Tutanota Review

When email was developed back in the Seventies and early Eighties, it was a rarefied communication form used almost exclusively by a tiny set of post-grad university nerds. And so the need to make it private and secure simply never occurred to anyone involved at the time.

Fast-forward 40 or so years to a world in which email has become the default means of communication for almost the entire human race, with a staggering 293.6 billion emails sent every day!

But email is no more secure or private than it was back in the Seventies. This is a big problem in a world where most email providers scan their customers' emails in order to profile them for ever more targeted advertising, and in which governments perform mass surveillance operations on a scale that would make George Orwell’s Big Brother green with envy.

Following Edward Snowden’s shocking revelations in 2013 ProtonMail shook up the email industry by offering an end-to-end encrypted email service which focused on privacy and security. It wasn’t long before other services started to appear, one of the most prominent of which is Tutanota.

Our score: 4 / 5
Pricing: $13.23/mo - $66.00/mo
Free option: Available
Country: Germany

Pricing

Tutanota offers a very useful free plan, although its premium plan is hardly expensive. A pricier pro plan is also available, but this only really makes sense for businesses and the like. If you buy a yearly subscription then Tutanota throws in two months for free.

[Screenshot: Tutanota pricing plans]

Plans can be tailored to your needs by adding storage and email aliases at varying costs. Monthly subscriptions auto-renew by default.

Enterprise features such as calendar sharing and white label functionality are also available, although they are not covered in this review. Non-profit organizations (NPOs) are offered a 50% discount.

You can start with the free plan and upgrade at any time. Payment is via card or PayPal. Cryptocurrency payments are not accepted yet, but are on Tutanota’s roadmap.


Features (base Premium Plan)

  • E2e encrypted emails to other users
  • Can also send e2e encrypted emails to and receive them from non-Tutanota users
  • The entire email is encrypted - subject, body, and attachments
  • E2e encrypted storage
  • E2e encrypted address book
  • No ads
  • No IP logging
  • No phone number required (but also no anonymous payment yet)
  • Strips IP from sent emails
  • Attachments up to 25 MB
  • 1 GB storage
  • Custom domains
  • Unlimited search
  • 5 aliases
  • Inbox rules with smart filters
  • Encrypted calendar
  • Web app
  • Android and iOS apps
  • Desktop clients for Windows, macOS, and Linux (all beta)
  • Open-source
  • Eco-friendly
  • Spam detection
  • 2FA support
  • Secure Connect (see below)
  • Secure password reset

It is worth noting here that Tutanota does not use or support PGP, which may be a sticking point for some. Also not supported is the retrieval of emails via SMTP in third-party email clients, as this would not guarantee end-to-end encryption of the data.

Free users cannot use custom domains or aliases, have more limited search capabilities, and cannot set Inbox rules. On the other hand, free users can use Tutanota anonymously, since the only meaningful data Tutanota retains is payment details.

Aliases

Aliases are alternative email addresses tied to your account. You can have up to five aliases on the base premium plan, with the option to purchase more.

[Screenshot: adding an email alias]

Unlimited search

Every aspect of an email can be searched for, including a full-text search. The ability to search your emails may seem unremarkable, but being able to securely search encrypted data is no easy task. When search is enabled, the data is indexed and the search index is stored locally (which can use up more memory on your device).

Encrypted calendar

One of the biggest inconveniences when moving away from services such as Gmail is that many secure alternatives do not provide calendar functionality. Tutanota does, and it is easy to import your existing calendars using standard iCal files.

[Screenshot: the encrypted calendar]

Eco-friendly

The Tutanota data centers use 100% renewable energy.

2FA supported

Two-factor authentication is supported via U2F security keys (such as the YubiKey) and via TOTP authenticator apps such as FreeOTP+, OTP, Authenticator, and Authy.

Secure Connect

Secure Connect is an encrypted contact form that allows visitors to a website to contact its owners confidentially. Although this review concentrates on Tutanota as a personal email service, this feature is just too cool not to mention.

Privacy and security

Jurisdiction

Tutanota and its servers are based in Germany. This is a country known for its strong data privacy laws, and in 2018 was the first country to fully align its data protection legislation with the GDPR.

Despite this, Germany has enacted the EU Data Retention Directive (since struck down on human rights grounds) into local law. This came into force in 2016 and requires all telecommunications and internet service providers to retain user metadata for up to 10 weeks. According to Tutanota, however, the law explicitly excludes email communications.

