ProtonMail provides built-in PGP support for encrypting emails, but the experience differs significantly when communicating with ProtonMail users versus external recipients using other email providers. This guide covers the technical details developers and power users need to send encrypted emails from ProtonMail to non-ProtonMail recipients.

Table of Contents

• Prerequisites
• Troubleshooting Common Issues
• Advanced - Programmatic Integration
• Security Considerations

Prerequisites

Before you begin, make sure you have the following ready:

• A computer running macOS, Linux, or Windows
• Terminal or command-line access
• Administrator or sudo privileges (for system-level changes)
• A stable internet connection for downloading tools

Step 1 - Understand ProtonMail’s PGP Architecture

ProtonMail implements PGP encryption at the server level, which means your private keys never leave ProtonMail’s encrypted storage. When both sender and recipient use ProtonMail, encryption happens automatically and transparently. However, when sending to external addresses, you need to handle key management manually.

ProtonMail supports two methods for external recipient encryption:

1. Address Book PGP Keys: Store recipient public keys in your ProtonMail address book
2. Manual Encryption: Copy and paste public keys for each message

Understanding why ProtonMail’s approach differs from traditional PGP clients is helpful context. In a standard desktop PGP setup, your key management happens entirely on your machine. GPG handles the keyring, encryption, and decryption locally. ProtonMail’s zero-knowledge architecture stores your private key encrypted with your account password, decrypting it only in your browser session. This means you get PGP’s security guarantees without managing key files directly, but it also means external key storage (WKD, keyservers, manual exchange) must happen through ProtonMail’s contact management interface.

Step 2 - Retrieve Your ProtonMail Public Key

Before sending encrypted emails to external recipients, ensure your public key is accessible. In ProtonMail:

1. Go to Settings → Keys → Public Keys
2. Find your primary key and click Export Public Key
3. Save the ASCII-armored block

You can also generate your public key URL for easy sharing:

https://api.protonmail.ch/pks/lookup?op=get&search=your-email@protonmail.com

This allows external users to retrieve your key programmatically:

gpg --keyserver hkps://api.protonmail.ch --search-keys your-email@protonmail.com
gpg --keyserver hkps://api.protonmail.ch --recv-keys KEY_ID

Step 3 - Obtaining Recipient Public Keys

External recipients must provide their PGP public keys. Several methods exist for key exchange:

Method 1 - Key Servers

Many users upload keys to public key servers:

gpg --keyserver keys.openpgp.org --search-keys recipient@example.com
gpg --keyserver keys.openpgp.org --recv-keys RECIPIENT_KEY_ID

Method 2 - Direct Request

For sensitive communications, request keys via a verified channel:

echo "Please send your PGP public key" | gpg --encrypt --armor \
  --recipient recipient@example.com --output request.asc

Method 3 - Manual Key Blocks

Recipients can export keys directly:

gpg --armor --export recipient@example.com > recipient-pubkey.asc

Method 4 - Web Key Directory (WKD)

WKD is a modern key discovery mechanism that lets mail servers advertise public keys at a well-known URL path. Many privacy-conscious email providers support it. To check if a recipient’s domain supports WKD:

Check WKD availability for recipient@example.com
curl https://example.com/.well-known/openpgpkey/hu/$(echo -n "recipient" | sha1sum | cut -d' ' -f1)

Or use gpg directly (gpg 2.2.12+ with WKD support)
gpg --locate-keys recipient@example.com

If WKD is supported, gpg --locate-keys automatically downloads and imports the key. This is the most reliable automated method for key discovery when keyserver publishing is not available.

Step 4 - Configure ProtonMail for External Encryption

Once you have the recipient’s public key, store it in ProtonMail:

1. Open Contacts in ProtonMail
2. Create or edit the contact
3. Navigate to the Encryption tab
4. Paste the public key in the designated field
5. Save the contact

When composing an email to this contact, ProtonMail automatically detects the stored key and offers encryption options.

Step 5 - Sending Encrypted Emails: Step-by-Step

Scenario - Sending to a Gmail User

Assume you need to send an encrypted message to developer@gmail.com who uses G Suite and has published their key.

Step 1 - Obtain the public key

gpg --keyserver keys.openpgp.org --search-keys developer@gmail.com
Note the key ID from the search results
gpg --keyserver keys.openpgp.org --recv-keys 0x1234567890ABCDEF

Step 2 - Export and save to ProtonMail

gpg --armor --export 0x1234567890ABCDEF

Copy the output and save it to the contact in ProtonMail.

Step 3 - Compose and encrypt

When composing your email:

• Enter the recipient address
• ProtonMail detects the stored key
• Select Encrypt before sending
• The email is encrypted using the recipient’s public key

The recipient receives an encrypted email. To decrypt, they need their corresponding private key and passphrase.

