If you’re reading this, there’s a good chance you’ve sent an email today. But how can you be sure that message was only read by yourself and the recipient?
It would be nice if email services were always secure. But this simply isn’t the case. In 2018, we learned that Google had permitted numerous app developers to access Gmail users’ accounts.
And Gmail isn’t alone. Many mainstream email providers offer insecure services. The messages you send via these providers are hardly ever encrypted, and their content can be intercepted in a number of ways. Moreover, hackers have managed to obtain account details from providers on multiple occasions – a sign that the companies involved don’t take email security as seriously as they should.
This has led to the emergence of a cluster of genuinely secure email services, and one of the leading lights is Tutanota. So let’s explore what the Tutanota encrypted email service has to offer, and why it might (or might not) be a good fit for your communication needs.
Introducing Tutanota mail: an innovative open source email provider
Tutanota mail (“secure message” in Latin) was founded in Germany in 2011 and had a radical aim. It sought to create one of the first open source email client projects which could guarantee user privacy.
Around the time Edward Snowden’s revelations about the NSA surfaced, Tutanota email started to become much better known, but the developers didn’t seek to take a mainstream commercialization route. The source code for Tutanota’s client is still available on GitHub for coders to check out, and it’s also stored on F-Droid – an open source app distribution platform.
What does Tutanota do and how does it work?
The Tutanota email service is cloud-based and uses a separate email client. Unlike some cloud email providers, Tutanota mail puts encryption at the core of everything it does. The whole point of the project is to protect every packet sent by users – to a degree that no commercial alternative had ever attempted.
You can use the client to send AES-256 encrypted mail to fellow Tutanota users, so if you like what you see, be sure to refer the company to your contacts.
However, it’s also relatively easy to send mail to people who don’t use the service. In that case, the app creates a unique Tutanota email account for each message, and if the recipient has the required password, they can access the content of the mail.
Key features of the Tutanota email client
A list of the main features offered by the Tutanota mail service gives a much fuller idea of what we’re talking about:
- All emails are sent via end-to-end military grade (AES-128 or AES-256) encryption.
- Passwords never pass in their entirety to Tutanota email servers. Instead, a bcrypt hashing function is used, and only a “fingerprint” of your password is sent.
- Apps are available for Android and iOS phones, as well as desktop operating systems. And the Android app is Google-free – so there’s no likelihood of the search giant intruding upon your online affairs.
- A free service is available, which provides 1GB of storage, but comes with advertisements. After all, Tutanota email is not geared towards profits and must raise funds somehow. However, their paid-for packages come without any ads.
- All email accounts are anonymous if desired, allowing you to send and receive messages without anyone knowing who you are. There’s no IP address logging at any stage.
- Similarly, if you need to reset your password for any reason, Tutanota’s admins have no way of knowing this, and no access to your login details.
- Email domain names can also be customized, just as with many mainstream email services, and this is funded by a small supplementary monthly fee.
- All payments can be made in Bitcoin, ensuring a high level of anonymity.
All of these features are designed to deliver anonymity and privacy. However, the company does admit that some user data is required. While Tutanota email apps try to keep permissions to an absolute minimum, they do ask for:
- Full network access
- The ability to receive data from the internet
- View network connections
- Access to contact lists
- The ability to read data from SD cards
- Control vibration to deliver email alerts
- Deactivate sleeping mode – again, to deliver alerts
How to use the Tutanota mail app
The company’s app functions just like a normal email client. You supply login details and set a password, and enter these into fields as you usually would.
However, there are some features that won’t be so familiar to users of mainstream services. For example, Tutanota mail recommends using its two-factor authentication options to add an extra layer of security. This can be set up easily via the “Settings” > “Login” menu, and can entail using hardware security keys such as the YubiKey, or app-based alternatives like Authy.
Another difference is that you can’t recover your password if you lose it. So you’ll need to record both your password and a recovery code when you sign up.
Aside from that, the actual experience of using the Tutanota mail client will be very familiar, with folders, trash, spam filters, email search, attachments, etc.
One other difference will appear when you send emails to external recipients. In this case, you’ll have to supply a password for each email. The recipient then uses this password to access the encrypted message.
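A sketch of the two password mechanisms described above (the login “fingerprint” and the per-message password for external recipients), added here as an example and not Tutanota’s own code. It assumes scrypt in place of bcrypt, because Node’s built-in crypto module has no bcrypt, and every function name is hypothetical.

```javascript
// Added illustration, not Tutanota's code. scrypt (built into Node) stands in
// for the bcrypt step the article mentions; all names here are hypothetical.
const { scryptSync, randomBytes, createHash, createCipheriv,
        createDecipheriv, timingSafeEqual } = require('node:crypto');

// Client side: stretch the password into a 256-bit key that stays on the device.
function deriveKey(password, salt) {
  return scryptSync(password.normalize('NFKC'), salt, 32, { N: 16384, r: 8, p: 1 });
}

// Client side: the "fingerprint" sent at login. Hashing the key once more means
// the server cannot turn the stored verifier back into the encryption key.
function authVerifier(key) {
  return createHash('sha256').update(key).digest();
}

// Server side: compare verifiers in constant time; the password is never seen.
function serverCheckLogin(storedVerifier, presentedVerifier) {
  return storedVerifier.length === presentedVerifier.length &&
         timingSafeEqual(storedVerifier, presentedVerifier);
}

// Sender side: encrypt a message for an external recipient under a shared password.
function sealMessage(password, plaintext) {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, body, tag: cipher.getAuthTag() };
}

// Recipient side: returns the plaintext, or null when the password is wrong or
// the stored message was modified (the GCM tag check fails in both cases).
function openMessage(password, { salt, iv, body, tag }) {
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}
```

The salt, IV and tag are not secret and travel with the ciphertext; only the password has to reach the recipient over a separate channel.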
Is Tutanota mail safe to use?
On the face of things, Tutanota seems very reliable and safe. The community attends to security issues as they arise, the encryption is top of the line, and customer feedback is generally very positive.
The only potential weakness is that the actual email encryption used by Tutanota takes place via JavaScript within the user’s browser. In 2014, the company had to admit that this vulnerability had allowed hackers to launch Cross-Site Scripting attacks. And this reliance on JavaScript remains a minor security issue.
To increase safety, many users also use a VPN (Virtual Private Network) to help anonymize themselves and to encrypt all their data. VPNs work by creating a secure tunnel for your data to be transferred through. They also help to hide your IP address by allowing you to use another one in a location of your choosing.
Using both a VPN and Tutanota can offer you greater privacy and safety than using Tutanota alone. You can browse our Best VPNs Guide and subscribe to one of the top VPN providers, such as ExpressVPN or NordVPN.
A quick guide to troubleshooting some Tutanota issues
Another good way to get an idea of how Tutanota works is to think about a couple of common issues that all email users could confront.
Firstly, what happens if you need to recover your password? In this case, as we briefly noted earlier, you’re in trouble. There is absolutely no way to recover a lost password unless you have a recovery code which was set when you signed up.
But if someone hasn’t kept a copy of their password, they are unlikely to have the recovery code close by. The only advice for users here is to record their password and recovery code and have them ready in an emergency.
Secondly, what about deleting a Tutanota account? Can you be sure that your data is wiped clean and removed from their servers?
All free accounts are automatically deleted if the user is inactive for 6 months – including all data. And the account cannot be recycled, ensuring that the user’s privacy isn’t compromised.
If users need to remove their account before then, they can upgrade to a paid account and use Tutanota’s deletion process. Here’s how to do so:
- Go to the left-hand side panel on your email inbox.
- Choose the “Subscriptions” option and then “Upgrade.”
- Pick either the “Premium” or “Pro” options and whether you are a private or business user. Now proceed to payment.
- When that’s done, you can add “Extensions” free of charge. This includes a “Delete Account” extension.
- You can either completely delete your emails or choose “Take over email address” to transfer them and your contacts to a new Tutanota email account.
So, the situation isn’t ideal for free users who want to remove their account quickly. But the process is flexible and easy for paying customers.
Tutanota vs ProtonMail
Finally, it’s helpful to put Tutanota into context by comparing it to ProtonMail, which is probably the main competitor. Here’s how the two stack up:
 | Tutanota | ProtonMail |
Owning company | German project run by a team of developers. It’s a profit-making organization, but is run on an open-source basis, and provides specialist support for not-for-profit organizations. | It was created by the trio of Dr. Andy Yen, Jason Stockman, and Wei Sun, and is a private business. |
Release date | 2011 | 2014 |
Location | Germany | Switzerland |
Free version available | Premium (EUR12/year); Pro (EUR60/year) | Plus (EUR48/year); Pro (EUR75/year); Visionary (EUR288/year) |
Mailbox storage | Premium – 1GB; Pro – 10GB | Plus – 5GB; Pro – 5GB; Visionary – 20GB |
Max. attachment limit | 25MB | 25MB |
Security features | End-to-end 256-bit AES encryption; External 2FA; TLS encryption; GDPR compliant; Complete password protection; No tracking; No IP logging; Uses only ISO 27001 certified data centers in Germany; No targeted ads; External content in emails must have user consent; IP info is stripped from headers; Phishing protection; Anonymous signups; Cryptocurrency supported; Symmetric encryption with external recipients | End-to-end encryption; Data stored on servers is encrypted; Zero access to user data; Uses secure implementations of AES, RSA, and PGP; Swiss jurisdiction; Own and manage own data centers; No tracking; Zero logs; Anonymous signups; Can set “self destruct” time limit for emails; All connections SSL secured; Symmetric encryption with external recipients |
Contributing Writer
Mikaela is an investigative journalist that likes to cover the ever-changing world of technology. She tries to keep her finger on the pulse of digital trends and share her insights on the most relevant topics, including big tech, security, privacy, and data breaches.
thx 🍄
I used to be a Tutanota Premium user. However, I ultimately switched to Mailfence. I have encouraged many of my five siblings to make the switch from Google to the free version of Tutanota. Try it for as long as they like, then get a premium account if it suits them. After getting 4 of the 5 siblings to switch, we recently had a problem with Tutanota thinking they were spamming. There are seven of us in the email (counting my mom), so this certainly doesn’t constitute spamming. I have come to the conclusion that Tutanota is having some very poor business practices in trying to get free subscribers to pay for a premium account. The one sibling that has a premium account is the only one that did not get a notice about spamming, or “exceeded the limit” and it would be a day or two before they could resume emailing again. I do not recommend Tutanota for free or paid subscriptions because of this devious way of manipulating people.
I have a lot of emails that I’d not likely worry about sending e2e. What isn’t clear to me, is whether or not those correspondences are automatically encrypted once they land in my Tutanota inbox/outbox. In other words, is an “unencrypted” email safer in a Tutanota inbox than, say, Thunderbird?
The court case against Tutanota seems to suggest that they encrypt everything on their servers, but they can somehow still provide messages that were sent to their servers unencrypted. I must be missing something.
Hello, Jacob. The emails that end up in your Tutanota inbox are unencrypted. So in this sense, they are not safer than they would be in Thunderbird, provided you use a password of similar strength. However, I’d say that hacking into your Thunderbird inbox without using a password would be easier when compared to Tutanota. Besides, if you use 2FA, reading your unencrypted emails becomes almost impossible.
If I purchase pet supplies from chewy.vom will I receive spam from them? What about other online purchases? I want to get rid of my gmail which is so inundated with spam.
Hello, Tamaran. Using a dedicated email for creating unimportant accounts is probably your best bet. I also think that such online shops should give you an option to unsubscribe from marketing-related content. But if you want to register with a Tutanota email, I think that marking it as spam once should be enough to keep your inbox clean. Good luck!
Tutanota does not work for me. I tried to sign up for a premium account. The back end would not process my credit card. Then Tutanota defaulted me to a free account, but the account can neither send nor receive email. And as a free account, I cannot contact any help or support option to fix the situation, and I cannot even close the account.
What a mess.
I feel this one is really interesting. I totally get that they have ads on the free plan, because at some point great technology never comes free, so I think if you can’t afford a paying subscription the free one will be just fine.
I have the free version of Tutanota and Protonmail and I never see ads on either. I’ve never understood that.
Same here I’ve never seen ads
Hmmm, I like this a lot, although ProtonMail seems to be safer, at least as far as I can tell. ProtonMail doesn’t have that problem with the JavaScript, does it? Cause I would rather choose a solution that didn’t have that, if I can.
I like this one, but ProtonMail wins by a hair for me because it’s in Switzerland. Can’t beat those Swiss privacy laws. I might be tempted to try this one out, though, just to see what it’s all about. I like the look of it, and I like the sound of military-grade encryption. Could be great paired with the right VPN.
Being in Switzerland does not make Protonmail immune to USA “information requests”. Protonmail maintains a dedicated office in USA, rather than Tutanota.
The 1GB service with the ads is totally understandable. I mean, you are getting a great service for free so there must be a small price to pay. The Tutanota paid plans are cheaper than ProtonMail but they are probably not as secure as the latter.
My company is on the verge of opting for a more secure mailing service with encryption. Been reading about Tutanota and Proton mail and kind of confused on which to go for since they almost offer same features. Just want to ask, does Tutanota support two-factor authentication and include a spam blocker?
Thank you so much in anticipation for your responses.
Emily
Hi Emily,
Yes, Tutanota includes both.