If you want a compatible, interoperable email service, then Mailbox. Tutanota is a propietary, centralised email system.
this post was submitted on 04 Mar 2025
59 points (96.8% liked)
Privacy
35752 readers
294 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
Tuta also doesn't easily support pgp and has no plans to integrate it. "we encrypy our stuff for you, trust us bro"
we encrypy our stuff for you, trust us bro
Their clients are open source. Might not be "standard" like PGP, but if you could read code, you could verify that it's encrypted before it gets sent.
Wouldn't that be only between Tutanota users anyway? Sure, you could use PGP manually, but it is more annoying, I prefer the seamlessness of doing so in my client. Not to mention not having an option if you, say, don't like the UI!
Wouldn’t that be only between Tutanota users anyway?
Just since nobody else answered your question: No. A Tuta user can send an encrytped message to anyone (including non-Tuta users). Those users then get an unecrypted message, saying "Click here to read your message", which takes them to the Tuta site, which lets them see the message. The non-Tuta user can then reply to the Tuta user as they like.
But you're right about the UI. Tuta users have to use the Tuta UIs (mobile, desktop, web).
I'm just teaching myself - maybe good practice.
I have concerns about mailbox being under jurisdiction of 14eyes.
This. You can't use your client, not on your phone nor on your PC. Therefore Tutanota was never a viable option
So any concern about mailbox.Org severs being in Berlin and Germany being apart of the 14eyes alliance?
~~Mailbox.org offers 2GB of space for their free tier~~, and Tuta is 1GB.
But I would just look at the recommendations on privacyguides.org. They break down what each service does well and what things you should know, like how Mailbox uses PGP and Tuta uses some other (valid) encryption method.
Edit: Could have sworn Privacy Guides said Mailbox had a free tier.
Didn't know Mailbox had a free tier! Gotta check that out.
Edit: Mailbox still doesn't have a free tier. It's just a one month trial.
Damn, thought they did. Could have sworn Privacy Guides said it was free.
For what's worth, I'm going to give it a shot on the month trial. But I already see the middle tier for 3€ offers 10GB email only. I think I can fit my current old mail backup in about 4GB, but it would be slightly tight, I guess. I'm on an older Proton plan which charges about 3USD per month (by-yearly) and it gets me about 20GB. I think shared between cloud and email (I'm not actually interested in the cloud part, I have Seafile for that).
Posteo rocks.
This is accurate
Its simple as hell, out of the way. Its a no fuss email that seems to have all the features you'd want. It just works. Carbon neutral and all the good stuff we all like to boot.
People not talking about Startmail or Disroot. Not good options?
I'm all for options, to be honest. What ideally I'd like is some sort of good encrypted email based in some safe European country, which can achieve decent Android integration. Proton apps are pretty useless to that effect (lack of offline basic functionalities, the calendar app isn't even an android calendar provider). I'm not too hard in moving around my emails, since for the last few years I've been giving my email @duck.com which actually ends up sending to my final email after some tracking cleaning. Changing email provider would entail only updating my @duck.com destination.
Following up...Yeah, why not Startmail or Disroot? Startmail seems to offer more bang for the buck than Mailbox. I'm not sure how many aliases you get if you get a paid plan in disroot.
EDIT: I...misread. Startmail offers half-priced plan the first year, then goes ahead and doubles it, getting pricier than Proton, Mailbox and about everyone else I think.
What ideally I’d like is some sort of good encrypted email [...], which can achieve decent Android integration. Proton apps are pretty useless to that effect [...]
Don't need provider-specific apps if their services use standard protocols:
- IMAP: Fair Email or K-9 Mail(/Thunderbird)
- CalDAV: DAVx⁵
Disroot is fine
Posteo
As far as I’m aware, there is a huge difference between these three in that Mailbox.org is not end-to-end encrypted. So if that is an important feature for your use case, that may disqualify them from your options.
However, mailbox can still be encrypted with pgp, and has some built in supports which make this easier.
One problem I had with proton/tuta is that you cannot use a third party app due to the encryption, which you can with mailbox. A problem I have with mailbox is that it does not support fido2 for login or 2fa, which could be a security concern.
load more comments
(2 replies)
Email is never "end to end encrypted" outside of layering something else on like PGP- which you could use with any email service.
It is under certain circumstances. Specific to ProtonMail, it is E2E encrypted if you send a message to another ProtonMail user. They also have a feature where you can send an encrypted email to an outside address. I think in that case the recipient gets a link where they can then input the decryption password to read the message.
But you’re right about any email you receive (from a non-ProtonMail address). Those can not be E2E encrypted and are only stored encrypted at rest.
Protonmail uses pgp under the hood. Their encryption was only ever within proton accounts because they had an automatic key lookup system. You can of course add your own keys, but most didn't. Still pgp.
load more comments
(3 replies)
I have used both. Both are good. Tuta doesn't support pgp as people said, but I think you'll find that the amount of people you will interact with that can and want to use pgp encrypted email is slim.
The way tuta works is you can send and receive regular email. And when you send it encrypted, the recipient gets a regular email that's says something like"you received a confidential email" (you can edit the text). That person then follows a link in the email and you need to provide them with a password (ideally you provide this password out of band... by text or chat or something... but you can of course just send by regular email).
