Tuta (formerly Tutanota) is a secure email service run by a small team of privacy enthusiasts in Germany. Although it may not be widely known, Tuta is a serious player among secure email providers. It uses a hybrid encryption system that avoids some of the drawbacks of PGP, and is protected by the GDPR and other pro-privacy EU regulations.
In this new and updated Tuta review, we’ll be posting hands-on test results while sharing our research findings and personal experience in using this email provider for the past few years.
The Tuta team has a strong vision for their product:
In the future Tuta will be the privacy-respecting alternative for Google with a calendar, notes, cloud storage – everything encrypted by default!
That being the case, we’re really going to put Tuta through the wringer to see if they deserve your hard-earned money and attention. Let’s take a look!
- Encrypted messages (including Subject lines), Address Book, Inbox Rules and Filters, and Search Index are all encrypted at rest and stored on German servers
- Can search body of encrypted messages
- Can send encrypted messages to non-users
- Strips IP address from emails
- Desktop, mobile, and web apps
- Open source code (including mobile apps)
- Good apps for mobile devices
- Free accounts with 1 GB of storage
- Encrypted calendar with iCard support
- Encrypted contacts
- Inbox rules with Spam filter
- Multiple email addresses (aliases)
- Support for custom domains and other price+ features
- Discounts and additional support for non-profits
- Two-factor authentication (2FA) support
- Publishes regular Transparency Reports
- Does not work with PGP
- Potential delays with account approval
- Currently no way to import existing emails
- Can be affected by EU’s schizophrenic stance on encryption
- Only accepts credit card or PayPal; no cryptocurrency payments
Tuta features overview
Tuta uses industry-standard end-to-end encryption algorithms for email and other user data. All data is encrypted at rest and only decrypted in your browser or email client. Because it does not use PGP encryption, Tuta also encrypts the subject line of messages. This is a noteworthy difference from some other secure email services, as we discussed in the ProtonMail review.
Additional interesting features of Tuta include:
- Anonymous signup process does not require you to give them a phone number or other personally identifiable information.
- Open source code, including apps.
- Web app and desktop apps for Windows, Mac OS, and Linux.
- Android and iOS mobile apps, with Google-free access to Android app through F-Droid.
- Premium accounts with a range of additional benefits, including a Whitelabel (brandable) Business account.
- The ability to send encrypted emails to non-Tuta users.
- Whitelabel and Secure Connect are supported in paid plans for an additional fee.
- Dark and Light themes.
Tuta launched in 2011 (not long before Edward Snowden began leaking information), and is based in Hanover, Germany.
According to their website:
With its unique open source technology Tutanota fights for privacy and freedom of speech online, allowing everybody including NGOs, journalists and activists to send encrypted emails on desktop and mobile. In addition, Tutanota’s affordable business version enables companies and organisations of all sizes to easily secure their email communication.
Germany has strong privacy laws, including the Bundesdatenschutzgesetz and GDPR. That said, as elsewhere in the West, there is political pressure to reduce personal privacy rights to “counter terrorism”.
In addition, Germany is a member of the 14 Eyes intelligence alliance. This isn’t ideal, but Tuta provides a detailed explanation of the laws that apply to them and the data they may be forced by law to disclose. In recent years, two court cases affirmed that Tuta was not subject to nasty data retention laws that Germany applies to Internet Service Providers (ISPs).
Unfortunately, what the government giveth, the government taketh away. At the end of 2020, a regional court in Germany ignored the previous cases and decided to impose the ISP regulations on Tuta. The court ordered the company to develop a way to monitor an individual’s account. At the time of this review, Tuta is appealing the ruling. And as you will soon see, thanks to this secure email service’s end-to-end encryption, there really is very little point to the court’s ruling.
Tuta technical specifications
Tuta uses a couple of different encryption algorithms to ensure that your messages cannot be read or tampered with:
Tuta uses symmetric (AES 128) and asymmetric encryption (AES 128 / RSA 2048) to encrypt emails end-to-end (E2E). When both parties use Tuta, all emails are automatically end-to-end encrypted (asymmetric encryption). For an encrypted email to an external recipient, a password for encrypting & decrypting the email (symmetric encryption) must be exchanged once. The company suggests doing so using Signal messenger.
On top of its automatic end-to-end encryption, Tuta uses STARTTLS with an extended validation certificate, Perfect Forward Secrecy, DNSSEC, DANE, DMARC, and DKIM to secure your connection to Tuta to the maximum.
Check here for more info on Tuta’s TLS encryption.
