There have been numerous privacy scandals with large email providers over the past few years, prompting many to look for the best secure email that respects user privacy.Here are just a few examples of how some “free” email services are violating your privacy and selling you out to third parties:
- Gmail was caught giving third parties full access to user emails.
- Advertisers are allowed to scan Yahoo and AOL accounts to “identify and segment potential customers by picking up on contextual buying signals, and past purchases”.
- Declassified documents from the PRISM surveillance program reveal that Apple, Microsoft, Yahoo, Google, and AOL give US surveillance agencies unilateral access to their servers to perform “extensive, in-depth surveillance on live communications and stored information”.
- Yahoo was also caught scanning emails in real-time for US surveillance agencies in 2016.
If you are using one of these popular, “free” email providers, you are likely getting sold out to advertisers and surveillance agencies without your consent, or the ability to “opt out”. Fortunately there is a simple solution: switch to a secure email provider that respects your privacy.
The best option for email is hosting your own, though there are others which I talk about here, they aren't the best, probably the only one I would recommend is Tutanota, problem is they don't offer IMAP/POP3/SMTP integration, but if you can get along without it then they are the best option. With so many different types of users, there is no single “best secure email” service that will be the top choice for everyone. While some may prioritize maximum security and strong encryption, others may want convenience and simplicity with user-friendly apps on all their devices. Therefore this list is not in rank order because the “best” secure email service will be different for each user. Here are just a few prerequisites to consider when switching to a secure email provider:
- Location – Where is the service located and how does this affect user privacy? Where is your data physically stored?
- PGP support – Some secure email providers support PGP, while others do not use PGP due to its vulnerabilities and weaknesses.
- Import feature – Can you import your existing emails and contacts?
- Email apps – Due to encryption, many secure email services cannot be used with third-party email clients, but some also offer dedicated apps.
- Encryption – Are the emails end-to-end encrypted in transit? Are emails and attachments encrypted at rest?
- Features – Some features you may want to consider are contacts, calendars, file storage, inbox search, collaboration tools, and support for DAV services.
- Security – What are the provider’s security standards and policies?
- Privacy – What data is being collected, for how long, and why?
- Threat model – How much privacy and security do you need and which service best fits those needs?
Whatever your situation is, using a secure email provider is a smart step to take in protecting your data.
The goal of this guide is to help you find the best secure email solution for your unique needs. So let’s get started!
Tutanota - ThePrivacyMachine Recommended
Tutanota is a Germany-based secure email service run by a small team of privacy enthusiasts. They respect user privacy and never require phone number verification, even when registering through Tor. While their service is focused on providing you with the highest levels of email security, it still remains user-friendly with good features.
Rather than using PGP and S/MIME, Tutanota utilizes their own encryption standard incorporating AES and RSA, which automatically encrypts the subject line, supports forward secrecy, and can be updated/strengthened if necessary against quantum-computer attacks, as they explain here. All emails are encrypted at rest and you can also send encrypted emails to non-Tutanota users. Emails between Tutanota users are seamlessly encrypted by default.
While Tutanota uses very high standards and is arguably the most secure email provider, this also comes with some tradeoffs, such as no support for PGP, IMAP, POP, or SMTP. Additionally, you cannot import existing emails into your encrypted Tutanota inbox, but they’re currently working on adding a migration feature.
If you are looking for a trustworthy, high-security email provider run by privacy enthusiasts, Tutanota is a solid choice.
- No phone number needed for verification (ever!)
- Apps for iOS and Android (available through F-Droid)
- Automatically encrypts entire mailbox and address book at rest
- Encrypted emails can be sent to non-Tutanota users (with pre-shared password)
- Subject line, headers, body, metadata, and all attachments are automatically encrypted; IP address stripped
- 100% open source
- Spam protection and inbox search features
- Highest security and encryption standards
- Support for business email, custom domains, and encrypted contact forms
- No feature to import existing emails (in development)
- Cannot pay with cryptocurrency (in development)
- IMAP, POP3, and SMTP not supported (not compatible with security model)
Plans: *Free tier: Up to 1GB
Mailfence is another great all-around secure email provider offering full calendar and contacts functionality, file storage, and PGP encryption support. It is based in Belgium, which is a great privacy jurisdiction with strict data protection laws.
For those wanting full PGP control and interoperability, without plugins or add-ons, Mailfence is a solid choice. Whether you are a personal user or you need a secure email solution for your business or team, Mailfence likely has all the features and options you’d want.
In personally using Mailfence over the past year I’ve found it to work very well – no glitches, bugs, or problems. I’ve also found their support team to be great if you need any assistance – highly recommended.
