Tutanota is a secure email service based in Germany. It’s different from the likes of Gmail in that even though Google encrypts the stored messages on their servers, they hold the encryption keys. This means that the provider has all the access to your data at will. You can also check how many subpoenas or search warrants Google grants every year.
What distinguishes Tutanota is their privacy-first approach. This means that they have no access to your data, and theirs is one of the most discrete email communication services. Or so the developers claim, let’s get into it and find out whether it’s true in our Tutanota review.
Tutanota: main pros & cons
- No-logs policy
- Spam filter
- 20+ supported languages
- Encrypted calendar
- Fourteen Eyes country
- No support for PGP and IMAP
- Expensive extra storage
Tutanota has a variety of additional features that might not be a deal maker just by themselves. However, when they add up, it can indeed be a contributing factor when deciding should you opt-in for this email provider. Here’s what set it apart from the competition:
- Green email
- Encrypted search
- Zero-knowledge calendar
- Secure connect
- Email aliases
If you want your email to reflect your green attitude, Tutanota runs on 100% eco-friendly energy. It might not be a big deal to you if you compare that Google is the largest corporate renewable energy buyer in the world. However, the difference is that Tutanota is of much smaller size, and it’s commendable that they don’t cut any corners there. We shouldn’t ignore such initiatives. Business ethics rarely play a role when picking the best service providers.
The developers of Tutanota added an encrypted search index that decrypts items locally, and then enables you to search for particular keywords. Many other encrypted email services have dropped the search function altogether and have not implemented a convenient solution. It’s excellent that Tutanota adds a feature that most people already got used to, without compromising your privacy.
You might have used the search feature countless times on your Gmail account, without it ever occurring to you what the whole process means. The reality is that it’s easy for Google to implement a search function because your emails are on their servers. The indexing of each line of text is effortless in such a case. Also, it shows how easy would it be for them to retrieve your email contents.
The calendar is one of the most sensitive pieces of information that you could have. It accurately displays where you will be and what you will do. Understanding the risks involved, Tutanota developers came up with an encrypted calendar version built into their email client.
What’s particular about the Tutanota calendar is that even the notifications are encrypted, which helps against malicious agents scraping your data. The calendar is cloud-based, but only the encrypted data strings are stored, and it’s only retrieved locally. It also works on every device. Many other email services are still en-route to develop their proprietary takes on secure calendars.
If you’re running a website, and its topics are delicate, you might need to provide an option for your users to contact you privately. Secure Connect features enable you to embed a contact form that will be encrypted and will allow your users to reach out without compromising their privacy. It might not be useful for many users. Still, seeing how Tutanota is aiming to be the go-to choice for non-profit organizations, this feature is much needed.
You can hide your tracks and fool spamming bots by using aliases. You can configure this under your Extensions tab.
This interesting feature allows adding additional email addresses that all fall under your account. If your alias gets an email, it gets transferred to your primary mailbox. It may be handy if you’re covering your digital footprint by using several different addresses for safety reasons. It will help you not lose track of which accounts get what messages.
Inbox Rules lets you organize the emails before they’ve even reached your mailbox. You can assign which user’s emails should go into what folders. You can include all sorts of filters and keywords to filter your messages and control your mailbox without letting it get overwhelmed with messages. It can also act as your spam filter. Add the domains that you don’t want to ever see again and poof! You’ll see them no more.
Tutanota security and privacy
I’ll go through the essential privacy and security features that Tutanota email brings to the table:
- Tutanota encryption
- Two-factor authentication
- Tutanota anonymity
- Tutanota data centers
It will help you stack the service against the competitors if you’re deciding between this and some other service.
Tutanota combines two methods of encryption, symmetric and asymmetric, to deliver one of the safest email services you could hope to find. If you want to get more technical, it’s AES 128 military-grade encryption combined with RSA 2048 to provide a secure combination to protect your communications.