Germany is a close ally of the United States, with the NSA basing its European headquarters in the country. The 2016 Communications Intelligence Gathering Act gave Germany’s Federal Intelligence Service (BND) extensive powers to monitor all internet traffic entering and leaving the country.

It should be noted, though, that thanks to Tutanota’s use of secure end-to-end encryption, even if emails are intercepted then only a very small amount of metadata is exposed.

Logs

Tutanota does not log IP addresses (unless required to in specific cases by law). It also strips IP addresses from sent emails, although it can still see the sender, the recipient, and when the email was sent.

The recipient email service will also be able to see this metadata. Other than that, all data is automatically encrypted both in the mailbox and in sent emails. This includes subject, content and attachments.

Tutanota clearly tracks subscriptions and payment details for paying customers.

Open-source

Tutanota’s web application and clients are all fully open source. This means that anyone qualified to do so can examine the code and audit it for weaknesses and deliberate backdoors.

Tutanota’s backend is not open-source, although this is planned for the future. This has invited criticism, but it should be stressed that encryption is performed client-side so it shouldn’t really matter what’s going on server-side.

Tutanota says that its web application was independently audited by SySS GmbH (way back in 2011), but we can find no corroboration for this, let alone an actual report of its findings. For what it's worth, the apps are just wrappers for the web application.

Technical security

All encryption is performed client-side, before data leaves your device, meaning that Tutanota offers end-to-end encryption (e2ee).

Emails between Tutanota users are encrypted using “a standardized, hybrid method consisting of a symmetrical and an asymmetrical algorithm,” these being AES-128 and RSA-2048, respectively.

In an age of almost ubiquitous AES-256 symmetric key encryption, the use of AES-128 might raise the odd eyebrow. But AES-128 is cryptographically secure, and its stronger key schedule arguably makes it more secure than AES-256.

Emails to non-Tutanota users are encrypted using AES-128. Passwords are hashed using bcrypt and SHA256. Connections to the Tutanota servers are secured using TLS. You can further improve the security of TLS connections by installing the DANE browser add-on.

This all sounds very secure, although a problem with all browser-based cryptography is that it is vulnerable to malicious code being pushed from compromised servers. Since the stand-alone clients are basically wrappers for the web interface, we presume this also applies to them.

Password reset

Interestingly, for an e2ee service, it is possible to reset your password using a recovery code. This recovery code can only be viewed by signing into your encrypted mailbox, and it is recommended that you store it offline somewhere.

The Tutanota website provides a huge amount of information, including good FAQs and plenty of easy-to-follow setup guides. Premium users can also ask for help via email.


Ease of use

In addition to the web console, Tutanota offers apps for Android, iOS, Windows, macOS, and Linux.

The web console

The beating heart of Tutanota is its web console, where you can do all the things you would normally expect of an email client. It even comes with an optional dark mode!

[Screenshot: the web console]

Premium users can configure sophisticated Inbox rules.

[Screenshot: Inbox rules]

Emails sent to other Tutanota users are seamlessly e2e encrypted. By default, emails sent to non-Tutanota users are also e2e encrypted and secured with a password of your choosing. A nice touch is that you can send the notification email in a very wide selection of languages.

[Screenshot: email encryption settings]

The recipient receives an email containing just a link to the content, which can only be opened with the password you specified. You will, of course, need to communicate this password to the recipient via other channels.

[Screenshot: sending an email]

The subject line is hidden, as are the body text and attachments. The IP address of the sender is also not shown. Sending an email to a non-Tutanota user creates a new encrypted mailbox for them, which only they can access using the agreed-upon password.

[Screenshot: Tutanota inbox]

From within their private mailbox non-Tutanota users can reply to your emails, and these replies will also be securely end-to-end encrypted!

This is an elegant solution for sending e2e encrypted emails to just about anybody, and to say that it is much easier than PGP is a serious understatement. Indeed, it's this feature that sets Tutanota apart from every other private and secure email service out there.

Although emails to non-users are sent confidentially by default, it is possible to send regular plain text emails as well when required.

The mobile apps

The Android and iOS apps are basically identical, although there is an optimized version available for the iPad. These are really just wrappers for the web console, and so provide the full range of features available through the web interface (including the calendar).

[Screenshot: the mobile apps]

The apps are available from the Google Play and Apple App stores, although Android users can also download a Google-free version of the app from F-Droid. Nice.

