Secure E-Mail

email infrastructure

MX / SPF (after 20th of August 2021)

Type Data
preference: 20
ttl: 3600
SPF v=spf1 a mx ip4: ip4: ~al

Secure E-Mail Communication

With the Secure E-Mail System, Hamburg Commercial Bank is reacting to the increasing threats posed to e-mail communication via the Internet, thus allowing it to offer its customers and partners the possibility of exchanging confidential information securely.

An unencrypted e-mail is comparable with a postcard in terms of security: during its transmission via the Internet it can be read by third parties with relative ease, or have its contents manipulated. Furthermore, the sender details of an e-mail can be falsified without difficulty.

By utilising Secure E-Mail we make an important contribution to safeguarding the following three points in e-mail communication between Hamburg Commercial Bank and you:

confidentiality, authenticity and integrity

What is the meaning of confidentiality, authenticity and integrity in detail?

Every unencrypted e-mail is comparable to a postcard, which can be read by anyone while on its way to the recipient. It is important to be aware of the fact that “listening in” to the global data stream is possible today with basic software programmes. Any information contained in unprotected e-mails can be read by such software without any issue. Sensitive information can therefore land in the wrong hands under certain circumstances. Today, it is beyond doubt that certain organisations dedicate their professional operations to “listening in” and assessing e-mail correspondence.

The e-mail programme displays the sender. But did you also know that the sender information in e-mails can be manipulated very easily? This can also be done by individuals using very limited resources and without any training.

E-mails can be manipulated en route from the sender to the recipient, and with relatively little technical effort.

Guide and FAQ

Secure E-Mail – What are the options and what do I need?

Hamburg Commercial Bank offers its communications partners the following options for encrypted e-mail communication.

  1. Encryption set-up for all e-mail addresses in your domain
    In order to employ encrypted communication with us in future, we offer you the possibility of using encryption with your mail domain, or transmission encryption with standard encryption methods. This ensures that all e-mails exchanged between your e-mail gateway and Hamburg Commercial Bank are encrypted.

    In order to establish a shared set-up we require a technical contact person from your IT department and/or your IT provider.
  2. Individual encryption for your e-mail address only:
    We offer two alternatives for encrypted communication using a single e-mail address, which you can as a rule use straight after registering:
    1. Registering online in a protected WebMail portal
      You can use Hamburg Commercial Bank’s WebMail portal. This involves registering via your Internet browser on your PC or mobile device with your username and password, and having your own e-mail account for encrypted communication with Hamburg Commercial Bank.
    2. Encryption using own certificate or key
      In order to be able to use your own e-mail programme you require an S/MIME certificate or PGP key issued in your name and for your e-mail address.

      Should you have neither an S/MIME certificate nor a PGP key, we recommend requesting the issuance of an S/MIME certificate (minimum of class 2) through a certification body.

      Such a certificate is only ever issued for a specific person and e-mail address, and enables this person to conduct encrypted e-mail communication with any other communications partner, not just Hamburg Commercial Bank.

Secure E-Mail – how does the set-up/registration work?

  1. Encryption set-up for the e-mail addresses of your mail domain
    If you decide on encrypting all addresses within your mail domain, the set-up is done in coordination with your IT contact person / provider and the IT provider for Hamburg Commercial Bank.

    When setting up, your IT contact person can get in touch with our IT Service Center directly via the e-mail address, or you can notify your contact person at Hamburg Commercial Bank regarding the contact data of your contact person in IT.
  2. Encryption set-up for your e-mail address only:
    The necessary registration process is triggered by an encrypted e-mail, which is sent to you by an employee of Hamburg Commercial Bank.

    This e-mail is initially withheld by our e-mail encryption system, and instead a registration e-mail is sent. The original e-mail is then sent after successful registration.

    When you receive the registration e-mail, your e-mail programme may issue a warning, because the Hamburg Commercial Bank certificate contained in the e-mail is unknown to your system. Further details can be found in the following FAQ (last question).

    The registration e-mail received contains information regarding the registration process, and you can choose between the alternatives listed above:
    1. Registering online in a protected WebMail portal
      By choosing the WebMail portal solution, please note that the encrypted e-mails are not made available via your own personal inbox, but rather via the secure access WebPortal of Hamburg Commercial Bank.
    2. Encryption using own certificate or key
      If you are already using an S/MIME certificate, simply respond to the registration e-mail.

      If you already have a PGP key, please reply to the registration e-mail with your public PGP key attached.

      Should you require assistance regarding the potential provision of a registration password, please get in touch with our IT Infrastructure Team:

What do I need for encrypted e-mail communication with Hamburg Commercial Bank with my own e-mail programme?

Either an S/MIME certificate or a PGP key is required.

What should I do if I don't have a certificate or key?

Then you may use the Secure E-Mail WebPortal provided by Hamburg Commercial Bank. To do so, you require access to the Internet via an Internet browser.

What is the difference between encrypted e-mail communication using a certificate/key/designated domain encryption and the WebMail portal?

When using the WebMail portal the e-mail remains on Hamburg Commercial Bank’s server, and you authenticate yourself via your Internet browser with your username and password.

If a new e-mail lands in your inbox in the WebMail portal you will receive a notification e-mail from our e-mail encryption system, which contains a link allowing you to access the WebMail portal. File attachments can be stored from the WebMail portal on the local computer drive.

With e-mail encryption that uses a certificate, key or designated domain encryption you will always receive an e-mail and any attachments directly via the e-mail programme you are using. The encryption and decryption of messages takes place automatically between our e-mail system and your e-mail system.

What happens if I decide on using the WebMail portal, but later receive a certificate/key instead?

The WebMail portal affords you the opportunity to upload your certificate or your key.
From this moment in time, e-mails can no longer be accessed via the WebMail portal, but rather as encrypted e-mails in your e-mail programme.

If I have an S/MIME certificate or PGP key and send it to Secure E-Mail, will it then be used immediately?

As a rule, yes. A wide range of privacy settings for certificates have already been installed in our e-mail encryption system, so that many certificates being received are trusted directly. A manual check is conducted by Administration where this is not yet the case. This can be linked with a telephone-based matching of the digital fingerprint stored in the certificate or key. But don't worry: the procedure exists for security reasons, key owners are familiar with it, and it helps create trust.

My e-mail programme cannot verify a Hamburg Commercial Bank certificate, how can I solve this problem?

Please check the following points:

  1. Does your e-mail programme recognise and trust the Hamburg Commercial Bank root certificate? If this is not the case you can download and integrate the root certificate. When doing so you must verify the certificate’s trust setting.
  2. Does your e-mail programme require a Certificate Revocation List (CRL), in which up-to-date information is available regarding revoked Hamburg Commercial Bank certificates?
    In this case you can find the CRL at:

Root Certificate, Valid Certificates, Certificate Revocation List of Hamburg Commercial Bank

  1. Root certificate
    Comparing the so-called fingerprint serves to check the authenticity of the Hamburg Commercial Bank root certificate. Only when the fingerprint contained in the root certificate received is identical to the one stored can you assume its authenticity.

    Fingerprint root certificate Hamburg Commercial Bank: 5e 8e 84 61 d8 2c a0 72 80 0c 82 89 05 c7 06 b0 d7 f7 1d 88

    If the root certificate is not yet available in your e-mail programme, you can download the root certificate here.

    You must explicitly verify that you trust this certificate in your e-mail programme. Further instructions can be found on this page.
  2. Trustworthy certificates and accepted certificate issuers
    There are some certificate issuers for whom we have already explicitly expressed our trust.

    If you possess a certificate from one of these issuers, you may exchange secure e-mails with Hamburg Commercial Bank directly. If you use the certificate of another issuer, this must initially be examined by our Administration and must explicitly be deemed trustworthy.

    If you have any further questions, please contact our IT Infrastructure Team at
  3. Certificate Revocation List
    In order to increase the level of security and protection against misuse it may be necessary to block Hamburg Commercial Bank employee certificates. In order to ascertain the current status of the certificate, the Certificate Revocation List (CRL) is created and published on a daily basis. The current CRL can be found at:

    In order to use the CRL, please save and integrate it manually.
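
The fingerprint comparison described under "Root certificate" above, as an added example that is not part of the original page or Hamburg Commercial Bank's own tooling: it hashes a downloaded certificate file (PEM or DER) and compares the result with the published value before the certificate is trusted. The use of SHA-1 is an assumption inferred from the 20-byte length of the published fingerprint, and all function names are illustrative.

```python
import hashlib
import hmac
import ssl

# Fingerprint as published on this page: 20 bytes, the length of a SHA-1 digest.
PUBLISHED_FINGERPRINT = "5e 8e 84 61 d8 2c a0 72 80 0c 82 89 05 c7 06 b0 d7 f7 1d 88"

# Assumption: the page does not name the hash, so it is inferred from the length.
ALGO_BY_LENGTH = {20: "sha1", 32: "sha256"}


def parse_fingerprint(text):
    """Accept 'aa bb', 'AA:BB' or 'aabb' notation and return the raw bytes."""
    cleaned = "".join(ch for ch in text if ch not in " :\t\r\n")
    return bytes.fromhex(cleaned)  # ValueError on anything that is not hex


def to_der(cert_bytes):
    """Return DER bytes for a certificate file read as PEM or as DER."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(cert_bytes.decode("ascii"))
    return cert_bytes


def format_fingerprint(cert_bytes, algo="sha1"):
    """Fingerprint of the certificate in the page's 'aa bb cc' notation."""
    return hashlib.new(algo, to_der(cert_bytes)).digest().hex(" ")


def fingerprint_matches(cert_bytes, published):
    """True only if the certificate's digest equals the published fingerprint."""
    expected = parse_fingerprint(published)
    algo = ALGO_BY_LENGTH.get(len(expected))
    if algo is None:
        raise ValueError(f"unexpected fingerprint length: {len(expected)} bytes")
    actual = hashlib.new(algo, to_der(cert_bytes)).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed stand-in bytes, not the bank's certificate; in practice read
    # the downloaded file with open(path, "rb").read().
    sample = b"constructed placeholder bytes, not a real certificate"
    print("computed :", format_fingerprint(sample))
    print("published:", PUBLISHED_FINGERPRINT)
    print("trust it?", fingerprint_matches(sample, PUBLISHED_FINGERPRINT))
```

A mismatch means the downloaded file is not the certificate the fingerprint was published for and should not be given a trust setting.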

Contact persons

If you have any further questions, please contact our IT Infrastructure Team at