Best Email Providers & Everything You Need to Know about Email Privacy


Even though instant messaging has largely replaced email for most use cases, everyone still needs to maintain at least one email account for online account signups, bank notifications and the like, and most businesses still rely on email for their day-to-day activities.

This ubiquity of email, coupled with the fact that most email services are not particularly keen on protecting the privacy and security of their users and have been the victims of multiple attacks, leaves you with a pretty large attack surface and a single point of failure.

If someone gets access to your email, they will have access to pretty much your entire online identity. Even if you use an end-to-end encrypted mailbox, there’ll still be some unencrypted metadata.

OpenPGP, the most popular way of implementing end-to-end encryption by encrypted mailbox providers, doesn’t encrypt the header portion, and also doesn’t support Forward Secrecy, which means if the recipient’s private key is stolen it will expose all previous messages.

I recommend switching to encrypted messaging apps instead of email. Email wasn’t really created with privacy in mind, and even if you use an end-to-end encrypted mailbox, some metadata in the header portion will still be unencrypted.

Private Email Providers

Alright, with all of that out of the way, here are the recommended email providers: they provide end-to-end encryption, collect little metadata, and sometimes even encrypt the metadata.

Tutanota

Tutanota is a freemium email service with the focus on security, privacy, encryption, anonymity, freedom, and open source. They are a small team of privacy enthusiasts, based in Germany, and have been in operation since 2011.

Tutanota uses its own encryption scheme based on RSA and AES instead of OpenPGP, which automatically encrypts the subject, the content, and the attachments; they also plan to implement Forward Secrecy and Autocrypt. Premium plans start at just €12/year and include features like custom domains, multiple users & alias support, and more.

They do not allow third-party email clients, but have native apps for Linux, macOS and Windows as well as Android & iOS. Two-factor authentication is supported, and a .onion service is on the roadmap. They currently accept credit cards and PayPal; Bitcoin and Monero can be used to purchase gift cards via their partnership with Proxystore.

ProtonMail

ProtonMail is a freemium email service with the focus on privacy, security, encryption, anonymity, open source, and ease of use. They are the same people behind ProtonVPN, based in Switzerland, and have been in operation since 2013.

Accounts start with 500 MB of storage on the free plan, which doesn’t include ProtonMail Bridge, the component required if you want to use a recommended email client like Thunderbird. Premium accounts start from €48/year and include features like ProtonMail Bridge, additional storage, custom domain support, email aliases, and more.

ProtonMail uses OpenPGP encryption, supports two-factor authentication, accepts Bitcoin in addition to credit/debit cards and PayPal, and is available via Tor at protonirockerxow.onion.

Mailbox

Mailbox is a paid email service with the focus on being secure, ad-free, and privately powered by 100% eco-friendly energy with a full-fledged office-productivity suite. They are based in Germany, and have been in operation since 2014.

There is no free version; accounts start at €12/year and come with 2 GB of storage, 3 email aliases, and more. Mailbox uses integrated encryption in their webmail, which simplifies sending messages to users with public OpenPGP keys.

Mailbox lets you use third-party email clients, but their webmail interface cannot be accessed via their .onion service. They only accept cash by mail, cash to bank, bank transfer, credit card and PayPal, with no cryptocurrencies.

Disroot

Disroot is a free email provider, among other services, with the focus on being open, decentralized, federated and respectful towards freedom and privacy. They are based in Amsterdam, have been in operation since 2015, and are run by volunteers and their community.

Disroot is free and uses open source software like Rainloop; users support the service through donations and by buying extra storage. It allows encrypted emails to be sent from their webmail application using OpenPGP. The mailbox limit is 1 GB, but you can buy extra storage at €0.15 per GB/month, paid yearly.

Disroot lets you use third-party email clients, supports two-factor authentication, and accepts Bitcoin, FairCoin, PayPal, direct bank deposit, and Patreon payments, but they do not operate a .onion service.

CTemplar

CTemplar is a freemium email service provider with a focus on security and privacy through the use of standard OpenPGP encryption. They are based in Iceland, and have been in operation since 2018.

Accounts start with 1 GB of storage and 200 emails/day on the free plan. CTemplar uses integrated OpenPGP encryption in their webmail and supports protected headers, which gives you subject encryption. Premium plans start at $8/month and include features like custom domains, self-destructing emails, and more.

CTemplar doesn’t allow the use of third-party email clients, but there are official clients for all platforms. They accept credit cards via Stripe, Bitcoin and Monero.

Self-Hosted Email

You can also self-host your email server, although it’s not something that I recommend you do as it will require continuous maintenance. I will be updating this section with a guide to self-hosting an email server soon. You can try following these guides:

Self-Hosted Email Software

Here are the recommended email self-hosting solutions that make hosting an email server much easier:

  • Mail-in-a-Box—a free and open source automated setup script for deploying a mail server on Ubuntu. It provides webmail and an IMAP/SMTP server for use with mobile devices and desktop mail software, and also includes contacts and calendar synchronization.
  • Mailcow—a free and open source advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mailserver with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. 

Email Clients

An email client lets you access and use all your mailboxes on your device. Here are some open source, feature-rich, and privacy-respecting email clients:

  • Mozilla Thunderbird—a free, open source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
  • Claws Mail—a free and open source, GTK-based email and news client, that’s easy to configure and has an abundance of features. It is included with Gpg4win, an encryption suite for Windows.
  • Mailpile—a free, open source, modern, fast web-mail client with user-friendly encryption and privacy features. It aims to make it easy and convenient to receive and send PGP encrypted or signed e-mail.
  • Mailvelope—a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard.
  • K-9 Mail—a free and open source mail app for Android, with support for both POP3 and IMAP mailboxes, but supports push mail for IMAP only. It has support for dark mode, emojis, multiple identities, and more.
  • FairEmail—a freemium, open source, email app for Android, that is fast, lightweight, and battery friendly. It is privacy-oriented, has support for dark mode, widgets, and more.

Email Cloaking Services

Email cloaking services allow you to mask your email address with aliases that online services can later use to send emails to your mailbox. It is a pretty nifty tool that can help combat spam and protect your privacy:

  • AnonAddy—lets you create email aliases that forward to your email address, there’s a generous free version, and reasonable premium plans, you can even self-host the entire service on your server.
  • SimpleLogin—another open-source email cloaking service provider with generous free plans, and the ability to self-host.

Email encryption

Alright, let’s talk about email encryption; how to encrypt email, protect encryption keys, and everything else you need to know.

End-To-End Encryption in emails?

End-to-end encryption (E2EE) in email is all about encrypting email contents so that nobody but the recipient(s) can read the email message. This prevents potential eavesdroppers from being able to read the email contents.

How to encrypt emails?

The standard way to do end-to-end encryption of email, and have it work between different email providers, is with OpenPGP (Open Pretty Good Privacy). There are different implementations of the OpenPGP standard, the most common being GnuPG and OpenPGP.js.

There is another E2EE standard that was popular with businesses called S/MIME, but it requires a certificate issued from a Certificate Authority.

However, OpenPGP does not encrypt your metadata and does not support forward secrecy. Researchers have also developed code exploiting several vulnerabilities in PGP (including GPG) for email, and have theorized many more which others could build upon.

Most of the email providers mentioned above use integrated encryption, which simplifies sending messages to users with public OpenPGP keys. You can also manually do PGP encryption:

How to protect private keys?

A smart card like a YubiKey or Nitrokey works by receiving the encrypted email from your device running an email or webmail client, decrypting it, and then sending the decrypted content back to your device. Since the decryption happens on the smart card, your private keys don’t risk being exposed to a compromised device.

Email metadata

Next up, what’s email metadata: what does it include, who can view it, how to protect it, and everything else you need to know.

What is Email Metadata?

Email headers are lines of metadata attached to each email that contain lots of useful information, including fields like To, From, Cc, Date and Subject that are required to send and receive emails.

Who can access the email metadata?

The email metadata is accessible to your email client or webmail and to any servers relaying the message from you to the recipients; sometimes it is also accessible to external third parties that your email provider uses to protect against spam.

When is email metadata used?

The email metadata is used by email servers to determine where an email message must be sent, among other purposes, and may also be used to show who a message is from and what time it was received.

Why can’t email metadata be end-to-end encrypted?

Email metadata is crucial to the most basic functionality of email. The email servers need to know where the email came from, and where it has to go. E2EE was not built into the email protocols originally and is also optional, therefore, only the message content is protected by E2EE.
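To make the point above concrete (and the "protected headers" feature mentioned under CTemplar), here is an added example, written for this page and not taken from any provider or project it names: it parses a constructed PGP/MIME message with the Python standard library and reports which header fields a relaying server can still read. The addresses, the Received line and the ciphertext are placeholders.

```python
from email import message_from_string
from email.message import Message

# Constructed sample: an RFC 3156 multipart/encrypted (PGP/MIME) message.
# The outer Subject is "..." because the real subject was moved inside the
# encrypted part (the "protected headers" convention). The PGP block is a
# placeholder, not a real OpenPGP packet.
SAMPLE = """\
Received: from mx.example.net by mail.example.org; Mon, 01 Jan 2024 10:00:00 +0000
From: alice@example.org
To: bob@example.net
Cc: carol@example.net
Date: Mon, 01 Jan 2024 09:59:58 +0000
Message-ID: <c0ffee@example.org>
Subject: ...
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder
-----END PGP MESSAGE-----
--b1--
"""

# Fields every relaying server and the provider can read: they are needed
# to route the message, so end-to-end encryption never covers them.
ROUTING_HEADERS = ("From", "To", "Cc", "Date", "Message-ID", "Received")

def is_pgp_mime_encrypted(msg: Message) -> bool:
    """True if the body is wrapped in an RFC 3156 PGP/MIME container."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")

def subject_is_protected(msg: Message) -> bool:
    """True if the outer Subject only carries the '...' placeholder."""
    return is_pgp_mime_encrypted(msg) and msg.get("Subject", "").strip() == "..."

def visible_metadata(raw: str) -> dict:
    """What a server-side observer learns from the headers alone."""
    msg = message_from_string(raw)
    seen = {h: msg.get_all(h) for h in ROUTING_HEADERS if msg.get_all(h)}
    seen["body_encrypted"] = is_pgp_mime_encrypted(msg)
    seen["subject_leaked"] = not subject_is_protected(msg)
    return seen
```

Running `visible_metadata(SAMPLE)` shows the sender, all recipients, timestamps and the relay path in the clear even though the body is encrypted; only the subject is hidden, and only because the message uses protected headers.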

How to protect email metadata?

When emails travel between email providers an encrypted connection is negotiated using Opportunistic TLS. This protects the metadata from outside observers, but as it is not E2EE, server administrators can snoop on the metadata of an email.

Why I don’t recommend using emails

  • Not Built for Privacy & Security: Email was never built with privacy or security in mind; the OpenPGP standard was later formulated by Phil Zimmermann, who, by the way, does not use it himself.
  • Metadata Not Encrypted: Even if you are using the “standard” encryption via OpenPGP, your metadata will not be end-to-end encrypted. The metadata is just as important as the content of the message.
  • No Forward Secrecy: OpenPGP does not support forward secrecy, which means that if your or the recipient’s private key is ever stolen, it will give access to every message that has ever been sent.

Honestly, I just don’t see the point in using an ancient tech like email when there are much more secure, privacy-respecting messaging apps like Signal & Element.

That’s all folks!

I’ll be updating this page with an email self-hosting guide, and other recommendations.
