Secure Privacy Email Options 2019

In this article on secure privacy email options, we look at various ways to make your email more, well… secure and private. We pay particular attention to the relatively new breed of end-to-end encrypted webmail services, but also survey the pros and cons of more traditional alternatives.

 

The Best Secure private Email providers 

Below we have listed the most secure and private Email providers. For more information about any of the services in this list, scroll down the article for a summary of each service or click through to the provider's website.

  1. ProtonMail - Price: Free (500 MB/1 address), $5 per month (5 GB/5 addresses).
  2. Tutanota - Price: Free (1 GB/1 address), $1.35 per month (1 GB (expandable)/5 addresses).
  3. Posteo - Price: €2 per month (expandable).
  4. Mailfence - Price: Free (500 MB / 1 address), €2.50 per month (5 GB / 10 addresses), €7.50 per month (20 GB / 50 addresses)
  5. StartMail - Price: 7-day trial, $59.95 annually (10GB storage / 10 addresses).
  6. Mailbox.org - Price: 30-day trial, €1 per month (2GB mail storage, 3 addresses), €2.50 per month (5GB mail storage, 25 addresses). Pricing can be personalized to your needs.
  7. Neomailbox - Price: $49.95 annually (1GB mailbox, 1 address), $79.95 per year (5GB mailbox, 1 address), additional pricing tiers expand mailbox size up to $240.95GB/40GB mailbox.

Email is not private or secure

As a technology, email was not designed with privacy or security in mind. The need for such, in fact, never crossed the minds of the early pioneers of networking. So, when it later became clear that internet consumers were unwilling to pay for the hugely expensive and complex technologies they use every day and with hardly a second thought, email providers had an easy way at hand to monetize their services.

The most successful business model was developed by Google, which realized that an individual’s personal data is incredibly valuable. The more of it you collect, the more valuable it is.

After all, if you have a good idea of what a person does and doesn't like, where they go, what their hobbies are, and who they hang out with, then it is easy to target them with products and services that they are likely to be interested in purchasing. Cha-ching!

In addition to using its search engine to track users’ interests, Google scans all emails sent via its Gmail service. Note that this means emails not only belonging to Gmail users, but any emails sent to Gmail users from other email services!

In 2017 Google somewhat disingenuously announced that it would no longer scan emails in order to target users with tailored ads, but this does not mean it has stopped scanning emails for other purposes. Its much-touted AI-based smart reply feature proves this beyond all doubt, as does its full list of everything you have purchased from any online retailer since 2015!

Government spying

Whatever the situation with Google, it is normal for email services to scan users’ emails for advertising purposes.

And what can be collected for advertising revenue is also incredibly valuable to “collect it all” security agencies such as the NSA.

Google cooperated with the NSA to spy on its users for years and only stopped when caught with its pants down by Edward Snowden’s revelations in 2013. Or at least it claims to have stopped. Yahoo, on the other hand, continued to betray its users to the NSA right up until at least October 2016.

Pay for It!

As the old adage goes, “if you aren’t paying for a product, then you are the product.”

There are some free, secure email services out there, however, they often have data caps and do not include all the features offered by the premium version of the service.

It costs a lot of money and time to run an email service, so you need to consider very carefully how that service is funded. Services such as RiseUp and Autistici are run by politically motivated activists, and are designed primarily to provide privacy for similarly minded activists.

Such services are willing to run at a financial loss thanks to the political ideology of their founders. As such, they are small and not very well-funded. Users should certainly consider donating towards them if they can afford to do so.

PGP-encrypted emails can be securely sent over any regular email service, but the simple reality is that very few of your contacts (if any) will also use PGP. This means that you will still require a private email service for day-to-day use…

All Browser-based encryption is insecure

Webmail services are very convenient, as they can be easily accessed from within any web browser. Unfortunately, cryptography in browsers is implemented using JavaScript, and JavaScript cryptography in browsers is inherently insecure.

This is because a compromised server or man-in-the-middle attack can push compromised encryption keys to both you and your recipient’s browsers.

Does this make webmail services useless? No. It all depends on your threat model. For most users, they are probably absolutely fine. But no webmail service is going to be anywhere near as secure as using PGP with a dedicated email client.

If you access an encrypted webmail service via its mobile app or a dedicated email client only (i.e. not through a browser), then this issue does not apply.

Use Signal Instead

“I have recently come to the conclusion that e-mail is fundamentally unsecurable. The things we want out of e-mail, and an e-mail system, are not readily compatible with encryption. I advise people who want communications security to not use e-mail, but instead use an encrypted message client like OTR or Signal.Bruce Scheier.

Encrypted messaging apps are much easier to use than PGP (what isn’t?!), and are much more secure than any kind of email. Signal messenger is widely regarded as the most secure way to communicate with another person yet devised, short of actually whispering something into their ear.

