By default KMail will show HTML messages in plain text. If you prefer to view messages with HTML formatting and layout automatically, select this option. However, we recommend leaving this option off, as security problems with HTML might show up.

You can still easily view messages in HTML format by clicking the plain message/HTML message toggle bar on the left hand side of the preview pane.

If checked, KMail can load external images, style sheets, etc. from the Internet when you view an HTML message. We strongly recommend that you leave this option off (although it has no effect until you enable HTML).

By adding external references to their messages, people sending spam can detect when you have looked at their message, your location, and a lot of other information that may get logged on web servers. Note that this option has no effect on Java™ or JavaScript, as these are not supported in KMail at all.

As email has become more popular, email scams have proliferated. Email scams may include emails made to appear as if they come from legitimate companies, even though they really link to malicious web sites requesting your personal information. This may lead to identity theft, and worse. By default KMail analyzes messages for common scams, and will inform you if a message is a suspected scam. We recommend that you keep this feature enabled. If you wish to disable these warnings, uncheck Informs if message reading is a suspected email scam.

If legitimate emails are being flagged, (e.g., from trusted friends), you can add their email addresses to the Whitelist: by clicking the Add... button and entering an address into the dialog that pops up. Please note that at this time, only complete email addresses can be whitelisted.

Select this option to force KMail to consult Google's database of suspected phishing web sites when URLs are embedded in a message, and to warn you whenever a match is found.

By default, KMail will automatically check URLs embedded in HTML messages, and warn you if any of them appear to be trying to track you.

By default, KMail will automatically attempt to decrypt encrypted messages when you view them. If you prefer to do this manually, unselect this option.

If checked, KMail automatically imports any attachments containing OpenPGP keys into your local keyring, and any attachments containing S/MIME keys into your local key box.

MDNs are a generalization of what is commonly called a “read receipt”. The message author requests a disposition notification to be sent, and the receiver's email program generates a reply from which the author can learn what happened to his message. Common disposition types include “displayed” (i.e., read), “deleted”, and “dispatched” (i.e., forwarded).

The following options (listed as Send policy) are available to control when KMail sends MDNs.

If you are unsure, experiment a while with Ask. Then, if you find KMail's questions annoying, switch to Ignore.

The following options (listed as Quote original message) are available to control how much of the original message KMail sends back with MDNs.

If unsure, leave this option set to the default value (nothing).

This option suppresses the sending of MDNs if the message is encrypted (partially or in whole). This thwarts attempts to use KMail's MDN feature as an oracle to deduce whether you were able to decrypt the message or not.

Strictly speaking, this option is not needed, since KMail sends MDNs whether the message could be successfully decrypted, or not (the disposition notification request resides in the unencrypted part of the message); but it gives the security-conscious user a choice: either to send them when requested (option unchecked), or never (option checked).

If unsure, leave this option checked (the default value).

If checked, the Options → Sign Message option in the composer will default to on.

However, you can still switch it on and off on a per-message basis.

If checked, any message that is encrypted to the recipients will additionally be encrypted to yourself.

If checked, messages are stored in your sent-mail folder just as you sent them (i.e. if they were encrypted, they are also stored that way).

If unchecked, messages will always be stored unencrypted in your sent-mail folder, even if they are sent encrypted.

If checked, every time you encrypt a message, a dialog will appear that presents you with the encryption keys that will be used for each recipient. You may then review the choice of keys, change them, and approve or cancel the encryption operation. We recommend to keep this option checked, since it makes the encryption process more transparent.

Also called “opportunistic encryption”. If checked, KMail will try to match recipients to (OpenPGP or S/MIME) keys even when you did not specifically request encryption. If usable keys are found for all recipients, KMail will ask whether or not you want to encrypt the message.

It is highly recommended to turn this on, as it makes encryption really easy to use.

If checked, KMail will not attempt to sign and/or encrypt messages that are merely saved to the drafts folder. This is more convenient, and does not result in a gross loss of security, provided the drafts folder is safe. IMAP users might want this option turned off, if their drafts folder is on the server.

If checked, KMail will show a warning if for whatever reason a message would be sent without being digitally signed.

If checked, KMail will show a warning if for whatever reason a message would be sent without being encrypted.

If checked, KMail will warn when an S/MIME certificate or OpenPGP key is used which will expire soon.

The period in which to warn before key/certificate expiration can then be configured separately for signing and encryption keys, as well as (in the case of S/MIME), for end-user certificates, intermediate CA certificates and root certificates.

Click on this button to open an extensive dialog which configures the interactions between KMail and GPG, the Gnu Privacy Guard program. GPG is too complex to document here. For details you should refer to The GNU Privacy Handbook. Unless you're an encryption expert, you probably ought to accept the default settings here.

Apart from the main warnings described above, there are many warning and informational messages, each containing an option not to show them again. If you would like to re-enable these messages after suppressing them, you can achieve that by pressing this button. ^[4]

If checked, S/MIME certificates are validated using Certificate Revocation Lists (CRLs). This is the default configuration option.

If this option is selected, S/MIME certificates are validated using the Online Certificates Status Protocol (OCSP).

Enter the address of the server for online validation of certificates. This URL usually starts with https://.

Select or change and enter the S/MIME key to use.

Check this option to skip online validation using the OCSP. This option requires dirmngr >= 0.9.0.

By default, GnuPG uses the file ~/.gnupg/policies.txt to check if a certificate policy is allowed. If this option is selected, such policies are not checked.

If this option is checked, Certificate Revocation Lists are never used to validate S/MIME certificates.

Check this option if you want the missing issuer certificates to be fetched when necessary. This applies to both validation methods, CRLs and OCSP.

Entirely disables the use of HTTP for S/MIME.

When looking for the location of a CRL, the “to-be-tested” certificate usually contains what are known as CRL Distribution Point (DP) entries, which are URLs describing the way to access the URL. The first found DP entry is used. With this option all entries using the HTTP scheme are ignored when looking for a suitable DP.

If this option is selected, the value of the HTTP proxy shown on the right (which comes from the environment variable http_proxy) will be used for any HTTP request.

Enter the location of your HTTP Proxy here, which will be used for all HTTP requests relating to S/MIME. The syntax is “host:port”, for example, myproxy.nowhere.com:3128.

Entirely disables the use of LDAP for S/MIME.

When looking for the location of a CRL, the “to-be-tested” certificate usually contains what are known as CRL Distribution Point (DP) entries, which are URLs describing the way to access the URL. The first found DP entry is used. With this option all entries using the LDAP scheme are ignored when looking for a suitable DP.

Entering a LDAP server here will make all LDAP requests go to that server first. More precisely, this setting overrides any specified host and port part in a LDAP URL and will also be used if host and port have been omitted from the URL. Other LDAP servers will be used only if the connection to the proxy failed. The syntax is HOST or HOST:PORT. If PORT is omitted, “port 389” (standard LDAP port) is used.