Use Apple Mail more effectively! Email expert Joe Kissell explains what’s new with Mail in Mojave (or High Sierra) and iOS 12 or iOS 11, and how to best set up your Gmail, iCloud, IMAP, and Exchange accounts, He then shows you how to take Mail to the next level with plugins and automation, manage your incoming email, customize Mail, and solve common problems.
All Take Control books are delivered in three ebook formats—PDF, EPUB, and Mobipocket (Kindle)—and can be read on nearly any device.
You can work more effectively in Apple Mail with expert advice from Joe Kissell. You’ll learn how to make Mail serve your needs with essential setup, usage, and troubleshooting instructions, whether you use Gmail, iCloud, Exchange, IMAP, or POP—or more than one account—on your Mac running 10.14 Mojave (or 10.13 High Sierra), or on your iPad, iPhone, or iPod touch running iOS 12 or iOS 11.
Joe explains core concepts like special IMAP mailboxes and email archiving, reveals Mail’s hidden interface elements and gestures, and helps with common tasks like addressing and adding attachments. He also offers tips on customizing Mail, including a nifty chapter on how simple plugins and special automation can dramatically improve the way you use Mail. Joe also covers finding that message in the haystack with Mail’s natural language search, improving the messages you send, how digital signatures and encryption work in Mail, and—perhaps most important—an award-winning strategy for avoiding email overload.
You’ll quickly find the information that’s most important to you, including:
Key changes in Mail for Mojave and iOS 12
Getting through your email faster with gestures
Using advanced search techniques to find filed messages
Using plugins to significantly enhance how you use Mail (including significant changes to plugin behavior in Mojave)
The whys and hows of sending attachments
Using markup features to embellish, and even sign, outgoing attachments
Defeating spam with the Junk Mail filter—and what to do if you need more firepower
Understanding special mailboxes like Sent, Drafts, and Junk
Using notifications to stay apprised of incoming messages
Taking charge of email organization with rules and other measures
Backing up and restoring email
Importing email from other apps, older versions of Mail, or another Mac
Deciding whether you should encrypt your email, along with detailed, real-world steps for signing and encrypting messages
Taking Mail to the next level with AppleScript and Automator
18 things everyone should know about Mail in iOS
Fixing problems: receiving, sending, logging in, bad mailboxes, and more
Although this book primarily covers the Mojave and High Sierra versions of Mail, nearly all of it is also applicable to the Sierra version.
Take Control publisher Joe Kissell has written more than 60 books about technology, including many popular Take Control books. He also runs Interesting Thing of the Day and is a contributing editor of TidBITS and a senior contributor to Macworld.
Version 4.1 is a relatively minor update that covers what’s new in Mail in macOS 10.14 Mojave and iOS 12. In particular, the following topics are either new or significantly revised:
Explained where to find the new preference for toggling Dark Mode in Mail
Added a Filing topic to explain how to move or copy messages, including the use of Mail’s suggested mailboxes
Added a Continuity Camera topic describing how to add photos and scans from your iOS device to a Mail message
Included a tip about moving messages to Favorite folders using the keyboard
Provided more detail about showing messages from VIPs in all mailboxes or only from your inboxes
Thoroughly overhauled the third-party plugins discussion to cover the new ways of dealing with plugins in Mojave, and adjusted the list of noteworthy plugins to reflect current names and compatibility
Added a sidebar The Not-Junk Previous Recipient Problem to describe an old and confusing Mail behavior
Expanded the chapter on encryption to include a section about the EFAIL vulnerability
Mentioned the new color picker in Markup for iOS 12
The fourth edition (version 4.0) brought the book up to date with the numerous changes in Mail running under macOS 10.13 High Sierra (or 10.12 Sierra) and iOS 11. Along with hundreds of small changes in the book, major revisions included:
Added detail to the “Master Mail Concepts” chapter:
Updated the discussion of gestures to cover the Magic Mouse
Explained new behaviors and options in full-screen mode
Updated the description of addressing email to explain the new way Mail chooses From addresses
Updated the descriptions of Markup (for macOS Mail) and Handoff (cross-platform) to reflect their current capabilities
In the “Customize Mail” chapter, added new topics on tabbed windows and message filters
Revamped the coverage of third-party plugins to remove plugins that are no longer available (or just not very useful anymore) and add Mailbutler and Universal Mailer
Compressed and modernized the chapter “Use Gmail with Mail”
