
The Best Email Encryption Services for 2023

2023-09-08 04:55

The first email was sent in 1971 (though it wasn’t called email at the time). The ability to send messages to people on other computers, even other networks, was groundbreaking. Scientists and academics loved it and didn’t give much thought to the idea that someone else might read their messages. That would be rude! We still use email protocols that came out of that early development. And it’s still possible for snoops to intercept messages. Even if your email service provider uses encrypted communications, the provider can scan your text. For truly private email, you need a third-party encrypted email service.

If you want actual privacy in the form of email messages that nobody unauthorized can read, you need an encrypted email service. We’ve rounded up an eclectic collection of choices for you, and some of them are totally free. Read on for our top picks, along with what to look for when choosing an email encryption service.

Wait, Isn't My Email Already Encrypted?

You may remember some years ago when Google tweaked Gmail so that it always uses a secure HTTPS connection. That means it uses the standard Transport Layer Security (TLS) for encryption. This is good, but it’s the bare minimum: TLS protects a message only while it travels between your browser and Google’s servers, not once it’s stored there. Every website should use HTTPS.

Currently, Google says it doesn't read your mail. However, it's easy to accidentally give mail-reading permission to third-party apps. And Google does read your messages sufficiently to do things like automatically put airline flight notifications in your calendar. Google also has a policy explaining when it will release your email to government entities, one that clearly indicates that it can do so if compelled.

Apple Mail supports full-on encryption and digital signatures. To enable these features, you must obtain a security certificate. There used to be quite a few sources for free certificates, but the list is shrinking. We used a third-party service to obtain a cert for testing. With the certificate installed in your keychain, your emails are digitally signed by default. And if all the recipients of a message also have certs, you can click the lock icon to send the message encrypted.

A quick survey of my PCMag colleagues turned up exactly nobody who had installed an email security certificate, and this is a technically minded group. You’d expect even fewer ordinary consumers to have encryption enabled for their Apple Mail…except that you can’t go lower than zero.

In any case, Apple has had some glitches with encryption. Researchers in 2019 discovered unencrypted copies of secure emails in the database that Siri uses to better serve you. I think we can agree that Siri does not need to read our encrypted emails.

The point here is that your email provider’s goals aren’t centered on security and privacy. If you really want to protect your emails from prying eyes, look to a third-party company that puts security first.

What Is the Best Free Email Encryption Service?

Maybe you’re convinced that encrypting your email is a good thing, but are you convinced enough to pay for it with your hard-earned cash? Don’t worry: You don’t have to pay.

Preveil and Virtru are totally free. Both are simplified consumer-focused editions of enterprise-level products. Their “big brother” products bring in the cash. Skiff gives you encrypted email, secure file storage and sharing, private collaboration and more, all at no charge.

You don't have to pay for SecureMyEmail if you use it to encrypt a single Gmail, Yahoo, or Microsoft account, and there are no limits on features. A paid account lets you protect multiple accounts—up to eight—and also adds support for other email providers. Signing up for a free account or a 30-day trial of the paid service doesn't require a credit card or any personal info beyond your email address.

At the free level, Tutanota lets you send and receive unlimited messages that are completely encrypted using open-source technology. You even get a secure calendar to go with your secure inbox. Upgrading to the inexpensive premium edition lets you create multiple calendars, define up to five aliases (alternate emails), and set filter rules to handle incoming messages.

You can also use Proton Mail and Private-Mail for free, but you must accept certain limitations. Smart consumers will set up a free account and see if the limitations chafe. If they do, converting to a paid account is simple. StartMail is the only product covered here that doesn’t have a free tier, though it does offer a 7-day free trial.

Do I Have to Change My Email Address for Encryption?

On the one hand, starting fresh with a never-before-seen email address can be freeing. You know that the new address hasn’t been bandied about on the Dark Web or hoovered up by data aggregators. On the other hand, you must let all your contacts know that your address changed and reconfigure all your online accounts to use the new address.

Proton Mail, Private-Mail, Skiff, StartMail, and Tutanota all require that you switch to a brand-new email address. As with any other webmail system, it must be unique within the system. But since these services don’t have the millions or even billions of users that a Gmail or Yahoo does, you may well be able to get your own name without tagging on a bunch of numbers or other characters. Wouldn’t you rather have a janedoe@ address than a janedoe18592@ one?

With Preveil, SecureMyEmail, and Virtru, you keep your existing email. In fact, Virtru requires that you use a Gmail address. Preveil doesn’t limit you to any specific email provider. It integrates with Gmail and Outlook on Windows and Apple Mail on macOS and with the native mail app on your mobile devices. Likewise, SecureMyEmail can handle accounts from any email provider that supports IMAP.

Who Can I Email With Encryption?

Encrypting your messages does no good unless the recipient can decrypt them. Different products handle that end of the equation in a variety of ways.

The recipient of a Preveil message must install Preveil to read it, period. But since the product is free and easy to install, that’s not much of a limitation. Your communication is secured with military-level encryption, but you don’t have to remember passwords or do anything beyond choosing to encrypt the message.

Skiff is also free, but it's up to you to evangelize and get your contacts to try it. Messages between Skiff users are end-to-end encrypted, while messages outside the network are only encrypted between you and the Skiff servers.

Virtru also manages encryption keys outside your view. The recipient of a Virtru message clicks a link to view and reply to the message in a browser window, with no need to install Virtru.