Its implemented in such a way that when a user is sending an email to other Tutanota users, the encryption automates the key handling and key exchange procedure. It means that your private key acts as your Tutanota login password, which locally decrypts your emails on the device. Using something that’s called end-to-end encryption, even Tutanota don’t know what your emails contain. This even covers email subject lines – something rarely found on the market.
When sending emails to other provider’s clients, key exchange isn’t automated, and you’ll manually need to exchange private encryption keys with each other to establish a secure communication channel.
Also, Tutanota adds Transport Layer Security (TLS) encryption to push the safety to the max by securing the emails when they are in transit. According to a Security Headers report, it enforces the use of HTTPS when sending and receiving data packets.
In short, everything that could benefit from encryption is probably already implemented on Tutanota. You could not find any other service that would be such a powerhouse of safety measures done right.
For account security, Tutanota offers two-factor authentication (2FA). Previously it was only possible to use 2FA only as a supplementary measure alongside Universal 2nd Factor (U2F).
In its current implementation, you can generate codes using Google Authenticator and a variety of other tools. It adds a layer of protection when authorizing logins to your Tutanota mailbox. In this case, should your password ever end up in the wrong hands, the perpetrator couldn’t get into your mailbox.
Here’s what options are available to set it up on your device:
- Universal 2nd Factor
- Authenticator app (time-based one-time passcodes or one time passwords)
U2F will require a separate hardware device, and it will only work in Chrome and Opera, with Firefox and Edge support planned in the pipeline. An authenticator app means you have to consider the safety of your mobile device because your email will be as safe as your phone.
Although Tutanota is based in Germany, which is a 14 Eyes country, it isn’t all bad. Your data is protected by Bundesdatenschutzgesetz (BDSG), which is the German spin on the General Data Protection Regulation (GDPR). Although it sounds unnecessarily complicated, this means that your data is collected and used with your consent only.
Many mainstream providers like Google heavily monitor what you’re doing when you’re on their service. This also extends to your mailbox, which isn’t the best news for you if you value your privacy. Tutanota doesn’t serve you ads, and they don’t collect data on you.
Besides, Tutanota integrates privacy features that neutralize tracking attempts. For example, the client automatically blocks the loading of images, which is a common email tracking mechanism. Plus, emails you send go without header information because the client strips it to hide your originating IP address.
If you’re still wondering whether Tutanota is anonymous, you should remember that when logging in, only your passwords hash is being sent to their server to authorize your entry. Hashing is a one-way process only, so it’s impossible to re-create your password from it. In other words, Tutanota has no clue what your password is.
If you ever forget your password, they have implemented a randomly generated recovery code, which is shown during the creation of the account and from the settings screen when you create your account. It’s not possible to reset your email by sending the password to another email, for example.
Such security practices combine with safe encryption protocols means that with Tutanota, you should feel invisible.
Tutanota data centers
All of Tutanota’s data is in data centers all over Germany. For the server to make the cut, it has to be compliant to ISO/IEC 27001 information security standards. The standard requires the inspection of system infrastructure risks and vulnerabilities and the implementation of a suite of information management for the best possible blend between safety and privacy.
The only people that have access to their servers are administrators who must authenticate themselves before being allowed entry. Also, Tutanota’s infrastructure is under close monitoring to avoid disruptions in the service and to check for suspicious patterns in the network. It’s one of the services with the least downtime.
Tutanota plans and pricing
Tutanota pricing has similar tiers for individuals and businesses.
Let’s take a closer look at their pricing.
For private users, Tutanota is available as a free service with 1 GB of storage. This isn’t such a low amount as it would seem because of unencrypted email compression. Hence, with 1 GB on Tutanota, you get what would feel like 5 GB on Gmail. You’re also limited to one user, cannot set up other domain names, and you cannot search for emails older than four weeks. You’ll also have to make do with one calendar. It’s the most barebones version.
Premium Tutanota client costs 1.20 EUR/month (or 12 EUR/year) and adds a custom domain option. You can add additional users, but it will cost you an extra 1.20 EUR/month (or 12 EUR/year per user). It also greatly expands on the search feature, allowing you to search for emails in an unlimited date range. With it, you can also set up multiple encrypted calendars, get five aliases that don’t require a separate login, and inbox rules feature. Plus, it unlocks support via email. It’s an option for individual users that need more features.