Tuta assures users that even they cannot access your inbox, due to the open source encryption standards they use.
AES-128 is more than secure enough for protecting your messages. Reportedly even the fastest computers in the world would need many billions of years to crack AES-128.
Tuta is currently working together with Leibniz University Hanover to make their encryption standards future-proof against quantum computer attacks.
Tuta hands-on testing
We’ve based this Tuta review on the browser-based client. If you decide to stick with Tuta, you can easily upgrade to a paid plan, with similar functionality and more storage, email aliases, and other options.
Signing up for Tuta
Signing up for Tuta goes about the way you would expect. Click the Sign Up button on the website to begin the process.
The first step will be to choose your service plan.
On the Subscription screen, click the red Select button under the plan you want to use. Although I have been using Tuta since 2017, for purposes of this review, I have created a new, Free private account. This is the ideal way to test out the service.
Next you will need to enter your account information. You’ll select an email address using one of the domain names Tuta makes available for free users. You’ll also need to enter a Password, and check all the relevant boxes on the screen, including the one that confirms you are at least 16 years old.
Note that you are not required to give Tuta a phone number or other personally identifiable information. This means you can have a truly anonymous free account. As we’ll see in a moment, Tuta has a process in place to prevent spammers from taking advantage of the service. Unfortunately, that process can be a real headache for regular people.
The last step in this process is to record your 64-character Recovery Code. Tuta doesn’t know your password (or the optional second factor you can set later) so the only way to recover your account if you lose either of these is by using the Recovery Code.
You can copy the code by hand, or click the round Copy or Print buttons. Once you’ve recorded your code, hit Ok and you’ll be ready to log in. Enter your Password and hit the Log in button.
An annoying automated delay
You are probably anxious to get into Tuta and start exploring, but at this point, you may run into that anti-spammer process we mentioned earlier. Your account may be automatically “marked for approval.” This puts a 48-hour hold on your ability to send or receive messages, as you can see below.
As Tuta states in this blog post,
Sometimes accounts are automatically marked for [manual] approval to prevent spammers from signing up. This is often the case when you sign up via Tor or a VPN, for example, because unfortunately spammers like to abuse Tor. In case your account gets marked for approval, you will be able to start using it within 48 hours after registration once it has been approved.
They claim that your account will automatically be approved within 48 hours after registration. However, if your account has not been approved after 48 hours, Tuta recommends you contact Support and give them the email address you are trying to register.
I ran into a problem with this system while working on the first edition of this review. After waiting four days, I contacted Support about the problem, and someone got back to me within minutes. However, the account was not approved until the 5th day. Not ideal.
On a positive note, this manual account approval takes the place of more invasive verification procedures, such as phone verification, which many other email providers use. While the delay was somewhat annoying, I’d still take this over phone verification.
The look and feel of Tuta
Once you click Ok, you will see Tuta’s standard 3-pane layout like most other email programs. Here is a screenshot from our tests:
One feature you may like is the built-in support for a Dark mode, which looks like this:
If you happen to work a lot at night, or just get tired of the glare from the screen, this mode could be for you.
The folder list appears on the left, with messages in the center, and the content of the selected message on the right. A basic set of folders comes pre-defined in the left-most pane, and you can create more at will.
Note: Tuta will automatically switch to a 2-pane view on smaller displays, such as tablets.
Tuta has two-factor authentication
Before you go any further, this would be a great time to enable 2FA. In the leftmost pane, click Settings, then Login. You will see several login-related settings in the middle pane. Scroll down to Second factor authentication and click the plus sign (circled in the following image).
You’ll see the dialog box you need to connect 2FA.
For more details on how to configure the various types of 2FA Tuta supports, visit this help page.
Okay, let’s get back to exploring the Tuta user interface (UI).
Composing, sending, and receiving messages
Composing messages works as you would expect. Click the New email button at the top of the leftmost pane to create a new message. While an early complaint about Tuta was the lack of message formatting commands, today there is a full range of formatting options.
To see the menu of formatting options, click the T icon on the Subject line of the new message (circled in red below).
Click Send (in the top right corner of the message window) to transmit the message.
When you receive messages you open them normally, whether received from a Tuta user or someone else. If a message is from another Tuta user, all the encrypting and decrypting is done automatically in the background.
Like most secure email programs, Tuta blocks images from appearing by default. If a message contains images, you can display them by clicking the icon circled in red at the top right of the message, as you can see here:
So far, so good. But what if you want to send a message to a person who doesn’t use Tuta? This is where things get a bit more complicated.
