Tutanota is a fully encrypted email service based in Germany. It’s different from the likes of Gmail in that even though Google encrypts the stored messages on their servers, they hold the encryption keys. This means that the provider can access your data at will. You can also check how many subpoenas or search warrants Google grants every year.
What distinguishes Tutanota is their privacy-first approach. This means that they have no access to your data, and theirs is one of the most discreet email communication services. Or so the developers claim. Let’s get into it and find out whether it’s true.
- Automatically strips IP addresses from the sent email
- Doesn’t require a phone number to sign up for a mailbox
- Two-factor authentication
- Open-source client and apps
- Possible to set up unique domain names
- Possible to receive an encrypted reply from other email users
- 1 GB free data storage
- SHA256 password hashing
- AES-128 and SSL encryption
- Bulk contacts import
- Auto-response isn’t supported
- No IMAP or POP3
Tutanota has a variety of additional features that might not be deal makers on their own. However, when they add up, they can be a contributing factor when deciding whether to opt for this email provider. Here’s what sets it apart from the competition.
If you want your email to reflect your green attitude, Tutanota runs on 100% eco-friendly energy. It might not be a big deal to you, considering that Google is the largest corporate renewable energy buyer in the world. However, the difference is that Tutanota is of much smaller size, and it’s commendable that they don’t cut any corners there. We shouldn’t ignore such initiatives. Business ethics rarely play a role when picking the best service providers.
The developers of Tutanota added an encrypted search index that decrypts items locally, and then enables you to search for particular keywords. Many other encrypted email services have dropped the search function altogether and have not implemented a convenient solution. It’s excellent that Tutanota adds a feature that most people already got used to, without compromising your privacy.
You might have used the search feature countless times on your Gmail account without it ever occurring to you what the whole process means. The reality is that it’s easy for Google to implement a search function because your emails are on their servers. The indexing of each line of text is effortless in such a case. It also shows how easy it would be for them to retrieve your email contents.
The calendar is one of the most sensitive pieces of information that you could have. It accurately displays where you will be and what you will do. Understanding the risks involved, Tutanota developers came up with an encrypted calendar version built into their email client.
What’s particular about the Tutanota calendar is that even the notifications are encrypted, which helps against malicious agents scraping your data. The calendar is cloud-based, but only the encrypted data strings are stored, and they are only decrypted locally. It also works on every device. Many other email services are still working on their own takes on secure calendars.
If you’re running a website, and its topics are delicate, you might need to provide an option for your users to contact you privately. The Secure Connect feature enables you to embed a contact form that will be encrypted and will allow your users to reach out without compromising their privacy. It might not be useful for many users. Still, seeing how Tutanota is aiming to be the go-to choice for non-profit organizations, this feature is much needed.
You can hide your tracks and fool spamming bots by using aliases. You can configure this under your Extensions tab.
This interesting feature allows adding additional email addresses that all fall under your account. If your alias gets an email, it gets transferred to your primary mailbox. It may be handy if you’re covering your digital footprint by using several different addresses for safety reasons. It will help you not lose track of which accounts get what messages.
Inbox Rules lets you organize the emails before they’ve even reached your mailbox. You can assign which user’s emails should go into what folders. You can include all sorts of filters and keywords to filter your messages and control your mailbox without letting it get overwhelmed with messages. It can also act as your spam filter. Add the domains that you don’t want to ever see again and poof! You’ll see them no more.
Tutanota security and privacy
I’ll go through the essential privacy and security features that Tutanota email brings to the table. It will help you stack the service against the competitors if you’re deciding between this and some other service.
Tutanota combines two methods of encryption, symmetric and asymmetric, to deliver one of the safest email services you could hope to find. If you want to get more technical, it’s AES 128 military-grade encryption combined with RSA 2048 to provide a secure combination to protect your communications.
It’s implemented in such a way that when a user sends an email to other Tutanota users, key handling and key exchange are automated. It means that your private key acts as your Tutanota login password, which locally decrypts your emails on the device. Thanks to this end-to-end encryption, even Tutanota doesn’t know what your emails contain. This even covers email subject lines – something rarely found on the market.
When sending emails to other providers’ clients, key exchange isn’t automated, and you’ll need to manually exchange private encryption keys with each other to establish a secure communication channel.
Also, Tutanota adds Transport Layer Security (TLS) encryption to push the safety to the max by securing the emails when they are in transit. According to a Security Headers report, it enforces the use of HTTPS when sending and receiving data packets.
In short, everything that could benefit from encryption is probably already implemented on Tutanota. You could not find any other service that would be such a powerhouse of safety measures done right.
For account security, Tutanota offers two-factor authentication (2FA). Previously, it was possible to use 2FA only as a supplementary measure alongside Universal 2nd Factor (U2F).
In its current implementation, you can generate codes using Google Authenticator and a variety of other tools. It adds a layer of protection when authorizing logins to your Tutanota mailbox. In this case, should your password ever end up in the wrong hands, the perpetrator couldn’t get into your mailbox.
Here’s what options are available to set it up on your device:
- Universal 2nd Factor
- Authenticator app (time-based one-time passcodes or one time passwords)
- SMS code
U2F will require a separate hardware device, and it will only work in Chrome and Opera, with Firefox and Edge support planned in the pipeline. An authenticator app means you have to consider the safety of your mobile device because your email will be as safe as your phone. The SMS option is overall the least secure because SMS messages are the most vulnerable to man-in-the-middle attacks. In any case, the mere addition of 2-factor authentication will make your account a lot safer.
Although Tutanota is based in Germany, which is a 14 Eyes country, it isn’t all bad. Your data is protected by Bundesdatenschutzgesetz (BDSG), which is the German spin on the General Data Protection Regulation (GDPR). Although it sounds unnecessarily complicated, this means that your data is collected and used with your consent only.
Many mainstream providers like Google heavily monitor what you’re doing when you’re on their service. This also extends to your mailbox, which isn’t the best news for you if you value your privacy. Tutanota doesn’t serve you ads, and they don’t collect data on you.
Besides, Tutanota integrates privacy features that neutralize tracking attempts. For example, the client automatically blocks the loading of images, which is a common email tracking mechanism. Plus, emails you send go without header information because the client strips it to hide your originating IP address.
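The two protections described above, shown as an added Python example that is not Tutanota’s own code: removing sender-revealing headers from an outgoing message and finding the remote images a privacy-minded client would refuse to load. The header list, the sample message and the sample HTML are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

# Headers that commonly expose the sender's IP address or mail client.
# This list is an assumption for the example, not Tutanota's own.
REVEALING_HEADERS = ("Received", "X-Originating-IP", "X-Mailer", "User-Agent")

def strip_revealing_headers(raw: str):
    """Return (cleaned message text, names of the headers that were removed)."""
    msg = message_from_string(raw)
    removed = [h for h in REVEALING_HEADERS if msg[h] is not None]
    for name in removed:
        del msg[name]  # deletes every occurrence of that header
    return msg.as_string(), removed

class _ImageFinder(HTMLParser):
    """Collects <img> sources that would cause a network request when rendered."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        src = (dict(attrs).get("src") or "").strip()
        # http(s) and protocol-relative URLs are fetched from the sender's server;
        # cid: (attached) and data: (inline) images are not.
        if src.lower().startswith(("http://", "https://", "//")):
            self.remote.append(src)

def remote_images(html: str):
    """Return the image URLs a client should block until the user opts in."""
    finder = _ImageFinder()
    finder.feed(html)
    finder.close()
    return finder.remote

# Constructed samples (documentation IP range and example domains).
OUTGOING = (
    "Received: from [203.0.113.7] by mail.example.org; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "X-Originating-IP: [203.0.113.7]\n"
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "\n"
    "hi\n"
)
INCOMING_HTML = (
    "<p>Newsletter</p>"
    '<img src="https://tracker.example/open.gif?id=123" width="1" height="1">'
    '<img src="cid:logo">'
)

if __name__ == "__main__":
    cleaned, removed = strip_revealing_headers(OUTGOING)
    print("removed headers:", removed)
    print("blocked images:", remote_images(INCOMING_HTML))
```

A 1x1 remote image like the one in the sample reports the open time and the reader’s IP address to whoever hosts it, which is why blocking is the default.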
If you’re still wondering whether Tutanota is anonymous, you should remember that when logging in, only your password’s hash is being sent to their server to authorize your entry. Hashing is a one-way process only, so it’s impossible to re-create your password from it. In other words, Tutanota has no clue what your password is.
If you ever forget your password, they have implemented a randomly generated recovery code, which is shown during account creation and is available from the settings screen. It’s not possible to reset your email by sending the password to another email, for example.
Such security practices, combined with safe encryption protocols, mean that with Tutanota, you should feel invisible.
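A sketch of a login flow in which the server only ever receives a hash, added here as an example and not taken from Tutanota’s code. The page names SHA256 only; the PBKDF2 key stretching, the iteration count and the Server class are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the example

def derive_key(password: str, salt: bytes) -> bytes:
    """Client side: stretch the password into a 128-bit key. It never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=16)

def login_token(key: bytes) -> bytes:
    """Client side: the only password-derived value that is sent to the server."""
    return hashlib.sha256(key).digest()

class Server:
    """Hypothetical server: keeps a salt and a hash of the login token per user."""
    def __init__(self):
        self._users = {}

    def register(self, user: str, salt: bytes, token: bytes) -> None:
        self._users[user] = (salt, hashlib.sha256(token).digest())

    def salt_for(self, user: str) -> bytes:
        return self._users[user][0]

    def login(self, user: str, token: bytes) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        # Constant-time comparison of the stored hash with the hash of the token.
        return hmac.compare_digest(record[1], hashlib.sha256(token).digest())

    def stored_values(self, user: str):
        """Everything the server (or someone who steals its database) holds."""
        return self._users[user]

def sign_up(server: Server, user: str, password: str) -> bytes:
    salt = os.urandom(16)
    key = derive_key(password, salt)
    server.register(user, salt, login_token(key))
    return key  # stays on the client, used to decrypt mail locally

def sign_in(server: Server, user: str, password: str):
    key = derive_key(password, server.salt_for(user))
    ok = server.login(user, login_token(key))
    return ok, (key if ok else None)

if __name__ == "__main__":
    srv = Server()
    sign_up(srv, "alice", "correct horse battery staple")
    print(sign_in(srv, "alice", "correct horse battery staple")[0])  # True
    print(sign_in(srv, "alice", "guess")[0])                         # False
```

The token is still a login credential, so it has to travel over TLS; what this design buys is that neither the password nor the decryption key is ever present on the server.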
Tutanota data centers
All of Tutanota’s data is in data centers all over Germany. For the server to make the cut, it has to be compliant with ISO/IEC 27001 information security standards. The standard requires the inspection of system infrastructure risks and vulnerabilities and the implementation of a suite of information management for the best possible blend between safety and privacy.
The only people that have access to their servers are administrators who must authenticate themselves before being allowed entry. Also, Tutanota’s infrastructure is under close monitoring to avoid disruptions in the service and to check for suspicious patterns in the network. It’s one of the services with the least downtime.
Tutanota plans and pricing
For private users, Tutanota is available as a free service with 1 GB of storage. This isn’t such a low amount as it would seem because of unencrypted email compression. Hence, with 1 GB on Tutanota, you get what would feel like 5 GB on Gmail. You’re also limited to one user, cannot set up other domain names, and you cannot search for emails older than four weeks. You’ll also have to make do with one calendar.
Premium Tutanota client costs 1.20 EUR/month (or 12 EUR/year) and adds the option of a custom domain. You can add additional users, but it will cost you an extra 1.20 EUR/month (or 12 EUR/year per user). It also greatly expands on the search feature, allowing you to search for emails in an unlimited date range. With it, you can also set up multiple encrypted calendars, get five aliases that don’t require a separate login, and an inbox rules feature. Plus, it unlocks support via email.
You can also opt for the Teams plan for 4.80 EUR/month (or 48 EUR/year). Each user on top will cost an additional 2.40 EUR/month (or 24 EUR/year). Other features are the same as the Premium version, but it has a couple of more aces up its sleeve. For example, a storage cap is 10 GB, which should be enough for a lot of emails, and you won’t have to clear it up as often. Plus, the Teams plan adds an option to share your encrypted calendars with other people.
Business users can take it further with the Pro edition. It costs 7.20 EUR/month with each additional user costing 3.60 EUR per mailbox. It adds 20 aliases and priority customer support. Additionally, it’s possible to add a custom domain logo, colors, and contact forms. The latter will cost an additional 24 EUR.
If you don’t like what’s in the pre-made packages, you can tweak them according to your needs. Do you think you don’t have enough storage? No problem! This is solvable by purchasing additional storage: 10 GB for 2.40 EUR/month, 100 GB for 12 EUR/month, 1 TB for 60 EUR/month.
There are even more ways to tailor the service to yourself. With Whitelabel, you can customize how your service looks and works by adding or discarding features. This means that you will get only the bits and pieces that you need. It’s one of the most customer-friendly services considering how much you can customize. You’ll pay as much as you want, and for the features that are useful to you.
Non-profit organizations can take advantage of an evergreen Tutanota deal. NPOs based in Austria, Belgium, Canada, France, Germany, Italy, the Netherlands, or Switzerland can get Tutanota’s business account for free.
Public schools and non-profits in other countries can get a hefty 50% discount on their subscription. The only caveat is that Tutanota (weirdly) doesn’t support anonymous payment options like cryptocurrencies.
Ease of use and setup
Primarily, Tutanota is a web client-based email service. However, they have open-source apps for Android and iOS devices. Plus, they have recently rolled out the beta versions of their desktop apps. Here’s a short overview of the offerings.
Web browser client
Tutanota’s web client is something you may expect from most email service providers. You get a clean-looking user interface, much of which you can customize according to your needs and preferences.
The particularity of Tutanota is that you get three different tabs for Emails, the Calendar, and Contacts. The latter you can import using vCard 3.0. Essentially, it enables you to keep everything you want in one place. All the items will be encrypted, so you should be calm about your data safety.
Encrypted search, 2FA, and spam rules configuration are possible. If you’re a power user, you should stick to this mode. You can even save encrypted IP addresses in your sessions’ audit log. Every other method to log into Tutanota pales in comparison to their web client.
Tutanota apps for iOS and Android enable you to get all the features that should be familiar from the web client. The apps come with push notifications, swipe gestures (depending on your device), and full-text search. Automatic synchronization between your mobile devices and desktop clients is possible, but keep in mind that desktop won’t have an offline mode.
It’s nice that the developer thought about users who have phones with a black notch in the upper part of their screen. Tutanota apps adjust to those in need, and you will not be losing functionality, no matter what kind of device you prefer.
Besides, you get encrypted search and 2FA. It makes it easier to connect through your mobile devices, without compromising your device’s safety.
You can set up beta versions of the Tutanota desktop app by downloading the installation files for Linux, Windows, and macOS from their website. As is often the case with beta versions, you will be missing out on some features as an early adopter tax. For example, you won’t find 2FA and will not be able to read emails in offline mode.
Otherwise, the apps look like a mirror image of the web browser, so you get the same looks minus the features. At this stage, this version is better suited to Tutanota enthusiasts that are submitting bug reports on their GitHub page. If you’re a regular user who wants to use the service, there isn’t much use to get the desktop version in favor of other options.
Customer support inquiries will only be accepted if you’re writing directly via your Tutanota email. It may create some problems if you cannot log into the service in the first place. It’s also strange that they have no dedicated customer support tab on their email page. To contact customer support, you’ll need to go to their “How can we help you?” page.
From there, you can enter your question. If the suggested replies don’t provide a useful solution, you’ll have the option to contact customer support. Mind you, this applies only to Premium users. If you’re using the Free version – no customer support for you.
They also suggest their managed Tutanota subreddit, where many users are exchanging tips and hints. Plus, its mods are Tutanota employees, so you should be able to find someone who will be able to help you.
Having only email contact forms and scraps of social media isn’t an optimal customer support solution. This is something that the Tutanota developers should look into. It’s one of the areas that could use some improvements.
ProtonMail is one of the most popular secure email providers. Just like Tutanota, it also has a free version with 500 MB of storage. There are also some search limitations, but otherwise, you’re getting a top-notch secure email service and possibly a bundle deal with a VPN subscription.
HushMail integrated end-to-end encryption just like Tutanota. The Canada-based provider has also tweaked their apps to the max, adding verification via Face ID, and more.
CounterMail is a true alternative to the Tutanota mail if you still need encrypted email services. They’re using RAM-only servers that don’t keep any identifiable information. The developers have combined symmetrical and asymmetrical encryption methods to keep you as safe as possible.
ZohoMail is a secure email service that you probably haven’t ever heard of. However, this has nothing to do with its quality. The company behind it has a long history with various password managers and other security products. With the free version, you get end-to-end encryption with 5 GB of storage.
Tutanota: the bottom line
The biggest drawback of Tutanota is its limited customer support. Email-only inquiries and a community forum shouldn’t be the only options on a premium email service’s resume. That said, Tutanota is more than spectacular when it comes to its privacy and security options.
They’re able to deliver a full-fledged service for free. If you opt to pay just a tiny bit of money every month, this service has almost everything Gmail offers minus the data collection. The developer clearly shows a privacy-focused attitude, which is a rare thing to find nowadays – I wholeheartedly recommend it.