FAQ

For the email encryption between users, Tutanota uses a standardized, hybrid method consisting of a symmetrical and an asymmetrical algorithm. Tutanota uses AES with a length of 128 bit and RSA with 2048 bit. Emails to external recipients are encrypted symmetrically with AES 128 bit.

By default, we do not log IP addresses when you log in or when you send an email. The IP addresses of sent and received emails are stripped so that your location remains unknown.

We only log IP addresses of individual accounts in case of serious criminal acts such as murder, child pornography, robbery, bomb threats and blackmail after being served a valid court order by a German judge. You can find details on this as well as on German data protection rights on our blog.

Learn on our blog how Tutanota fights illegal mass surveillance by providing an anonymous email service. Upon registration you do not need to provide any personal data (e.g. no phone number required). We will also make it possible to pay for Tutanota with Bitcoin.

Tutanota automatically encrypts all emails stored in your mailbox. Emails between Tutanota users are automatically encrypted end-to-end, emails to external users can be secured with the help of a password. Here we explain the differences between a confidential (end-to-end encrypted) and a non-confidential email.

Independent of the end-to-end encryption, the transport between client and Tutanota servers is secured with TLS to maximize security.

Watch our YouTube email encryption guide for Tutanota - the quickest email encryption guide you can get!

Yes, all data within Tutanota is end-to-end encrypted and only accessible with your password. Scanning and profiling of your data is not possible.

Encryption and decryption of data always happens locally on your device upon login. All data is end-to-end encrypted and only you can access the data with your password.

You can show headers of received emails by pressing the shortcut H. Tutanota strips headers from emails sent to protect your privacy.

To show all shortcuts in Tutanota, please press F1 (Fn & F1).

A deleted email address (also if it is an alias) will not be recycled for security reasons. There must be no possibility that someone else is able to register your previously used email address, and then, by accident, receive a confidential email that was meant for you.

Free of charge accounts are deleted after an inactive period of six months. A regular login is necessary to prevent automatic deletion. We delete such accounts for security reasons and also to allow us offering free of charge Tutanota accounts at all. However, the email addresses of such deleted accounts may be taken over into another paid account and re-used as email aliases or additional user addresses if you still have the valid login credentials.

To re-use the email address of the inactive account

1. You need to create a paid email account (or use any paid Tutanota account you already have as the target account).
2. Login to your lost account.

3. Click on 'Help' as you can see in the screenshot above.

4. Enter the 'Target account address' (and - if you enabled two-factor authentication - the recovery code of the lost address).

Then you can add the lost address(es) as an alias (or user) to the target email account. We call it merging of addresses.

Your private and your public keys are generated locally within your browser upon registration. Your private key is encrypted with your password. This way your login password receives the status of the private key. The key is encrypted so strong that only you can use the key for encrypting and decrypting data. This is why a strong password is essential. An automatic password check on the client makes sure that you use a strong password. Your password is never transmitted to the server in plain text. It is salted and then hashed with bcrypt locally on your device so that neither the server nor we have access to your password. With this innovative design you can access your encrypted inbox from any device (desktop, mobile) easily.

Tutanota does not load pictures automatically when you open an email. When you load external images manually, please note that

• someone knows that you read the email.
• someone may add cookies to your browser (if your browser is not configured to reject them).
• someone may track your location with your IP address.
• someone may track parameters of your device.

Here we explain how to display external images. Please read here how we make sure that you can use Tutanota as an anonymous email service.

We require all messages to be authenticated. Without authentication, the email could be coming from anyone or could be modified so you should always treat such emails with scrutiny. If you see a message where the authentication has failed (red warning banner), you should be especially careful as it means that this email was likely faked.

Phishing is a name or type of online scam in which criminals try to look like a legitimate sender in order to get your data such as credentials or credit card data. Phishers use very sophisticated psychological techniques and develop very realistic copies of real websites and emails.