Sending messages to non-Tuta users
When you are composing a message, Tuta checks to see if the recipient is a Tuta user or not. If not, you have to specify whether you want the message to be sent encrypted or not. If you have this option, Tuta will display a lock icon on the Subject line (circled in red) with a status message.
Clicking the lock icon will cause Tuta to send the message either in the clear (unencrypted), or E2E encrypted.
When sending an encrypted message to a non-Tuta user, you must enter a pre-agreed password that is used for symmetrically encrypting and decrypting the message. Instead of receiving the message in its encrypted form, the recipient will receive a link to view the message.
Note: Sending the password to someone using the same medium of communication (Tuta) that you will use to send encrypted messages to that person is a bad idea. A better way to go would be to use a secure messaging app like Signal Messenger to share the password. Check out our Signal Messenger review to see why this is such a good idea for your situation.
Searching for messages
Tuta has implemented a full text search feature for messages. This is actually a challenging endeavor since the contents of your inbox are stored fully encrypted.
When you enter a term to search for, Tuta will create an encrypted search index. This might take a minute or two depending on the size of your inbox. Like messages and everything else in Tuta, the search index is encrypted at rest. This prevents someone from hacking into your system and spying on you by analyzing the search index.
After the search index is populated, the matching hits (emails) will display below. Tuta’s search feature also gives you the ability to search specific periods of time as well as custom fields (subject, email body, from/to, and attachment name). This is a pretty good system in my opinion.
Comparison: As we noted in the recently updated ProtonMail review, you can now search the body of messages. You can have ProtonMail create an encrypted index of the bodies of emails, which it then searches. This seems very similar to the Tuta approach.
Rules and Filters
Tuta offers both rules and filters for email, but they are pretty basic. Under the Spam rules you can designate individual email addresses as spam (put in the Spam folder), not spam (leave in the Inbox), or discard (send to the Trash folder).
Mailbox rules are more flexible, but are only available as part of paid plans.
Contacts and calendars
Tuta supports both Contacts and Calendars.
These function as you would expect, but it is important to note that all Contacts and Calendars are encrypted when at rest. As we noted earlier, one of the main goals for the Tuta team is for all your data to be encrypted, protecting you from snooping third parties.
The encrypted Tuta calendar looks like this:
You can see the calendar features here.
Tuta mobile apps (Android and iOS)
Tuta has apps for both iOS and Android. I’ve been working with the Android app.
Whereas I had some issues with this app when it first came out, it now functions well. At the time of this Tuta review, the Android app had over 6,600 reviews with a rating of 4.0 out of 5 stars. (Available on F-Droid too) The Tuta iOS app had 343 reviews with a rating of 3.8 out of 5 stars.
Tuta desktop app
Tuta has a desktop client for Windows, Mac OS, and Linux. I’ve been using it for a long time now and it continues to work well, basically giving you all the features of the webmail app, including the encrypted contacts and calendar.
As you can see, the desktop app looks very much like the web app.
Tuta business features
Tuta also offers secure business email accounts designed to let you,
Save time and money by hosting all your business emails end-to-end encrypted on Tuta’s secure servers based in Germany.
Here’s a partial list of the Business Email features currently available:
- Custom email domains with optional catch-all
- The Secure Connect encrypted contact form
- Multi-user support so you can manage all your users yourself
- Scalable shared storage for all your business accounts
- Zero-knowledge full text search of messages and contacts
- A large set of Whitelabel customizations
- Two-Factor Authentication (2FA) available
Secure Connect encrypted contact form
One cool feature for website owners is Tuta’s Secure Connect form. This gives you the ability to incorporate an encrypted contact form that facilitates completely anonymous two-way communication. In May 2019, Tuta launched Secure Connect and made it, “free for news sites so that whistleblowers can get in touch with journalists securely.” Very cool.
Unfortunately, if you don’t meet the criteria to get it free (not a news site) then this feature will cost you €240 per year – certainly not cheap. You can read more about Secure Connect here.
When reviewing email services, we create fresh accounts and go through the setup process as average users.
We’ve contacted Tuta Support numerous times during our years of using the service. In almost all cases, the customer support team has responded to our queries in about one business day – so overall very good.
Tuta plans and pricing
Tuta pricing has grown more complicated over time. They now offer six plans (three Private plans and three Business plans) along with a range of custom options and add-ons. This allows you to create exactly the service you need for your personal or business needs.
