Skip to main content
This is a pre-production deployment of Warehouse. Changes made here affect the production instance of PyPI (
Help us improve Python packaging - Donate today!

A Django email backend that encrypts outgoing mail with S/MIME.

Project Description

A Django email backend that encrypts outgoing mail with S/MIME.


It automatically encrypts messages to recipients for whom certificates are available, falling back to cleartext for any recipients that don’t have certificates on file.

Add certificates for the addresses in settings.ADMINS and you can relax (a little) about emailing notifications, Django error reports, or other potentially sensitive information.

It supports multiple certificates per recipient address, so you can define ADMINS as an alias, configure each recipient’s address and certificate and they’ll all be able to read the messages.

If a private key is associated with a sending address, messages from that sender will also be signed.


You can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.

To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.

See the file COPYING for the full text of the CC0 Public Domain Dedication, also available at:


pip install django-djembe


  1. Add djembe to your INSTALLED_APPS setting.

  2. Create its model tables with migrate djembe.

  3. To use it as your default email backend, add this setting:

    EMAIL_BACKEND = 'djembe.backends.EncryptingSMTPBackend'
  4. To use a cipher other than the default AES-256, specify it in settings.DJEMBE_CIPHER:

    DJEMBE_CIPHER = 'des_ede3_cbc'  # triple DES

    The intersection of M2Crypto’s ciphers and RFC 3851 are:

    • des_ede3_cbc (required by the RFC)
    • aes_128_cbc (recommended, not required, by the RFC)
    • aes_192_cbc (recommended, not required, by the RFC)
    • aes_256_cbc (recommended, not required, by the RFC)
    • rc2_40_cbc (RFC requires support, but it’s weak – don’t use it)

    RFC 5751 requires AES-128, and indicates that higher key lengths are of course the future. It marks tripleDES with “SHOULD-“, meaning it’s on its way out.

    The following mail clients have worked fine with AES-256 in my testing.

    • 6.2 (Mac)
    • Thunderbird 17 (Mac, Linux)
    • Windows Live Mail (Windows 7)

    I’d recommend you try the default and fall back to 3DES if necessary.

  5. Use the Django admin to add recipients that should receive encrypted mail.

    The simplest case is an Identity with a certificate. Any mail sent to that Identity will be encrypted.

    To create signing Identities, supply both a certificate and a private key – which must not have a passphrase, obviously. Any mail sent from the Identity’s address will be signed with the private key.

    You can create multiple Identity records with the same address, but different certificates. This is how you encrypt mail to an alias or mailing list.


The project is on Github. If you find a bug or have a feature request, please add an issue there. Patches or pull requests are of course welcome, too. I won’t even make you add tests; just make sure you don’t break what’s already there – you can check by running python test in your working copy.

Release History

This version
History Node


History Node


Download Files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

File Name & Hash SHA256 Hash Help Version File Type Upload Date
(15.4 kB) Copy SHA256 Hash SHA256
Source Jan 27, 2015

Supported By

WebFaction WebFaction Technical Writing Elastic Elastic Search Pingdom Pingdom Monitoring Dyn Dyn DNS Sentry Sentry Error Logging CloudAMQP CloudAMQP RabbitMQ Heroku Heroku PaaS Kabu Creative Kabu Creative UX & Design Fastly Fastly CDN DigiCert DigiCert EV Certificate Rackspace Rackspace Cloud Servers DreamHost DreamHost Log Hosting