Finding a Privacy-Friendly Email Provider
Disclaimer: The following is my opinion based on personal experience and does not constitute expert advice or guidance. I am not sponsored by, supported by, or otherwise financially biased toward any of the services mentioned.
The Problem with Gmail
Like most people, I used to rely on Google heavily for basically all of the core online services I used. When I realized what an invasive and anti-privacy company Google is, it was pretty simple for me to ditch Google Chrome for one of the more privacy-friendly alternatives and switch my default search engine to something like DuckDuckGo. It took me much longer to start looking for a better email provider. Downloading a new browser and switching the default search engine is free, only takes a few minutes and the end result is a user experience that is about as good as Chrome+Google. Email is another beast entirely. Gmail’s features are really quite good and you can get a Gmail account for free. Well, for “free” I suppose, since you are paying with your data and your privacy. Google openly admits that it was reading its customers’ emails to build their ad profiles until 2017, and even now there is really nothing stopping Google (or a rogue Google employee) from reading your emails if they wish. And you had better believe that Gmail is still using all of your email metadata (like who you email and how often) to serve you more personalized ads regardless of whether or not it reads the emails themselves.
The problem is that privacy-friendly alternatives to Gmail are either paid, lacking features when compared to Gmail, or both. That being said, if you want to take your digital privacy seriously, Gmail and other free email providers like Yahoo! or Outlook are not real options so you will have to get comfortable with either paying for your email service with cash instead of with your data or with losing some of Gmail’s functionality. In my quest to find a Gmail alternative, I looked into quite a few different email providers and tried out 4 myself: ProtonMail, Tutanota, Mailbox.org, and Posteo. Most of the other providers I looked into were either not privacy-friendly, too expensive, or lacking sufficient reputation.
ProtonMail is probably the first suggestion you will hear when asking for a privacy-friendly alternative to Gmail and with good reason. The service has been around for a while and has a good reputation (despite the more paranoid side of the digital privacy community insisting it’s a honeypot, most of the so-called “scandals” boil down to Proton turning over data to the authorities when required by local law). ProtonMail’s interface is very user-friendly and is somewhat reminiscent of Gmail’s. ProtonMail also stores all emails encrypted with OpenPGP keys by default (though see the caveats below), while also providing the option for users to use their own PGP keys. ProtonMail’s free tier is quite generous and includes 1 GB of storage.
Now for the downsides. The main concern I had with ProtonMail was its pricing. While the free tier is very generous, it is restricted to only 150 messages per day (more than most personal accounts need, to be fair) and does not offer custom domain support, alias addresses, or IMAP support. IMAP support essentially allows you to use third-party email clients and I personally consider it to be a pretty essential feature. I like having a copy of my emails stored on my local machine and I don’t like being locked in to my email provider’s email client. While I think it is perfectly fair to lock these features behind a paywall (they do need to make money after all), the lowest paid tier (as of this writing) is €4.99/month! While they do offer slight discounts for yearly/two-year subscriptions, this is way too much to charge for an email service. I assume the high price is trying to push people toward the “Proton Unlimited” package, which also includes access to Proton’s VPN and cloud storage services. And while Proton Unlimited may be reasonably priced for what it offers, that doesn’t much help users who are just looking for an email service. Additionally, even with a paid plan, IMAP support is only offered through the ProtonMail Bridge. The Bridge is not available for mobile however, meaning you’re stuck with the ProtonMail client on Android/iOS.
The reason why ProtonMail requires the Bridge in order to support IMAP is because ProtonMail end-to-end encrypts all of its messages by default. This is one of the major draws of ProtonMail’s service from a privacy perspective, but is also not all that it’s cracked up to be. While ProtonMail does end-to-end encrypt all emails sent between ProtonMail accounts (and stores all mail encrypted while “at rest” on its servers), emails exchanged with non-ProtonMail addresses are not end-to-end encrypted: they are usually protected by TLS between mail servers, but that only covers each hop, and the message sits in plaintext on the other provider’s servers. This is not ProtonMail’s fault, but is a simple consequence of email’s decentralized nature. That being said, the idea of ProtonMail end-to-end encrypting all emails by default loses a lot of its appeal when you realize that “all” really only includes a small percentage of the emails most people will be sending/receiving. While ProtonMail does offer PGP support to encrypt emails sent to other servers, PGP support has been a standard feature of basically any email client worth discussing for a long time now and supporting it hardly makes ProtonMail unique.
