When it comes to secure, private email services, two big names stand out: ProtonMail and Tutanota. Both services offer a free account so you can try them out, but what does each do differently?
What Makes ProtonMail and Tutanota Different?
ProtonMail and Tutanota are two secure email providers that emphasize security and privacy above all else. This includes supporting end-to-end encryption to make interception nearly impossible, protecting your identity by not keeping logs or requiring tons of personal information at sign-up, and providing secure methods for communicating with people who are using “regular” email providers like Gmail or Outlook.
This heightened security comes at the cost of convenience and features. You may need to use a dedicated mobile app to access your mail, for example (as opposed to your smartphone’s default mail app). With Gmail, Google Assistant can help surface relevant information by scanning the contents of your Gmail inbox, but secure email services can’t do this, since the data is encrypted.
Since secure email is a niche, free accounts aren’t generous like with Google and Microsoft’s offerings (ProtonMail offers 500MB compared with Tutanota’s 1GB.) Secure providers lack features like an integrated chat app or a powerful search engine, but these losses are often worth it to those who value privacy and enhanced security.
Both Providers Support Advanced Encryption
Of course, ProtonMail and Tutanota support basic Transport Layer Security (TLS), which is used by all major email providers. This provides a basic layer of security between your computer or smartphone and the server that is responsible for storing and sending email. That’s table stakes for any email service.
On top of this, the contents of your inbox are end-to-end encrypted on the server, which means that you’re the only one who can read them. In the event of a data breach, your data would be virtually useless, because it’s encrypted with a key that will (currently) take an eternity to break. That’s something that Gmail, Outlook.com, and typical email services don’t offer.
Both ProtonMail and Tutanota support easy end-to-end encryption between users of the same service. If you send an email from your ProtonMail account to another user of the same service, it will be automatically secured and signed with a key that only the recipient has. There’s no need to set up anything else when communicating with someone who’s using the same service. In addition to this, ProtonMail also supports PGP.
Pretty Good Privacy (PGP) is an additional layer of security for sending emails to virtually any email address in an encrypted format. Messages are locked with the recipient’s public key and can then be decrypted with a private key only known to the recipient. With ProtonMail, this can be set up to work “automatically” with nominated contacts, taking care of the encryption/decryption process for you.
Tutanota doesn’t explicitly support PGP, though you could still encrypt and decrypt your mail manually if you wanted to.
Both Allow Secure Messaging with “Regular” Email Providers
If you can’t convince your contacts to switch to a secure email provider or to adopt PGP, both ProtonMail and Tutanota have you covered. Each provider has an option to send an encrypted message to any email address. The process is virtually identical for both:
- Compose an email and choose to password-protect it, then hit send.
- The recipient receives a notification of a new message, but the message doesn’t appear in the body of the email.
- Instead, the email contains a link to either ProtonMail or Tutanota’s servers with a password field.
- The recipient enters the password into the field and reads the message.
This works virtually identically between both providers, except that Tutanota encrypts both the message body and subject line, whereas ProtonMail only encrypts the message body. This doesn’t pose a huge risk if you use the former service. Just make sure that your subject lines don’t contain any sensitive information.
Messages sent this way via ProtonMail expire in 28 days or less (with an option to specify less time), while Tutanota messages are only available until another email is sent to the same recipient.
ProtonMail Is in Switzerland and Tutanota Is in Germany
The country in which your data is stored is important. Both Germany and Switzerland have strong privacy laws, with Germany currently being considered as one of the strictest privacy advocates among EU nations. Switzerland is famously neutral (and not a part of the EU).
Tutanota has written a blog post detailing why the company is located in Germany, citing laws like the Federal Data Protection Act, which forbids data collection and backdoor access to encrypted data. ProtonMail has also written a blog post about its decision to host data in Switzerland, which acknowledges the changing nature of privacy laws in the country while also noting that ProtonMail cannot be compelled to spy on its users.
It’s hard to say which is the safer jurisdiction in terms of data privacy. While Germany has tougher laws, the country is also a part of the Fourteen Eyes, an international intelligence-sharing community.
