Yes, all Tutanota clients are published as open source under GPLv3. Check out our GitHub repository. We welcome you to review the code, to give us feedback or to contribute!
Yes, Tutanota is a green email service that relies exclusively on renewable energy for all email systems.
Yes, Tutanota offers secure business email accounts with lots of whitelabel customizations. You can place the login for your employees directly on your website with a whitelabel domain. Tutanota also offers Secure Connect, an open source encrypted contact form so clients can get in touch with you confidentially directly on your website. Learn here how to use Tutanota in your organization or company with your custom email domain.
Here's a list of all whitelabel customizations for business use. Here's an instruction how to whitelabel Tutanota for your business, how to add the encrypted contact form Secure Connect to your website and more.
Yes, you can customize the logo and colors in Tutanota when you book whitelabel.
Secure Connect is an open source encrypted contact form which enables every visitor of your website to contact you confidentially. Check here how to book Secure Connect and how to send an encrypted message via Secure Connect.
Yes, Tutanota as an encrypted email service is perfectly suited for any business that would like to use a GDPR-compliant email service.
Yes, right after registration of a business account you will find a data processing agreement directly in Tutanota under Settings -> Subscription.
Yes, an encrypted calendar is integrated into the Tutanota mail client.
Please check that the time zones of your devices are in sync, including daylight saving time.
If you are using Firefox/Tor Browser with resistFingerprinting option in about:config, this automatically resets the browser time zone to UTC, which then leads to sync issues.
Yes, Tutanota will include a whole set of collaboration options such as working together on task lists and documents in the future. You can already book this collaboration tool. Right now it is called 'sharing feature' as you can now share your encrypted calendars as well as email templates with other paid accounts. This is the first step, more collaboration options will be added in the future.
We donate the business version of Tutanota to non-profit organizations (NPOs). Please find details on how non-profit organizations can secure their emails for free or with a discount.
The Tutanota clients use REST services but there is no public documentation for that API or for a library, yet. Keep in mind that when user data is stored in or read from Tutanota, it has to be encrypted/decrypted on the client. You may of course dig into the open source code of Tutanota and integrate with your product, but at this time we can not provide any support for this. We will add a public API documentation in the future.
When you sign up for Tutanota, you create an email account. This account initially has one user which is also an administrator. Free accounts only have one user. If you upgrade to a paid subscription, you can add users to your account. You manage the users (deactivate a user, change password) within your Tutanota account with your administrator user. You may also allow multiple users to be administrators.
In the diagram the '1' at the arrows means there is one item assigned. A user has one mailbox and one address book. The '*' means multiple items may be assigned, e.g. an account has one or more users, a user may have multiple calendars and a mailbox may have multiple email aliases (paid feature). By the way, a mailbox also has a main email address.
The date format for your mailbox as well as your calendar is picked either from your language settings in Tutanota or from your system/browser settings. If you pick 'English' under 'Settings' -> 'Appearance', the American date format is displayed. If you pick 'Automatic' under languages, the date format of your browser/system is displayed. If you pick any other language, e.g. German, the date format of this language, e.g. German, is displayed.
When booking a paid subscription in Tutanota, you can pay via Credit Card (Visa, Mastercard, American Express), via PayPal or via bank transfer. Payment via bank transfer is only available for business customers in the EU.
If you have problems paying for your Tutanota subscription, please contact our sales team.
Yes, you can buy gift cards and add them to your own account. Once the credit is added to your account, it does not expire. It will be used for future invoices. This gives you the option to top up your account whenever it is convenient for you. You can check your credit under 'Settings' -> 'Payment'.
When you buy a gift card (by clicking on the present symbol to the left), a popup will appear with some buttons that will give you the option to a) send an email containing the gift card link, b) copy the link to the clipboard, or c) print off a graphic containing a QR code. The popup can also be viewed later under Settings -> Subscription -> Gift cards.
The person who wants to redeem the Tutanota gift card can then either click the link or scan the QR code, and they will be taken to a page where they can redeem it by following the steps provided (select or create Tutanota account, then redeem).
These Terms and Conditions for Tutanota gift cards are valid as of December 14, 2020.
These Terms and Conditions for Tutanota gift cards are provided in English for your convenience. Please note that in case of a dispute or discrepancy between the German Terms and Conditions and the English translation, the German version shall prevail.
The gift card is valid to be redeemed in the country specified by the purchaser.
The gift card can be redeemed by anyone who has access to the gift card link. It may be applied to any private account (free or paid), but not business accounts.
The gift card is valid for three years, starting from the end of the year in which it was purchased.
A customer may purchase a maximum of 10 gift cards within a six-month period.
When redeemed on an existing or newly signed up Free account, the account will automatically be upgraded to a yearly Premium subscription with automatic renewal, at the standard price of €12 (deducted from the gift card amount), the remaining balance will be applied as credit to the account.
When redeemed on an existing paid account, the full value of the gift card will be applied as credit to the account.
Account balance can be used to book further features up to the available amount. Further purchases will require a payment method to be added or another gift card to be applied.
Gift cards can only be purchased by customers who have provided credit card details or PayPal as a payment method.
Gift cards are non-refundable.
Account credit obtained via gift card can be neither refunded nor paid out.
We reserve the right to deactivate gift cards in the case that the purchasing account of said gift cards is found to have abused our service.
We plan to add Bitcoin as a payment method to Tutanota in the future. You can already buy Tutanota gift cards with Monero or Bitcoin via our partner Proxystore to upgrade your Tutanota account with cryptocurrencies.
No. When a password is used for authentication (login), it is not necessary that it is known to the server you want to authenticate with. The server only needs a fingerprint (hash) of your password. With Tutanota your hash for authentication is calculated by your browser and only the hash is being sent. Your password never travels the Internet in plain text and it is never seen by our server. As hashes are non-invertible, the server is unable to reconstruct your password from the hash. The server is not able to decrypt your message, but still able to log you in.
Recommended for further reading: Learn how Tutanota automates the encryption process while leaving you in full control of your encrypted data.
If you can't login to your account, this has been caused by one of the following reasons:
Our secure password reset feature enables you to reset your account yourself. Please write down your recovery code somewhere safe.
If you think your password was disclosed to someone else but you can still log into your account, please do the following:
If the attacker had been logged in as well, changing the password automatically logs him out.
We encourage you to always use 2FA with your accounts as it makes it close to impossible for an attacker to log into your account.
If you can not log into your account any more, please check this FAQ.
Your password is salted and hashed with Bcrypt on your device before being transmitted to Tutanota. Bcrypt is the most reliable method because brute-force attacks need much more time in comparison to conventional methods such as MD5 or SHA. With this method we guarantee an integrated confidentiality and we allow you to access and decrypt your emails from desktops and mobile devices instantly.
Tutanota uses a password strength indicator that takes several aspects of a password into consideration to make sure your chosen password is a perfect match for your secure email account. You can find additional tips on how to choose a strong password here.
Tutanota has no limitations in regard to the password length or used characters; all unicode characters are respected.
Yes, Tutanota supports two-factor authentication with U2F and TOTP. Here are details on how to set up your second factor in Tutanota.
If you click on 'Logout', you log out. Please note: If you have previously saved the password, you are now logged out, but the password is still saved for automatic login. To 'unsave' the password, please log out. The login screen appears, click on 'More' and 'Delete credentials'.
Tutanota encrypts all data stored in your mailbox (contacts, emails, email signature, inbox rules, invoice data, payment method, certificate and private keys of your own domains). When sending an email, Tutanota encrypts subject, content and attachments automatically.
You can find a detailed explanation about what is encrypted in Tutanota on our security page.
We can read only the following metadata:
We are looking into possibilities to hide the metadata in the future as well.
Your private and your public keys are generated locally within your browser upon registration. Your private key is encrypted with your password. This way your login password receives the status of the private key. The key is encrypted so strong that only you can use the key for encrypting and decrypting data. This is why a strong password is essential. An automatic password check on the client makes sure that you use a strong password. Your password is never transmitted to the server in plain text. It is salted and then hashed with bcrypt locally on your device so that neither the server nor we have access to your password. With this innovative design you can access your encrypted inbox from any device (desktop, mobile) easily.
For the email encryption between users, Tutanota uses a standardized, hybrid method consisting of a symmetrical and an asymmetrical algorithm. Tutanota uses AES with a length of 128 bit and RSA with 2048 bit. Emails to external recipients are encrypted symmetrically with AES 128 bit.
The system automatically encrypts all emails stored in Tutanota. Emails between Tutanota users are automatically encrypted end-to-end, emails to external users can be secured with the help of a password. Here we explain the differences between a confidential (end-to-end encrypted) and a non-confidential email.
Independent of the end-to-end encryption, the transport between client and Tutanota servers is secured with TLS to maximize security.
The Tutanota servers are located in secure and ISO27001 certified data centers in Germany. All saved data are subject to the strict German privacy protection laws. Independent of that all data is end-to-end encrypted and cannot be read by the Tutao GmbH as the provider or by any third party.
By default, we do not log IP addresses when you log in or when you send an email. The IP addresses of sent and received emails are stripped so that your location remains unknown.
We only log IP addresses of individual accounts in case of serious criminal acts such as murder, child pornography, robbery, bomb threats and blackmail after being served a valid court order by a German judge. You can find details on this as well as on German data protection rights on our blog.
Learn on our blog how Tutanota fights illegal mass surveillance by providing an anonymous email service. Upon registration you do not need to provide any personal data (e.g. no phone number required). We will also make it possible to pay for Tutanota with Bitcoin.
Yes. You can view and remotely close active sessions under Settings -> Login.
Check our How-to to learn how to enable storing of closed sessions to monitor whether someone else has access to your account. To guarantee the users' privacy, we have implemented the feature as follows:
A deleted email address (also if it is an alias) will not be recycled for security reasons. There must be no possibility that someone else is able to register your previously used email address, and then, by accident, receive a confidential email that was meant for you.
Free of charge accounts are deleted after an inactive period of six months. A regular login is necessary to prevent automatic deletion. We delete such accounts for security reasons and also to allow us offering free of charge Tutanota accounts at all. However, the email addresses of such deleted accounts may be taken over into another paid account and re-used as email aliases or additional user addresses if you still have the valid login credentials.
To re-use the email address of the inactive account
Then you can add the lost address(es) as an alias (or user) to the target email account. We call it merging of addresses.
Tutanota does not load pictures automatically when you open an email. When you load external images manually, please note that
Phishing is a name or type of online scam in which criminals try to look like a legitimate sender in order to get your data such as credentials or credit card data. Phishers use very sophisticated psychological techniques and develop very realistic copies of real websites and emails.
If you see a phishing banner, it means that some parts of this email match our phishing signatures after other users reported similar emails as phishing. Please be extremely careful with such messages. Usually phishing emails contain a special link to the website which looks real but it actually is not. If you think that the email is legitimate and you opened the link, please make sure to check the full website URL: Check that you see all of it, sometimes only one part or one character may be swapped. Here is more information on how to prevent email phishing attacks.
You can mark an email as not phishing so you will not see the warning message any more for this email.
We never send you emails with links where you need to type in your password. We encourage you to always protect your login credentials with 2FA as this makes it close to impossible for an attacker to log into your account.
If you already fell for a phishing attack, please check this FAQ.
We require all messages to be authenticated. Without authentication, the email could be coming from anyone or could be modified so you should always treat such emails with scrutiny. If you see a message where the authentication has failed (red warning banner), you should be especially careful as it means that this email was likely faked.
Yes, Tutanota comes with full-text search of your encrypted mailbox. In the free version, search is limited to four weeks into the past due to heavy server load caused by the encrypted search feature. Learn here how you can improve your search results. The spam folder is excluded from search.
Search is executed locally via an encrypted search index to guarantee security and privacy of your data as well as your search queries. As the search index needs to be stored in your browser, it does not work in private mode/incognito mode. Read here how our innovative full-text search on encrypted data works.
The Settings are in the navigation menu to the left.
The language in Tutanota is taken automatically from your browser or system settings. Please change the language there. Alternatively, you can go to 'Settings' -> 'Appearance' to switch the displayed language for Tutanota.
We also invite you to join our translation project to improve Tutanota in your native language!
You can download the Tutanota app from the following stores:
In addition to that, you can also directly download and install the APK for Android. Keep in mind that you will not get updates automatically if you install the app manually instead of using an app store. You can add our blog to your RSS-reader with this link to get notified about updates: RSS-Feed
Please check the app settings on your phone. As we do not use Google's push notifications service, battery optimization must be disabled for Tutanota to receive push notifications instantly.
This is necessary to offer you an open source email service free from any links to Google.
WebView is a system app on Android devices which allows us to display web content inside the Tutanota app. Newer versions let us use newer technologies to make the app smaller, faster, more beautiful and more reliable. If you experiencing issues or bugs with the Android app, updating WebView has a good chance to help.
In the mobile app, you can currently only login with one user. To switch to another user, you must log out and log in again. You can login with multiple users in the browser by opening several tabs or windows. In the desktop clients, you can also open several windows to login with multiple users.
You can download the Tutanota desktop clients (Windows, Linux, Mac OS) on our homepage.
Tutanota desktop app uses system keychain to be able to encrypt sensitive details such as credentials and alarms. On Linux there must be an app installed which provides secret storage (org.freedesktop.secrets interface). This is usually set up together with the rest of the desktop environment but sometimes it requires manual setup. Installing GNOME Seahorse and configuring keychain there should be sufficient. KeePassXC is another provider which can be used but it must be additionally configured.
Yes, you can add existing email addresses (e.g. Alice2, Alice3) as aliases to a paid account (Alice1):
Please note: You are only transferring the email addresses. Emails and contacts stored in the deleted accounts (Alice2, Alice3) are being deleted. Please export important emails before deleting the accounts.
Current encryption standards like PGP and S/MIME have several issues that we plan to address with Tutanota. These standards do not support forward secrecy and are not resistant to attacks from quantum computers.
In addition, it is important to us that the subject line in emails is also encrypted. That's why we have developed a solution that is also based on recognized algorithms (RSA and AES) and that automatically encrypts the subject, the content and the attachments. In the future, we plan to upgrade these algorithms to quantum-resistant ones that also support forward secrecy. You can find more information on why Tutanota does not use PGP here.
We also see the importance that Tutanota needs to be interoperable with other encryption solutions. We will develop an API so that Tutanota users can communicate with users of other secure services confidentially in the future.
This is not possible as we could not guarantee end-to-end encryption for your data. Instead Tutanota offers email desktop clients for Linux, Mac OS and Windows as well as a web client and apps for Android and iOS.
Yes, you can always access the emails sent via Tutanota through the link from your latest notification email. Old notification links from the same sender are de-activated for security reasons. Your exchanged password, however, stays unchanged as long as the sender does not change it. If you have saved the password upon accessing your confidential emails in your browser, you do not have to re-enter it.
Yes. Tutanota uses a preshared password for sending an encrypted message to an external recipient, i.e. to someone who does not use Tutanota. Please check our how-to to learn how to send encrypted emails to external recipients.
Here we explain how to switch the default so that emails to external recipients are sent not encrypted and without a password.
If you add another user to your account (family member, partner, team member etc.), you get the following benefits:
Furthermore, we have recently added a sharing feature for the encrypted calendar which we will extend in the future. Sharing of entire calendars only works with other paid Tutanota accounts.
Email aliases are additional email addresses that you can use with the same mailbox without having to switch accounts. Aliases are included in all paid plans of Tutanota. If you upgrade to Premium (€1 per month), you can add up to 5 aliases.
Find out more about Tutanota aliases in our How-to (create alias, change default sender, etc.). Learn here what the purpose of an email alias compared to a user is and how aliases can increase your security.
No, Tutanota does not support plus addressing (email@example.com) for Tutanota domains. If you want to register with different plus addresses at different sites, you can add an alias package to your account (limited to the number of aliases you book). Alternatively, you can use a custom email domain with catch-all to create an unlimited number of plus addresses for incoming emails.
Yes, any paid subscription of Tutanota comes with custom email domain support. Multiple domain support is also available in Tutanota. Please check our pricing page for details.
Please refer to our how-to to learn how to add your own email domains to your Tutanota account and how to make sure that your records (MX, SPF, TXT, DKIM, DMARC, CNAME) are set up correctly in your DNS as well as how to activate/deactive catch-all and more.
Yes, Tutanota uses a spam filter to keep your mailbox free from spam. We are improving this filter continuously. Should you receive spam emails in your inbox, you can also configure your own spam rules here to deny or allow certain email addresses or domains. If a sender is blocked (rejected) by the spam filter, you can allow the sender for your account.
In paid accounts, only admins can create spam rules that are being applied across all users.
Yes, Tutanota supports an unlimited number of inbox rules / filters for paid accounts. Check our how-to to see how to set up inbox rules.
Yes, all emails in Trash or Spam are automatically deleted 30 days after the emails were moved to these folders. You can also manually empty these folders with one click. Please note: Emails deleted from Trash or Spam folders are physically deleted and can't be restored.
Yes, Tutanota uses different variables to calculate email limits for individual accounts. This is necessary to protect our free and anonymous email service from spammers who try to abuse Tutanota. If spammers were able to abuse Tutanota, it would harm all Tutanota users - ie Tutanota domains could end up on email spam lists, which we have to prevent under all circumstances.
If you receive the following message in your Tutanota account "It looks like you exceeded the number of allowed emails. Please try again later.", the anti-spam protection method has stopped your account temporarily from sending new emails. Please wait a day or two to send new emails again.
If you need to send more emails immediately, please upgrade to our affordable Premium version (1 Euro per month) as limits for paying users are much higher. Simply click on 'Premium' in your side menu bar of Tutanota.
Please note that Tutanota is not meant for sending out mass mailings such as newsletters. Please read our Terms & Conditions for details.
Yes, email addresses are automatically added to your encrypted Tutanota address book when sending an email unless you deactivate this feature. You'll find details here.
Emails: You can export/download individual emails or batch-export emails by using multi-select. Email import is not yet possible. We plan to support email import as well as an even easier export function with our new secure desktop clients.
Calendars: You can import and export calendars via .ics. Login with a browser and click on the three-dot button next to the calendar you wish to import data to or you wish to export.
Yes, Tutanota supports HTML editing options (embed images, add lists, bold, italics, underline, monospace, add hyperlinks, align the text left, center, right, justified, change text size, remove all formatting). These are explained in our how-to along with lots of information on email handling.
Yes, with a paid subscription you can set up email notifications to any email address under 'Settings' - 'Email' - 'Notifications'. You will be informed about new emails once until you log in. Only if you have logged in to view this email, Tutanota will send another notification to keep notification emails to a minimum.
As a Free user, you can receive push notifications in the browser, the Android & iOS app as well as the desktop clients.
Yes, the Tutanota Transparency Report is updated every six months. You can check it here. It also includes a Warrant Canary.
Yes, you can downgrade back to free anytime. Before this, you need to disable all extra bookings. You can keep your main Tutanota email address as a free account.
Check here to see how you can upgrade or downgrade and how to add or disable extra bookings (aliases, storage, additional users).
Some accounts are automatically marked for approval upon sign-up to prevent abuse. This often affects IPs from VPN services or Tor as spammers try to bypass our anti-spam protection method by abusing these services. Please read here why the 48-hour wait is necessary to protect your privacy to the maximum with a truly anonymous email service.
During these 48 hours emails cannot be sent or received. Please do not share your new email address before the blocking has been lifted automatically.
Please check whether the sender was blocked by following this instruction.
Sometimes newly created email addresses are put on hold for 48 hours to prevent abuse. It is important that you do not share your email address until this block is lifted automatically. If you do use the email address to register elsewhere or sign up for newsletters before the block is lifted, this service will send you a confirmation email, which will bounce with a temporary error. This might lead to problems registering with this service, even in the future.
Most websites and online services let you register with your chosen Tutanota email address just fine. Unfortunately, we have received reports by users that some websites block Tutanota email addresses for registrations. Please check these options to resolve this situation.
Tutanota uses its own Captcha so that we do not have to depend on using Google Captcha. This enables us to offer an open source email service without any links to Google.
The Tutanota Captcha shows a clock. You need to enter the displayed time with four numerals, including the colon in the middle. If the displayed time is 8.30 for example, you have to enter 08:30 or 20:30 exactly.
If you would like to inform us about abusive usage of one of our domains (tutanota.com, tutanota.de, tutamail.com, tuta.io, keemail.me), please contact us at firstname.lastname@example.org. Please forward the abusive message to us if appropriate.
If you are a Tutanota user and have received a phishing email, you can report this email by clicking on the three-dot button to the right and then click on 'Report phishing'. Here are more details.
If you would like to report abusive usage originating from another provider's email address, you can find contact addresses at abuse.net.
We recommend setting up 2FA because of its security benefits. Learn in our online security guide how 2FA helps you to keep your emails safe from hackers.
Registering your second factor
Tutanota currently supports the following second factor types:
Second factors can be added by administrators and users, but only admins can remove assigned second factors.
Note: If you lose your second factor, you will no longer be able to login to your account. To prevent this, you can add multiple second factors. Additionally, please note down the recovery code shown to you when adding a second factor.
Authenticating with your second factor
During login you have to authenticate with one of your second factors. Alternatively, you may also accept that session from another logged in client. If your browser does not support the second factor you had registered, you can only accept the session from another client.
How to reset your second factor if you lose it
For resetting your second factor, you will need your personal recovery code and your password. You can view and also update your recovery code in Settings -> Login.
If you have lost your second factor, click on More -> Lost account access on the login page. There you will have to enter your recovery code as well as your password to delete all your second factors.
When you create a new Tutanota account, our secure password reset feature empowers only you to reset your account yourself. Please make sure that:
In case you can't login to Tutanota, please make sure that:
We do not know your password and can't modify your second factors. However, there are different ways on how to regain access to your mailbox in case of a lost password or a second factor.
Administrator is available
If you are a member of an organization or a business: Ask your administrator to reset your password. Each administrator can reset the passwords of other users and admins. If you want to make sure to never lose your paid account, it's best to have at least two administrators.
Recovery code is available
Your recovery code is your personal code to resetting your account. If you did write it down when you created your account, you can reset your password or second factor using your personal recovery code by clicking on More > Lost account access on the login page.
You can view and also update your recovery code in Settings > Login. You can also find more information on this secure reset feature on our blog.
With 2FA enabled, you will need 2 out of 3 to reset your Tutanota account:
Click here to reset your password. You will need your second factor (if 2FA enabled) and your recovery code.
Click here to reset your second factor. You will need your login password and the recovery code.
Please note: If you lose your password and your second factor, there is no option to reset your Tutanota account with the recovery code.
To search your encrypted mailbox, simply click on the top search field or press F.
When you press enter, Tutanota takes you to a more detailed search mask. The free search feature goes back one month into the past.
The detailed search mask lets you specify the time frame which should be searched (one month for free users). The unlimited search feature also lets you filter your search, e.g. who sent the email, to whom did you send the email, was the search query contained in the subject or in the body, what folder should be searched.
As all data in Tutanota is encrypted, using our innovative search feature causes a lot of traffic. This is why unlimited search is only available to paying users. Learn here how you can benefit by going Premium for only €1 per month.
Please note: You can only search emails and contacts, thus, the search field is not shown when you are browsing the 'Settings' of your mailbox.
If you own one or more domain names that you want to use with Tutanota, you can add these domains to your paid subscription of Tutanota. The setup wizard for your custom email domain will guide you through the process in just four small steps. In each step the wizard will explain, which configuration changes you have to make. If you don't have a Tutanota account, you can register here.
The setup wizard for your custom email domain can be found in 'Settings' -> 'Global settings' -> 'Custom email domains' by clicking the '+' button.
In order to send and receive emails with your custom domain in Tutanota, you need to configure the following types of DNS records in the settings of your domain name provider. Prior to configuring those DNS records the wizard will allow you to create new users or email aliases for your custom domain in order to have a smart switch to receiving emails in Tutanota.
The exact values that these DNS records should point to will be shown to you in the setup wizard.
The MX record is necessary to relay emails for your domain to the Tutanota servers. The SPF TXT record marks the Tutanota server as valid sender of emails from your domain. The _domainkey and _dmarc records make sure your emails are signed with DKIM and sender spoofing of your domain's email addresses can be detected automatically by the recipient mail servers. The MTA-STS records make sure that transport encryption and authentication is used between different mail servers.
Tutanota will indicate if the DNS records are fine for all your domains or if there is something that has to be changed.
Please note that with some domain name providers it may take up to a few hours before changes to your DNS records become visible for other mail servers. You can check your DNS settings here.
Please note that we do not support email import, yet. We plan to enable import in the coming months. For now, we recommend to keep your old mailboxes as a reference when moving to Tutanota from another provider.
On our business site, there is a summary of all available features of Tutanota's secure business emails.
To book the encrypted contact form Secure Connect, you need to:
When someone starts to communicate with you via the encrypted contact form Secure Connect, the entire communication will be encrypted end-to-end. Encryption takes place locally in the browser so that no third party - not even we as the provider of Secure Connect - can access this information.
Here is how to start an encrypted communication channel via Secure Connect:
While sending the encrypted message via Secure Connect, Tutanota automatically creates a mailbox for the sender with an automatically generated email address of your whitelabel domain. The sender can login with the selected password to read your reply and also reply again. With Secure Connect an encrypted communication channel has been established that is both easy to use and secure.
Email encryption is needed whenever you want to send a confidential email. That is whenever your email contains personal information that should not become public. The following examples show the differences between end-to-end encrypted, confidential emails and emails that are not being end-to-end encrypted in Tutanota.
Alice is registered with Tutanota, Bob may be registered with Tutanota or an external recipient and Carol is not registered with Tutanota. In any case all emails (including attachments) are stored encrypted on the Tutanota servers. Independent of the end-to-end encryption, the transport between client and Tutanota servers is secured with TLS to maximize security.
Sending and receiving end-to-end encrypted emails
The email is encrypted on Alice's client, stored encrypted on the server and can only be decrypted by Alice or Bob.
Sending non-confidential emails
The email is sent via SMTP to the recipient. Still, the sent email is encrypted for Alice on the server and then stored.
Receiving non-confidential emails
When the SMTP email is received by the Tutanota server, it is encrypted for Alice and then stored on the server.
Updating WebView is usually as simple as installing an app. For devices with Android older than Nougat, this is usually the app called Android System WebView, which you can download from the PlayStore here.
Additional optional settings changes
The Android N default WebView is usually tied to the Chrome browser. If you don't want to install Chrome, you can install another provider and later select another WebView implementation in the developer settings.
To enable developer settings:
Note for LeEco device owners: LeEco made changes to some devices which prevents changing WebView. We don't know of a workaround, yet. We recommend using the web browser to access your Tutanota mail account.
Depending on the width of your browser Tutanota displays the left Settings menu, your folder list, your mail list, and the selected mail.
When you select an email, these options show up to its top.
The top email menu has the following options:
If you want to print an email as pdf, you can use the browser function for printing.
Sending of emails
Condensed email window.
Enlarged email window.
When writing an email you can use these text editing tools
Please use mouse-over in the web client to see what symbol represents what function. The Tutanota text editing tools enable you to embed images, add lists (bullets and numbers), change texts to bold, italics, underline, monospace, add hyperlinks, align the text left, center, right and justified, change the text size, and remove all formatting from selected text.
To insert a template into the mail editor, please login to Tutanota in the browser or in one of the Tutanota desktop clients:
If you have created several language versions for this template, you can choose the correct one after hitting tab (step 2).
Alternatively, you can access your templates by typing ctrl+space, or from the editor toolbar. There you can search for the correct template and insert it.
Tutanota blocks automatic image loading to protect your privacy. To load external images, please click on 'Show' above the mail body to load the image for now or on 'Always trust sender' to always load all images sent from this email address. Please note that you have to allow images from a trusted sender on all your devices once. In the case that mail authentication fails or is non-existent, images will not be loaded even if the sender has been allow-listed. Inline images are displayed directly as no external content needs to be loaded.
Go here in Settings. You can choose the 'Default delivery': Encrypted ('Confidential') or not encrypted ('Not confidential'). You can also switch whether an email is encrypted or not when composing the email by clicking on the lock symbol. Emails to other Tutanota users are always encrypted by default.
When sending an encrypted email to an external recipient, you need to specify a password when composing the email.
Once set, the password will be automatically saved along with the contact in your Tutanota address book, which makes your encrypted address book the password manager for your external contacts. Next time you write an email to that recipient, you simply specify the email address and Tutanota automatically enters the password. The password needs to be exchanged via a second channel. If you would like to change the password, you can either do this within the contacts view or when composing a new email to this external recipient.
The external recipient
Note: The link within the notification email contains a salt which is needed for decryption along with the password. Thus, someone who wants to intercept your encrypted messages needs the exact link and the password. (An old link gets deactivated as soon as you send a new email to the same email address.)
If using one of the paid plans, you can add aliases to your account. You can also add additional alias packages. Refer to our pricing page for details.
Go here in your mailbox→ 'Email aliases': Click on 'Show Email Aliases'. Click on the plus symbol to add aliases. A pop-up opens where you can type the alias you want to add. Click on the three-dot button to choose the domain for your alias. This can be any of the Tutanota domains or of your custom email domains that you have added to your Tutanota account.
Please note: It is technically not possible to delete aliases with a Tutanota domain. These can only be deactivated. Deactivated aliases remain linked to your account in case you want to activate them again in the future. When you are using your own domain with Tutanota, you can delete aliases with your custom email domain and create new ones.
If you need more than five aliases, you need to buy a larger alias package here, even if the aliases are deactivated.
You can change the default sending address to your own domain alias (or any other alias) by changing the default sender here in your mailbox→ 'Default Sender'. This will make your alias the default sender. However, the main address of your Tutanota account (name in tab) will remain unchanged.
To change the alias upon sending an email, click on 'SHOW'. Then click on the pen symbol next to the sender and choose the alias you want to send an email from.
Spam detection in Tutanota is multi staged. For incoming unencrypted SMTP emails, the received email is checked against DNS spam lists first. In a second stage we filter emails by executing content checks and mark emails as spam or not. Emails that have been marked as spam will be moved to the spam folder of your mailbox. In a third stage we filter spam on the base of user defined email sender lists. This list provides the possibility to classify email addresses as spam or not as spam. The check is active for all incoming emails and can be configured by the administrator. The rules are valid for all users.
Within a received email, please click on 'Show more', then click on the From address to assign the email address, the domain, or the top level domain with one of the following spam rules:
The "No spam" rule has a higher priority than "Always spam" and "Discard" has the lowest priority.
You can set spam rules for sender addresses (highest priority), domains (lower priority), and top level domains (lowest priority). To add a spam rule for a domain, just enter the domain like xyz.com without putting an @ in front. This rule will also apply to emails sent from a subdomain. To add a spam rule for a top level domain, just put in com - for example - no dot is needed before this.
Rules for domains are restricted. You are not able to assign the rules "Always spam" and "Discard" to Tutanota domains, neither to your custom domains.
You also have the option to allow all emails. To do this, create a spam rule and put in an asterisk * where you would usually put in the email address that the rule should apply to.
How to receive blocked emails.
Go to 'Settings' -> 'Global Settings' -> 'Rejected email senders' to check whether any email to your account has been blocked due to the sender being listed on a spam list. You can click 'Refresh' to refresh the list in case you are waiting for a registration email. If a blocked email is shown here, you can allow the sender so that emails from this sender will reach your inbox in the future.
'Login' shows you several info items about your Tutanota account.
Here you can configure how you want to send your mails.
'Inbox rules' (filter): Click on 'Show Inbox Rules' and then on the plus-button. A pop-up with three options opens: 'Field', 'Value' and 'Target folder'.
'Notifications': Click on 'Show' and the plus symbol. A pop-up opens where you can enter an email address that should be notified once a new mail arrives in your Tutanota mailbox.
Please login to Tutanota in the browser or in one of the Tutanota desktop clients. In Settings -> My Templates you can create templates to answer repetitive requests faster. Click on 'New template' to create new template.
For your template, enter a Title, a Shortcut, select the language (here: English), the content. When using templates, you will need the shortcut to find the correct template. The content will be added to the mail editor automatically.
Here we explain how to add templates to an email.
When you order the Whitelabel feature, you have two options: The Whitelabel feature is already included in the Pro subscription. Alternatively, you can order it separately in your paid account. Your whitelabel domain can be any subdomain, and might look like 'secure.mycompany.com' or 'email.mycompany.com'. In order to setup your whitelabel domain you must be able to set the CNAME DNS entry of that domain.
Choose a subdomain of your own domain, at which you would like to reach the Tutanota login. This must be a subdomain, a main domain is technically not allowed. Create the subdomain by setting the CNAME DNS entry for that domain to point to login.tutanota.com at your domain hoster. The DNS entry should look like this: '< subdomain_name > CNAME login.tutanota.com'. Depending on your domain hoster you might have to set the fields 'name' to '< subdomain_name >', 'type' to 'CNAME' and 'value' to 'login.tutanota.com'. Keep in mind that the DNS changes may take a while until propagated.
Enter this subdomain under 'Whitelabel domain'.
'Certificate type': Click on the pen symbol and choose 'Automatic (Let's Encrypt)'. Certificates for your domain will be issued and updated automatically.
'Certificate type': Click on the pen symbol and choose 'Manual'. You need to get and update certificates for your own domain manually.
Upload your domain's SSL certificate chain and
your domain's private key to enable the Tutanota login at your domain. Both must be provided in PEM format (base64 encoded). The private key file content must start with the line "-----BEGIN RSA PRIVATE KEY-----" or "-----BEGIN PRIVATE KEY-----". The certificate file content must start with the line "-----BEGIN CERTIFICATE-----". In order to create a certificate chain from individual certificates create a file in a text editor. Then first copy your domain's certificate into that file and below that certificate any intermediate certificate or certificate bundle that was provided to you in addition to your certificate file. Your certificate chain file might then look like this:
(Your SSL certificate, e.g. from your_domain_name.crt)
(Your intermediate SSL certificate, e.g. from intermediate.crt)
Now you can open your custom domain in your browser and see the Tutanota login with your customizations.
Secure Connect - our encrypted contact forms allow you to be contacted confidentially as all messages are automatically end-to-end encrypted.
Create a new contact form
Manage existing contact forms
To upgrade a Free account (or downgrade from Premium to Free), please go to Settings -> Subscription -> Subscription and click on the pen symbol. Then you can pick another subscription (picture below).
Under Settings -> Subscription you can also sign the 'Order processing agreement' if you need to comply with the GDPR, switch your 'Subscription period' from monthly to yearly, check your price per year, and add more 'Extensions' or order gift cards.
Once upgraded you can add 'Extensions':
Go to Settings -> Payment to view and update your payment details.
Mac: Double-click the installer and follow the instructions on your computer.
Linux: After download, right click the AppImage and give it execute permission. Alternatively, run
chmod +x tutanota-desktop-linux.AppImage from a terminal window. Now you can run the App like any other executable, no further installation required. You may want to let it integrate itself with your desktop and app launcher.
Windows: Double-click on the Tutanota app and follow the instructions on your computer.
Enterprise mode (Windows): The desktop client can be installed on Windows in "enterprise mode" by passing the following flags to the installer:
The application may also be uninstalled silently, by passing /S to the uninstaller (in the installation directory under Program Files).
Windows: Go to Settings -> Desktop -> set "Default Email Handler" to "Registered". Then hit the Windows key, type "default" and choose "Default App Settings". In the settings window, choose "Tutanota Desktop" in the email row.
Mac: Go to the Settings -> Desktop -> set "Default email handler" to "Registered".
Linux: This depends on your distribution. Please refer to the relevant documentation. Useful keywords are "mailto handler", "protocol handler"
On all platforms, you may have to tell applications like your internet browser to use the system default mail app.
Sometimes the browser does not recognize the newly installed Tutanota desktop client as the default mailto app. If clicking a mailto-link does not open an email in the desktop client, please make sure that the Tutanota desktop client is activated as the default email app in your system settings as described above.
If everything is set up correctly, these instructions might help to troubleshoot:
The Tutanota desktop applications for Linux, Windows, and Mac OS are signed. The signatures make sure that the desktop clients as well as any updates come directly from us and have not been tampered with. Upon every update, the desktop client automatically checks that the signature is valid.
You can verify the authenticity of your manually downloaded installer with the OpenSSL utility yourself as well. It should be installed on most Linux and Mac systems, but needs to be added to Windows, you can get OpenSSL via this link.
The installer signatures are provided as separate files:
You need to activate the 'Run in background' option to receive notifications from the desktop client. This option appears in your notification area on Windows and in the Tray on Linux.
When it is active, the desktop client will not terminate when all windows are closed and instead remain in the background to provide desktop notifications in case of incoming email or calendar alarms.
If you can't see the tray icon on Linux despite the app running and the 'Run in background' option being set to 'Yes', please refer to your distribution's documentation to enable tray icons or AppIndicators. On MacOS, this option is not visible, and the dock icon is always used to provide a context menu.
If you still do not receive notifications, please check that you do not have focus mode, alarms only, or do not disturb modes on. You can also check the desktop settings of the client.
Windows: Hit the windows key, type "apps", choose the entry "Apps & Features". In the settings window, search for "Tutanota Desktop". Click it and then click the "Uninstall" Button.
Mac: Right-click the Application in the Applications folder and select "Move to bin". To remove the app cache as well, you need to delete the directory
~/Library/Application Support/tutanota-desktop/, for example via the terminal:
cd ~/Library/Application\ Support/ rm -r ./tutanota-desktop
Delete the AppImage, then delete the file
~/.local/share/applications/appimagekit-tutanota-desktop.desktop and the directory
~/.config/tutanota-desktop/ if they're present.
If you want to remove the icons, too, open a terminal window and type
cd ~/.local/share/icons/hicolor/ ls **/*/appimagekit-tutanota-desktop.png
Make sure the output only lists tutanota-desktop image files, then type
rm -i **/*/appimagekit-tutanota-desktop.png