Encrypted Email Services
How They Work, Why They Matter, and How to Choose One
In today’s digital landscape, protecting your privacy isn’t just a technical concern, it’s a human rights issue. With a background in law and a strong interest in digital rights and security, I believe privacy should be a right that everyone can understand and protect, regardless of their technical background.
This newsletter is designed to teach everyday users simple, practical steps to better protect their digital footprint and regain a bit more control online. Along the way, it explains important concepts so we can better understand how our data moves and how to keep it safe.
Encrypted Email Services
How They Work, Why They Matter, and How to Choose One
What is an encrypted email?
Encrypted email keeps your messages private, so only you and the person you're writing to can read them. Not your email provider, not internet service providers, and not hackers.
There are three main layers of protection:
Encryption in transit: Your message is scrambled while it’s being sent, so no one can intercept and read it on the way. However, once the message reaches your email provider’s server, it’s usually decrypted. This means the provider can read it, governments can request access to it, and hackers may be able to access it if the provider is ever breached.
Encryption at rest: Once your email is stored on your provider’s servers, encryption at rest protects it from physical theft or unauthorized access to storage systems. But since the provider controls the encryption keys, they can still read your messages and share them with third parties if legally compelled or compromised.
End-to-end encryption (E2EE): Your message is scrambled (encrypted) on your device before it’s sent and only unscrambled (decrypted) on the recipient’s device. This means no one can access the contents, even if they store it.
💡 Pro Tip: Most popular email providers, like Gmail and Outlook, do not use end-to-end encryption.
What happens when you send an email with encryption at rest and in transit?
When you use a typical email service that supports only encryption at rest and in transit (like Gmail, Yahoo, or Outlook), here’s what usually happens:
Your message leaves your device in readable form. It might be encrypted in transit using HTTPS, which protects it from being intercepted on the way, but the content can still be accessed once it reaches the server.
The email is delivered to your provider’s server, where it’s stored with encryption at rest. This protects the message from physical theft or disk-level attacks, but the provider still controls the encryption keys and can decrypt and read the contents.
The provider may scan or process your email. Many services automatically scan messages for spam filtering, malware detection, or advertising-related purposes.
The message is then transmitted to the recipient’s server. This part of the journey may also use HTTPS or STARTTLS for transit encryption, but both the sending and receiving servers can access the full message contents.
The recipient retrieves the message. Unless they’re using an end-to-end encrypted service, it’s typically delivered and stored in plain text.
Implications: Even with encryption at rest and in transit, your emails can still be read, stored, scanned, or handed over to third parties by your provider. You remain vulnerable to data breaches, surveillance, or misuse unless true end-to-end encryption is used.
What happens when you send an email with E2EE?
When you use an email service with end-to-end encryption, here’s what usually happens behind the scenes:
Your message is encrypted on your device before sending. The content is turned into unreadable ciphertext using an encryption key that only you and your recipient have access to.
The encrypted message is sent to your email provider’s server. The server can’t read or scan the content, it only sees scrambled (encrypted) data.
The message travels to the recipient’s email server. It remains encrypted during this journey, and again, the server can’t decrypt it.
The recipient’s device decrypts the message locally. Using their private key, the recipient’s device turns the ciphertext back into readable text.
The recipient reads the decrypted message on their device.
Implications: Since the message is encrypted end-to-end, no third party (not even the email providers) can read it. This protects your communications from surveillance, interception, and unauthorized access.
💡 Pro Tip: End-to-end encryption relies on secret digital keys stored on your devices. If someone gains access to your device through weak passwords or outdated software, they could potentially access those keys and read your messages. Use strong passwords and keep software up to date to stay secure.
Why should you care?
