| Based in | Germany |
| Storage | 1 – 1,000 GB |
| Price | €1.00/mo. |
| Free Tier | Up to 1 GB |
| Website | Tutanota.com |
Tutanota is a secure email service run by a small team of privacy enthusiasts in Germany. Although it may not be widely known, Tutanota is a serious player among secure email providers. It uses a hybrid encryption system that avoids some of the drawbacks of PGP, and is protected by the GDPR and other pro-privacy EU regulations.
In this new and updated Tutanota review, we’ll be posting hands-on test results while sharing our research findings and personal experience in using this email provider for the past few years.
The Tutanota team has a strong vision for their product:
In the future Tutanota will be the privacy-respecting alternative for Google with a calendar, notes, cloud storage – everything encrypted by default!
That being the case, we’re really going to put Tutanota through the wringer to see if they deserve your hard-earned money and attention. Let’s take a look!
+ Pros
- Encrypted messages (including Subject lines) Address Book, Inbox Rules and Filters, Search Index, encrypted at rest and stored on German servers
- Can search body of encrypted messages
- Can send encrypted messages to non-users
- Strips IP address from emails
- Desktop, mobile, and web apps
- Open source code (including mobile apps)
- Good apps for mobile devices
- Free accounts with 1 GB of storage
- Encrypted calendar with iCard support
- Encrypted contacts
- Inbox rules with Spam filter
- Multiple email addresses (aliases)
- Support for custom domains and other price+ features
- Discounts and additional support for non-profits
- Two factor authentication (2FA) support
- Publishes regular Transparency Reports
– Cons
- Does not work with PGP
- Potential delays with account approval
- Currently no way to import existing emails
- Based in a 14 eyes country (Germany)
- Can be affected by EU’s schizophrenic stance on encryption
- Only accepts credit card or PayPal; no cryptocurrency payments
Tutanota features overview
Tutanota uses industry-standard end-to-end encryption algorithms for email and other user data. All data is encrypted at rest and only decrypted in your browser or email client. Because it does not use PGP encryption, Tutanota also encrypts the subject line of messages. This is a noteworthy difference from some other secure email services, as we discussed in the ProtonMail review.
Additional interesting features of Tutanota include:
- Anonymous signup process does not require you to give them a phone number or other personally identifiable information.
- Open source code, including apps.
- Web app and desktop apps for Windows, Mac OS, and Linux.
- Android and iOS mobile apps, with Google-free access to Android app through F-Droid.
- Premium accounts with a range of additional benefits, including a Whitelabel (brandable) Business account.
- The ability to send encrypted emails to non-Tutanota users.
- Whitelabel and Secure Connect are supported in paid plans for an additional fee.
- Dark and Light themes.
Tutanota launched in 2011 (not long before Edward Snowden began leaking information), and is based in Hanover, Germany.
According to their website:
With its unique open source technology Tutanota fights for privacy and freedom of speech online, allowing everybody including NGOs, journalists and activists to send encrypted emails on desktop and mobile. In addition, Tutanota’s affordable business version enables companies and organisations of all sizes to easily secure their email communication.
Germany has strong privacy laws, including the Bundesdatenschutzgesetz and GDPR. That said, as elsewhere in the West, there is political pressure to reduce personal privacy rights to “counter terrorism”.
In addition, Germany is a member of the 14 Eyes intelligence alliance. This isn’t ideal, but Tutanota provides a detailed explanation of the laws that apply to them and the data they may be forced by law to disclose. In recent years, two court cases affirmed that Tutanota was not subject to nasty data retention laws that Germany applies to Internet Service Providers (ISPs).
Unfortunately, what the government giveth, the government taketh away. At the end of 2020, a regional court in Germany ignored the previous cases and decided to impose the ISP regulations on Tutanota. The court ordered the company to develop a way to monitor an individual’s account. At the time of this review, Tutanota is appealing the ruling. And as you will soon see, thanks to this secure email service’s end-to-end encryption, there really is very little point to the court’s ruling.
Tutanota technical specifications
Tutanota uses a couple of different encryption algorithms to ensure that your messages cannot be read or tampered with:
Tutanota uses symmetric (AES 128) and asymmetric encryption (AES 128 / RSA 2048) to encrypt emails end-to-end (E2E). When both parties use Tutanota, all emails are automatically end-to-end encrypted (asymmetric encryption). For an encrypted email to an external recipient, a password for encrypting & decrypting the email (symmetric encryption) must be exchanged once. The company suggests doing so using Signal messenger.
On top of its automatic end-to-end encryption, Tutanota uses STARTTLS with an extended validation certificate, Perfect Forward Secrecy, DNSSEC, DANE, DMARC, and DKIM to secure your connection to Tutanota to the maximum.
Check here for more info on Tutanota’s TLS encryption.
Tutanota ensures users that even they cannot access your inbox, due to the open source encryption standards they use.
AES-128 is more than secure enough for protecting your messages. Reportedly even the fastest computers in the world would need many billions of years to crack AES-128.
Tutanota is currently working together with Leibniz University Hanover to make their encryption standards future-proof against quantum computer attacks.
Tutanota hands-on testing
We’ve based this Tutanota review on the browser-based client. If you decide to stick with Tutanota, you can easily upgrade to a paid plan, with similar functionality and more storage, email aliases, and other options.
Signing up for Tutanota
Signing up for Tutanota goes about the way you would expect. Click the Sign Up button on website here to begin the process.
The first step will be to choose your service plan.
On the Subscription screen, click the red Select button under the plan you want to use. Although I have been using Tutanota since 2017, for purposes of this review, I have created a new, Free private account. This is the ideal way to test out the service.
Next you will need to enter your account information. You’ll select an email address using one of the domain names Tutanota makes available for free users. You’ll also need to enter a Password, and check all the relevant boxes on the screen, including the one that confirms you are at least 16 years old.
Note that you are not required to give Tutanota a phone number or other personally identifiable information. This means you can have a truly anonymous free account. As we’ll see in a moment, Tutanota has a process in place to prevent spammers from taking advantage of the service. Unfortunately, that process can be a real headache for regular people.
The last step in this process is to record your 64-character Recovery Code. Tutanota doesn’t know your password (or the optional second factor you can set later) so the only way to recover your account if you lose either of these is by using the Recovery Code.
