Does Inky use encryption?
Yes. Inky communicates with servers using the Internet standard encrypted communication methods collectively known as SSL or TLS. Inky will always negotiate the most secure connection offered by the remote server, and will only connect to servers that offer encryption. At a very high level, Inky uses cryptography and other techniques suitable for use with classified data.
Inky requires SSL 3.0 or better with at least a 1024-bit key, and allows only AES, 3DES, and RC4 ciphers. Inky won’t connect to a server unless it can meet these minimum standards. Inky prefers TLS 1.2 and the ECDHE-RSA-AES256-GCM-SHA384 ciphersuite, and will always use this if the server supports it. Unfortunately, some servers still require antiquated ciphers (RC4) and key sizes (1024 bits), and Inky allows these for now, but we will likely stop supporting them in the near future.
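The policy above, written as a checker you could run over what your mail servers actually negotiate, to see which would be refused and which depend on the legacy allowances. This is an added example, not Inky's code: the function names and sample hosts are constructed, and reading "1024-bit key" as the server's public-key size and ranking TLS 1.3 above TLS 1.2 are assumptions.

```python
# Added example; audit(), bulk_cipher() and the constants are illustrative names.
# TLS 1.3 is not mentioned on the page; ranking it above 1.2 is an assumption.
PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2,
                 "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}
PREFERRED = ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384")
MIN_KEY_BITS = 1024  # assumed to mean the server's public-key size

def bulk_cipher(suite):
    """Return the bulk cipher family in an OpenSSL-style suite name, or None."""
    parts = suite.upper().replace("_", "-").split("-")
    for i, part in enumerate(parts):
        if part.startswith("AES"):
            return "AES"
        if part == "RC4":
            return "RC4"
        # OpenSSL spells 3DES as DES-CBC3; plain DES-CBC is single DES.
        if part == "DES" and parts[i + 1:i + 2] == ["CBC3"]:
            return "3DES"
    return None

def audit(protocol, suite, key_bits):
    """Classify one negotiated connection: refuse, legacy, ok or preferred."""
    rank = PROTOCOL_RANK.get(protocol)
    family = bulk_cipher(suite)
    if rank is None or rank < PROTOCOL_RANK["SSLv3"]:
        return "refuse", f"protocol {protocol} is unknown or below SSL 3.0"
    if key_bits < MIN_KEY_BITS:
        return "refuse", f"{key_bits}-bit key is below {MIN_KEY_BITS}"
    if family is None:
        return "refuse", f"{suite} is not an AES, 3DES or RC4 suite"
    if family == "RC4" or key_bits == MIN_KEY_BITS:
        return "legacy", "RC4 or a 1024-bit key: support likely to be dropped"
    if (protocol, suite.upper()) == PREFERRED:
        return "preferred", "TLS 1.2 with the preferred ciphersuite"
    return "ok", f"{family} over {protocol}"

# Constructed sample: (host, protocol, suite, server key bits).
SAMPLE = [
    ("imap.a.example", "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", 2048),
    ("imap.b.example", "TLSv1", "RC4-SHA", 2048),
    ("imap.c.example", "TLSv1", "DES-CBC3-SHA", 1024),
    ("imap.d.example", "SSLv2", "DES-CBC3-MD5", 2048),
    ("imap.e.example", "TLSv1.1", "CAMELLIA256-SHA", 2048),
    ("imap.f.example", "TLSv1", "AES128-SHA", 512),
]

if __name__ == "__main__":
    for host, proto, suite, bits in SAMPLE:
        verdict, why = audit(proto, suite, bits)
        print(f"{host:16} {verdict:9} {why}")
```

Servers reported as `legacy` are the ones that would stop working once RC4 and 1024-bit keys are no longer accepted.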
Inky validates standard X.509 server certificates and will warn you if you connect to a server whose certificate does not validate or has been revoked. When you first add an account to Inky, it may prompt you to “allow” the remote server; when you do this, you are implicitly allowing that server’s X.509 certificate. However, if the certificate changes at some time in the future, and no longer validates, then Inky will refuse to connect until you explicitly allow the new certificate. This protects you against someone setting up a new server that pretends to be your mail host’s server.
Inky checks certificate revocation using standard Certificate Revocation List (CRL) distribution points. Inky also checks revocation using OCSP servers and via OCSP Stapling.
If you have specific cryptographic policy requirements, or require S/MIME or NIAP/FIPS certifications, Inky can meet your needs: please contact us directly via firstname.lastname@example.org.