Made a variety of updates in the “Find Your Messages” chapter, including a new sidebar about top hits, and descriptions of Mail’s current behavior with automatic tokens and search terms in quotation marks
Developed the “Take Control of Your Inbox” chapter more fully:
Updated the description of how Mail handles spam
Greatly expanded coverage of backing up and restoring email
Added a new topic about how to import email from another app, including a sidebar about moving from another Mac
Enhanced the “Become a Better Correspondent” chapter:
Added a tip about backing out of bulleted or numbered lists
Added instructions for avoiding inline attachments if that’s your preference
Updated instructions for sending attachments in iOS to mention Mail Drop
Made a number of improvements to the chapter “Sign and Encrypt Messages,” including a new sidebar about ProtonMail
Updated procedures and removed outdated advice in the chapter “Fix Mail Problems,” and added a new topic about dealing with recovered messages
Made big improvements to the “Use Mail in iOS” chapter, including:
Updated the discussion of iOS Mail vs. macOS Mail to reflect the current truth, and added a sidebar about three-pane view for users of the 12.9-inch iPad Pro
Expanded the topic formerly called “15 Things Every iOS Mail User Should Know” to “18 Things Every iOS Mail User Should Know” by adding “Add an Inline Drawing,” “Use Drag and Drop,” and “Leave a Mailing List”; also updated the remaining 15 things, with especially important modifications in “Change Account Settings,” “Handle Attachments,” and “Manage Notifications,” plus new sidebars about 3D Touch gestures and suggested destinations
Do you have any books about older versions of Apple Mail?
Yes. After you download this ebook, you can follow its Ebook Extras link to download the first, second, or third edition of the book (look in the Blog) about earlier versions of Mail.
It’s been a while since the previous edition of Take Control of Apple Mail was published, so I had a lot to catch up on in my interview with Chuck Joiner on MacVoices. I’m not exactly a green rage monster this time, but there are a number of things about Mail I’m…less than happy about. If you feel the same way, I hope you find this interview therapeutic.
Note: Please see the end of this article for updates.
Just hours before the scheduled release of Take Control of Apple Mail, Fourth Edition, my Twitter feed started blowing up with Urgent! Breathless! Warnings! about a newly discovered vulnerability that affects email messages encrypted with S/MIME or OpenPGP, about which I have a whole chapter in my book (“Sign and Encrypt Messages”). And my first thought was, oh, great, my book needs revising before it’s even out. I’ve now examined the original report that prompted the warnings and have a better understanding of the situation, which I’d like to share with you here, and which I plan to update as new facts emerge. Let me start with this, however:
The sky is not falling.
Yes, there is a problem, but (a) the odds that you will encounter it, even if you regularly use email encryption—and most people don’t—are incredibly small; (b) there are easy temporary workarounds; and (c) it is being fixed even as I type these words.
Let’s go over the details.
A team of European researchers found a vulnerability that they’ve dubbed EFAIL. That site summarizes the issue; their complete technical paper (PDF) is here. The very short version of the problem is that there is a technique that an attacker could potentially use to cause your email client to send the decrypted contents of an encrypted message to outside parties. This technique exploits a combination of weaknesses in two encryption standards, design flaws in certain modern email clients (Apple Mail among them, on both macOS and iOS), and less-than-ideal default settings. It works only when you receive and open a message that contains a hidden copy of encrypted email you’ve already sent or received—meaning you are almost certainly being targeted directly. And it affects both of the most common encryption methods—S/MIME (built into most email clients) and OpenPGP (used by GnuPG and other software).
In order for this exploit to work, the attacker must already have encrypted messages sent to or from you. (There are numerous ways these could be obtained, but all of them require the extra, and sometimes quite challenging, step of first hacking into your email in some way.) Once that’s done, the attacker takes the encrypted contents of one or more of these messages and hides it in a new, specially crafted, encrypted message sent to one of the original senders or recipients (and, presumably, made to look as though it comes from a trusted source). When the victim opens this message, their email client decrypts it and sends the attacker the plaintext contents of the encrypted message(s) hidden within it. So, this doesn’t give the attacker the ability to freely read all your encrypted email, only those specific messages sent to you or the other party in the email transaction in this sneaky way.