You can copy the code by hand, or click the round Copy or Print buttons. Once you’ve recorded your code, hit Ok and you’ll be ready to log in. Enter your Password and hit the Log in button.
An annoying automated delay
You are probably anxious to get into Tutanota and start exploring, but at this point, you may run into that anti-spammer process we mentioned earlier. Your account may be automatically “marked for approval.” This puts a 48-hour hold on your ability to send or receive messages, as you can see below.
As Tutanota states in this blog post,
Sometimes accounts are automatically marked for [manual] approval to prevent spammers from signing up. This is often the case when you sign up via Tor or a VPN, for example, because unfortunately spammers like to abuse Tor. In case your account gets marked for approval, you will be able to start using it within 48 hours after registration once it has been approved.
They claim that your account will automatically be approved within 48 hours after registration. However, if your account has not been approved after 48 hours, Tutanota recommends you contact Support and give them the email address you are trying to register.
I ran into a problem with this system while working on the first edition of this review. After waiting four days, I contacted Support about the problem, and someone got back to me within minutes. However, the account was not approved until the 5th day. Not ideal.
On a positive note, this manual account approval takes the place of more invasive verification procedures, such as phone verification, which many other email providers use. While the delay was somewhat annoying, I’d still take this over phone verification.
The look and feel of Tutanota
Once you click Ok, you will see Tutanota’s standard 3-pane layout like most other email programs. Here is a screenshot from our tests:
One feature you may like is the built-in support for a Dark mode, which looks like this:
If you happen to work a lot at night, or just get tired of the glare from the screen, this mode could be for you.
The folder list appears on the left, with messages in the center, and the content of the selected message on the right. A basic set of folders comes pre-defined in the left-most pane, and you can create more at will.
Note: Tutanota will automatically switch to a 2-pane view on smaller displays, such as tablets.
Tutanota has two factor authentication
Before you go any further, this would be a great time to enable 2FA. In the leftmost pane, click Settings, then Login. You will see several login-related settings in the middle pane. Scroll down to Second factor authentication and click the plus sign (circled in the following image).
You’ll see the dialog box you need to connect 2FA.
For more details on how to configure the various types of 2FA Tutanota supports, visit this help page.
Okay, let’s get back to exploring the Tutanota user interface (UI).
Composing, sending, and receiving messages
Composing messages works as you would expect. Click the New email button at the top of the leftmost to create a new message. While an early complaint about Tutanota was the lack of message formatting commands, today there is a full range of formatting options.
To see the menu of formatting options, click the T icon on the Subject line of the new message (circled in red below).
Click Send (in the top right corner of the message window) to transmit the message.
When you receive messages you open them normally, whether received from a Tutanota user or someone else. If a message is from another Tutanota user, all the encrypting and decrypting is done automatically in the background.
Like most secure email programs, Tutanota blocks images from appearing by default. If a message contains images, you can display them by clicking the icon circled in red at the top right of the message, as you can see here:
So far, so good. But what if you want to send a message to a person who doesn’t use Tutanota? This is where things get a bit more complicated.
Sending messages to non-Tutanota users
When you are composing a message, Tutanota checks to see if the recipient is a Tutanota user or not. If not, you have to specify whether you want the message to be sent encrypted or not. If you have this option, Tutanota will display a lock icon on the Subject line (circled in red) with a status message.
Clicking the lock icon will cause Tutanota to send the message either in the clear (unencrypted), or E2E encrypted.
When sending an encrypted message to a non-Tutanota user, you must enter a pre-agreed password that is used for symmetrically encrypting and decrypting the message. Instead of receiving the message in its encrypted form, the recipient will receive a link to view the message. Here’s what that looks like:
Note: Sending the password to someone using the same medium of communication (Tutanota) that you will use to send encrypted messages to that person is a bad idea. A better way to go would be to use a secure messaging app like Signal Messenger to share the password. Check out our Signal Messenger review to see why this is such a good idea for your situation.
Searching for messages
Tutanota has implemented a full text search feature for messages. This is actually a challenging endeavor since the contents of your inbox are stored fully encrypted.
When you enter a term to search for, Tutanota will create an encrypted search index. This might take a minute or two depending on the size of your inbox. Like messages and everything else in Tutanota, the search index is encrypted at rest. This prevents someone from hacking into your system and spying on you by analyzing the search index.
After the search index is populated, the matching hits (emails) will display below. Tutanota’s search feature also gives you the ability to search specific periods of time as well as custom fields (subject, email body, from/to, and attachment name). This is a pretty good system in my opinion.
Comparison: As we noted in the recently updated ProtonMail review, you can now search the body of messages. You can have ProtonMail created an encrypted index of the bodies of emails which it then searches. This seems very similar to the Tutanota approach.
Rules and Filters
Tutanota offers both rules and filters for email, but they are pretty basic. Under the Spam rules you can designate individual email addresses as spam (put in the Spam folder), not spam (leave in the Inbox), or discard (send to the Trash folder).
Mailbox rules are more flexible, but are only available as part of paid plans.
Contacts and calendars
Tutanota supports both Contacts and Calendars.
These function as you would expect, but it is important to note that all Contacts and Calendars are encrypted when at rest. As we noted earlier, one of the main goals for the Tutanota team is for all your data to be encrypted, protecting you from snooping third parties.
The encrypted Tutanota calendar looks like this:
You can see the calendar features here.
Tutanota mobile apps (Android and iOS)
Tutanota has apps for both iOS and Android. I’ve been working with the Android app.
Whereas I had some issues with this app when it first came out, it now functions well. At the time of this Tutanota review, the Android app had over 6,600 reviews with a rating of 4.0 out of 5 stars. (Available on F-Droid too) The Tutanota iOS app had 343 reviews with a rating of 3.8 out of 5 stars.
Tutanota desktop app
Tutanota has a desktop client for Windows, Mac OS, and Linux. I’ve been using it for a long time now and it continues to work well, basically giving you all the features of the webmail app, including the encrypted contacts and calendar.
As you can see, the desktop app looks very much like the web app.
Tutanota business features
Tutanota also offers secure business email accounts designed to let you,
Save time and money by hosting all your business emails end-to-end encrypted on Tutanota’s secure servers based in Germany.
