Tutanota Review

When email was developed back in the Seventies and early Eighties, it was a rarefied communication form used almost exclusively by a tiny set of post-grad university nerds. And so the need to make it private and secure simply never occurred to anyone involved at the time.

Fast-forward 40 or so years to a world in which email has become the default means of communication for almost the entire human race, with a staggering 293.6 billion emails sent every day!

But email is no more secure or private than it was back in the Seventies. This is a big problem in a world where most email providers scan their customers' emails in order to profile them for ever more targeted advertising, and in which governments perform mass surveillance operations on a scale that would make George Orwell’s Big Brother green with envy.

Following Edward Snowden’s shocking revelations in 2013, ProtonMail shook up the email industry by offering an end-to-end encrypted email service which focused on privacy and security. It wasn’t long before other services started to appear, one of the most prominent of which is Tutanota.

Our Score: 4 / 5
Pricing: $13.23 - $66.00
Free option: Available
Country: Germany

Pricing

Tutanota offers a very useful free plan, although its premium plan is hardly expensive. A pricier pro plan is also available, but this only really makes sense for businesses and the like. If you buy a yearly subscription, then Tutanota throws in two months for free.


Plans can be tailored to your needs by adding storage and email aliases at varying costs. Monthly subscriptions auto-renew by default.

Enterprise features such as calendar sharing and white label functionality are also available, although they are not covered in this review. Non-profit organizations (NPOs) are offered a 50% discount.

You can start with the free plan and upgrade at any time. Payment is via card or PayPal. Cryptocurrency payments are not accepted yet, but are on Tutanota’s roadmap.


Features (base Premium Plan)

  • E2e encrypted emails to other users
  • Can also send e2e encrypted emails to and receive them from non-Tutanota users
  • The entire email is encrypted - subject, body, and attachment
  • E2e encrypted storage
  • E2e encrypted address book
  • No ads
  • No IP logging
  • No phone number required (but also no anonymous payment yet)
  • Strips IP from sent emails
  • Attachments up to 25 Mb
  • 1 Gb storage
  • Custom domains
  • MTA-STS support for custom domains
  • Unlimited search
  • 5 aliases
  • Inbox rules with smart filters
  • Encrypted calendar
  • Web app
  • Android and iOS apps
  • Desktop clients for Windows, macOS, and Linux (all beta)
  • Open-source
  • Eco-friendly
  • Spam detection
  • 2FA support
  • Secure Connect (see below)
  • Secure password reset

It is worth noting here that Tutanota does not use or support PGP, which may be a sticking point for some. Also not supported is the retrieval of emails via SMTP in third party email clients, as this would not guarantee end-to-end encryption for data.

Free users cannot use custom domains or aliases, have more limited search capabilities, and cannot set Inbox rules. On the other hand, free users can use Tutanota anonymously, since the only meaningful data Tutanota retains is payment details.

Aliases

Aliases are alternative email addresses tied to your account. You can have up to five aliases on the base premium plan, with the option to purchase more.


Unlimited search

Every aspect of an email can be searched, and full-text search is included. The ability to search your emails may seem unremarkable, but being able to securely search encrypted data is no easy task. When search is enabled, data is indexed and the search index is stored locally (which can use up more memory on your device).

Encrypted calendar

One of the biggest inconveniences when moving away from services such as Gmail is that many secure alternatives do not provide calendar functionality. Tutanota does, and it is easy to import your existing calendars using standard iCal files.

Eco-friendly

The Tutanota data centers use 100% renewable energy.

2FA supported

Two-factor authentication is supported via U2F security keys (such as the YubiKey) and via TOTP authenticator apps such as FreeOTP+, as well as OTP, Authenticator, and Authy.

Secure Connect

Secure Connect is an encrypted contact form that allows visitors to a website to contact its owners confidentially. Although this review concentrates on Tutanota as a personal email service, this feature is just too cool not to mention.

Privacy and security

Jurisdiction

Tutanota and its servers are based in Germany. This is a country known for its strong data privacy laws, and in 2018 was the first country to fully align its data protection legislation with the GDPR.

Despite this, it has enacted the now invalid-on-human-rights-grounds EU Data Retention Directive into local law. This came into force in 2016 and requires all telecommunications and internet service providers to retain user metadata for up to 10 weeks. According to Tutanota, however, the law explicitly excludes email communications.

