Entire mailbox is encrypted.
The entire mailbox – emails, calendar and address book – are stored end-to-end encrypted in Tutanota. The only unencrypted data are mail addresses of users as well as senders and recipients of emails Upon entering your login credentials, your mailbox is automatically decrypted locally on your device. You can easily login via a web browser or via the Tutanota apps for Android and iOS.
Encrypted emails to anyone.
Tutanota uses symmetric (AES 128) and asymmetric encryption (AES 128 / RSA 2048) to encrypt emails end-to-end. When both parties use Tutanota, all emails are automatically end-to-end encrypted (asymmetric encryption). For an encrypted email to an external recipient, a password for encrypting & decrypting the email (symmetric encryption) must be exchanged once.
Tutanota’s automatic encryption works easily on all devices, even mobile. Tutanota automatically encrypts
Tutanota comes with an end-to-end encrypted calendar that lets you store all your appointments confidentially. The calendar is very special because not only all data is encrypted, but also the reminders are end-to-end encrypted. Even the time when a notification is sent to the user is obscured from our servers so that we remain in the dark about our users’ appointments.
Encrypting these notifications is essential for your security and privacy: Notifications are sent to the user's device so that they know when a specific appointment is about to happen. If this information was not encrypted, we as the provider would have full access to the user's information along with all the information contained in the notification.
Highest level of TLS encryption with PFS, DNSSEC, DKIM, DMARC and MTA-STS.
On top of its automatic end-to-end encryption, Tutanota uses TLS, Perfect Forward Secrecy, DNSSEC, DKIM, DMARC and MTA-STS to secure your connection to Tutanota to the maximum.
Tutanota uses strict CSP (Content Security Policy), an HTML sanitizer for showing unknown content (in emails) to prevent XSS-attacks, and, by default, does not load external content from other servers (pictures and videos in emails).
Check here to see how Tutanota scores on Securityheaders.io.
Tutanota never transmits your password to the server.
When you login, Tutanota hashes and salts your password before transmitting the hash to our servers. It is impossible to derive the actual password from this hash, thus, no one can know your password, not even we at Tutanota. To protect your password, we use bcrypt and SHA256.
To further secure your login credentials, Tutanota enables you to activate two-factor authentication. For this you can use TOTP or U2F. We recommend using U2F with a security device as this is the most secure form of two-factor authentication.
Please check our online security guide on how to keep your emails safe from hackers.
Your password unlocks your private key.
Every Tutanota mailbox owns one private key that is used to automatize the exchange of encrypted emails. When you register with Tutanota, this private key is created locally on your client and encrypted with your password. This way, Tutanota can automatize the entire encryption process without ever having access to your private key.
A certain password strength is required to make sure that your private key is strong enough for encrypting your confidential emails. That’s why registration with a weak password is not possible with Tutanota.
To reset your password, you need your recovery code. We do not offer a password reset via email as this is inherently insecure.
You can read details about Tutanota’s key generation process and how we secure your private key on our blog.
Tutanota follows the principles of data minimization & privacy by design.
We are responsible for the protection of your personal data, and we take this responsibility very seriously. Therefore
Please read our full privacy statement for details.
Our built-in encryption and the ability to send an encrypted email to any recipient in the world make Tutanota a perfect fit when looking for a secure email solution. Under the GDPR, companies must always protect personal data, even when sent via email. Read our blog to find out how Tutanota can help you to always send GDPR-compliant emails.
Germany has one of the strictest data protection laws.
Data privacy regulations in the European Union (EU) are among the strictest in the world, and among all European member states, Germany has one of the strongest policies: the Federal Data Protection Act (Bundesdatenschutzgesetz). The EU General Data Protection Regulation (GDPR) was in large parts designed based on the German Federal Data Protection Act.
This law protects users of Internet services. It puts the user in charge of what should be done with their data: Companies (=we) are not allowed to collect any personal information without express permission from an individual (=you), (e.g. name, date of birth, IP address).
In addition, in Germany there is no law that could force us to submit to a gag order or to implement a backdoor.
Tutanota stores all data encrypted in highly secure data centers in Germany.
All data in Tutanota is stored end-to-end encrypted on our own servers in ISO 27001 certified data centers in Germany. No one has access to our servers except our permanent administrators, who need to pass multiple-factor-authentication before gaining access. All productive systems are monitored 24/7 for unauthorized access and extraordinary activity.
Tutanota is an anonymous email service that does not track you.
Our business model is different from most email services: Due to the encryption, we can not scan your emails. We do not track you. We do not send targeted advertisements to your mailbox.
By default, Tutanota does not log IP addresses when you login or when you send an email. Upon registration you do not need to provide any personal data (e.g. no phone number is required), even when you register via Tor.
Tutanota strips the IP addresses of emails sent from the mail headers so that your location remains unknown.
Tutanota is an email service built with privacy at its heart.
Companies love email for marketing campaigns. Because email by default does not respect your privacy. When marketing people send you a newsletter, the email usually loads external content (e.g. images). In this instance you are being tracked: IP address, browser you are using, and more information is being transmitted to the sender.
Tutanota offers you an email service that automatically protects from those tracking methods:
Check if anyone has accessed your encrypted Tutanota mailbox.
Our new mail client lets you check active and closed sessions as an opt-in feature. This allows you to verify that no one but yourself has logged into your account. Closed sessions are automatically deleted after one week.
Tutanota’s session handling also enables you to close sessions remotely. When you lose your mobile phone and you are still logged in with the Tutanota app, you can close this session from any other device. By closing the session remotely, you make sure that no one can access your secure emails on the lost phone.
IP addresses of open and closed sessions are always stored encrypted and automatically deleted after one week. Due to the encryption only you can access this information. We at Tutanota have absolutely no access to this information.
Free and open source emails for everyone.
Tutanota focuses on security and privacy. To us, open source is essential to achieve both. We have published the Tutanota web client and both Android and iOS Apps as open source software on GitHub.
This way everyone can check the code and verify that there are no bugs in the code base. By being open source potential bugs can be noticed and fixed much faster than it is the case with closed source applications.