Here’s a partial list of the Business Email features currently available:
- Custom email domains with optional catch-all
- The Secure Connect encrypted contact form
- Multi-user support so you can manage all your users yourself
- Scalable shared storage for all your business accounts
- Zero-knowledge full text search of messages and contacts
- A large set of Whitelabel customizations
- Two Factor Authentication (2FA) available
Secure Connect encrypted contact form
One cool feature for website owners is Tutanota’s Secure Connect form. This gives you the ability to incorporate an encrypted contact form that facilitates completely anonymous two-way communication. In May 2019, Tutanota launched Secure Connect and made it, “free for news sites so that whistleblowers can get in touch with journalists securely.” Very cool.
Unfortunately, if you don’t meet the criteria to get it free (not a news site) then this feature will cost you €240 per year – certainly not cheap. You can read more about Secure Connect here.
Tutanota support
When reviewing email services, we create fresh accounts and go through the setup process as average users.
We’ve contacted Tutanota Support numerous times during our years of using the service. In almost all cases, the customer support team has responded to our queries in about one business day – so overall very good.
Tutanota plans and pricing
Tutanota pricing has grown more complicated over time. Today, they now offer six plans (three Private plans and three Business plans) along with a range of custom options and add-ons. This allows you to create exactly the service you need for your personal or business needs.
At the time of this Tutanota review, here is a breakdown of the plans and prices
- Free Private plan, €0
- Premium Private plan, €12 yearly, €1.20 monthly
- Teams Private plan, €48 yearly, €4.80 monthly
- Premium Business plan, €24 yearly, €2.40 monthly
- Teams Business plan, €60 yearly, €6 monthly
- Pro Business plan, €84 yearly, €8.40 monthly
Beyond the standard plans you can add more storage (10 GB, 100 GB, 1 TB), and more email aliases (20, 40, 100). As if this wasn’t complicated enough, the company keeps adding useful new features like Whitelabel, Sharing (of calendars), Business (specific features), and Secure Connect to their product. As a result, your best option is to scroll down the Pricing page to the Pricing Calculator and let it give you an exact price for the particular configuration you want.
Note: If you are an NPO (non-profit organization), you may be entitled to a reduced price on Tutanota. See here for details.
No cryptocurrency payment options
Unfortunately, Tutanota has still not integrated support for cryptocurrency payment options. This has been on their Roadmap for years now. You can donate to them with cryptocurrency, but standard crypto payments are still not an option.
If you want more privacy with payments, you could check out the services listed in our new Ultimate Guide to Private and Anonymous Payment Methods.
Tutanota alternatives
If Tutanota doesn’t look like the best email service for you, you may want to check out our ProtonMail review. The services are similar, although we like Tutanota’s approach to message encryption better since it encrypts the Subject line as well as the body of the message.
That said, either one of these services should be more than sufficient for normal users who want to protect their privacy while using email. Neither service can guarantee you protection against state actors like the NSA or the various domestic intelligence agencies. Nonetheless, they are both secure alternatives to Gmail that respect your privacy.
You can also see our secure email roundup for a list of other providers.
Tutanota FAQ
Here are some common questions (and answers) people raise about Tutanota.
Is Tutanota really secure?
Tutanota is certainly more secure than the vast majority of email services. Is it bulletproof? No. No system is, so you have to think about your threat model and decide if any given service is secure enough for your purposes. So let’s take a look at potential weaknesses in Tutanota’s security.
The browser and desktop Tutanota apps rely on JavaScript for encryption and decryption. Using JavaScript for these functions is generally considered to be less secure than other approaches. Using a secure browser when using the web app version of Tutanota will help here. You can also use the mobile apps which should be a bit more secure than the others.
There are some cases where Tutanota is bound by law to disclose information about you. According to their Transparency Report, between July 1, 2021 and December 31, 2021, Tutanota released data to the authorities more than 50 times. Understanding exactly what this means is complicated. If you want the details, you will need to examine the latest Transparency Report and related documents. It is important to note that in some cases, Tutanota may be forced to record IP Addresses by a valid court order, as well as the contents of messages that arrive unencrypted at a user’s mailbox.
Note: All email services must abide by the laws in the jurisdiction in which they are based. To have more anonymity when you use Tutanota (or any email service), consider using a good VPN service to hide your IP address and encrypt your traffic. We have reviewed many popular options, including NordVPN and Surfshark, ExpressVPN, IPVanish, CyberGhost, and more.
Is Tutanota the best secure email service for you?
Is Tutanota the best secure email for you? Here is a summary of the factors to consider when switching to a secure email provider, and how they apply to Tutanota:
- Jurisdiction – Tutanota is based in Germany and your data is stored there.
- PGP support – Does not support PGP (read about PGP problems).
- Import feature – While it has been discussed for more than a year, Tutanota still cannot import email messages. It can import calendar data and contacts.
- Email apps – A web-based client as well as desktop apps for Windows, macOS, and Linux, along with iOS and Android apps.
- Encryption – Emails and attachments can be sent end-to-end encrypted and everything is stored encrypted at rest.
- Features – Includes a built-in calendar and contacts along with full text search of messages.
Can Tutanota be traced?
I assume by this question you want to know if your use of Tutanota can be traced. They don’t track you in any way. They don’t post targeted ads in your mailbox. They also don’t log your IP address (unless forced to), or even require you to enter any personal information (no phone number, no email address). So Tutanota isn’t tracking or tracing what you do.
Your email, contacts, and calendar are all encrypted, so no one, not even Tutanota, can read them. Right now, Tutanota is battling German court demands to spy on one specific email account. Even if the company loses this battle, all they can do is monitor future unencrypted mail coming to the account. They literally have no way to decrypt encrypted messages, regardless of how hard some judge pushes them.
In other words, there is little anyone can do to trace you in Tutanota.
Tutanota review conclusion
Tutanota is a strong choice for anyone who wants a secure email service for general use. While the service itself provides strong security, for maximum security, you can use the mobile apps, or access the browser-based app through a secure web browser. Additionally, you can add another layer of protection by using one of the best VPN services.
While Tutanota may not get as much attention as some other email providers, we believe it is a market leader in the secure email space, if not the best option available for serious users. Check it out here, or see some of our other secure email reviews to investigate other options:
ProtonMail Review
Mailfence Review
Mailbox.org Review
Hushmail Review
Posteo Review
Fastmail Review
Runbox Review
CTemplar Review
This Tutanota review was last updated May 1, 2022.
