Apple-focused shortcut
Need the easiest Apple-focused workflow?
Learn the concepts here, then use SMIME Toolkit to generate keys on-device, build the CSR, export a .p12 identity, and complete the manual Apple setup path.
If Apple Mail lets you sign messages but not encrypt them, the most likely explanation is not that Apple Mail forgot how S/MIME works. The more likely explanation is that one of encryption’s extra prerequisites is missing.
The first question to ask
Do you have the recipient’s public certificate?
That question solves more Apple Mail encryption mysteries than almost any other.
Why your own certificate is not enough
Your own S/MIME certificate helps with:
- signing your outbound mail
- identifying yourself in certificate-backed workflows
It does not automatically give you what you need to encrypt mail to someone else. Encryption requires the recipient’s public certificate so the message can be encrypted for that recipient.
Other reasons encryption may be unavailable
- the issuing chain is not trusted
- the certificate identity does not match the active account
- the imported identity is incomplete
- Apple Mail does not see a usable recipient certificate
What to do next
- confirm your own identity is usable for signing
- confirm recipient certificate availability
- confirm trust-chain status if private CA material is involved
- verify account identity alignment
Practical takeaway
If encryption is unavailable while signing works, focus on the recipient side of the trust model first. That is where the missing condition usually lives.
Apple-focused shortcut
Ready to move from theory to setup?
If you are working through S/MIME on iPhone or iPad, use the app-specific workflow and Apple guides next.