Of all the web-based tools people use every day, email is possibly the least secure. Tech giants such as Google and Yahoo have been actively compromising their users’ privacy for years by selling data to third-party companies, and Google, in particular, has helped the NSA to spy on US citizens for years.
As such, people are now turning to more secure email services to prevent their data from being blindly surrendered to every Tom, Dick, and Harry. SCRYPTmail is one of those services that promise greater security for email users, so we’re going to take a look at it in our SCRYPTmail review.
What is SCRYPTmail?
SCRYPTmail is advertised as an ultra-private email service that offers end-to-end encryption. It is developed by Sergei Krutov, a data protection consultant based in Spokane, Washington.
Prior to launching SCRYPTmail in November 2014, Krutov developed or co-developed a number of programs, including Minapsys, an online group collaboration tool, and EASYWEB, a remote computer troubleshooting tool.
While Minapsys is now used by some Big Pharma companies, it is difficult to gain an accurate picture of Krutov’s industry experience. This, of course, is fairly important seeing as he seems to develop SCRYPTmail completely without any input from others.
Then there is the issue of the service’s development history. According to its website, there have been no updates since January 15, 2015, a little over two months after it launched. SCRYPTmail’s latest tweet, furthermore, was posted almost two years later (December 2016).
These factors make it slightly difficult to properly trust SCRYPTmail as the privacy-friendly email service it presents itself as. Realistically, it’s unlikely one developer, working alone, can stand up to attacks from hackers, especially when he doesn’t seem to update it, ever.
Nevertheless, the aim of our SCRYPTmail review is to give the service a fair trial, so let’s take a closer look at some of its features to see how it holds up.
All emails sent through SCRYPTmail are protected with end-to-end encryption. This extends to attachments, which can also be encrypted. As with Gmail, these attachments can be up to 50 GB in size.
As well as this, SCRYPTmail uses two-factor authentication, which creates an extra layer of security at the access point. Users can choose to enable PIN-locks on their incoming mail, too.
One of the best features is disposable email addresses. You can have up to three of these at once, and you can keep them for as long as you wish.
This is great for avoiding spam, and especially for navigating websites that require your contact information but haven’t yet earned your trust.
Lastly, SCRYPTmail uses KeePass, a password manager that allows you to not only keep track of strong, non-reusable passwords but also to encrypt your password storage to ensure it remains totally secure.
Unfortunately, SCRYPTmail does not provide certain features that come standard in other email services. This includes custom apps for Android and iOS, even though millions of people now send emails via their mobile device.
Then there is the inability for users to switch between languages—it is only available in English. This seems like an enormous oversight, especially seeing as SCRYPTmail’s developer is not himself a native English speaker.
The most controversial feature is that SCRYPTmail is free. While everyone loves getting good things without having to pay for them, the reality is that the best software usually needs to be funded by paying customers.
How does SCRYPTmail work?
In mainstream email services, data is indeed encrypted, but it is then passed through servers—usually third-party ones—that have the ability to decrypt the contents of the email.
SCRYPTmail, on the other hand, offers end-to-end encryption in the classic sense: using a secret phrase that is then shared between the sender and the recipient only.
This secret phrase (or key) should be communicated with the other user outside of SCRYPTmail, as they will be unable to decrypt the email without it.
This negates the possibility of man-in-the-middle attacks, such as interception, monitoring, and hacking. Users also have the ability to change their secret phrases whenever they please.
SCRYPTmail then encrypts your metadata and protects your personal inbox with 256-bit AES encryption. As a result of not having access to your shared key, even SCRYPTmail cannot view the contents of your emails.
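The shared-phrase scheme described above, as an added Node.js example (not SCRYPTmail's own code): a key is derived from the secret phrase and the message is sealed with AES-256-GCM, so anyone without the phrase, including the server, cannot open it. The scrypt KDF, its cost parameters, the envelope layout and the function names are assumptions made for this illustration.

```javascript
// Added illustration of passphrase-based end-to-end encryption.
// NOT SCRYPTmail's code: the KDF (scrypt), its parameters and the
// envelope layout are assumptions chosen for this example.
const crypto = require("node:crypto");

const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16;

// Stretch the shared secret phrase into a 256-bit AES key.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase.normalize("NFKC"), salt, 32,
    { N: 16384, r: 8, p: 1 });
}

// Sender side: returns base64(salt || nonce || tag || ciphertext).
function encryptMessage(passphrase, plaintext) {
  const salt = crypto.randomBytes(SALT_LEN);   // fresh per message
  const nonce = crypto.randomBytes(NONCE_LEN); // never reused with a key
  const cipher = crypto.createCipheriv("aes-256-gcm",
    deriveKey(passphrase, salt), nonce, { authTagLength: TAG_LEN });
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]).toString("base64");
}

// Recipient side: returns the plaintext, or null when the phrase is wrong
// or the envelope was altered in transit (the GCM tag check fails).
function decryptMessage(passphrase, envelope) {
  const raw = Buffer.from(envelope, "base64");
  if (raw.length < SALT_LEN + NONCE_LEN + TAG_LEN) return null;
  const salt = raw.subarray(0, SALT_LEN);
  const nonce = raw.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const tag = raw.subarray(SALT_LEN + NONCE_LEN, SALT_LEN + NONCE_LEN + TAG_LEN);
  const body = raw.subarray(SALT_LEN + NONCE_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv("aes-256-gcm",
    deriveKey(passphrase, salt), nonce, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
  } catch {
    return null; // authentication failed
  }
}

// Constructed sample values.
const phrase = "constructed example phrase shared out of band";
const sealed = encryptMessage(phrase, "Meet at 10:00");
console.log(decryptMessage(phrase, sealed));         // recipient with the phrase
console.log(decryptMessage("wrong phrase", sealed)); // anyone without it
```

The 256-bit key is only as unpredictable as the phrase it is derived from, so a short or reused phrase weakens the whole scheme regardless of the cipher.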
Is SCRYPTmail secure?
256-bit AES encryption is very secure. This cipher creates a “keychain” for your inbox that is practically impenetrable, and simply cannot be accessed through brute-force attacks. It’s so secure, in fact, that it’s used by government and financial institutions.
Even if someone physically gets hold of your device, the two-factor authentication at the login point should be enough to throw them off.
As such, we have confidence in SCRYPTmail’s ability to keep user data secure and untouchable.
Is SCRYPTmail anonymous?
SCRYPTmail allows its users to pay through Bitcoin, which makes for a more anonymous sign-up process. Users are also able to sign up through Tor, and SCRYPTmail itself can also run on the Tor network.
The big worry, though, is that SCRYPTmail is based in the US, a 14 Eyes country. This means increased surveillance and the possibility of data about you traveling across borders.
This could certainly make users paranoid about using SCRYPTmail, and taking a look at the company’s warrant canary makes those fears more grounded. Right after stating, “We have had contact with law enforcement agency, but we have never released user data,” the canary states that all 8 law enforcement requests for IP and access times had been granted.
Worse yet, the word on warrant canaries is that, if one hasn’t been updated, then users should assume that the company has been served with a subpoena and its data has been compromised. The SCRYPTmail warrant canary hasn’t been updated since May 2017.
With SCRYPTmail’s encryption credentials, it is difficult to imagine precisely what information could have been claimed by the authorities. However, it doesn’t look good.
Our SCRYPTmail review finds the service in need of an update and more stringent privacy practices. The fact that there isn’t much new information about SCRYPTmail is also a bad sign. In short, we advise users to go for some of the more well-regarded names in the secure email sphere.