- Can use with custom domains
- Supports WebDAV, CalDEV, CardDEV
- Supports POP, IMAP, and SMTP
- Complete email suite with Calendar, Contacts, Documents, Groups, and other tools
- Full control over OpenPGP key management via an integrated keystore
- Not open source Plans: *Free tier: Up to 500 MB
Posteo is a Germany-based secure email provider that is affordable, trustworthy, and very privacy-focused. It has been operating since 2009 in Berlin and is entirely self-financed, with no loans, debts, or outside investors from foreign countries. While Posteo gives you strong encryption options, they also support IMAP which allows you to use it on any device with different email clients.
Posteo goes above and beyond most email services to protect the privacy of their users. IP addresses are automatically stripped from emails, no logs are kept, and they offer strong encryption standards. They also support completely anonymous registration and anonymous payment – even allowing you to send cash in the mail for no digital trail. And if you pay with a credit card, PayPal, or some other digital method, they manually separate account details from payment info to further protect user privacy.
- Subject, headers, body, metadata, and attachments are encrypted
- Mail, attachments, calendar, and contacts are encrypted at rest with OpenPGP on secure servers in Germany
- Completely open source
- Supports cryptocurrency and anonymous cash payment
- Strong commitment to privacy, sustainable energy, and other social initiatives
- Self-financed; good track record (operating since 2009)
- Maximum privacy: no logs, IP address stripping, secure email storage with daily backups
- Custom domains not allowed
- No spam folder (spam emails are either rejected or delivered to regular inbox) Plans: *14 day free trial
StartMail allows users to utilize PGP encryption with emails also being encrypted at rest on their Dutch servers. One cool feature with StartMail is they give you the ability to create temporary, disposable email addresses “on the fly” to use with different services. IMAP and SMTP are also supported if you want to use StartMail with third-party apps such as Thunderbird.
- Can create temporary, disposable email addresses
- Accepts cryptocurrency payment
- IMAP and SMTP support; can use custom domains
- Headers and IP address stripped from all emails
- Paid accounts come with 10 GB file storage
- No custom mobile apps
- Not open source
- Interface feels a bit outdated Plans: *7 day free trial
Next up is Runbox, a privacy-focused email provider in Norway with a proven track record. It’s important to note that Norway is a good jurisdiction with constitutionally-guaranteed privacy rights, which is why Runbox maintains all servers within the country. The history and values of the company are also interesting. Runbox has been operating secure email services since 2000 and their business uses only clean, renewable, hydropower energy in Norway.
While Runbox places a heavy emphasis on privacy and security, their email service is still user-friendly and fully-featured. You can use Runbox on third-party email clients and they also offer dedicated mobile apps. Runbox offers 30 day free trials and makes importing your existing emails simple with the guides on their site. They are currently offering a discount “2 years for the price of 1” on their website here.
- Up to 100 MB email message size
- Excellent uptime
- 100 email aliases to use with every account
- Support for IMAP, POP, SMTP, FTP and DAV services
- Advanced virus scanning and spam protection features
- Account access control features
- All emails physically stored in a high-security data center in Norway on servers owned by Runbox
- Accepts cryptocurrency and anonymous cash payment
- End-to-end encryption not built in
Plans: *30 Day free trial
Another Germany-based secure email provider worth considering is Mailbox.org. The Mailbox.org team members are internet veterans with a proven track record going back 25 years. Under the leadership of Peer Heinlein, Mailbox.org was launched in 2014 to offer a secure, privacy-focused email service in the wake of the Snowden revelations.
Mailbox.org offers lots of great features for individuals, teams, or businesses. These features include calendar, contacts, groupware, full PGP key management, and secure cloud storage with all accounts. Mailbox.org can be used with third-party email clients with support for POP, IMAP, SMTP, and all DAV services. All emails are physically stored in two separate data centers in Germany for geo-redundancy.
- Support for anonymous registration and anonymous payment options with cryptocurrency and cash payment by mail
- Advanced spam and virus-protection filters
- All accounts come with secure cloud storage
- Calendar, contacts, groupware, and full migration services
- Full PGP functionality and key management
- Emails stored encrypted at rest with PGP
Next up on our list is CounterMail, a secure email provider based in Sweden. CounterMail has been operating for over 10 years with a philosophy to “offer the most secure online email service on the Internet, with excellent free support.” CounterMail uses OpenPGPG encryption with 4,096-bit encryption keys along with no-logs, diskless servers to protect user privacy. Countermail anonymizes email headers and also strips the sender’s IP address. All emails and attachments are stored encrypted at rest using OpenPGP on servers in Sweden.
While CounterMail is a bit more expensive than some other secure email providers, they explain this price difference comes from using only high-quality servers and implementing strong security. CounterMail also protects users from identity leaks and Man-In-The-Middle attacks with RSA and AES-CBC encryption on top of SSL. It may not have all the frills, but CounterMail is a serious security-focused email provider with a 10+ year track record.