Why You Probably Don’t Have to Worry
EFAIL almost certainly won’t affect you, even if you take no action. Here’s why:
Very few people encrypt their email anyway. If you’re not using S/MIME or OpenPGP—and believe me, you’d know it if you were—there’s just nothing to see here.
I have seen no evidence, or even hints, that this exploit is being used, or has ever been used, in the wild. As far as I know, only the researchers who discovered the technique have actually tried it. (Obviously, that could change in hours or days, but it’s not like the bad guys have been actively using this already.) And remember, even if or when it does get out into the wild, an attacker can’t use this on you without first obtaining the existing encrypted email messages from your account that they want the contents of. That’s a nontrivial extra step.
The companies that make the affected email clients and third-party software are working on fixes right now. For example, the team that makes GPGTools has already tweeted that a mitigation is imminent, in GPGTools 2018.2, and that there’s an easy workaround in the meantime (about which, read on). And if Apple doesn’t address this in macOS 10.3.5 and iOS 11.4 within days, I’ll be shocked. (In other words: the vulnerability will likely be eliminated before anyone has time to exploit it.)
As the EFAIL researchers point out, although the developers of apps like Apple Mail, Thunderbird, and GPGTools can and should fix a variety of vulnerabilities, a complete and permanent fix requires changes to the S/MIME and OpenPGP standards, which will take longer. Even so, I fully expect the problem to resolve itself before it has any meaningful real-world effect.
What You Can Do Now
Long story short, flipping one switch is probably adequate.
If you are using Apple Mail on a Mac, and are actively using S/MIME or OpenPGP, the quickest and easiest way to immunize yourself against the most likely forms of this attack is simply to uncheck one box:
Go to Mail > Preferences > Viewing.
Uncheck “Load remote content in messages.”
Close the Preferences window.
(I already had this unchecked in my copy of Mail, and have long recommended that other people do so too, because loading images from HTML messages is often used for tracking, and although some of this tracking is entirely benign, I prefer a little more privacy than the default.)
The Electronic Frontier Foundation (EFF) recommends going further—removing the GPGMail plugin (if you use it) to prevent Mail from decrypting messages automatically at all. But I agree with the GPGTools developers that this step is entirely unnecessary.
On an iOS device, do this:
Go to Settings > Mail.
Turn “Load Remote Images” off.
And that’s it.
A Few Last Remarks
In the paper that kicked off this whole crisis, the researchers included tables detailing which of the tested clients, on various platforms, are vulnerable to each of several variations on this attack. Interestingly, Canary Mail for iOS, an OpenPGP client I mention in my book, is not vulnerable. (The researchers didn’t test the Mac version, but I assume it’s also safe.) So, if you rely on OpenPGP-encrypted email on a Mac or iOS device, switching (even temporarily) to this client might be something to consider.
Finally, and I’ve said this many times in many books, keep your software up to date. All these fixes that developers are working on do you no good if you don’t install them. So please, keep up with system updates and security fixes for macOS and iOS, and make sure your third-party apps are also up to date.
If any significant new developments arise, I’ll update this article accordingly.
Update 2 (June 9, 2018): On June 4, GPG Suite from GPGTools was updated to version 2018.02, with mitigations for EFAIL. Apple also says that macOS 10.13.5 (released on June 1) addresses S/MIME vulnerabilities, although testing by the GPGTools developers indicates that Mail remains vulnerable to some EFAIL-related exploits.
Update 1 (May 31, 2018): Contrary to my expectations, neither Apple nor GPGTools has yet delivered an update to address this problem. I still expect fixes soon, but they didn’t happen as soon as they should have. In addition, one researcher has published a proof of concept exploit that could theoretically put your email at risk even if you disable the loading of remote images as described above. (And in any case, I should note that any mitigations you undertake on your own devices won’t help if your correspondents’ devices are compromised.) Even so, I have yet to hear of any real-world attacks involving the EFAIL vulnerability, and I still believe the sky is not falling. But I sure wish the security folks at Apple and elsewhere would kick their bug-fixing into high gear.
January 6, 2020—We hope to release an update to this book to cover changes in Catalina and iOS 13/iPadOS 13 in the first half of 2020.