What is email encryption and why it matters
When email first came about, messages were sent over the internet in plaintext (unencrypted) form. Anyone who intercepted a message with a packet analyzer could easily read it. This is less than ideal, as email was and still is used to deliver a great deal of personal and business information.
The higher demand for security led to the development of email encryption standards. The goal of encryption is to make a message incomprehensible to anyone but its intended receiver. Basically, encryption scrambles the contents of a message so that they look like nonsense to anyone who doesn’t have the key needed to unscramble them. That way, even if it’s intercepted, it’s useless to the hacker – modern encryption can take a computer millions of years to crack.
Major email platforms now employ transport-level encryption. This means that the email is encrypted in transit from you to the server. It’s not the safest solution, as the contents of the email are accessible on the server. This is already bad, as the service provider can sift through your email to produce targeted ads. It would be a lot worse if a hacker were to access all that unsecured data.
End-to-end encryption is a lot safer. The email is encrypted through the entire trip, right up to the point where you enter your special encryption key to check the inbox. It’s harder to implement and is more resource intensive, but it foils anyone trying to steal your emails on the way.
With that in mind, let’s look at some of the best encrypted email options out there.
Note: to understand the standard abbreviations used throughout the comparison, refer to the “Other features to look for in your encrypted email service” section at the end of this article.
ProtonMail – Most Reputable Encrypted Email Provider
Created by the European Organization for Nuclear Research (CERN) and Massachusetts Institute of Technology (MIT) scientists and developers, ProtonMail is currently the world’s largest encrypted email service.
Praised for its transparency and dedication to privacy, ProtonMail is an end-to-end encrypted service. This means that data is encrypted when it’s transferred and stored on their servers. Thus, not even ProtonMail can access the contents of your letters. In fact, if you lose your password, they can’t even retrieve your emails. That’s why you should set up recovery information.
ProtonMail is a no-log email service, so your emails won’t be traced back to you. It doesn’t keep your IP address information either.
- Free of charge (you can pay for more space and built-in VPN)
- Does not keep any IP address information
- Allows you to download your PGP keys if you use the Pretty Good Privacy encryption software
- Works from any device
- Does not support IMAP, SMTP, or POP3 data transfer protocols, so you can’t use it with email programs. Given the EFAIL vulnerability that allowed Gmail, Apple and Outlook clients to leak the contents of encrypted emails, this may be more secure
Hushmail – Best For Business Users
Hushmail has been around since 1999 and has an excellent reputation. It has both business and personal options, a modern web interface, and it keeps your email secure enough that even Hushmail can’t read it.
Hushmail offers many options for businesses and non-profits. It also allows you to create secure web forms with a drag-and-drop creator. It’s part of what makes it very attractive for health professionals that want a HIPAA-compliant email account.
- Supports IMAP and POP, meaning it is compatible with email software
- Offers two-step authentication
- Includes a spam filter
- Unlimited aliases mean you don’t need to have more than one account
- You have to hand over your phone number as well as an alternate email address to sign up
- No free option outside of a 14-day trial
Mailfence – Best For Secure Emails With Any Domain
Based in Belgium, Mailfence is an OpenPGP-based (most widely used email encryption standard) service that provides end-to-end encryption. And that’s on top of its integrated keystore (to store all of your encryption keys), focus on digital signatures, and 2-Factor Authentication (meaning there’s an extra step logging in). You can also use it with custom domains to get the @weedbong.com email you always wanted.
Belgium has strict data protection laws, which places this in a good jurisdiction. However, Mailfence complies with user identification requests from Belgian courts. It publishes statistics on the requests it has received and fulfilled, and provides a warrant canary.
- Supports digital signatures to prevent email spoofing
- Includes a spam filter
- Imports contacts
- Includes a calendar
- POPS, IMAPS, and SMTPS are available for secure connection
- Can be used to send faxes and text messages, albeit not for free
- Limited free storage
- Requires an alternate email address
- Stores the private keys on its servers
- Can only send to people with an OpenPGP key
- Does not allow others to inspect their code, so you can’t know if they have malicious processes inserted into their services
- Will identify users if Belgian courts submit a valid demand
Tutanota – Most Flexible Pricing
Based in Germany, Tutanota is operated by a small team of developers who take privacy seriously. The service encrypts the entire mailbox, which includes both your address book and emails. The files are also stored in an end-to-end encrypted format while at rest (stored) at Tutanota.
Free at the basic level, Tutanota comes with flexible pricing options. For businesses, Tutanota offers excellent features like white labels and secure, shared calendars.
- Automatically encrypts your entire mailbox
- Verification does not require a phone number
- Encrypted emails can be sent to users who don’t have the service (a pre-shared password is used)
- Automatically encrypts email headers, subject lines, and body
- High level of encryption and security
- Provides support for custom domains, encrypted contact forms, and business email
- Does not support SMTP, IMAP or POP3 – only accessible via web
- A cryptocurrency payment option is still in development
- Somewhat barebones at the free level
Runbox – Best Protected Server Location
Based in Norway, Runbox is a secure email provider that protects your information under the jurisdiction of Norwegian privacy legislation. This is important to note as a court order is needed before any of your data is disclosed to another party.
Runbox’s data center operates out of a place that was built for the Norwegian government. It contains a lot of security and safety measures that ensure the integrity of servers. It’s also run on green energy.
While the secure email service places quite a bit of focus on security and privacy, it does have a user-friendly feel and plenty of features. Runbox will run via dedicated mobile apps as well as on third-party email clients.
- Supports various means of access
- Physically stores all emails in its own high-security data center
- Features spam protection and advanced virus scanning capabilities
- Has a history of excellent uptime
- Accepts anonymous cash payments and cryptocurrency
- To ensure end-to-end encryption, you must use PGP or S/MIME encryption, which is a bit involved for regular users
- No business features
- Data not encrypted while it’s stored in the Runbox system
Posteo – Best Anonymous Sign Up
Posteo is a secure email provider with robust encryption options and IMAP support – great for using the service on different devices or different email clients.
The company does not keep any logs and automatically strips IP addresses from your email. You may even sign up anonymously by making an anonymous payment.
Users are provided with end-to-end encryption of individual emails, so nobody is intercepting them. You also have the ability to encrypt your address book, calendar, and saved emails. Access protection is provided in layers with a salted hash password, optional one-time password, and hard disk encryption.
- Encryption of email subject, body, headers, metadata and attachments
- Emails are encrypted in storage by using OpenPGP
- Supports anonymous payments utilizing cash or cryptocurrency
- Good track record and self-financed
- IP address stripping
- No logs and secure email storage
- No spam folder (emails are either rejected or delivered to your inbox)
- No custom domains
StartMail – Best For Disposable Temporary Emails
StartMail is a secure email service by the developers of Startpage, a private search engine based in the Netherlands. Privacy is important in this country.
A unique feature of StartMail is that they handle the encryption functions on the server-side, instead of in the browser. You can use PGP encryption, and all emails are encrypted while at rest.
Another feature unique to StartMail is the ability to quickly create disposable email addresses, which can be utilized with different services. The service also supports IMAP and SMTP if you want to use third-party apps.
- You can pay with cryptocurrency
- Supports custom domains
- Support for SMTP and IMAP for those desktop app users
- The IP address is stripped from emails as well as headers
- Allows creating temporary, disposable addresses
- No plug-ins for email software
Mailbox.org – Best All-Rounder
Mailbox.org is another secure email provider that’s based in Germany. Its development team has experience going back to the 1990s. Their services utilize transport-level encryption, and the company also uses Extended Validation Certificates for added security.
The service provides support for SMTP, IMAP, POP, and DAV services and secure cloud storage. You also have access to features such as full PGP key management, groupware, calendar, and contacts. Additionally, their infrastructure is located at two separate locations for geo-redundancy.
- Virus protection and advanced spam filters
- Provides support for anonymous payment and anonymous registration
- Accepts cash payments (by mail) and cryptocurrency
- Cloud storage for all accounts
- PGP encryption on stored emails
- Provides full migration services, groupware, contacts, and calendar
- Utilizes security processes like CSP, CAA, HSTS, X-XSS and MTA-STS to prevent in-transit attacks
- IP addresses are logged for security and then erased after four days
Other features to look for in your encrypted email service
Encryption is the key feature of secure email services, but not the only one. Here’s what you can also consider:
PGP: Pretty Good Privacy is an encryption program that was developed in the 1990s. It uses a pair of keys to encrypt messages: a public key (one that you can share with others) and a private key (one that you keep to yourself). An upside of PGP is that it can be done with software outside of the email service, though secure email providers can have the process run in the background.
Two-factor authentication: commonly abbreviated as “2FA,” it’s a commonly used security measure that introduces an additional step when you log in. For example, if you have to enter your password and then type in a code you received on your phone to see your email inbox, you are using two-factor authentication.
Open source: commercial software usually doesn’t show its code – the guts that make it work – to customers. Open-source software can be inspected by anyone. That makes it possible to publicly verify whether the developer has inserted any functions unfriendly to users into the code.
Stripping metadata: your email isn’t just the words you wrote and the picture of the cute cat that you attached. Metadata is the embedded information about your computer, browser, and so on. Good secure email services strip it away.
Server location: you want your email provider’s server to be located in a country with tight privacy laws to decrease the chances of the government asking for access to the content of your mail and getting it. That means you want to avoid countries that belong to the “Five Eyes” intelligence alliance (Australia, Canada, New Zealand, the United Kingdom, and the United States). You may also want to be wary of ones belonging to “Nine Eyes” and “Fourteen Eyes:” Denmark, France, the Netherlands, and Norway in the former, joined by Germany, Belgium, Italy, Spain, and Sweden in the latter.
Anonymous sign-up: sometimes, you might not even want to leave a trace of having signed up for a secure email. That’s why you may want to consider getting an encrypted email provider that doesn’t require any personally-identifiable data, accepts cryptocurrency and cash, and so on.
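To make the "Stripping metadata" item above concrete, here is an added example (not code from this article or from any provider it reviews) that audits a message for headers exposing the sender's IP address and mail software, then removes them. The header list, the sample message and all host names are assumptions constructed for the illustration.

```python
import re
from email import message_from_string, policy

# Headers that commonly reveal the sender's address or mail software.
# This list is an assumption for the example, not any provider's rule set.
LEAKY = {"x-originating-ip", "x-mailer", "user-agent"}
# "with ESMTPA" / "with ESMTPSA" (RFC 3848) marks an authenticated client
# submission, so that Received line records the sender's own IP address.
SUBMISSION = re.compile(r"\bwith\s+ESMTPS?A\b", re.IGNORECASE)

# Constructed sample message: documentation IP ranges, made-up host names.
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "    by mail.example.org with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from [203.0.113.45] (laptop.home.example [203.0.113.45])\n"
    "    by mx.example.net with ESMTPSA; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "X-Originating-IP: 203.0.113.45\n"
    "User-Agent: ExampleMail/1.2 (Windows NT 10.0)\n"
    "From: alice@example.net\n"
    "To: bob@example.org\n"
    "Subject: Cat picture\n"
    "\n"
    "Hello Bob\n"
)

def load(text):
    """Parse raw message text into an EmailMessage."""
    return message_from_string(text, policy=policy.default)

def is_leaky(name, value):
    """True if this header exposes the sender's IP address or client software."""
    key = name.lower()
    return key in LEAKY or (key == "received" and bool(SUBMISSION.search(str(value))))

def audit(msg):
    """List (name, value) for every identifying header, in message order."""
    return [(n, str(v)) for n, v in msg.items() if is_leaky(n, v)]

def strip_metadata(msg):
    """Drop identifying headers; keep the rest in their original order."""
    kept = [(n, v) for n, v in msg.items() if not is_leaky(n, v)]
    for name in set(msg.keys()):
        del msg[name]
    for name, value in kept:
        msg[name] = value
    return msg

if __name__ == "__main__":
    for name, value in audit(load(SAMPLE)):
        print("leaks:", name, "=", value)
    print(strip_metadata(load(SAMPLE)).as_string())
```

Running `audit` on a message you sent to yourself through a provider shows which of these headers actually survive delivery.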
Getting the right encrypted email service is a crucial step towards greater privacy online. As you can see, paying for the service comes with many benefits, like the newest security features and reputability.
However, it takes more than just encrypted email to stay secure. A VPN can protect your other data:
- Masks IP address and DNS: this makes you very hard to trace by scrambling the two most identifiable technical details.
- Encrypts data: it’s like transport-level encryption for all of your information.
- Connects to a VPN server outside of your country: this way, you can make the entire internet believe that you are in that country.
- Hides your activities from your internet service provider: they can’t store your metadata for transferring to authorities or selling it to advertisers.
- Keeps your data secure when you log in via public Wi-Fi: even if hackers intercept it, they can’t read the encrypted contents.
So once you find the encrypted email provider you like, add a new layer of security by using a VPN.