Best free and paid secure email services

Email is difficult to secure. It always has been, and without a major overhaul of its protocols, it always will be. Still, some try their hand at offering a secure email solution. It’s never a perfect solution, as we’ll see, but it’s still a large improvement over the status quo.

In this post, we’re going to present you with what we consider the best secure email services available today. Some are free. Some are not. We’re going to start with the free services and move on to the paid services. If you use email a lot and email security is critical to you, I would recommend going with a paid service. A paid service will offer you many more options than any free offering you can find.

There’s just one thing I’d like to mention before we get started. This post is about secure third-party email services. However, you can also set up email encryption for yourself using S/MIME or PGP – without a third-party service. If you want complete privacy, you want to exclude third-parties from the equation. Configuring email encryption for yourself, while more complex, is the most private option for securing your email.

My colleague, Paul Bischoff, wrote a detailed article explaining how to do just that. If that’s the road you’d like to go down, I recommend following our how to encrypt email guide.

If you don’t want to read through the entire article (it is quite long…), here are the results for both categories (free & paid):

Best free secure email providers

  1. Tutanota: Our top free choice. A German secure email provider that offers a generous free plan with high security, privacy, and ease-of-use.
  2. Protonmail: A high-quality and very popular option that is extremely easy to use.
  3. Mailfence: A Belgium-based secure email provider that donates 15% of its earnings from its Pro plan to the EFF.
  4. Private-Mail: The secure email service brought to you by the folks at VPN provider, TorGuard. Despite its name, Private-Mail collects a lot of data on its users.

Best paid secure email providers

  1. mailbox.org: Our top paid choice. Based in Germany, mailbox.org combines excellent privacy practices, security, and ease-of-use in a beautiful UI.
  2. Protonmail: Probably the most well-known secure email provider. Anyone who values their privacy should consider its paid plans.
  3. Tutanota: A secure email provider from Germany, with good privacy practices, that’s very easy to use.
  4. Posteo: A German secure email provider with the best privacy practices we’ve seen, and that runs on 100% sustainable energy. Posteo is geared towards more experienced users.
  5. StartMail: A secure email service provided by the company behind the private search engine, startpage.com. The encryption setup should be more streamlined.
  6. Hushmail: A Canadian secure email provider that offers features tailored for businesses. Hushmail collects a lot of data on its users.

How are providers rated?

I’m going to be rating the providers on three major aspects:

  • Privacy practices: Does the provider have access to your encryption keys? Are there unencrypted elements within encrypted messages? Are your emails encrypted at rest on the provider’s servers?
  • Data collection: What kind of data does the provider collect – and how much of it?
  • Ease-of-use: Are the encryption keys managed automatically by the provider? How easy is it to set up? Does the provider offer a way to send encrypted messages to non-subscribers?

Free secure email providers

We’re going to start with the free secure email providers and move on to the paid services.

1. Tutanota

Tutanota Logo

Tutanota pros and cons

Pros:

  • End-to-end encryption of messages (including subject lines)
  • Servers in Germany
  • Strips IP addresses from emails
  • Open source code (including mobile apps)
  • iOS and Android apps
  • Free account includes encrypted calendar

Cons:

  • Does not support PGP
  • Account approval can take up to 48 hours
  • Cannot import your existing emails into Tutanota
  • Data collection – will hand over your emails on presentation of a valid German court order

Tutanota is a secure email service provider, based in Germany, which also offers a free plan. The service provides end-to-end encryption but does not use PGP. Instead it uses a hybrid scheme: the message is encrypted with AES, a symmetric cipher, and the per-message AES key is encrypted to the recipient with RSA public-key encryption. (There is no such thing as “AES public key encryption”; AES only ever works with a shared key, so some public-key or password step is always needed to get that key to the recipient.) To send emails to users outside of Tutanota, the service falls back to AES with a key derived from a password you share with the recipient.

The free plan provides you with 1GB of email storage and limits you to Tutanota domains. 1GB of storage is quite generous for a free service.

Like Protonmail, Tutanota strips your IP address from the email header. And contrary to Protonmail, Tutanota encrypts your subject lines. Sending encrypted emails with Tutanota is extremely easy. Encryption is automatic when you send an email to a Tutanota user. When emailing a non-Tutanota user, you simply need to add a password to your message (and find a secure way to communicate it to your recipient). No technical skills required. The free plan also includes an encrypted calendar, which is nice to have (especially with a free account).

All of Tutanota’s infrastructure is open source, as are its apps.

One downside with the service is that it takes up to 48 hours to activate your account once created. Tutanota claims the delay is required to set up your account as privately as possible. Still, waiting two days to use your shiny new encrypted email is a bit of a downer.

Tutanota’s privacy policy is easy to read and to the point. It makes it clear that it does not scan your emails for any reason. However, we did find this towards the bottom of the privacy policy page:

Tutanota - Privacy Policy

Read carefully, this covers what Tutanota can actually see: account metadata and any mail that arrives unencrypted from an outside sender, which the server handles in plaintext before encrypting it for storage. It does not by itself mean that Tutanota holds the keys to mail encrypted end-to-end between Tutanota users; in Tutanota’s design those keys are protected with a key derived from your password. In any case, secure email services are an imperfect solution, as I mentioned at the beginning of the article, and no company will ever state that it will ignore the law… nor should it.

2. ProtonMail

ProtonMail Logo

ProtonMail pros and cons

Pros:

  • Supports PGP
  • Servers in Switzerland
  • iOS and Android apps
  • Open source web client, encryption algorithms, and apps
  • Strips IP addresses from email headers

Cons:

  • Email subject lines remain unencrypted
  • Uses phone number for verification
  • Data collection and scanning of unencrypted emails
  • Free plan does not support third-party email clients

Protonmail is probably the most well-known and most popular secure email service. The service is based in Switzerland – a jurisdiction with some of the strictest privacy laws in the world. It provides end-to-end encrypted emails using PGP.

The free plan allows you to send up to 150 messages a day and provides you with 500MB of storage. As expected for a free plan, if you run into issues you will have limited support. And you can’t use your free Protonmail account with your favorite mail app. You’ll need a paid subscription for that. Still, we can’t complain too much when the upfront cost is literally zero.

Protonmail manages your PGP keys for you, which removes the risk of exposure due to a misconfiguration of PGP on your part and makes the service very easy to use. Emails sent between Protonmail users are always automatically encrypted. You can use password-based encryption to send emails to users outside of Protonmail. Another nice thing about Protonmail’s service is that it strips the IP addresses from the email headers before sending them, augmenting your level of privacy.

But nothing is perfect and there are some downsides to the service as well. So, while Protonmail strips the IP address from your email headers, it does not encrypt your subject line. The service also uses phone number verification, forcing you to expose a working phone number over the internet.

But more concerning than that is what we found in its privacy policy:

ProtonMail - Privacy Policy

Protonmail will scan any incoming and outgoing unencrypted emails sent to and from a Protonmail address. The objective is to prevent spam, which is fine, but other services manage to get a grip on spam without scanning emails. The important distinction is where scanning can happen at all. Mail exchanged between Protonmail users, or encrypted with a password or the recipient’s PGP key, is encrypted end-to-end: nobody can read it except your intended recipient, not even Protonmail itself. Mail that arrives unencrypted from an outside sender is necessarily readable by Protonmail’s servers at the moment of delivery, which is when it is scanned; only afterwards is it encrypted to your public key for storage. And the whole point of using Protonmail is to encrypt your message.

While we hope it tightens some of its practices, the good outweighs the bad in my opinion, and Protonmail is a recommended secure email service. And remember, it’s free.

3. Mailfence

Mailfence Logo

Mailfence pros and cons

Pros:

  • Supports PGP
  • Removes IP addresses from mail headers
  • Two-Factor Authentication (2FA) support
  • Supports password-based encrypted emails for non-Mailfence users

Cons:

  • Logs IP addresses and other data
  • Inbox is not encrypted at rest
  • Code is not open-source

Mailfence is a Belgium-based secure email service provider that focuses on user privacy. Mailfence donates 15% of all its earnings from its Pro plan to the Electronic Frontier Foundation. We like that.

The service provides PGP end-to-end encryption and strips the IP address from the email headers. Setting up PGP encryption is not as straightforward as with a service like Protonmail that handles key management for you in the background. But Mailfence does provide a wizard for the encryption setup, which is welcome. The Mailfence PGP setup will give you more control over your keys, but if you’re a less technical user, you may well want to trade that control for ease-of-use. The service also enables you to send password-based encrypted emails to non-Mailfence users.

The free plan gives you up to 500MB of email storage and another 500MB for file storage. It also supports two-factor authentication.

On the downside, your Mailfence inbox, on Mailfence’s servers, is not encrypted at rest. All encrypted emails you send or receive remain encrypted on the server at rest, but any unencrypted mail is stored unencrypted on the server. The company is working on integrating this feature, so it shouldn’t remain an issue for long.

As far as the privacy policy goes, Mailfence is transparent about what it collects, but it does collect quite a bit:

Mailfence - Privacy Policy

Again, these services do not represent a magic bullet against online tracking. But they do make things better.

4. Private-Mail

Private-Mail Logo

Private-Mail pros and cons

Pros:

  • Supports PGP
  • Encrypted file-sharing
  • Supports two-factor authentication (2FA)

Cons:

  • PGP key generation and exchange is not automated
  • Does not support third-party email clients
  • Requires a credit card even for the free account

Private-Mail is the secure email service from VPN provider TorGuard. The service uses PGP encryption and allows you to store and share encrypted files. It also supports two-factor authentication. The free plan provides you with 100MB of email storage and 100MB of file storage.

Because the PGP key generation and exchange are not automated with Private-Mail, it raises the level of technical knowledge required to get this working. And even when properly set up, encryption in Private-Mail is not automatic. Using Private-Mail is very much like setting up PGP encryption for yourself in a mail client like Thunderbird, except you’re in the Private-Mail UI and have a .privatemail.com email address. That makes the service unsuitable for those who are less tech-savvy. Also, Private-Mail doesn’t provide a password-based fallback option to send encrypted emails to non-Private-Mail users.

In regards to data collection, Private-Mail collects a lot. Here’s a screenshot from its privacy policy:

Private-Mail - Privacy Policy

That’s a lot of data. And should a service that’s designed for privacy really be “creat[ing] a consumer profile that includes characteristics, psychological trends, predispositions, behaviors, or similar information”? I don’t think so. But again, if a service is free, it will need to be monetized in one way or another…

As I said at the start of this article, the only way to have truly private email is to cut out third-parties from the equation.

So those are the free options, and they’re all quite good for what they are. However, if you need more features from your email provider than you get with a free plan you should look at the paid options. So here are some of the more notable paid options for a secure email account.

1. mailbox.org

Mailbox.org Logo

mailbox.org pros and cons

Pros:

  • PGP support
  • Virus protection
  • Supports third-party mail clients
  • Includes full office suite
  • Strips IP addresses from email headers
  • Messages are encrypted at rest
  • Supports custom domains
  • Open-source

Cons:

  • No mobile clients
  • Some data collection during registration

Mailbox.org is a paid secure email provider based in Germany. The service costs 1€ per month, which is much cheaper than many of its competitors. That comes to 12€ per year, so roughly $14.50 in US dollars. Mailbox.org supports PGP encryption; its web interface is served over HTTPS with HSTS, and its TLS connections use forward-secret (PFS) cipher suites, so traffic captured today cannot be decrypted later with the server’s long-term key. Each mailbox.org account includes a full office suite, custom domains, and file storage. Your messages, whether sent encrypted or unencrypted, are encrypted at rest on mailbox.org’s servers using PGP. And its web app is open source. Good stuff.

Mailbox.org - Pricing

Mailbox.org supports third-party mail clients, which is welcome as it doesn’t provide mobile apps at this time. As with most providers in this list, the provider-managed encryption only works in the web client; in a third-party client, sending or reading encrypted mail is up to that client’s own OpenPGP support and your own keys.

Sending encrypted emails with mailbox.org is easy. It automatically manages the encryption keys in the background using its Guard feature. Guard is essentially mailbox.org’s encryption assistant. The first time you want to encrypt a message, Guard pops up and takes you through its encryption wizard, after which you’re all set up.

However, when setting up your PGP keys, mailbox.org automatically uses your email password as your PGP key passphrase. That means that it knows your passphrase. If you’d rather not trust Guard with your encryption, you can use the Mailvelope browser plugin and manage your keys manually from there.

In terms of privacy, mailbox.org does quite well. There is a Google-owned reCAPTCHA at signup that I wish wasn’t there, but all in all, mailbox.org tries to minimize data collection. Its privacy policy is pretty standard but it does make clear what’s collected and what isn’t. At the bottom of the privacy policy, we find this:

Mailbox.org - Privacy Policy

It may seem pretty ominous, but mailbox.org is simply reciting the law as it stands in Germany right now. It is not specific to mailbox.org, it is specific to telecommunications providers. Underneath that section, mailbox.org makes this statement:

Conversely, we will not disclose any data if the legal requirements for disclosure are not mandatory (so-called “anticipatory obedience”). Such requests for information from the police without a court order will definitely be rejected by us, as in these cases it would be illegal for us to disclose the data. We, or our lawyers, strictly and critically examine all disclosure requests. However, we cannot judge whether the database data you provided when you registered is correct and accurate. If you encrypt your email traffic with PGP, we are also not able to make the content of these emails readable either.

2. ProtonMail (Paid account)

ProtonMail Logo

ProtonMail (Paid account) pros and cons

Pros:

  • Supports PGP
  • Servers in Switzerland
  • iOS and Android apps
  • Open-source web client, encryption algorithms, and apps
  • Strips IP addresses from email headers
  • Supports third-party email clients
  • Encrypted calendar
  • Custom domains
  • 5 email aliases
  • 5GB of storage

Cons:

  • Email subject lines remain unencrypted
  • Uses phone number for verification
  • Data collection and scanning of unencrypted emails

ProtonMail offers both free and paid accounts. So it makes sense for ProtonMail to be considered in both categories. When you purchase a paid subscription, you get more than with a free account. With a paid subscription, you can use your ProtonMail account with third-party email clients. But you now know the drill: to send and read encrypted emails you’ll need to use the web interface or the ProtonMail mobile apps.

ProtonMail - Pricing

You also get an encrypted calendar, 5GB of storage, access to custom domains, and up to five email aliases. The paid plan, for email only (ProtonMail’s other paid plans also include a ProtonVPN subscription), is $4.00/month. That’s not bad.

As we mentioned above, encryption is extremely easy with ProtonMail as it handles everything for you automatically. It also provides you with password-based encryption to communicate with non-ProtonMail users.

ProtonMail’s privacy practices aren’t perfect, but they’re still quite good. And as long as you encrypt your emails, they’ll remain private.

3. Tutanota (Paid account)

Tutanota Logo

Tutanota (Paid account) pros and cons

Pros:

  • Hybrid encryption: AES for the message, RSA public keys to exchange the AES key
  • Password-based option for non-Tutanota users
  • Subject line is encrypted
  • Strips IP addresses from emails
  • iOS and Android apps
  • Open-source code (including mobile apps)
  • Multiple encrypted calendars

Cons:

  • Does not support PGP
  • Account approval can take up to 48 hours
  • Cannot import your existing emails into Tutanota
  • Data collection – will hand over your emails on presentation of a valid German court order

Tutanota also offers both free and paid plans. So what does a paid plan get you with Tutanota?

Tutanota - Pricing

You get everything in the free plan, plus custom domains, multiple calendars, up to five email aliases, and the ability to create inbox rules to automatically direct emails to specific folders. The package will cost you 12€ per year (1€ per month), which is roughly $14.50.

For the rest, everything mentioned about the free option still holds here (aside from the feature differentiation). Tutanota encrypts messages with AES and uses RSA public-key encryption to get the AES key to the recipient. Encryption is completely automated, making it extremely easy to use. And Tutanota also provides password-based encryption for outside users.

4. Posteo

Posteo Logo

Posteo pros and cons

Pros:

  • Subscription includes Mail, Calendar, Contacts, and Notes
  • All your data is encrypted at rest on Posteo’s servers, using PGP
  • Subject, headers, body, metadata, and attachments are encrypted
  • Completely open-source
  • No logs
  • Strips IP addresses from email headers
  • Encrypted email storage with daily backups
  • Allows anonymous (cash) payments
  • Supports third-party email clients

Cons:

  • Does not support custom domains
  • No spam folder (spam emails are either rejected or delivered to your inbox)
  • Must set up PGP encryption manually
  • No mobile apps

Posteo is not very well-known in the secure email space, but it’s one of the best out there. Posteo is based in Germany and, like mailbox.org, costs 1€ per month, roughly $1.20. The service includes Mail, Calendar, Contacts, and Notes, which are all encrypted at rest on Posteo’s servers using PGP. When you send encrypted mail over Posteo, everything is encrypted: the body, obviously, but also the subject lines, the headers, the metadata, and any attachments.

Posteo - Pricing

If you rely on Posteo’s own tooling, the web client is where you’ll send and read encrypted messages. You can use your Posteo account with any third-party email client, but Posteo does nothing for encryption there: sending or reading encrypted messages in, say, Thunderbird depends on that client’s own OpenPGP support and your own keys.

Posteo has a strong commitment to user privacy and sustainable energy. Its entire operation runs on sustainable energy and its entire infrastructure is open source. Posteo collects no logs whatsoever and strips your IP address from the email headers as well.

Posteo’s downsides are (mostly) rather minor, in my opinion. It doesn’t provide mobile apps unlike ProtonMail and Tutanota. The service doesn’t support custom domains and doesn’t provide any “.com” domain options either. But there is one pretty big issue…

PGP key management is a manual process with Posteo. You need to set it up yourself and even then, you need to add your key to your Posteo account. That means that using PGP with Posteo is not an integrated process. You need to generate your PGP keys, set your passphrase and trust level, and only then can you email your public key to Posteo to use it within the web client. Alternatively, you can use the Mailvelope browser add-on and manage your keys from there rather than from within Posteo.

This is probably going to be a deal-breaker for those who aren’t familiar with encryption in general or PGP in particular. Admittedly, it’s not the easiest thing to set up…

But if you have the tech skills, Posteo is a great choice for the privacy-minded.

Let’s take a quick look at its privacy policy. Here’s a short excerpt:

Posteo - Privacy Policy

That’s quite good. And below that, we find the following statement:

When you delete content data, it’s deleted immediately. If the data has been backed up in one of our daily security backups, it will remain there for an additional 7 days until it is completely deleted.

Posteo’s privacy policy will be hard to beat.

5. StartMail

StartMail Logo 2

StartMail pros and cons

Pros:

  • Supports PGP
  • Password-based encryption for non-StartMail users
  • Allows you to create and manage disposable email addresses
  • Nice-looking new UI
  • Free 30-day trial (but requires a credit card)
  • Strips IP addresses from email headers
  • Third-party mail client support

Cons:

  • Many features still require the use of the classic UI
  • Documentation only refers to the classic UI
  • No mobile apps
  • More expensive than its competitors
  • Free trial requires a credit card

StartMail is another paid secure email service provider based in the Netherlands. The subscription normally costs $59.95 per year, but at the time of writing, StartMail is having a sale that drops the price of your first year down to $29.99. StartMail also gives you 30 days to try the service before it charges your card – which is nice.

StartMail - Pricing

StartMail supports PGP encryption automatically between StartMail users. The service also supports password-based encryption to communicate securely to non-StartMail users. A StartMail subscription will also give you access to up to 10 disposable email addresses (aliases) that relay mail back to your main StartMail account. StartMail has recently updated its UI, which looks great. But it’s also a double-edged sword.

First of all, many important configuration settings can only be made using the classic UI. That is the case for configuring your account to use PGP. The help does not make it clear that you need to toggle between the old and the new UI. In fact, StartMail’s documentation refers exclusively to the old UI. At $59.95 per year, one would assume the service would have a streamlined UI. It also makes getting started with encryption more difficult, especially for newer users.

As is the case with the other encrypted email providers here, if you use your StartMail account with your mobile phone’s built-in Mail app, you won’t be able to send or view encrypted messages from there, because that app has no PGP support. You need to use the web client, as StartMail does not supply mobile apps at this time.

StartMail’s privacy practices are where the service really shines. No tracking, no advertising, no access to your inbox, no third-parties. Here’s a screenshot, taken from its privacy policy:

StartMail - Privacy Policy

So StartMail might be expensive and might force you to toggle between two UIs to get everything set up. But if privacy is paramount to you, you should take a look at StartMail’s offering.

6. Hushmail

Hushmail Logo

Hushmail pros and cons

Pros:

  • Supports PGP
  • iOS app
  • Strips IP addresses from emails
  • Supports third-party mail clients
  • Supports password-based encryption for non-Hushmail users
  • Features for business users

Cons:

  • Hushmail can capture users’ passphrases, allowing it to decrypt their PGP messages
  • Not open source
  • No Android app
  • Canadian company, subsidiary of a US company (bad privacy jurisdiction)
  • More expensive than many of its competitors

Hushmail is a paid encrypted email service from Canada that costs $49.98 (USD) per year. The email encryption is based on PGP and falls back to password-based encryption when communicating with non-Hushmail users. Hushmail also strips your IP address from the email header.

Hushmail - Pricing

You can add your Hushmail inbox to a third-party mail client to send and read unencrypted messages. However, to read or send encrypted messages, you’ll still need to either go through the web interface or use the Hushmail iOS app (the Android app is coming).

Encryption is easy with Hushmail. Hushmail handles the PGP setup and the service also provides password-based encryption for users outside of Hushmail.

Additionally, Hushmail tries to cater to businesses by including two secure forms with each subscription. Secure forms are document templates that you can use on your commercial website to securely collect information from your customers. These are used on a sign-up page, for example. Secure forms are online and encrypted versions of paper forms or questionnaires.

But for a service that claims to give you back some privacy, it sure collects a whole lot of data. To begin with, when signing up, Hushmail collects your IP address, your phone number, and your current email address.

And we find the following in its privacy policy:

Hushmail - Privacy Policy

You read that correctly. When you sign-in to your Hushmail account, Hushmail collects:

  • Your IP address
  • Your browser type
  • Browser language
  • Date and Time of the action
  • Account usernames
  • Sender and recipient email addresses
  • File names of attachments
  • Subjects of emails
  • URLs in the bodies of unencrypted email
  • Any other information that it deems necessary to record for the purposes of maintaining the system and preventing abuse.

Worse, below that we find this:

Please note, we may be required to store a passphrase for an account identified in an order enforceable in British Columbia, Canada.

Hushmail may be required to store your PGP passphrase? Wow.

Unlike most encrypted email services, where PGP encryption and decryption happen on your device, Hushmail does it on its servers. Your passphrase therefore has to reach those servers to unlock your private key. That’s why Hushmail has the technical ability to record your passphrase, and with it the technical ability to decrypt your messages.

This all seems pretty bad for privacy, and it is. However, Hushmail isn’t geared towards activists or dissidents, or even journalists. It seems to cater to small businesses that just need a small extra layer of privacy for things like web forms and confidential information sharing. That fact doesn’t improve its privacy practices but just helps us understand its offering.

On a funny side note, in its marketing, Hushmail makes the following claim about being located in Canada:

Location matters. The rules that apply to the protection of your data differ from one location to another. Enjoy some peace of mind, safe in the knowledge that your data is stored only in Canada and under the protection of Canadian Law.

Canada is part of the Five Eyes and subject to intelligence sharing with its partners. Canada does not have particularly strict privacy laws. Canada is not a very good jurisdiction for privacy.

Is email secure?

No. Email isn’t secure. It never has been. Your email provider can scan your emails and they could be intercepted at any one of the intermediary hops between you and your recipient.

What about accessing your email over HTTPS, with the lock icon displayed in the corner? That protects the connection between your device and your provider’s server, and nothing else. Once the message leaves your provider, it is relayed server to server over SMTP, and encryption on those hops (STARTTLS) is opportunistic: if either side doesn’t offer or enforce it, the hop falls back to cleartext, and an attacker on the path can strip the STARTTLS offer to force exactly that. Even when a hop is encrypted, each relay along the way handles the message in plaintext. Emails sent over the internet therefore have no guaranteed protection in transit. Email is full of privacy holes, and you should consider it an insecure means of communication.
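The hop-by-hop exposure described above can be read straight out of a message’s Received: headers, and that is also where the submitting client’s IP address sits (the field the “strips IP addresses” providers above remove). The following Go program is an added example, not part of the original article: it parses a constructed message, reports which hops show TLS and which do not, and returns the originating address. The sample message (documentation address ranges, fictional hostnames) and the TLS heuristics (the ESMTPS/ESMTPSA protocol tokens Postfix and Sendmail write, and the “version=TLS” / “using TLS” text other MTAs write) are assumptions for illustration; real headers vary between MTAs, and a hop that shows no TLS should be treated as cleartext.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hop is one delivery step recovered from a Received: header.
type Hop struct {
	From, IP, By, With string // "from" host, its bracketed IPv4, "by" host, "with" protocol
	TLS                bool   // the header shows this hop used TLS
}

// SampleMessage is constructed for this example (not a real capture), using
// documentation address ranges: a laptop submits over TLS, a relay forwards
// to the MX in cleartext, and the MX hands off to the mailbox host over TLS.
const SampleMessage = `Received: from mx.example.net (mx.example.net [203.0.113.10])
        by mail.example.org (Postfix) with ESMTPS id 4Fx1K
        for <bob@example.org>; Mon, 1 Jun 2020 10:00:05 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
        by mx.example.net (Postfix) with ESMTP id 9Ab2C;
        Mon, 1 Jun 2020 10:00:03 +0000
Received: from [192.0.2.23] (alice-laptop.isp.example [192.0.2.23])
        by relay.example.com (Postfix) with ESMTPSA id 7Cd3E;
        Mon, 1 Jun 2020 10:00:01 +0000
Subject: test

body
`

var (
	reFrom = regexp.MustCompile(`(?i)\bfrom\s+(\S+)`)
	reBy   = regexp.MustCompile(`(?i)\bby\s+(\S+)`)
	reWith = regexp.MustCompile(`(?i)\bwith\s+([A-Za-z0-9]+)`)
	reIP   = regexp.MustCompile(`\[(\d{1,3}(?:\.\d{1,3}){3})\]`)
)

func first(re *regexp.Regexp, s string) string {
	if m := re.FindStringSubmatch(s); m != nil {
		return m[1]
	}
	return ""
}

// unfoldHeaders joins RFC 5322 folded lines and stops at the blank line ending the header block.
func unfoldHeaders(raw string) []string {
	var headers []string
	for _, line := range strings.Split(strings.ReplaceAll(raw, "\r\n", "\n"), "\n") {
		if line == "" {
			break
		}
		if len(headers) > 0 && (line[0] == ' ' || line[0] == '\t') {
			headers[len(headers)-1] += " " + strings.TrimSpace(line)
			continue
		}
		headers = append(headers, line)
	}
	return headers
}

// ParseReceived returns the hops in chronological order (each server prepends
// its own Received: header, so the one nearest the body is the earliest).
// hops[0].IP is then the submitting client's address: the field the "strips
// IP addresses" providers remove before the message leaves their servers.
func ParseReceived(raw string) []Hop {
	var hops []Hop
	for _, h := range unfoldHeaders(raw) {
		if !strings.HasPrefix(strings.ToLower(h), "received:") {
			continue
		}
		body := h[len("received:"):]
		hop := Hop{From: first(reFrom, body), IP: first(reIP, body), By: first(reBy, body), With: first(reWith, body)}
		// Postfix/Sendmail write ESMTPS or ESMTPSA for TLS sessions; Exim and Gmail-style headers spell it out.
		lower := strings.ToLower(body)
		hop.TLS = strings.HasPrefix(strings.ToUpper(hop.With), "ESMTPS") ||
			strings.Contains(lower, "version=tls") || strings.Contains(lower, "using tls")
		hops = append(hops, hop)
	}
	for i, j := 0, len(hops)-1; i < j; i, j = i+1, j-1 {
		hops[i], hops[j] = hops[j], hops[i]
	}
	return hops
}

// CleartextHops lists the indices of hops whose header shows no TLS.
func CleartextHops(hops []Hop) []int {
	var out []int
	for i, h := range hops {
		if !h.TLS {
			out = append(out, i)
		}
	}
	return out
}

func main() {
	hops := ParseReceived(SampleMessage)
	fmt.Printf("%+v\ncleartext hops: %v, originating IP: %s\n", hops, CleartextHops(hops), hops[0].IP)
}
```

Run it on a message saved from your own mailbox (raw source, headers included) to see which relays between a correspondent and your provider advertised TLS. The check only reads what each relay chose to write down, so it can show that a hop was cleartext; it cannot prove that an encrypted hop was not downgraded before the header was written.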

Add to that the fact that most email providers collect a lot of data from their users. Most unencrypted email services are free, and as the now old saying goes: if you’re not paying for a service, you’re the product.

Because of that, some email providers have strived to offer “secure” email services.

What is a secure email service?

A secure email service typically means one that provides end-to-end encryption so that not even your provider can access your mail. Anything less will be a promise on your provider’s part to not do “bad things”. That makes me think of corporate self-regulation – letting industries regulate themselves rather than be accountable to government oversight bodies. It just doesn’t work… Encryption is your only guarantee against snooping.

However, switching to an encrypted email provider (especially a free one) is no magic bullet and a lot of data collection still occurs on these services. While most of these services are locked out of your communications once encrypted, there remains a host of data points that can and tend to be collected. This includes IP addresses, timestamps, and sender and receiver email addresses, among other things. Also, many encrypted email providers will scan any incoming or outgoing unencrypted emails sent to and from their service to mitigate spam.

Still, encrypting your emails is a good idea, as is switching to a more privacy-preserving email provider – even if it still collects information from you. A secure email provider has a good chance of having better data practices than say, Google. While switching to an encrypted email provider won’t turn the collection dial down to zero, it will enhance your personal privacy. Less data collection and message encryption is a big privacy step up when compared to Google (Gmail), Microsoft (Outlook), and the like.

Also, keep in mind that using a secure email service to send encrypted emails is more involved than using Gmail to send unencrypted emails. That’s part of the game. Most secure email providers try to keep it as simple as possible but you’re still going to have to jump through a few more hoops than normal.

Email encryption

Email encryption is usually implemented using either S/MIME or PGP and, to a lesser degree, “plain” AES with a password or a wrapped key. Let’s take a quick look at each of these.

S/MIME

S/MIME is a public-key encryption and signing standard that is frequently used with email. In fact, many email clients support S/MIME out of the box. S/MIME uses X.509 certificates for signing and encrypting your messages. Within the S/MIME scheme, you encrypt a message with your recipient’s public key and sign it with your own private key; the recipient verifies the signature with the public key in your certificate. Much like TLS on the web, Certificate Authorities (CAs) issue and validate the certificates. Because of its inclusion in most email clients and its reliance on centralized CAs, S/MIME is typically easier to set up and maintain than PGP. However, you need a recipient’s certificate before you can encrypt to them: your recipients must either be part of your organization (so that their certificates are in a directory) or have sent you at least one S/MIME signed email, since signed messages carry the sender’s certificate.

PGP

PGP (which stands for ‘pretty good privacy’) is another encryption scheme that is widely used for email encryption. PGP is also based upon public-key encryption. However, it does not rely on Certificate Authorities for authentication. Instead, PGP uses a distributed trust model referred to as the Web of trust. In a nutshell, the question the Web of trust answers is whether a public key really belongs to the person it claims to. Users sign the keys they have verified themselves, and each user sets how much they trust other users to vouch for keys. A key you haven’t verified yourself is then treated as valid if it carries signatures from enough people you trust. On that basis you decide whether to encrypt to that key, and whether to believe a signature made with it.

However, in reality, PGP isn’t widely used enough for Web of trust to really work. Most people using PGP just end up sharing their keys directly with those with whom they want to communicate securely. PGP has a bit of a reputation for being difficult to implement. It’s not natively supported by most email clients and it’s more complicated to set up and use than S/MIME. However, if you sign-up to a secure email service that uses PGP, it typically manages the keys for you, making it much easier to use.

AES

S/MIME and PGP are really the two most widely-used forms of email encryption. (PGP itself uses AES or another symmetric cipher under the hood for the message body; here we are talking about “plain” AES, used without PGP.) But some encrypted email providers prefer taking a third route: AES encryption on its own. These are in the minority, but you can still find quite a few on the web (Tutanota, for example).

AES is a symmetric cipher: the same key encrypts and decrypts, so the real question is how that key reaches your recipient. There are two answers. A provider can encrypt a fresh per-message AES key with the recipient’s public key, which is what an “AES with public keys” description really means (this is how Tutanota encrypts mail between its own users, and it is structurally the same hybrid design PGP and S/MIME use). Or the AES key can be derived from a password. Many secure email providers that support PGP fall back to password-based AES encryption when sending an encrypted email to a recipient who uses a standard email service without PGP support. With password-based AES encryption, you write a message and then encrypt it with a password that you share, preferably in person, with your recipient. It’s the simplest way to encrypt your emails, but also the weakest, because its security rests entirely on the strength of the password and on the channel you share it over: a password sent in another email hands the provider, or anyone intercepting it, everything they need.

Wrapping Up

So there you go. Those are the most notable secure email services available today. None of them are perfect. None of them give you 100% privacy. All of them still collect some information from you. Still, any of them will represent a step up in privacy when compared to using “regular” email providers (Google, Microsoft, etc.).

That’s the end of our best secure email rundown, but before I go, let me just say this: Email is inherently insecure. It just is. Encryption makes it more secure, but it doesn’t fix the systemic security issues that have always been part of how email works. If you have sensitive information to share, don’t use email to send it. Consider using an encrypted messaging app to keep your data secure instead.
