Are your emails and attachments safe from prying eyes?
Unless you are using a secure email service that respects your privacy, the answer is probably no. Most large email providers, such as Gmail and Yahoo, do not respect the privacy of your inbox. For example,
- Gmail was caught giving third parties full access to user emails and also tracking all of your purchases.
- Advertisers have been allowed to scan Yahoo and AOL accounts to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.”
- Yahoo has been caught scanning emails in real-time for US surveillance agencies.
While Gmail does allow users to opt out of some invasive features, the basic business model of these services revolves around data collection.
Big-name email services put lots of money into security, but they are also large targets and not invulnerable. In March, the big news was the ease with which hackers were able to compromise thousands of Microsoft Exchange email servers. You might well be safer using a smaller, less well-known email service.
Another concern is where your email service is located and how this may affect your data and privacy. Some jurisdictions have laws to protect data privacy (Switzerland), while others have laws in place to erode it (the US and Australia). We’ll cover this in more detail below.
On a positive note, there is a relatively simple solution for keeping your inbox more secure: switch to a secure email provider that respects your privacy.
What is the best secure email service in 2022?
With so many different types of users, there is no single “best secure email” service that will be the top choice for everyone.
While some may prioritize maximum security and strong encryption, others may want convenience and simplicity with user-friendly apps for all devices.
Here are just a few factors to consider when switching to a secure email provider:
- Jurisdiction – Where is the service located and how does this affect user privacy? Where is your data physically stored?
- PGP support – Some secure email providers support PGP, while others do not use PGP due to its vulnerabilities and weaknesses.
- Import feature – Can you import your existing emails and contacts?
- Email apps – Due to encryption, many secure email services cannot be used with third-party email clients, but some also offer dedicated apps.
- Encryption – Are the emails end-to-end encrypted in transit? Are emails and attachments encrypted at rest?
- Features – Some features you may want to consider are contacts, calendars, file storage, inbox search, collaboration tools, and support for DAV services.
- Security – What are the provider’s security standards and policies?
- Privacy – How does the email service protect your privacy? What data is being collected, for how long, and why?
- Threat model – How much privacy and security do you need and which service best fits those needs?
The goal of this guide is to help you find the best secure email solution for your unique needs.
This list is not in rank order. (Choose the best secure email service for you based on your own unique needs!)
Here are the most secure email providers that protect your privacy.
1. Mailfence – Fully-featured secure email in Belgium
Based in | Belgium |
Storage | 5-50 GB |
Price | €2.50/mo. |
Free Tier | Up to 500 MB |
Website | Mailfence.com |
Mailfence is a fully-featured secure email provider offering calendar and contacts functionality, file storage, and PGP encryption support. It is based in Belgium, which is a good privacy jurisdiction with strict data protection laws.
For those wanting full PGP control and interoperability, without plugins or add-ons, Mailfence is a solid choice. Whether you are a personal user or you need a secure email solution for your business or team, Mailfence likely has all the features and options you’d want.
While many secure email services sacrifice features and functionality for security, you can have it all with Mailfence. This makes Mailfence a great alternative to full email and productivity suites, such as G Suite or Office 365.
In testing everything out for the Mailfence review, I found it to work very well with an intuitive design, slick layout, and tons of features. Mailfence also offers email and phone support, in addition to cryptocurrency payment options.
+ Pros
- Offers end-to-end encryption and digital signatures
- Mobile and web apps
- Data is stored on Belgian servers
- Offers OpenPGP encryption
- Messages, Documents, Calendar, Contacts, and Groups
- SMTP, POP, and IMAP support
- Can synchronize with other email clients
- Supports password-protected messages with expiration time
- Removes IP addresses from mail headers
- OpenPGP user keystore
- Great user interface (recently updated)
- Cryptocurrency payment options
– Cons
- Logging of IP address and some other data
- Code is not open source
Website: https://Mailfence.com
See our Mailfence review for more info.
2. Tutanota – Private and secure email in Germany
Based in | Germany |
Storage | 1 – 1,000 GB |
Price | €1.00/mo. |
Free Tier | Up to 1 GB |
Website | Tutanota.com |
Tutanota is a Germany-based secure email service run by a small team of privacy enthusiasts, with no outside investors or owners. Although it is not as widely known as ProtonMail, Tutanota is a serious player among secure email providers. Its hybrid encryption system overcomes some of the drawbacks of PGP, and your privacy rights are protected by the GDPR and other pro-privacy EU regulations.
Note: Tutanota claims that their encryption can be updated/strengthened if necessary against quantum-computer attacks.
All messages in your inbox, contacts, and calendar are encrypted at rest on servers in Germany. For sending encrypted emails with Tutanota, you have two options:
- Emailing another Tutanota user, which encrypts everything automatically (asymmetric encryption)
- Emailing an external (non-Tutanota) user with a link to the message and sharing a password key for encrypting/decrypting messages (symmetric encryption).
While Tutanota uses high encryption standards and is arguably one of the most secure email providers anywhere, it also comes with some tradeoffs. This includes no support for PGP, IMAP, POP, or SMTP. Additionally, you cannot import existing emails into your encrypted Tutanota inbox.
To explain why Tutanota does not rely on PGP standards, Tutanota cofounder Matthias Pfau wrote this piece for Restore Privacy readers, Let PGP Die: Why We Need a New Standard for Email Encryption.
If you are looking for a transparent, high-security email provider run by a team of privacy enthusiasts, Tutanota is a solid choice.
+ Pros
- Messages (including subject lines), address book, inbox rules and filters, and search index are encrypted at rest and stored on German servers
- Can search body of encrypted messages
- Can send encrypted messages to non-users
- Strips IP address from emails
- Desktop, mobile, and web apps
- Open source code (including mobile apps)
- Great apps for mobile devices
- Free accounts with 1 GB of storage
- Encrypted calendar with iCard support
- Encrypted contacts
- Inbox rules with Spam filter
- Multiple email addresses (aliases)
- Support for custom domains and other price+ features
- Discounts and additional support for non-profits
- Publishes regular Transparency Reports
– Cons
- Does not work with PGP
- Currently no way to import existing emails
- Based in a 14 Eyes country (Germany)
- Only accepts credit card or PayPal; no cryptocurrency payments
Website: https://Tutanota.com
See our Tutanota review for more info.
3. ProtonMail – Secure email in Switzerland
Based in | Switzerland |
Storage | 5-20 GB |
Price | $4.00/mo. |
Free Tier | Up to 500 MB |
Website | ProtonMail.com |
UPDATE: ProtonMail was forced by a Swiss court to log user IP addresses for a specific criminal complaint. Get more info in our article on the ProtonMail logging case here.
ProtonMail is a Switzerland-based email service that enjoys a great reputation in the privacy community. It was started by a team of academics working at MIT and CERN in 2014. Shortly thereafter, it was promoted in American media as “the only email system the NSA can’t access” – which was around the time Lavabit was shut down for not cooperating with the US government.
Looking at the service itself, ProtonMail does a lot of things right. It utilizes PGP encryption standards for email and stores all messages and attachments encrypted at rest on Swiss servers. ProtonMail has a unique feature for “self-destructing messages” and they have also added address verification and full PGP support.
Regarding encryption, however, it’s important to note that ProtonMail does not encrypt subject lines of emails or certain metadata, inherent limitations of the PGP standard. Most of the email services we discuss here use PGP, but I wouldn’t count on any of them to keep me safe from the NSA or their counterparts in other major countries.
Additionally, the ProtonMail search function can only search subject lines within your inbox, but not the actual content of your emails. This is another functional limitation that comes from integrating more encryption and security into the service.
ProtonMail does offer some great apps for mobile devices (Android and iOS). You can also use ProtonMail with third-party apps through the ProtonMail Bridge feature (restricted to paid users).
Overall ProtonMail is a well-regarded email provider and should be a great secure email option for most users. Switzerland remains a strong privacy jurisdiction that is not a member of any surveillance alliances.
In addition to email, the same team also offers a VPN service, which we have tested for the ProtonVPN review.
+ Pros
- End-to-end (E2E) and zero-access encryption for Email, Calendar, and Contact information
- Operates under Swiss jurisdiction
- All data stored on servers in Switzerland
- Apps for Android and iOS mobile devices
- Web client, encryption algorithms, Android and iOS code are all open source
- Support for custom domains
- Strips IP address from emails
- Can be used with third-party email clients through the ProtonMail Bridge feature
- Can import contacts and emails
– Cons
- ProtonMail does not encrypt email subject lines
- Sometimes requires personal information for verification of new accounts
- Above-average pricing
- Incredibly long beta test cycles
- May be forced to log user IP addresses by court order
Website: https://ProtonMail.com/
See our ProtonMail review for more info.
4. Mailbox.org – Private email in Germany
Based in | Germany |
Storage | 2 – 100 GB |
Price | €1.00/mo. |
Free Tier | None |
Website | Mailbox.org |
Another Germany-based secure email provider worth considering is Mailbox.org. Not only does it protect your email with top-end security protocols, Mailbox.org is a full-featured email and productivity suite, similar to Office 365. It offers a huge lineup of features: Mail, Calendar, Address Book, Drive (cloud storage), Tasks, Portal, Text, Spreadsheet, Presentation, and Webchat. Despite all the features, the layout and design of Mailbox.org still manages to be user-friendly.
When choosing a secure email provider, you often have to choose between features and security. With Mailbox.org, you can arguably get the best of both worlds. From the security and encryption side, Mailbox.org offers full PGP support and options to easily encrypt all your data at rest on their secure servers in Germany. You can also use Mailbox.org with mobile apps and third-party email clients.
Lastly, Mailbox.org is very affordable, with basic plans starting at only €1 per month and going up for more storage and features. You can pick up a free 30-day trial if you want to test-drive this privacy-focused email provider.
+ Pros
- PGP support (server-side or E2E through Mailvelope app)
- Company and servers located in Germany with strong privacy protections
- HSTS and PFS for messages in transit
- Protected against man-in-the-middle attacks
- Message and spam filters
- Virus protection
- Full text search
- POP, IMAP, SMTP, ActiveSync support
- vCard, CardDAV, CalDAV support
- Messages are encrypted at rest
- Supports custom domains
- Mobile apps for some of the Office features
- Open source
– Cons
- No mobile email clients (but can be used with third-party email clients)
- Some tracking during registration
- PGP encryption leaves message subject and metadata exposed
Website: https://Mailbox.org/
Check out our Mailbox.org review for more details.
5. Posteo – Privacy-focused email in Germany
Based in | Germany |
Storage | 2 – 20 GB |
Price | €1.00/mo. |
Free Tier | None |
Website | Posteo.de |
Posteo is yet another German email provider that offers a high level of privacy and security for its users. In some respects, it has much in common with Mailbox.org. Both are fully-featured email providers that utilize PGP encryption standards, with similar prices. But in a few key areas, Posteo is a bit different:
- Custom domains are not supported.
- There is no spam folder (all emails are either delivered to your inbox or rejected).
- There’s no trial or free tier (but still quite affordable).
In terms of privacy, Posteo really makes an effort to protect its users. IP addresses are automatically stripped from emails, no logs are kept, and they offer strong encryption standards. In short, this email service takes security and privacy very seriously.
Posteo also supports completely anonymous registration and anonymous payments – even allowing you to send cash in the mail for no digital trail. (We see this trend with VPN services as well.) And if you pay with a credit card, PayPal, or some other digital method, they manually separate account details from payment info.
+ Pros
- Mail, Calendar, Contacts, and Notes are encrypted at rest with OpenPGP on secure servers in Germany
- Configurable spam filter
- Migration service for moving from another email service to Posteo
- Subject, headers, body, metadata, and attachments are encrypted
- Includes Messages, Calendar, Contacts (Address Book), and Notes
- Completely Open Source
- Strong commitment to privacy, sustainable energy, and other social initiatives
- Self-financed; good track record (operating since 2009)
- No logs, IP address stripping, secure email storage with daily backups
- Allows anonymous (cash) payments
- Supports SMTP, POP, and IMAP protocols
– Cons
- Custom domains not supported; no “.com” options available
- No spam folder (spam emails are either rejected or delivered to regular inbox)
- Germany is a 14 Eyes country
- No trial or free version
- Cryptocurrency payments not supported
Website: https://Posteo.de/
See the Posteo review for more info.
6. Runbox – Private and sustainable email in Norway
Based in | Norway |
Storage | 2 – 50 GB |
Price | $1.31/mo. |
Free Tier | 30 day trial |
Website | Runbox.com |
Runbox is a long-running private email service in Norway that has been operating for over 20 years. Norway is also a good jurisdiction with a strong legal framework for privacy. All Runbox servers are located in secure Norwegian data centers, running on clean, renewable, hydropower energy.
One unique feature of Runbox is that it gives you 100 aliases to use with your account. Secure file storage is also included, with different pricing tiers. Runbox fully supports SMTP, POP, and IMAP protocols and can be used with third-party email clients. This year they released Runbox 7, which is a webmail client, but they do not offer custom mobile or desktop clients.
Unlike some other secure email providers, Runbox does not have a built-in option for encrypting your entire mailbox. And while you can use PGP with Runbox, it is not yet built into the platform. Another drawback is that Runbox does not offer a built-in calendar, but this feature may be included in Version 7 (when released).
Runbox offers 30 day free trials and makes importing your existing emails simple with the guides on their site.
+ Pros
- IP addresses stripped from messages
- Includes Webmail, Contacts, and Files
- Servers run on renewable energy
- Supports SMTP, POP, and IMAP protocols
- Synchronizes with other email clients
- GDPR compliant
- Norway has strong data protection laws
- 100 email aliases per mailbox
- Custom domain names on some paid accounts
- Numerous payment methods accepted (including cash and cryptocurrencies)
– Cons
- Browser-based; no desktop or mobile apps
- Not open source
- Data not encrypted within the Runbox system or at rest
- No business-specific features
Website: https://Runbox.com
Check out our Runbox review here.
7. CounterMail – Private and secure Swedish email service
Based in | Sweden |
Storage | 4 GB+ |
Price | $4.83/mo. |
Free Tier | 7 day free trial |
Website | CounterMail.com |
Next up on our list is CounterMail, a secure email provider based in Sweden. CounterMail has been operating for over 10 years with a philosophy to “offer the most secure online email service on the Internet, with excellent free support.” CounterMail uses OpenPGP encryption with 4,096-bit encryption keys. CounterMail also protects users from identity leaks and Man-In-The-Middle attacks with RSA and AES-CBC encryption on top of SSL.
They also keep no logs and store your mail on diskless servers to protect user privacy. CounterMail anonymizes email headers and also strips the sender’s IP address. All emails and attachments are stored encrypted at rest using OpenPGP on servers in Sweden.
While CounterMail is a bit more expensive than some other secure email providers, they explain this price difference comes from using only high-quality servers and implementing strong security measures. It may not have all the frills, but CounterMail is a serious security-focused email provider with a 10+ year track record.
+ Pros
- Supports cryptocurrency payments
- Secure, built-in password manager
- All emails and attachments stored encrypted on no-logs, secure servers in Sweden
- Custom domain support
- Message filter and autoresponder features
- Uses RSA, AES-CBC, and SSL encryption to protect against leaks and MITM attacks
– Cons
- Design and UI feels outdated
- More expensive than other secure email options
Website: https://CounterMail.com
8. Kolab Now – Fully-featured Swiss email
Based in | Switzerland |
Storage | 2 GB+ |
Price | $5.47/mo. |
Free Tier | 30 day trial |
Website | KolabNow.com |
Based in Switzerland, Kolab Now is a private email service offering lots of features and full email suite functionality. A Kolab Now subscription includes email, contacts, calendar, scheduling, collaboration/sharing tools, and cloud file storage. Right now they are running a public beta of their voice and videoconferencing system. All of the features and options make Kolab Now an excellent choice for business users, teams, and privacy-focused individuals.
While Kolab Now offers numerous features and support for all major operating systems and devices, it does not offer as much encryption for those who want the highest levels of security. End-to-end encryption for emails is not built-in and emails are not stored encrypted at rest.
The price is also on the higher end, especially if you want access to all features and more storage. However, for those wanting a feature-rich email suite hosted in Switzerland, Kolab Now may be a good fit.
+ Pros
- Accepts cryptocurrency payments
- Full support for POP, SMTP, and IMAP
- Switzerland jurisdiction with strong privacy protection
- Full email suite with numerous features to replace Gmail, Office365, etc.
- Support for custom domains, teams, and business users
- End-to-end (E2E) encryption is available, but not built in
– Cons
- Email not encrypted at rest (but stored in high-security Swiss data center)
- Expensive
Website: https://KolabNow.com
9. StartMail – Private email hosted in The Netherlands
Based in | The Netherlands |
Storage | 10-20 GB |
Price | $5.00/mo. |
Free Tier | 7 day trial |
Website | StartMail.com |
StartMail is a secure email service brought to you by the team behind Startpage, a private search engine based in the Netherlands. While there was surprising news about System1 investing in Startpage, StartMail is its own unique entity under StartMail B.V. – a company operating under Dutch law in The Netherlands.
The Netherlands is a good jurisdiction for privacy and StartMail aims to keep as little data as possible to run their operations (see privacy policy). Unlike most secure email providers, StartMail handles encryption server-side, rather than in the browser – see their white paper explaining why.
StartMail allows users to utilize PGP encryption with emails also being encrypted at rest on their Dutch servers. One cool feature with StartMail is they give you the ability to create temporary, disposable email addresses “on the fly” to use with different services. IMAP and SMTP are also supported if you want to use StartMail with third-party apps such as Thunderbird.
+ Pros
- Can create temporary, disposable email addresses
- Accepts cryptocurrency payment
- IMAP and SMTP support; can use custom domains
- Headers and IP address stripped from all emails
- Accounts come with 10 GB file storage
– Cons
- No custom mobile apps
- Not open source
- Higher prices
Website: https://www.StartMail.com
10. Soverin – Basic private email in the Netherlands
Based in | The Netherlands |
Storage | 25 GB |
Price | €3.25/mo. |
Free Tier | No |
Website | Soverin.net |
Soverin provides a basic and private email service at a reasonable price. Plans come with 25 GB of storage and custom domains are supported. All data is stored on servers in Germany. Soverin strips IP addresses from headers while also using strong encryption standards, although email is not stored encrypted at rest by default.
For those wanting a basic private email with lots of storage that is protected by European privacy laws, Soverin may be a good choice. It can also be used with third-party email clients and importing old emails is relatively simple.
+ Pros
- 25 GB of data storage for all plans
- Data protected under Dutch privacy laws and GDPR
- Can be used with third-party email clients
– Cons
- No custom mobile apps
- Not open source
- No built-in encryption options
Website: https://Soverin.net
11. Thexyz – A fully-featured private email service in Canada
Based in | Canada |
Storage | 25-100 GB |
Price | $2.95/mo. |
Free Tier | No |
Website | www.Thexyz.com |
Another privacy-focused email service worth noting is Thexyz. It is a secure email and web hosting business based in Canada that offers solutions for businesses and private users. The email arm of Thexyz has been operating since 2009, as explained on the about page. While Canada may not be the best jurisdiction for privacy (Five Eyes), this may not be too concerning depending on your needs and threat model.
Thexyz does offer some great privacy and security features. Accounts come with encrypted cloud storage as well as contacts, calendar, and team collaboration tools. All emails are stored encrypted at rest using AES 256-bit encryption, with double geo-location redundancy. With a basic account, you get unlimited aliases and 25 GB of storage (upgradable to 100 GB). Even with all the perks and features, Thexyz is still very affordable at $2.49/mo with the premium webmail plan.
+ Pros
- Great applications and user interface
- Email encrypted at rest with 256-bit AES
- Subscriptions include calendar, contacts, chat, and encrypted cloud storage
- Unlimited aliases; emails can include up to 50 MB attachments
- Support for custom domains
- Autoresponder, spam filters, and incoming email filtering
- Apps for iOS and Android
- Accounts come with 25 GB of email storage (upgradable to 100 GB)
– Cons
- Based in Canada (not the best privacy jurisdiction)
- Support for end-to-end email encryption is not built-in
Website: https://www.thexyz.com
Worth mentioning
Aside from the secure email services we discussed above, we are also keeping our eye out for new services emerging into this niche.
CyberFear Anonymous Email
CyberFear is an anonymous e-mail service in Poland that has caught our attention. It does not serve ads or log IP addresses, while also offering full encryption on par with our other recommendations. Here is an overview of CyberFear:
- End-to-end encryption of emails and metadata
- At rest, all of the following email elements are encrypted: email body, subject line, attachments, sender address, recipient address
- Anonymous registration with only username and password
- No IP logs
- Offshore servers (Poland)
- Cryptocurrency payments supported
- TOR support (Onion address is cyberfear4hlcsac.onion)
- Disposable aliases
- Custom domains supported
- No external scripts nor captchas
- PGP support
- Sending encrypted emails outside (will require password to decrypt)
- Option to host CyberFear frontend on your own computer
- Push notifications
- Open source frontend (and backend coming soon)
So far, CyberFear is looking good. You can learn more on their website here.
Email jurisdiction and data privacy
Where your email service is located (jurisdiction) can seriously impact the security of your data. Depending on your threat model, this could be a major consideration. For an overview of jurisdiction and privacy, you may want to read our article on the Five/9/14 Eyes surveillance alliances.
Here are some reasons to pay attention to jurisdiction.
United States (leading member of the Five Eyes)
Tech companies in the US can be forced to give government agencies direct access to their servers for “extensive, in-depth surveillance on live communications and stored information” – as explained in the PRISM surveillance program. Data requests can also be accompanied by gag orders, which forbid the company from disclosing what’s going on (see also National Security Letters).
There are a few known cases of US email providers being forced to give up data. In one prominent example, Lavabit decided to shut down the business rather than give up user data. Another US email provider, Riseup, was also forced to give up data to authorities.
“After exhausting our legal options, Riseup recently chose to comply with two sealed warrants from the FBI, rather than facing contempt of court (which would have resulted in jail time for Riseup birds and/or termination of the Riseup organization).
“There was a “gag order” that prevented us from disclosing even the existence of these warrants until now. This was also the reason why we could not update our “Canary” [warrant canary that warns users about these events].”
Germany (member of the 14 Eyes)
While Germany has long been a rock-solid jurisdiction for privacy-focused tech companies, I’ve noticed some troubling trends recently:
- In January 2019, a German court ruled that Posteo must log IP addresses if required by a valid court order. Posteo explained they would not change their system to log all users’ IP addresses, but would comply for specific users, if ordered by a German court.
- In November 2019, a German court ruling forced Tutanota to provide real-time access to unencrypted emails for specific users targeted by a court order. As Tutanota explained, only unencrypted messages sent after the court order was received would be affected.
Europe in General
Once again politicians in Europe are trying to find an excuse to limit or ban the use of encryption by their people. This time around, the argument is that encryption must be banned to fight child abuse. Once again it is up to tech companies including Tutanota and Mailfence to protect the privacy rights of the populace. In April, a group of companies sent an open letter to the European Parliament arguing against the mass surveillance that the elimination of encryption would be meant to enable.
How this will turn out is unclear, but the possibility of the EU banning encryption casts doubts on the viability of any secure email service based in the EU.
We’ll let you know what happens with this.
All email providers must comply with the law
While these examples may seem alarming, the truth is that all email providers must comply with legal requirements in the country they are operating in. For example, ProtonMail, a Switzerland email provider, has also been forced to log IP addresses and disable accounts by valid court orders, as they disclose in their transparency report.
(Note: If you are concerned about your email service logging your IP address, then simply use a good VPN service.)
Considering everything, some jurisdictions are much better than others, so choose wisely. As a general rule, I’d still avoid email services in the US, and perhaps other Five Eyes jurisdictions.
Want secure email? Pay for it.
The unlimited “free” email business model is fundamentally flawed. It offers a free service, which is used to collect data and thereby monetize the user and make money on ads. With these privacy-abusing “free” services, you are actually paying for the product with your data.
In contrast, here we recommend privacy-friendly, secure, ad-free email services. While some of these private email services offer limited free subscriptions, you will need to upgrade to a paid plan for more storage and premium features (the freemium business model).
Support good privacy businesses
Fortunately, you can “vote with your dollars” by supporting these privacy-respecting businesses and upgrade to paid accounts. This will help secure email providers to grow, improve, and serve more people with an ethical business model that does not rely on exploiting their users’ data.
Secure email shortcomings and PGP flaws
Most secure email solutions mentioned in this guide utilize PGP for end-to-end encrypted email. PGP stands for Pretty Good Privacy and was invented back in 1991 by Phil Zimmermann.
PGP flaws – While PGP is considered a trustworthy, secure encryption method, there have been some flaws in implementing PGP that have made headlines recently – see also the EFAIL vulnerabilities.
While the news did attract lots of attention, the “flaws” were mainly limited to the incorrect implementation of PGP by third parties. To my knowledge, this did not affect the secure email providers mentioned in this guide.
Limited Use – Another fundamental problem with adopting secure email is that few people are willing to go through the hassle of PGP key management, encryption, decryption, etc. There are some solutions to this, however, and by some measures encrypted email usage continues to grow.
Many providers address this issue by making encryption automatic and seamless. Tutanota, for example, uses built-in AES encryption that automatically encrypts emails between Tutanota users, including headers, subject line, body, and attachments. They also provide a secure, two-way communication contact form called Secure Connect.
Vulnerabilities – Even when using a secure browser, there are still vulnerabilities to consider with browser-based email clients. Phil Zimmermann gave an interview highlighting some of these shortcomings:
“The browser is not a terribly safe place to run code. Browsers have a large attack surface,” he said. Wherever encryption and decryption take place, though, it’s a vast improvement on no encryption. But even encrypting messages may not be enough, depending on the threat model. The very nature of email makes it vulnerable.
“Email has an enormous attack surface,” Zimmermann said. “You’ve not only got cryptographic issues but you’ve got things like spam and phishing and loading images from a server somewhere that might have things embedded inside.”
On a positive note, however, there are many options for securing and hardening your browser – see the secure browser and Firefox privacy guides. Furthermore, most secure email providers offer protection against these attack vectors by blocking email images by default while also utilizing virus filters.
Keep in mind, however, that non-browser email clients can also be problematic – potentially revealing unique information about your operating system (user agent) as well as your IP address and location.
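An added illustration (not code from this guide or from any provider) of the PGP limitation and the header exposure discussed above: it parses two constructed PGP/MIME messages with Python's standard `email` module and lists what remains readable without the private key. All addresses, hostnames, the `ExampleMail` client string and the `known_relays` parameter are assumptions made for the example.

```python
import email
import ipaddress
import re
from email import policy

# Constructed headers shared by both samples (documentation-only names and IPs).
COMMON = (
    "From: Alice <alice@sender.example>\n"
    "To: Bob <bob@recipient.example>\n"
    "Subject: Contract draft for review\n"
    "Date: Tue, 04 Jan 2022 10:15:00 +0000\n"
    "MIME-Version: 1.0\n"
)
# Constructed PGP/MIME (RFC 3156) body; the armored block is a placeholder.
PGP_MIME = (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";\n'
    '\tboundary="b1"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
    "--b1\nContent-Type: application/octet-stream\n\n"
    "-----BEGIN PGP MESSAGE-----\n\n[placeholder, not real ciphertext]\n"
    "-----END PGP MESSAGE-----\n--b1--\n"
)
# Hop added when the sender's provider hands the mail to the recipient's server.
RELAY_HOP = (
    "Received: from smtp.sender.example (smtp.sender.example [198.51.100.7])\n"
    "\tby mx.recipient.example with ESMTPS; Tue, 04 Jan 2022 10:15:03 +0000\n"
)
# Sample 1: the provider records the submitting client in the headers.
LEAKY = (
    RELAY_HOP
    + "Received: from [203.0.113.45] (laptop.home.example [203.0.113.45])\n"
    "\tby smtp.sender.example with ESMTPSA; Tue, 04 Jan 2022 10:15:01 +0000\n"
    "X-Originating-IP: [203.0.113.45]\n"
    "User-Agent: ExampleMail/1.0 (X11; Linux x86_64)\n"
    + COMMON + PGP_MIME
)
# Sample 2: the provider strips the client hop and client-software header.
STRIPPED = RELAY_HOP + COMMON + PGP_MIME
# Assumption: addresses known to belong to the provider's own mail servers.
PROVIDER_RELAYS = ("198.51.100.7",)

IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def _ips(text):
    """Return the distinct, valid IP literals found in square brackets."""
    found = []
    for candidate in IP_IN_BRACKETS.findall(text):
        try:
            ip = str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
        if ip not in found:
            found.append(ip)
    return found


def exposed_metadata(raw, known_relays=()):
    """List what anyone handling the message can read without the PGP key."""
    msg = email.message_from_string(raw, policy=policy.default)

    def header(name):
        value = msg.get(name)
        return str(value) if value is not None else None

    # Each server prepends its Received header, so the last one is the earliest
    # hop: the one that saw the sender's own device.
    received = msg.get_all("Received", [])
    origin = _ips(str(received[-1])) if received else []
    xoip = header("X-Originating-IP")
    if xoip:
        bracketed = "[" + xoip.strip(" []") + "]"
        origin += [ip for ip in _ips(bracketed) if ip not in origin]

    pgp_mime = (
        msg.get_content_type() == "multipart/encrypted"
        and msg.get_param("protocol") == "application/pgp-encrypted"
    )
    return {
        "body_encrypted": pgp_mime,
        "subject": header("Subject"),
        "sender": header("From"),
        "recipient": header("To"),
        "client_software": header("User-Agent") or header("X-Mailer"),
        "client_ips": [ip for ip in origin if ip not in known_relays],
    }


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("stripped", STRIPPED)):
        print(label)
        for field, value in exposed_metadata(raw, PROVIDER_RELAYS).items():
            print(f"  {field}: {value}")
```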
Regardless of these limitations, using a secure email provider will help keep large tech companies from harvesting your email data for third parties.
Secure email vs secure messaging apps
Depending on your threat model, you may also want to consider using secure messaging apps, which do not have all of the vulnerabilities discussed above with email.
We have tested many different encrypted and secure messaging apps and compiled a list of our favorites. Here are a few reviews of some of the best options we’ve tested:
Encrypted messaging apps generally offer a higher level of security over email, plus they are much easier to use than PGP email encryption.
Finally, encrypted messaging apps are also convenient for back-and-forth conversations, document sharing, and collaboration with others. For more information, check out our roundup guide on the best secure messaging apps.
Always use a good VPN with email
One fundamental problem with email is that it can expose your IP address and location to third parties, by design.
While some secure email services strip IP addresses and conceal metadata, many others do not. And as we saw with the ProtonMail logging case, email services may be forced to log user IP addresses by valid court orders, without disclosing any information to the user. We’ve seen this with email providers in the US, Germany, and even Switzerland.
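As an added example (not part of the original guide), the Python script below checks what a delivered message reveals about the sender's IP address and mail client, the two exposures described above. Both sample messages are constructed and use documentation-range addresses; the script handles IPv4 only, and the function and variable names are this example's own.

```python
import email
import ipaddress
import re

# Address ranges that do not point to a location on the public internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
CLIENT_HEADERS = ("User-Agent", "X-Mailer")  # headers that name the mail client

# Constructed sample: provider keeps the client's address and mail client.
LEAKY = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbound.example.org with ESMTPS; Tue, 10 May 2022 09:14:03 +0000
Received: from [192.168.1.23] (host-203-0-113-45.isp.example [203.0.113.45])
\tby mx.example.net with ESMTPSA; Tue, 10 May 2022 09:14:01 +0000
X-Originating-IP: [203.0.113.45]
User-Agent: Mozilla Thunderbird 91.9.0 (X11; Linux x86_64)
From: alice@example.net
To: bob@example.org
Subject: test

hello
"""

# Constructed sample: provider replaces the client hop and drops client headers.
STRIPPED = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbound.example.org with ESMTPS; Tue, 10 May 2022 09:14:03 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mx.example.net with ESMTPA; Tue, 10 May 2022 09:14:01 +0000
From: alice@example.net
To: bob@example.org
Subject: test

hello
"""


def find_ips(text):
    """Return every syntactically valid IPv4 address found in text."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:  # e.g. 999.1.1.1
            continue
    return found


def audit(raw_message):
    """Report sender-side details that the recipient can read from the headers."""
    msg = email.message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    sources = []
    if hops:
        # Each server prepends its own Received header, so the LAST one is the
        # first hop; its "from ..." clause describes the submitting client.
        sources.append(re.split(r"\s+by\s+", hops[-1], maxsplit=1)[0])
    sources.extend(msg.get_all("X-Originating-IP") or [])

    public, local = set(), set()
    for text in sources:
        for ip in find_ips(text):
            is_local = any(ip in net for net in LOCAL_NETS)
            (local if is_local else public).add(str(ip))
    software = {h: msg[h] for h in CLIENT_HEADERS if msg[h]}
    return {"public_ips": sorted(public), "local_ips": sorted(local),
            "client_software": software}


if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("stripped", STRIPPED)):
        print(name, audit(raw))
```

To test a provider, send yourself a message and run `audit()` on the raw source as received. A public address in the first hop is only a leak if it matches your own current IP, since some providers show their outbound server there instead.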
Finally, there’s also the fact that many email services keep logs for security, which may include user IP addresses, connection times, and other metadata. Of course, whenever you have logs, this data could end up with third parties (for various reasons).
To effectively conceal your IP address and location, you will need to use a good VPN (Virtual Private Network) service.
A VPN creates a secure tunnel between your device and a VPN server, encrypting your traffic and concealing your real IP address and location. The VPN will encrypt and anonymize your internet traffic, while you carry on with business as usual. Some of the larger providers, such as NordVPN and Surfshark, offer apps for all major operating systems and devices, along with large server networks around the world.
Due to the security and privacy benefits a VPN offers, it’s a smart idea to use one whenever you’re online. Internet providers in many countries are recording user browsing history by logging DNS requests. Depending on local laws, this information could then be sold to advertisers or handed to government agencies in countries with mandatory data retention laws. With a VPN, your DNS requests are encrypted and handled by the VPN server and unreadable to your ISP or other parties.
For more info, see these best VPN services.
Conclusion on secure and private email services in 2022
Whatever your situation is, using a secure and private email provider is a smart step to protect your data. Gmail, Yahoo, Microsoft, and the other big email players do not place the highest priority on your privacy. Paying for a good email service that values privacy ensures you aren’t paying with your personal data.
Once you switch to one of these email services you will be much more secure. Then all you need to do is avoid non-technical attacks, like the typical email scams that never seem to go away.
See the main privacy tools guide for other privacy and security essentials.
We also have a guide on encrypting email.
And if you want more info on these secure email providers, you could check out the reviews below:
- ProtonMail Review
- Tutanota Review
- Mailfence Review
- Mailbox.org Review
- Hushmail Review
- Posteo Review
- Fastmail Review
- Runbox Review
Have you used one of these secure email providers? Feel free to leave your feedback/review of the service below.
This secure email guide was last updated on May 10, 2022.
I am very angry! CTemplar is a good product, open source, in Iceland and on F-droid. I don’t trust Switzerland anymore because of the terrorism law last year. Anyone can be considered a terrorist by the Swiss authorities. So ProtonMail, no thank you!
I hope CTemplar will move to another country because this story stinks of government… But for the moment, I think I will change to Tutanota.
Today, I tried to create an account at Tutanota. It’s impossible with a VPN or TOR. On Android, the app doesn’t work because Android System Webview is not updated… Privacy with Tutanota? HAHAHA!
Mailfence not open source; Mailbox with some tracking; Posteo no cryptocurrency payment; etc. All the email services above are liars about privacy. Only with CTemplar, I didn’t have those problems!!!
I am not tech savvy, but I do try to avoid email as much as possible and stick with Signal as my message app of choice. Sadly, emails appear to be a necessary evil and in the spirit of compartmentalization I like to have a few email accounts.
Whilst my threat model doesn’t include any govt agencies I still want to avoid mass surveillance. I am looking for an email service to complement Disroot and Tutanota, since the upcoming closure of CTemplar.
Protonmail seems the obvious choice, however I have 1 question that I am hoping someone smarter than me can answer. Whilst the service is based in Switzerland, which is a great country for privacy, I am of the understanding they have offices in the USA. So my question is, does the location of these offices bind Protonmail to USA jurisdiction?
I know it’s on the cards and I am interested in the deep dive of Swisscows email when you get around to it.
Keep up the good work, this site is a wealth of knowledge.
“So my question is, does the location of these offices bind Protonmail to USA jurisdiction”
Answer: No, ProtonMail only falls under Switzerland jurisdiction, where it legally operates, although it (and any other company) can have offices and employees around the world, without affecting the company’s jurisdiction.
Thank you kindly
Why is CTemplar shutting down?
I don’t know why and it does not appear that they have provided any clear answers, other than announcing they will be closing down. Here is the official announcement and discussion on reddit:
https://old.reddit.com/r/ctemplar/comments/uc9hfi/closing_notice/
Flashback to 2013: The owner/operator of Lavabit email abruptly shut down the service after getting pressured by the US gov to hand over encryption keys.
https://www.theguardian.com/commentisfree/2014/may/20/why-did-lavabit-shut-down-snowden-email
CTemplar is shutting down.
https://ctemplar.com/ctemplar-is-shutting-down/
MAJOR ANNOUNCEMENT:
CTemplar is shutting down!
https://ctemplar.com/ctemplar-is-shutting-down/
I am sorry to see this go this way. They had been very responsive for my needs and helped me out a lot on many things. I am sorry to see them go this way.
Wonderful survey, Sven Taylor! Thank you for founding and operating RestorePrivacy!
I belong to a world religion that remains largely clueless about the need for online security, particularly email.
How would you weigh the pros and cons of choosing a secure email service (plus other services: VPN, secure messaging, secure chat rooms, online conferencing) versus setting up one or more of these services in-house through the IT department based at the world centre or possibly distributed around the world?
I’d tend to favor professional services that have the experience and expertise in their chosen field, rather than rolling out my own solution, but that’s just me…
I’m 80+ and was forced here because my checking account was emptied. I traced the source to my Hushmail account. They allow me to view current account openings and listed their IP address.
I want an encrypted email for financial and online buying. I have obtained a security key for online service that supports FIDO2. My search for Secure Email leaves me without understanding.
Do both ends of email require the same service? Can I send a message to someone on Gmail that they can open and read? The more I search Secure Email, I begin to think it is for private messaging between two with the same apps.
Thanks for any help
George
Hi George, the answer to your question depends. If you are using services like ProtonMail or Tutanota that utilize built-in encryption, then emails between other users (on the same email service) will be automatically encrypted. But an email to a different service, such as a Gmail account for example, would not be end-to-end encrypted. However, if you want to go through the hassle of managing PGP keys and emailing other people who are also managing PGP keys, then you could go that route with an email service that supports PGP encryption. But most people you interact with probably are not managing PGP keys and will not want to start.
Tip: I’d recommend brushing up on how to create a secure password and also secure password managers. In many cases where accounts are breached, the same (or similar) password is used across different services. Attackers can breach one website, and then crack user accounts across different services. Having a secure and unique password for every single website/service will greatly increase your security, regardless of which email service you use. And then, a secure password manager, such as Bitwarden, will help you safely manage all of those secure passwords.
If you haven’t done so already, creating new, secure passwords for all of your online accounts would be a good first step. Enabling two-factor authentication on these accounts will also help.
Sven Taylor,
I have over 50 different PWs, using letters, numbers and symbols 12 or more characters long.
Manually managed on a flash drive and printed for use. Bitwarden indicates that my PWs are strong and will take centuries to crack. I use Edge to manage PWs.
After reading Password Managers – “Everything You Need to Know” I compromised my strong password with Edge pw manager. My paid email account was not secure. Duckduckgo Search engine is good, but the links I go to are not.
I appreciate your thoroughness of covering a subject. You seem to have a genuine love of privacy.
After studying your many articles and other linked articles, I think I have enough understanding to choose “Tutanota Email,” “Bitwarden password manager” and “VPN.ac” with my “Yubi Security Key” for a more private experience. I hope to use the Yubi Key for all three.
Bitwarden uses identifiers that are foreign to me. (Enter the domain name, free SSL certificate, environment file, Docker Hub, Triggers tab, containers.) I don’t think that I need all of that info entered. I can get a lot of instructions on the various uses, but have been unable to find a simple instruction that allows me to add my most used website that I want to use, one by one.
Thank you for sharing your knowledge.
George
Sounds like a good plan, George, good luck!
thexyz is the worst experience I ever had…
This is the worst experience I ever had with setting up e-mail. Tried signing up for their so-called “premium” e-mail service. Payment seemed to go through but when I tried logging in my account was tagged as “pending.” Tried their online chat system to try and determine what was going on. Had to wait for 20-30 minutes before someone finally answered. But Lucy could not help in any way apart from assuring me she would mark the matter a priority. She didn’t seem too confident that would help since she also advised me to open a support ticket which I did. The next morning the issue was still not resolved. I decided there might have been a payment issue since when I entered credit card info my computer had auto-filled certain blanks which I had to correct (I have 2 credit cards and I suspected data from the 2 might have gotten mixed). I went into my account and entered correct details for the card I meant to use, making it the default card, thinking that might resolve the issue but it didn’t. When I later tried to check whether they’d answered my support ticket I was greeted by a message that they had banned my IP! What?! I opened a new chat session to ask what the hell was going on with this but got no answer for the 40 minutes I waited before needing to leave. They finally sent me an e-mail “response” stating they’ve “become more picky” about who they allow to be their customers! Can you believe this?! What an outrage! And meantime they have details for 2 of my credit cards in their system. These people are dishonest crooks and no one should ever do business with them. I hope their company dies a slow and painful death. Imbecileiots. Avoid at all costs! Meantime they have the gall to send me e-mails asking me to “let them know about the quality of my experience” – right, when you’ve blocked my IP and closed my account?
Is it too soon to tell if they charged you any money?
I have a solution 100% private and 100% anonymous. However it’s not for everybody, weaklings and addicted zombies, please stay away from this post.
If you stay out of the digital world, you are 100% private and 100% anonymous…
No phone, no connection, live the real life outside of the matrix…
I totally agree with that idea so I applaud your comments. Problem is, in this day and age it is basically impossible to do so as many state organizations in the US are turning to this platform and forcing the public’s hand if they should need to use their services. It’s sad but it’s so.
Still, thanks for sharing. 🙂
I don’t know if anyone was aware of this, but last year Tutanota was ordered by a German court to allow police to monitor a customer’s incoming and outgoing unencrypted emails as part of an investigation law enforcement was conducting on a blackmail case. It was originally thought to have been a decision to mandate a backdoor, but turned out to be otherwise.
https://www.hackread.com/encrypted-email-provider-tutanota-backdoor-service/
Yep, we discussed that a bit before with regard to their transparency report, I believe in the Tutanota review. It’s important to keep in mind these are targeted court orders against specific individuals who have gotten the attention of law enforcement, rather than blanket mandates affecting all Tutanota users. Either way, not a very reassuring situation though.
There are obviously many people who would love to jump to a more secure, private email service, but many could not take the leap for a variety of reasons. Therefore, for those who want to keep their web-based email accounts with web-based services, like GMail, there is a solution.
Mailvelope is a free, open source add-on or extension (for Chrome and Firefox browsers) people can use that will provide end-to-end encryption for people’s existing email address. I have used Mailvelope before jumping to ProtonMail and it is pretty good! Though it is recommended to avoid using your browser to access email, for those that do, Mailvelope is a good solution to help keep your emails secure.
https://mailvelope.com/en
I see Swisscows email is now available. Can we get a critique?
The guys behind this website are super busy so a review may take a while. Care to outline why you like it? Is the email service open source?
Great article.
You have missed out Mutant Mail.
They are making a lot of headway.
Are they open source? Why do you like them?
There are services available so that emails can be forwarded anonymously to your email address and when you reply I believe they will use your alias too. They’re also available for use on my platforms as well.
1) SimpleLogin – https://simplelogin.io/
2) AnonAddy – https://anonaddy.com/
AnonAddy supports GPG or OpenPGP encryption.
So, Sven, on the whole, given what we know about the pros and cons regarding email apps that live on your phone vs email clients you need to open in a secure browser, which is preferable? It’s maybe mostly a question of which of the two are you most concerned about, the email app having greater insight into your whole OS, or the emails you open that can more easily track you when you open them in a browser? Come to think of it, even from inside an app, they will open in an outside browser….
I really don’t know how technically these things work, who gets to see/track what, where and when.
(I did notice though that Criptext, contrary to Tutanota, will only work with a JavaScript enabled browser, which kind of makes me feel better about Tuta)
“regarding email apps that live on your phone vs email clients you need to open in a secure browser”
I’m the wrong guy to ask about privacy with mobile devices to be honest. I avoid mobile devices as much as possible and am not up on the latest privacy trends/tips with mobile, but someone else may chime in here.
try “fairmail” only in mobile
Quick question about Criptext – someone ne ruined that it has been “ruined by sketchy characters” or something like that. I looked for more about this online but came up empty. Is this for real, and what’s the problem?
Thanks
By the way, I just discovered there’s another Matt here. Maybe I should change to Matt2?
I’m not tech savvy and would like to know if I can copy folders and/or emails from my current email provider to a new one?
This can be challenging, and the exact answer is different for every email provider.
Sven’s right, can vary between providers and servers. Typically each email has its own three-letter filename extension, like *.eml for example.
In a lot of cases, most aggregate mail compilers (like Thunderbird, a corollary to Firefox) and providers themselves typically have an “import” function (Thunderbird Menu/Tools/Import) which will then import “everything” (like emails, settings, attachments, contacts, filters, folders) and place them within T-Bird for viewing.
Likewise “export” (or “download”) to a special folder on your system (usually they hide it so it’s not easily erased/amended).
The problem lies with “converting” the three letter filename extension exclusive to the original provider. Ditto contacts: *.vcf –or– *.vcards
….luckily, many platforms use *.eml, but you generally can’t determine attachments except by size of the particular email…open it in an email aggregator (like T-Bird, Outlook, GMail, Eudora) can usually solve that problem.
In a lot of cases, one can determine (by the size of the downloaded file) whether it has a pic attachment or not (most pics are from 200 – 900 kbs). I just select the filters on top of columns in downloaded mail folder to the “size” (of document), and open those up individually, typically your photo editor will open it as a pic.
Fortunately, you can go online for converters, which can convert within the browser for individual files, or download the software to convert [*.eml—> to *.emix (Apple) *.pbx (Outlook)].
Hope that helps
ProtonMail has an Easy Switch function. It seems to be what you are talking about
I am an average and completely tech-stupid person. All I need is a personal email for banking, paying credit cards online, amazon email, communicating with friends and family, etc. I don’t really understand encryption other than it is safer. I don’t want to have to run another program, or ask friends and family to do so, to “read” my emails. (And maybe you don’t have to do that with encrypted emails…I don’t know because I am too stupid to understand it….really!) I have used yahoo for 18 or so years with no issues at all, then all of a sudden I’m getting 50+ spams a day that are coming into my regular inbox. I’m over it. What do you recommend for a paid service for me? I’ve read this and other articles and it’s overwhelming and I still don’t understand which one I can use that is simple, where other people can read (my emails) without extra work. Sorry for the long explanation/question and I hope it makes sense! Thank you 🙂
I’d recommend checking out Mailfence for your situation.
I will do that. Thank you so much!!
Hi Lisa,
You might want to look into Privacy.com for credit card and online shopping. I am definitely not a Tech or Privacy expert, but maybe one of the real experts here would be kind enough to lend a hand, or opinion. Good Luck.
Oh dear, is that available in the US? I’m not sure what the price is…is that euros? (told you I’m not that smart)
Yes it is available to anyone, anywhere. It’s free with 500 MB of data, and after that (for more space), it’s still pretty cheap.
CTemplar, for all of the rough edges, seems to be a very responsive company.
I was not sure about them at first, but every issue I have had, they responded very quickly, professionally, and accurately on fixing the issues.
Do know it is not the smoothest or most polished service, but they have been good in helping me.
Potentially looking at cyberfear as an email service. Any thoughts on them?
Been using cyberfear for over 10 months now, server only down once. Happy with them, hope they will be in business for a long time.
Is source routing possible for POP and SMTP access?
My meaning is, a client has a fixed IP and only the users should be accessing the mail gateway for sending and receiving, with a firewall permit:
#allow-IP=203.33.xxx.x#
#deny-IP>≉<203.33.xxx.x#
thx
It would be really helpful if you could put the email services with their features into an online spreadsheet- so we can compare features in a side-by-side manner. Great Article! Thank you.
That would be awesome!
Great article. How about Fastmail? Are they secure?
Here is the Fastmail review.
sekur.com
never heard of it?
no review on your site!
That’s correct, we have not yet reviewed sekur.com email.
Excellent article on the best secure email providers with pros and cons. I’ve been using the RMail services for years, which provides the free plan and starts from $7 only.
RMail specializes in elegantly easy to use email encryption for privacy and compliance, e-signatures, legal e-delivery proof, secure file sharing, email impostor protection, document rights management, and AI-infused services to prevent data leaks and human e-security errors.
question. And which Linux from is safe to use? Which distribution is free? thanks.
A good starting question is, What do you want from Linux? Plug and play, full customization?
Location? Desktop looks?
As for free, most are (Red Hat is one exception).
I would suggest checking out distrowatch.com.
I have used Mint, Zorin, AntiX, PureOS, and Spark Linux.
So help us by telling us what you want Linux for.
What about a secure email client to manage my emails in one app interface? Do you have any thoughts or recommendations? I would rather have something like that than the default email management apps that come on my computer and phone. Thanks.
Thunderbird
What about Swiss Cows’ new secure email, or their secure messaging program, are they good? I found them while using their secure search, one of your site’s recommendations. Thanks.
We’ll check them out in the coming months.
I would like to introduce you to: Infomaniak Email Service
The all-in-one email experience from Infomaniak, developed and hosted in Switzerland that is advertising-free and privacy-friendly. You get 20 GB for mails and 15 GB for your documents and photos with free access to kDrive. It also has a contacts management and a calendar. Also Infomaniak is a local company that’s strongly committed to a sustainable economy and listening to its customers. Infomaniak doesn’t finance its free services by selling your personal data either.
Check it out! [https://www.infomaniak.com/en/free-email]
Any comments from the author?
Infomaniak requires not only your name, but also telephone number and address!
https://www.infomaniak.com/en/legal/confidentiality-policy
Too bad they don’t take privacy as seriously as they do carbon capture.
https://www.infomaniak.com/en/ecology
Sure, I can understand that. But the point with “Too bad they don’t take privacy as seriously as they do carbon capture.” is not true. They require a lot of data when registering, but they are not sold in any case. Ultimately, everyone must decide for themselves who they trust and who not. I love Infomaniak’s services.
Thank you for this.
I’ve used this service yet the email was hacked and password changed!
If I may make a suggestion, could you also look at the ability to export emails and add that to your pro and cons list. Not all of these providers support exporting “your” email messages from the free tier. For me personally that is a big deal when using a free tier, because I like to have full control over my messages.
I know that e.g. ProtonMail supports that, but Mailfence and Tutanota don’t.