Since both providers use end-to-end encryption to secure the contents of their servers, data is likely to remain safe even if the German or Swiss authorities were to demand its handover.
Both Services Rely Heavily on Open-Source Code
Making source code available for anyone to peruse is important for a service that sells itself on privacy and security. If your code is open source, it can be audited by anyone. The more transparent a provider is, the more you should be able to trust that they are delivering on their promises.
That being said, neither service is fully open source. In the case of Tutanota, server-side software has yet to be made fully open source. The client-side web interface and mobile apps are already open source, and Tutanota admits, “The only issue that’s left for us to do is to open source the server part of Tutanota as well.”
ProtonMail has a similar commitment to being open source. ProtonMail’s web interface has been fully open source since version 2.0, the iPhone app was open-sourced in 2019, and the Android app followed a year later. The company has stated that it does not plan to release the source code for its back-end server component, since this would give away “information about how we do anti-spam and anti-abuse.”
Many of the technologies that go into both packages, including encryption protocols and ProtonMail’s implementation of OpenPGP, are already open source.
Tutanota Provides a More Attractive Free Option
For private use, Tutanota provides 1GB of storage for a single user, limited search abilities, and a single calendar. There are no restrictions on the number of messages that you can send or receive in a day or how you organize your mail.
ProtonMail offers 500MB for a single user, a limit of 150 messages per day, and three labels with which to organize your mail. This makes ProtonMail more limited for free users than Tutanota.
Neither service is “complete” without upgrading to gain access to features like custom domains, inbox rules, email aliases, autoresponders, and better support. This is another area where secure email providers forge a different path to their free webmail rivals. If you want a capable, secure email address, then you’re going to have to pay for it.
ProtonMail Is More Expensive
A direct comparison of prices is difficult, since both services have different plans and different offerings. If you’re thinking of paying for an email service, however, ProtonMail is the most expensive, with its cheapest plan starting at $48/year or €48/year, with monthly plans also available.
For this, you’ll get a whopping 5GB of space, up to five email addresses (aliases), support for a single custom domain, and access to filters and an autoresponder. ProtonMail still sets a limit of 1,000 outgoing messages per day, although this is a “soft limit” based on how you use your account. You get a maximum of 200 labels for organizational purposes.
Tutanota starts at only €12/year (around $14), but you’ll still only get 1GB of storage in total. You also get a single custom domain, five email aliases, full access to search, and the ability to create inbox rules. There’s no limit on daily messages or labels either.
While Tutanota is cheaper, it also allows you to build your ideal email plan. You can add users, aliases, storage, and additional services such as a secure contact form for your website, and then pay a single monthly fee for it all. ProtonMail takes more of an “all-or-nothing” approach.
Tutanota Supports Searching of Email Body
Being able to search your inbox is a feature that you probably take for granted, but with secure email, it’s not so simple. Due to the way that email is end-to-end encrypted, searching your inbox isn’t possible with ProtonMail. You can only search by subject lines, senders, recipients, and time. This is because ProtonMail’s servers cannot decrypt your email.
By comparison, Tutanota also encrypts your email on the server. In 2017, the service announced that searching the body of an email would now be possible. This takes place locally on the user’s device and can be done either in a browser or by using a dedicated mobile app. This happens without sacrificing privacy, since the search duties are performed by your local machine instead of the server.
If search is a big deal for you, Tutanota has the edge here.
Both Services Require Dedicated Mobile Apps
Neither ProtonMail nor Tutanota is compatible with “regular” email clients out of the box. ProtonMail paid accounts have access to ProtonMail Bridge, which extends support for the service to common mail clients like Outlook, Thunderbird, and Apple Mail on Windows, Mac, and Linux desktops. Tutanota relies on dedicated desktop clients for Windows, Mac, and Linux instead.
To access either service on a smartphone, you’ll need to use the dedicated ProtonMail (iPhone, Android) or Tutanota (iPhone, Android, F-Droid) apps. There’s no support for basic mail clients because of the way that data is encrypted on the server.
Secure email piqued your interest? Protect your privacy while browsing the web with a VPN.