Great answers

…to all your questions. Please also check our How-to to learn everything you need to know about Tutanota.

Table of contents

General questions

Is Tutanota for free?

Yes, the Tutanota webmail client is forever free with 1 GB of free storage for private users.

What does the name "Tutanota" stand for?

Tutanota is derived from Latin and contains the words "tuta" and "nota" which means "secure message".

Is Tutanota open source?

Yes, all Tutanota clients are published as open source under GPLv3. Check out our GitHub repository. We welcome you to review the code, to give us feedback or to contribute!

Does Tutanota use renewable energy?

Yes, Tutanota is a green email service that relies exclusively on renewable energy for all email systems.

Is Tutanota certified?

Tutanota was subject to an extensive penetration test by the SySS GmbH in November 2013. During the tests the experts were not able to access the system or to retrieve any confidential data.

Can I use Tutanota for my business?

Yes, Tutanota offers secure business email accounts with whitelabel customizations of the logo and design. You can place the login for your employees directly on a subdomain of your website. Tutanota also offers an encrypted contact form so clients can get in touch with you confidentially directly on your website.

Learn here how to whitelabel Tutanota for your business, how to add an encrypted contact form to your website and more.

I can't access my account. What can I do?
password second factor lost login access recovery code reset

If you can't login to your account, this has been caused by one of the following reasons:

  • You forgot your password or lost your second factor: Please read How do I reset my password or second factor?.
  • Your account got suspended due to unpaid invoices: Your account may be suspended if you don't pay your open bills for a long time. Just contact us if you want to continue using your account and include the email address of your suspended Tutanota account.
  • Your account was disabled due to another reason: Some accounts get disabled due to a violation of our Terms of Service. You can contact us if you think that we made a mistake. Please include the email address of your suspended Tutanota account.

Our secure password reset feature enables you to reset your account yourself. Please write down your recovery code somewhere safe.

Special offers for non-profit organizations
for free non-profit NGO NPO

For non-profit organizations (NPOs) we have the following special offers:

  1. If you are located in Austria, Canada, France, Germany, Italy, Netherlands, or in Switzerland you can get Tutanota Premium as a donation in cooperation with our partners Stifter-helfen and tech-soup. Please find details on how non-profits can get Tutanota for free on our blog.
  2. Coming soon: If you are located in Poland, you can get Tutanota Premium as a donation in cooperation with our partner tech-soup.
  3. For all other countries we offer a discount of 50%. Get in touch with us directly.

Conditions:

  • If you make use of Tutanota Premium as a donation, our partners collects a small administration fee to cover their expenses for offering the software donations.
  • The free or discounted Tutanota Premium offer is limited to users. Additional upgrades, e.g. storage packages, have to be paid at the standard price.
  • Only up to 50 users are included in the donation. If you need more users, you cannot apply for the donations above. But of course you will get the 50% discount offered by us.

Your Tutanota Password

Tutanota secures my private key with my password. Can you access my password?
recovery reset password

No. When a password is used for authentication (login), it is not necessary that it is known to the server you want to authenticate with. The server only needs a fingerprint (hash) of your password. With Tutanota your hash for authentication is calculated by your browser and only the hash is being sent. Your password never travels the Internet in plain text and it is never seen by our server. As hashes are non-invertible, the server is unable to reconstruct your password from the hash. The server is not able to decrypt your message, but still able to log you in.

Recommended for further reading: Learn how Tutanota automates the encryption process while leaving you in full control of your encrypted data.

What hashing function is used for the password?

Your password is salted and hashed with Bcrypt on your device before being transmitted to Tutanota. Bcrypt is the most reliable method because brute-force attacks need much more time in comparison to conventional methods such as MD5 or SHA. With this method we guarantee an integrated confidentiality and we allow you to access and decrypt your emails from desktops and mobile devices instantly.

How do I choose a strong password?

Tutanota uses a password strength indicator that takes several aspects of a password into consideration to make sure your chosen password is a perfect match for your secure email account. You can find additional tips on how to choose a strong password here.

Tutanota has no limitations in regard to the password length or used characters; all unicode characters are respected.

Does Tutanota support two-factor authentication (2FA)?

Yes, Tutanota supports two-factor authentication with U2F and TOTP. Here are details on how to set up your second factor in Tutanota.

Please note: U2F is currently not working in Firefox.

Security and Privacy

Where does the encryption process take place?

Encryption and decryption of data always happens locally on your device upon login. All data is end-to-end encrypted and only you can access the data with your password.