I’ve been a big fan of “secure” and “private” services for years. Finally decided to try Tutanota partly because of the reviews and comments here. I was sceptical because Germany doesn’t sound like a privacy destination to me. Even privacy, forget about the anonymity. But there are sadly not so many options around so i figured to give it a try.
Well, when i started searching through their website, i found that they actually *kinda* support cryptocurrency, but in a way of buying gift cards from a third party, their partner. That was okay with me so i signed up. What turned out to be the reality is that you can’t just buy a gift card from a basic (free) account. The option to add a gift card to your account is only available to paid members *clown emoji*
So first of all, you give them all your KYC data and THEN hohoho sure, we’ll let you update your account for another period with BTC. Nice. Very dissappointing but looks like i won’t become a Tutanota customer after all and will delete my account. And to think i’ve planned to migrate to a Tutanota business account for one of my businesses. Hahaha.
Another terrible part is the customer service. The google-esque no-email-support-for-peasants must go. I’ve used Protonmail email accounts for years now, BOTH plus and free, and even for my free account issues, the support was always amazing and you could always email them and get a rather prompt reply. With Tutanota it’s like screaming into the void. No emails, just badly organized FAQ’s. Welp thanks.
Good article Sven, what do you think of labavit, the email that Snowden used, will you do a Review soon?
Lavabit is still based in the USA, and therefore still vulnerable to the problems that forced it to close down in the first place in 2013. I think there are better options to consider, no plans for a review at this time.
I’ve decided to delete my “Tutanota” account and to open one at Proton (Mail).
Two major reasons:
#1 “Tutanota” looks totally wacky on a job application. I’ve actually seen firsthand someone frown thinking “what the shit?” when handing them a paper. In a different place, I was asked “what’s a Tutanota?” I don’t care if it is supposedly a Latin combination meaning “secure message”, it was always an incredibly ugly choice of brand name. Tutamail is stupid too.
#2 If you don’t pay them money, your account will get deleted after 6 months of not logging in.
Interesting! Since I am considering switching form ProtonMail to Tutanota. Sorry to hear about your account being deleted. They usually do that to free accounts that remain unused up to 6 months. If you or anyone else is curious as to why, it is largely due to the statement in this article comparing the two:
“ProtonMail focuses on highly secure email services (though arguably not as secure as Tutanota) that are still easy to use and convenient for all users.”
https://www.makeuseof.com/which-email-more-secure-tutanota-protonmail/
Don’t get me wrong, ProtonMail is an excellent email service. However, it looks like they tend to put their time and effort into features with their product that is of little significance to the user. For example, they just changed the look of their dashboard, but their calendar and cloud services are still in Beta and they just recently implemented Wireguard into their VPN despite other VPN’s already having it.
ProtonMail’s cosmetic changes are nice, but I would rather be able to use ProtonCalendar and Drive before being able to change my dashboard’s color scheme.
Whoops! I left out a part of the paragraph I quoted to make my point:
“On the one hand, Tutanota is more concerned with maintaining your privacy. ProtonMail focuses on highly secure email services (though arguably not as secure as Tutanota) that are still easy to use and convenient for all users.”
After having used ProtonMail for sometime, I tend to agree that Tutanota is more privacy-focused than ProtonMail.
As a customer, i will forever choose Protonmail (no matter how many questions and concerns we have for them) over Tutanota for letting me pay 1) with cryptocurrency 2) with a cash sent in an envelope. Tutanota have promised to add non-KYC payment options for years and here we are in 2022. Makes you think.
Strange that you don’t mention on any of these reviews whether the service supports IMAP, so I can access it with my existing email client. I know ProtonMail has an ‘IMAP Bridge’ which supposedly does. But what about the others?
(1) Receiving an E-mail to your inbox often takes so long that verification codes (for account login/creation) sent from other websites (such as your online banking website) arrive after they’ve already expired.
(2) Tutanota now blocks your access to your own free account if you haven’t logged into it for 6 months.
They then hold the account ransom.
The only way to regain access to the account is to give them money.
(3) Tutanota’s unwillingness to accept crypto payments is a pretty strong indicator that they aren’t actually the strong privacy proponents they claim to be.
(4) Tutanota has begun taking stances on political theatre issues and broadcasting those stances to their users via E-mails. Their stances demonstrate blind faith in the claims of corrupt intelligence agencies, corrupt television ‘news’ networks and corrupt politicians.
For now I’ll keep my email account as long as they don’t tamper with it. It’s really annoying having to switch emails and change every site account associated with that email address.
As of about 20Jan22, Tutanota only supports Chromium based browsers. Legacy browsers such as Pale Moon, WaterFox, etc. are kaput! On Reddit, there is a discussion of this, with comments by one of their very arrogant ‘developers’.
Time to dump these people.
Ever since they deleted/deactivated my week old account for no reason whatsoever, I lost faith in Tutanota. That’s the last thing any company would do to its users.
About my deactivated account, I opened it and sent a single email it to my other account, so that I could remember the new account. Nothing did I do more than that. I had to go through customer service to get it back or at least had to give a try. I said nah.. not worth it.
Other account being that of Protonmail. I am fully aware of Tutanota’s one person one free account policy
Same things happened here. Garbage company.
A German court, pressured by the US govt, can force Tutanota to attempt to allow service handlers by default, which allows them to access your emails. (This happened to me once). Since they have the encryption keys on their servers, they can decrypt any communications. If the keys are on your device, they could initiate whats called key exfiltration. Not sure if they can read my emails.
We need to develop a system where the key itself is encrypted, password protected, in a hidden volume, on a hidden os on a usb key that is encrypted with Veracrypt. Hidden os, hidden volume on usb and pc.
Tutanota is a rip-off as far as I’m concerned. I paid in full early this year, so my account should of been good until around February. Not so. Tutanota closed my account recently for not logging in every six months. R U Serious?!! Who does that to a paid account? Tutanota! My advice is stick with the free account, don’t trust them with money….and log in every five months…they require more hand-holding and reassurances than a needy girlfriend.
You said near the bottom of the review, “It is important to note that in some cases, Tutanota may be forced to record IP Addresses by a valid court order, as well as the contents of messages that arrive unencrypted at a user’s mailbox.”
