SSL decryption in Wireshark

As mentioned in the previous sections, all email protocols (SMTP, IMAP, and POP3) support SSL/TLS, where the payload is encrypted at the transport layer and is not readable in Wireshark. In order to decrypt it, we need the SSL key used by the client.

These are the steps to follow:

  1. Identify the SSL key used by the email client. Depending on the hardware and application, the procedure to get the SSL key may vary:
    • In macOS, go to Applications, then Utilities, and open Keychain Access. This lists all the certificates and keys for the different applications. Identify the right SSL key for the email client.
    • In Windows, open the Microsoft Management Console (MMC) and go to Certificates. This lists all the certificates for the different applications. Identify the right certificate and export it.
  2. Once the SSL key for the email client is identified, open Preferences in Wireshark and do the following:
    • Select SSL under Protocols.
    • Choose the SSL key in the highlighted field and click OK.
  3. The preceding process lets Wireshark use the SSL key to decrypt the messages and display the decrypted version of the packet capture.
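Wireshark can also be given the client's session secrets as a TLS key log file (the SSLKEYLOGFILE text format, one CLIENT_RANDOM line per session) instead of a private key. The following is an added example, not code from the book: it shows the lookup Wireshark performs before it can decrypt anything, matching the 32-byte Random from a captured ClientHello against the key log. The key log lines and the ClientHello record are constructed sample data, not from a real capture.

```python
"""Match a captured TLS ClientHello to a CLIENT_RANDOM entry in a key log."""
import struct

# Constructed sample key log (SSLKEYLOGFILE format): label, 32-byte client
# random in hex, 48-byte master secret in hex. Values are made up.
CR1, MS1 = "11" * 32, "aa" * 48
SAMPLE_KEYLOG = (
    "# constructed sample key log\n"
    f"CLIENT_RANDOM {CR1} {MS1}\n"
    f"CLIENT_RANDOM {'22' * 32} {'bb' * 48}\n"
)

def parse_keylog(text):
    """Return {client_random: master_secret} for CLIENT_RANDOM lines (TLS 1.2)."""
    secrets = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) != 3 or parts[0] != "CLIENT_RANDOM":
            continue  # comments, blank lines and TLS 1.3 labels are skipped
        secrets[bytes.fromhex(parts[1])] = bytes.fromhex(parts[2])
    return secrets

def client_random_from_record(record):
    """Extract the Random from a TLS record carrying a ClientHello, else None.
    Layout: record hdr type(1) ver(2) len(2) | handshake hdr type(1) len(3) |
    client_version(2) random(32) ..."""
    if len(record) < 5 + 4 + 2 + 32:
        return None
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22 or rlen > len(record) - 5:  # 22 = handshake content type
        return None
    if record[5] != 1:                          # 1 = ClientHello
        return None
    return record[11:43]

def build_client_hello(client_random):
    """Construct a minimal TLS 1.2 ClientHello record around the given Random."""
    body = (b"\x03\x03" + client_random + b"\x00"      # version, random, no session id
            + b"\x00\x02\x00\x2f"                     # one cipher suite
            + b"\x01\x00")                            # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def find_session_secret(record, keylog_text):
    """Master secret for the session that sent this ClientHello, or None."""
    rnd = client_random_from_record(record)
    return None if rnd is None else parse_keylog(keylog_text).get(rnd)
```

A session whose ClientHello random has no matching line stays encrypted in Wireshark; that is the first thing to check when decryption silently does nothing.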