Secure Mail Guide

Tools

The encrypted email providers and supporting tools we test and reference — judged on architecture and threat model, not marketing. Free tiers noted.

Interactive tool

Encrypted Email Provider Matcher

Knockout filters by threat model and crypto requirements (PGP interop, subject-line encryption, zero-access, IMAP, jurisdiction) — ranks Proton, Tuta, Mailbox.org and more, and flags the crypto trade-offs.

Encrypted Email Providers

Proton Mail

open-source clients | Free tier; paid plans

Swiss zero-access provider with end-to-end encryption between Proton users and PGP support for external recipients.

Our take

Our default recommendation for most users: mature, audited clients and the largest secure-email ecosystem. We're explicit that metadata and external (non-PGP) mail are still outside E2EE.

Tuta (Tutanota)

open-source | Free tier; paid plans

German provider with zero-access storage that also encrypts subject lines and the address book, using its own encryption rather than OpenPGP.

Our take

Encrypted subjects are a real advantage over PGP-based setups. The trade-off is no standard PGP interop — encrypted mail to outsiders uses a password-protected link instead.

Mailbox.org

proprietary service | Paid (~€1–3/mo)

Privacy-focused German provider with standard IMAP/SMTP, optional PGP, and an encrypted mailbox feature.

Our take

The pick when you need normal client compatibility (IMAP/SMTP) from a privacy-focused provider. Encryption is more opt-in than with Proton/Tuta: convenient, but you must configure it deliberately.

Thunderbird (with OpenPGP)

open-source (MPL) | Free

A mail client with built-in OpenPGP, letting you do true end-to-end PGP on top of almost any provider.

Our take

The provider-independent route to real PGP. More setup and key management than a managed provider, but no vendor lock-in and fully inspectable.

Aliasing & Compartmentalization

SimpleLogin

open-source | Free tier; paid

Unlimited email aliases that forward to your real mailbox and can be disabled individually. Part of the Proton ecosystem.

Our take

A high-impact, low-effort privacy win that pairs with any provider. Aliasing limits breach and tracking blast radius without changing your inbox.

Addy.io

open-source | Free tier; paid

Open-source, self-hostable alias service with the same disposable-address model.

Our take

The choice when you want aliasing you can host yourself. Self-hosting removes a third party from the forwarding path at the cost of running it.

Verification

Hardenize / Internet.nl email test

free service | Free

Checks a domain's SPF, DKIM, DMARC, MTA-STS, and TLS posture.

Our take

How we sanity-check the transport and anti-spoofing side of a provider or your own domain — the part E2EE doesn't cover.

GnuPG (gpg)

open-source (GPL) | Free

Reference OpenPGP implementation for generating keys and verifying message signatures and fingerprints.

Our take

The tool behind real key verification. We use fingerprint checks via gpg rather than trusting a provider's key directory blindly.