If you see a phishing banner, it means that some parts of this email match our phishing signatures after other users reported similar emails as phishing. Please be extremely careful with such messages. Usually phishing emails contain a special link to the website which looks real but it actually is not. If you think that the email is legitimate and you opened the link, please make sure to check the full website URL: Check that you see all of it, sometimes only one part or one character may be swapped. Here is more information on how to prevent email phishing attacks.

You can mark an email as not phishing so you will not see the warning message any more for this email.

We never send you emails with links where you need to type in your password. We encourage you to always protect your login credentials with 2FA as this makes it close to impossible for an attacker to log into your account.

If you already fell for a phishing attack, please check this FAQ.

The Tutanota servers are located in secure and ISO27001 certified data centers in Germany. All saved data are subject to the strict German privacy protection laws. Independent of that all data is end-to-end encrypted and cannot be read by the Tutao GmbH as the provider or by any third party.

Yes. You can view and remotely close active sessions under Settings -> Login.

Check our How-to to learn how to enable storing of closed sessions to monitor whether someone else has access to your account. To guarantee the users' privacy, we have implemented the feature as follows:

• The IP address is stored encrypted, and only the user can decrypt this information. No one else - not even we at Tutanota - can access this information.
• IP addresses are only stored for one week and then automatically deleted.

Tutanota encrypts all data stored in your mailbox (contacts, emails, email signature, inbox rules, invoice data, payment method, certificate and private keys of your own domains). When sending an email, Tutanota encrypts subject, content and attachments automatically.

You can find a detailed explanation about what is encrypted in Tutanota on our security page.

We can read only the following metadata:

• sender email address
• recipient email address
• date of the email

We are looking into possibilities to hide the metadata in the future as well.

You can secure the stored app login with a pin, pattern or biometrics (fingerprint, Face ID etc.). Please go to Settings -> Login -> Unlock method to activate this.

This option will only show after you have stored your login credentials in the Tutanota app. Upon login tick the checkbox 'Store password' to store your login credentials.

Tutanota uses a password strength indicator that takes several aspects of a password into consideration to make sure your chosen password is a perfect match for your secure email account. You can find additional tips on how to choose a strong password here.

Tutanota has no limitations in regard to the password length or used characters; all unicode characters are respected.

If you click on 'Logout', you log out. Please note: If you have previously saved the password, you are now logged out, but the password is still saved for automatic login. To 'unsave' the password, please log out. The login screen appears, click on 'More' and 'Delete credentials'.

A secure password is one that is random enough that it cannot be guessed in a feasible amount of time. But random strings of alphanumeric characters are hard to remember. That's why we have implemented a passphrase generator that finds a good balance between security and memorability. The generator chooses six easy words from a huge curated list and outputs a passphrase that is secure as well as easy to type and remember. Here are more tips on how to create and remember a strong password.

Your password is salted and hashed with Bcrypt on your device before being transmitted to Tutanota. Bcrypt is the most reliable method because brute-force attacks need much more time in comparison to conventional methods such as MD5 or SHA. With this method we guarantee an integrated confidentiality and we allow you to access and decrypt your emails from desktops and mobile devices instantly.

No. When a password is used for authentication (login), it is not necessary that it is known to the server you want to authenticate with. The server only needs a fingerprint (hash) of your password. With Tutanota your hash for authentication is calculated by your browser and only the hash is being sent. Your password never travels the Internet in plain text and it is never seen by our server. As hashes are non-invertible, the server is unable to reconstruct your password from the hash. The server is not able to decrypt your message, but still able to log you in.

Recommended for further reading: Learn how Tutanota automates the encryption process while leaving you in full control of your encrypted data.

If you think your password was disclosed to someone else but you can still log into your account, please do the following:

• Change your password in 'Settings' -> 'Login' -> 'Password'.
• Update your recovery code in 'Settings' -> 'Login' -> 'Recovery code'.

If the attacker had been logged in as well, changing the password automatically logs them out.

We encourage you to always use 2FA with your accounts as it makes it close to impossible for an attacker to log into your account.

If you can not log into your account any more, please check this FAQ.

Go to Settings - Login and click on the pen symbol next to 'Recovery Code' to show the code or update it. To do this, you need to enter your password.