Please let me suggest a different design pattern (This is what PayPal and other sophisticated sites use).
When you have a message for me, use the current DATETIME, my client id, and the message content and make up a message digest using md5(). Store my message and the md5() string in your data base.
Send me a plain-text email with a link to the message-reader script. The script has the md5() key in the URL and it is only available behind HTTPS.
The script requires my client ID and password and validates these. Then when I am authenticated it shows the message over the HTTPS web page.
In this design pattern you have essentially no risk of interception of the email -- anyone who sniffs it would still need to know the UID and Password. And since you present the message over HTTPS, you do not need to encrypt anything, and your client does not need to decrypt anything - it is all automatic. You could even use advanced HTML styling to make your message look nice!
Does that make sense for your app?
Best, ~Ray