The desktop apps

The desktop apps for Windows, macOS, and Linux are officially labeled beta. This means there may be some bugs that need ironing out, and they may not be as secure as the web console or mobile apps.

That said, they are straight ports of the web console using Electron, rather than being true native clients. So there shouldn’t really be much that can go wrong.

[Screenshot: the Windows app]

Final thoughts

Tutanota is a good-looking and fully-featured email service. It does everything that the likes of Gmail does, without spying on you or targeting you with ads. No email service should be considered as secure as messaging apps such as Signal, but Tutanota is pretty darn secure.

Tutanota's free plan is very usable, although at around a dollar a month there is little excuse not to support Tutanota by upgrading to the Premium plan. Lack of any kind of PGP support may be a sticking point for some, but PGP is hard to use. So hard, in fact, that almost nobody does use it.

By ditching PGP, Tutanota allows you to send secure and private emails in a way that anyone will be able to open and reply to, which is quite an achievement. Unless you absolutely need PGP, there is little not to like about Tutanota.

We are not entirely convinced that Germany is the best place for such a service to be based, and the ability to pay anonymously with cryptocurrencies can't come soon enough, but overall we are very impressed by the service. We would be happy to recommend it.


Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

83 Comments

John
on May 15, 2020
Actually, good idea for email service - end2end encryption and others. BUT - very bad in reality. I saw some comments on this site, so I decided to add something from my experience. Web version of service is not so bad, even if it is not a good location of button to logout, to attach some file, especially settings options etc. Mobile app (for android) is very very bad. I think even a basic programmer will get a better idea for options. First - it is not acceptable to have an email app where without internet you cannot access your inbox. Second, if you try to access (with Wifi-off), you get some error. Trying to access it again with wifi-on - you get the same error. Even I tried to delete cache (but not logout) - same error. From my perspective as I already said - very bad. On the other hand - ProtonMail app for android is great! I think in the really near future I will choose the pay-option; why not pay for something that is earned to be paid? Options - disable taking screenshot while using app, pin option to lock the inbox (which works even on disabled wifi) and etc etc. Regards, John.
Douglas Crawford replied to John
on May 15, 2020
Hi John. Thanks for taking the time to write in with your experiences. I must say that I've never noticed that you need an internet connection to access your emails in the mobile app. I've just checked, though, and can confirm this is (annoyingly) correct.
Pey
on March 7, 2020
Thanks Douglas for the in-depth review. Could you kindly review CTemplar and /e/ (NextCloud) email services?
Douglas Crawford replied to Pey
on March 31, 2020
Hi Pey. Sorry for the delay in replying - we've had some issues with our comments system. Those are great suggestions, which I'll add to my to-do list. Thanks!
Ferdinand
on February 16, 2020
I'd like to note that this paragraph is wrong: "Following Edward Snowden’s shocking revelations in 2013 ProtonMail shook up the email industry by offering an end-to-end encrypted email service which focused on privacy and security. It wasn’t long before other services started to appear, one of the most prominent of which is Tutanota." Tutanota states in its About page that they were founded in 2011, which is supported by the Archive.org records of its website, the oldest of which goes back to February 2012 and shows that the service was in development with an expected release in Fall 2013. The Snowden revelations coincidentally happened in June of that year. ProtonMail was founded in the wake of them in 2014.
John replied to Ferdinand
on May 15, 2020
This sounds interesting. Thank you Pey!
Douglas Crawford replied to Ferdinand
on February 24, 2020
Hi Ferdinand. Hmm. Interesting. I've modified the text accordingly. Thanks.
Alex Song
on June 13, 2018
Based on my recent experience as a casual user, Tutanota's support team has been both unprofessional and uncommitted. Other users have reported to me the same kind of careless "follow up". Story short: they abruptly suspended my account. I contacted them since my password wouldn't allow for me to log in anymore and their answer was "Hi there, that account was used to send spam, so it was suspended. Cheers, Arne" As I said to them, I have never spammed anyone. My connections were also entirely secured, so no one else has logged in on the account besides me. I cannot log in or do anything with the email anymore. If it's happening to me, it has happened to others and will happen again. No detailed information. No resolution. "Account suspended. Cheers." I'm making sure people know how Tutanota handles extremely basic situations such as this one.
HS replied to Alex Song
on September 13, 2018
Thanks Alex, your comment helps.