We recommend setting up 2FA because of its security benefits. Learn in our online security guide how 2FA helps you to keep your emails safe from hackers.
Registering your second factor
Tutanota currently supports the following second factor types:
Second factors can be added by administrators and "normal" users, but removed only by admins.
Note: If you lose your second factor, you will no longer be able to log in to your account. To prevent this, you can add multiple second factors and additionally note down the recovery code shown to you when adding a second factor.
Authenticating with your second factor
During login you have to authenticate with one of your second factors. Alternatively, you may accept that session from another logged-in client. If your browser does not support the second factor you had registered, you can only accept the session from another client.
How to reset your second factor if you lose it
For resetting your second factor, you will need your personal recovery code and your password. You can view and also update your recovery code in Settings -> Login.
If you have lost your second factor, click on More -> Lost account access on the login page. There you will have to enter your recovery code as well as your password to delete all your second factors.
When you create a new Tutanota account, our secure password reset feature empowers only you to reset your account yourself. Please make sure that:
In case you can't log in to Tutanota, please make sure that:
We do not know your password and can't modify your second factors. However, there are different ways to regain access to your mailbox in case of a lost password or a lost second factor.
Administrator is available
If you are a member of an organization or a business: Ask your administrator to reset your password. Each administrator can reset the passwords of other users and admins. If you want to make sure to never lose your Premium account, it's best to have at least two administrators.
Recovery code is available
Your recovery code is your personal code for resetting your account. If you wrote it down when you created your account, you can reset your password or second factor using your personal recovery code by clicking on More > Lost account access on the login page.
You can view and also update your recovery code in Settings > Login. You can also find more information on this secure reset feature on our blog.
With 2FA enabled, you will need 2 out of 3 to reset your Tutanota account:
Click here to reset your password. You will need your second factor (if 2FA enabled) and your recovery code.
Click here to reset your second factor. You will need your login password and the recovery code.
Please note: If you lose your password and your second factor, there is no option to reset your Tutanota account with the recovery code.
To search your encrypted mailbox, simply click on the top search field or press Ctrl+F.
When you press enter, Tutanota takes you to a more detailed search mask. The free search feature goes back one month into the past.
The detailed search mask lets you specify the time frame which should be searched (one month for free users). The unlimited search feature also lets you filter your search, e.g. who sent the email, to whom did you send the email, was the search query contained in the subject or in the body, what folder should be searched.
As all data in Tutanota is encrypted, using our innovative search feature causes a lot of traffic. This is why unlimited search is only available to paying users. Learn here how you can benefit by going Premium for only €1 per month.
If you own one or more domain names that you want to use with Tutanota, you can add these domains to your Tutanota Premium or Pro account. Afterwards you can add email aliases and additional user accounts for your family or company with this domain.
To use your own domain, a Tutanota Premium account is required. You can upgrade your existing, free Tutanota account by clicking on "Premium" in the top menu. If you don't have a Tutanota account, you can register here.
After upgrading you are the admin of your Tutanota Premium account. An additional input field will appear under 'Settings' -> 'Global settings' -> 'Custom email domain' where you need to enter your domain. Activate it by confirming the activation button.
This activation process is only successful if you have configured the MX and SPF records for your domain correctly. The MX record is necessary to relay emails for your domain to the Tutanota servers. The SPF record marks the Tutanota server as a valid sender of emails from your domain. You need to configure the following DNS records in the settings of your domain name provider:
TXT v=spf1 include:spf.tutanota.de -all
Depending on your domain hoster, it could also look like this:
HOST NAME | IP ADDRESS / URL | RECORD TYPE
@ | v=spf1 include:spf.tutanota.de -all | TXT Record
Please note that changes to your DNS records are not immediately available, but can take a few hours to become active. You can check your DNS settings here.
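Once the DNS change has propagated, the published TXT records can be checked against the SPF value shown above. The following is an added example, not Tutanota code: it lints a list of TXT strings (as returned by any DNS lookup tool) for the usual mistakes, and the sample records and the name lint_spf are constructed for illustration.

```python
# Added example (not Tutanota code): lint a domain's TXT records against the
# SPF value this page asks for. The sample records below are constructed.

REQUIRED_INCLUDE = "include:spf.tutanota.de"  # taken from the record shown above


def lint_spf(txt_records):
    """Return a list of problems; an empty list means the SPF setup looks right."""
    # Only TXT records whose first term is exactly "v=spf1" are SPF records.
    spf = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in spf if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no v=spf1 TXT record published"]
    if len(spf) > 1:
        # RFC 7208: more than one SPF record makes evaluation fail (permerror).
        return [f"{len(spf)} SPF records found; merge them into one"]
    terms = spf[0].lower().split()[1:]
    problems = []
    if REQUIRED_INCLUDE not in terms:
        problems.append(f"missing {REQUIRED_INCLUDE}")
    # "all" may carry a qualifier: + (pass), ~ (softfail), ? (neutral), - (fail).
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        problems.append("no 'all' mechanism; record should end with -all")
    elif all_terms[0] != "-all":
        problems.append(f"'{all_terms[0]}' is weaker than the -all shown above")
    return problems


SAMPLES = {  # constructed TXT record sets
    "correct": ["site-verification=constructed", "v=spf1 include:spf.tutanota.de -all"],
    "softfail": ["v=spf1 include:spf.tutanota.de ~all"],
    "duplicate": ["v=spf1 include:spf.tutanota.de -all",
                  "v=spf1 include:spf.example.net -all"],
    "old provider": ["v=spf1 include:spf.example.net -all"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, "->", lint_spf(records) or "ok")
```

The duplicate case is the one most often missed when a domain is moved from another mail provider: the old SPF record has to be replaced, not kept next to the new one.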
After you have successfully activated your domain, you can add an email alias or create a user under 'Settings' -> 'User management'.
What do I do if activation fails?
Please verify your DNS SOA entry if the activation of your custom domain still fails. We use the SOA entry for detecting your main DNS server. Therefore, the SOA entry must point to a valid name server.
Email encryption is needed whenever you want to send a confidential email, that is, whenever your email contains personal information that should not become public. The following examples show the differences between end-to-end encrypted, confidential emails and emails that are not end-to-end encrypted in Tutanota.
Alice is registered with Tutanota, Bob may be registered with Tutanota or be an external recipient, and Carol is not registered with Tutanota. In any case all emails (including attachments) are stored encrypted on the Tutanota servers. Independent of the end-to-end encryption, the transport between client and Tutanota servers is secured with SSL and DANE to maximize security.
Sending and receiving end-to-end encrypted emails
The email is encrypted on Alice's client, stored encrypted on the server and can only be decrypted by Alice or Bob.
Sending non-confidential emails
The email is sent via SMTP to the recipient. Still, the sent email is encrypted for Alice on the server and then stored.
Receiving non-confidential emails
When the SMTP email is received by the Tutanota server, it is encrypted for Alice and then stored on the server.
Updating WebView is usually as simple as installing an app. For devices with Android older than N (7), this is usually the app called Android System WebView, which you can download from the PlayStore here.
Additional optional settings changes
The Android N default WebView is usually tied to the Chrome browser. If you don't want to install Chrome, you can install another provider and later select another WebView implementation in the developer settings.
To enable developer settings:
Some of the apps providing WebView are:
Note for LeEco device owners: LeEco made changes to some devices which prevent changing WebView. We don't know of a workaround yet. We recommend using the web browser to access your Tutanota mail account.
Depending on the width of your browser Tutanota displays your folder list, your mail list, and the selected mail.
When you select an email, these options show up at its top.
The top email menu has the following options:
If you want to print an email as pdf, you can use the browser function for printing.
Sending of emails
Condensed email window.
Enlarged email window.
Go here in your Settings. You can choose whether emails to external recipients should be encrypted by default ('Confidential') or if you need to click on the lock symbol when composing an email to encrypt it ('Not confidential' = unencrypted by default). Emails to other Tutanota users are always encrypted by default.
When sending an encrypted email to an external recipient, you need to specify a password when composing the email.
Once set, the password will be automatically saved along with the contact in your Tutanota address book. Next time you write an email to that recipient, you simply specify the email address and Tutanota automatically enters the password. The password needs to be exchanged via a second channel.
The external recipient
Note: The link within the notification email contains a salt which is needed for decryption along with the password. Thus, someone who wants to intercept your encrypted messages needs the exact link and the password. (An old link gets deactivated as soon as you send a new email to the same email address.)
As a Premium or Pro user, you can add aliases to your account. You can also add additional alias packages. Refer to our pricing page for details.
Go here in your mailbox→ 'Email aliases': Click on 'Show Email Aliases'. Click on the plus symbol to add aliases. A pop-up opens where you can type the alias you want to add. Click on the three-dot button to choose the domain for your alias. This can be any of the Tutanota domains or of your own domains that you have added to your Tutanota account.
Please note: Aliases with a Tutanota domain can only be disabled, but not removed. Deactivated aliases must remain linked to your account in case you want to activate them again in the future. When you are using your own domain with Tutanota, you can delete aliases with your own domain and create new ones.
You can change the default sending address to your own domain alias (or any other alias) by changing the default sender here in your mailbox→ 'Default Sender'. This will make your alias the default sender. However, the main address of your Tutanota account (name in tab) will remain unchanged.
Spam detection in Tutanota is multi-staged. For incoming unencrypted SMTP emails, the received email is first checked against DNS blacklists. In a second stage we filter emails by executing content checks and mark emails as spam or not. Emails that have been marked as spam will be moved to the spam folder of your mailbox. In a third stage we filter spam on the basis of user-defined email sender lists. This list makes it possible to classify email addresses as spam (blacklist) or explicitly as not spam (whitelist). The check is active for all incoming emails and can be configured by the administrator. The rules are valid for all users.
As administrator for a Tutanota account you can configure the email address list here in Settings. You assign email addresses or domains to one of the following spam rules:
The "No spam" rule has a higher priority than "Always spam" and "Discard" has the lowest priority. Furthermore you are able to define rules based on a domain instead of a single email address. Rules defined for a domain have a lower priority than rules for an email address.
Rules for domains are restricted. You are not able to assign the rules "Always spam" and "Discard" to Tutanota domains, nor to your custom domains.
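The precedence described above can be written down as a small resolver. This is an added example, not Tutanota code: the function names and sample entries are constructed, and the way the two orderings combine (address rules are consulted before domain rules) is an assumption based on the text.

```python
# Added example (not Tutanota code): decide which sender rule applies,
# following the precedence described above. Consulting address rules before
# domain rules is an assumption about how the two orderings combine.

PRIORITY = ["No spam", "Always spam", "Discard"]  # highest priority first
PROTECTED = {"tutanota.com", "mycompany.example"}  # constructed: own/custom domains


def add_rule(rules, value, rule, protected_domains=PROTECTED):
    """Store a rule for an address or a domain, enforcing the domain restriction."""
    if rule not in PRIORITY:
        raise ValueError(f"unknown rule {rule!r}")
    value = value.strip().lower()
    is_domain = "@" not in value
    if is_domain and value in protected_domains and rule != "No spam":
        raise ValueError(f"{rule!r} cannot be assigned to domain {value}")
    rules.setdefault(value, set()).add(rule)


def resolve(rules, sender):
    """Return the winning rule for a sender, or None if no list entry matches."""
    sender = sender.strip().lower()
    domain = sender.rpartition("@")[2]
    for key in (sender, domain):  # address rules outrank domain rules
        matched = rules.get(key)
        if matched:
            # Among conflicting rules on the same entry, highest priority wins.
            return min(matched, key=PRIORITY.index)
    return None


def build_sample_rules():
    """Constructed rule list used to exercise the resolver."""
    rules = {}
    add_rule(rules, "newsletter.example", "Always spam")
    add_rule(rules, "billing@newsletter.example", "No spam")
    add_rule(rules, "bot@shop.example", "Discard")
    add_rule(rules, "bot@shop.example", "Always spam")
    return rules


if __name__ == "__main__":
    sample = build_sample_rules()
    for s in ("promo@newsletter.example", "billing@newsletter.example",
              "bot@shop.example", "alice@other.example"):
        print(s, "->", resolve(sample, s))
```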
'Login' shows you several info items about your Tutanota account.
Here you can configure how you want to send your mails.
'Inbox rules' (filter): Click on 'Show Inbox Rules' and then on the plus-button. A pop-up with three options opens: 'Field', 'Value' and 'Target folder'.
When you order the whitelabel upgrade for your Premium account you can activate the Tutanota login on your own domain (a sub-domain), change the look of Tutanota according to your needs (e.g. corporate identity) and create contact forms for your clients. If you send confidential messages to external recipients, those recipients are also directed to your whitelabel domain.
Complete list of possible customizations:
Preconditions for applying the whitelabel feature:
This is how you can set up your whitelabel domain:
Enable the Tutanota login at your domain by uploading your domain's SSL certificate chain and private key here in your Tutanota Settings - Whitelabel. Both must be provided in PEM format (base64 encoded). The private key file content must start with the line "-----BEGIN RSA PRIVATE KEY-----" or "-----BEGIN PRIVATE KEY-----". The certificate file content must start with the line "-----BEGIN CERTIFICATE-----". To create a certificate chain from individual certificates, create a file in a text editor. First copy your domain's certificate into that file, and below that certificate any intermediate certificate or certificate bundle that was provided to you in addition to your certificate file. Your certificate chain file might then look like this:
(Your SSL certificate, e.g. from your_domain_name.crt)
(Your intermediate SSL certificate, e.g. from intermediate.crt)
Optionally upload your custom logo to be shown when you load Tutanota at your own domain.
Now you should be able to open your custom domain in your browser and see the Tutanota login with your own logo and own colors. Additionally you may now order and set up contact forms ("Settings" -> "Contact forms"), which allow you to be contacted confidentially.
Please note that your whitelabel customizations will not be visible in the mobile apps.
Contact forms allow you to be contacted confidentially as all messages are automatically end-to-end encrypted.
Create a new contact form
Manage existing contact forms
Once upgraded you can add 'Extensions':
Windows: Double-click on the Tutanota app and follow the instructions on your computer.
Mac: Move the installer inside the directory you would like the app to be located in and double click it to extract.
Linux: After download, right click the AppImage and give it execute permission. Alternatively, run chmod +x tutanota-desktop-linux.AppImage from a terminal window. Now you can run the App like any other executable, no further installation required. You may want to let it integrate itself with your desktop and app launcher.
Windows: Go to Settings -> Desktop -> set "Default Email Handler" to "Registered". Then hit the Windows key, type "default" and choose "Default App Settings". In the settings window, choose "Tutanota Desktop" in the email row.
Mac: Go to the Settings -> Desktop -> set "Default email handler" to "Registered".
Linux: This depends on your distribution. Please refer to the relevant documentation. Useful keywords are "mailto handler" and "protocol handler".
On all platforms, you may have to tell applications like your internet browser to use the system default mail app.
Sometimes the browser does not recognize the newly installed Tutanota desktop client as the default mailto app. If clicking a mailto-link does not open an email in the desktop client, please make sure that the Tutanota desktop client is activated as the default email app in your system settings as described above.
If everything is set up correctly, these instructions might help to troubleshoot:
The Tutanota desktop applications for Linux, Windows, and Mac OS are signed. The signatures make sure that the desktop clients as well as any updates come directly from us and have not been tampered with. Upon every update, the desktop client automatically checks that the signature is valid.
You can also verify the authenticity of your manually downloaded installer yourself with the OpenSSL utility. It should be installed on most Linux and Mac systems, but needs to be added to Windows. You can get OpenSSL via this link.
The installer signatures are provided as separate files:
Windows: Hit the windows key, type "apps", choose the entry "Apps & Features". In the settings window, search for "Tutanota Desktop". Click it and then click the "Uninstall" Button.
Mac: Move the file you extracted during installation and that you used to start Tutanota Desktop to the trash. To remove the app cache as well, you need to delete the directory ~/Library/Application Support/tutanota-desktop/, for example via the terminal:
cd ~/"Library/Application Support/"
rm -r ./tutanota-desktop
Linux: Delete the AppImage, then delete the file ~/.local/share/applications/appimagekit-tutanota-desktop.desktop and the directory ~/.config/tutanota-desktop/ if they're present.
If you want to remove the icons, too, open a terminal window and type
cd ~/.local/share/icons/hicolor/
ls **/*/appimagekit-tutanota-desktop.png
Make sure the output only lists tutanota-desktop image files, then type