diff --git a/src/key.js b/src/key.js
index b07d6912..91fd5e67 100644
--- a/src/key.js
+++ b/src/key.js
@@ -491,28 +491,29 @@ Key.prototype.getExpirationTime = async function() { * @async */ Key.prototype.getPrimaryUser = async function(date=new Date(), userId={}) { - if (!this.users.length) { - return null; - } - // sort by userId, primary user flag and signature creation time - const primaryUser = this.users.map(function(user, index) { + const users = this.users.map(function(user, index) { const selfCertification = getLatestSignature(user.selfCertifications, date); return { index, user, selfCertification }; - }).sort(function(a, b) { - const A = a.selfCertification; - const B = b.selfCertification; - return ( - (a.user.userId.email === userId.email) - (b.user.userId.email === userId.email) || - (a.user.userId.name === userId.name) - (b.user.userId.name === userId.name) || - (a.user.userId.comment === userId.comment) - (b.user.userId.comment === userId.comment) || - A.isPrimaryUserID - B.isPrimaryUserID || - A.created - B.created + }).filter(({ user }) => { + return user.userId && ( + (userId.name === undefined || user.userId.name === userId.name) && + (userId.email === undefined || user.userId.email === userId.email) && + (userId.comment === undefined || user.userId.comment === userId.comment) ); - }).pop(); - const { user, selfCertification: cert } = primaryUser; - if (!user.userId) { + }); + if (!users.length) { + if (userId) { + throw new Error('Could not find user that matches that user ID'); + } return null; } + // sort by primary user flag and signature creation time + const primaryUser = users.sort(function(a, b) { + const A = a.selfCertification; + const B = b.selfCertification; + return A.isPrimaryUserID - B.isPrimaryUserID || A.created - B.created; + }).pop(); + const { user, selfCertification: cert } = primaryUser; const { primaryKey } = this; const dataToVerify = { userid: user.userId , key: primaryKey }; // skip if certificates is invalid, revoked, or expired diff --git a/test/general/key.js b/test/general/key.js index 3a01aa67..7e53d1af 100644 
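Review bot: The new `if (userId)` guard in the `!users.length` branch is always true for the default `userId={}`, so a key with no users, or whose users carry no user ID, now throws 'Could not find user that matches that user ID' even when the caller asked for no particular identity; the `return null` under it is effectively unreachable, and an explicit `null` would fail earlier at `userId.name` inside the filter whenever a user has a user ID. Callers that relied on the earlier `null` result will get a rejection instead. The throw should be limited to calls that actually supplied a filter, e.g. `if (userId.name !== undefined || userId.email !== undefined || userId.comment !== undefined) {`. Separately, the sort comparator reads `A.isPrimaryUserID` without checking that `getLatestSignature` returned a certification; if it can return nothing for a user with no usable self-certification (not visible here), that dereference throws, as it presumably did before this change. The body of `getPrimaryUser` continues past the end of the hunk.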
--- a/test/general/key.js +++ b/test/general/key.js @@ -1555,6 +1555,7 @@ p92yZgB3r2+f6/GIe2+7 publicKey.users[1].selfCertifications[0].preferredSymmetricAlgorithms = [openpgp.enums.symmetric.aes128]; const encrypted = await openpgp.encrypt({data: 'hello', publicKeys: publicKey, privateKeys: privateKey, toUserId: {name: 'Test User', email: 'b@c.com'}, armor: false}); expect(encrypted.message.packets[0].sessionKeyAlgorithm).to.equal('aes128'); + await expect(openpgp.encrypt({data: 'hello', publicKeys: publicKey, privateKeys: privateKey, toUserId: {name: 'Test User', email: 'c@c.com'}, armor: false})).to.be.rejectedWith('Could not find user that matches that user ID'); }); it('Sign - specific user', async function() { @@ -1574,6 +1575,7 @@ p92yZgB3r2+f6/GIe2+7 expect(signed.message.signature.packets[0].hashAlgorithm).to.equal(openpgp.enums.hash.sha512); const encrypted = await openpgp.encrypt({data: 'hello', publicKeys: publicKey, privateKeys: privateKey, fromUserId: {name: 'Test McTestington', email: 'test@example.com'}, detached: true, armor: false}); expect(encrypted.signature.packets[0].hashAlgorithm).to.equal(openpgp.enums.hash.sha512); + await expect(openpgp.encrypt({data: 'hello', publicKeys: publicKey, privateKeys: privateKey, fromUserId: {name: 'Not Test McTestington', email: 'test@example.com'}, detached: true, armor: false})).to.be.rejectedWith('Could not find user that matches that user ID'); }); it('Reformat key without passphrase', function() {
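Review bot: Both added assertions, in 'Encrypt - specific user' and 'Sign - specific user', cover only a `toUserId`/`fromUserId` that mismatches on one field; nothing pins what happens when no user ID is requested and the key has no matching users. The removed source lines returned `null` in that situation, so a test that calls `getPrimaryUser()` with default arguments on such a key would document whether the new error is meant to apply there. A partial filter is also untested: the new matching treats an omitted field as a wildcard, so a case such as `toUserId: {email: 'b@c.com'}` would confirm that a name-less request selects the intended user rather than the first one sharing that email.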