Tutanota Review

Tutanota is a secure email service run by a small team of privacy enthusiasts in Germany. Although it may not be widely known, Tutanota is a serious player among secure email providers. It uses a hybrid encryption system that avoids some of the drawbacks of PGP, and is protected by the GDPR and other pro-privacy EU regulations.

In this new and updated Tutanota review, we’ll be posting hands-on test results while sharing our research findings and personal experience in using this email provider for the past few years.

The Tutanota team has a strong vision for their product:

In the future Tutanota will be the privacy-respecting alternative for Google with a calendar, notes, cloud storage – everything encrypted by default!

That being the case, we’re really going to put Tutanota through the wringer to see if they deserve your hard-earned money and attention. Let’s take a look!

Tutanota features overview

Tutanota uses industry-standard end-to-end encryption algorithms for email and other user data. All data is encrypted at rest and only decrypted in your browser or email client. Because it does not use PGP encryption, Tutanota also encrypts the subject line of messages. This is a noteworthy difference from some other secure email services, as we discussed in the ProtonMail review.

Additional interesting features of Tutanota include:

• Anonymous signup process does not require you to give them a phone number or other personally identifiable information.
• Open source code, including apps.
• Web app and desktop apps for Windows, Mac OS, and Linux.
• Android and iOS mobile apps, with Google-free access to Android app through F-Droid.
• Premium accounts with a range of additional benefits, including a Whitelabel (brandable) Business account.
• The ability to send encrypted emails to non-Tutanota users.
• Whitelabel and Secure Connect are supported in paid plans for an additional fee.
• Dark and Light themes.

Tutanota launched in 2011 (not long before Edward Snowden began leaking information), and is based in Hanover, Germany.

According to their website:

With its unique open source technology Tutanota fights for privacy and freedom of speech online, allowing everybody including NGOs, journalists and activists to send encrypted emails on desktop and mobile. In addition, Tutanota’s affordable business version enables companies and organisations of all sizes to easily secure their email communication.

Germany has strong privacy laws, including the Bundesdatenschutzgesetz and GDPR. That said, as elsewhere in the West, there is political pressure to reduce personal privacy rights to “counter terrorism”.

In addition, Germany is a member of the 14 Eyes intelligence alliance. This isn’t ideal, but Tutanota provides a detailed explanation of the laws that apply to them and the data they may be forced by law to disclose. In recent years, two court cases affirmed that Tutanota was not subject to nasty data retention laws that Germany applies to Internet Service Providers (ISPs).

Unfortunately, what the government giveth, the government taketh away. At the end of 2020, a regional court in Germany ignored the previous cases and decided to impose the ISP regulations on Tutanota. The court ordered the company to develop a way to monitor an individual’s account. At the time of this review, Tutanota is appealing the ruling. And as you will soon see, thanks to this secure email service’s end-to-end encryption, there really is very little point to the court’s ruling.

Tutanota technical specifications

Tutanota uses a couple of different encryption algorithms to ensure that your messages cannot be read or tampered with:

Tutanota uses symmetric (AES 128) and asymmetric encryption (AES 128 / RSA 2048) to encrypt emails end-to-end (E2E). When both parties use Tutanota, all emails are automatically end-to-end encrypted (asymmetric encryption). For an encrypted email to an external recipient, a password for encrypting & decrypting the email (symmetric encryption) must be exchanged once. The company suggests doing so using Signal messenger.

On top of its automatic end-to-end encryption, Tutanota uses STARTTLS with an extended validation certificate, Perfect Forward Secrecy, DNSSEC, DANE, DMARC, and DKIM to secure your connection to Tutanota to the maximum.

Check here for more info on Tutanota’s TLS encryption.

Tutanota ensures users that even they cannot access your inbox, due to the open source encryption standards they use.

AES-128 is more than secure enough for protecting your messages. Reportedly even the fastest computers in the world would need many billions of years to crack AES-128.

Tutanota is currently working together with Leibniz University Hanover to make their encryption standards future-proof against quantum computer attacks.

Tutanota hands-on testing

We’ve based this Tutanota review on the browser-based client. If you decide to stick with Tutanota, you can easily upgrade to a paid plan, with similar functionality and more storage, email aliases, and other options.

Signing up for Tutanota

Signing up for Tutanota goes about the way you would expect. Click the Sign Up button on website here to begin the process.

The first step will be to choose your service plan.

On the Subscription screen, click the red Select button under the plan you want to use. Although I have been using Tutanota since 2017, for purposes of this review, I have created a new, Free private account. This is the ideal way to test out the service.

