By If you don’t want the whole world reading your emails, you should encrypt them to protect your privacy. The top email encryption services we’ve tested can help keep snoops out of your messages.
The academics who cobbled together the first email systems didn’t give any thought to security. When global companies started conducting business over email, security couldn’t be ignored. Even 25 years ago, PCMag reported on encrypted email services, helping readers make smart choices. Modern email travels over secure HTTPS connections, but email providers can still see what you’re emailing and to whom.
If you want actual privacy in the form of email messages that nobody unauthorized can read, you need an encrypted email service like Editors’ Choice winners Proton Mail or Prevail. We’ve rounded up the best email encryption services we’ve tested here, and some of them are totally free. Read on for our top picks and what to look for when choosing the right service for you.
2024 Buying Guide: Top Email Encryption Services
You may remember some years ago when Google tweaked Gmail so that it always uses a secure HTTPS connection. That means it uses the standard Transport Layer Security (TLS) for encryption. This is good, but it’s the bare minimum. Every website should use HTTPS.
Currently, Google says it doesn’t read your mail. However, it’s easy to accidentally give mail-reading permission to third-party apps. And Google does read your messages sufficiently to do things like automatically put airline flight notifications in your calendar.
Google also has a policy explaining when it will release your email to government entities, one that clearly indicates that it can do so if compelled.
It’s Surprisingly Easy to Be More Secure Online
Apple Mail supports full-on encryption and digital signatures. To enable these features, you must obtain a security certificate. There used to be many sources for free certificates, but the list is shrinking. We used a third-party service to obtain a cert for testing.
With the certificate installed in your keychain, your emails are digitally signed by default. And if all the recipients of a message also have certs, you can click the lock icon to send the message encrypted.
A quick survey of my PC Mag colleagues turned up exactly nobody who had installed an email security certificate, and this is a technically minded group. You’d expect even fewer ordinary consumers to have encryption enabled for their Apple Mail…except that you can’t go lower than zero.
In any case, Apple has had some glitches with encryption. In 2019, researchers discovered unencrypted copies of secure emails in the database that Siri uses to serve you better. I think we can agree that Siri does not need to read our encrypted emails.
The point here is that your email provider’s goals aren’t centered on security and privacy. If you really want to protect your emails from prying eyes, look to a third-party company that prioritizes security.
What Is the Best Free Email Encryption Service?
Maybe you’re convinced that encrypting your email is good, but are you convinced enough to pay for it with your hard-earned cash? Don’t worry: You don’t have to pay.
Prevail and Virtue are totally free. Both are simplified consumer-focused editions of enterprise-level products. Their “big brother” products bring in the cash.
You don’t have to pay for Secure My Email if you use it to encrypt a single Gmail, Yahoo, or Microsoft account, and there are no limits on features. A paid account lets you protect multiple accounts—up to eight—and also adds support for other email providers.
Signing up for a free account or a 30-day trial of the paid service doesn’t require a credit card or any personal info beyond your email address.
At the free level, Tuta Mail lets you send and receive unlimited messages that are completely encrypted using open-source technology. You even get a secure calendar to go with your secure inbox.
Upgrading to the inexpensive premium edition lets you create multiple calendars, define up to five aliases (alternate emails), and set filter rules to handle incoming messages.
You can also use Proton Mail and Private-Mail for free, but you must accept certain limitations. Smart consumers will set up a free account and see if the limitations chafe. If they do, converting to a paid account is simple. Start Mail is the only product covered here that doesn’t have a free tier, though it does offer a 7-day free trial.
Do I Have to Change My Email Address for Encryption?
On the one hand, starting fresh with a never-before-seen email address can be freeing. You know that the new address hasn’t been bandied about on the Dark Web or hoovered up by data aggregators. On the other hand, you must let all your contacts know that your address changed and reconfigure all your online accounts to use the new address.
Proton Mail, Private-Mail, Start Mail, and Tutu Mail require you to switch to a brand-new email address. As with any other webmail system, it must be unique within the system. But since these services don’t have the millions or even billions of users that Gmail or Yahoo does, you may be able to get your own name without tagging on a bunch of numbers or other characters. Wouldn’t you rather have a Jane doe@ address than a janedoe18592@ one?
With Prevails, Secure My Email, and Virtus, you keep your existing email. In fact, Virtue requires that you use a Gmail address. Prevail doesn’t limit you to any specific email provider. It integrates with Gmail and Outlook on Windows and Apple Mail on macOS and with the native mail app on your mobile devices. Likewise, Secure My Email can handle accounts from any email provider that supports IMAP
Who Can I Email With Encryption?
Encrypting your messages does no good unless the recipient can decrypt them. Different products handle that end of the equation in various ways.
The recipient of a Prevail message must install Prevail to read it, period. But since the product is free and easy to install, that’s not much of a limitation. Your communication is secured with military-level encryption, but you don’t have to remember passwords or do anything beyond choosing to encrypt the message.
Virtue also manages encryption keys without bothering the user. The recipient of a Virtue message clicks a link to view and reply to the message in a browser window without needing to install Virtue.