What is encrypted and what can you read?
encryption

Tutanota encrypts all your data (contacts, emails). When sending an email, Tutanota encrypts subject, content and attachments automatically.

We can read only the following metadata:

  • sender
  • recipient
  • date of the email

We are looking into possibilities to hide the metadata in the future as well.

Where are my keys generated and how is my private key secured?

Your private and your public keys are generated locally within your browser upon registration. Your private key is encrypted with your password. This way your login password receives the status of the private key. The key is encrypted so strong that only you can use the key for encrypting and decrypting data. This is why a strong password is essential. An automatic password check on the client makes sure that you use a strong password. Your password is never transmitted to the server in plain text. It is salted and then hashed with bcrypt locally on your device so that neither the server nor we have access to your password. With this innovative design you can access your encrypted inbox from any device (desktop, mobile) easily.

What encryption algorithms does Tutanota use?

For the email encryption between users, Tutanota uses a standardized, hybrid method consisting of a symmetrical and an asymmetrical algorithm. Tutanota uses AES with a length of 128 bit and RSA with 2048 bit. Emails to external recipients are encrypted symmetrically with AES 128 bit.

How are my emails encrypted with Tutanota?

The system automatically encrypts all emails stored in Tutanota. Emails between Tutanota users are automatically encrypted end-to-end, emails to external users can be secured with the help of a password. Here we explain the differences between a confidential (end-to-end encrypted) and a non-confidential email.

Independent of the end-to-end encryption, the transport between client and Tutanota servers is secured with SSL and DANE to maximize security.

Where are the Tutanota servers located?

The Tutanota servers are located in secure data centers in Germany. All saved data are subject to the strict German privacy protection laws. Independent of that all data is end-to-end encrypted and cannot be read by the Tutao GmbH as the provider or by any third party.

Does Tutanota log IP addresses or can I use my encrypted mailbox anonymously?

By default, we do not log IP addresses when you login or when you send an email. The IP addresses of sent and received emails are stripped so that your location remains unknown.

We only log IP addresses of individual accounts in case of serious criminal acts such as murder, child pornography, robbery, bomb threats and blackmail after being served a valid court order by a German judge. You can find details on this as well as on German data protection rights on our blog.

Learn on our blog how Tutanota fights illegal mass surveillance by providing an anonymous email service. Upon registration you do not need to provide any personal data (e.g. no phone number required). We will also make it possible to pay for Premium and Pro with Bitcoin.

Is my address book within Tutanota encrypted?

Yes, all data within Tutanota is end-to-end encrypted and only accessible with your password. Scanning and profiling of your data is not possible.

Can I disable sessions remotely (session handling)?
ip address log logging security

Yes. You can view and remotely close active sessions under Settings -> Login.

Check our How-to to learn how to enable storing of closed sessions to monitor whether someone else has access to your account. To guarantee the users' privacy, we have implemented the feature as follows:

  • The IP address is stored encrypted, and only the user can decrypt this information. No one else - not even we at Tutanota - can access this information.
  • IP addresses are only stored for one week and then automatically deleted.
Do you delete inactive accounts / recycle email addresses?

Free of charge accounts are deleted if they were not used for at least six months. Your deleted email address (also if it is an alias) will not be recycled for security reasons. There must be no possibility that someone else is able to register your previously used email address, and then, by accident, receive a confidential email that was meant for you.

App, client, instructions

Where can I request a new feature for Tutanota?

You can request and discuss new features with us and other users in our Reddit community. You can check whether someone has already requested this feature and whether we have already added it to our Roadmap.

How can I change the language in Tutanota?

The language in Tutanota is taken automatically from your browser or system settings. Please change the language there.

We also invite you to join our translation project to improve Tutanota in your native language!

Where can I get the Tutanota app?

You can download the Tutanota app from the following stores:

In addition to that, you can also directly download and install the APK for Android. Keep in mind that you will not get updates automatically if you install the app manually instead of using an app store. You can add our blog to your RSS-reader with this link to get notified about updates: RSS-Feed

Push notifications on my Android phone are being delayed. What can I do?

Please check the app settings on your phone. As we do not use Google's push notifications service, battery optimization must be disabled for Tutanota to receive push notifications instantly.

This is necessary to offer you an open source email service free from any links to Google.

My Tutanota app on Android was disabled, but I don't see a new version on F-Droid. What can I do?

You need to update your F-Droid repository to see the newest version of the Tutanota Android app.

Why does the Tutanota app ask me to update WebView?

WebView is a system app on Android devices which allows us to display web content inside the Tutanota app. Newer versions let us use newer technologies to make the app smaller, faster, more beautiful and more reliable. If you experiencing issues or bugs with the Android app, updating WebView has a good chance to help.

