If you’re reading this, there’s a good chance you’ve sent an email today. But how can you be sure that message was only read by yourself and the recipient?

It would be nice if email services were always secure. But this simply isn’t the case. In 2018, we learned that Google had permitted numerous app developers to access Gmail users’ accounts.

And Gmail isn’t alone. Many mainstream email providers offer insecure services. The messages you send via these providers is hardly ever encrypted, and their content can be intercepted in a number of ways. Moreover, hackers have managed to obtain account details from providers on multiple occasions – a sign that the companies involved don’t take email security as seriously as they should.

In response, this has led to the emergence of a cluster of genuinely secure email services. And one of the leading lights is Tutanota. So let’s explore what Tutanota encrypted email service have to offer, and why they might (or might not) be a good fit for your communication needs.

Introducing Tutanota mail: an innovative open source email provider

Tutanota mail (“secure message” in Latin) was founded in Germany in 2011 and had a radical aim. It sought to create one of the first open source email client projects which could guarantee user privacy.

At around about the time when Edward Snowden’s revelations about the NSA surfaced, Tutanota email started to become much better known, but the developers didn’t seek to take a mainstream commercialization route. The source code for Tutanota’s client is still available on Github for coders to check out, and it’s also stored on F-Droid – an open source app distribution platform.

What does Tutanota do and how does it work?

The Tutanota email service is cloud-based and uses a separate email client. Unlike some cloud email providers, Tutanota mail puts encryption at the core of everything it does. The whole point of the project is to protect every packet sent by users – to a degree that no commercial alternative had ever attempted.

You can use the client to send AES-256 encrypted mail to fellow Tutanota users, so if you like what you see, be sure to refer the company to your contacts.

However, it’s also relatively easy to send mail to people who don’t use the service. In that case, the app creates a unique Tutanota email account for each message, and if the recipient has the required password, they can access the content of the mail.

Key features of the Tutanota email client

A list of the main features offered by the Tutanota mail service gives a much fuller idea of what we’re talking about:

  • All emails are sent via end-to-end military grade (AES-128 or AES-256) encryption.
  • Passwords never pass in their entirety to Tutanota email servers. Instead, a Bcrypt hashing function is used, which sends a “fingerprint” of your password.
  • Apps are available for Android and iOS phones, as well as desktop operating systems. And the Android app is Google-free – so there’s no likelihood of the search giant intruding upon your online affairs.
  • A free service is available, which provides 1GB of storage, but comes with advertisements. After all, Tutanota email is not geared towards profits and must raise funds somehow. However, their paid-for packages come without any ads.
  • All email accounts are anonymous if desired, allowing you to send and receive messages without anyone knowing who you are. There’s no IP address logging at any stage.
  • Similarly, if you need to reset your password for any reason, Tutanota’s admins have no way of knowing this, and no access to your login details.
  • Email domain names can also be customized, just as with many mainstream email services, and this is funded by a small supplementary monthly fee.
  • All payments can be made in Bitcoin, ensuring a high level of anonymity.

All of these features are designed to deliver anonymity and privacy. However, the company does admit that some user data is required. While Tutanota email apps try to keep permissions to an absolute minimum, they do ask for:

  • Full network access
  • The ability to receive data from the internet
  • View network connections
  • Access to contact lists
  • The ability to read data from SD cards
  • Control vibration to deliver email alerts
  • Deactivate sleeping mode – again, to deliver alerts

How to use the Tutanota mail app

The company’s app functions just like a normal email client. You supply login details and set a password, and enter these into fields as you usually would.

However, there are some features that won’t be so familiar to users of mainstream services. For example, Tutanota mail recommends using their 2-factors authentication options to add an extra layer of security. This can be set up easily via the “Settings” > “Login” menu. This can entail using security keys provided by companies like YuBikey, or app-based alternatives like Authy.

Another difference is that you can’t recover your password if you lose it. So you’ll need to record both your password and a recovery code when you sign up.

Aside from that, the actual experience of using the Tutanota mail client will be very familiar, with folders, trash, spam filters, email search, attachments etc..

