Secure Privacy Email Options 2020

These are the most secure privacy email options

  1. ProtonMail
  2. Tutanota
  3. Posteo
  4. Mailfence
  5. StartMail
  6. Mailbox.org

In this article on secure privacy email options, we look at various ways to make your email more, well… secure and private. We pay particular attention to the relatively new breed of end-to-end encrypted webmail services, but also survey the pros and cons of more traditional alternatives.

Email is not private or secure

As a technology, email was not designed with privacy or security in mind. The need for such, in fact, never crossed the minds of the early pioneers of networking. So, when it later became clear that internet consumers were unwilling to pay for the hugely expensive and complex technologies they use every day and with hardly a second thought, email providers had an easy way at hand to monetize their services.

The most successful business model was developed by Google, which realized that an individual’s personal data is incredibly valuable. The more of it you collect, the more valuable it is.

After all, if you have a good idea of what a person does and doesn't like, where they go, what their hobbies are, and who they hang out with, then it is easy to target them with products and services that they are likely to be interested in purchasing. Cha-ching!

Now, you may know that Google tracks your search history and your browsing habits to get an idea of your interests, but did you know that Google scans all emails sent via its Gmail service? And this doesn't mean only messages sent between Gmail users, but any emails sent to Gmail users from other email services as well! That all seems excessively invasive, and it certainly is.

In 2017 Google somewhat disingenuously announced that it would no longer scan emails in order to target users with tailored ads, but this does not mean it has stopped scanning emails for other purposes. Its much-touted AI-based smart reply feature proves this beyond all doubt, as does its full list of everything you have purchased from any online retailer since 2015!

Government spying

Whatever the situation with Google, it is normal for email services to scan users’ emails for advertising purposes.

And what can be collected for advertising revenue is also incredibly valuable to “collect it all” security agencies such as the NSA.

Google cooperated with the NSA to spy on its users for years and only stopped when caught with its pants down by Edward Snowden’s revelations in 2013. Or at least it claims to have stopped. Yahoo, on the other hand, continued to betray its users to the NSA right up until at least October 2016.

Pay for It!

As the old adage goes, “if you aren’t paying for a product, then you are the product.”

There are some free, secure email services out there; however, they often have data caps and do not include all the features offered by the premium version of the service.

It costs a lot of money and time to run an email service, so you need to consider very carefully how that service is funded. Services such as RiseUp and Autistici are run by politically motivated activists and are designed primarily to provide privacy for similarly minded activists.

Such services are willing to run at a financial loss thanks to the political ideology of their founders. As such, they are small and not very well-funded. Users should certainly consider donating towards them if they can afford to do so.

PGP-encrypted emails can be securely sent over any regular email service, but the simple reality is that very few of your contacts (if any) will also use PGP. This means that you will still require a private email service for day-to-day use…

All browser-based encryption is insecure

Webmail services are very convenient, as they can be easily accessed from within any web browser. Unfortunately, cryptography in browsers is implemented using JavaScript, and JavaScript cryptography in browsers is inherently insecure.

This is because a compromised server or a man-in-the-middle attack can push compromised encryption keys to both your browser and your recipient’s browser.

Does this make webmail services useless? No. It all depends on your threat model. For most users, they are probably absolutely fine. But no webmail service is going to be anywhere near as secure as using PGP with a dedicated email client.

If you access an encrypted webmail service via its mobile app or a dedicated email client only (i.e. not through a browser), then this issue does not apply.

Use Signal Instead

I have recently come to the conclusion that e-mail is fundamentally unsecurable. The things we want out of e-mail, and an e-mail system, are not readily compatible with encryption. I advise people who want communications security to not use e-mail, but instead use an encrypted message client like OTR or Signal.

Bruce Schneier

Encrypted messaging apps are much easier to use than PGP (what isn’t?!), and are much more secure than any kind of email. Signal messenger is widely regarded as the most secure way to communicate with another person yet devised, short of actually whispering something into their ear.

Signal is, therefore, the best solution currently available for keeping the actual contents of messages secure. OTR is also a good option for desktop users.

End-to-end (e2e) privacy Email services

Why use a privacy-focused email service?

If you need a conversation to be as private as possible, then use Signal instead of email. But the simple fact of the matter is that email is not going away, and it remains the single most popular means of communicating on the planet. Using a private and secure email service of the kind described below means:

The best Private Email services

ProtonMail provides users all the convenience and functionality of a webmail service, along with all the security and privacy features you require.

  • Free option: Yes
  • Pricing: from $4.00 - $8.00

ProtonMail was the first in a post-Snowden “new-wave” of webmail services that aim to provide all the functionality of Gmail and its ilk, but which respect users’ privacy and provide full end-to-end encryption (e2ee) for emails.


Users can send anyone an encrypted email, to which they can also respond securely.


ProtonMail is based in Switzerland, which has strong privacy laws and is outside the NSA and GCHQ’s direct area of influence. Being based there is therefore usually considered a strong feature of the service.


Newly passed government surveillance laws are worrying, however, and despite reassurances from ProtonMail, it is still unclear if these laws affect services such as ProtonMail.


The great news is that ProtonMail introduced full OpenPGP support in 2018. This means users can send PGP encrypted emails to non-ProtonMail contacts, and open PGP encrypted emails sent to their ProtonMail account.


Please see our ProtonMail Review for an in-depth look at this service.

Tutanota offers users excellent security with perfect forward secrecy.

  • Free option: Yes
  • Pricing: from $13.23 - $66.00

Tutanota is similar in many ways to ProtonMail, but the service is based in Germany, which can raise a few eyebrows amongst privacy-conscious users. Though Germany has strict privacy laws, the German government also practices widespread surveillance of its own, provides the base for the NSA’s extensive European operations, and is known to collaborate with the NSA. But since all emails are stored e2e encrypted, this shouldn’t matter.


Tutanota encrypts messages with an AES-128 cipher, RSA-2048 handshake, and perfect forward secrecy, rather than using PGP. This enables it to encrypt email subject lines when sent to other Tutanota users, but it means the system is not interoperable with “regular” PGP users.

Posteo guarantees complete privacy and insulates users from authorities by not storing any personally identifiable information.

  • Pricing: from $1.13

Also based in Germany, Posteo is a somewhat different beast to Tutanota and ProtonMail. It is a secure email service that encrypts its server connections with TLS (using DANE and perfect forward secrecy), and stores all emails on AES-encrypted hard drives (key size unknown).

By default, Posteo is not an e2e encrypted service. e2e email encryption is supported, however, via “one-click” OpenPGP and S/MIME support within the browser. Recipients must have the same kind of encryption software installed on their computers (OpenPGP or S/MIME, whichever is used), but need not be Posteo users.

Posteo also runs its own PGP key directory, which is more private than conventional PGP key servers. The Roundcube web interface works well inside mobile browsers, but Posteo has no dedicated mobile apps. IMAP support, however, means that third-party email apps can be used with the service.

In 2013, this service proved its privacy chops by successfully resisting demands by the police for the identity of a Posteo account holder who was thought to be using the service for illicit purposes. The fact that it does not store any data on its customers' identities made handing over such information impossible.

Mailfence is a Belgian-based provider, an excellent location for privacy.

  • Free option: Yes
  • Pricing: from $2.75 - $8.30

Mailfence is based in Belgium, a country with strong privacy laws and no track record of cooperation with the NSA and GCHQ. ISPs are required to perform extensive blanket data retention, but access to this data is strictly regulated and requires a warrant.


Mailfence uses easy “one-click” OpenPGP encryption to secure emails, and emails sent to other Mailfence users are encrypted automatically (and do not leave Mailfence’s servers).


Emails to non-members can be sent encrypted by PGP, or sent unencrypted, but digitally signed with a PGP key. Alternatively, symmetric-encrypted emails can be sent to non-PGP users using a shared secret to secure them.


And because Mailfence uses a standard implementation of OpenPGP with full key management available, the service is interoperable with “regular” PGP users. Mailbox runs its own key server. PGP keys are generated in the browser and stored on Mailfence’s servers using an AES-256 cipher.


The browser-based PGP encryption is open-source, but much of the back-end environment is closed-source. Deleted messages are kept for two weeks for backup purposes. More worrying is that Mailfence logs all email metadata, including “IP addresses, message-ID’s, sender and recipient addresses, subjects, browser versions, countries and timestamps.”


Other superb features Mailfence provides are secure and exportable calendars and secure document storage.


One potential drawback for some users is that Mailfence does not currently offer any mobile apps, although messages can be synced to iOS and Android devices using Microsoft Exchange ActiveSync, and support for POP and IMAP means you can use third-party apps with the service (paid users only). It also offers a cut-down web interface specially designed for mobile devices.

StartMail gives users the option to create unlimited disposable email addresses.

  • Pricing: from $4.99

StartMail is a privacy-focused email service operated by the same people who run the StartPage privacy search engine.


Because of its integrated use of PGP, StartMail is fully interoperable with other PGP users. It is also possible to send encrypted emails to non-PGP users, who must know a secret chosen by you in order to open the email.


One of the most notable features of this service is that PGP encryption is performed server side. In other words, it is not end-to-end. StartPage cites the very real problems with JavaScript-based browser encryption that we discussed in the introduction to this article as the reason for this, but it is undoubtedly a controversial decision.


This situation is not helped by the fact that StartPage uses a mix of both open source and closed source components.


StartMail is based in the Netherlands. Much like Switzerland, this is a country traditionally seen as privacy-friendly but which has recently passed alarming new surveillance laws.


One thing we really like with StartMail is the ability to create unlimited disposable email addresses. There are no dedicated mobile apps, but full IMAP and SMTP support means you can use any third-party email app with the service.

Mailbox.org provides users with the option to store sent and received emails in a PGP-encrypted Guard mailbox.

  • Free option: Yes

Like Tutanota, mailbox.org is based in Germany. The German government has strict privacy laws, but also practices widespread surveillance of its own, provides the base for the NSA’s extensive European operations, and is known to collaborate with the NSA.


PGP encryption can be performed server side for convenience, but this is not end-to-end. mailbox.org mitigates this problem by also requiring a password, known only to the account user, to access encrypted emails. A certain level of trust is still required, however.


Alternatively, you can e2e encrypt PGP emails in your browser using the Mailvelope browser add-on, which has been pre-configured to work with mailbox.org without requiring any further configuration steps.


All sent and received emails are optionally stored in a PGP-encrypted Guard mailbox. Unencrypted emails are still vulnerable to interception during transit, but should be secure at rest. As with its server-side full PGP encryption of individual emails, Guard mailboxes are further secured by a password that only the user knows.


There are no mobile apps, but mailbox.org supports IMAP and POP for use with third-party email apps. Contacts and calendars can be synced to mobile via ActiveSync.

Honorable mentions

Disroot and Runbox are privacy-friendly email services that store emails on encrypted hard drives. They do not, however, offer any form of end-to-end encryption. Kolab Now is also a privacy-friendly email service but does not store emails encrypted.

When we initially published this article several years ago, the recently resurrected Lavabit service looked promising. Most of the promised privacy and security features have yet to materialize, however, and we have difficulty recommending any service based in the US (as evidenced rather dramatically by Lavabit's own initial demise!).

Pretty Good Privacy (PGP)

PGP was developed as a protocol for securely encrypting emails, and although the original standard is no longer open source (it is now the property of Symantec), the Free Software Foundation has taken up the open-source banner in the form of the 100 percent interoperable OpenPGP standard.


The most traditional (and still the most secure) way to use PGP is GNU Privacy Guard (also known as GnuPG or just GPG). This is available for Windows, macOS, and Linux, and is used with a standalone email client such as Claws Mail or Thunderbird.

Although the basic program uses a simple command-line interface, more sophisticated versions are available for Windows (Gpg4win) and Mac (GPGTools). We have a Gpg4win guide to securing your email elsewhere on this site. It may well be worth reading through it to help understand how OpenPGP works.

Note that with PGP, the metadata (the sender’s and recipient’s email addresses, the date and time of sending, and the email’s subject line) is not encrypted; only the body and any attachments are. Any service that wishes to be compatible with PGP will necessarily suffer the same limitation.
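To make the limitation concrete, here is an added example (not code from the article or from any provider it reviews) that parses a constructed PGP/MIME message with Python’s standard library and reports exactly which fields a relay, the provider or a passive observer can read without any key. The names SAMPLE_PGP_MIME, is_pgp_mime and exposed_metadata are my own, and the armored block is a placeholder rather than real ciphertext.

```python
# Added illustration, not code from the article: shows what a PGP/MIME
# (RFC 3156) message leaves readable without any key. The sample is
# constructed by hand and its armored block is a placeholder, not real
# OpenPGP output.
import email
from email import policy
from email.message import EmailMessage

# Constructed sample in RFC 3156 layout; the BEGIN/END PGP MESSAGE block is a
# placeholder standing in for a real armored OpenPGP packet.
SAMPLE_PGP_MIME = b"""\
From: alice@example.org
To: bob@example.net
Subject: Q3 budget (confidential)
Date: Mon, 30 Mar 2020 10:15:00 +0000
Message-ID: <constructed-0001@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="pgp-boundary"

--pgp-boundary
Content-Type: application/pgp-encrypted

Version: 1

--pgp-boundary
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMAPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
=PLHD
-----END PGP MESSAGE-----

--pgp-boundary--
"""

# Headers every relay, the provider and any passive observer can read.
ENVELOPE_HEADERS = ("From", "To", "Subject", "Date", "Message-ID")


def is_pgp_mime(msg: EmailMessage) -> bool:
    """Check the RFC 3156 shape: multipart/encrypted wrapping a version part
    and an application/octet-stream part that carries the ciphertext."""
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if msg.get_param("protocol") != "application/pgp-encrypted":
        return False
    parts = list(msg.iter_parts())
    if len(parts) != 2:
        return False
    version_part, cipher_part = parts
    version_text = version_part.get_payload(decode=True).decode("ascii", "replace")
    return (version_part.get_content_type() == "application/pgp-encrypted"
            and "Version: 1" in version_text
            and cipher_part.get_content_type() == "application/octet-stream")


def exposed_metadata(raw: bytes) -> dict:
    """Return what is readable without a key: the envelope headers plus the
    size of the ciphertext part (message size is itself a side channel)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_pgp_mime(msg):
        raise ValueError("not a PGP/MIME message")
    ciphertext = list(msg.iter_parts())[1].get_payload(decode=True)
    return {
        "headers": {name: str(msg[name]) for name in ENVELOPE_HEADERS},
        "ciphertext_bytes": len(ciphertext),
        "armored": ciphertext.startswith(b"-----BEGIN PGP MESSAGE-----"),
    }
```

Run `exposed_metadata(SAMPLE_PGP_MIME)` and note that the subject line comes back verbatim while the body is only visible as an opaque armored blob and its length.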

Another problem with PGP is that it does not use Perfect Forward Secrecy (PFS). So once keys for one encrypted email are broken, all other emails encrypted using the same keys will also be compromised. This is an area where e2e PGP email web services shine, because the use of Diffie-Hellman or ECDHE key exchanges in their TLS connections introduces PFS.

We should note that this is a problem that affects all implementations of PGP, including the email providers listed in this article.

Mailvelope - making PGP easier

Even a casual glance through our Gpg4win guide will amply demonstrate why PGP has not caught on with the public. It is complex to the point of being confusing and is hard to get right. Most of the e2e webmail services listed above use PGP, but aim to make it as user-friendly and “idiot-proof” as possible.

In this, they are largely successful, but at a price in security. As already discussed, browser-based cryptography is deeply flawed. A third option exists, however, that provides something of a “middle way”.

Mailvelope is an OpenPGP browser plugin that is much easier to use than the more traditional setup (although not as easy as “one-click” webmail solutions).

Self-hosted email

A more extreme option to all the above is to self-host your own email server. This can be done either on your own PC or on a rented server. To do so pretty much guarantees that Google and other big corporations will not be snooping on your emails (at least directly – they will still be able to read unencrypted emails sent to other users of their services).

Setting up and maintaining your own email server, however, is a non-trivial job for even some of the most technically inclined among us. And ensuring that it is secure is even more difficult. In fact, if not done right, running your own email server can be actively dangerous, as it can provide a false sense of security.

This is not to say it is impossible, and there are certainly privacy fanatics out there who swear by self-hosting their email. This is a subject we may indeed write a guide to at some point in the future!

Software such as Mail-in-a-Box and Mailcow make the job easier by automating the process, but for maximum security, you should build your own server from scratch (so to speak). Great tutorials on how to do this can be found here and here.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and in international technology publications such as Ars Technica.

38 Comments

Samuel Meier
on March 29, 2020
Hello! The normal cost of an account at posteo.de is only 1€/month.
Douglas Crawford replied to Samuel Meier
on March 30, 2020
Hi Samuel. Hmm, I'm pretty sure I must have said the right price at the time this article was published, but you are right - the standard price is (now?) €1/month. Now updated. Thanks!
Emma
on January 4, 2020
Hi Douglas, I just found your website and some very useful suggestions. Thanks for that. For me, I prefer to use S/MIME to do email encryption, so do you have any recommendations or reviews about S/MIME encryption email clients? For example, the MeSince encryption email client or any others that provide email encryption and document digital signing; do you have any suggestions? I would very much appreciate your feedback! Thank you!
StarCat replied to Emma
on June 14, 2020
A Chinese "secure" email provider. That's a laugh. I'd stay far away from MeSince.
Douglas Crawford replied to Emma
on January 6, 2020
Hi Emma. Almost all email clients and webmail services (including Gmail, Apple Mail, Outlook etc.) support S/Mime encryption. I can't offer any concrete suggestions at the moment, but have slated S/Mime for a deep-dive article.
Emma replied to Douglas Crawford
on January 6, 2020
Thanks Douglas, waiting for the article about S/MIME! I am currently happy with MeSince; it's a good alternative to Gmail and Outlook, because I don't need to configure the certificates and exchange the public keys manually, the client does it for me automatically. It may be worth your having a look: https://www.mesince.com/en-us. I will keep an eye on similar clients that are easier to use than Gmail or Outlook.
Teikirisi
on August 4, 2019
Countermail?
Douglas Crawford replied to Teikirisi
on August 5, 2019
Hi Teikirisi. Good call. I must admit that I'm not very familiar with CounterMail, but I will look more closely at it when I next update this article.
Josh replied to Douglas Crawford
on September 30, 2019
I suggest you look into Criptext. It uses Signal Protocol to encrypt all your messages, and your messages are stored on your devices only.
Douglas Crawford replied to Josh
on October 1, 2019
Hi Josh. Criptext is not open source (although it uses the open source Signal Protocol). This means that I, for one, will never trust it.
Clarck replied to Douglas Crawford
on November 29, 2019
This is completely incorrect, yes, Criptext is open source. https://github.com/Criptext
Douglas Crawford replied to Clarck
on December 9, 2019
Hi Clarck. Ah. My bad. As I say, I'm not very familiar with the project. You are correct - it does seem to be open source. When I have time (and my editors allow!), I'll take a closer look.
michelle
on June 24, 2018
I have had the neighbours from hell in the north of the UK, hacking all my emails for 4 years. They have been harassing me to death, stalking me at home and leaking all my personal information they get from my emails. It doesn't really help to pay for an encrypted email services if your Dell/Intel computer and Bill Gates team have granted a back access to let hackers target your laptop daily.