What determines whether a message arrives encrypted vs nonencrypted into your mailbox? I’m other words, how can a person ensure that messages arrive encrypted into one’s mailbox?
Joe shared part of the welcome email from Tutanota that says that emails that arrive nonencrypted will be encrypted as soon as the arrive in your mailbox. But according to this review, if they arrive unencrypted, they can be recorded and shared, with a valid court order.
That means we need to ensure that messages arrive encrypted. Unless I am missing something. Please advise. Thank you.
If you send or receive emails to another Tutanota user, they will be fully encrypted and are unreadable in transit and when stored. If you send or receive emails with a non-Tutanota user, they will NOT be encrypted in transit, but will be encrypted when stored in your inbox (encrypted at rest).
Also, this only happened because Tutanota was specifically forced to do this against a specific individual who was the subject of a criminal court case in Germany. You need to remember that to put the situation into context. It’s not a blanket action against all users. If you are not a criminal working in Germany and using Tutanota to exploit and harass victims in Germany, I would think the chances of this happening to you are essentially zero.
So, when an email from a non-Tutanota user first arrives in my Tutanota inbox, will it be encrypted or unencrypted?
My understanding is that it will initially be unencrypted and then very shortly after, encrypted as it rests in the inbox. But since emails that initially arrive unencrypted can be compelled to be released, I’m wondering how to ensure that they are encrypted upon arrival so that they will not be available to be released, as described in your article. Thank you.
“My understanding is that it will initially be unencrypted and then very shortly after, encrypted as it rests in the inbox.”
Correct.
“But since emails that initially arrive unencrypted can be compelled to be released, I’m wondering how to ensure that they are encrypted upon arrival so that they will not be available to be released, as described in your article.”
Again, as I said before, the only solution is to send and receive emails from other Tutanota users to get the benefit of full encryption. So ask people to open a Tutanota account and use it to send you emails. Or find a better way to communicate, such as with a secure messaging app. Those are your two options if you want full encryption.
I have considerations to make.
I see this blog defending tutanota a lot.
This already sounds strange, because who in their right mind considers rtutanota better and more private than CTemplar?
But my point of comparison now is not with CTemplar, but with Protonmail.
Tutanota says that they doesn’t use cookies, actually, when you access their site’s homepage or your e-mail, in fact, I didn’t notice any cookies, but I noticed something that was disguised and it’s worrying.
When I accessed tutanota e-mail, I realized that they wanted access to my motion sensor, why? This already sounds very strange.
Second point: INSIDE tutanota website, in the blog, I found no less than 5 COOKIES. That is, on the home page there are no cookies, but just click on the blog link and they appear. But hadn’t tutanota guaranteed that he didn’t use cookies?
I did the same test with protonmail, here is the result:
0 cookies on the protonmail home page
0 cookies on the protonVPN home page
0 cookies on all links I accessed from the protonmail blog
Question:
Is tutanota really concerned about privacy?
I continue to use protonmail and recommend CTemplar as well. Tutanota really has good features, but when we catch privacy companies with little lies, suspicion must be high.
I used to be a Tutanota Premium user. However, I ultimately switched to Mailfence. I have encouraged many of my five siblings to make the switch from Google to the free version of Tutanota. Try it for as long as they like, then get a premium account if it suits them. After getting 4 of the 5 siblings to switch, we recently had a problem with Tutanota thinking they were spamming. There are seven of us in the email (counting my mom), so this certainly doesn’t constitute spamming. I have come to the conclusion that Tutanota is having some very poor business practices in trying to get free subscribers to pay for a premium account. The one sibling that has a premium account is the only one that did not get a notice about spamming, or “exceeded the limit” and it would be a day or two before they could resume emailing again. I do not recommend Tutanota for free or paid subscriptions because of this devious way of manipulating people.
I’ve been with Tutanota since the beginning, with both a paid and a free account. Great experience with both, and very several privacy reasons choose to keep my paid accts at Tutanota instead of Protonmail.
In your case, It’s possible that a contact of one or more family members has very non-secure habits and, even without y’all knowing, has leaks or poor practices that have exposed family addresses to those who generate spam. That volume of junk is not what exceptional services like Tutanota should bear at the expense of free users who carefully monitor and protect accounts, settings, contacts.
There are few to whom I will give my real contact info because of how insecure most people’s phones and computers are; how much worse their contacts practices may be; how quickly such people add others to group lists and cc lists, etc.
Tutanota is probably the weirdest and most inconsistent “privacy-focused” email providers among all the others.
I’ve personally also had experience with both the free and paid versions. In fact, I paid within a week of using it, simply due to how simple it’s interface is, and it’s promises and assurances of true privacy on their blog.
However, in my experience, even as a paid member, I was offered absolutely horrible customer service. I was asking for some assistance, and the replies I got from their customer service was literally one or two sentence replies, and did not address my concerns at all (can’t remember exactly what those were, but anyhow).
So yeah, I proceeded to cancel my paid subscription and ask for a refund (even though I have to say their service is the cheapest paid one, and that’s great). This followed with more of their crappy customer service, and it took multiple attempts and convincing for them to finally give me the refund.
To me, that was a major make or break. Poor customer service means poor business model. If you don’t treat your customers well, I don’t care how good your encryption and security is.
That was my personal experience with tutanota. That said, they continue to look like a promising email service provider, but until they step up their game on customer support, I’m not going to use them as a daily driver. At least not their paid tier, even though it is cheap.
I would say that the customer service you describe is typical for email support and also VPN support based abroad. I don’t like to generalize, but in this case, what can I say? The ones I have used, and am using, all have only email support and, depending on your luck, might indeed reply as if it were chat, very cryptic and not always to the point so that there is a needless back and forth over the course of several days just over nonsense. Put that together with the time difference (6 hours ahead of EST), and the fact that they apparently only work 9-5 with weekends off, it means that you’d better not have an emergency on your hands (especially on a Friday!) or you’ll be totally screwed.
I’m sorry for whatever I’ve overlooked–I’m right now devastated–and numb.
Is it possible that Tutanota does not encrypt “Contacts”?
Since a long time ago when I *first* started having horrible problems with my (very abusive, in myriad ways) ex-spouse hiring a hacker to wreck my and our children’s lives, I’ve tried to follow all Sven’s exceptional advice.
