We recommend setting up 2FA because of its security benefits. Learn in our online security guide how 2FA helps you to keep your emails safe from hackers.
Registering your second factor
Tutanota currently supports the following second factor types:
Second factors can be added by administrators and users, but only admins can remove assigned second factors.
Note: If you lose your second factor, you will no longer be able to login to your account. To prevent this, you can add multiple second factors. Additionally, please note down the recovery code shown to you when adding a second factor.
Authenticating with your second factor
During login you have to authenticate with one of your second factors. Alternatively, you may also accept that session from another logged in client. If your browser does not support the second factor you had registered, you can only accept the session from another client.
How to reset your second factor if you lose it
For resetting your second factor, you will need your personal recovery code and your password. You can view and also update your recovery code in Settings -> Login.
If you have lost your second factor, click on More -> Lost account access on the login page. There you will have to enter your recovery code as well as your password to delete all your second factors.
When you create a new Tutanota account, our secure password reset feature empowers only you to reset your account yourself. Please make sure that:
In case you can't login to Tutanota, please make sure that:
We do not know your password and can't modify your second factors. However, there are different ways on how to regain access to your mailbox in case of a lost password or a second factor.
Administrator is available
If you are a member of an organization or a business: Ask your administrator to reset your password. Each administrator can reset the passwords of other users and admins. If you want to make sure to never lose your paid account, it's best to have at least two administrators.
Recovery code is available
Your recovery code is your personal code to resetting your account. If you did write it down when you created your account, you can reset your password or second factor using your personal recovery code by clicking on More > Lost account access on the login page.
You can view and also update your recovery code in Settings > Login. You can also find more information on this secure reset feature on our blog.
With 2FA enabled, you will need 2 out of 3 to reset your Tutanota account:
Click here to reset your password. You will need your second factor (if 2FA enabled) and your recovery code.
Click here to reset your second factor. You will need your login password and the recovery code.
Please note: If you lose your password and your second factor, there is no option to reset your Tutanota account with the recovery code.
To search your encrypted mailbox, simply click on the top search field or press F.
When you press enter, Tutanota takes you to a more detailed search mask. The free search feature goes back one month into the past.
The detailed search mask lets you specify the time frame which should be searched (one month for free users). The unlimited search feature also lets you filter your search, e.g. who sent the email, to whom did you send the email, was the search query contained in the subject or in the body, what folder should be searched.
As all data in Tutanota is encrypted, using our innovative search feature causes a lot of traffic. This is why unlimited search is only available to paying users. Learn here how you can benefit by going Premium for only €1 per month.
Please note: You can only search emails and contacts, thus, the search field is not shown when you are browsing the 'Settings' of your mailbox.
If you own one or more domain names that you want to use with Tutanota, you can add these domains to your paid subscription of Tutanota. The setup wizard for your custom email domain will guide you through the process in just four small steps. In each step the wizard will explain, which configuration changes you have to make. If you don't have a Tutanota account, you can register here.
The setup wizard for your custom email domain can be found in 'Settings' -> 'Global settings' -> 'Custom email domains' by clicking the '+' button.
In order to send and receive emails with your custom domain in Tutanota, you need to configure the following types of DNS records in the settings of your domain name provider. Prior to configuring those DNS records the wizard will allow you to create new users or email aliases for your custom domain in order to have a smart switch to receiving emails in Tutanota.
The exact values that these DNS records should point to will be shown to you in the setup wizard.
The MX record is necessary to relay emails for your domain to the Tutanota servers. The SPF TXT record marks the Tutanota server as valid sender of emails from your domain. The _domainkey and _dmarc records make sure your emails are signed with DKIM and sender spoofing of your domain's email addresses can be detected automatically by the recipient mail servers. The MTA-STS records make sure that transport encryption and authentication is used between different mail servers.
Tutanota will indicate if the DNS records are fine for all your domains or if there is something that has to be changed.
Please note that with some domain name providers it may take up to a few hours before changes to your DNS records become visible for other mail servers. You can check your DNS settings here.
Please note that we do not support email import, yet. We plan to enable import in the coming months. For now, we recommend to keep your old mailboxes as a reference when moving to Tutanota from another provider.
On our business site, there is a summary of all available features of Tutanota's secure business emails.