At the time of this Tuta review, here is a breakdown of the plans and prices:
- Free Private plan, €0
- Revolutionary plan, €36 yearly, €3.00 monthly
- Legend plan, €96 yearly, €8.00 monthly
- Essential plan, €72 yearly, €6 monthly
- Advanced plan, €96 yearly, €8 monthly
- Unlimited plan, €144 yearly, €12 monthly
Beyond the standard plans you can add more storage (10 GB, 100 GB, 1 TB), and more email aliases (20, 40, 100). As if this wasn’t complicated enough, the company keeps adding useful new features like Whitelabel, Sharing (of calendars), Business (specific features), and Secure Connect to their product. As a result, your best option is to scroll down the Pricing page to the Pricing Calculator and let it give you an exact price for the particular configuration you want.
Note: If you are an NPO (non-profit organization), you may be entitled to a reduced price on Tuta. See here for details.
No cryptocurrency payment options
Unfortunately, Tuta has still not integrated support for cryptocurrency payment options. This has been on their Roadmap for years now. You can donate to them with cryptocurrency, but standard crypto payments are still not an option.
If you want more privacy with payments, you could check out the services listed in our new Ultimate Guide to Private and Anonymous Payment Methods.
If Tuta doesn’t look like the best email service for you, you may want to check out our ProtonMail review. The services are similar, although we like Tuta’s approach to message encryption better since it encrypts the Subject line as well as the body of the message.
That said, either one of these services should be more than sufficient for normal users who want to protect their privacy while using email. Neither service can guarantee you protection against state actors like the NSA or the various domestic intelligence agencies. Nonetheless, they are both secure alternatives to Gmail that respect your privacy.
You can also see our secure email roundup for a list of other providers.
Here are some common questions (and answers) people raise about Tuta.
Is Tuta really secure?
Tuta is certainly more secure than the vast majority of email services. Is it bulletproof? No. No system is, so you have to think about your threat model and decide if any given service is secure enough for your purposes. So let’s take a look at potential weaknesses in Tuta’s security.
There are some cases where Tuta is bound by law to disclose information about you. According to their Transparency Report, between July 1, 2021 and December 31, 2021, Tuta released data to the authorities more than 50 times. Understanding exactly what this means is complicated. If you want the details, you will need to examine the latest Transparency Report and related documents. It is important to note that in some cases, Tuta may be forced to record IP Addresses by a valid court order, as well as the contents of messages that arrive unencrypted at a user’s mailbox.
Note: All email services must abide by the laws in the jurisdiction in which they are based. To have more anonymity when you use Tuta (or any email service), consider using a good VPN service to hide your IP address and encrypt your traffic. We have reviewed many popular options, including NordVPN and Surfshark, ExpressVPN, IPVanish, CyberGhost, and more.
Is Tuta the best secure email service for you?
Is Tuta the best secure email for you? Here is a summary of the factors to consider when switching to a secure email provider, and how they apply to Tutanota:
- Jurisdiction – Tuta is based in Germany and your data is stored there.
- PGP support – Does not support PGP (read about PGP problems).
- Import feature – While it has been discussed for more than a year, Tuta still cannot import email messages. It can import calendar data and contacts.
- Email apps – A web-based client as well as desktop apps for Windows, macOS, and Linux, along with iOS and Android apps.
- Encryption – Emails and attachments can be sent end-to-end encrypted and everything is stored encrypted at rest.
- Features – Includes a built-in calendar and contacts along with full text search of messages.
Can Tuta be traced?
I assume by this question you want to know if your use of Tuta can be traced. They don’t track you in any way. They don’t post targeted ads in your mailbox. They also don’t log your IP address (unless forced to), or even require you to enter any personal information (no phone number, no email address). So Tutanota isn’t tracking or tracing what you do.
Your email, contacts, and calendar are all encrypted, so no one, not even Tuta, can read them. Right now, Tuta is battling German court demands to spy on one specific email account. Even if the company loses this battle, all they can do is monitor future unencrypted mail coming to the account. They literally have no way to decrypt encrypted messages, regardless of how hard some judge pushes them.
In other words, there is little anyone can do to trace you in Tuta.
Tuta review conclusion
Tuta is a strong choice for anyone who wants a secure email service for general use. While the service itself provides strong security, for maximum security, you can use the mobile apps, or access the browser-based app through a secure web browser. Additionally, you can add another layer of protection by using one of the best VPN services.
While Tuta may not get as much attention as some other email providers, we believe it is a market leader in the secure email space, if not the best option available for serious users. Check it out here, or see some of our other secure email reviews to investigate other options:
This Tutanota review was last updated January 19, 2024.