With all that being said, ProtonMail is still a very good option as a Gmail alternative. Its free tier is great if you want a semi-disposable account or if you have modest needs from your email provider. While I can’t recommend the expensive, mail-only paid tier, if you’re interested in going all-in on Proton’s larger ecosystem, Proton Unlimited could be a really good option.
Tutanota is probably the most well-known privacy-friendly email provider after ProtonMail. Like ProtonMail, they place their emphasis on end-to-end encryption and open-source in their attempt to build a trustworthy and privacy-friendly email platform. Tutanota’s encryption is very robust and has some advantages over ProtonMail’s and over PGP in general. Tutanota also offers a free plan, which while not as generous as ProtonMail’s, is pretty decent and is likely serviceable for many users. It includes 1 GB of storage while paywalling features like email aliases and custom domain support. The other feature that is paywalled is “unlimited search.” Essentially, Tutanota allows free users to only search for recent emails. Older emails will have to be found manually and not using the search function. While this does seem like a pretty basic feature to keep paywalled, I suppose they need something to push users toward paid plans, so I can’t really blame them.
Unlike ProtonMail, Tutanota’s lowest paid tier is priced at a reasonable €1.20/month (or €1/month for a yearly plan) and includes unlimited search, custom domain support and 5 aliases. Other features such as extra email aliases and extra storage are offered à la carte. The major feature that is missing from both Tutanota’s free and paid plans is IMAP support, meaning you are locked in to Tutanota’s (open source) email clients. Like ProtonMail, the reasoning for this is Tutanota’s encryption implementation. Unlike ProtonMail however, Tutanota’s email client is pretty basic. Honestly, it worked just fine for my needs, but it is relatively feature-poor and has a few unintuitive UI choices which could alienate some users.
Also like ProtonMail, Tutanota end-to-end encrypts emails between Tutanota accounts by default, but this comes with many of the same caveats. Tutanota’s end-to-end encryption will not work for external email addresses unless you set a password for the email message. This is cumbersome to do and poses the problem of how to securely share the password with the email recipient. You could send it over a secure messenger like Signal, but if you already have a secure communication channel, why would you need Tutanota’s password-encrypted emails? PGP solves this problem by using public/private key pairs, and while Tutanota’s encryption is stronger than PGP’s (they claim it’s quantum-resistant) and encrypts metadata like the subject line (which PGP does not), its benefits don’t really seem to outweigh the downside of abandoning public/private key pairs for a password. Not only that, but you have no option to integrate PGP with Tutanota even if you want to, meaning that you are stuck using their encryption or nothing (I suppose you could encrypt the message yourself and then put the encrypted text in the email, but that seems like a lot of extra work). While you can of course just insist that any correspondents also use a Tutanota account, a program like Signal seems a lot more suited to that use case since one of the major advantages of email is its wide adoption and decentralized nature. ProtonMail also offers password-protected emails and many of these points apply to ProtonMail as well, but they at least give you the option of using desktop email clients and/or your own PGP keys, so these problems are all the more glaring with Tutanota.
Despite its shortcomings, Tutanota still has a strong use case. I could particularly imagine its end-to-end encryption implementation being put to good use in a team setting where there would be a lot of sensitive, internal email communications. If you are aware of and comfortable with Tutanota’s shortcomings, its paid tier is reasonably priced and not a bad option overall and its free tier is a slightly inferior but still noteworthy alternative to ProtonMail’s.