Pro edition is the one that should be most relevant to small businesses or organizations. It costs 7.20 EUR/month with each additional user costing 3.60 EUR per mailbox. It adds 20 aliases and priority customer support. Additionally, it’s possible to add a custom domain logo, colors, and contact forms. The latter will cost an additional 24 EUR.
Tutanota Teams plan
You can also opt for the Teams plan for 4.80 EUR/month (or 48 EUR/year). Each user on top will cost an additional 2.40 EUR/month (or 24 EUR/year). Other features are the same as the Premium version, but it has a couple of more aces up its sleeve. For example, a storage cap is 10 GB, which should be enough for many emails, and you won’t have to clear it up as often. Plus, the Teams plan adds an option to share your encrypted calendars with other people.
Tutanota Custom plan
If you don’t like what’s in the pre-made packages, you can tweak them according to your needs. Do you think you don’t have enough storage? No problem! This is solvable by purchasing additional storage: 10 GB for 2.40 EUR/month, 100 GB for 12 EUR/month, 1 TB for 60 EUR/month.
There are even more ways how you can tailor the service to yourself. With Whitelabel, you can customize how your service looks and works by adding or discarding features. It means that you will get only the bits and pieces that you need. It’s one of the most customer-friendly services, considering how much you can customize. You’ll pay as much as you want, and for the features that are useful to you.
Non-profit organizations can take advantage of an evergreen Tutanota deal. NPO’s based in Austria, Belgium, Canada, France, Germany, Italy, the Netherlands, or Switzerland can get Tutanota’s business account for free. Public schools and non-profits in other countries can get a hefty 50% discount on their subscription. The only caveat is that Tutanota (weirdly) doesn’t support anonymous payment options like cryptocurrencies.
Ease of use and setup
Primarily, Tutanota is a web client-based email service. However, they have open-source apps for Android and iOS devices. Plus, they have recently rolled out the beta versions of their desktop apps. Here’s a short overview of the offerings.
Web browser client
Tutanota’s web client is something you may expect from most email service providers. You get a clean-looking user interface, much of which you can customize according to your needs and preferences.
The particularity of Tutanota is that you get three different tabs for Emails, the Calendar, and Contacts. The latter you can import using vCard 3.0. Essentially, it enables you to keep everything you want in one place. All the items are encrypted, so you should be calm about your data safety.
Encrypted search, 2FA, and spam rules configurations are possible. If you’re a power user, you should stick to this mode. You can even save encrypted IP addresses in your sessions’ audit log. Every other method to log into Tutanota pales in comparison to their web client.
Tutanota apps for iOS and Android enable you to get all the features that should be familiar from the web client. The apps come with push notifications, swipe gestures (depending on your device), and full-text search. Automatic synchronization between your mobile devices and desktop clients is possible, but keep in mind that desktop won’t have an offline mode.
It’s nice that the developer thought about users who have phones with a black notch in the upper part of their screen. Tutanota apps adjust to those in need, and you will not be losing functionality, no matter what kind of device you prefer.
Besides, you get encrypted search and 2FA. It makes it easier to connect through your mobile devices, without compromising your device’s safety.
You can set up beta versions of the Tutanota desktop app by downloading the installation files for Linux, Windows, and macOS from their website. As is often the case with beta versions, you will be missing out on some features as an early adopter tax. For example, you won’t find 2FA and will not be able to read emails in offline mode.
Otherwise, the apps look like a mirror image of the web browser, so you get the same looks minus the features. At this stage, this version works best for Tutanota enthusiasts that are submitting bug reports on their GitHub page. If you’re a regular user who wants to use the service, there isn’t much use to get the desktop version in favor of other options.
Customer support inquiries will only be accepted if you’re writing directly via your Tutanota email. It may create some problems if you cannot log into the service in the first place. It’s also strange that they have no dedicated customer support tab on their email page. To contact customer support, you’ll need to go to their “How can we help you?” page.