To book the encrypted contact form Secure Connect, you need to:
When someone starts to communicate with you via the encrypted contact form Secure Connect, the entire communication will be encrypted end-to-end. Encryption takes place locally in the browser so that no third party - not even we as the provider of Secure Connect - can access this information.
Here is how to start an encrypted communication channel via Secure Connect:
While sending the encrypted message via Secure Connect, Tutanota automatically creates a mailbox for the sender with an automatically generated email address of your whitelabel domain. The sender can login with the selected password to read your reply and also reply again. With Secure Connect an encrypted communication channel has been established that is both easy to use and secure.
Email encryption is needed whenever you want to send a confidential email. That is whenever your email contains personal information that should not become public. The following examples show the differences between end-to-end encrypted, confidential emails and emails that are not being end-to-end encrypted in Tutanota.
Alice is registered with Tutanota, Bob may be registered with Tutanota or an external recipient and Carol is not registered with Tutanota. In any case all emails (including attachments) are stored encrypted on the Tutanota servers. Independent of the end-to-end encryption, the transport between client and Tutanota servers is secured with TLS to maximize security.
Sending and receiving end-to-end encrypted emails
The email is encrypted on Alice's client, stored encrypted on the server and can only be decrypted by Alice or Bob.
Sending non-confidential emails
The email is sent via SMTP to the recipient. Still, the sent email is encrypted for Alice on the server and then stored.
Receiving non-confidential emails
When the SMTP email is received by the Tutanota server, it is encrypted for Alice and then stored on the server.
Updating WebView is usually as simple as installing an app. For devices with Android older than Nougat, this is usually the app called Android System WebView, which you can download from the PlayStore here.
Additional optional settings changes
The Android N default WebView is usually tied to the Chrome browser. If you don't want to install Chrome, you can install another provider and later select another WebView implementation in the developer settings.
To enable developer settings:
Note for LeEco device owners: LeEco made changes to some devices which prevents changing WebView. We don't know of a workaround, yet. We recommend using the web browser to access your Tutanota mail account.
Depending on the width of your browser Tutanota displays the left Settings menu, your folder list, your mail list, and the selected mail.
When you select an email, these options show up to its top.
The top email menu has the following options:
If you want to print an email as pdf, you can use the browser function for printing.
Sending of emails
Condensed email window.
Enlarged email window.
When writing an email you can use these text editing tools
Please use mouse-over in the web client to see what symbol represents what function. The Tutanota text editing tools enable you to embed images, add lists (bullets and numbers), change texts to bold, italics, underline, monospace, add hyperlinks, align the text left, center, right and justified, change the text size, and remove all formatting from selected text.
Go here in Settings. You can choose the 'Default delivery': Encrypted ('Confidential') or not encrypted ('Not confidential'). You can also switch whether an email is encrypted or not when composing the email by clicking on the lock symbol. Emails to other Tutanota users are always encrypted by default.
When sending an encrypted email to an external recipient, you need to specify a password when composing the email.
Once set, the password will be automatically saved along with the contact in your Tutanota address book, which makes your encrypted address book the password manager for your external contacts. Next time you write an email to that recipient, you simply specify the email address and Tutanota automatically enters the password. The password needs to be exchanged via a second channel. If you would like to change the password, you can either do this within the contacts view or when composing a new email to this external recipient.
The external recipient
Note: The link within the notification email contains a salt which is needed for decryption along with the password. Thus, someone who wants to intercept your encrypted messages needs the exact link and the password. (An old link gets deactivated as soon as you send a new email to the same email address.)
If using one of the paid plans, you can add aliases to your account. You can also add additional alias packages. Refer to our pricing page for details.
Go here in your mailbox→ 'Email aliases': Click on 'Show Email Aliases'. Click on the plus symbol to add aliases. A pop-up opens where you can type the alias you want to add. Click on the three-dot button to choose the domain for your alias. This can be any of the Tutanota domains or of your custom email domains that you have added to your Tutanota account.
Please note: It is technically not possible to delete aliases with a Tutanota domain. These can only be deactivated. Deactivated aliases remain linked to your account in case you want to activate them again in the future. When you are using your own domain with Tutanota, you can delete aliases with your custom email domain and create new ones.
If you need more than five aliases, you need to buy a larger alias package here, even if the aliases are deactivated.
