diff --git a/src/dc_receive_imf.rs b/src/dc_receive_imf.rs
index ceab5133a..3109d9bab 100644
--- a/src/dc_receive_imf.rs
+++ b/src/dc_receive_imf.rs
@@ -1679,6 +1679,11 @@ async fn check_verified_properties(
 
     ensure!(mimeparser.was_encrypted(), "This message is not encrypted.");
 
+    ensure!(
+        mimeparser.get(HeaderDef::ChatVerified).is_some(),
+        "Sender did not mark the message as protected."
+    );
+
     // ensure, the contact is verified
     // and the message is signed with a verified key of the sender.
     // this check is skipped for SELF as there is no proper SELF-peerstate
diff --git a/src/mimeparser.rs b/src/mimeparser.rs
index 42911a5bd..eddbf6f07 100644
--- a/src/mimeparser.rs
+++ b/src/mimeparser.rs
@@ -127,6 +127,7 @@ impl MimeMessage {
 
         // remove headers that are allowed _only_ in the encrypted part
         headers.remove("secure-join-fingerprint");
+        headers.remove("chat-verified");
 
         // Memory location for a possible decrypted message.
         let mail_raw;