Of the many technological advances brought about by the internet, email is probably one of the most impactful. Over 300 billion emails are sent every day, containing everything from polite conversation to huge financial transactions. But despite the popularity and ubiquity of emails, the medium has not changed much since its advent in 1971 and can often pose a serious security risk to users.

The concept of secure email has gained attention recently as a way to avoid these vulnerabilities, and while there are many providers out there, we have compiled the best options. 

When email was invented, there was no way anyone could have predicted the way it is used today. The majority of emails were personal correspondence between friends and family for many years, with some advertisements slipping in. Because of the low-stakes use cases, email was never designed to be secure and there was little thought put into privacy or email encryption for many years. Anyone watching a network could easily see the plain text being sent. 

Today, email is slightly more secure, but there are still vulnerabilities.

Sensitive information is sent via email

At the same time, we use emails for sensitive information often. Contracts, invoices, medical information, personal information, sensitive documents, and more are sent through email servers that can easily be hacked by both individuals and malicious applications. When this happens, the information available can be used to carry out all kinds of activities, like identity theft, theft of funds, blackmail, and more. 

Personal data is vulnerable

Even if you don’t send any sensitive data, there is likely something in your email that would be valuable to a bad actor. At the very least, personal email accounts are typically unencrypted, which leaves them vulnerable. Choosing a secure email service allows you to protect yourself and your data without losing access to this form of communication. 

A secure email experience, much like your typical one, allows you to send and receive messages from named addresses, but it also incorporates extra safeguards for your protection. Beyond the basics of strong passwords and two-factor authentication, the aim is to use traditional email while keeping out bad actors and preserving your data and identity. This involves a delicate task for your email account’s spam filter, which has to block all spam messages and guard against sophisticated phishing scams (which is why it’s important to know why an email could go to the spam folder). Despite the challenge of correctly flagging suspicious messages without false positives, achieving this balance could be the defining factor between a good and a great email provider.

End-to-end encryption

The key to a secure email experience is end-to-end encryption that goes beyond the norm. A traditional email provider will encrypt data between your computer and the server, but any information sent to the server (including your messages themselves) is not encrypted when it arrives. That means the provider has access to your data, and while they may not use it, it could be subject to a data leak without needing to be decrypted to be read. Secure providers encrypt data on the server so that it is useless to a third party. 

Metadata protection

Another key facet of secure email is how it deals with metadata. This is information logged alongside your email, like timestamps or information about the browser you are using. Most people don’t consciously generate metadata and would never know what it says, but it can become a paper trail in certain cases. A secure email provider takes care to strip as much metadata as possible from the email, making it harder to trace the origin of a message and the identity of the sender. 

Server locations

Secure email providers may also pay special attention to the location of their servers, and the most secure are often located in remote or historically neutral countries. Countries like Switzerland with very strict privacy laws are ideal locations for these providers, as they would rarely be mandated to share personal data by law enforcement. 

There is no formal definition of a secure provider or certification to help you understand who is and isn’t one. However, the term is generally understood by companies to mean that measures like end-to-end encryption are in place. For this reason, you will not see most mainstream services like Gmail, Outlook, or Yahoo call themselves secure email providers. 

Most popular email providers would call themselves secure and have some level of security in place to protect email clients. But without end-to-end encryption and management of metadata, these would not be considered secure email providers to the same standard as others. 

The term secure email is generally used to refer to the backend technical structure of email systems. Some companies may use a secure provider or create their own in-house security protocol to protect emails, especially those that contain sensitive data. Common platforms like Outlook do not have enough measures in place to be considered a secure email, but each company’s structure will vary. 

If you are using a work-issued device or account, it is likely that your boss is legally able to read your emails. This would be true even with a secure email provider, as the company would own access to the account and they could access your information. However, a third party would not be able to access your email with a secure provider in place. 

We talked about how a secure provider works above, but here’s a closer look at what makes a provider secure.

Encrypted messages and servers

The biggest consideration when looking at the security of email is how and where messages are encrypted. Encrypted messages mean data is converted into a code and only those with the private key can interpret it. Major email service providers typically do not do this when storing information on their servers, so your exact emails are stored on hardware they own that may be easy to breach. 

A secure provider will encrypt your emails at every step, including on their servers. This means that even if someone were to gain unfettered access to their server, your emails would be meaningless to them. An email could contain state secrets and winning lottery numbers, but someone could not understand them after encryption. End-to-end encryption means that no third party will ever be able to read the contents of the email when they are in transit, offering the greatest protection possible. 

Metadata is stripped from emails

The way metadata is handled can also indicate how secure a provider is when it comes to emails. The pieces of information that sit alongside your data, like timestamps and browser information, can be used against you in a variety of ways or provide identifying information. Metadata as simple as the sender, recipient, date, and subject line can be useful for any bad actor. A secure provider takes care to strip out as much of this data as possible before storing it so that there is less vulnerable information out there. 

Measures beyond spam filtering

To be considered secure, a provider should focus not just on basic email security like spam filtering and SSL certificates, but also on protecting data at every stage of its life. 

Each secure email provider will emphasize different elements of security, so it is important to understand which are most important to you when choosing a provider. You will need to consider the security features themselves, along with functionality, user-friendly navigation, mobile apps, and file storage space for your general email use. 

Server location and data centers

Many countries, including the United States, collect and share data gathered through email servers and are legally protected in this area. This is not necessarily a concern if you are trying to avoid hackers, but when the concern is government agencies, it may be important. Activists in particular may want to avoid giving the government access to their personal and business emails. Countries with strict privacy laws are often the choice of secure email providers, including Switzerland, Germany, Belgium, Norway, and Sweden. 

Encryption

The basic expectation of a secure email provider should be end-to-end encryption. The way this is done can differ: symmetric encryption involves a single key, while asymmetric encryption uses a pair of keys, one public and one private. The latter is more complex and can add time to an email exchange, but some prefer the added security. 

Two-factor authentication (2FA)

It is equally important to protect your account from being accessed by an outside party. With 2FA, a password is not enough to get into your account. The password is the first factor, but once that has been verified, the second method of authentication is used. This is typically a phone number or email address. 

Metadata header stripping

Emails usually contain metadata about the recipient and sender, including browser and network information. Many providers strip this data out before storing the emails so it cannot be accessed later, which is considered “zero-access.” 
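
As an added illustration (not code from this article or from any provider it names), header stripping before storage can be done with Python's standard `email` module. The list of headers to strip and the sample message are assumptions constructed for the example.

```python
from email import message_from_string, policy

# Assumption: headers treated as identifying for this example. They expose the
# sender's IP address, relay path and mail client; a real policy may differ.
STRIP_HEADERS = {"received", "x-originating-ip", "x-forwarded-for",
                 "x-mailer", "user-agent"}

# Constructed sample message (documentation-range addresses, made-up client).
SAMPLE = """\
Received: from laptop.example.net (203.0.113.7) by mx.example.org; Tue, 02 Jan 2024 10:15:00 +0000
Received: from [192.168.1.23] by laptop.example.net; Tue, 02 Jan 2024 10:14:58 +0000
X-Originating-IP: 203.0.113.7
User-Agent: ExampleMail/1.0 (constructed)
From: alice@example.org
To: bob@example.com
Subject: Invoice
Date: Tue, 02 Jan 2024 10:14:57 +0000
Message-ID: <abc123@laptop.example.net>
Content-Type: text/plain; charset="utf-8"

Please find the invoice attached.
"""


def strip_metadata(raw):
    """Return (cleaned_message_text, removed_header_names, kept_header_names)."""
    msg = message_from_string(raw, policy=policy.default)
    # Record what will be dropped so the operation can be audited.
    removed = [name for name in msg.keys() if name.lower() in STRIP_HEADERS]
    for name in set(removed):
        del msg[name]  # deletes every occurrence, e.g. each Received hop
    return msg.as_string(), removed, msg.keys()


if __name__ == "__main__":
    cleaned, removed, kept = strip_metadata(SAMPLE)
    print("removed:", removed)
    print("still present:", kept)
    print(cleaned)
```

From, To, Date, Subject and Message-ID remain because delivery and display depend on them, so stripping reduces the stored metadata rather than eliminating it.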

Usability and function

A secure email tool will not be impactful if it is so difficult no one can use it or if it doesn’t have all the necessary features. Some providers have a full suite similar to Office 365, which may be important to a business. It is also useful to know if the tool is available on mobile and on which devices. 

1. CounterMail

CounterMail is a provider that uses PGP encryption alongside AES and RSA algorithms, and also allows for a USB key to be configured as a part of two-factor authentication. The servers are Swiss and don’t have hard drives; instead, they use CD-ROMs for added security. CounterMail also offers a password manager that uses a master password to protect all login information. 

2. ProtonMail

One of the most popular encrypted email providers, ProtonMail has a very mature program built on open-source technology. The encrypted data sits on servers in Switzerland, where the company performs routine audits that ensure the protections are as robust as necessary. While ProtonMail does not support default mail applications, a dedicated app is available for both iPhone and Android devices. Free versions of this email are available to users. 

3. Hushmail

One of the original providers of secure email, Hushmail is known for being simple to use and for its focus on HIPAA compliance. A specific healthcare plan lets users encrypt personal health information, though there are plans available for lawyers, small businesses, and personal use as well. Hushmail also creates a separate archive account to keep track of emails sent or received by all users in your custom domain in case of audits. 

4. Tutanota

This popular provider is an open-source option that has strong encryption practices and two-factor authentication that make it a market leader. Rather than the common PGP encryption, Tutanota uses AES and RSA encryption for an extra layer of security, as they combine both symmetric and asymmetric keys. They also offer image blocking, header stripping, and warnings about potential phishing attacks. 

5. Runbox

While Runbox uses standard-issue PGP encryption and two-factor authentication to offer security, it is unique for its commitment to being an ethical and environmentally friendly organization. Its Norway-based servers are powered by renewable energy from hydroelectric power plants. Runbox also lets you manage which IP addresses can access your account and see a list of successful and failed login attempts. 

6. Kolab Now

Based in Switzerland, Kolab Now offers a full suite of tools like calendars, notes, and video conferencing alongside its email capability. In addition to typical end-to-end encryption, Kolab Now offers the benefit of being compliant with GDPR, HIPAA, and PCI laws. 

7. Mailfence

This provider is a good middle-ground for someone who wants a more secure email than the typical providers, but also needs features like a password manager, calendar, or messaging. The usability of Mailfence is a strong feature, and they also offer free plans with 500 MB of email storage. The tool is based on OpenPGP encryption and digital signatures. 

8. Posteo

While there is no free version of Posteo available, its fee is lower than the paid version of popular options like ProtonMail. In addition to Germany-based servers with end-to-end encryption, Posteo supports PGP implementation. Many people choose this provider because creating an account does not require you to provide a name, backup email, email aliases, or any other identifying information. 

9. Startmail

Managed by the same team behind the private search engine Startpage, Startmail is an encrypted email service that uses PGP encryption and can work with other PGP clients. You can communicate with non-PGP users by having them provide answers to predefined secret questions. Startmail also obscures IP addresses and hostnames for extra security. 

10. Mailbox.org 

Aimed at business users, mailbox.org is a common alternative to tools like Microsoft Outlook or Gmail. Along with email, they offer encrypted cloud storage, video conferencing, contact management, calendars, and a task planner. This suite of products sits under PGP encryption and can be paid through an anonymous email. Mailbox.org is also powered by eco-friendly energy, making it the choice of sustainability experts.

While emails revolutionized communication, the concept behind them has not evolved greatly since they became widely available. Most popular email platforms implement only basic security measures that aren’t sufficient to protect the sensitive data sent through email every day. To offer more protection for the public, secure email providers are available. These options provide robust encryption, metadata management, and a renewed focus on protecting the contents of your emails from malicious attacks.

Who needs a secure email? 

Anyone who uses email can benefit from secure email. With things like financial transactions and sensitive documents, even personal emails contain data that needs to be protected to avoid things like identity theft.

Do certain people need more security features than others?

Certain segments of the population like activists or journalists may need additional security. Some businesses also require a secure email to remain compliant with laws like HIPAA or GDPR or to protect sensitive client data.

Do you need a secure email provider to encrypt your emails?

It is possible to encrypt emails manually without finding or paying for a service. However, encrypting your own emails with a method like PGP will not be effective unless everyone you communicate with has their own email account encrypted as well.

Does it matter where a secure email provider has servers? 

The location of servers can have a big impact on your data security when it comes to emails. United States’ privacy laws are not very strict and when your data is stored domestically, it can be accessed by government agencies in many scenarios.

Which countries provide the most secure servers?

Most providers have servers in neutral countries with strict privacy laws to prevent this from happening. Common locations include Germany, Norway, Belgium, Switzerland, and Sweden.

Do I have to change my email address to use a secure provider? 

In most cases, you will need an entirely new email address when you switch to a secure email provider. You can have your old emails forwarded to the new address, but they will still be processed through the old account’s servers and therefore not encrypted.

Are Gmail and Outlook secure email providers? 

While popular providers like Gmail and Outlook offer some security features, they do not meet the standards of a secure email provider. This is because they do not have end-to-end encryption, metadata stripping, and other features that add security.

Are emails used for ad targeting?

Most well-known email platforms do scan your messages for targeted ads, which helps them generate revenue since free accounts are available.  

Is secure email free? 

Each secure email provider has a different plan. Most do have a free plan for private email users, which includes a smaller amount of file storage and basic capabilities. You can then upgrade based on your exact needs. Other providers have only paid plans.

Can I use secure email in my default mail app?

This will depend on which provider you choose. Some providers are able to be connected to the default mail app on a mobile device, while others restrict this. It may also depend on if your mobile device is an Android or an Apple device. Typically, when this is not allowed, there is an independent app you can use. 

What is the best secure email provider?

There is no single best secure email provider, as it will depend on your exact needs. It is important to consider all of your needs, not just security features, when making this decision.

Is secure email HIPAA compliant? 

Many providers are compliant with specific privacy laws like HIPAA, but if this is important to you, check the individual provider’s information.

What does it mean to encrypt an email?

Encryption refers to taking data and using a code to hide its plain meaning. In an email, this means the contents of your messages are converted to a code that a person would not understand if they did access it.

Is PGP the best encryption for secure email? 

PGP, or Pretty Good Privacy, is one of the most popular forms of encryption for secure email providers. This is because it uses a two-key system with data compression, supports digital signatures, and is open-source.