Step 6 - Technical Implementation Details

Key Verification

For security-critical communications, verify key fingerprints out-of-band:

gpg --fingerprint recipient@example.com
Compare the fingerprint via a trusted channel (phone, in-person)

Fingerprint verification prevents a man-in-the-middle attack where an adversary substitutes their own key for the recipient’s. The 40-character fingerprint uniquely identifies a key. if the fingerprint you retrieve from a keyserver matches what the recipient reads to you over the phone, you can be confident you have their authentic key.

Encryption Process

When ProtonMail encrypts for external recipients, it:

1. Generates a random session key
2. Encrypts the message body with the session key (AES-256)
3. Encrypts the session key with the recipient’s public key (RSA or ECIES)
4. Packages both into an encrypted MIME structure

You can verify this structure manually:

View encrypted message headers
Look for - Content-Type: application/pgp-encrypted
          Content-Type: application/octet-stream (encrypted payload)

Handling Attachments

ProtonMail encrypts attachments alongside the message body. The process:

Attachment → Compress → Encrypt (AES-256) → Embed in encrypted message

For additional security with large attachments, consider encrypting separately:

Encrypt file before attaching
gpg --symmetric --cipher-algo AES256 --output document.pdf.gpg document.pdf

Step 7 - Signing Emails for Authenticity

Encryption protects message confidentiality, but it does not prove the message came from you. Digital signatures address this. When you sign a message with your ProtonMail private key, the recipient can verify the signature using your public key. confirming the message was authored by the key holder and was not altered in transit.

ProtonMail signs outgoing messages automatically when sending to contacts with stored keys. For external recipients who want to verify signatures using GPG:

Recipient imports your ProtonMail public key
gpg --keyserver hkps://api.protonmail.ch --recv-keys YOUR_KEY_ID

Verify signature on received message saved as message.asc
gpg --verify message.asc

A successful verification output looks like:

gpg: Good signature from "Your Name <you@protonmail.com>"
Primary key fingerprint - XXXX XXXX XXXX XXXX XXXX

An “Unknown signature” result means the recipient has not yet imported your key. A “Bad signature” indicates the message was tampered with in transit.

Troubleshooting Common Issues

Key Not Found

If ProtonMail cannot find a recipient’s key:

• Verify the email address matches exactly
• Check if the key was uploaded to a different server
• Request the key directly from the recipient

Encryption Fails

Common causes:

1. Expired keys: Check key expiration with gpg --list-keys
2. Revoked keys: Verify key status on keyserver
3. Invalid format: Ensure proper ASCII-armor formatting

Check key validity
gpg --check-signatures recipient@example.com

Decryption Issues

Recipients may encounter problems if:

• Their private key is corrupted
• Passphrase is incorrect
• Key and message were not properly exchanged

Advanced - Programmatic Integration

For developers building automated systems:

import gnupg

gpg = gnupg.GPG(gnupghome='/path/to/gnupg/home')

Encrypt for external recipient
def encrypt_for_protonmail_recipient(message, recipient_key_path):
    with open(recipient_key_path, 'r') as key_file:
        recipient_key = key_file.read()

    # Import key first
    import_result = gpg.import_keys(recipient_key)
    key_id = import_result.fingerprints[0]

    # Encrypt
    encrypted = gpg.encrypt(
        message,
        recipients=[key_id],
        always_trust=True
    )

    return str(encrypted)

Security Considerations

When using PGP with external recipients:

• Key lifecycle: Regularly rotate keys (annually recommended)
• Trust model: Use web of trust or verify fingerprints personally
• Metadata: Remember that subject lines and headers remain unencrypted
• Forward secrecy: PGP does not provide forward secrecy; consider Signal for real-time messaging

The metadata limitation deserves particular attention in threat models involving surveillance. Even with strong encryption, your email provider and network observers can see who you correspond with, how frequently, and when. If communication metadata is itself sensitive. as it might be for journalists, lawyers, or activists. consider layering email encryption with additional operational security measures, such as using Tor to access ProtonMail’s .onion address (protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion), which hides your IP from ProtonMail’s own servers.

Frequently Asked Questions

How long does it take to use pgp encrypted email with protonmail to non?

For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.

What are the most common mistakes to avoid?

The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.

Do I need prior experience to follow this guide?

Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.

Is this approach secure enough for production?

The patterns shown here follow standard practices, but production deployments need additional hardening. Add rate limiting, input validation, proper secret management, and monitoring before going live. Consider a security review if your application handles sensitive user data.

Where can I get help if I run into issues?

Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.

Related Articles

• How To Set Up Pgp Encrypted Email In Thunderbird Step
• Protonmail Vpn Integration How Combining Email And Vpn
• Protonmail Vs Tutanota For Daily Email Use Honest Comparison
• ProtonMail Security Model Explained: A Technical Deep-Dive
• ProtonMail iOS Android App Review 2026
• AI Coding Assistant Session Data Lifecycle Built by theluckystrike. More at zovo.one