): Contrary to my expectations, neither Apple nor GPGTools has yet delivered an update to address this problem. I still expect fixes soon, but they didn’t happen as soon as they should have. In addition, one researcher has published a proof of concept exploit that could theoretically put your email at risk even if you disable the loading of remote images as described above. (And in any case, I should note that any mitigations you undertake on your own devices won’t help if your correspondents’ devices are compromised.) Even so, I have yet to hear of any real-world attacks involving the EFAIL vulnerability, and I still believe the sky is not falling. But I sure wish the security folks at Apple and elsewhere would kick their bug-fixing into high gear.