You can change the default sending address to your own domain alias (or any other alias) by changing the default sender here in your mailbox→ 'Default Sender'. This will make your alias the default sender. However, the main address of your Tutanota account (name in tab) will remain unchanged.
To change the alias upon sending an email, click on 'SHOW'. Then click on the pen symbol next to the sender and choose the alias you want to send an email from.
Spam detection in Tutanota is multi staged. For incoming unencrypted SMTP emails, the received email is checked against DNS spam lists first. In a second stage we filter emails by executing content checks and mark emails as spam or not. Emails that have been marked as spam will be moved to the spam folder of your mailbox. In a third stage we filter spam on the base of user defined email sender lists. This list provides the possibility to classify email addresses as spam or not as spam. The check is active for all incoming emails and can be configured by the administrator. The rules are valid for all users.
Within a received email, please click on 'Show more', then click on the From address to assign the email address, the domain, or the top level domain with one of the following spam rules:
The "No spam" rule has a higher priority than "Always spam" and "Discard" has the lowest priority.
You can set spam rules for sender addresses (highest priority), domains (lower priority), and top level domains (lowest priority). To add a spam rule for a domain, just enter the domain like xyz.com without putting an @ in front. This rule will also apply to emails sent from a subdomain. To add a spam rule for a top level domain, just put in com - for example - no dot is needed before this.
Rules for domains are restricted. You are not able to assign the rules "Always spam" and "Discard" to Tutanota domains, neither to your custom domains.
You also have the option to allow all emails. To do this, create a spam rule and put in an asterisk * where you would usually put in the email address that the rule should apply to.
How to receive blocked emails.
Go to 'Settings' -> 'Global Settings' -> 'Rejected email senders' to check whether any email to your account has been blocked due to the sender being listed on a spam list. You can click 'Refresh' to refresh the list in case you are waiting for a registration email. If a blocked email is shown here, you can allow the sender so that emails from this sender will reach your inbox in the future.
'Login' shows you several info items about your Tutanota account.
Here you can configure how you want to send your mails.
'Inbox rules' (filter): Click on 'Show Inbox Rules' and then on the plus-button. A pop-up with three options opens: 'Field', 'Value' and 'Target folder'.
'Notifications': Click on 'Show' and the plus symbol. A pop-up opens where you can enter an email address that should be notified once a new mail arrives in your Tutanota mailbox.
When you order the whitelabel feature, you have two options: The whitelabel feature is already included in the Pro subscription. Alternatively, you can order it separately in your paid account. Your whitelabel domain can be any subdomain, and might look like 'secure.mycompany.com' or 'email.mycompany.com'. In order to setup your whitelabel domain you must be able to set the CNAME DNS entry of that domain.
Choose a subdomain of your own domain, at which you would like to reach the Tutanota login. This must be a subdomain, a main domain is technically not allowed. Create the subdomain by setting the CNAME DNS entry for that domain to point to login.tutanota.com at your domain hoster. The DNS entry should look like this: '< subdomain_name > CNAME login.tutanota.com'. Depending on your domain hoster you might have to set the fields 'name' to '< subdomain_name >', 'type' to 'CNAME' and 'value' to 'login.tutanota.com'. Keep in mind that the DNS changes may take a while until propagated.
Enter this subdomain under 'Whitelabel domain'.
'Certificate type': Click on the pen symbol and choose 'Automatic (Let's Encrypt)'. Certificates for your domain will be issued and updated automatically.
'Certificate type': Click on the pen symbol and choose 'Manual'. You need to get and update certificates for your own domain manually.
Upload your domain's SSL certificate chain and
your domain's private key to enable the Tutanota login at your domain. Both must be provided in PEM format (base64 encoded). The private key file content must start with the line "-----BEGIN RSA PRIVATE KEY-----" or "-----BEGIN PRIVATE KEY-----". The certificate file content must start with the line "-----BEGIN CERTIFICATE-----". In order to create a certificate chain from individual certificates create a file in a text editor. Then first copy your domain's certificate into that file and below that certificate any intermediate certificate or certificate bundle that was provided to you in addition to your certificate file. Your certificate chain file might then look like this:
(Your SSL certificate, e.g. from your_domain_name.crt)
(Your intermediate SSL certificate, e.g. from intermediate.crt)
Now you can open your custom domain in your browser and see the Tutanota login with your customizations. Please note that the customizations for your whitelabel domain are not visible in the Tutanota mobile apps and in the Tutanota desktop clients.