Here are instructions how to update WebView on your phone.

Is it possible to merge several Tutanota email addresses in one account?

Yes, you can add existing email addresses (e.g. Alice2, Alice3) as aliases to a Premium account (Alice1). Before you can add the aliases, you need to delete the other accounts (Alice2, Alice3) and specify the Premium account (Alice1) as the take over account upon deletion. We explain here how to take over the email addresses.

Please note: You are only transferring the email addresses. Emails and contacts stored in the deleted accounts (Alice2, Alice3) are being deleted. Please export important emails before deleting the accounts.

Is there a dark theme in Tutanota?

Yes. Before logging in, click on 'More' and 'Switch color theme' to switch to the dark theme. This works in all Tutanota clients (web, desktop, apps).

How to use Tutanota?
How to How-to settings instructions help support

Tutanota is very easy to use. From the start we focused on usability and kept the encryption process in the background. You do not have to install anything or worry about key handling. Tutanota is as easy to use as Gmail or any other webmail service.

You can start with Tutanota right away. If any questions remain, check our detailed how-to.

This describes all Settings of Tutanota. It also answers common usability questions such as:

How to send an encrypted email?
How to switch to not confidential?
How are contacts sorted?
How to add / rename / delete a folder?
How to use multi-select and shortcuts?
How to upgrade to Premium?
How to set up an alias?
How to send an email from an alias?
How to manage passwords for my Premium users?
How to send emails with my own domain?
How to add an encrypted contact form to my website?
How to delete an account?

Why does Tutanota not use pgp?

Current encryption standards like PGP and S/MIME have several issues that we plan to address with Tutanota. These standards do not support forward secrecy and are not resistant to attacks from quantum computers.

In addition, it is important to us that the subject line in emails is also encrypted. That's why we have developed a solution that is also based on recognized algorithms (RSA and AES) and that automatically encrypts the subject, the content and the attachments. In the future, we plan to upgrade these algorithms to quantum-resistant ones that also support forward secrecy. You can find more information on why Tutanota does not use PGP here.

We also see the importance that Tutanota needs to be interoperable with other encryption solutions. We will develop an API so that Tutanota users can communicate with users of other secure services confidentially in the future.

What browsers does Tutanota support? Via what browsers can external recipients check their encrypted emails?

Tutanota supports the current version of the following browsers:

  • Firefox (desktop)
  • Opera (desktop, Android)
  • Chrome (desktop, Android)
  • Safari from version 11.0 (desktop, iOS)
  • Microsoft Edge (desktop)

    Tutanota also works in Internet Explorer 11, but this browser is not officially supported.

The development goes on. What comes next?
roadmap

Please have a look here and here.

What is the maximum size for emails and attachments?

The size of emails with attachments sent via Tutanota is limited to 25 MB at the moment.

Can I retrieve my Tutanota emails via IMAP to another email client?
gmail outlook yahoo thunderbird redirect

This is not possible as we could not guarantee end-to-end encryption for your data. Instead Tutanota offers email desktop clients for Linux, Mac OS and Windows.

As an external recipient, can I re-access my emails later?

Yes, you can always access the emails sent via Tutanota through the link from your latest notification email. Old notification links from the same sender are de-activated for security reasons. Your exchanged password, however, stays unchanged as long as the sender does not change it. If you have saved the password upon accessing your confidential emails in your browser, you do not have to re-enter it.

Are emails to other Tutanota users always encrypted?

Yes, when sending emails from Tutanota to Tutanota, all emails are encrypted automatically end-to-end on your device. You do not have to enter any passwords.

Can Tutanota encrypt emails to other email services (external recipients)?

Yes. Tutanota uses a preshared password for sending an encrypted message to an external recipient, to someone who does not use Tutanota. Please check our how-to to learn how to send encrypted emails to external recipients.

Can I add alias email addresses to Tutanota?

Email aliases are additional email addresses that you can use with the same mailbox without having to switch accounts. Aliases are a Premium feature. If you upgrade to Premium (€1 per month), you can add up to 5 aliases.

Find out more about Tutanota aliases in our How-to.

Can I use plus addresses for my Tutanota email address?

No, Tutanota does not support plus addressing (xyz+username@tutanota.com) for Tutanota domains. If you want to register with different plus addresses at different sites, you can add an alias package to your account. Alternatively, you can use a custom domain with catch-all to create an unlimited number of plus addresses for incoming emails.