When you send a message to someone outside the Tutanota network, the recipient gets a notification with a link, much like with Virtru. You must transmit a password to the recipient by some means other than email. The link opens what's effectively a stripped-down Tutanota, with the ability to send secure replies but not much else.

StartMail, Private-Mail, and Proton Mail all use an encryption system called Pretty Good Privacy (PGP) to secure messages between users of their respective services. That means they can also exchange encrypted mail with users of other email systems that support PGP. Setting up the necessary key exchange to enable third-party PGP messaging can be difficult, though.

Those same three products also include a provision for securely communicating with those who don’t use the service and don’t have a PGP key. While the implementations differ, the overall method is the same. You encrypt your message with a password and transmit the password to the recipient using a text, a phone call, or some other non-email communication.

When you send out-of-network mail from SecureMyEmail, it automatically generates keys and sets the message to expire after 30 days. After authenticating, the recipient views the message on a web page with the option to reply securely. You can choose to shorten the expiry time or to add a password for protection. SecureMyEmail can also import existing PGP keys and has no problem with a mix of in-network and out-of-network recipients of the same message.

How Does Encryption Protect My Email?

Using PGP encryption requires that you enter the PGP passphrase for your encryption key. When you send non-PGP encrypted messages, each can have its own password. Preveil and Virtru don’t require a password—your possession of a trusted device is enough for basic authentication. And, yes, you can revoke trust for a lost device.

Tutanota encrypts everything, including message headers, subject lines, and contacts. You do use a password to log into your account, so make it a strong one. As noted, communicating with contacts who aren't already using Tutanota requires that you create a password for each contact and transmit it by some channel other than email. Tutanota securely stores that password along with the contact record.

Whether basic authentication relies on a password or a trusted device, you can crank up security by enabling multi-factor authentication when available. Proton Mail, Private-Mail, Skiff, StartMail, and Tutanota all support multi-factor authentication using Google Authenticator or any work-alike that can provide a standard time-based one-time password (TOTP).

Tutanota also supports authentication using a YubiKey or other security key. You can register multiple keys and even use U2F along with a TOTP app. If you don't have your U2F key at hand, authentication rolls over to the TOTP app.

With Preveil, you need access to a trusted device (something you have), the password for your email account (something you know), and whatever authentication method you use to open the trusted device, typically a passcode or biometric system. It’s a form of multi-factor authentication, though not the traditional password-plus-TOTP type.

What Else Do I Get With Email Encryption Services?

With some services, you start fresh with a brand-new email address. But once you start using that address, once many different merchants and websites have it, it won’t stay pristine—unless you never tell anybody your email address.

How can you email without giving away your address? By using a temporary email address service, also called a disposable email address (DEA) service, that’s how. Such a service generates a one-off alias every time you need to give out your address. Messages to that alias show up in your regular inbox, and replies seem to come from the alias. And if one of your DEAs starts to get spam or other problems, you can just delete it.

Private-Mail can manage DEAs, but it's rather limited compared to dedicated DEA utilities such as Burner Mail and ManyMe. Email aliases in Skiff and Tutanota are even more limited in that you get just a handful and can't change them after creation. StartMail used to suffer similar limitations, but at present, it offers full DEA management alongside its email encryption. IronVest goes beyond mere DEAs, letting you shop while hiding not only your actual email address but also your credit card number and phone number.

Those who choose an Unlimited-tier Proton Mail subscription have two ways to access temporary email addresses. The Proton Pass password manager can create and manage what it calls "hide-my-email aliases," for one. In addition, that Unlimited subscription gives you full access to the SimpleLogin temporary email service.

With most of these services, you can share a file securely by attaching it to an encrypted message; Private-Mail is the exception, as it supports only plain text. It makes up for that lack by giving you encrypted cloud storage, along with the ability to securely share files from your encrypted storage. Preveil also offers cloud storage with secure sharing, and you have a range of choices for what recipients can do, from editing and re-sharing down to just gazing at the data in a viewer window. Proton Drive, the similar Proton Mail feature, is available to all users.

Skiff offers full-scale collaboration, with simultaneous editing and end-to-end encryption. You can also use Skiff for secure file sharing. Proton Mail offers cloud storage starting with its free tier, but paying customers get more storage, up to 500GB.

You can set Proton Mail and Virtru messages to expire after a given time. Private-Mail and Proton Mail let you set an away message when you don’t have email access. These two also include the ability to define filtering rules. As noted, SecureMyEmail out-of-network messages automatically expire in no more than 30 days, but there's no expiry option for in-network messages.

As noted, you get a secure calendar with the free edition of Tutanota, one that syncs across all your devices. Paying for a premium account lets you create multiple calendars. Proton Mail's associated Proton Calendar is likewise available at the free level. Private-Mail also offers a calendar feature. However, in testing, Private-Mail's system for syncing that calendar proved too complex for the average user.

What Is the Best Email Encryption?

As you can see, all these products have their virtues, and each offers a different set of features. For its weapons-grade encryption, ease of use, and low price (free!), Preveil is a top pick and an Editors’ Choice winner. Skiff's combination of easy encrypted email with collaboration and file sharing that are equally secure makes it another Editors' Choice. An Unlimited subscription to Proton Mail also gets you Proton's cloud storage, VPN, calendar, and password manager. When it comes down to the wire, your choice may depend on whether you want to keep your existing email with Preveil or accept a new, secure email from Skiff or Proton Mail.

While you're thinking about security, you should read our roundup of the best encryption software for protecting the sensitive data on your drives.