From there, you can enter your question. If the suggested replies don’t provide a useful solution, you’ll have the option to contact customer support. Mind you, this applies only to Premium users. If you’re using the Free version – no customer support for you.
They also suggest their managed Tutanota subreddit, where many users are exchanging tips and hints. Plus, its mods are Tutanota employees, so you should be able to find someone who will be able to help you.
Having only email contact forms and scraps of social media isn’t an optimal customer support solution. This is something that the Tutanota developers should look into. It’s one of the areas that could use some improvements.
ProtonMail is one of the most popular secure email providers. Just like Tutanota, it also has a free version with 500 MB of storage. There are also some search limitations that are absent in Tutanota. Still, otherwise, you’re getting a top-notch secure email service and possibly a bundle deal with a VPN subscription. To find out more, read our comparison: Tutanota vs Protonmail.
HushMail integrated end-to-end encryption just like Tutanota. The Canada-based provider has also tweaked their apps to the max, adding verification via Face ID, and more. It’s also possible to have back and forth secure communication just like with Tutanota. Hushmail also has a secure esignatures feature. If you need this feature integrated within the client, you will find it only on Hushmail.
CounterMail is a true alternative to the Tutanota mail if you still need encrypted email services. They’re using RAM-only servers that don’t keep any identifiable information. The developers have combined symmetrical and asymmetrical encryption methods to keep you as safe as possible. They’re using OpenPGP encryption standard which is just as strong as AES 256 that Tutanota uses.
ZohoMail is a secure email service that you probably haven’t ever heard of. However, this has nothing to do with its quality. The company behind it has a long history with various password managers and other security products. With the free version, you get end-to-end encryption with 5 GB of storage. Plus, your Zoho Mail account is useful for their other services like password managers, cloud storage, and the like. Learn more
Tutanota: the bottom line
The biggest drawback of Tutanota is its limited customer support. Email-only inquiries and community forum options don’t sit as the only options in a premium email service resume. Having that said, Tutanota is more than spectacular when it comes to its privacy and security options. It allows using encrypted and safe emails intuitively, just like you would be using a common one. Plus, it adds additional features that are useful on a day to day basis like calendars.
They’re able to deliver a full-fledged service for free. If you opt to pay just a tiny bit of money every month, this service has almost everything Gmail offers minus the data collection. The developer clearly shows a privacy-focused attitude, which is a rare thing to find nowadays – I wholeheartedly recommend it.
If you’re interested about other secure email providers, check out our top list here.
Can Tutanota be traced?
No. Every time you send an email, Tutanota strips the IP address from your email header, hiding your location. Also, even though Tutanota temporarily keeps the IP addresses of both open and closed sessions, they are encrypted in a way so that only you can access them. In addition, all this information is automatically deleted in one week.
Can someone read your Tutanota emails without you knowing?
Tutanota, as a service provider, encrypts all the emails that you have in your inbox. Due to encryption, it’s impossible to read them from the outside, even if you’re working at Tutanota. Besides, your password is never sent to them directly. The server authenticates you with only a hash derived from your password. You can be sure that no one at Tutanota knows what’s in your inbox.
How secure is my Tutanota account?
Tutanota uses a hybrid method of encryption using symmetrical and asymmetrical algorithms to make your data safe. If you need more details, that’s AES-128 bit military-grade cipher with 2048 bit RSA for communication between Tutanota’s users, and only AES-128 bit for the external recipients.
What to do if I forget my Tutanota password?
When you create a Tutanota account, you receive a recovery code that you should save somewhere safe. A password manager would undoubtedly help you with that. So if you forget your password, you’ll be able to recover your account using this code. Otherwise, it’s impossible to ask Tutanota support for access. If you lose your recovery code and forget your password, there’s no way to recover your account.
Can I receive notifications to another email account about incoming emails?
If you opt-in to a paid Tutanota subscription, you can set up any email in alias email sections. You then will be notified about all incoming emails to that separate box. It’s possible to get such push notifications in the browser and mobile apps.