When it comes to secure email providers, Tutanota is often one of the top two most mentioned. Of course there are more than just two, however these two are the most commonly mentioned.
Tutanota provides an end-to-end encrypted email service, based out of Germany. The team is small but committed, and the user base numbers over 2 million (as of the last statistics I was able to find). They do not advertise, nor do they have investors. They are self-sufficient based on the users who pay for premium service (of which I am one!) and donations. Of course, they don’t skim or sell your data either!
When you sign up for an account, a 2048 bit public/private RSA keypair is generated in your browser. The private key that is sent to the server is AES-128 encrypted with your password you used when you sign up (so be sure to pick a good one!). Your emails are AES-128 encrypted using your public/private keypair.
As I mentioned before, Tutanota provides end-to-end encrypted emails, but that comes with a caveat. Pay careful attention here…
Emails from one Tutanota user to another are end-to-end encrypted, including the email content and the subject line (note that most email providers are not capable of encrypting subject line!).
When you send email to other users, things get a bit trickier. Tutanota allows you to encrypt emails to others using a fixed password (which is assumed to have been shared in advance via other means). The other user will receive an email from Tutanota indicating they have received an encrypted email, and will be provided a link which takes them to a custom mailbox on Tutanota’s site that includes the encrypted emails exchanged between you and this other user. From this custom inbox, you and the other user can exchange encrypted emails back and forth forever. There is no limit to the number of emails that can be exchanged via this method.
Of course you can always send your email in cleartext to any recipient. The email is still encrypted in your mailbox on Tutanota’s side, however it will be in plain text on the recipient’s side. Keep this in mind.
Apps and Code
The code for Tutanota is open source and available for review and contributions. The source for the back-end server functions has not been opened sourced, however the company has stated that they do intend to release that code in the future.
In addition to the ability to log in via the web, Tutanota offers apps for every platform — Windows, Mac, Linux, iOS and Android. The code for this is open source as well.
Due to the nature of being an end-to-end encrypted solution, you cannot access your email through regular methods such as IMAP or POP3. You can only use the web access or the available apps.
The mail server logs are stored a maximum of 30 days, which include details such as sender and recipient, as well as time and date. No IP information is stored in the logs according to Tutanota.1 The service does however use IP addresses for processing, however with the exception of “anonymous” IPs (i.e. TOR nodes, etc) these IPs are not stored anywhere.
Tutanota is a German company, headquartered in Hannover. For those who are ultra privacy conscious, Germany is a 14 Eyes country, and Germany has known NSA operations taking place within its borders. That said, the NSA is capable of global surveillance, so the fact that Germany has a partnership agreement with the US in this regard is a bit of a moot point in my opinion.
One area where Tutanota really shines is in email tracking. When I used the Email Privacy Tester, an email delivered to and opened by a Tutanota email account tripped none of the tests. That’s right, none. Zero. Zip. Zilch. Nada. That said, if you choose to show any images in the email, or click on any links, then the game is over and you can still be tracked. But if you only read the content of the email, without following a link or viewing an image, then the sender will never have any idea that you’ve read their email.
Pricing on Tutanota is relatively straightforward. Anyone can sign up for free, and you get 1GB of storage and you can perform full-text searches of your mailbox for up to 1 month back. Full-text search of emails on encrypted mail providers can be hit or miss, so it’s awesome that Tutanota offers this capability, along with the technical way in which they implement it.
You can upgrade your account to premium for 12 Euro a year, or pro for 60 Euro a year. Premium unlocks the following:
- Ability to search all of your email (not just the past month),
- Custom domain support
- 5 aliases
- Inbox rules
- Email support
Pro adds the following:
- Increases storage from 1GB to 10GB
- Increases aliases from 5 to 20
- Priority support
- Custom domain login with your own logo and colors
You can add additional accounts to your plan, for example if you’re going to create email accounts for your family members as well. However, this is the one place where I actually have a grievance with Tutanota.
If you’re on the premium tier, you can add additional accounts for 12 Euro/year/each, and for the pro tier it’s an additional 24 Euro/year/each, however, these additional users do not get their own quotas.
What I mean by that is this: If you sign up for a free account, you get your own 1GB of storage. Pay 12 Euro to upgrade to premium and you get all the above benefits I mentioned (5 aliases, custom domain, etc). However, if you add someone to your plan and pay the 12 Euro for them as well, you both share the 1GB and 5 aliases that you had before. Even though if that person registered on their own, they would get their own quotas. If you add them to your plan, and pay the exact same amount that they would pay on their own, they do not get anything except an email address. They don’t get their own 1GB. They don’t get their own 5 aliases.
I exchanged emails with their support team about this, and honestly they seemed very blasé about it. In fact, in the last email exchange with them where I tried to point out how silly this policy seemed (in my opinion), they replied simply with “Thanks for your feedback.” As if to say “So what?” That didn’t exactly make me feel as though my concerns were being heard and considered. While it seems like a small thing, in my mind, it’s not. I’m paying the exact same price and getting less than I would if I registered two accounts separately.
That said, this is really the only thing I could see as an issue with Tutanota.
I’ve found myself impressed by Tutanota. I’ve submitted bugs I’ve found in their apps, which I’ve seen being addressed. My only hesitation with the service is the peculiarities around how they handle adding accounts to an existing plan. The fact that doing so costs as much as an account by itself, but comes with none of the quotas of said account, makes it difficult to justify making this my primary go-to for my entire family. None the less, I have a premium account and will likely maintain that for a long time. I’ll continue to watch this service develop and mature, and hopefully one day the quota issue will be sorted out.
- Note that a very recent ruling by a German court indicates that German service providers are required to log IP addresses. See https://www.reddit.com/r/privacy/comments/al0711/email_provider_in_germany_must_log_ip_addresses/ [↩]