Germany is a close ally of the United States, with the NSA basing its European headquarters in the country. The 2016 Communications Intelligence Gathering Act gave Germany’s Federal Intelligence Service (BND) extensive powers to monitor all internet traffic entering and leaving the country.

It should be noted, though, that thanks to Tutanota’s use of secure end-to-end encryption, even if emails are intercepted, only a very small amount of metadata is exposed.

Logs

Tutanota does not log IP addresses (unless required to in specific cases by law). It also strips IP addresses from sent emails, although it can still see the sender, the recipient, and when the email was sent.

The recipient email service will also be able to see this metadata. Other than that, all data is automatically encrypted both in the mailbox and in sent emails. This includes subject, content and attachments.

Tutanota clearly tracks subscriptions and payment details for paying customers. 

Open-source

Tutanota’s web application and clients are all fully open source. This means that anyone qualified to do so can examine the code and audit it for weaknesses and deliberate backdoors.

Tutanota’s backend is not open-source, although this is planned for the future. This has invited criticism, but it should be stressed that encryption is performed client-side so it shouldn’t really matter what’s going on server-side.

Tutanota says that its web application was independently audited by Syss GmbH (way back in 2011), but we can find no corroboration for this, let alone an actual report of its findings. For what it's worth, the apps are just wrappers for the web application. 

Technical security

All encryption is performed client-side before it leaves your device, meaning that Tutanota offers end-to-end-encryption (e2ee).

Emails between Tutanota users are encrypted using “a standardized, hybrid method consisting of a symmetrical and an asymmetrical algorithm.” These being AES-128 and RSA-2048, respectively.

In an age of almost ubiquitous AES-256 symmetric key encryption, the use of AES-128 might raise the odd eyebrow. But it is cryptographically secure, and a stronger key schedule makes it arguably more secure than AES-256.

Emails to non-Tutanota users are encrypted using AES-128. Passwords are hashed using bcrypt and SHA256. Connections to the Tutanota servers are secured using TLS. You can further improve the security of TLS connections by installing the DANE browser add-on.

This all sounds very secure, although a problem with all browser-based cryptography is that it is vulnerable to malicious code being pushed from compromised servers. Since the stand-alone clients are basically wrappers for the web interface, we presume this also applies to them.

Tutanota is even doing its best to future-proof itself, knowing that emails stored today could easily be decrypted with the next leap in technology. Partnering with the L3S Research of the Leibniz University of Hanover on a project dubbed PQmail, Tutanota hopes to make the service resistant to quantum computing. Of course, we can't talk much about the technology until it becomes a reality.

MTA-STS for custom domains

It is also worth noting that Tutanota has now teamed up with Let’s Encrypt to provide SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) not only for primary mail domains but also for user-created custom domains.

MTA-STS is an important new standard that improves the security of SMTP by allowing domain owners to opt into strict transport layer security that requires authentication and encryption. This improves security by preventing targeted downgrade attacks and DNS spoofing attacks.

This is a rare feature, because the vast majority of email services do not provide this important security measure for custom domains at all. And it is nice to see Tutanota now providing automatic handling of TLS certs for custom domains.

Password reset

Interestingly, for an e2ee service, it is possible to reset your password using a recovery code. This recovery code can only be viewed by signing into your encrypted mailbox, and it is recommended that you store it offline somewhere.

The Tutanota website provides a huge amount of information, including good FAQs and plenty of easy-to-follow setup guides. Premium users can also ask for help via email.


Ease of use

In addition to the web console, Tutanota offers apps for Android, iOS, Windows, macOS, and Linux.

The web console

The beating heart of Tutanota is its web console, where you can do all the things you would normally expect of an email client. It even comes with an optional dark mode!


Premium users can configure sophisticated Inbox rules.


Emails sent to other Tutanota users are seamlessly e2e encrypted. By default, emails sent to non-Tutanota users are also e2e encrypted and secured with a password of your choosing. A nice touch is that you can send the notification email in a very wide selection of languages. 


The recipient receives an email containing just a link to the content, which can only be opened with the password you specified. You will, of course, need to communicate this password to the recipient via other channels.