Because your messages often reveal more than you think. Without end-to-end encryption and other privacy protections, your private conversations can be:
intercepted or read by the app’s company, your ISP, network administrators, hackers, or the government
Scanned, stored, or analyzed by your email service
Used to identify you (even if you use a pseudonym)
Collected to build behavioral profiles based on who you talk to, when, and how often
Shared with third parties, including law enforcement or marketing firms, sometimes without your knowledge
Using an encrypted email service helps shield you from that kind of exposure. It’s one of the most effective ways to keep your conversations private, protect your identity, and communicate freely without fear of surveillance or misuse.
Okay, I'm in! How do I choose an encrypted email service?
Some email providers claim to protect your privacy but still collect and share your usage data behind the scenes. Others show ads, have weak default security settings, or are operated by companies with questionable privacy practices.
What are key features of a secure encrypted email service?
🧹 Open Source: Is the service’s code publicly available for independent security audits?
🗝️ End-to-End Encryption (E2EE): Are your emails encrypted on your device and only readable by the intended recipient?
🔁 Interoperability: Does the service allow encrypted communication with users on other platforms?
📉 Minimal Metadata: Does the provider limit what it logs, like sender, recipient, timestamps, and IP addresses?
💳 Anonymous Payment Options: Does the service accept anonymous payments like cryptocurrency, gift cards, or even cash?
🙈 No Personal Info Required: Can you sign up without giving a phone number or revealing your identity?
⚖️ Privacy-Friendly Jurisdiction: Is the provider based in countries with strong privacy laws and minimal surveillance mandates?
Comparison Chart of Well-Known Encrypted Email Providers
The chart below compares four well-known encrypted email services—Posteo, Proton Mail, Tutanota, and Mailfence—based on the criteria outlined above.
The best choice for you will depend on your desired level of privacy, security, and anonymity
💡 Pro Tip: If an email provider is closed source or only partially open source, it’s difficult to independently verify whether it truly uses end-to-end encryption as claimed. Unless the full source code is made available to auditors or the public, you’re relying solely on the company’s word, without a transparent way to confirm how your messages are actually encrypted or handled.
🔍 Deep Dive: PGP is a widely used encryption standard that protects email content using a pair of cryptographic keys: a public key to encrypt messages and a private key to decrypt them. This setup ensures that only the intended recipient can read the message, even if it’s intercepted in transit. Many encrypted email providers support PGP to enable end-to-end encryption, including with people using different platforms, making secure communication more flexible and widely compatible.
💡 Pro Tip: When signing up for online services, consider using email aliases or forwarding addresses. This helps prevent spam, phishing, and long-term tracking tied to a single email identity.
How to Get Started
Step 1: Choose your preferred provider
Step 2: Visit the provider’s website to sign up or install the providers app
Proton Mail, Tuta, and Mailfence have dedicated apps and offer free plans
Step 3: Open the app or website and complete the initial setup.
That’s it. You’re now emailing through a privacy-focused service that helps protect your communication from surveillance, profiling, and data mining.
💡 Pro Tip: If your email account offers a recovery email or key, make sure it's just as secure as your primary account. Weak recovery options are a common way attackers regain access. Consider printing or securely storing recovery keys offline.
An Important Note on Jurisdiction
Where a privacy service is based and where it operates its servers can significantly affect how your data is managed.
Some countries have strong privacy laws that require court orders or due process before authorities can access user data. Others are part of intelligence-sharing alliances or have laws that allow broad surveillance or secret government demands. This means even trustworthy services may be forced to collect or share your information. Sometimes without telling you.
Some privacy-focused companies, like Mullvad, go a step further by carefully choosing where their servers are located. They may avoid placing servers in countries with weak privacy laws, mass surveillance programs, or aggressive data retention mandates. Others operate globally without these precautions, meaning your data could pass through and be stored in high-risk jurisdictions, even if the company itself is based in a privacy-friendly country.
When evaluating a service, it’s worth considering:
Where the company is headquartered
Where it runs its servers
Whether it owns and controls its infrastructure or relies on third-party hosting
For more detailed information on data protection laws by country, visit DLA Piper’s comprehensive guide, which covers over 160 jurisdictions worldwide. The platform offers an interactive heatmap and in-depth summaries of each country’s privacy laws.