(By the way, it may or may not be relevant that Ex works for the U.S. government–not the intelligence community or whatnow, but for the Department of Commerce.)
Anyhow, I NEVER go online without Perfect Privacy VPN set up (perfectly and all). I use only hardened Firefox. I never miss updates of any sort. I stay away from apps unless I really need one and I have good reason to believe it isn’t something insecure or otherwise sinister. For what I [used to] consider “not that important” stuff, I did allow myself to use my ipad pro [with EVERY privacy precaution enabled]–you know, just for reading, benign web-searching, sending “everyday” sorts of email *always via Tutanota*.
But more often, I used either my “Linuxbook” [my older macbook I stripped of MacOS so that it would run only a Linux distro–and utilize all the other precautions mentioned]. But, around the time covid appeared and I had to do more stuff online, I realized some important-for-my-profession software was not available for Linux, so I did begin using an early 2020 Macbook, which I’ve been just as careful on. I connected to the internet via ethernet only. Never wifi.
I search only with Metager. Never share location. It took forever to find a [believe me–necessary] home security system because so many of them are awful in the privacy/security sense. No Siri or Alexa or any such thing is allowed in our place. Black tape on all potentially internet-connected webcams; and I started using these “MicLock” things that actually do prevent others spying on you with your mics.
You’d be very hard-pressed to find someone who has password-setting (and regularly changing) policies that rival mine. My family is always laughing when they see me typing in these crazy-long passwords, using all the “randomization” stuff and stored only in a small book I keep well hidden—and no one who lives here cares at all about my boring online life. My computers and one device are never in anyone else’s possession. The laptops don’t leave, and the ipad pro leaves only when absolutely necessary in my locked briefcase.
The earlier hacking was part of a pattern of [extremely bad] abusiveness that was so traumatizing that, for example, now I REFUSE to use a mobile phone of any sort. (My kids know I can always be reached by them via a text or whatever to the ipad if I was out–but preferably via Signal.)
I could go on and on, but I won’t.
The only thing that comes to mind that I failed to do: I bought a new, more secure, recommended-here router that I wanted to replace the one our internet company provided. I felt mildly uneasy about the internet-company router, and I was going to put one of the recommended VPNs on the new one (in addition to having my computers and ipad running my current Perfect Privacy VPN). But, after I twice tried installing it without success, and after my teenage son (who does things like put together gaming computers for himself and friends and checks out open source software, etc.–you know, more technically savvy than his Gen-X mum) ran into the same problem with it—and after someone on some tech-helpline finally told me [perhaps just to get me off the phone when none of their suggestions worked?] that the router wouldn’t work with my internet company, I guess I’d become so tired of worrying and trying to put out or prevent all these fires Ex would set, I just decided, “Well, I connect with my ethernet cable whenever I do [what I previously thought was] anything important, so I’ll let this slide for now.”
But, sort of lately, I’d been feeling better about being able to be online, etc. Things had started feeling “lighter.”
Until today.
I am too afraid to access my email even to check out whether anything else has happened. (I know that I should have received several pieces of correspondence that I hadn’t but it’s possible the couple people are really busy.)
Here’s the deal: You know how you can enter a contact just by typing the first couple letters and then the entire address appears and you just glance at it, click, and you’re on your way?
Well, I just realized something very bad. I was trying to send communication [again, via Tutanota, as always] to an entity that is very important to my children and to me, and which has a restricted domain ending–but, what I was sending was not, in itself, something you’d think of as a big-dea type of message.
Well, I just realized that someone [ex + hacker] had changed the contact info essentialy to this:
[specific/accurate department of organization].[essentially name/domain-name of organization, which even in abbreviated form is somewhat legthy in reality]–and ALL that seems perfectly fine/correct–but THEN. this: “@gmail.com”!!
GMAIL!?
No way! I *don’t really deal* at all with Google, though of course I must to the extent I need to solve CAPTHCHAs and such.
And I’m not so stupid that I’d think a very important entity that legitimately needed info from me concerning my children would use a freaking gmail address.
In the distant past, my emails were sent correctly to the right address I’d originlly typed in (and I never had any reason at ALL to change it—I NEVER DID change it, and no one in my household would want this stuff unsent, plus no one knows my passwords—and I don’t do fingerprint- or face-recogntion).
None of these communications required a response, but the oganization did need those messages from me.
And, this Ex’s M.O. is: Make her seem very irresponsible, not-that-bright, crazy.
He does a great job at that, btw. But this isn’t who I am.
I quickly checked an email I sent *seven months ago* to this place, and it had gone to this stupid gmail address! They never got it, or any other thing I sent at least since then.
And ex and hacker apparently created a gmail account to receive all these emails–so I wouldn’t be informed that the address was wrong–and, I’m sure so sx could see what I was sending, though it wasn’t anything about him.
Oh.
I’m sorry.
I need some help here.
Crazy things like this happen far too often—not always digitial stuff. It’s gotten to the point even my loving family is obvously sort of starting to doubt me on certain similar things, though they KNOW I’d never type in this address with “@gmail.com.” Sometimes I think even they are beginning to believe I really am crazy, or stupid. I can just hear one of my kids: “Why would he do that? Why would he put so much time into THAT?”
But that’s WHAT he does now—makes it seem I’m incorrigible/ditzy/irresponsible/stupid/hapless/nuts–and therefore not easily believed by “important people” in the lives of my children and me.
Sometimes, I start thinking, “Maybe I AM crazy, despite all I’ve accomplished in my life–maybe the ex is right–that, finally I’m all “washed up,” utterly defeated, and I must be doing stupid things I can’t even imagine doing—maybe I’m crazy without even remembering bizarre, truly-unlike-me things I do somehow?”
Well, yeah, I guess that’s the old gaslighting thing. Been around forever, but this ex (and many of those of others) can do this rubbish so covertly and strategically that few recognize there’s actually a target who’s being chronically mischaracterized. Scapegoated, to draw attention away from the jerks’ real and quite apparent abuses of the type that have occurred in homes against relatively powerless people—to induce “important others” to question the “never-been-in-‘trouble’, otherwise very credible (because they are), protective (non-abusive) truths that she and her children finally built the courage to speak.
Can someone just let me know if/how it’s possible this Tutanota-contacts thing could have occurred?