The subject line is hidden, as is all text and attachments. The IP address of the sender is also not shown. Sending an email to a non-Tutanota user creates a new encrypted mailbox for them, which only they can access using the agreed-upon password.


From within their private mailbox, non-Tutanota users can reply to your emails, and these replies will also be securely end-to-end encrypted!

This is an elegant solution for sending e2e encrypted emails to just about anybody. To say that’s much easier than PGP is a serious understatement. Indeed, it's this feature that sets Tutanota apart from every other private and secure email service out there.

Although emails to non-users are sent as confidential by default, it is possible to send regular plain text emails as well when required.

The mobile apps

The Android and iOS apps are basically identical, although there is an optimized version available for the iPad. These are really just wrappers for the web console, and so provide the full range of features available through the web interface (including the calendar).


The apps are available from the Google and Android stores, although Android users can also download a Google-free version of the app from F-Droid. Nice.

The desktop apps

The desktop apps for Windows, macOS, and Linux are officially labeled beta. This means there may be some bugs that need ironing out, and they may not be as secure as the web console or mobile apps.

That said, they are straight ports of the web console using Electron, rather than being true native clients. So there shouldn’t really be much that can go wrong.


Final thoughts

Tutanota is a good-looking and fully featured email service. It does everything that the likes of Gmail do, without spying on you or targeting you with ads. No email service should be considered as secure as messaging apps such as Signal, but Tutanota is pretty darn secure.

Tutanota's free plan is very usable, although at around a dollar a month there is little excuse not to support Tutanota by upgrading to the Premium plan. Lack of any kind of PGP support may be a sticking point for some, but PGP is hard to use. So hard, in fact, that almost nobody does use it. 

Ditching PGP, Tutanota allows you to send secure and private emails in a way that anyone will be able to open and reply to, which is quite an achievement. Unless you absolutely need PGP, then there is little not to like about Tutanota. 

We are not entirely convinced that Germany is the best place for such a service to be based, and the ability to pay anonymously with cryptocurrencies can't come soon enough, but overall we are very impressed by the service. We would be happy to recommend it as it stands, but Tutanota isn't resting on its laurels as there is plenty more work to be done.


Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

95 Comments

Jon
on February 20, 2024
tutanota.com seems to work fine for me
axlben
on May 1, 2023
Looking at many of these - negative - comments I have to add my recent impressions of this service I've been using during the last three months. I think it's a great alternative to pgp and any mail client. I do also use pgp but there are friends, family members and clients in a professional context who don't have the abilities to create and use a pgp based mail client. All of them could use this service. During the last three months not a single email was NOT sent or received regardless if encrypted or not (you have the option to send mails not encrypted just like "normal" mails). I switched to a paid subscription after six weeks of testing. I have integrated my own domain and this also works smoothly. If you want to delete your account, you don't have to contact customer service but can do it via a button in the setting area. Finally, the previously illegal data retention was also suspended following a ruling by the ECJ in September 2022. Of course, one does not know what will follow here, but against the background of European case law, it is unlikely that such far-reaching data retention will occur. So, as for me, I'm very happy with this service. It's simply working! :)
pat
on December 3, 2022
i TRIED to sign up and got nowhere-and no customer service--and no help--i need a backup for my so-called free email from AT&T that never works-and they also gaslight their customers with either or demands that do not work--SOMEONE told me to get a secondary email like this to have a place to receive password resets for my ATT account--but now Tutanota will not function for me either and there is no customer support--i am not a computer geek-a senior with vision problems-and no cell phone of my own. Very discouraging-Tutanota was my hope to have a backup email service and that does not work either-and no way to communicate from my landline-no service number to sort out why it is not letting me sign up--ANY IDEAS?
Silvia
on September 7, 2022
This email does not work. It can't send or receive emails. If you doubt, just duckduckgo the expression "why tutanota does not work?" People can't receive email from tutanota. So far I have received nothing and several people had emailed me, they have not received my emails either... tutanota says "undeliverable" to every email even though the address is correct... don't waste your time opening an account
NewToTutaNota replied to Silvia
on November 21, 2022
Sylvia and Sky, I have not had that unfortunate experience at all. So far, I have had the free version for about a month, and all sent emails have quickly arrived at their destinations, and all emails expected have quickly arrived in my Inbox. No problems at all, so far.