💡 Pro Tip: A service’s jurisdiction affects your privacy, but strong safeguards—like end-to-end encryption, minimal metadata logging, open-source code, and anonymous signup/payment options—can reduce risks even in countries with weaker privacy laws.
⚠️ Note: Avoid mixing secure and insecure accounts. If you forward encrypted emails to an unsecured address (like Gmail), you break the encryption chain. Keep your private communications separate from mainstream accounts to avoid accidental leaks.
A detailed, easy-to-use Digital Privacy Log now accompanies this newsletter. It’s designed to help you keep track of the privacy tools you’ve installed, document your setup across devices, and securely store recovery codes, configuration notes, and other key settings all in one place.
Stay tuned for Secure Cloud Storage & File Sharing—How It Works, Why It Matters, and Tools to Help You Take Control
Questions or feedback? Drop them below or send a private message.
#EncryptedEmail #Encryption #Posteo #ProtonMail #Tuta #DigitalRights #DigitalPrivacy #DigitalSecurity #DigitalFreedom #HumanRights
Posteo, Proton, Tuta, and Mailfence offer encrypted email services focused on protecting your privacy. None sponsor this article, and each offers tools designed to help you communicate securely and maintain control over your data.
If you’re interested, I encourage you to explore these options and choose the one that best fits your needs.
Newsletter Summary: Everyday Digital Privacy
This newsletter shares simple steps everyday users can take to strengthen our digital privacy, security, and anonymity:
🔒 Encrypting Your DNS Traffic — Learn how DNS requests reveal which websites you're trying to visit and how to encrypt them using services like Cloudflare, Quad9, Mullvad, and NextDNS.
🛡️ Hiding Your IP Address with a VPN — Understand what an IP address is, how your IP address exposes your location and identity, and how a trustworthy VPN like Mullvad VPN, Proton VPN, Riseup VPN, and Windscribe can encrypt all your traffic and hide where you’re connecting from.
📡 Hiding Your MAC Address — Discover how your devices' unique hardware IDs can be tracked by Wi-Fi networks (even when they're not online) and how to enable MAC address to limit passive tracking.
🌐 Privacy-Focused Browsers — Explore how your choice of browser impacts your online privacy, why mainstream browsers often collect extensive data, and how privacy-focused browsers like Mullvad, Tor, Firefox, and Brave can help block trackers, fingerprinting, and unwanted data collection.
💬 Private Messaging Apps — Understand what makes a messaging app truly private, how end-to-end encryption protects your conversations, why metadata still matters, and how to choose secure apps like Session or Signal that safeguard your communications from surveillance and hacking.
📧 Encrypted Email Services — Find out why email is one of the least private forms of communication by default, how end-to-end encryption works, and how to choose secure email providers like Posteo, Proton Mail, and Tuta that protect your messages (even from themselves).
💾 Secure Cloud Storage & File Sharing — Learn why mainstream cloud services leave your files exposed, how end-to-end encrypted storage tools keep your documents private, and how to share files securely using services like Cryptomator, Filen, Proton Drive, Tresorit or Sync.
🗝️ Encrypted Password Managers — Learn how password managers work, what makes one secure, and how to choose tools that use end-to-end encryption and zero-knowledge architecture. Compare options like KeePassXC, LessPass, Proton Pass, and Bitwarden to find the right balance of privacy, usability, and control.
🔎 Private Search Engines — Learn how search engines track what you’re curious about, how that data is used to profile you, and how private alternatives like Startpage, Mojeek, Brave Search, Qwant, and DuckDuckGo let you search the web without being watched, logged, or targeted.
✉️ Email Alias Services — Learn how alias tools like SimpleLogin, addy.io, Firefox Relay, DuckDuckGo, and Apple Hide My Email protect your real address from spam, tracking, and data leaks by letting you create unique, disposable email addresses for each site or app.