Signal is, therefore, the best solution currently available for keeping the actual contents of messages secure. OTR is also a good option for desktop users.

End-to-end (e2e) privacy Email services

Why use a privacy-focused email service?

If you need a conversation to be as private as possible, then use Signal instead of email. But email is not going away and remains the single most popular means of communicating on the planet. Using a private and secure email service of the kind described below means:

  • The service will not scan your emails (for advertising or any other purpose)
  • They use end-to-end encryption (e2ee). You encrypt and decrypt your emails on your own device so that neither your email provider or the NSA can access them.
  • No Ads

The best Private Email services

1. ProtonMail

  • Pricing

    From $0.00 / month

ProtonMail was the first in a post-Snowden “new-wave” of webmail services that aim to provide all the functionality of Gmail and its ilk, but which respect users’ privacy and provide full end-to-end encryption (e2ee) for emails.

Users can send anyone an encrypted email, to which they can also respond securely.

ProtonMail is based in Switzerland, which has strong privacy laws and is outside the NSA and GCHQ’s direct area of influence. Being based there is therefore usually considered a strong feature of the service.

Newly passed government surveillance laws are worrying, however, and despite reassurances from ProtonMail, it is still unclear if these laws affect services such as ProtonMail.

The great news is that ProtonMail introduced full OpenPGP support in 2018. This means users can send PGP encrypted emails to non-ProtonMail contacts, and open PGP encrypted emails sent to their ProtonMail account.

Please see our ProtonMail Review for an in-depth look at this service.

2. Tutanota

Price: Free (1 GB/1 address), $1.35 per month (1 GB (expandable)/5 addresses).

  • Pricing

    From $0.00 / month

Tutanota is similar in many ways to ProtonMail, they're based in Germany. This has strict privacy laws, but also practices widespread surveillance of its own, provides the base for the NSA’s extensive European operations, and is known to collaborate with the NSA. But all emails are stored e2e encrypted, so this shouldn’t matter.

Tutanota encrypts messages with an AES-128 cipher, RSA-2048 handshake, and perfect forward secrecy, rather than using PGP. This enables it to encrypt email subject lines when sent to other Tutanota users but it means the system is not interoperable with “regular” PGP users.

3. Posteo

Price: €2 per month (expandable).

  • Pricing

    From $0 / month

Also based in Germany, Posteo is a somewhat different beast to Tutanota and ProtonMail. It is a secure email service that encrypts its server connections with TLS (using DANE and perfect forward secrecy), and stores all emails on AES-encrypted hard drives (key size unknown).

By default, Posteo is not an e2e encrypted service. e2e email encryption is supported, however, via “one-click” OpenPGP and S/MIME support within the browser. Recipients must have the same kind of encryption software installed on their computers (OpenPGP or S/MIME, whichever is used), but need not be Posteo users.

Posteo also runs its own PGP key directory, which is more private than conventional PGP key servers. The Roundcube web interface works well inside mobile browsers, but Posteo has no dedicated mobile apps. IMAP support, however, means that third-party email apps can be used with the service.

In 2013, this service proved its privacy chops by successfully resisting demands by the police for the identity of a Posteo account holder who was thought to be using the service for illicit purposes. The fact that it does not store any data on its customers' identities made handing over such information impossible.

4. Mailfence

Price: Free (500 MB / 1 address), €2.50 per month (5 GB / 10 addresses), €7.50 per month (20 GB / 50 addresses)

  • Pricing

    From $0 / month

Mailfence is based in Belgium, a country with strong privacy laws and no track record of cooperation with the NSA and GCHQ. ISPs are required to perform extensive blanket data retention, but access to this data is strictly regulated and requires a warrant.

Mailfence uses easy “one-click” OpenPGP encryption to secure emails and emails sent to other Mailfence users are encrypted automatically (and do not leave Mailfence’s servers).

Emails to non-members can sent encrypted by PGP, or sent unencrypted but digitally signed with a PGP key. Alternatively, symmetric-encrypted emails can be sent to non-PGP users using a shared secret to secure them.

And because Mailfence uses a standard implementation of OpenPGP with full key management available, the service is interoperable with “regular” PGP users. Mailbox runs its own key server. PGP keys are generated in the browser and stored on Mailfence’s servers using an AES-256 cipher.

The browser-based PGP encryption is open-source, but much of the backend environment is closed-source. Deleted messages are kept for two weeks for backup purposes. More worrying is that Mailfence logs all email metadata, including “IP addresses, message-ID’s, sender and recipient addresses, subjects, browser versions, countries and timestamps.”

A big draw for this service is that it provides secure and exportable calendars and secure document storage.

