Tutanota Review

Tutanota

When email was developed back in the Seventies and early Eighties, it was a rarefied communication form used almost exclusively by a tiny set of post-grad university nerds. And so the need to make it private and secure simply never occurred to anyone involved at the time.

Fast-forward 40 or so years to a world in which email has become the default means of communication for almost the entire human race, with a staggering 293.6 billion emails sent every day!

ProPrivacy.com Score 8 out of 10

Summary

But email is no more secure or private than it was back in the Seventies. This is a big problem in a world where most email providers scan their customers' emails in order to profile them for ever more targeted advertising, and in which governments perform mass surveillance operations on a scale that would make George Orwell’s Big Brother green with envy.

Following Edward Snowden’s shocking revelations in 2013, ProtonMail shook up the email industry by offering an end-to-end encrypted email service which focused on privacy and security. It wasn’t long before other services started to appear, one of the most prominent of which is Tutanota.

Pricing

Tutanota offers a very useful free plan, although its premium plan is hardly expensive. A pricier pro plan is also available, but this only really makes sense for businesses and the like. If you buy a yearly subscription then Tutanota throws in two months for free.

Tutanota Price

Plans can be tailored to your needs by adding storage and email aliases at varying costs. Monthly subscriptions auto-renew by default.

Enterprise features such as calendar sharing and white label functionality are also available, although these are not covered in this review. Non-profit organizations (NPOs) are offered a 50% discount.

You can start with the free plan and upgrade at any time. Payment is via card or PayPal. Cryptocurrency payments are not accepted yet, but are on Tutanota’s roadmap.

Features (base Premium Plan)

  • E2e encrypted emails to other users
  • Can also send e2e encrypted emails to and receive them from non-Tutanota users
  • The entire email is encrypted - subject, body, and attachment
  • E2e encrypted storage
  • E2e encrypted address book
  • No ads
  • No IP logging
  • No phone number required (but also no anonymous payment yet)
  • Strips IP from sent emails
  • Attachments up to 25 MB
  • 1 GB storage
  • Custom domains
  • Unlimited search
  • 5 aliases
  • Inbox rules with smart filters
  • Encrypted calendar
  • Web app
  • Android and iOS apps
  • Desktop clients for Windows, macOS, and Linux (all beta)
  • Open-source
  • Eco-friendly
  • Spam detection
  • 2FA support
  • Secure Connect (see below)
  • Secure password reset

It is worth noting here that Tutanota does not use or support PGP, which may be a sticking point for some. Also not supported is the retrieval of emails via SMTP in third-party email clients, as this would not guarantee end-to-end encryption of the data.

Free users cannot use custom domains or aliases, have more limited search capabilities, and cannot set Inbox rules. On the other hand, free users can use Tutanota anonymously, since the only meaningful data Tutanota retains is payment details.

Aliases

Aliases are alternative email addresses tied to your account. You can have up to five aliases on the base premium plan, with the option to purchase more.

Add email alias

Unlimited search

Every aspect of an email can be searched for, including a full-text search. The ability to search your emails may seem unremarkable, but being able to securely search encrypted data is no easy task. When search is enabled, data is indexed and the search index is stored locally (and can use up more storage on your device).

Encrypted calendar

One of the biggest inconveniences when moving away from services such as Gmail is that many secure alternatives do not provide calendar functionality. Tutanota does, and it is easy to import your existing calendars using standard iCal files.

Encrypted calendar

Eco-friendly

The Tutanota data centers use 100% renewable energy.

2FA supported

Two-factor authentication is supported via U2F security keys (such as the YubiKey) and via TOTP authenticator apps such as FreeOTP+, as well as OTP, Authenticator, and Authy.

Secure Connect

Secure Connect is an encrypted contact form that allows visitors to a website to contact its owners confidentially. Although this review concentrates on Tutanota as a personal email service, this feature is just too cool not to mention.

Privacy and security

Jurisdiction

Tutanota and its servers are based in Germany. This is a country known for its strong data privacy laws, and in 2018 was the first country to fully align its data protection legislation with the GDPR.

Despite this, it has enacted the EU Data Retention Directive (since invalidated on human-rights grounds) into local law. This came into force in 2016 and requires all telecommunications and internet service providers to retain user metadata for up to 10 weeks. According to Tutanota, however, the law explicitly excludes email communications.

Germany is a close ally of the United States, with the NSA basing its European headquarters in the country. The 2016 Communications Intelligence Gathering Act granted Germany’s Federal Intelligence Service (BND) extensive powers to monitor all internet traffic entering and leaving the country.