After they log in, they are basically on a limited web interface to tuta where they can only exchange emails with you (but they can see every email between the two of you in their "inbox).
It's a pretty good system. There is also encrypted calendar and contacts. They have webmail of course and also apps. There's a dedicated calendar app.
Mailbox.org is actually more of a full office suite at this point. The web interface isn't as tight and can be confusing. They can handle your pgp keys or you can do it yourself. You need to decide if you care about trusting someone else with your keys. I actually still have my mailbox.org address because I like the domain. It forwards to my tuta email.
Oh yeah, tuta also allows you to use any of a number of their domains or you can bring your own (pricing may vary). They also have aliasing and catch-all addresses for custom domains.
Both are based in Germany for what it's worth. German privacy laws are pretty strict. For any law enforcement to be granted access to any of your stuff there needs to be a court hearing. They have a warrant canary and transparency report here https://tuta.com/blog/transparency-report .
Also, because tuta is end to end encrypted, all they can release is encrypted data. There's is more of an explanation at the bottom of that transparency report post about what can be requested and what data they even have on users. Mailbox.org might have similar policies but I haven't taken the time to find them.
One thing I will note is that tuta has HSTS enabled I believe so if you're behind a corporate firewall that does certificate snooping by way of MITM when you try to access, it won't connect.
Thanks I really appreciate elaborated comments about both. I think I'm going to skip the Tuta encryption for now. While it has a way of keeping it encrypted for the destination, it involves the final user having to click some links in order to open the encrypted mail. I mean...I think most of the people I'd write to would hate having to do extra steps just to see an email I wrote. So I guess I'd have to stick to unencripted, and then the advantage is kinda lost. I'd like a fully encrypted mailbox, yeah, but not at the cost of making it incompatible with any other app or email standards. I guess I didn't have a great experience with Proton apps for Android.
Don't take me wrong, I'd love to have a fully encrypted mailbox, but not by making it all cumbersome.
load more comments
(1 replies)
I don't know mailbox.org but tuta will try to upsell you, eventually. It's going down the same path as Proton is so maybe stay away from it if you want to get away from Proton.
With tuta, I was locked into using their apps which kind of sucked. I moved to mailbox.org with the intent of encrypting my inbox but never did in the end. I'm happy to have IMAP/SNMP back that's for sure.
Edit to add: been with mailbox.org 2 years and they've never tried to up sell me. Each Christmas I get a coupon or something to invite someone but I've never used it.
I just got on Tuta and don't want to do this every 3 years forever. Can you elaborate on Tuta upselling the customer? I just need reasonable encryption, basic mail service, and for my data not to be in the hands of psychopaths.
Every once in a while they'll send you an email with special CSS styling so you can't avoid seeing it and you can't unsubscribe from it. They call it a newsletter. It's advertising. It's less news and more begging you to buy more of their stuff. Very occasionally they'll bump new features onto a higher tier but still show that feature in your UI, with special CSS styling. God forbid if they try to upgrade your account but you deny because you're happy with the features you have now and the amount you pay; they push harder and harder the longer you're on a 'legacy' tier.
It happened to me. It'll happen to you.
special CSS styling so you can’t avoid seeing it
you can't set your client to plain-text only?
Tuta does not have a text-only mode for it's interface.
load more comments
(1 replies)
Oh, I see Well, as long as they still offer the cheaper option I need, I don't really care, it's not the prettiest sales tactic but at least I can still chose
load more comments
(4 replies)
Take a look into Posteo if having a custom domain is something you can live without.
Posteo
Wow...This one seems to be a very good one as well. How come it's not even mentioned in privacytools.io or privacyguides.org?
You also get SMTP with posteo, if that is important to you.
With that you mean it's standard access IMAP/SMTP from any client you want, as opposed to Proton/Tutanota and their custom apps right? Yeah, I prefer a standard protocol and my own app.
Yes. You can get it with proton too, but you need your own domain for that iirc.
Not sure.
It's not as popular, but i use it with my own PGP keys & Thunderbird and it's great!
Tutanota for max security (no imap/pop3 support). Other services for using IMAP/POP3. But really, you shouldn't be using email anyway if your goal is max security and privacy, simplex.chat is better for that.
Sigh...right. But people DO need email. For banks. For taxes. For governments, healthcare, and lots of other crap.
So yeah, I'm skipping the whole "encrypted mailbox no-knowledge", since it's both cumbersome and useless unless anyone around you ALSO uses it (otherwise, those super private emails can be way more easily intercepted during transit than in your inbox anyway).
I just want some attempt at privacy from some EU nation while keeping some decent interoperability.
load more comments
(3 replies)
load more comments
(1 replies)
It's not on your list but I've had a Mailfence email for the last couple of years and they've been solid.
You could also use YUNOhost to host your own on a VPS. I had no experience before setting mine up and it was fine. Unlimited email accounts and aliases out of the box, plus you can host other stuff besides, like a website, file server or even a fediverse instance.
I'd try avoiding email hosting. I've heard way too many times that it's too much pain when it fails, and when it fails basically emails are bounced. I can't afford to miss taxes emails or other important stuff.
load more comments
(1 replies)
Mailbox.org is great, their webmail setup is good and has contacts and calendar and all the things you would expect to have. With Cal/CardDAV and ActiveSync support too.
view more: next ›