Next you will need to enter your account information. You’ll select an email address using one of the domain names Tutanota makes available for free users. You’ll also need to enter a Password, and check all the relevant boxes on the screen, including the one that confirms you are at least 16 years old.

Note that you are not required to give Tutanota a phone number or other personally identifiable information. This means you can have a truly anonymous free account. As we’ll see in a moment, Tutanota has a process in place to prevent spammers from taking advantage of the service. Unfortunately, that process can be a real headache for regular people.

The last step in this process is to record your 64-character Recovery Code. Tutanota doesn’t know your password (or the optional second factor you can set later) so the only way to recover your account if you lose either of these is by using the Recovery Code.

You can copy the code by hand, or click the round Copy or Print buttons. Once you’ve recorded your code, hit Ok and you’ll be ready to log in. Enter your Password and hit the Log in button.

An annoying automated delay

You are probably anxious to get into Tutanota and start exploring, but at this point, you may run into that anti-spammer process we mentioned earlier. Your account may be automatically “marked for approval.” This puts a 48-hour hold on your ability to send or receive messages, as you can see below.

As Tutanota states in this blog post,

Sometimes accounts are automatically marked for [manual] approval to prevent spammers from signing up. This is often the case when you sign up via Tor or a VPN, for example, because unfortunately spammers like to abuse Tor. In case your account gets marked for approval, you will be able to start using it within 48 hours after registration once it has been approved.

They claim that your account will automatically be approved within 48 hours after registration. However, if your account has not been approved after 48 hours, Tutanota recommends you contact Support and give them the email address you are trying to register.

I ran into a problem with this system while working on the first edition of this review. After waiting four days, I contacted Support about the problem, and someone got back to me within minutes. However, the account was not approved until the 5th day. Not ideal.

On a positive note, this manual account approval takes the place of more invasive verification procedures, such as phone verification, which many other email providers use. While the delay was somewhat annoying, I’d still take this over phone verification.

The look and feel of Tutanota

Once you click Ok, you will see Tutanota’s standard 3-pane layout like most other email programs. Here is a screenshot from our tests:

One feature you may like is the built-in support for a Dark mode, which looks like this:

If you happen to work a lot at night, or just get tired of the glare from the screen, this mode could be for you.

The folder list appears on the left, with messages in the center, and the content of the selected message on the right. A basic set of folders comes pre-defined in the left-most pane, and you can create more at will.

Note: Tutanota will automatically switch to a 2-pane view on smaller displays, such as tablets.

Tutanota has two factor authentication

Before you go any further, this would be a great time to enable 2FA. In the leftmost pane, click Settings, then Login. You will see several login-related settings in the middle pane. Scroll down to Second factor authentication and click the plus sign (circled in the following image).

You’ll see the dialog box you need to connect 2FA.

For more details on how to configure the various types of 2FA Tutanota supports, visit this help page.

Okay, let’s get back to exploring the Tutanota user interface (UI).

Composing, sending, and receiving messages

Composing messages works as you would expect. Click the New email button at the top of the leftmost to create a new message. While an early complaint about Tutanota was the lack of message formatting commands, today there is a full range of formatting options.

To see the menu of formatting options, click the T icon on the Subject line of the new message (circled in red below).

Click Send (in the top right corner of the message window) to transmit the message.

When you receive messages you open them normally, whether received from a Tutanota user or someone else. If a message is from another Tutanota user, all the encrypting and decrypting is done automatically in the background.

Like most secure email programs, Tutanota blocks images from appearing by default. If a message contains images, you can display them by clicking the icon circled in red at the top right of the message, as you can see here:

So far, so good. But what if you want to send a message to a person who doesn’t use Tutanota? This is where things get a bit more complicated.

Sending messages to non-Tutanota users

When you are composing a message, Tutanota checks to see if the recipient is a Tutanota user or not. If not, you have to specify whether you want the message to be sent encrypted or not. If you have this option, Tutanota will display a lock icon on the Subject line (circled in red) with a status message.

Clicking the lock icon will cause Tutanota to send the message either in the clear (unencrypted), or E2E encrypted.

When sending an encrypted message to a non-Tutanota user, you must enter a pre-agreed password that is used for symmetrically encrypting and decrypting the message. Instead of receiving the message in its encrypted form, the recipient will receive a link to view the message. Here’s what that looks like:

Note: Sending the password to someone using the same medium of communication (Tutanota) that you will use to send encrypted messages to that person is a bad idea. A better way to go would be to use a secure messaging app like Signal Messenger to share the password. Check out our Signal Messenger review to see why this is such a good idea for your situation.