Unfortunately, Mailfence does not currently offer any mobile apps, although messages can be synced to iOS and Android devices using Microsoft Exchange ActiveSync and supports for POP and IMAC means you can use third-party apps with the service (paid users only). It also offers a cut-down web interface specially designed for mobile devices.

5. StartMail

  • Pricing

    From $0 / month

StartMail is a privacy-focused email service operated by the people who also run the StartPage privacy search engine.

Because of its integrated use of PGP, StartMail is fully interoperable with other PGP users. It is also possible to send encrypted emails to non-PGP users, who must know a secret chosen by you in order to open the email.

One of the most notable features of this service is that PGP encryption is performed serverside. In other words, it is not end-to-end. StartPage cites the very real problems with JavaScript-based browser encryption that we discussed in the introduction to this article as the reason for this, but it is undoubtedly a controversial decision.

This situation is not helped by the fact that StartPage uses a mix of both open source and closed source components.

StartMail is based in the Netherlands. Much like Switzerland, this is a country traditionally seen as privacy-friendly but which has recently passed alarming new surveillance laws.

One thing we really like with StartMail is the ability to create unlimited disposable email addresses. There are no dedicated mobile apps, but full IMAP and SMTP support means you can use any third-party email app with the service.

6. Mailbox.org

  • Pricing

    From $0 / month

Like Tutanota, mailbox.org is based in Germany. This has strict privacy laws, but also practices widespread surveillance of its own, provides the base for the NSA’s extensive European operations, and is known to collaborate with the NSA.

PGP encryption can be performed serverside for convenience, but this not end-to-end. mailbox.org mitigates this problem by also requiring a password to access encrypted emails, which is known only to the account user. A certain level of trust is still required, however.

Alternatively, you can e2e encrypt PGP emails in your browser using the Mailvelope browser add-on, which has been pre-configured to work with mailbox.org without requiring any further configuration steps.

All sent and received emails are optionally stored in a PGP-encrypted Guard mailbox. Unencrypted emails are still vulnerable to interception during transit, but should be secure at rest. As with its serverside full PGP encryption of individual emails, Guard mailboxes are further secured by a password that only the user knows.

There are no mobile apps, but mailbox.org supports IMAP and POP for use with third-party email apps. Contacts and calendars can be synced to mobile via ActiveSync.

7. Neomailbox

  • Pricing

    From $0 / month

Neomailbox is based in Switzerland. As we discuss in our look at ProtonMail, uncertainly over how its new surveillance laws will be exercised undermines this country’s traditional reputation for being privacy-friendly.

Neomailbox does not allow you to send or receive PGP-encrypted emails, but it does provide the option to automatically encrypt emails stored on its servers using your public PGP key. This means Neomailbox cannot access your emails, but requires the use of external tools such as Mailvelope or Gpg4win in order to generate your PGP key pair.

Unlimited aliases are permitted with no advance setup, although these all use your unique subdomain name. These aliases can be blocked and unblocked at will, making them ideal for use as disposable addresses.

Honorable mentions

Disroot and Runbox are privacy-friendly email services that store emails on encrypted hard drives. They do not, however, offer any form of end-to-end encryption. Kolab Now is also a privacy-friendly email service but does not store emails encrypted.

When we initially published this article some three years ago the recently resurrected Lavabit service looked promising. Most of the promised privacy and security features have yet to materialize, however, and we have difficulty recommending any service based in the US (as evidenced rather dramatically by Lavabits own initial demise!).

Pretty Good Privacy (PGP)

PGP was developed as a protocol for securely encrypting emails, and although the original standard is no longer open source (it is now the property of Symantec), the Free Software Foundation has taken up the open-source banner in the form of the 100 percent interoperable OpenPGP standard.

The most traditional (and still the most secure) way to use PGP is GNU Privacy Guard (also known as GnuPG or just GPG). This is available for Windows, macOS, and Linux, with a standalone email client such as Claw-Mail or Thunderbird.

Although the basic program uses a simple command-line interface, more sophisticated versions are available for Windows (Gpg4win) and Mac (GPGTools). We have a guide to securing your email with Gpg4win guide elsewhere. It may well be worth reading through it to help understand how OpenPGP works.

Note that with PGP, the metadata - email addresses of sender and recipient, date and time of sending, and e-mail’s subject line- are not encrypted. Just the body and any attachments. And any service that wishes to be compatible with PGP will necessarily suffer the same limitations.

Another problem with PGP is that it does not use Perfect Forward Secrecy (PFS). So once keys for one encrypted email are broken, all other emails encrypted using the same keys will also be compromised. This is an area where e2e PGP email web services shine because the use of Diffie-Hellman or ECDE key exchanges in their TLS connections introduces PFS.

We should note that this is a problem that affects all implementations of PGP, including the email providers listed in this article.