Secure Connect - our encrypted contact forms allow you to be contacted confidentially as all messages are automatically end-to-end encrypted.
Create a new contact form
The people making contact form requests on your website will have the option to provide their own private email address to which they will receive a notification when you respond, informing them that there is a message in their secure mailbox. To ensure that these notifications can be sent, make a TXT Record in the DNS settings for your whitelabel domain, with the value "v=spf1 include:spf.tutanota.de -all". They will still be able to communicate securely without this, but the notifications may not be received.
Manage existing contact forms
To upgrade a Free account (or downgrade from Premium to Free), please go to Settings -> Subscription -> Subscription and click on the pen symbol. Then you can pick another subscription (picture below).
Under Settings -> Subscription you can also sign the 'Order processing agreement' if you need to comply with the GDPR, switch your 'Subscription period' from monthly to yearly, check your price per year, and add more 'Extensions' or order gift cards.
Once upgraded you can add 'Extensions':
Go to Settings -> Payment to view and update your payment details.
Mac: Double-click the installer and follow the instructions on your computer.
Linux: After download, right click the AppImage and give it execute permission. Alternatively, run
chmod +x tutanota-desktop-linux.AppImage from a terminal window. Now you can run the App like any other executable, no further installation required. You may want to let it integrate itself with your desktop and app launcher.
Windows: Double-click on the Tutanota app and follow the instructions on your computer.
Enterprise mode (Windows): The desktop client can be installed on Windows in "enterprise mode" by passing the following flags to the installer:
The application may also be uninstalled silently, by passing /S to the uninstaller (in the installation directory under Program Files).
Windows: Go to Settings -> Desktop -> set "Default Email Handler" to "Registered". Then hit the Windows key, type "default" and choose "Default App Settings". In the settings window, choose "Tutanota Desktop" in the email row.
Mac: Go to the Settings -> Desktop -> set "Default email handler" to "Registered".
Linux: This depends on your distribution. Please refer to the relevant documentation. Useful keywords are "mailto handler", "protocol handler"
On all platforms, you may have to tell applications like your internet browser to use the system default mail app.
Sometimes the browser does not recognize the newly installed Tutanota desktop client as the default mailto app. If clicking a mailto-link does not open an email in the desktop client, please make sure that the Tutanota desktop client is activated as the default email app in your system settings as described above.
If everything is set up correctly, these instructions might help to troubleshoot:
The Tutanota desktop applications for Linux, Windows, and Mac OS are signed. The signatures make sure that the desktop clients as well as any updates come directly from us and have not been tampered with. Upon every update, the desktop client automatically checks that the signature is valid.
You can verify the authenticity of your manually downloaded installer with the OpenSSL utility yourself as well. It should be installed on most Linux and Mac systems, but needs to be added to Windows, you can get OpenSSL via this link.
The installer signatures are provided as separate files:
You need to activate the 'Run in background' option to receive notifications from the desktop client. This option appears in your notification area on Windows and in the Tray on Linux.
When it is active, the desktop client will not terminate when all windows are closed and instead remain in the background to provide desktop notifications in case of incoming email or calendar alarms.
If you can't see the tray icon on Linux despite the app running and the 'Run in background' option being set to 'Yes', please refer to your distribution's documentation to enable tray icons or AppIndicators. On MacOS, this option is not visible, and the dock icon is always used to provide a context menu.
Windows: Hit the windows key, type "apps", choose the entry "Apps & Features". In the settings window, search for "Tutanota Desktop". Click it and then click the "Uninstall" Button.
Mac: Right-click the Application in the Applications folder and select "Move to bin". To remove the app cache as well, you need to delete the directory
~/Library/Application Support/tutanota-desktop/, for example via the terminal:
cd ~/Library/Application\ Support/ rm -r ./tutanota-desktop
Delete the AppImage, then delete the file
~/.local/share/applications/appimagekit-tutanota-desktop.desktop and the directory
~/.config/tutanota-desktop/ if they're present.
If you want to remove the icons, too, open a terminal window and type
cd ~/.local/share/icons/hicolor/ ls **/*/appimagekit-tutanota-desktop.png
Make sure the output only lists tutanota-desktop image files, then type
rm -i **/*/appimagekit-tutanota-desktop.png