While not as well-known as ProtonMail and Tutanota, Mailbox.org is another common name you’ll hear tossed around when privacy-friendly email services are discussed. Mailbox.org doesn’t claim to end-to-end encrypt all its emails like ProtonMail and Tutanota do, but instead offers a more “basic” email functionality free of the mailbox snooping and analytics shenanigans Google is known for.
One of the most underrated advantages of Mailbox.org is the fact that it has a normal-sounding domain name. While this may sound like a silly consideration, if you’ve ever had to read out your email address to a customer service representative on the phone or a casual acquaintance in real life, you’ll know that having an email address like firstname.lastname@example.org may have seemed like a great idea when you were just typing it online but suddenly becomes a bit of an embarrassment. Even a relatively more normal email address like email@example.com can earn you weird looks and questions like “how do you spell that?” when trying to do something simple like share your email address.
In terms of features, Mailbox.org is nothing special but does everything you could reasonably want an email provider to do. Its webmail client is perfectly functional and IMAP support is an included feature with all plans so you’re not forced to use it anyway. Mailbox.org also claims to be fully powered by green energy. It is nice to see services like Mailbox.org that seem committed to social progress generally beyond the narrow (though important) area of digital privacy.
One point of note about Mailbox.org that may be a dealbreaker for some is that it has no free tier. However, if you already planned on paying cash for your email provider, Mailbox.org’s plans start at €1/month, which is quite competitive. Although you can only credit your account with a minimum of €12, they do offer refund options if you wish to cancel your account before you’ve used up your balance. The lowest tier includes 3 email aliases and 2 GB of storage. The higher tiers (€3/month and €9/month) offer more storage and aliases, custom domain support, as well as cloud storage and an office suite if that’s something you’d want from your email provider. In my opinion, everything but the lowest tier is overpriced and it’s a shame that custom domain support is not available on the lowest tier. The custom domain support and 25 alias addresses in addition to disposable email addresses do make the €3/month tier somewhat attractive, but it’s still a bit much to pay for an email service in my opinion, especially since there’s no option to purchase these features separately à la carte like there is with Tutanota.
The major concerns I had with Mailbox.org related to security and usability rather than to price. When I went to enable TOTP 2FA on my account, I found that I needed to set a PIN and that I would then enter that PIN followed by the TOTP code into the password box in lieu of my password. This seems totally ridiculous to me. What’s the point of 2FA when you’re basically decimating the security of one of the factors by reducing its complexity to a numeric PIN? I ended up feeling more comfortable leaving 2FA off and simply using my randomly generated password. I’ve never seen TOTP 2FA implemented this way before and it did not instill a ton of confidence in Mailbox.org’s security practices.
The second security-related concern I had was with Mailbox.org’s encryption implementation. Mailbox.org doesn’t claim to end-to-end encrypt all of the emails it sends like ProtonMail and Tutanota do, which is fine from my perspective. As I discussed above, the end-to-end encrypted email claim comes with a lot of caveats anyway. That being said, my emails being encrypted while at rest on my provider’s servers is a worthwhile feature and doesn’t impact email’s usability as a decentralized service. Mailbox.org doesn’t do this by default and finding the setting was a real pain. In general, while Mailbox.org’s webmail client is perfectly serviceable, its settings panel is a huge mess and its documentation doesn’t do a ton to help out. Eventually I did find the setting to encrypt emails at rest, which required inputting a public PGP key to encrypt the emails with. While I guess this is fine, I would have really preferred a toggle where I could simply encrypt my at-rest emails using my password. There was also a totally separate setting called “mailbox.org Guard,” which seems to be used to encrypt emails sent from the account, but the functionality seemed a little overlapping and finding the proper documentation explaining what each setting was for was a bit of a pain. Even now, I’m a little unsure how to implement each of these features and how they overlap. I suppose this is more of a usability concern than a security concern, but it was still disheartening to see what should be a core security feature made so opaque and complicated.