Searching for messages

Tutanota has implemented a full text search feature for messages. This is actually a challenging endeavor since the contents of your inbox are stored fully encrypted.

When you enter a term to search for, Tutanota will create an encrypted search index. This might take a minute or two depending on the size of your inbox. Like messages and everything else in Tutanota, the search index is encrypted at rest. This prevents someone from hacking into your system and spying on you by analyzing the search index.

After the search index is populated, the matching hits (emails) will display below. Tutanota’s search feature also gives you the ability to search specific periods of time as well as custom fields (subject, email body, from/to, and attachment name). This is a pretty good system in my opinion.

Comparison: As we noted in the recently updated ProtonMail review, you can now search the body of messages. You can have ProtonMail created an encrypted index of the bodies of emails which it then searches. This seems very similar to the Tutanota approach.

Rules and Filters

Tutanota offers both rules and filters for email, but they are pretty basic. Under the Spam rules you can designate individual email addresses as spam (put in the Spam folder), not spam (leave in the Inbox), or discard (send to the Trash folder).

Mailbox rules are more flexible, but are only available as part of paid plans.

Contacts and calendars

Tutanota supports both Contacts and Calendars.

These function as you would expect, but it is important to note that all Contacts and Calendars are encrypted when at rest. As we noted earlier, one of the main goals for the Tutanota team is for all your data to be encrypted, protecting you from snooping third parties.

The encrypted Tutanota calendar looks like this:

You can see the calendar features here.

Tutanota mobile apps (Android and iOS)

Tutanota has apps for both iOS and Android. I’ve been working with the Android app.

Whereas I had some issues with this app when it first came out, it now functions well. At the time of this Tutanota review, the Android app had over 6,600 reviews with a rating of 4.0 out of 5 stars. (Available on F-Droid too) The Tutanota iOS app had 343 reviews with a rating of 3.8 out of 5 stars.

Tutanota desktop app

Tutanota has a desktop client for Windows, Mac OS, and Linux. I’ve been using it for a long time now and it continues to work well, basically giving you all the features of the webmail app, including the encrypted contacts and calendar.

As you can see, the desktop app looks very much like the web app.

Tutanota business features

Tutanota also offers secure business email accounts designed to let you,

Save time and money by hosting all your business emails end-to-end encrypted on Tutanota’s secure servers based in Germany.

Here’s a partial list of the Business Email features currently available:

• Custom email domains with optional catch-all
• The Secure Connect encrypted contact form
• Multi-user support so you can manage all your users yourself
• Scalable shared storage for all your business accounts
• Zero-knowledge full text search of messages and contacts
• A large set of Whitelabel customizations
• Two Factor Authentication (2FA) available

Secure Connect encrypted contact form

One cool feature for website owners is Tutanota’s Secure Connect form. This gives you the ability to incorporate an encrypted contact form that facilitates completely anonymous two-way communication. In May 2019, Tutanota launched Secure Connect and made it, “free for news sites so that whistleblowers can get in touch with journalists securely.” Very cool.

Unfortunately, if you don’t meet the criteria to get it free (not a news site) then this feature will cost you €240 per year – certainly not cheap. You can read more about Secure Connect here.

Tutanota support

When reviewing email services, we create fresh accounts and go through the setup process as average users.

We’ve contacted Tutanota Support numerous times during our years of using the service. In almost all cases, the customer support team has responded to our queries in about one business day – so overall very good.

Tutanota plans and pricing

Tutanota pricing has grown more complicated over time. Today, they now offer six plans (three Private plans and three Business plans) along with a range of custom options and add-ons. This allows you to create exactly the service you need for your personal or business needs.

At the time of this Tutanota review, here is a breakdown of the plans and prices

• Free Private plan, €0
• Premium Private plan, €12 yearly, €1.20 monthly
• Teams Private plan, €48 yearly, €4.80 monthly

• Premium Business plan, €24 yearly, €2.40 monthly
• Teams Business plan, €60 yearly, €6 monthly
• Pro Business plan, €84 yearly, €8.40 monthly

Beyond the standard plans you can add more storage (10 GB, 100 GB, 1 TB), and more email aliases (20, 40, 100). As if this wasn’t complicated enough, the company keeps adding useful new features like Whitelabel, Sharing (of calendars), Business (specific features), and Secure Connect to their product. As a result, your best option is to scroll down the Pricing page to the Pricing Calculator and let it give you an exact price for the particular configuration you want.

