Sending encrypted email from the command line traditionally means piping through gpg, manually managing keyrings, and building PGP/MIME messages by hand. Most developers skip it because the tooling friction isn't worth it for a quick message.
Nylas CLI has built-in GPG support. Sign, encrypt, or both — with a single flag. It auto-fetches recipient keys from keyservers, handles RFC 3156 PGP/MIME formatting, and works with Gmail, Outlook, Exchange, Yahoo, iCloud, and IMAP.
Prerequisites
You need GPG installed and a keypair generated:
# Install GPG (if not already present)
# macOS
brew install gnupg
# Ubuntu/Debian
sudo apt install gnupg
# Generate a key if you don't have one
gpg --full-generate-key
And Nylas CLI installed and authenticated:
brew install nylas/nylas-cli/nylas
nylas auth login
Full setup: Getting Started with Nylas CLI
Sign an email
Digital signatures prove the email came from you and wasn't tampered with in transit:
nylas email send \
--to "colleague@company.com" \
--subject "Signed release notes" \
--body "v2.1.0 is ready for deployment." \
--sign
The CLI finds your default GPG key, signs the message, and sends it as a PGP/MIME signed message. Recipients with GPG can verify the signature automatically.
Encrypt an email
End-to-end encryption means only the recipient can read the message:
nylas email send \
--to "legal@partner.com" \
--subject "Contract terms" \
--body "See the updated terms in the attachment." \
--encrypt
The CLI fetches the recipient's public key from keyservers (keys.openpgp.org, keyserver.ubuntu.com) automatically. No manual key import needed.
Sign and encrypt
For maximum security — authenticate the sender AND protect the content:
nylas email send \
--to "legal@partner.com" \
--subject "Confidential: Merger documents" \
--body "Encrypted and signed. Please verify signature." \
--sign --encrypt
Verify incoming signed emails
# Read a message and verify its GPG signature
nylas email read msg_abc123 --verify
# Output shows verification status
# => ✓ Good signature from "Alice Smith <alice@company.com>"
# => Key: 4096R/0xABCD1234 (expires 2027-01-01)
Decrypt incoming encrypted emails
# Decrypt and display an encrypted message
nylas email read msg_xyz789 --decrypt
# Requires your private key to be in your GPG keyring
Key management
# List keys in your keyring
gpg --list-keys
# Import a colleague's public key
gpg --keyserver keys.openpgp.org --recv-keys 0xABCD1234
# Export your public key for sharing
gpg --armor --export you@company.com > my-public-key.asc
The CLI auto-fetches keys when you use --encrypt, but you can pre-import keys for faster sends.
Encrypted email with attachments
nylas email send \
--to "legal@partner.com" \
--subject "Contract v3" \
--body "Latest revision attached." \
--attach "contract-v3.pdf" \
--sign --encrypt
The attachment is encrypted along with the message body inside the PGP/MIME envelope.
When to use GPG email
| Scenario | Sign | Encrypt | Both |
|---|---|---|---|
| Release announcements | Yes | No | No |
| Code review comments | Optional | No | No |
| Legal documents | Yes | Yes | Yes |
| Security incident reports | Yes | Yes | Yes |
| API key sharing | No | Yes | Yes |
| Compliance communications | Yes | Optional | Yes |
Automation: sign all outgoing email
For compliance workflows where every message must be signed:
# Wrapper script: signed-send.sh
#!/bin/bash
nylas email send "$@" --sign --yes
For credential management and API key rotation in automated workflows, see Secure Email Handling for CLI.
Verify email deliverability
Signed emails can trigger spam filters if SPF, DKIM, and DMARC aren't configured correctly. Debug delivery issues:
# Check SPF records
dig TXT company.com | grep spf
# Verify DKIM
dig TXT selector._domainkey.company.com
Full guide: SPF, DKIM, DMARC: Debug Email Deliverability
Works with any provider
GPG signing and encryption work across all Nylas CLI providers:
- Gmail (List Gmail Emails)
- Outlook (Send Outlook Email)
- Exchange (List Exchange Emails)
- Yahoo (Send Yahoo Email)
- iCloud (Send iCloud Email)
Compared to manual GPG + sendmail
| Task | GPG + sendmail | GPG + mutt | Nylas CLI |
|---|---|---|---|
| Sign email | 5+ commands | Config + command | --sign |
| Encrypt email | Manual key fetch + pipe | Config + command | --encrypt |
| Auto-fetch keys | No | No | Yes |
| PGP/MIME format | Manual | Built-in | Built-in |
| Multi-provider | SMTP only | IMAP/SMTP | OAuth (6 providers) |
| Read + verify | No | Yes | Yes |
For a full comparison of CLI email tools: Best CLI Email Tools Compared
Full guide with key management, batch operations, and compliance workflows: GPG Encrypted Email from the CLI
Related guides:
- Send Email from the Command Line
- Secure Email Handling for CLI
- AI Agent Audit Logs
- Replace Send-MailMessage in PowerShell
- Give Your AI Agent an Email Address
- Extract OTP Codes from Email
All guides: cli.nylas.com/guides
Top comments (0)