And maybe what I should do. I have no privacy/security it seems from this sociopath who WILL NEVER GIVE ME ANY PEACE. Today, someone asked me to go for a walk, but I just felt so . . . . . “watched.” I’m starting to think I’ll never escape this harrassment and character assassination. Worst of all, my children suffer from this in many ways.
I’m sorry I cannot write succinctly. I’m sorry. I need some help–and not because I’m crazy. Please don’t be harsh. I’m sorry. It’s all been going on so long. I find someone STILL has so much control over my life, my kids’ lives. I don’t know what I can do to escape it for us, and I’m beginning to think I never will.
Thank you,
P.
Have you previously received anything from this gmail address? Then it would pop up in your address book when typing. You would have two options to choose from, the original and the new.
When sending an email to an external client, or someone that doesn’t use Tutanota, you need to choose a password for that client for the email to be encrypted.
I hope your email address is one that is kept secret when you send confidential information.
I’m sorry this happened to you. As the recipient of the kind of abuse you are talking about, I know it can become all-consuming.
You’re doing the right thing to protect yourself and to stand in your reality and not let the distortions in. There are others who have gone through what you have and will understand. Those who haven’t been through it won’t get it, and there’s no point trying to convince them, as people have psychological defence mechanisms to protect themselves from knowing that such malevolence exists. I think most of us would rather have bruises or broken bones that we could point to instead of convoluted gaslighting campaigns and subtle attacks by the other parent against their own children as a way of breaking us down.
Chin up. Keep going forward. He’s a broken human being, and you are learning his tricks, and after a while the tricks will be predictable and you will be bully-proof and not care what he does one way or another.
Hello Sven
Which is the best Protonmail or tutanota for daily use ?
I like Mailfence for daily use 😉
Try both ProtonMail and Tutanota with the free accounts they have. Then keep the one you like best.
Thanks
I will give them a try
Just use protonmail .com or.ch the Swiss address will confuse people but that’s what I like. I am a Cryptology expert; Only the subject line comes in clear text and can be investigated by the Swiss court but that’s probably never gonna happen just don’t be obsessive compulsive take it it
Hey Sven —
Any thoughts on the past week’s blowout at /r/Tutanota over the big Premium-tier devaluation? It makes them more expensive (to get useful features) but they were unsustainably cheap anyway. It seems like more of a problem that they made such an egregious business decision and executed it so badly — can they stay in business with skills like that? And then it seems like MUCH more of a problem that through the whole debacle they were making one false statement after another, including a false claim, an edit to an old blog post to support the false claim, and then when that was caught an edit to the edit to cover up the coverup. Not too very attractive; they did not exactly cover themselves in glory.
I assume most subscribers won’t be too bothered, but to me it’s just as though they’ve said “The things we say are not to be relied on,” which pretty much wipes out their usefulness in a trust-based business. For me anyway.
Hi Philip, I did not see the controversy and have not had time to research what exactly happened. Feel free to fill other readers in on what transpired in the comments if you want.
Okay… I’ll try to keep it manageable. Late last week they announced a “new feature”, which was actually that a couple of Premium-tier features were being taken away and restricted to Business-class. There was a commotion; their next announcement was here:
https://www.reddit.com/r/tutanota/comments/lsu1zw/update_existing_subscribers_can_get_the_business/
After that, lots more commotion; a couple of the more worthwhile posts:
https://www.reddit.com/r/tutanota/comments/lsp1d9/a_suggestion_re_price_increase/
https://www.reddit.com/r/tutanota/comments/lts33j/we_should_give_the_tuta_team_time_until_next_week/
This one was interesting — apparently they never made the announcement about the half-baked compensation offer in German (nor did they ever send it out in email — only at Reddit):
https://www.reddit.com/r/tutanota/comments/luacle/bitte_aktuelle_situation_auch_auf_deutsch/
And then here is where they were caught out by a sharp-eyed person checking the permanent record:
https://www.reddit.com/r/tutanota/comments/lvbd3x/explanation_on_subscription_changes/gpbi0rx
I’ve seen that you’re a Tutanota fan — and with reason. But their misrepresenting themselves and monkeying with the historical record is just low behavior. Some people might judge for perfectly good reasons that this doesn’t matter for them. For me the good-faith relationship is essential; I think a privacy provider can’t work any other way.
Thanks for filling us in, Philip. It looks like they did not execute this change very well! Yes, we have liked, recommended, and personally used Tutanota over the years, but that also applies to ProtonMail, Mailfence, Posteo, CTemplar, and more.
Philip,
Thanks for the info.
While this is sad, it is not unexpected from what I have seen.
Appreciate the heads up.
First off, thank you so much for this website. Really great content.
I have a lot of emails that I’d not likely worry about sending e2e. What isn’t clear to me, is whether or not those correspondences are automatically encrypted once they land in my Tutanota inbox/outbox. In other words, is an “unencrypted” email safer in a Tutanota inbox than, say, Thunderbird?
The court case that was posted below seems to suggest that Tutanota encrypts everything on their servers, but they can somehow still provide messages that were sent to their servers unencrypted. I must be missing something.
I can’t stand the Tutanota aproach of 3-pane layout. There’s no option to turn to 2 panes. It’s the only obstacle to keep me from adopt this as main main email service. A so narrow folder subjects (the pane in the midle) is useles! Why dont theres a option to choose 2 panes with the full subject of the content of a folder (inbox for example). I can’t work with this, sorry.
Tutanota? Don’t use it.
I just tried to create a free account, my FIRST and ONLY one, but was blocked IMMEDIATELY. I was given NO waiting period – just told it could not be created due to abuse!!! (LOL). All I had done was enter a DECENT user name and password (some abuse!!!).
I read Tutanota’s blog on reddit and now other review sites and MORE WORRYING is that other people complained of having their Tutanota accounts suddenly deleted and other NASTY treatment. Can users RISK using Tutanota? My answer is a BIG NO.
I will continue to use Protonmail (a happy user now for 6 years) and my scoring is:
Protonmail 10, Tutanota 0
Tutanota = AVOID.
Sven,
What are your thoughts on this as for Tutanota being forced by court to have a backdoor; if they lose their appeal? Will they drop in your rankings of best email services, if they are forced by court order? I like Tutanota, and hate to see them lose their appeal. They have been a really good service.
https://techcrunch.com/2020/12/08/german-secure-email-provider-tutanota-forced-to-monitor-an-account-after-regional-court-ruling/
https://www.theregister.com/2020/12/08/tutanota_backdoor_court_order/
Yes we are monitoring this situation and will update recommendations accordingly.