One other difference will appear when you send emails to external recipients. In this case, you’ll have to supply a password for each email. The recipient then uses this password to access the encrypted message.

Is Tutanota mail safe to use?

On the face of things, Tutanota seems very reliable and safe. The community attends to security issues as they arise, the encryption is top of the line, and customer feedback is generally very positive.

The only potential weakness is that the actual email encryption used by Tutanota takes place via JavaScript within the user’s browser. In 2014, the company had to admit that this vulnerability had allowed hackers to launch Cross-Site Scripting attacks. And this reliance on JavaScript remains a minor security issue.

To increase safety, many users are using a VPN (Virtual Private Network) to help anonymize them, as well as to encrypt all their data. You see, VPNs work by creating a secure tunnel for your data to be transferred through. It also helps to hide your IP address by allowing you to use another one in a location of your choosing.

Using both a VPN and Tutanota can offer you greater privacy and safety than using Tutanota alone. You can browse our Best VPNs Guide and subscribe to one of the top VPN providers, such as ExpressVPN or NordVPN.

A quick guide to troubleshooting some Tutanota issues

Another good way to get an idea of how Tutanota works is to think about a couple of common issues that all email users could confront.

Firstly, what happens if you need to recover your password? In this case, as we briefly noted earlier, you’re in trouble. There is absolutely no way to recover a lost password unless you have a recovery code which was set when you signed up.

But if someone hasn’t kept a copy of their password, they are unlikely to have the recovery code close by. The only advice for users here is to record their password and recovery code and have them ready in an emergency.

Secondly, what about deleting a Tutanota account? Can you be sure that your data is wiped clean and removed from their servers?

All free accounts are automatically deleted if the user is inactive for 6 months – including all data. And the account cannot be recycled, ensuring that the user’s privacy isn’t compromised.

If users need to remove their account before then, they can upgrade to a paid account and use Tutanota’s deletion process. Here’s how to do so:

  1. Go to the left-hand side panel on your email inbox.
  2. Choose the “Subscriptions” option and then “Upgrade.”
  3. Pick either the “Premium” or “Pro” options and whether you are a private or business user. Now proceed to payment.
  4. When that’s done, you can add “Extensions” free of charge. This includes a “Delete Account” extension.
  5. You can either completely delete your emails or choose “Take over email address” to transfer them and your contacts to a new Tutanota email account.

So, the situation isn’t ideal for free users who want to remove their account quickly. But the process is flexible and easy for paying customers.

Tutanota vs ProtonMail

Finally, it’s helpful to put Tutanota into context by comparing it to ProtonMail, which is probably the main competitor. Here’s how the two stack up:

TutanotaProtonMail
Owning companyGerman project run by a team of developers. It’s a profit-making organization, but is run on an open-source basis, and provides specialist support for not-for-profit organizations.It was created by the trio of Dr. Andy Yen, Jason Stockman, and Wei Sun, and is a private business.
Release date20112014
LocationGermanySwitzerland
Free version availablePremium (EUR12/year)
Pro (EUR60/year)
Plus (EUR48/year)
Pro (EUR75/year)
Visionary (EUR288/year)
Mailbox storage
Premium – 1GB
Pro – 10GB
Plus – 5GB
Pro – 5GB
Visionary – 20GB
Max. attachment limit25MB25MB
Security featuresEnd-to-end 256-bit AES encryption
External 2FA
TLS encryption
GDPR compliant
Complete password protection
No tracking
No IP logging
Uses only ISO 27001 certified data centers in Germany
No targeted ads
External content in emails must have user consent
IP info is stripped from headers
Phishing protection
Anonymous signups
Cryptocurrency supported
Symmetric encryption with external recipients
End-to-end encryption
Data stored on servers is encrypted
Zero access to user data
Uses secure implementations of AES, RSA, and PGP
Swiss jurisdiction
Own and manage own data centers
No tracking
Zero logs
Anonymous signups
Can set “self destruct” time limit for emails
All connections SSL secured
Symmetric encryption with external recipients