diff --git a/CHANGELOG b/CHANGELOG
index 88da40ce2..dfdc63500 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -57,6 +57,7 @@ RELEASE 1.4.4
 - Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
 - Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
 - Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
+- Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
 
 RELEASE 1.4.3
 -------------
diff --git a/program/js/app.js b/program/js/app.js
index 09365ebea..c27555d8b 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -4015,7 +4015,7 @@ function rcube_webmail()
       ref.display_message(error.message, 'error');
     };
 
-    mailvelope.createDisplayContainer(selector, data, keyring, { showExternalContent: this.env.safemode }).then(function(status) {
+    mailvelope.createDisplayContainer(selector, data, keyring, { senderAddress: this.env.sender }).then(function(status) {
       if (status.error && status.error.message) {
         return error_handler(status.error);
       }