Can I use a custom (own) domain with Tutanota?
Does Tutanota use a spam filter?
false spam block legit newsletter

Yes, Tutanota uses a spam filter to keep your mailbox free from spam. We are improving this filter continuously. Should you receive spam emails in your inbox, you can also configure your own spam rules here to blacklist or whitelist certain email addresses or domains.

In paid accounts, only admins can create spam rules that are being applied across all users.

Does Tutanota support inbox rules for filtering incoming emails?

Yes, Tutanota supports an unlimited number of inbox rules / filters for paid accounts. Check our how-to to see how to set up inbox rules.

Are emails in Trash and Spam folder deleted?

Yes, all emails moved to Trash or Spam are automatically deleted after 30 days. You can also manually empty these folders with one click. Please note: Emails deleted from Trash or Spam folders are physically deleted and can't be restored.

Are there email limits to protect Tutanota from being abused by spammers?

Yes, Tutanota uses different variables to calculate email limits for individual accounts. This is necessary to protect our free and anonymous email service from spammers who try to abuse Tutanota. If spammers were able to abuse Tutanota, it would harm all Tutanota users - ie Tutanota domains could end up on email blacklists, which we have to prevent under all circumstances.

If you receive the following message in your Tutanota account "It looks like you exceeded the number of allowed emails. Please try again later.", the anti-spam protection method has stopped your account temporarily from sending new emails. Please wait a day or two to send new emails again.

If you need to send more emails immediately, please upgrade to our affordable Premium version (1 Euro per month) as limits for Premium or Pro users are much higher. Simply click on 'Premium' in your top menu bar of Tutanota.

Please note that Tutanota is not meant for sending out mass mailings such as newsletters. Please read our Terms & Conditions for details.

Are email addresses stored automatically in contacts when sending an email?

Yes, email addresses are automatically added to your encrypted Tutanota address book when sending an email unless you deactivate this feature. You'll find details here.

Does Tutanota support email and contacts export and import?

You can export individual emails or batch-export emails by using multi-select.

Email import is not yet possible. We plan to support email import as well as an even easier export function with our new secure desktop clients.

You can already import contacts via vCard.

Can I change the signature in a free account?

Yes, you can change the signature in Settings -> Email. Every account can change their signature. To support our free and secure email service, please leave the link to our homepage in your signature.

Other

If I upgrade to Premium, can I downgrade to free again?
Premium Free subscribe unsubscribe

Yes, you can downgrade back to free anytime. Before this, you need to disable all extra bookings (aliases, storage, additional users). You can keep your main Tutanota email address as a free account.

Check here how you can upgrade and downgrade.

My newly created account has been put on hold for 48 hours after registration. What should I do?

Some accounts are automatically marked for approval upon sign-up to prevent abuse. This often affects IPs from VPN services or Tor as spammers try to bypass our anti-spam protection method by abusing these services. Please read here why the 48-hour wait is necessary to protect your privacy to the maximum with a truly anonymous email service.

During these 48 hours emails cannot be sent or received. Please do not share your new email address before the blocking has been lifted automatically.

I don't receive confirmation emails from services or newsletters. What can I do?

Sometimes newly created email addresses are put on hold for 48 hours to prevent abuse. It is important that you do not share your email address until this block is lifted automatically.

If you do use the email address to register elsewhere or sign up for newsletters before the block is lifted, this service will send you a confirmation email, which will bounce. As a result, they will block your email address to keep their sender score high. If this has happened, you will not receive emails from this service even if you click to resend the confirmation email at a later time. You will need to use a different email address for this service or ask their support for help.

How do I solve the Tutanota Captcha upon registration?

Tutanota uses its own Captcha so that we do not have to depend on using Google Captcha. This enables us to offer an open source email service without any links to Google.

The Tutanota Captcha shows a clock. You need to enter the displayed time with four numerals, including the colon in the middle. If the displayed time is 8.30 for example, you have to enter 08:30 or 20:30 exactly.

I have received an abusive email (spam, phishing) from one of your domains. How do I report abuse?
fraud stalker threat abuse abusive phishing

If you would like to inform us about abusive usage of one of our domains (tutanota.com, tutanota.de, tutamail.com, tuta.io, keemail.me), please contact us at abuse@tutao.de. Please forward the abusive message to us if appropiate.

If you would like to report abusive usage originating from another provider's email address, you can find contact addresses at abuse.net.

Where can I report a security issue or a vulnerability that I found in Tutanota?

We at Tutanota take utmost care to secure your mailbox to the maximum. The Tutanota code is published on GitHub, and we invite security experts to check the code. In case you find a vulnerability in Tutanota, please report it directly to us so we can fix it.