It should be noted, though, that thanks to Tutanota’s use of secure end-to-end encryption, even if emails are intercepted then only a very small amount of metadata is exposed.

Logs

Tutanota does not log IP addresses (unless required to in specific cases by law). It also strips IP addresses from sent emails, although it can still see the sender, the recipient, and when the email was sent.

The recipient email service will also be able to see this metadata. Other than that, all data is automatically encrypted both in the mailbox and in sent emails. This includes subject, content and attachments.

Tutanota clearly tracks subscriptions and payment details for paying customers. 

Open-source

Tutanota’s web application and clients are all fully open source. This means that anyone qualified to do so can examine the code and audit it for weaknesses and deliberate backdoors.

Tutanota’s backend is not open-source, although this is planned for the future. This has invited criticism, but it should be stressed that encryption is performed client-side so it shouldn’t really matter what’s going on server-side.

Tutanota says that its web application was independently audited by SySS GmbH (way back in 2011), but we can find no corroboration for this, let alone an actual report of its findings. For what it's worth, the apps are just wrappers for the web application.

Technical security

All encryption is performed client-side before data leaves your device, meaning that Tutanota offers end-to-end encryption (e2ee).

Emails between Tutanota users are encrypted using “a standardized, hybrid method consisting of a symmetrical and an asymmetrical algorithm,” these being AES-128 and RSA-2048 respectively.

In an age of almost ubiquitous AES-256 symmetric-key encryption, the use of AES-128 might raise the odd eyebrow. But it is cryptographically secure, and its stronger key schedule arguably makes it more secure than AES-256.

Emails to non-Tutanota users are encrypted using AES-128. Passwords are hashed using bcrypt and SHA256. Connections to the Tutanota servers are secured using TLS. You can further improve the security of TLS connections by installing the DANE browser add-on.

This all sounds very secure, although a problem with all browser-based cryptography is that it is vulnerable to malicious code being pushed from compromised servers. Since the stand-alone clients are basically wrappers for the web interface, we presume this also applies to them.

Password reset

Interestingly, for an e2ee service, it is possible to reset your password using a recovery code. This recovery code can only be viewed by signing into your encrypted mailbox, and it is recommended that you store it offline somewhere.

The Tutanota website provides a huge amount of information, including good FAQs and plenty of easy-to-follow setup guides. Premium users can also ask for help via email.

Ease of use

In addition to the web console, Tutanota offers apps for Android, iOS, Windows, macOS, and Linux.

The web console

The beating heart of Tutanota is its web console, where you can do all the things you would normally expect of an email client. It even comes with an optional dark mode!

The web console

Premium users can configure sophisticated Inbox rules.

Inbox rules send recipient

Emails sent to other Tutanota users are seamlessly e2e encrypted. By default, emails sent to non-Tutanota users are also e2e encrypted and secured with a password of your choosing. A nice touch is that you can send the notification email in a very wide selection of languages. 

Email encryption settings

The recipient receives an email containing just a link to the content, which can only be opened with the password you specified. You will, of course, need to communicate this password to the recipient via other channels.

sending an email

The subject line is hidden, as is all text and attachments. The IP address of the sender is also not shown. Sending an email to a non-Tutanota user creates a new encrypted mailbox for them, which only they can access using the agreed-upon password.

tutanota inbox

From within their private mailbox non-Tutanota users can reply to your emails, and these replies will also be securely end-to-end encrypted!

This is an elegant solution for sending e2e encrypted emails to just about anybody; to say that it’s much easier than PGP is a serious understatement. Indeed, it's this feature that sets Tutanota apart from every other private and secure email service out there.

Although emails to non-users are sent confidentially by default, it is possible to send regular plain text emails as well when required.

The mobile apps

The Android and iOS apps are basically identical, although there is an optimized version available for the iPad. These are really just wrappers for the web console, and so provide the full range of features available through the web interface (including the calendar).

the mobile apps

The apps are available from the Google Play and Apple app stores, although Android users can also download a Google-free version of the app from F-Droid. Nice.

The desktop apps

The desktop apps for Windows, macOS, and Linux are officially labeled beta. This means there may be some bugs that need ironing out, and they may not be as secure as the web console or mobile apps.

That said, they are straight ports of the web console using Electron, rather than being true native clients. So there shouldn’t really be much that can go wrong.

windows app

Final thoughts

Tutanota is a good looking and fully-featured email service. It does everything that the likes of Gmail do, without spying on you or targeting you with ads. No email service should be considered as secure as messaging apps such as Signal, but Tutanota is pretty darn secure.

