Tutanota for business use? Any alternatives with zero access encryption besides ProtonMail and mailbox.org?

I am a freelancer, and customers send me sensitive information via email. Because of that, I want to start using an email provider with zero access encryption.

Tutanota seems to offer the most bang for the buck, but whenever I go to their subreddit there are people complaining that they are not receiving emails. That, to me, could mean losing business, and I guess I wouldn’t even know that it was happening.

Has anyone here experienced this while using Tutanota?

The best option overall seems to be ProtonMail, but it’s also the most expensive one.

Another option is mailbox.org, but it seems to be the most finicky one when it comes to encryption. I’d have to enable inbox encryption, then Guard so I can decrypt messages on the webmail interface, then download K-9 Mail on Android and set up my PGP key, and I guess I’d have to decrypt messages one by one. It seems impractical.

Are there any other options with reasonable pricing? What I really need from an email provider is:

  • Inbox with zero access encryption
  • An easy-to-use mobile app like Tutanota’s and ProtonMail’s
  • Ability to use custom domains (preferably two or more, but just one is fine too)

Please share your recommendations and opinions about this! Thank you all!

When it comes to work, I think Proton is more like a pro for work, or you can host your own, I think!

1 Like

You should have bought a ProtonMail lifetime account back when it was on sale.

Just our opinion: There is no “zero-access encryption.” This is a marketing term, introduced by ProtonMail. You likely just want “end-to-end encryption.”

In the case of ProtonMail, Tutanota, and Mailbox Guard, the mail server providers store your decryption key in some form. The benefit is that you can log in from different devices without managing the decryption keys yourself. You still need to manage your password, though.

On the contrary, handing over your decryption keys to the mail server provider could mean that your keys are somehow compromised. While there is no proof that this happened so far, it could happen.

Besides, Mailbox allows you to upload your own public OpenPGP key without using Mailbox Guard. This key is used to encrypt all incoming and outgoing e-mails that are stored in your mailbox. So, in this case, you don’t have to upload a private OpenPGP key or rely on Mailbox Guard. You can add your private OpenPGP key to K-9 Mail (as you wrote) and decrypt your e-mails there. A benefit of Mailbox is that you can use any modern e-mail client. ProtonMail and Tutanota come with their own clients.

Keep in mind that ProtonMail, Tutanota, and Mailbox still need some key management if you want to send encrypted e-mails to other people. Their “protection” is mostly limited to storing your e-mails in an encrypted form.

In the end, all of the three providers should work for you.

This might be related to the recent denial of service attacks on Tutanota. We have been using Tutanota for some time and never encountered this problem.

2 Likes

Hard to add something which hasn’t already been told by @infosechandbook (as always), but I found one 🙂 You can use up to 4 of your own domains (1 main + 3 aliases, optional catch-all for each of them) with Mailbox.org with the €1/month entry-level plan.

1 Like

Out of curiosity (and maybe useful for readers): I see you have a public PGP key for your Tutanota address, how do you manage the PGP-decryption/encryption process? Asking because I’ve done it for a while using Tutanota web client & Mailvelope, but I found it to be very inconvenient if my interlocutors used PGP/MIME instead of PGP/Inline.

We use OpenPGP offline (GnuPG in the terminal). This may be inconvenient for some people; however, it fits our use case best.

1 Like

Tutanota has no terminal/command-line access, so how do you interact with the message body and attachments?

Download the message/file and pipe it to gpg -d.

Thank you for the answers, everyone!

Besides, Mailbox allows you to upload your own public OpenPGP key without using Mailbox Guard.

Yes. I signed up for a free trial of Mailbox and it’s better than I thought. You only have to set up your decryption key once on Thunderbird and on OpenKeychain + K-9/FairEmail (Android). After that, all messages are decrypted locally automatically.

On the contrary, handing over your decryption keys to the mail server provider could mean that your keys are somehow compromised. While there is no proof that this happened so far, it could happen.

By that you mean that, because ProtonMail, Tutanota and Mailbox Guard rely on JavaScript to work (the script is downloaded every time you open the webmail), you could potentially receive malicious code that would exfiltrate your decryption keys?

That would be the main advantage of using Mailbox w/o using Guard, I guess: being in control of your OpenPGP key.

Their “protection” is mostly limited to storing your e-mails in an encrypted form.

That’s what I am looking for: not having to worry in case there is a data breach on the email server. I don’t really send/receive encrypted e-mails, but I want them to be stored in an encrypted form.

In the end, all of the three providers should work for you.

Indeed, and I am leaning more towards Tutanota because of the price and ease of use. Mailbox is better than I thought, but there are still some disadvantages IMO:

  1. Weird 2FA implementation. 2FA only protects logging in to the account via their website. IMAP is still accessible with password only, no 2FA, and I have to use IMAP if I want to use my email on my phone. Sure, messages would be encrypted if I enable inbox encryption and unreadable to anyone who gained access to my email via IMAP, but still… Tutanota’s mobile app is 2FA protected.

  2. Imported messages are not encrypted. I’d have to find a way to batch encrypt my .eml files before importing them to Mailbox. You can’t import old emails to Tutanota yet, but their team says they are working on an import/export tool.

In a way, Tutanota and Mailbox are similar when it comes to 2FA, though:

  • Mailbox: accessible without 2FA via IMAP, but messages are encrypted if inbox encryption is enabled. OpenPGP key acts as a second factor and needs to be compromised in order to read the messages. User must protect the decryption key and back it up.
  • Tutanota: both password + 2FA need to be compromised in order to gain access to messages. User must protect the device used for 2FA and back up the TOTP secret.

Which, again, makes me lean towards choosing Tutanota because of the ease of use, since it has the same price as Mailbox.

Tutanota doesn’t use OpenPGP, but your scenario still applies: Somebody injects malicious code in your web browser to steal the decryption keys. Of course, this isn’t trivial and countermeasures may exist.

You can always remain in control of your OpenPGP key: Just ignore the built-in OpenPGP key and deploy your own locally. However, this makes things more complicated as you now need to decrypt the message twice.

ProtonMail/Tutanota “solve” the IMAP/2FA problem by rolling out their own custom clients. (We do not use these clients, but) it seems like they are basically HTML wrappers, so the clients load your account via HTTPS instead of IMAP. (As written before, this may be false.)

We didn’t try this, but you could try to locally encrypt all of your older e-mails, using the same OpenPGP public key that you upload to Mailbox for the inbox encryption.

1 Like

Just a general note – We recommend WebAuthn (or legacy U2F) instead of OATH-TOTP for a simple reason:

  • OATH-TOTP relies on a shared private key, stored by your authenticator and the server.
  • WebAuthn (or legacy U2F) relies on public-key cryptography, so the server only stores public, non-sensitive information.

And yes, when using WebAuthn/U2F, you still need to create a backup. Currently, the “best” option is to register two distinct security tokens for this.

1 Like

Mailbox.org doesn’t rely on JavaScript, as far as I can understand here.

1 Like

We didn’t try this, but you could try to locally encrypt all of your older e-mails, using the same OpenPGP public key that you upload to Mailbox for the inbox encryption.

Is there any way to batch encrypt all of them? I suppose that encrypting an entire .eml file would make it impossible to import it to an email client and decrypt it there. The challenge is to encrypt only the message body.

I tried searching how to do that, but only found this question on StackExchange: How to encrypt stored inbox email messages

Honestly, it’s too technical for me, I don’t even know how to start using the information in the answer.

Mailbox.org doesn’t rely on Javascript, as far as I can understand here.

Interesting, I’ll take a look at that!
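One way to do the batch job asked about above, as an added example that is not code from mailbox.org, GnuPG, Thunderbird or anyone in the thread: it keeps each .eml’s envelope headers (From, To, Subject, Date, Message-ID) in the clear so the importing client can still thread and search, and wraps only the MIME body (text, HTML and attachments alike) as a PGP/MIME message per RFC 3156, which OpenPGP-aware clients decrypt on open. It assumes `gpg` is on PATH with the recipient’s public key imported; the recipient user ID and folder names are placeholders, and `stub_encrypt`/`stub_decrypt` are a reversible stand-in for dry runs without a keyring, not encryption. The sample message is constructed.

```python
"""Batch-wrap the bodies of .eml files as PGP/MIME (RFC 3156), headers kept clear.

Added example for this thread, not code from mailbox.org, GnuPG or any client.
Assumes `gpg` on PATH with the recipient's public key imported; recipient ID and
folder names are placeholders. stub_* is a dry-run stand-in, NOT encryption.
"""
import base64
import email
import subprocess
from email import policy
from email.message import EmailMessage
from pathlib import Path
from typing import Callable

# Headers that describe the body; they travel inside the encrypted entity.
BODY_HEADERS = {"content-type", "content-transfer-encoding",
                "content-disposition", "content-id"}
SKIP_ON_WRAPPER = BODY_HEADERS | {"mime-version"}  # the wrapper sets its own


def gpg_encrypt(recipient: str) -> Callable[[bytes], bytes]:
    """Return a callable that ASCII-armours its input for `recipient` via GnuPG."""
    def encrypt(data: bytes) -> bytes:
        cmd = ["gpg", "--batch", "--yes", "--armor", "--recipient", recipient, "--encrypt"]
        return subprocess.run(cmd, input=data, capture_output=True, check=True).stdout
    return encrypt


def stub_encrypt(data: bytes) -> bytes:
    """Dry-run stand-in: base64 between armour lines. NOT encryption."""
    return b"-----BEGIN PGP MESSAGE-----\n\n" + base64.b64encode(data) + b"\n-----END PGP MESSAGE-----\n"


def stub_decrypt(armored: bytes) -> bytes:
    body = [ln for ln in armored.splitlines() if ln and not ln.startswith(b"-----")]
    return base64.b64decode(b"".join(body))


def wrap_body_pgp_mime(raw_eml: bytes, encrypt: Callable[[bytes], bytes]) -> bytes:
    """Encrypt the whole MIME body (text, HTML, attachments) of one raw message.

    Envelope headers stay in the clear for threading and search; everything
    below them becomes one application/octet-stream part (RFC 3156 layout).
    """
    original = email.message_from_bytes(raw_eml, policy=policy.default)
    if original.get_content_type() == "multipart/encrypted":
        return raw_eml  # already PGP/MIME: leave untouched so re-runs are safe

    # Entity to encrypt: the original minus its envelope headers.
    inner = email.message_from_bytes(raw_eml, policy=policy.default)
    for name in set(inner.keys()):
        if name.lower() not in BODY_HEADERS:
            del inner[name]
    if "Content-Type" not in inner:
        inner["Content-Type"] = "text/plain"  # RFC 2045 default, made explicit
    armored = encrypt(inner.as_bytes())

    control = EmailMessage(policy=policy.default)
    control["Content-Type"] = "application/pgp-encrypted"
    control.set_payload("Version: 1\n")
    cipher = EmailMessage(policy=policy.default)
    cipher["Content-Type"] = 'application/octet-stream; name="encrypted.asc"'
    cipher["Content-Disposition"] = 'inline; filename="encrypted.asc"'
    cipher.set_payload(armored.decode("ascii"))

    wrapper = EmailMessage(policy=policy.default)
    for name, value in original.items():
        if name.lower() in SKIP_ON_WRAPPER:
            continue
        try:
            wrapper[name] = value
        except ValueError:
            pass  # a second Subject/To/... is malformed input; keep the first
    wrapper["MIME-Version"] = "1.0"
    wrapper["Content-Type"] = 'multipart/encrypted; protocol="application/pgp-encrypted"'
    wrapper.set_payload([control, cipher])
    return wrapper.as_bytes()


def unwrap_pgp_mime(raw_eml: bytes, decrypt: Callable[[bytes], bytes]) -> bytes:
    """Inverse step, to spot-check a batch before importing it."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    if msg.get_content_type() != "multipart/encrypted":
        raise ValueError("not a PGP/MIME message")
    return decrypt(msg.get_payload()[1].get_payload(decode=True))


def encrypt_folder(src: Path, dst: Path, encrypt: Callable[[bytes], bytes]) -> int:
    """Wrap every *.eml in `src` into `dst` under the same name; returns the count."""
    dst.mkdir(parents=True, exist_ok=True)
    paths = sorted(src.glob("*.eml"))
    for path in paths:
        (dst / path.name).write_bytes(wrap_body_pgp_mime(path.read_bytes(), encrypt))
    return len(paths)


# Constructed sample for the dry run (not a real e-mail).
SAMPLE_EML = b"""From: Client <client@example.com>
To: Me <me@example.com>
Subject: Contract draft
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <sample-1@example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Attached is the sensitive contract text.
"""
```

For a real run, `encrypt_folder(Path("export"), Path("export-encrypted"), gpg_encrypt("you@example.com"))` with the placeholder replaced by the user ID of the same public key you uploaded to Mailbox for inbox encryption; do a dry run with `stub_encrypt` first and check a few results with `unwrap_pgp_mime` before importing. Headers such as Subject deliberately remain readable, exactly as they do with Mailbox’s own inbox encryption, so nothing that should be secret belongs in them.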

ProtonMail is good but too expensive for me, also I don’t really like their way of doing encryption (OpenPGP.js).

there are people complaining that they are not receiving emails

I read it many times on Reddit subs but never faced that issue. But since most of my clients use PGP, I deleted my account.

Then I found Mailbox; I really hated the web interface (slow), a bad first impression. That changed once I set up the clients on both laptop and Android and made it my default email provider. I’ve been using it for a few months and don’t want to switch anymore.

1 Like