Note: If you are an NPO (non-profit organization), you may be entitled to a reduced price on Tutanota. See here for details.

No cryptocurrency payment options

Unfortunately, Tutanota has still not integrated support for cryptocurrency payment options. This has been on their Roadmap for years now. You can donate to them with cryptocurrency, but standard crypto payments are still not an option.

If you want more privacy with payments, you could check out the services listed in our new Ultimate Guide to Private and Anonymous Payment Methods.

Tutanota alternatives

If Tutanota doesn’t look like the best email service for you, you may want to check out our ProtonMail review. The services are similar, although we like Tutanota’s approach to message encryption better since it encrypts the Subject line as well as the body of the message.

That said, either one of these services should be more than sufficient for normal users who want to protect their privacy while using email. Neither service can guarantee you protection against state actors like the NSA or the various domestic intelligence agencies. Nonetheless, they are both secure alternatives to Gmail that respect your privacy.

You can also see our secure email roundup for a list of other providers.

Tutanota FAQ

Here are some common questions (and answers) people raise about Tutanota.

Is Tutanota really secure?

Tutanota is certainly more secure than the vast majority of email services. Is it bulletproof? No. No system is, so you have to think about your threat model and decide if any given service is secure enough for your purposes. So let’s take a look at potential weaknesses in Tutanota’s security.

The browser and desktop Tutanota apps rely on JavaScript for encryption and decryption. Using JavaScript for these functions is generally considered to be less secure than other approaches. Using a secure browser when using the web app version of Tutanota will help here. You can also use the mobile apps which should be a bit more secure than the others.

There are some cases where Tutanota is bound by law to disclose information about you. According to their Transparency Report, between July 1, 2021 and December 31, 2021, Tutanota released data to the authorities more than 50 times. Understanding exactly what this means is complicated. If you want the details, you will need to examine the latest Transparency Report and related documents. It is important to note that in some cases, Tutanota may be forced to record IP Addresses by a valid court order, as well as the contents of messages that arrive unencrypted at a user’s mailbox.

Note: All email services must abide by the laws in the jurisdiction in which they are based. To have more anonymity when you use Tutanota (or any email service), consider using a good VPN service to hide your IP address and encrypt your traffic. We have reviewed many popular options, including NordVPN and Surfshark, ExpressVPN, IPVanish, CyberGhost, and more.

Is Tutanota the best secure email service for you?

Is Tutanota the best secure email for you? Here is a summary of the factors to consider when switching to a secure email provider, and how they apply to Tutanota:

• Jurisdiction – Tutanota is based in Germany and your data is stored there.
• PGP support – Does not support PGP (read about PGP problems).
• Import feature – While it has been discussed for more than a year, Tutanota still cannot import email messages. It can import calendar data and contacts.
• Email apps – A web-based client as well as desktop apps for Windows, macOS, and Linux, along with iOS and Android apps.
• Encryption – Emails and attachments can be sent end-to-end encrypted and everything is stored encrypted at rest.
• Features – Includes a built-in calendar and contacts along with full text search of messages.

Can Tutanota be traced?

I assume by this question you want to know if your use of Tutanota can be traced. They don’t track you in any way. They don’t post targeted ads in your mailbox. They also don’t log your IP address (unless forced to), or even require you to enter any personal information (no phone number, no email address). So Tutanota isn’t tracking or tracing what you do.

Your email, contacts, and calendar are all encrypted, so no one, not even Tutanota, can read them. Right now, Tutanota is battling German court demands to spy on one specific email account. Even if the company loses this battle, all they can do is monitor future unencrypted mail coming to the account. They literally have no way to decrypt encrypted messages, regardless of how hard some judge pushes them.

In other words, there is little anyone can do to trace you in Tutanota.

Tutanota review conclusion

Tutanota is a strong choice for anyone who wants a secure email service for general use. While the service itself provides strong security, for maximum security, you can use the mobile apps, or access the browser-based app through a secure web browser. Additionally, you can add another layer of protection by using one of the best VPN services.

While Tutanota may not get as much attention as some other email providers, we believe it is a market leader in the secure email space, if not the best option available for serious users. Check it out here, or see some of our other secure email reviews to investigate other options:

ProtonMail Review
Mailfence Review
Mailbox.org Review
Hushmail Review
Posteo Review
Fastmail Review
Runbox Review
CTemplar Review

This Tutanota review was last updated May 1, 2022.