Tutanota's free plan is very usable, although at around a dollar a month there is little excuse not to support Tutanota by upgrading to the Premium plan. Lack of any kind of PGP support may be a sticking point for some, but PGP is hard to use. So hard, in fact, that almost nobody does use it. 

Ditching PGP, Tutanota allows you to send secure and private emails in a way that anyone will be able to open and reply to. Which is quite an achievement. Unless you absolutely need PGP then there is little not to like about Tutanota. 

We are not entirely convinced that Germany is the best place for such a service to be based, and the ability to pay anonymously with cryptocurrencies can't come soon enough, but overall we are very impressed by the service. We would be happy to recommend it. 

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

76 Comments

  1. Alex Song

    on June 13, 2018

    Based on my recent experience as a casual user, Tutanota's support team has been both unprofessional and uncommitted. Other users have reported to me the same kind of careless "follow up". Story short: they abruptly suspended my account. I contacted them since my password wouldn't allow for me to log in anymore and their answer was "Hi there, that account was used to send spam, so it was suspended. Cheers, Arne" As I said to them, I have never spammed anyone. My connections were also entirely secured, so no one else has logged in on the account besides me. I cannot log in or do anything with the email anymore. If it's happening to me, it has happened to others and will happen again. No detailed information. No resolution. "Account suspended. Cheers." I'm making sure people know how Tutanota handles extremely basic situations such as this one.

    1. HS replied to Alex Song

      on September 13, 2018

      Thanks Alex, your comment helps.

  2. knightdragon

    on June 16, 2017

    I have created two email accounts, both times even if I punch in the correct password I am told that it is invalid. What is up?

    1. Douglas Crawford replied to knightdragon

      on June 19, 2017

      Hi knightdragon, I'm afraid that you need to ask Tutanota's support about this.