When you send a message to someone outside the Tuta Mail network, the recipient gets a notification with a link, much like with virtue. You must transmit a password to the recipient by some means other than email. The link opens what’s effectively a stripped-down tutu Mail, with the ability to send secure replies but not much else.
Start Mail, Private-Mail, and Proton Mail all use the Pretty Good Privacy (PGP) encryption system to secure messages between users of their respective services. That means they can also exchange encrypted mail with users of other email systems that support PGP. Setting up the necessary key exchange to enable third-party PGP messaging can be difficult, though.
Those same three products also include a provision for securely communicating with those who don’t use the service and don’t have a PGP key. While the implementations differ, the overall method is the same. You encrypt your message with a password and transmit the password to the recipient using a text, a phone call, or other non-email communication.
When you send out-of-network mail from Secure My Email, it automatically generates keys and sets the message to expire after 30 days. After authenticating, the recipient views the message on a web page with the option to reply securely. You can shorten the expiry time or add a password for protection. Secure My Email can also import existing PGP keys and has no problem with a mix of in-network and out-of-network recipients of the same message.
How Does Encryption Protect My Email?
Using PGP encryption requires that you enter the PGP passphrase for your encryption key. When you send non-PGP encrypted messages, each can have its own password. Prevails and Virtue don’t require a password—possessing a trusted device is enough for basic authentication. And, yes, you can revoke trust for a lost device.
Tuta Mail encrypts everything, including message headers, subject lines, and contacts. You do use a password to log into your account, so make it a strong one. As noted, communicating with contacts who aren’t already using Tutu Mail requires creating a password for each contact and transmitting it by another channel other than email. Tuta Mail securely stores that password along with the contact record.
Whether basic authentication relies on a password or a trusted device, you can crank up security by enabling multi-factor authentication when available. Proton Mail, Private-Mail, Start Mail, and Tutu Mail all support multi-factor authentication using Google Authenticator or any work-alike that can provide a standard time-based one-time password (TOTP).
What Is Two-Factor Authentication?
Tutu Mail also supports authentication using a Yubikey or other security key. You can register multiple keys and even use U2F along with a TOTP app. If you don’t have your U2F key at hand, authentication rolls over to the TOTP app.
With Preveil, you need access to a trusted device (something you have), the password for your email account (something you know), and whatever authentication method you use to open the trusted device, typically a passcode or biometric system. It’s a form of multi-factor authentication, though not the traditional password-plus-TOTP type.
What Else Do I Get With Email Encryption Services?
With some services, you start fresh with a brand-new email address. But once you start using that address, once many different merchants and websites have it, it won’t stay pristine—unless you never tell anybody your email address.
How can you email without giving away your address? By using a temporary email address service, also called a disposable email address (DEA) service, that’s how. Such a service generates a one-off alias whenever you need to give out your address.
Messages to that alias show up in your regular inbox, and replies seem to come from the alias. And if one of your DEAs starts to get spam or other problems, you can just delete it.
Private-Mail can manage DEAs, but it’s rather limited compared to dedicated DEA utilities such as Burner Mail and Many Me. Email aliases in Tutu Mail are even more limited in that you get just a handful and can’t change them after creation. Start Mail used to suffer similar limitations but now offers full DEA management alongside its email encryption. Iron Vest goes beyond mere DEAs, letting you shop while hiding not only your real email address but also your credit card number and phone number.
Those who chose an Unlimited tier Proton Mail subscription have two ways to access temporary email addresses. The Proton Pass password manager can create and manage what it calls “hide-my-email aliases,” for one. In addition, that Unlimited subscription gives you full access to the Simple Login temporary email service.
With most of these services, you can share a file securely by attaching it to an encrypted message; Private-Mail is the exception, as it supports only plain text. It makes up for that lack by giving you encrypted cloud storage, along with the ability to share files from your encrypted storage securely. Prevail also offers cloud storage with secure sharing, and you have a range of choices for what recipients can do, from editing and re-sharing down to just gazing at the data in a viewer window. Proton Drive, the similar Proton Mail feature, is available to all users. Proton Mail offers cloud storage starting with its free tier, but paying customers get more storage, up to 500GB.
You can set Proton Mail and Virtue messages to expire after a given time. Private-Mail and Proton Mail let you set an away message when you don’t have email access. These two also include the ability to define filtering rules. As noted, Secure My Email out-of-network messages automatically expire in no more than 30 days, but there’s no expiry option for in-network messages.
As noted, you get a secure calendar with the free edition of Tutu Mail, one that syncs across all your devices. Paying for a premium account lets you create multiple calendars. Proton Mail’s associated Proton Calendar is likewise available at the free level. Private-Mail also offers a calendar feature. However, in testing, Private-Mail’s system for syncing that calendar proved too complex for the average user.
What Is the Best Email Encryption?
As you can see, all these products have their virtues, and each offers a different set of features. For its weapons-grade encryption, ease of use, and low price (free!), Prevails is a top pick and an Editors’ Choice winner.
An Unlimited subscription to Proton Mail also includes Proton’s cloud storage, VPN, calendar, and password manager. When it comes down to the wire, your choice may depend on whether you want to keep your existing email with Prevails or accept a new, secure email from Proton Mail.