Mailvelope - making PGP easier

Even a casual glance through our Gpg4win guide will amply demonstrate why PGP has not caught on with the public. It is complex to the point of being confusing and is hard to get right. Most of the e2e webmail services listed above use PGP, but aim to make it as user-friendly and “idiot-proof” as possible.

In this, they are largely successful, but at a price in security. As already discussed, browser-based cryptography is deeply flawed. A third option exists, however, that provides something of a “middle way”.

Mailvelope is an OpenPGP browser plugin that is much easier to use than the more traditional setup (although not as easy as “one-click” webmail solutions).

Self-hosted email

A more extreme option to all the above is to self-host your own email server. This can be done either on your own PC or on a rented server. To do so pretty much guarantees that Google and other big corporations will not be snooping on your emails (at least directly – they will still be able to read unencrypted emails sent to other users of their services).

Setting up and maintaining your own email server, however, is a non-trivial job for even the more technically inclined. And ensuring that it is secure is even harder. In fact, if not done right, running your own email server can be actively dangerous, as it can provide a false sense of security.

This is not to say it is impossible, and there are certainly privacy fanatics out there who swear by self-hosting their email. This is certainly a subject we may write a guide to at some point in the future!

Software such as Mail-in-a Box and Mailcow make the job easier by automating the process, but for maximum security, you should build your own server from scratch (so to speak). Great tutorials on how to do this can be found here and here.

Image credit: wk1003mike/shutterstock.com
Image credit: xaedes & jfreax & Acdx, PGP diagram, CC BY-SA 3.0

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

30 Comments

  1. Teikirisi

    on August 4, 2019
    Reply

    Countermail?

    1. Douglas Crawford replied to Teikirisi

      on August 5, 2019
      Reply

      Hi Teikirisi. Good call. I must admit that I'm not very familiar with CounterMail, but I will look more closely at it when I next update this article.

      1. Josh replied to Douglas Crawford

        on September 30, 2019
        Reply

        I suggest you look into Criptext. It uses Signal Protocol to encrypt all your messages, and your messages are stored on your devices only.

        1. Douglas Crawford replied to Josh

          on October 1, 2019
          Reply

          Hi Josh. Criptext is not open source (although it uses the open source Signal Protocol). This means that I, for one, will never trust it.

  2. michelle

    on June 24, 2018
    Reply

    I have had the neighbours from hell in the north of the UK, hacking all my emails for 4 years. They have been harassing me to death, stalking me at home and leaking all my personal information they get from my emails. It doesn't really help to pay for an encrypted email services if your Dell/Intel computer and Bill Gates team have granted a back access to let hackers target your laptop daily.

  3. Pooter

    on June 8, 2018
    Reply

    I am considering Startmail, I just want to clarify concerns about their .com domain. It was mentioned somewhere that in theory the u s a could seize the domain - what in effect does that mean, and if they did seize it could they do so without us Europeans knowing it had been seized? I just want an email service which stays in Europe, not spied on by those other people. Just my sense of privacy, not interested in pgp etc.

    1. Pooter replied to Pooter

      on June 13, 2018
      Reply

      If you sign up for posteo using the Deutsch page you will get a .de account!

    2. Pooter replied to Pooter

      on June 10, 2018
      Reply

      Thanks, that's partly reassuring. Can I complicate the question - some email providers only offer the main address as .com, but allow several aliases with choices of .de, .nl etc. Could one then safely avoid the hazard by only using the aliases, even if all emails received by these aliases go into the same inbox, which is the main .com one, if that makes sense?

      1. Douglas Crawford replied to Pooter

        on June 11, 2018
        Reply

        Hi Pooter, Not if the aliases simply redirect to the main .com domain. As I say, though, this is not a major problem because StartMail (or any other company) could simply use another domain if needed. This is exactly what happened for years with infamous torrent site The Pirate Bay - its domains kept on being seized (including .com), but it kept on just switching to new domains without any interruption to its service. Indeed, its enemies seem to have given up seizing its domains (for now) as even though it was seized in the past, it has kept its current .org domain for quite a while.

    3. Douglas Crawford replied to Pooter

      on June 9, 2018
      Reply

      Hi Pooter, Seizing the domain would simply mean that you would not be able to access the service using the domain name startmail.com. It would in no way affect the service itself, and would not compromise it in any way. Europeans would know because they would not be able to access the service on that domain. In such a situation it would be easy enough for Startmail to setup an alternative domain that is not under US control(for example .eu or.nl).

  4. Shane

    on June 5, 2018
    Reply

    Another provider that I have found with a good privacy focus is thexyz. Although they are based in Canada I like their stance on privacy with no ads, trackers etc. I have also found it to be very reliable with solid spam filtering.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives: