How-to for your secure email service

• Here you login to our mail client.
• Please enter your full email address and password and click login.
• If you tick 'Store password', your password will be stored in the browser for easier login. Only choose this option if you are using your own device.
• Click on 'More' to see more options. 'Sign up' to register a new account and 'Switch color theme' to switch to the dark theme (shown in the screenshot above).
• If you have saved your password, you will see two more options under 'More': 'Different account' to login with another Tutanota email address and 'Delete credentials' to delete the password you have previously saved in the browser.

• Tutanota supports lots of shortcuts. You can display all shortcuts available in any given section of Tutanota by pressing F1 (fn+F1). You can also use HTML shortcuts to design your mails such as Ctrl+b, Ctrl+i, Ctrl+u.
• Show header info: You can show the email header of received emails by pressing H.
• Tutanota strips headers from emails sent to protect your privacy.
• If the technical sender is different from the header info, Tutanota warns you about this. The differing sender information could be a sign that this mail is coming from a scammer.

We recommend setting up 2FA because of its security benefits. Learn in our online security guide how 2FA helps you to keep your emails safe from hackers.

Registering your second factor

You can connect your second factor with Tutanota in Settings -> Login. As admin you can setup second factors for your users in Settings -> User management.

Tutanota currently supports the following second factor types:

• Security keys (U2F), e.g. Yubikey. U2F is currently supported by Chrome and Opera.
• TOTP with an authenticator app such as FreeOTP+, andOTP, Authenticator, Authy etc. If setting up a second factor with TOTP fails, please make sure that the time is synced between your devices.
• We plan to support more second factor types. Please let us know via social media which ones you prefer!

Second factors can be added by administrators and "normal" users, but removed only by admins.

Note: If you lose your second factor, you will no longer be able to login to your account. To prevent this, you can add multiple second factors and additionally note down the recovery code shown to you when adding a second factor.

Authenticating with your second factor

During login you have to authenticate with one of your second factors. Instead, you may also accept that session from another logged in client. If your browser does not support the second factor you had registered, you can only accept the session from another client.

How to reset your second factor if you lose it

For resetting your second factor, you will need your personal recovery code and your password. You can view and also update your recovery code in Settings -> Login.

If you have lost your second factor, click on More -> Lost account access on the login page. There you will have to enter your recovery code as well as your password to delete all your second factors.

When you create a new Tutanota account, our secure password reset feature empowers only you to reset your account yourself. Please make sure that:

• You write your password down and keep it somewhere safe.
• You write down your recovery code to never lose access to your Tutanota account.

In case you can't login to Tutanota, please make sure that:

• You have entered your email address with the correct ending, e.g. ".de" or ".com".
• The caps lock key is disabled.
• The time on your TOTP device is synchronized correctly (only applies if second factor authentication with TOTP fails).

We do not know your password and can't modify your second factors. However, there are different ways on how to regain access to your mailbox in case of a lost password or a second factor.

Administrator is available

If you are a member of an organization or a business: Ask your administrator to reset your password. Each administrator can reset the passwords of other users and admins. If you want to make sure to never lose your Premium account, it's best to have at least two administrators.

Recovery code is available

Your recovery code is your personal code to resetting your account. If you did write it down when you created your account, you can reset your password or second factor using your personal recovery code by clicking on More > Lost account access on the login page.

You can view and also update your recovery code in Settings > Login. You can also find more information on this secure reset feature on our blog.

With 2FA enabled, you will need 2 out of 3 to reset your Tutanota account:

Click here to reset your password. You will need your second factor (if 2FA enabled) and your recovery code.

Click here to reset your second factor. You will need your login password and the recovery code.

Please note: If you lose your password and your second factor, there is no option to reset your Tutanota account with the recovery code.

You can access all functions of Tutanota via the navigation menu.

• To the left of the navigation menu there is a search field. Here you can search your encrypted mailbox. As all data on the Tutanota servers is encrypted, a search index has to be created that is stored encrypted on your device. Find more details on how our innovative search feature for encrypted data works. Shortcut for search: Click F. Simply enter your search query into the search field. When you are searching your mails, you can click on any offered search result. This will take you to a more detailed search mask. You can define the time from - to, the field, and the folders that should be searched.
  Please note: You can only search emails and contacts, thus, the search field is not shown when you are browsing the 'Settings' of your mailbox.
• Click the three lines to the right to see all menu options. The menu items 'Emails', 'Contacts', 'Settings', and 'Premium' are explained further down.
• If you click on 'Invite' a pre-written mail in Tutanota opens, which you may use to invite your friends to join Tutanota. Please do so! :)
• If you click on 'Community', our website opens here in another tab and you can check out how you can get involved and support our open source project.
• If you click on 'Logout', you log out. Please note: If you have previously saved the password, you are now logged out, but the password is still saved in your browser. To 'unsave' the password, please log out. The login screen appears, click on 'More' and 'Delete credentials'.

To search your encrypted mailbox, simply click on the top search field or press Ctrl+F.

When you press enter, Tutanota takes you to a more detailed search mask. The free search feature goes back one month into the past.

The detailed search mask lets you specify the time frame which should be searched (one month for free users). The unlimited search feature also lets you filter your search, e.g. who sent the email, to whom did you send the email, was the search query contained in the subject or in the body, what folder should be searched.

As all data in Tutanota is encrypted, using our innovative search feature causes a lot of traffic. This is why unlimited search is only available to paying users. Learn here how you can benefit by going Premium for only €1 per month.

If you own one or more domain names that you want to use with Tutanota, you can add these domains to your Tutanota Premium or Pro account. Afterwards you can add email aliases and additional user accounts for your family or company with this domain.

To use your own domain, a Tutanota Premium account is required. You can upgrade your existing, free Tutanota account by clicking on "Premium" in the top menu. If you don't have a Tutanota account, you can register here.

After upgrading you are the admin of your Tutanota Premium account. An additional input field will appear under 'Settings' -> 'Global settings' -> 'Custom email domain' where you need to enter your domain. Activate it by confirming the activation button.

This activation process is only successful if you have configured your MX and SPF records for your domain correctly. The MX record is necessary to relay emails for your domain to the Tutanota servers. The SPF record marks the Tutanota server as valid sender of emails from your domain. You need to configure the following DNS records in the settings of your domain name provider:

MX mail.tutanota.de
TXT v=spf1 include:spf.tutanota.de -all

Depending on your domain hoster, it could also look like this:
HOST NAME:
@ mail.tutanota.de
HOST NAME IP ADDRESS / URL RECORD TYPE
@ v=spf1 include:spf.tutanota.de -all TXT Record

Please note that changes to your DNS records are not immediately available, but can take a few hours to become active. You can check your DNS settings here.

After you have successfully activated your domain, you can add an email alias or create a user under 'Settings' -> 'User management'.

What do I do if activation fails?

Please verify your DNS SOA entry if the activation of your custom domain still fails. We use the SOA entry for detecting your main DNS server. Therefore, the SOA entry must point to a valid name server.

1. Register a Tutanota Premium account here. This will be your initial administrator account. Once you have added additional accounts to your initial administrator account, you can mark all - or just some - as admin accounts. Your administrator account(s) can configure all general settings and manage user accounts, e.g. reset user passwords. As we at Tutanota can not reset passwords, we recommend to have at least two admin accounts. This way you can reset each others password in case you lose one.
2. Add your domain in "Settings" -> "Global settings" -> "Custom email domain". There you will also find instructions on how to configure your MX DNS entries first in order to route incoming SMTP emails to the Tutanota email servers.
3. Add user accounts (i.e. mailboxes) for your domain in "Settings" -> "User management". If you have a large number of users, you can import a CSV file containing user name, email address and optionally the user password. This is useful to automatically create all user accounts in one step.
4. Provide the user passwords to the users, so they can log in into their mailboxes.

Email encryption is needed whenever you want to send a confidential email. That is whenever your emails contains personal information that should not become public. The following examples show the differences between end-to-end encrypted, confidential emails and emails that are not being end-to-end encrypted in Tutanota.

Alice is registered with Tutanota, Bob may be registered with Tutanota or an external recipient and Carol is not registered with Tutanota. In any case all emails (including attachments) are stored encrypted on the Tutanota servers. Independent of the end-to-end encryption, the transport between client and Tutanota servers is secured with SSL and DANE to maximize security. You can check here how to install the DANE browser add-ons.

Sending and receiving end-to-end encrypted emails
The email is encrypted on Alice' client, stored encrypted on the server and can only be decrypted by Alice or Bob.

Sending non-confidential emails
The email is sent via SMTP to the recipient. Still, the sent email is encrypted for Alice on the server and then stored.

Receiving non-confidential emails
When the SMTP email is received by the Tutanota server, it is encrypted for Alice and then stored on the server.

Updating WebView is usually as simple as installing an app. For devices with Android older than N (7), this is usually the app called Android System WebView, which you can download from the PlayStore here.

Additional optional settings changes

The Android N default WebView is usually tied to the Chrome browser. If you don't want to install Chrome, you can install another provider and later select another WebView implementation in the developer settings.

To enable developer settings:

• Open up your Settings app.
• Scroll all the way down to find “About Phone” (or “About Tablet”)
• Scroll down again and find the entry with the Build number.
• Start tapping on the “Build number section”, Android will now pop up a message informing you that in x amount of clicks you will become a Developer. Keep tapping until the process is complete.

Some of the apps providing WebView are:

• Lynket Browser.
• Chromium.

Note for LeEco device owners: LeEco made changes to some devices which prevents changing WebView. We don't know of a workaround, yet. We recommend using the web browser to access your Tutanota mail account.

Depending on the width of your browser Tutanota displays your folder list, your mail list, and the selected mail.

• To add folders, please click the plus symbol in the left folder view. A pop-up opens where you can enter the folder name. The newly created folder will be sorted alphabetically under 'Your Folders'. You can add as many folders as you need.
• To edit this folder later, click on the folder. Then click the symbol with the three dots next to the folder. You can 'Rename' this folder, or 'Delete' it.
• Please note: If you delete a folder all mails are immediately physically deleted. Make sure to have selected the right folder before hitting 'Delete'.
• If you are in the 'Trash' or 'Spam' folder, you can click the 'empty folder' symbol next to the folder to completely empty this folder. When you click this symbol, all mails are physically deleted. Physical deletion means that these mails can never be restored, not by you, not by us. They are wiped from our servers.
• Spam folder: Tutanota automatically puts suspected spam into this folder. If you delete a mail from this folder, it does not go to Trash, but it is physically deleted.

• You can use multi-select on desktop (press Shift or Ctrl while selecting and deselecting specific mails) and mobile (activated by a long press).
• You can move all selected mails with drag & drop to any folder.
• You can click the symbols displayed to the right: 'Move', 'Delete', or the three dots. When you click the three dots, you can choose one of the following options: 'Mark unread', 'Mark read' or 'Export'.
• In the Tutanota app you can move a mail left, then it goes to Trash. If you move a mail right, it goes to Archive.

When you select an email, these options show up to its top.

• For writing a new email, simply click the red pen symbol in the down right corner. Shortcut: Click N.

• The top email menu has the following options:

  • Arrow left = reply - Shortcut: Click R.
  • Double arrow left = reply all - Shortcut: Click ⇧ + R.
  • Arrow right = forward
  • Folders symbol = Move this email to a folder. When you click this symbol, a folder list opens where you can choose a folder to move the email to. You can also move a mail with drag & drop in a browser or with sliding left and right in the apps.
  • Delete symbol = The email is moved to Trash.
  • Three dot symbol = You can mark the email unread or export it.

• If you want to print an email as pdf, you can use the browser function for printing.

• In an opened email, you can click the sender. A pop-up opens where you can show and edit this contact in your address book.
• You can also click on 'Add inbox rule' (Premium feature) or 'Add spam rule' so that future mails from this contact are automatically moved to a specific folder.

• As a Premium user you can also click 'Add rule' to send all new emails from this sender to a particular folder. Find more details on 'Inbox rules' under section 'Email'.

Sending of emails

Condensed email window.

• Click on the red pen symbol in the down right corner to compose a new email.
• When you enter an email address into the 'To'-field, Tutanota shows you the preview of matching email addresses from your address book. You can hit 'Enter' to choose the first email address shown or you can keep on typing.
• Once you have entered an email address in the 'To'-field, the 'Confidential'-button appears in the 'Subject' line. Click on it to send this mail not end-to-end encrypted. You may also switch the default to encrypted/not-encrypted here in your Settings→ 'Default delivery'. Emails to other Tutanota users are always end-to-end encrypted; there is no option to disable this.
• Below the recipient's email address of an encrypted mail, you enter the 'Password' for the recipient, which you need to share with your recipient via a different channel.
• Attach files by clicking on the file symbol in the subject line or by using drag & drop.
• Write your email like you are used to from other webmail services. When you click 'Send', Tutanota automatically encrypts subject, body and attachments for you.

Enlarged email window.

• Click on 'Show' in the 'To' field to enlarge/reduce the options shown. After enlarging it, you can enter Cc- and Bcc-recipients.
• If you have added an alias in 'Settings', you can also change the email address you want to send from by clicking on the pen symbol next to the 'Sender' email address. You can change the default sender here in your Settings→ 'Default sender'. This makes your alias the default sender, the Tutanota address will still remain the main account address (name in tab) which can't be changed.
• External recipients of an end-to-end encrypted email receive a notification mail from your Tutanota email address. You can choose the language of this notification email by clicking on the pen symbol on the right (in this screenshot: English is chosen).

Go here in your Settings. You can choose whether emails to external recipients should be encrypted by default ('Confidential') or if you need to click on the lock symbol when composing an email to encrypt it ('Not confidential' = unencrypted by default). Emails to other Tutanota users are always encrypted by default.

When sending an encrypted email to an external recipient, you need to specify a password when composing the email.

Once set, the password will be automatically saved along with the contact in your Tutanota address book. Next time you write an email to that recipient, you simply specify the email address and Tutanota automatically enters the password. The password needs to be exchanged via a second channel.

The external recipient

• receives a notification email with a link to Tutanota (browser opens up),
• enters the exchanged password,
• can read the automatically decrypted email, reply confidentially, export all exchanged messages and save them locally.

Note: The link within the notification email contains a salt which is needed for decryption along with the password. Thus, someone who wants to intercept your encrypted messages needs the exact link and the password. (An old link gets deactivated as soon as you send a new email to the same email address.)

As a Premium or Pro user, you can add aliases to your account. You can also add additional alias packages. Refer to our pricing page for details.

Go here in your mailbox→ 'Email aliases': Click on 'Show Email Aliases'. Click on the plus symbol to add aliases. A pop-up opens where you can type the alias you want to add. Click on the three-dot button to choose the domain for your alias. This can be any of the Tutanota domains or of your own domains that you have added to your Tutanota account.

Please note: Aliases with a Tutanota domain can only be disabled, but not removed. Deactivated aliases must remain linked to your account in case you want to activate them again in the future. When you are using your own domain with Tutanota, you can delete aliases with your own domain and create new ones.

You can change the default sending address to your own domain alias (or any other alias) by changing the default sender here in your mailbox→ 'Default Sender'. This will make your alias the default sender. However, the main address of your Tutanota account (name in tab) will remain unchanged.

Spam detection in Tutanota is multi staged. For incoming unencrypted SMTP emails the received email is checked against DNS blacklists first. In a second stage we filter emails by executing content checks and mark emails as spam or not. Emails that have been marked as spam will be moved to the spam folder of your mailbox. In a third stage we filter spam on the base of user defined email sender lists. This list provides the possibility to classify email addresses as spam (blacklist) or explicit not as spam (whitelist). The check is active for all incoming emails and can be configured by the administrator. The rules are valid for all users.

As administrator for a Tutanota account you can configure the email address list here in Settings.

Please click on the sender's address to assign the email address or domain with one of the following spam rules:

• No spam - Emails from this sender email address are always stored in the inbox.
• Always spam - Emails from this sender email address will always be stored in the spam folder.
• Discard - Emails from this sender email address will be silently discarded. The sender does not get any information about it.

The "No spam" rule has a higher priority than "Always spam" and "Discard" has the lowest priority. Furthermore you are able to define rules based on a domain instead of a single email address. Rules defined for a domain have a lower priority than rules for an email address.

Rules for domains are restricted. You are not able to assign the rules "Always spam" and "Discard" to Tutanota domains, neither to your custom domains.

• Each time you send a mail to a new email address, this address is automatically saved to 'Contacts'. This can be changed here → 'Create contacts'.
• Select a contact and you will get the option to edit (pen symbol to the right) or delete (trash symbol to the right) this contact. You can also send an email to this contact by clicking on the mail button next to the contact's email address.
• You can add new contacts by clicking on the plus symbol in the down right corner. When you create a contact, you can enter all necessary information (see screenshot below).
• The three dot button next to 'All contacts' allows you to import or export contacts via vCard and to merge contacts automatically.
• You can also merge contacts manually: Press Ctrl while selecting two contacts that should be merged. At the top right two buttons appear: 'Delete' and 'Merge'. Click 'Merge' to merge the selected contacts.
• Contacts are sorted alphabetically according to their email address.
• Your entire address book is encrypted, thus, no one can access your contact database stored in Tutanota.

Create contact view.

'Login' shows you several info items about your Tutanota account.

• 'Login credentials': You can check your email address and your password. When clicking on the pen symbol next to 'Password', you can change your current password to a new one. Please write it down somewhere safe as we can't reset passwords.
• 'Second factor authentication': Click the plus symbol to the right to add a second factor. Tutanota supports U2F and TOTP for 2FA. Once added all second factors are displayed here. You can delete them by clicking the cross symbol next to each added key.
• Activate session handling to see who has accessed your Tutanota account. This information is stored encrypted and automatically deleted after one week.
• 'Active sessions': This shows you the IP address currently being logged in to your account. We only store client and IP addresses encrypted so no one but yourself can access this information. Here you can remotely close sessions, for instance when you have lost your mobile phone and you are still logged in on your phone.
• 'Closed sessions': Click on 'Show' to see from where you have logged into your account recently. This lets you check whether someone else tried to access your Tutanota account.

Here you can configure how you want to send your mails.

• 'Default sender': All mails you send are being sent with this email address. If you have aliases added to your account, you can change the default sender address by clicking on the pen symbol. You can also change the sender every time you are composing an email.
• 'Sender name': This is the name displayed with your sent mails. You can change it by clicking the pen symbol.
• 'Email signature': You can either use the 'Default' signature when sending mails or by clicking the pen symbol to define your personal signature or use no signature at all.
• 'Default delivery': Click the pen symbol to decide whether new mails should be sent end-to-end encrypted ('Confidential') or not end-to-end encrypted ('Not confidential') by default. You can always change this for individual mails when writing an email.
• 'Formatting': Click the pen symbol to decide whether all mails should be sent including HTML formatting or converted to plain text.
• 'Create contacts': Click the pen symbol to decide whether contacts should be created when sending mails ('Activated') or not ('Deactivated').
• 'Search mailbox': Click the pen symbol to decide whether the search feature for your encrypted mailbox should be 'Deactivated' or 'Activated'. Please note: Search in Tutanota needs to be handled locally on your device as all data on our servers is encrypted. Thus, enabling search consumes memory on your device and might consume additional traffic.

• 'Email aliases': Click on 'Show Email Aliases' to add alias email addresses or activate/deactivate existing aliases. Click on the plus symbol to add aliases. A pop-up opens where you can type the alias you want to add. Click on the three-dot button to choose the domain for your alias. This can be any of the Tutanota domains or of your own domains that you have added to your Tutanota account. Before doing this, you need to upgrade to Premium or buy an alias package. Please note: Aliases with a Tutanota domain can only be disabled, but not removed. Deactivated aliases must remain linked to your account in case you want to activate them again in the future. When you are using your own domain with Tutanota, you can delete aliases with your own domain and create new ones.

• 'Inbox rules' (filter): Click on 'Show Inbox Rules' and then on the plus-button. A pop-up with three options opens: 'Field', 'Value' and 'Target folder'.

  • Field: Click on the pen symbol to define what field should be used for the inbox rule 'Sender', 'To recipient', 'Cc recipient', 'Bcc recipient', 'Subject contains', or 'Header contains'.
  • Value: You can enter text such as an email address, a domain name or required content of the subject or header. Refer to ‘Login, Shortcuts & header info’ to learn how to view the header of an email in Tutanota.
  • Target folder: Click the pen symbol to define what folder the specified mails should be moved to automatically upon hitting your inbox. Before being able to add inbox rules, you need to upgrade to Premium.
• 'Notifications': Click on 'Show' and the plus symbol. A pop-up opens where you can enter an email address that should be notified once a new mail arrives in your Tutanota mailbox.

Push notifications

• Tutanota allows you to receive push notifications via other email addresses and via its Android and iOS apps. Push will be sent to your phone even when you are not logged in.
• To manage what email addresses and mobile devices should (or should no longer) receive push notifications, click here→ 'Notifications'.
• You can also allow your browser to send push notifications for Tutanota in your browser settings, but only when your are logged in.

In 'User management' you can manage your account details. If you are using Tutanota Premium, you can also add and manage additional users.

• Click the plus symbol in the down right corner. A pop-up opens where you can enter the 'Name' of the user, his 'Email address' and a 'New password' for logging in.
• Please note: Each user gets their own mailbox and login so each user costs extra. If you simply want to add another email address, you can also add it as an alias which is already included in the Premium package.

• Click the user you want to manage to see all available 'User settings'.
• Click the adequate pen symbol to change the 'Sender name', the 'Password', the 'Global admin' status (Yes/No), 'Administrated by' (Global admin/Local admin), and the 'Status' of this user (Activated/Deactivated).
• Global admins can access the user management and change the passwords of users that they have added to their Premium account. Local admins see only the users that they have been assigned to administrate. They can manage these users, including changing their passwords. Changing of passwords only works within one Premium account. We at Tutanota have no access and cannot reset passwords.

• 'Second factor authentication': Click the plus symbol to the right to add a second factor for this user. Tutanota supports U2F and
  TOTP for 2FA. Once added all second factors are displayed here. You can delete them by clicking the cross symbol next to each added key.
• 'Groups': Click on the plus symbol to add this user to a group. Refer to 'Groups: Local admin' to learn how to set up a group.
• 'Contact forms': Click on the plus symbol to add this user to a contact form. Refer to 'Contact forms' to learn how to set up a contact form.
• 'Email aliases': Click on 'Show Email Aliases' to add alias email addresses or activate/deactivate existing aliases. Please note: Aliases with a Tutanota domain can only be disabled, but not deleted. When you are using your own domain with Tutanota, you can delete aliases with your own domain and add new ones.
• 'Notifications': Click on 'Show' and you will see all email addresses and the IDs of mobile devices (via the Tutanota app) that receive push notifications about new mails received in the mailbox of this user. You can delete an entry if you do not wish to receive notifications to a particular email address or mobile device anymore.

• 'Spam rules': Click on 'Show' to show all defined spam rules. Click the plus symbol to add rules. You have the option between 'No spam', 'Always spam' or 'Discard' depending on a specified email address or domain name. Please find more details on the configuration of spam blacklists and whitelists in our FAQ.
• 'Custom email domains': Click on 'Show' to show all added custom domains. Click the plus symbol to add your custom domains. You can add as many domains as you need. Details on using custom domains with Tutanota in our FAQ. Next to each custom domain is a three dot symbol. When you click it, you can 'Set a catch all mailbox' or 'Delete' this domain. If you select 'Set a catch all mailbox', you have to choose which email address catch-all mails should go to. This is usually your main admin, but can be any user that you have added to your Premium account. All emails that are being sent to your own domain that do not match any existing email address will be delivered to the catch-all mailbox.
• 'Security': By Clicking the pen symbol, you can force your users to change their password after an administrator has reset the password. Please note: Only administrators of Premium accounts can reset passwords of their own users, e.g. all users of a custom domain. Tutanota as the mail service provider cannot reset your passwords for security reasons.
• 'Audit log': This log is only visible to admins of Tutanota Premium accounts. It contains important administrative actions, e.g. if you have added a second factor to one of your user accounts, or if you have changed the password of one of your user accounts.

• Click on the pen symbol to activate whitelabel (€2 per user/per month). When you order the whitelabel feature, you can activate the Tutanota login at your own domain (a subdomain), change the look of Tutanota according to your needs (e.g. Corporate Identity) and create secure contact forms for your clients.
• 'Whitelabel domain': Click the pen symbol to activate the whitelabel feature for your own domain. A pop-up shows up where you have to enter the following information (shown in the screenshots):

• Choose a subdomain of your own domain, at which you would like to reach the Tutanota login. This must be a subdomain, a main domain is technically not allowed. Set the CNAME DNS entry for that domain to point to login.tutanota.com. Keep in mind that the DNS changes may take a while until propagated.
  • Enter this subdomain under 'Whitelabel domain'.
  • 'Certificate type': Click on the pen symbol and choose 'Automatic (Let's Encrypt)'. Certificates for your domain will be issued and updated automatically.

• Choose a subdomain of your own domain, at which you would like to reach the Tutanota login. This must be a subdomain, a main domain is technically not allowed. Set the CNAME DNS entry for that domain to point to login.tutanota.com. Keep in mind that the DNS changes may take a while until propagated.
  • Enter this subdomain under 'Whitelabel domain'.
  • 'Certificate type': Click on the pen symbol and choose 'Manual'. You need to get and update certificates for your own domain manually.
  • Upload your domain's SSL certificate chain and
  • your domain's private key to enable the Tutanota login at your domain. Both must be provided in PEM format (base64 encoded).

Customizations

• 'Custom logo': Click the pen symbol to upload your logo. It will be shown in the top left corner (38x280 pixel) when you load Tutanota at your own domain.

• 'Custom colors': Click the pen symbol to set the colors according to your own corporate design. If you don't set a color, the default color from the Tutanota style sheet will be taken.
• 'Custom meta tags': Click the pen symbol to enter a meta tag.
• 'Link to imprint': Here you can add a link to your Imprint.
• 'Link to privacy policy': Here you can add a link to your Privacy Policy.

Now you can open your custom domain in your browser and see the Tutanota login with your customizations.

When you order the whitelabel upgrade for your Premium account you can activate the Tutanota login on your own domain (a sub-domain), change the look of Tutanota according to your needs (e.g. corporate identity) and create contact forms for your clients. If you send confidential messages to external recipients, those recipients are also directed to your whitelabel domain.

Complete list of possible customizations:

• Set custom logo (displayed on your whitelabel domain instead of the Tutanota logo).
• Set custom colors (displayed on your whitelabel domain).
• Set custom meta tags for the Tutanota app on your whitelabel domain, like title and social media texts.
• Set a custom imprint link (displayed in the "More" menu on the login page of your whitelabel domain instead of the Tutanota imprint link).
• Set a custom notification email text for external recipients (coming soon).

Preconditions for applying the whitelabel feature:

• You need your custom whitelabel domain. This must be a subdomain. A main domain is technically not allowed. It is also not allowed to add an email domain as whitelabel domain.
• You need a valid SSL certificate for your whitelabel domain and you need to make sure to update it in Tutanota before it expires.

This is how you can setup your whitelabel domain:

1. Choose a subdomain of your own domain, at which you would like to reach the Tutanota login.
2. Set the CNAME DNS entry for that domain to point to login.tutanota.com. Keep in mind that the DNS changes may take a while until propagated.

3. Enable the Tutanota login at your domain by uploading your domain's SSL certificate chain and private key here in your Tutanota Settings - Whitelabel. Both must be provided in PEM format (base64 coded). The private key file content must start with the line "-----BEGIN RSA PRIVATE KEY-----" or "-----BEGIN PRIVATE KEY-----". The certificate file content must start with the line "-----BEGIN CERTIFICATE-----". In order to create a certificate chain from individual certificates create a file in a text editor. Then first copy your domain's certificate into that file and below that certificate any intermediate certificate or certificate bundle that was provided to you in addition to you certificate file. Your certificate chain file might then look like this:

   -----BEGIN CERTIFICATE-----
   (Your SSL certificate, e.g. from your_domain_name.crt)
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   (Your intermediate SSL certificate, e.g. from intermediate.crt)
   -----END CERTIFICATE-----

4. Optionally upload your custom logo to be shown when you load Tutanota at your own domain.

5. Optionally configure your custom colors to be used in Tutanota when you load Tutanota at your own domain.

Now you should be able to open your custom domain in your browser and see the Tutanota login with your own logo and own colors. Additionally you may now order and setup contact forms ("Settings" -> "Contact forms") which allows you to be contacted confidentially.

Please note that your whitelabel customizations will not be visible in the mobile apps.

Contact forms allow you to be contacted confidentially as all messages are automatically end-to-end encrypted.

Create a new contact form

• Click the plus symbol in the down right corner. A pop-up shows up which lets you create a new contact form.

• 'Receiving mailbox': Click the user symbol (left) to select one user who should receive all emails sent via the contact form.
• 'Responsible Persons': If you do not enter anything here, contact requests can be passed on to all users on your domain by the receiving mailbox.
• 'Path': Enter a path to the link where your contact form should be displayed.
• 'Language': Click the three-dot symbol to add another language to your contact form (i.e. French, German, Spanish). Visitors of your website will automatically see the language defined in their browser settings. Once you have added another language, a cross symbol appears so that you can delete any language you do not need anymore.
• 'Page title': Enter a title for your contact form to be displayed on the website. A page title needs to be entered for all added languages.
• 'Header', 'Footer', 'Help page': You can enter three different text fields either in rich text format or as HTML source code. You can switch between rich text and HTML by clicking on the pen symbol to the right. The entered text will be displayed on the contact form on your website.

Manage existing contact forms

• Click the contact form you want to manage.
• Click the pen symbol to the right to edit this form. The pop-up shown above opens. You can manage all fields described under 'Create a local admin group'.
• Click the copy symbol to copy this form. A new contact form pops up where you can change all required fields shown under 'Create a local admin group'. At least the 'Path' and the 'Receiving mailbox' must be changed as the new form must have its own web link and its own recipient.
• Click the delete symbol to delete this contact form.
• Click the Export button further down to export a CSV log of all contact form requests in a given period of time.

• The global admin can create a local admin group to add as well as manage administrators of users and contact forms. Please refer to 'Create a local admin group' for details.
• The user who creates another user or contact form becomes the administrator of the created entity. More precisely, the admin group in which the user is member will become the admin of the entity. If the user is a global admin, then the entity is administrated by the global admins. If the user is a local admin (i.e. member of a local admin group), then that local admin group becomes the admin.
• The global admin can change the administrator of a user by selecting a local admin group under 'Administrated by'.
• Local administrators only see those users and contact forms that they administrate.
• Even if an entity is administrated by a local admin group, the global admins can still administrate the entity.
• A contact form is always administrated by the administrator of its receiving mailbox. So if a global admin changes the receiving mailbox of a contact form, the admin of this user mailbox becomes the administrator of the contact form.

• Click on 'Upgrade' to upgrade your free Tutanota account to Premium or Pro. Look at the screenshot below to view the upgrading process.

Once upgraded you can add 'Extensions':

• Please note: When you want to downgrade back to the free version, you have to disable all these extensions as they are only available to paying Tutanota users. This means, for example, that all your aliases must be deactivated. They will still be linked to your account so that you can reactivate them when you upgrade again at a later stage.
• 'User accounts': You can manage your current user by clicking on the pen symbol or you can add more users to your account by clicking on the plus symbol.
• 'Storage capacity': Click on the pen symbol to add another storage package to your account.
• 'Email aliases': Click on the pen symbol to add another alias package.
• 'Groups': Click on the plus symbol to add a local admin. Refer to 'Local admin' to learn how to set up a group.
• 'Whitelabel': Click on the pen symbol to add the whitelabel feature to your account. This allows you to customize your account: login via your website, add custom logos & colors.
• 'Contact forms': After adding whitelabel, you can also add a contact form to your website. This allows visitors of your website to directly get in touch with you via Tutanota's end-to-end encrypted contact form.
• 'Delete Account': Here you can delete the account. Your email address and aliases will be deleted and can't be reactivated. If you want to use your Tutanota email addresses in another account, it is important to enter the 'Take over email address' here. Then you can add the deleted email addresses to the stated Tutanota take over email account.
• Downgrade back to Free: You can unsubscribe from Premium here. Next to 'Subscription', click the pen icon and select the Free plan.

• Choose whether you are using Tutanota for 'Private' use or for 'Business' use. This differentiation is necessary for tax regulations.
• Choose whether you want to pay 'Yearly' or 'Monthly'. When you choose 'Yearly', you get two months for free.
• Click on 'Select' of the package you want to upgrade to. This takes you to the payment procedure.

• Choose your payment method: Credit card or PayPal. Note: When choosing Tutanota for Business, you can also pay via invoice. The invoice will be sent to your Tutanota account and must be paid within two weeks time. In case of no payment being made, two reminders will be sent before the account is closed.
• Enter you payment details.
• Choose your country of residence.
• Click 'Next'.

• Once all payment data is entered, a booking summary will be shown.
• Check the summary and click 'Buy' to complete your order.

• Click the plus symbol in the down right corner. A pop-up shows up. The group type can be chosen as 'local admin'. Choose 'Local admin' if you want one of your users (e.g. a project manager) to administrate all users working on this particular project. Set a name for this group. Click OK. You have created a local admin group. Refer to 'Manage an existing local admin' to find out how to add users to this group.

• Click the local admin you want to manage. To the right you have several options to manage this group:
  • 'Name': Click the pen symbol to change the name of the group.
  • 'Administrated by': Local admin groups have to be administrated by a Global admin.
  • 'Status': Click the pen symbol to activate/deactivate this group.
  • 'Group members': Click the plus symbol to add as many group members as you like. This should be at least one as the Group member is the local admin of all added administrated groups/users.
  • 'Administrated groups': This list contains all users administrated by the local admin(s) added under 'Group members'.
  • Log in with the group member account (here: Bob) to see all Setting options of the local admin.

Manage users

• Go to Settings → User management. You can see all users that this local admin administrates. Please refer to section 'Manage an existing user' to see all available administrative options.

Manage groups

• Go to here in Settings .
• Click the local admin you want to manage.
• Manage a local admin: To the right you have several options to manage this local admin. The local admin has less options compared to the global admin who originally set up this group. You can see this by comparing the local admin options with 'Manage an existing local admin' (global admin options).
  • 'Name': Click the pen symbol to change the name of the group.
  • 'Status': Click the pen symbol to activate/deactivate this group.
  • 'Group members': Click the plus symbol to add as many group members as you like. This should be at least one as the Group member is the local admin of all added administrated groups.
  • 'Administrated groups': This list contains all users administrated by the local admin added under 'Group members'. The local admin cannot add anything here.

Windows: Double-click on the Tutanota app and follow the instructions on your computer.

Mac: Move the installer inside the directory you would like the app to be located in and double click it to extract.

Linux: After download, right click the AppImage and give it execute permission. Alternatively, run chmod +x tutanota-desktop-linux.AppImage from a terminal window. Now you can run the App like any other executable, no further installation required. You may want to let it integrate itself with your desktop and app launcher.

Windows: Go to Settings -> Desktop -> set "Default Email Handler" to "Registered". Then hit the Windows key, type "default" and choose "Default App Settings". In the settings window, choose "Tutanota Desktop" in the email row.

Mac: Go to the Settings -> Desktop -> set "Default email handler" to "Registered".

Linux: This depends on your distribution. Please refer to the relevant documentation. Useful keywords are mailto handler, protocol handler

On all platforms, you may have to tell applications like your internet browser to use the system default mail app.

Sometimes the browser does not recognize the newly installed Tutanota desktop client as the default mailto app. If clicking a mailto-link does not open an email in the desktop client, please make sure that the Tutanota desktop client is activated as the default email app in your system settings as described above.

If everything is set up correctly, these instructions might help to troubleshoot:

Firefox

• Enter "about:preferences" in the address field.
• Go to "Applications" -> mailto set to "Tutanota Desktop" or "Standard"
• Enter "about:config" in the address field
• Set "network.protocol-handler.expose.mailto = true"
• Set "network.protocol-handler.external.mailto = true"

Chrome

• Enter "chrome://settings/handlers" in the address field
• Deactivate all handlers for emails

The Tutanota desktop applications for Linux, Windows, and Mac OS are signed. The signatures make sure that the desktop clients as well as any updates come directly from us and have not been tampered with. Upon every update, the desktop client automatically checks that the signature is valid.

You can verify the authenticity of your manually downloaded installer with the OpenSSL utility yourself as well. It should be installed on most Linux and Mac systems, but needs to be added to Windows, you can get OpenSSL via this link.

The installer signatures are provided as separate files:

• Signature for Windows
• Signature for Mac
• Signature for Linux

For further details, please refer to GitHub, lines 12 to 21.

Windows: Hit the windows key, type "apps", choose the entry "Apps & Features". In the settings window, search for "Tutanota Desktop". Click it and then click the "Uninstall" Button.

Mac: Move the file you extracted during installation and that you used to start Tutanota Desktop to the trash. To remove the app cache as well, you need to delete the directory ~/Library/Application Support/tutanota-desktop/, for example via the terminal:

cd ~/Library/Application\ Support/
rm -r ./tutanota-desktop

Linux:

• Delete the AppImage, then delete the file ~/.local/share/applications/appimagekit-tutanota-desktop.desktop and the directory ~/.config/tutanota-desktop/ if they're present.

• If you want to remove the icons, too, open a terminal window and type

  cd ~/.local/share/icons/hicolor/
  ls **/*/appimagekit-tutanota-desktop.png
  

• Make sure the output only lists tutanota-desktop image files, then type

  rm  -i **/*/appimagekit-tutanota-desktop.png