KMail does not allow to encrypt to expired certificates. It is OK to warn about that (and would be a failure not to do so) but not allowing to encrypt to this key is a severe security failure because it does not make any sense and forces the user to use a different key (if available, usually not) or to send the mail unencrypted.
This is similar to the old (meanwhile solved) problem that you could not encrypt to non-valid keys. Of course, encrypting to a non-valid (i.e. never has been valid) key is much more severe that encrypting to an expired one which a purely formal problem not a technical one.
Steps to Reproduce:
1. Let a certificate expire.
2. Try to send a mail encrypted to this certificate.
Email cannot be sent.
Warning which can be overridden.
I have to "suspend" this bug report as it turned out that this is a problem of the underlying GnuPG (at least gpg) which currently does not allow this. Maybe this will be changed in future versions.
But I don't know whether this problem affects gpgme, though.
There is no concensus in the community what is the right behaviour.
Still valid for KMail 5.1.3 (KDE Frameworks 5.21.0 on openSUSE 42.1)
Another attempt to get this fixed.
You already came to the conclusion that this is a limitation of the underlying gnupg, so I close this bug as UPSTREAM.