Mailbox.org certainly gets points for its relative simplicity and IMAP support even on its cheapest plans. However, some of its security practices certainly seem like red flags (or at least yellow flags) to me and so I’m afraid I can’t recommend the service in confidence. If you’re not looking for anything fancy security-wise and just want a simple email provider who won’t mine your data (and has a normal-sounding domain name to boot) or need both IMAP and custom domain support and don’t mind paying a little extra, perhaps Mailbox.org is worth looking into.
Posteo is very similar to Mailbox.org on its surface. Both services are hosted in Germany (as is Tutanota, by the way), both lack free tiers but offer subscriptions with IMAP support from as low as €1/month, and both have similar-looking, green-colored web interfaces and use green energy. Part of me suspects that one project was a breakaway from the other, but I have no proof of that either way.
So what makes Posteo unique? Well, Posteo properly implements TOTP 2FA for one thing. Even with 2FA enabled, IMAP is still accessible with your password alone (this is more of an IMAP limitation than a Posteo limitation as best I can tell), but you do have the option to turn off IMAP access for your account if you wish. The settings in general are also much simpler to navigate than Mailbox.org’s (even if I did stumble across a German phrase here or there where English probably should have been). While Posteo does not offer end-to-end encryption by default between Posteo users like ProtonMail and Tutanota, they do have a simple option for encrypting your emails at rest with your password and they also have support for encrypting them with your public PGP key if you’d prefer. While the encryption is disabled by default, this is somewhat understandable since enabling the encryption prevents you from being able to recover your previous emails if you lose your password, which might not be something the average user wants. But it is good that it’s there and good that it’s pretty simple to activate. There is also the option of mandating TLS for sent and received emails (not sure how useful this actually is, but it’s an option if you want it).
Posteo’s pricing consists of a single tier costing €1/month for basic email access with IMAP support, 2 GB of storage and 2 alias addresses included. You can pay extra for additional alias addresses (€0.10/address) or storage space. While all of the providers on this list accept some form of anonymous payment (either cash by mail, cryptocurrency or both), Posteo is the only one that I noticed claimed that your payment info will be kept anonymous from your account if you choose to pay by credit card. Not sure how realistic that claim is, so make what you will of it.
So what’s not to like? The biggest shortcoming is a lack of support for custom domains. Posteo claims that this is because allowing custom domains would sacrifice their users’ privacy, but if that is really the reason, I don’t see why they make that decision unilaterally instead of letting their users decide. Additionally, aliases are capped at 20 per account. This is admittedly more than most people need, but it’s curious why they would put a cap on alias addresses per account at all if you pay for each one. And while Posteo does have a variety of domains available for their aliases, there is no .com option (though they do have .org and .net). Finally, their webmail interface works just fine but is nothing special, though this is a moot point if you’re planning to use an IMAP-based email client anyway.
Posteo is a great choice overall and probably the best, cheap option if IMAP support is a must for you as it is for me. It is basically superior to Mailbox.org’s lowest tier in every conceivable way (other than the domain name, I suppose) and has quite a few advantages over ProtonMail and Tutanota as well, even if the overall advantage there isn’t clear-cut.
Unfortunately, there’s really no “gold standard” for a privacy-respecting email service at this point. Each service I looked into was lacking in some way. That doesn’t mean that there are no good options though, just that you will have to make some sacrifices in either price or features to find a privacy-respecting email provider that works for you. I ultimately decided to go with Posteo as I felt it had the best balance of price and features. I did seriously consider Tutanota as well, but its lack of IMAP and PGP support didn’t overcome its other advantages (like custom domain support) for me. If I ever decide to sign up for Proton’s full suite of products I could perhaps see myself moving to ProtonMail, but the price of their email service alone is just too high for it to be a consideration for me at this point. I hope this provided some useful information if you’re looking for a privacy-respecting email provider yourself (or perhaps encouraged you to start looking). Don’t rely on my conclusions though. Try out a few services, do your own research and don’t be afraid to share your conclusions with others when you’re done.