- Supports cryptocurrency payments
- Secure, built-in password manager
- All emails and attachments stored encrypted on no-logs, secure servers in Sweden
- Custom domain support
- Message filter and autoresponder features
- Uses RSA, AES-CBC, and SSL encryption to protect against leaks and MITM attacks
- Design and UI feels outdated
- Slightly more expensive than other secure email options Plans: *7 day free trial
Based in Switzerland, Kolab Now is a great secure email provider offering numerous features and full email suite functionality. A Kolab Now subscription includes email, contacts, calendar, scheduling, collaboration/sharing tools, and cloud file storage. All of the features and options make Kolab Now an excellent choice for business users, teams, and privacy-focused individuals.
While Kolab now does offer numerous features and support for all major operating systems and devices, it also does not offer as much encryption for those who want the highest levels of security. End-to-end encryption for emails is not built-in and emails are not stored encrypted at rest. For those wanting a feature-rich email suite that also does well with privacy and security, Kolab Now would be a great choice.
- Accepts cryptocurrency payments
- Full support for POP, SMTP, and IMAP
- Switzerland jurisdiction with strong privacy protection
- Full email suite with numerous features to replace Gmail, Office365, etc.
- Support for custom domains, teams, and business users
- End-to-end email encryption is not built-in
- Email not encrypted at rest (but stored in high-security Swiss data center)
- Higher price Plans: *30 day money-back guarantee
ProtonMail is a Switzerland-based email service that has become quite popular in the past few years. It appeared on the scene in the wake of the Snowden revelations and was promoted by American media as “The Only Email System the NSA Can’t Access” right after Lavabit was shut down for not cooperating with the US government. ProtonMail claims to have been developed at CERN in Switzerland, but reports from 2014 also point out its ties to MIT in the United States:
The company is advised by the MIT Venture Mentoring Service and is developed, in part at MIT. Earlier this year, ProtonMail was a semi-finalist in the 2014 MIT 100K Startup Launch competition.
Regarding the investors and owners of ProtonMail, we also find here that it was financed by both the Venture Monitoring Service and Charles River Ventures in Boston:
We have been working with VMS since the very beginning and our mentors have been key to our success. Our mentors helped us make some of our most important early hires and also helped introduce us to investors. At the start, we had no experience in running a company so the advice from VMS was crucial in helping us make the transition from idea to product to market success.
While some may be concerned with ProtonMail’s ties to American investors and US research institutions, it should be noted that Proton is technically a Switzerland-based company under the name Proton Technologies AG.
Looking at the service itself, ProtonMail does a lot of things right. They utilize strong end-to-end encryption standards for email and store all messages and attachments encrypted at rest. ProtonMail has a unique feature for “self-destructing messages” and they have also added address verification and full PGP support. Regarding encryption, it’s important to note, however, that ProtonMail is does not encrypt metadata, headers, or subject lines of emails, unlike some of the other secure email services mentioned in this guide.
Overall ProtonMail is a well-regarded email provider and they offer a solid service worth considering. Nonetheless, if you are looking for the highest standards of security and anonymity, including full encryption of metadata, headers, and subject lines, you may want to consider alternatives.
- Can import contacts and emails through bridge feature
- Strips IP address from emails
- Emails are encrypted at rest and stored on Swiss servers
- Officially under Switzerland jurisdiction
- Apps for mobile devices
- Can be used with email clients through the Bridge feature
- ProtonMail does not encrypt headers, metadata, or subject lines
- Strong ties to US research institutions and funded by US investors
- Utilizes phone number verification
- Quick to suspend accounts without warning
- Mobile apps, IMAP bridge, and backend are closed source Plans: *Free tier: Up to 500 MB
While it has not gotten much attention in the privacy community, another secure email service worth noting is Thexyz. Thexyz is a secure email and web hosting business based in Canada. The email arm of their business has been operating since 2009, as they explain on their about page. One obvious drawback with Thexyz is that they are based in Canada, which is not an ideal privacy jurisdiction (Five Eyes). Nonetheless, this may not be a concern depending on your threat model.
Thexyz does offer some great privacy and security features. Accounts come with secure, encrypted cloud storage as well as contacts, calendars, and team collaboration tools. All emails are stored encrypted at rest using AES 256-bit encryption, with double geo-location redundancy. Even with all the perks and features, Thexyz is still very affordable at $1.95/mo with the premium webmail plan.
- Great applications and user interface
- Email encrypted at rest with 256-bit AES
- Subscriptions include calendar, contacts, chat, and encrypted cloud storage
- Unlimited aliases; emails can include up to 50 MB attachments
- Support for custom domains
- Autoresponder, spam filters, and incoming email filtering
- Apps for iOS and Android
- Based in Canada (not the best privacy jurisdiction)
- End-to-end encryption is not built-in
Plans: *30 Day refund window