
Encrypted Email Services: ProtonMail, Tutanota, and Alternatives

By AntiPhishers

Standard email services like Gmail and Outlook encrypt messages in transit using TLS, but the provider can still read your messages on their servers. End-to-end encrypted email services eliminate this access by encrypting messages so that only the sender and recipient can read them; not even the email provider can. For individuals and organizations handling sensitive communications, this distinction is fundamental to maintaining genuine privacy.

How End-to-End Email Encryption Works

End-to-end encrypted email services use public key cryptography. Each user has a key pair: a public key that others use to encrypt messages to them, and a private key that only they possess to decrypt incoming messages. When two users on the same encrypted platform exchange emails, the encryption and decryption happen automatically without any manual key management.

The challenge arises when sending encrypted messages to recipients who use standard email providers. Different services handle this differently. Some send a link to a secure portal where the recipient can read and reply to the encrypted message. Others support the PGP standard for interoperability with users who manage their own encryption keys.

Zero-knowledge architecture means the provider stores your encrypted data but does not possess the keys to decrypt it. If the provider’s servers are breached, attackers obtain only encrypted data they cannot read. This architecture also means the provider cannot comply with requests to hand over readable email content, though metadata such as sender, recipient, and timestamp may still be available.

Leading Encrypted Email Services

Proton Mail, based in Switzerland, is the most widely used end-to-end encrypted email service. It supports automatic encryption between Proton Mail users and offers password-protected encrypted messages to external recipients. The free tier provides 1 GB of storage and a single email address, which is sufficient for personal use. Paid tiers add custom domains, increased storage, and additional addresses. Proton Mail has undergone independent security audits and has open-sourced its client applications for public review. The web interface and mobile apps provide a user experience comparable to mainstream email services, which has been key to its adoption.

Tuta (formerly Tutanota), headquartered in Germany, takes a similarly strong approach to encryption. It encrypts not only message bodies but also subject lines, which Proton Mail does not encrypt by default. Tuta uses its own encryption protocol rather than PGP, which provides certain technical advantages but limits interoperability with PGP-using external contacts. The free tier is more limited than Proton Mail’s but still functional for basic use. Tuta’s calendar and contact applications are also end-to-end encrypted.

Mailfence, based in Belgium, supports PGP encryption with a more traditional email interface. It includes calendar, contacts, documents, and group features alongside encrypted email. Mailfence allows users to manage their own PGP keys and exchange encrypted messages with any PGP user regardless of their email provider, which provides more flexibility than platform-locked encryption.

Skiff Mail offered end-to-end encrypted email, calendar, and document collaboration before being acquired by Notion in 2024. Users were given a transition period to migrate, highlighting the risk of relying on smaller encrypted email providers. When evaluating any service, consider the provider’s financial stability and long-term viability.

StartMail, from the Netherlands, focuses on privacy features like disposable aliases and PGP encryption. It is a paid-only service with no free tier, which may indicate a more sustainable business model that does not depend on converting free users.

Key Factors for Your Decision

Encryption scope varies between services. Some encrypt only the message body while leaving subject lines, attachment names, and metadata unencrypted. Others encrypt subject lines but cannot encrypt metadata like sender and recipient addresses because email routing requires this information in the clear. Understand what each service protects and what remains exposed.
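
To make the scope question concrete, the following added example (not code from this article or from any of the providers reviewed) parses a PGP/MIME message the way a mail server handling it would, and reports what is readable without the recipient's private key. The sample message, the addresses, and the `exposure_report` name are constructed for illustration; services that use their own protocol instead of PGP/MIME will differ in detail.

```python
from email import message_from_string
from email.policy import default

# Constructed sample: a PGP/MIME (RFC 3156) message as the mail servers handling it see it.
SAMPLE = """\
From: alice@example.org
To: bob@example.net
Subject: Q3 acquisition terms
Date: Tue, 04 Mar 2025 09:15:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

VISIBLE_HEADERS = ("From", "To", "Cc", "Subject", "Date")

def exposure_report(raw):
    """Return what is readable without the recipient's private key."""
    msg = message_from_string(raw, policy=default)
    # RFC 3156 marks an encrypted message with this outer content type.
    body_encrypted = (
        msg.get_content_type() == "multipart/encrypted"
        and msg.get_param("protocol") == "application/pgp-encrypted"
    )
    # Outer headers sit outside the ciphertext, so every hop can read them.
    headers = {h: str(msg[h]) for h in VISIBLE_HEADERS if msg[h] is not None}
    # Filenames declared on MIME parts outside the ciphertext are readable too.
    filenames = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return {"body_encrypted": body_encrypted, "headers": headers,
            "filenames": filenames}

if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE).items():
        print(key, "->", value)
```

Run against the sample, the report shows an encrypted body alongside a fully readable subject line, sender, and recipient, which is the gap a service that encrypts subject lines closes for the subject only.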

Interoperability with external contacts determines how practical the service is for your actual communication patterns. If most of your contacts use Gmail or Outlook, you need a service that handles external encryption gracefully. Proton Mail’s password-protected messages and Mailfence’s PGP support offer different approaches to this challenge.

Ease of migration affects whether you can realistically switch. Moving years of email history, updating every account that uses your email address, and training yourself on a new interface are real costs. Most encrypted email services offer import tools for migrating existing mail, and some support using your existing custom domain so your email address does not change.

For broader email security practices that complement encrypted email, including phishing awareness and authentication protocols, see our Email Security Best Practices guide.

Configuration Recommendations

Enable two-factor authentication on your encrypted email account immediately. An encrypted email service protects message content, but if an attacker gains access to your account through a weak password, they can read everything. Use a hardware security key or authenticator app rather than SMS for the second factor.

Set up encrypted email aliases for different purposes: one for financial accounts, one for social media, one for subscriptions. This compartmentalization limits the impact of any single alias being compromised or leaked in a data breach.

Configure your encrypted email client to strip metadata from attachments before sending. Images, documents, and PDFs often contain embedded metadata such as GPS coordinates, author names, and editing history that can reveal information you did not intend to share.

Understanding the Limitations

End-to-end encryption protects message content but does not prevent phishing attacks. An encrypted email from an attacker is still a phishing email. You must apply the same critical evaluation to messages received on encrypted platforms as on any other email service. Encryption protects privacy, not judgment. Combining encrypted email with strong phishing awareness remains essential for comprehensive email security.