Tutanota Review

Whether you’re looking to strengthen your privacy online or you’re a professional sending secure data via email, ensuring that your emails are encrypted is one of the best ways to maintain online security. 

You’re probably wondering what alternatives exist to the main email providers like Gmail. Today we’re going to look at Tutanota’s secure email service and what makes it one of the best secure email providers.

About Tutanota

Tutanota is an ad-free, secure email service that offers users end-to-end encryption on their emails and automatically encrypts their mailbox and address book. It also boasts an impressive password hashing system and U2F, making it significantly harder to hack into than mainstream email providers. 

Plus, one of the many reasons why it’s so popular with online privacy advocates is that it’s open-source software, meaning that the cybersecurity community can regularly test it for vulnerabilities and improve the software. 

Unlike some other secure email services, you can use Tutanota to send encrypted emails to non-Tutanota users, ensuring that you’re secure online regardless of who you’re talking to. 

Pros & Cons 

Before we dive into the specifics of Tutanota, let’s go over a summary of the benefits and drawbacks of this secure email provider. 

Pros

  • Full end-to-end encryption for mailbox, emails, calendar, address book, filters, search, and inbox rules
  • Open-source code for all apps
  • Free, paid, and business accounts available
  • Automatically blocks image loading in emails
  • No-logging policy

Cons

  • No way to import existing emails 
  • No out-of-office reply system
  • POP/IMAP not supported
  • Delayed account approval

The Tutanota Company

Tutanota was founded in 2011 in Hanover, Germany, by a small team of software engineers and online privacy enthusiasts. Their business was founded on the premise that online privacy is a basic human right, which is something that they’ve stuck to throughout the years. As such, their team has remained small, and their employees are extremely passionate about creating software that helps people ensure their privacy online.

With that in mind, it’s worth noting that Tutanota isn’t backed by any sort of venture capital or investment firm and raises money for company growth through community donations and account subscriptions. We know that investment firms can often sway companies with the best intentions to move away from their principles, so we greatly respect Tutanota’s dedication to their cause. 

Tutanota is also heavily invested in activism, with the team having attended the Fridays for Future demonstrations. They also run their company on 100% renewable energy with the understanding that email has the potential to increase carbon emissions. 

This secure email provider is also extremely transparent about how it interacts with user data. Their privacy policy is one of the most clearly written and comprehensive ones we’ve seen, and they regularly publish reports showing how often user information has been requested from them. Plus, they regularly talk about online privacy laws on their blog and their work in campaigning for change. And, if you’re wondering when the developers will add new features, you can keep up with their roadmap.

Jurisdiction

Some users may be concerned that Tutanota is based in Germany, particularly given that under German law, Tutanota is required to hand over any information they hold about a user to law enforcement. However, under the Federal Data Protection Act, companies aren’t permitted to collect personal information (such as your name, age, address, phone number, or IP address) without express permission from the user. 

Tutanota publishes a transparency report every six months, in which they release information about how many times they’ve been requested to release information and who to. On this page, they note that because they use zero-access encryption, they can’t read any emails they may be forced to release. Plus, they will only release mailbox information if they’re legally required to by a German court. 

While recent laws have made it so that companies legally have to store user data and IP addresses for 10 weeks, Tutanota wrote a blog post explaining that emails are legally exempt from this. They’re also fighting to have this law declared unconstitutional, using the precedent that a similar law in 2010 was ruled unconstitutional. 

So, while Germany isn’t necessarily a haven for Internet privacy, unlike locations like Panama and the British Virgin Islands, it’s certainly not the worst country for data retention laws. Plus, given that Tutanota is actively fighting against data retention laws and the erosion of online privacy, it’s a good sign that they’ll fight to ensure their users’ rights are protected. 

Tutanota Features 

Tutanota has both free and paid accounts, making it easy for all Internet users to access encrypted email service. While this does mean that some features are only available to Premium users, one of the key benefits of Tutanota is that all of the vital features are available to every user. 

End-to-End Encryption

Tutanota uses AES-128 for symmetric and AES-128/RSA-2048 for asymmetric encryption at each stage of data transfer. While the industry standard for encryption is AES-256, AES-128 will still take the most powerful computers hundreds of years to crack. Given that Tutanota uses AES-128 in conjunction with other encryption techniques like zero-access encryption, your emails are still protected significantly more than they would be with other email providers.

If you’ve been weighing up Tutanota vs. Protonmail, it’s worth noting that Tutanota also encrypts email subject lines, which is a feature that Protonmail doesn’t currently have. 

Every part of Tutanota is covered by end-to-end encryption, including your emails, attachments, address book, calendar, searches, reminders, and premium features like inbox rules. 

This end-to-end encryption means that the only unencrypted information that Tutanota receives is the email address that belongs to you and your recipient. Even when Tutanota sends you a reminder for a calendar event, the time is obscured and encrypted before it reaches Tutanota’s servers.

Zero-Access Encryption

When you create an email account with Tutanota, a private encryption key is created for you locally to automate the exchange of encrypted emails. This means that Tutanota doesn’t have the key to decrypt your emails, so there’s no chance of a data breach on their servers revealing your personal information. This key is encrypted with the user’s password, so even if Tutanota did get hold of it, they wouldn’t be able to decrypt it. 

Full-Text Search

Tutanota allows for full-text searching of your encrypted emails, just as you might expect with any mainstream email client. However, unlike with other email clients, searching through your emails happens locally. So, Tutanota’s servers don’t get any information about your searches, they don’t need to decrypt your emails to find what you’re looking for, and you can complete your search faster. 

Plus, your entire search history in Tutanota is also protected with end-to-end encryption, so even if someone gained access to your hard drive, they wouldn’t be able to see what you were searching for. 

External Email Encryption

Tutanota allows you to send encrypted emails to non-Tutanota users, helping to thoroughly protect your privacy. When you’re emailing a non-Tutanota user, you’ll have to send them a unique password that will decrypt your emails for them. Until the recipient enters the correct password, they won’t be able to see any information about the email that you’ve sent them. 

This is a fantastic feature that we can see being extremely useful for professionals who need to send information to their coworkers or clients securely. 

Secure Password Hashing and Salting

Your Tutanota password is hashed with bcrypt and SHA256, which are both industry standard hashing and salting protocols that are widely used for passwords across the Internet. However, when used in combination, your password is doubly protected against brute force attacks. 

Plus, this hashing and salting is performed locally, so your true password is never sent to Tutanota’s servers. This greatly reduces the chance of a data breach at Tutanota affecting your account, which helps to ensure your continued privacy and security. 
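The local hashing flow described above, as an added illustration that is not Tutanota's own code. It assumes PBKDF2-HMAC-SHA256 in place of bcrypt (which Python's standard library does not include); the function names, iteration count and server record are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt, which the standard
# library does not ship. Iteration count and key length are illustrative.
KDF_ITERATIONS = 200_000
KEY_LEN = 16  # 128-bit key, matching the AES-128 key size the review cites


@dataclass
class ServerRecord:
    """All that the hypothetical server stores for one account."""
    salt: bytes
    verifier_hash: bytes


def client_derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Runs on the user's device: returns (passphrase_key, auth_verifier).

    The passphrase key stays on the device, where it can unlock the
    encrypted private key. Only the verifier is sent to the server.
    """
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=KEY_LEN
    )
    verifier = hashlib.sha256(key).digest()  # one-way: does not reveal the key
    return key, verifier


def server_register(salt: bytes, verifier: bytes) -> ServerRecord:
    # Hash once more before storing, so a leaked database row cannot be
    # replayed as a login credential.
    return ServerRecord(salt, hashlib.sha256(verifier).digest())


def server_login(record: ServerRecord, verifier: bytes) -> bool:
    candidate = hashlib.sha256(verifier).digest()
    return hmac.compare_digest(candidate, record.verifier_hash)  # constant time


if __name__ == "__main__":
    salt = os.urandom(16)
    key, verifier = client_derive("correct horse battery staple", salt)
    record = server_register(salt, verifier)
    _, wrong = client_derive("Correct horse battery staple", salt)
    print("login with right password:", server_login(record, verifier))
    print("login with wrong password:", server_login(record, wrong))
    stored = vars(record).values()
    print("server holds key or verifier:", key in stored or verifier in stored)
```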

Secure Password Resetting

Resetting your password with an email service has always been a risky procedure, particularly if you’re doing that reset because you’re worried someone has gained access to your account. 

When you sign up with Tutanota, you’ll only be permitted to create an account if your password is strong enough. You’ll also receive a recovery code, which will be generated locally. Your recovery code has three primary functions for your account:

  • Password resetting, 
  • Unlocking your encryption key, 
  • Removing two-factor authentication. 

So, it’s vital that you keep your recovery code safe, as, without it, you’ll lose access to your account if you forget your password. 

This process truly shows Tutanota’s dedication to user privacy. While we expect this might be an arduous process for most people who are used to simple email password resets, it works hand in hand with their anonymous signup process to make your account as secure and private as possible. 

Anonymous Signup Process

Most mainstream email services will ask for a ton of personal information when you sign up for an account. However, when you sign up with Tutanota, all you have to do is choose an email address, create a strong password, confirm you’re over 16, and agree to Tutanota’s terms and conditions. This means Tutanota holds no personal information about its users, and you can stay truly anonymous if you use one of Tutanota’s domain names for your email account.

Once you’ve created an account, it’s vital that you record your recovery code and keep it somewhere safe, as this is the only way you’ll be able to reset your password later. 

Unfortunately, this lack of personal information does mean that Tutanota has to find a new way to protect itself against scammers and spammers using its service. This is why some accounts may be marked for manual approval, which Tutanota claims can take up to 48 hours. 

If you signed up for Tutanota while you were using Tor or a VPN, you’re more likely to be marked for manual approval. As stated in one of their blog posts, this is because scam artists and spammers also regularly use these tools, so they use this measure to protect their users. 

While some users might be put off by this process, it’s worth noting that Tutanota uses it in place of other options like phone verification so they don’t have to collect any personal information about you. 

Mobile Apps

Tutanota has apps for both Android and iOS, so you can replace your current email provider with their security services instead. 

The app currently stands at 4.1/5 stars on the Google Play Store, and 3.9/5 on the Apple Store. From reading the reviews, it appears that Tutanota users are generally happy with the apps; however, there are some bugs and functionality issues that need to be addressed.

Blocked Automatic Image Loading

Many people don’t realize that it’s remarkably easy for their emails to be tracked thanks to software that logs not only if an email has been opened, but also when and where that email was accessed. Emails can tell marketing agencies a lot about you when you load the external content contained within it, which is why Tutanota automatically blocks external content from loading in emails. 

By preventing external images from loading in emails, this prevents the sender from finding out your IP address, estimated location, the time you loaded that image, and even the browser you’re using. 

That’s not to say that Tutanota completely blocks you from seeing external content in emails, but rather that it gives you control over whether you’re happy to load that content. Unfortunately, you can’t yet whitelist a sender so the content automatically loads – which we’ll talk more about later – but the automatic blocking ensures that you’re always covered. 
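A sketch of how a mail client can hold back external content until the user opts in, added here as an example and not taken from Tutanota's code. The class and function names, the `data-blocked-*` attribute convention and the sample HTML are all constructed for illustration; it covers remote loads only and is not a full HTML sanitizer.

```python
from __future__ import annotations

from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "srcset", "background", "poster"}
LOCAL_SCHEMES = {"cid", "data"}  # inline attachments / embedded data: no network


def is_local(url: str) -> bool:
    try:
        return urlsplit(url.strip()).scheme.lower() in LOCAL_SCHEMES
    except ValueError:  # unparseable URL: treat as remote and block it
        return False


class RemoteContentBlocker(HTMLParser):
    """Re-emits the HTML with every remote resource reference made inert."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []
        self.blocked: list[str] = []

    def _emit(self, tag: str, attrs, closer: str) -> None:
        parts = [tag]
        for name, value in attrs:
            if value is None:  # boolean attribute such as "hidden"
                parts.append(name)
            elif name in URL_ATTRS and not is_local(value):
                # Keep the URL in an inert data-* attribute so the client can
                # restore it if the user chooses to load external content.
                self.blocked.append(value.strip())
                parts.append(f'data-blocked-{name}="{escape(value)}"')
            elif name == "style" and "url(" in value.lower():
                self.blocked.append(value)  # CSS can fetch remote images too
            else:
                parts.append(f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + closer)

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs, ">")

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def block_remote_content(html_body: str) -> tuple[str, list[str]]:
    """Returns (sanitized_html, list_of_blocked_references)."""
    parser = RemoteContentBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample: a 1x1 tracking pixel, an inline logo, a remote background.
SAMPLE = (
    "<p>Hi &amp; welcome</p>"
    '<img src="https://tracker.invalid/open.gif?u=42" width="1" height="1">'
    '<img src="cid:logo@constructed" alt="logo">'
    '<td background="//cdn.invalid/bg.png">x</td>'
)

if __name__ == "__main__":
    sanitized, blocked = block_remote_content(SAMPLE)
    print(sanitized)
    print("blocked:", blocked)
```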

Email Header Obscuring

Another aspect of email privacy that not many people realize is that your email header often contains personal information, such as your IP address. So, when you send an email, the recipient can find out not only your rough location, but also which servers your email was routed through to reach them. 

While you can use a VPN to obscure your location, this information will still be contained in the email header. Granted, it will show either a random IP address or one associated with a VPN server (depending on your VPN provider), but this still reveals that you’re using a VPN.

Tutanota helps to strengthen your online privacy by stripping that header information from your email, so your email recipients can’t see where you’re located or which servers your email has moved through. 

SSL Certificates

Tutanota secures your connection to their servers using multiple SSL certificates, making it one of the most secure email providers out there. You can expect your emails and connections to be secured with the following SSL certificates:

  • STARTTLS with PFS
  • DKIM
  • DNSSEC
  • DANE
  • DMARC

Plus, if you want to use a custom domain name, Tutanota supports those with MTA-STS certificates. This means that whether you need a cheap, secure personal email address, or want to secure your business email address and the information you send from it, you’re covered from all angles. 

1GB Storage

Regardless of what you’re using your email provider for, you’re inevitably going to need storage space to keep hold of important information. With Tutanota, you get 1GB of storage space with a free account, but you can upgrade your storage as high as 1TB for a monthly fee. Plus, business account holders can access 10GB of storage space without having to pay any additional costs on top of their account fee. 

According to Tutanota’s blog, they compress all of your emails so they take up less of your storage space. So, while 1GB may not seem like much, this may be more than enough for some users. 

While 1GB of free storage space isn’t a scratch on the 15GB that you get with Gmail, we don’t see this as a major issue, particularly given the significant privacy and security that you get with Tutanota. Plus, if you need more space, then an additional 10GB of storage space is only €24/year.

If you’re weighing up Tutanota vs. Protonmail, it’s worth noting that with a free Protonmail account, you only get 500MB of storage space. Even if you purchased a Tutanota Premium account for €12/year, and paid for an additional 10GB of storage space at €24/year, you’d still be paying less than what a Protonmail Plus account would cost – and that only has 5GB storage. 

Two-Factor Authentication

Two-factor authentication, also known as 2FA, is a popular feature that almost every private online service uses to maintain user security. Tutanota is no exception to this, and they actively encourage all users to activate 2FA on their account to prevent the risk of unauthorized access. 

Tutanota uses multiple 2FA methods, so you can pick which one works best for you. Currently, Tutanota supports:

  • U2F 
  • TOTP
  • HOTP
  • SMS codes

They recommend that users activate U2F two-factor authentication, as this method uses a physical key that generates a code. As users are likely to have the Tutanota smartphone app if they use this secure email provider, U2F provides the most secure solution as 2FA codes aren’t generated on the same device as the app. 

However, they still support TOTP/HOTP and SMS, despite them being the least secure options, because these protocols can be more accessible to users.

While other secure email providers like Protonmail have 2FA, this is typically limited to TOTP/HOTP and SMS, leaving Tutanota as the most secure option for privacy enthusiasts. 

Phishing Protection

Email phishing remains one of the largest threats on the Internet because, unfortunately, it’s still an effective way to steal passwords and other personal information. The notorious WannaCry ransomware attack of 2017 that affected hundreds of thousands of computers started with email phishing, and there are no signs that this tactic will stop any time soon.

With this in mind, all of Tutanota’s users are covered by their phishing protection software. Tutanota has a powerful spam filter that aims to prevent these emails from reaching your inbox in the first place. However, they fully acknowledge that no spam filter will ever be perfect.

To catch the emails that slip through, Tutanota will warn you if a sender’s technical address differs from the displayed email address. This helps you to easily identify spoofed emails. Plus, their system is designed to mark official emails from the Tutanota team with a red or green tagline. This coloring is built into Tutanota’s code, so it can’t be spoofed by phishing emails. 
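One way to implement the kind of sender-mismatch warning described above, as an added example rather than Tutanota's own logic. It assumes the "technical address" is the envelope sender recorded in the Return-Path header; the function names and both sample messages are constructed.

```python
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def sender_warnings(raw_message: str) -> list[str]:
    """Returns human-readable warnings about a mismatched sender identity."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    # Assumption: Return-Path (the SMTP envelope sender written at delivery)
    # is what the review calls the "technical address".
    _, envelope_addr = parseaddr(str(msg.get("Return-Path", "")))

    if not from_addr:
        return ["message has no parseable From address"]

    warnings = []
    # Check 1: the display name itself looks like an address, but a different
    # one from the real From address. Many clients show only the display name.
    for shown in ADDRESS_RE.findall(display_name):
        if shown.lower() != from_addr.lower():
            warnings.append(
                f"display name shows {shown} but the message is from {from_addr}"
            )
    # Check 2: the envelope sender's domain differs from the From domain.
    # Legitimate bulk mail can trip this, so it is a warning, not a verdict.
    if envelope_addr and domain_of(envelope_addr) != domain_of(from_addr):
        warnings.append(
            f"envelope sender {envelope_addr} does not match From domain "
            f"{domain_of(from_addr)}"
        )
    return warnings


# Constructed sample messages (reserved example/invalid domains).
SPOOFED = "\n".join([
    "Return-Path: <bounce@mailer.invalid>",
    'From: "support@example.com" <billing@lookalike.invalid>',
    "To: user@example.org",
    "Subject: Action required on your account",
    "",
    "Please confirm your details.",
])

CLEAN = "\n".join([
    "Return-Path: <alice@example.com>",
    'From: "Alice Example" <alice@example.com>',
    "To: user@example.org",
    "Subject: Lunch on Friday?",
    "",
    "See you then.",
])

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, "->", sender_warnings(raw) or "no warnings")
```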

In addition to the above measures, Tutanota have extremely secure password reset protocols that require a recovery code and, if it’s being used, two-factor authentication. So, phishing attackers can’t use password recovery links to fool you into divulging your password.

Contacts and Calendars

As we mentioned earlier, Tutanota offers zero-access end-to-end encryption on your address book and calendars, meaning that the information you store on your account is visible only to you. 

While the Calendar app appears to still be in beta, it still has the base features you’d expect from a calendar, all while offering complete privacy. Not only that, but your notifications and reminders are also fully encrypted, so Tutanota’s servers don’t even receive data about what time you were sent a notification. 

Additional Premium Features

All of the features listed above are available as part of a free account, making Tutanota one of the best free secure email providers available. Plus, if you’re interested in a Premium account, or you’re looking to use Tutanota for Business, you can enjoy these additional features:

  • Custom domain names
  • Custom email notifications
  • Additional storage
  • Inbox rules
  • Inbox filter
  • Aliases
  • Whitelabel

Tutanota is also constantly updated with new features, so we expect this list to expand as time goes on. 

Missing Popular Features

With the myriad of features that are already available for Tutanota, it’s not surprising that some popular features fell by the wayside during development. That’s not to say that these features will never exist in Tutanota, but rather as of the time of writing, they were not currently available to users. 

Autoresponse/Out of Office

Having an autoresponder or out-of-office feature is a basic expectation from most email clients, but unfortunately, Tutanota currently doesn’t offer this feature. We expect this is due to the challenges that end-to-end encryption presents with an automated mailing function, particularly when emails are sent to non-Tutanota users. 

According to Tutanota’s GitHub profile, it appears that significant progress was made on this feature in 2020 after the first prototype was created in June. However, there’s no news on when this will be made available to beta testers, let alone the full user base. 

POP3/IMAP Support

POP3/IMAP are the typical protocols used by email providers and clients; however, Tutanota doesn’t support these protocols. According to Tutanota, this is because emails retrieved using POP3/IMAP are stored unencrypted, which can compromise your security.

This means that you can’t use Tutanota with other desktop email clients, such as Outlook. Instead, you have to download Tutanota’s own desktop client, which is currently still in beta. 

Fingerprint/PIN Unlock on Mobile

Smartphone apps that handle personal data are now able to use a device’s fingerprint scanner or PIN code as an additional layer of security. While this might feel redundant to you, it means that if someone breaks into your phone, they also have to bypass the app’s security measures to get to your information. 

Tutanota’s smartphone apps currently don’t use fingerprint or PIN unlocks, but according to their GitHub, it is a feature that they plan on implementing. 

Cryptocurrency Payment

One of the biggest complaints about Tutanota is that even though they don’t collect any personal information from you on signup, you can only pay for a Premium or Business account with a credit or debit card. These methods of payment are directly linked to you as an individual, which is why many VPNs and other secure email providers allow you to pay with Bitcoin and other cryptocurrencies. 

This issue is currently on the roadmap, but Tutanota’s development team has locked the GitHub thread about this issue to collaborators only. So, there’s no update on when this feature will be implemented. 

Email Bomb Protection

Email bombs are, in essence, a DDoS attack against an email address. When an email address is targeted by an email bomb, this means that their email address is automatically signed up to thousands of newsletters at once, rendering the inbox useless as it’s filled up with confirmation emails and otherwise harmless newsletters from random sources. 

In Tutanota’s case, they were the victim of an email bomb in 2017, which saw their main contact inbox filled with half a million emails. 

Given that any known email address can be targeted by an email bomb, it’s difficult to protect against them. While Tutanota implemented a solution, they admit that this would be difficult to automate. That said, it’s still a feature they say they’d like to implement in the future.

Tutanota for Business

Tutanota also offers a business account starting at only €12/year, but if you’re a non-profit or school, you can access a discounted rate. 

A significant benefit of Tutanota’s pricing structure is that they offer a range of additional features separately from your main subscription, so you only have to pay for what you use. 

For instance, as a business, you can pay for a whitelabel version of Tutanota for only €12/year/user, which will allow you to use their secure email in a client that’s branded for your company. However, you’re not forced to pay for this feature if it doesn’t matter to your business. 

Tutanota vs. Gmail 

Tutanota offers significantly more privacy to users than Gmail. 

While Gmail does offer encrypted transmission of emails, they hold the decryption key for your emails, so they can access your personal information at any time. However, Tutanota uses zero-access encryption, so they hold very little data about you that can be accessed by their employees or any other 3rd parties.

It’s also worth remembering that Google is based in the US, which is notorious for its constant push to erode online privacy and freedom, and allows ISPs to sell users’ personal data (such as browsing history, applications used, or locations visited) without their consent. 

In comparison, Tutanota is based in Germany, which has laws that prevent businesses from collecting and holding user data without express permission.

While both companies are legally required to hand over data to law enforcement when asked, Tutanota holds significantly less information about you that they can decrypt than Google. So, if you’re looking for online privacy, Tutanota is a better bet. 

Tutanota Alternatives 

ProtonMail

Tutanota’s main competitor is ProtonMail, because it offers a very similar service. Based in Switzerland, ProtonMail is an open-source secure email provider that uses zero-access end-to-end encryption to protect your privacy online. 

ProtonMail has the benefit of being covered by the strongest online privacy laws around, and it also has multiple features that Tutanota hasn’t yet implemented.

However, a major downside of ProtonMail is that they don’t encrypt email subject lines or sender/recipient email addresses, so it’s easy for popular email providers to retain a copy of emails from ProtonMail once they’ve been decrypted by the recipient. 

Posteo

Posteo is another Germany-based open-source secure email provider. Unlike ProtonMail, they fully encrypt your emails, and they also use zero-access encryption to maintain user privacy. 

One of the main drawbacks of Posteo is that it doesn’t have a spam filter, which can leave users vulnerable. Plus, it uses the IMAP protocol, which Tutanota has stated is not secure because it stores emails unencrypted. 

NordVPN or ExpressVPN for Tutanota

As we mentioned earlier, if you sign up for Tutanota while you’re using a VPN, then it’s likely your account will be on hold for manual verification. However, that’s not to say that once your account is up and running, you can’t use Tutanota with a VPN. Plus, with some ISPs like AT&T blocking Tutanota, chances are that you might start to need a VPN to access this secure email service. 

With that being said, we’d recommend using NordVPN with Tutanota. NordVPN has significantly more features than competing providers like ExpressVPN, making it one of the best options to maintain your online privacy alongside your encrypted emails. Not only that, but NordVPN’s CyberSec feature blocks phishing domains, malware, and other trackers, granting you an additional level of protection. 

Conclusion

Tutanota is a fantastic secure email provider that offers you unparalleled levels of security and privacy when you’re using your email client. While it may be missing some popular features, the Tutanota development team appear to be constantly improving the service and working to build more functionality into their email client. 

As it stands, Tutanota is one of the best alternatives to standard email services that we’ve reviewed. If you’re looking for a service that offers zero-access encryption protocols, security services, secure encrypted messages, and a proactive development team, then Tutanota is the secure email client for you.

Tim Robinson

I research, write, and publish about VPN and other privacy tools.

My first VPN setup was over ten years ago, and since then, it has been an essential part of my internet experience. I surf the internet, stream, and work with a VPN.