@Sven,
Not sure of all the legaliese, but could they move to Switzerland, Iceland, Virgin Islands, etc. And re-establish?
It would be a bonus to them and whatever country they would go to.
Yes, I would think that is a possibility.
@Sven,
Thanks.
I do not recommend Tutanota at all, at least not an unpaid account. Firstly, I would repeatedly receive spam emails from supposed tutanota admin asking for verification of my account. When I would go to verify, the links very often were broken. I also was often unable to log into my account. Additionally, I would receive emails twice. Secondly, I could not search through my archived emails (which is only an option through premium). All of these inconveniences were worth it, however, as moving away from Gmail and mainstream online services is very important to me. Eventually, however, my email was hacked and as I was going to change my password, I was kicked out of the system and have not been able to log back in since. I have records of the original recovery code and have tried to use it to reset my password, but to no avail. There is no way I could have updated my recover code because I didn’t even know this was an option until this fiasco arose. The Tutanota time has done very little to help me or compensate in any way. They are very difficult to reach and pretty inaccessible. I have switched over to protonmail with which I am very happy. I would recommend avoiding this service.
For those of you with any doubt about the reliability of Tutanota check out their twitter:
https://mobile.twitter.com/TutanotaTeam/status/1296940311420248065?p=v
If you click on any of the tweets you tend to get irritable customers complaining about the downtime.It is sad that a service with such potential continually fails to deliver a reliable service.
Every month for the past year you can guarantee you won’t have access to your emails for at least 24 hours.
As of today, I’m quitting Tutanota. They twitted/blog an article about BLM solidarity. As any smart people would know, BLM is bu****it and it’s sad that tech companies in privacy use that.
Except for the price, it wasn’t very good anyway in terms of android app, always having notifications of emails that I had read on my computer, slow sync, etc..
@Joe,
Agree. This is the third time they have done something like this.
My answer to them because they ignored my email is this, and I hope they read this:
“Show up, shut up, and do your job. If and ONLY IF I want your opinion, I will ask.”
Haha well said.
Companies and entreprises should not be part of politics and surf on the ‘tendance’.. That’s why I despise social networks that have too much influence on people (Instagram to name only one)
I’m trying Protonmail again. The development is unfortunately less active than Tutanota..
Agree. I am proud to say that I have never had and will never have a Fakebook…errr…Facebook account.
Many are shocked at that but, no, I never have. Don’t want one either.
I am using Protonmail and while their development is slower, their stuff works when it comes out. I gave a link to a site to voice what you would like (I believe that link is under the Protonmail review) and it does get views from their developers.
Tutanota could be good. They could do a lot. But maybe I am jaded against them when I was first trying to set up a paid account and what I had to go through with them.
I opened a paid protonmail account for my business. I had a problem and a couple of questions so e-mailed them. It’s been more than 24 hours and I have not heard back anything. Very disappointing customer support. As a paid user and trusting them with my business e-mail accounts, I expect a response within 24 hours. I will be leaving them. A company with poor customer support is not one I am willing to work with.
@Ann,
Are you saying you opened a ProtonMail account, or a Tutanota? Your comment is under tutanota.
I will also say that I am sorry for the time. I am a Visionary Account holder with PM and they usually take a day or two to get back to me as well.
I would also say that if you are sending in requests to their main email, they generate a response that says it is usually very full and takes time. There is a quicker way to get a response, and I have done it a few times. I cannot guarantee a response time, but for me I have gotten a response in less than an hour. The link to that is here: https://protonmail.com/support-form.
Depending on your account level will really depend on their time of response. They will check that off your Username. Hope this helps.
BLM is bullshit if you are never affected by the thing people are protesting about. This comment is hilariously stupid.
A perfect example of Racial Equivocation (Key word here).
I am only going to give you the start and it is up to you to see the truth.
https://christianintellectual.com/racial-equivocation-serpentine-shepherds/
And
https://christianintellectual.com/structural-racism/
They are long reads, but if, and only if, you are willing to see truth, will you read.
Since this site is for the aspect of privacy and security, and Tutanota is supporting a group that believes in neither, our original diologe is pertenant.
However, this is as far as I am going to go out of that stream because it does not flow with the stated purpose. However, I do believe that truth should be declared and that ALL points (and not a predisposed ideological speaking point only) should be given a place.
Truth, objective truth, will always win. Narratives and ideology can only win by the use of force.
This is, by my choice, my only response that will be given and will not reply.
Sorry @Sven. I am being careful not to sidetrack here. Or trying to be.
J.M., my good man… you’re citing a site of one of our fellow Great Apes who claims to know the will of a god.
Truth is that which comports to reality; that so-called ‘intellectual’ source is but a poor man’s sophist.
Still, the point remains: it wasn’t _that_ long ago they removed mention from their website how the founders of BLM were unabashed in braying they’re trained Marxists. Even Bill ‘Sun goes down, Sun comes up; you can’t explain that!’ O’Reilly knows it.
Hi Sven, thanks for the very informative article. I’m still learning about these issues, so please bear with me – how do I exchange a password with someone outside the Tutanota system and still stay anonymous? The Tutanota ‘How To’ says to do it in person or via Signal. I don’t know what Signal is. But I’ve already sent an email to recipients outside Tutanota, and need to send them the password. Thanks!
Yes, this can be tricky. Signal is a secure messenger, like WhatsApp, but more secure and private (see our Signal review). And here’s our roundup of the best secure messengers.
I’m looking to (slowly) transition from Gmail to a private email like Tutanota (probably not 100% but certainly things like bills and receipts). In the interest of privacy, would it be better to use the different aliases Tutanota provides for different services? Like use one alias for Amazon, another for PayPal, another for eBay, etc.? I imagine that way it’d be more difficult to cross-reference between corporate databases, although 5 might not be enough in that case.
Yep, you’ve got the idea.
“Même les e-mails envoyés ou reçus non chiffrés sont stockés chiffrés sur nos propres serveurs basés en Allemagne.”
It’s in the welcome email from them.
It means that even sent email or received emails not encrypted, are encrypted as soon as they are in your mail box on their Germany based servers.