  3. tutavsprot

    on May 11, 2017

    ProtonMail Allegedly Proxied by Israeli Firm with IDF Links https://cryptome.org/2015/11/protonmail-ddos.htm Protonmail has routed all their server to Israeli Radware for scanning for DDos attacks BUT Israeli IDF spy network now has total a grip of protonmail privacy. Is this really an issue? Just because a company has done business with the Israeli military, does that make it a tool of and spy for that industry? ProtonMail is/was under large scale DDoS attack, with bold and resourced attackers unafraid to cause collateral damage to provider infrastructure. ProtonMail said likely attacker is/was nation-state. ProtonMail subsequently announced they received support to filter the attack, rescuing the service. Let us examine final 5 traceroute hops to ProtonMail: 6. be2115.agr21.fra03.atlas.cogentco.com 7. 149.6.141.150 8. 10.1.100.3 9. ??? 10. 185.70.40.182 Hop 7 is "Internet Binat" based in Israel. %rwhois V-1.5:0010b0:00 rwhois.cogentco.com (CGNT rwhoisd 0.0.0) network:ID:NET4-95068D941E network:Network-Name:NET4-95068D941E network:IP-Network:149.6.141.148/30 network:Org-Name:Internet Binat network:Street-Address:Habarzel 27 Tel Aviv Or Building A 69710 Israel network:City:tel aviv network:Country:IL network:Tech-Contact:ZC108-ARIN network:Updated:2015-07-08 17:07:25 Internet Binat is synonymous with "Bynet Data Communications" which built the Israeli Defense Forces "cloud" server farm, and the IDF Intelligence Corps "technology campus" in the Negev, in deals brokered by Lockheed Martin. http://www.israeldefense.co.il/en/content/defense-sector-will-switch-cloud-computing-nevertheless http://www.globes.co.il/en/article-1000849860 Binat and Bynet spell their names identically (vet-yud-nun-tuff) in Hebrew, share the same Habarzel 27 address, and are linked by Binat CEO Shmulik Haber. 
https://il.linkedin.com/in/shmulik-haber-9871a94 Likely the DDoS attack on ProtonMail was orchestrated to follow with an offer of generous "help" it could not refuse, necessarily a re-route of all traffic through third-party "anti-DDoS" systems. Now the "Switzerland" based privacy firm is proxied by an Israeli firm for traffic analysis, network exploitation of users, cryptographic monkeying. Israeli expertise in the latter is unmatched. Classic gov-mil cyber op with great PR happy ending for exploited asset. Users of ProtonMail must not fret; they got lucky with this fumble. Don't trust this security faker; don't trust the next one. https://protonmail.com/support/knowledge-base/protonmail-israel-radware/ They explain first that they work with Radware, which has offices all over the world. I think they work with the German office. But the headquarters is in Israel. Further, all the traffic for DDoS filtering goes through encrypted tunnels. The traffic, when DDoS filtering is active, goes through servers in Germany, not Israel. So it's is false that they are proxied in Israel--both because that's not where the servers are and because they are not being "proxied," which is a misunderstanding of the technology being used. And lastly when they setup the DDoS filtering they went out of their way to find a solution that did not affect the privacy of Protonmail, which required a more expensive complex solution than basic DNS protection. Do you know where in germany ? At frankfurt !!! Frankfurt where was located the nsa team ... proton mail is compromised , works with the nsa by a contract with an israely firm. Protonmail runs a smart challenge for an ideal (free software on the front-end - unknown back-end) & for their private ambition (education & origin & competence - not mature : borderline -) applying a trick & tip plan, repeats that they learnt blindly : make money without conscience, morality, involvement. 
That is their signature where the frontier between scam & corruption brings trouble & confusion. More importantly, the article focuses on one of the hops when you connect to Protonmail's servers. But you also hop through a whole slew of other servers that could also do traffic analysis. We already know that NSA can and does set up servers on the internet backbone to watch traffic. I feel that protonmail attacks has came from the same people who offered Protonmail an offer that they could not refuse. ProtonMail seems to be just a good business oriented email provider with bunch of folks coming from elite universities claiming that switzerland is the safest country for encrypted email provider. I don’t see a reason why it has to be in Switzerland, since it should be encrypted in a way that there is no possibility for decryption. Tutanota does it that way and then it doesnt matter anymore where the servers are, except of the USA where such email provider company cannot even start to operate. So any user of an encrypted email service like Protonmail should probably assume that using such a service means they're email traffic is being watched. If Protonmail's encryption can't handle that, then it's a useless service anyway. And indeed, the whole reason there are encrypted email services to begin with is because email traffic is being watched. Users should already assume their traffic is being analyzed and intercepted. That's why they use encryption. Much is made of the fact that ProtonMail is based in Switzerland (or at least its servers are, the team hails from Harvard University in the US), which because of its strict privacy laws is widely regarded as privacy-friendly. This is, however, to a large extent an illusion, as data retention laws and NSA-style surveillance are alive and well there. Protonmail was developed at CERN, the same people who play god with particle accelerators and manufacture black holes. 
They also started the WWW, which is the very source of most privacy concerns. Trusting them with anything is like trusting drunks with explosives. Oh wait, that's how we celebrate America's birthday in this age of terror fears; Protonmail was designed by AMERICANS at CERN. Anyone from Europe and Asia can tell you just how amazingly intelligent Americans are. I'd go with Tutanota, as Germany knows from personal experience just where American "freedom" is heading. Americans don't even know what privacy or security truly mean. Maps on Wikipedia and probably elsewhere show the location of the Protonmail servers, information you shouldn't blather about the web if you truly understand those concepts. Tutanota is based in Germany, which also has strict privacy laws, but which also practices widespread surveillance of its own, and is provides the base for the NSA’s extensive European operations. There is nothing stopping Tutanota (or ProtonMail ect.) from updating the JavaScript sent to your browser with bad code. This one of the main reasons that browser-based JavaScript cryptography is considered very insecure. Basically, services such as Tutanota, ProtonMail are much more private than regular webmail services, but are no protection against a targeted attack by the likes of the NSA. * The .com top level domain (TLD) is under the control of the US government (more specifically, the .com TLD is managed by VeriSign which is a US company under US jurisdiction). However, for users who wish to always avoid .com domains, an alternative webmail access is provided.

  4. Dave None Or Your Business

    on May 4, 2017

    Tutanota outright lies to its users. They say that they do not track your IP addresses. However, make two accounts on the same day from the same PC, and the 2nd account cannot send email until they review your account. Therefore they know your IP addresses. Also it's kind of a dumb move on their part, because they only know my user name and IP address, so what are they reviewing? So no, I do not like Tutanota.

    1. Douglas Crawford replied to Dave None Or Your Business

      on May 4, 2017

      Hi Dave, Hmm. This is something you will need to ask Tutanota about. I know that Tutanota has had issues with abuse of its system before (fake accounts set up for use by spambots). It might be possible to detect that two accounts are being used at the same time in real time, without the need to log IPs as such. But as I say, you will need to ask Tutanota about this.
