Secure emails at the tip of your finger

End-to-end encryption

Entire mailbox is encrypted.

The entire mailbox – emails and address book – are stored end-to-end encrypted in Tutanota. The only unencrypted data are mail addresses of users as well as senders and recipients of emails Upon entering your login credentials, your mailbox is automatically decrypted locally on your device. You can easily login via a web browser or via the Tutanota apps for Android and iOS.

Encrypted emails to anyone.

Tutanota uses symmetric (AES 128) and asymmetric encryption (AES 128 / RSA 2048) to encrypt emails end-to-end. When both parties use Tutanota, all emails are automatically end-to-end encrypted (asymmetric encryption). For an encrypted email to an external recipient, a password for encrypting & decrypting the email (symmetric encryption) must be exchanged once.

Tutanota’s automatic encryption works easily on all devices, even mobile. Tutanota automatically encrypts

  • subject line, content and all attachments of an email,

  • address book,

  • inbox rules / filters,

  • and the search index.

TLS encryption

Highest level of TLS encryption with STARTTLS, PFS, DNSSEC, DANE, DMARC, and DKIM.

On top of its automatic end-to-end encryption, Tutanota uses STARTTLS with an extended validation certificate, Perfect Forward Secrecy, DNSSEC, DANE, DMARC, and DKIM to secure your connection to Tutanota to the maximum.

Check here for more info on Tutanota’s TLS encryption.

Check here to see how Tutanota scores on SSL Labs and Securityheaders.io.

Maximum login protection

Tutanota never transmits your password to the server.

When you login, Tutanota hashes and salts your password before transmitting the hash to our servers. It is impossible to derive the actual password from this hash, thus, no one can know your password, not even we at Tutanota. To protect your password, we use bcrypt and SHA256.

To further secure your login credentials, Tutanota enables you to activate two-factor authentication. For this you can use TOTP or U2F. We recommend using U2F with a security device as this is the most secure form of two-factor authentication.

One password to automatize encryption.

Your password unlocks your private key.

Every Tutanota mailbox owns one private key that is used to automatize the exchange of encrypted emails. When you register with Tutanota, this private key is created locally on your client and encrypted with your password. This way, Tutanota can automatize the entire encryption process without ever having access to your private key.

A certain password strength is required to make sure that your private key is strong enough for encrypting your confidential emails. That’s why registration with a weak password is not possible with Tutanota.

You can read details about Tutanota’s key generation process and how we secure your private key on our blog.

GDPR compliant email service

Tutanota follows the principles of data minimization & privacy by design.

We are responsible for the protection of your personal data, and we take this responsibility very seriously. Therefore

  • Tutanota is based on the data privacy principles "data minimization" and "privacy by design",

  • all user data is stored end-to-end encrypted in Tutanota (except for email addresses of users as well as senders and recipients of emails),

  • we have technical and organizational measures in place which protect your data best possible.

Please read our full privacy statement for details.

Our built-in encryption and the ability to send an encrypted email to any recipient in the world make Tutanota a perfect option when looking for a secure email service. Under the GDPR, companies must always protect personal data, even when sent via email. Read our blog to find out how Tutanota can help you to always send GDPR compliant emails.

Privacy made in Germany

Germany has one of the strictest data protection laws.

Data privacy regulations in the European Union (EU) are among the strictest in the world, and among all European member states, Germany has one of the strongest policies: the Federal Data Protection Act (Bundesdatenschutzgesetz). The EU General Data Protection Regulation (GDPR) was in large parts designed based on the German Federal Data Protection Act.

This law protects users of Internet services. It puts the user in charge of what should be done with their data: Companies (=we) are not allowed to collect any personal information without express permission from an individual (=you), (e.g. name, date of birth, IP address).

In addition, in Germany there is no law that could force us to submit to a gag order or to implement a backdoor.

You can find details about German data protection laws on our blog and in our Transparency Report.

Data stored in Germany

Tutanota stores all data encrypted in highly secure data centers in Germany.

All data in Tutanota is stored end-to-end encrypted on our own servers in ISO 27001 certified data centers in Germany. No one has access to our servers except our permanent administrators, who need to pass multiple-factor-authentication before gaining access. All productive systems are monitored 24/7 for unauthorized access and extraordinary activity.

Anonymous email service: No tracking, no ads

Tutanota is an anonymous email service that does not track you.

Our business model is different from most email services: Due to the encryption, we can not scan your emails. We do not track you. We do not send targeted advertisments to your mailbox.

Tutanota does not log IP addresses when you login or when you send an email. Upon registration you do not need to provide any personal data (e.g. no phone number is required), even when you register via Tor.

Tutanota strips the IP addresses of emails sent and received from the mail headers so that your location remains unknown. Please read our blog post on anonymous email to find out how Tutanota protects your identity.

Enhanced privacy features

Tutanota is an email service built with privacy at its heart.

Companies love email for marketing campaigns. Because email by default does not respect your privacy. When marketing people send you a newsletter, the email usually loads external content (e.g. images). In this instance you are being tracked: IP address, browser you are using, and more information is being transmitted to the sender.

Tutanota offers you an email service that automatically protects from those tracking methods:

  • Tutanota blocks images by default. No external content is loaded when you open an email unless you actively allow this.

  • Tutanota strips all header information (IP address) from emails sent to protect your privacy.

  • Tutanota warns you when the technical sender differs from the from sender. To fake the from sender is a typical method used in phishing attacks. On our blog you can find more tips on how to prevent phishing.

  • Tutanota scores very well on Email Privacy Tester.

Monitor & close sessions remotely

Check if anyone has accessed your encrypted Tutanota mailbox.

Our new mail client lets you check active and closed sessions as an opt-in feature. This allows you to verify that no one but yourself has logged into your account. Closed sessions are automatically deleted after one week.

Tutanota’s session handling also enables you to close sessions remotely. When you lose your mobile phone and you are still logged in with the Tutanota app, you can close this session from any other device. By closing the session remotely, you make sure that no one can access your secure emails on the lost phone.

IP addresses of open and closed sessions are always stored encrypted and automatically deleted after one week. Due to the encryption only you can access this information. We at Tutanota have absolutely no access to this information.

Committed to open source

Free and open source email for everyone.

Tutanota focuses on security and privacy. To us, open source is essential to achieve both. We have published the Tutanota web client and both Android and iOS Apps as open source software on GitHub.

This way everyone can check the code and verify that there are no bugs in the code base. By being open source potential bugs can be noticed and fixed much faster than it is the case with closed source applications.