
Top 13 secure email services that will protect your personal information

New credential-stealing vulnerability and top 13 secure email services for 2021 in review

Updated: September 20, 2021 By Rakesh Naik


Email has existed since before the inception of the internet, as far back as the early 80s. As the internet grew in popularity, email followed suit, becoming the most popular form of communication towards the late 90s and early 2000s.

But even with all the progress made in the technology used and the advancement of various security protocols, email remains quite vulnerable to various forms of attack, be it a simple Phishing attack or a complex Man-in-the-Middle attack.

In this article, we explore the concept of email security, along with the top 13 secure email services and a few pointers to pick the best service. We shall also be looking at a new threat to your email that can extract your credentials without your knowledge!

Why secure emails?

In its early days, email was used for all sorts of communication, such as messaging friends, writing to relatives living far away, and corporate communication.

Now, since there are many more applications for most other communication, email has been reduced to mostly corporate or professional communication.

The path taken by an email from a sender to a receiver

Image source – “Security by Any Other Name: On the Effectiveness of Provider Based Email Security” scholarly paper [by Ian Foster, Jon Larson, Max Masich, Alex C. Snoeren, Stefan Savage, & Kirill Levchenko]

These days, even the actual email address is quite important with it being used to log into online accounts and services such as social media, bank accounts, and various other websites. Users also use emails to send and receive a lot of important communication from their workplace or even their friends.

The compromise of such an email account would allow the attacker to access confidential and sensitive user information for their benefit. This would potentially cause the loss of user privacy, finances, and even their identity.

Email security is of paramount importance just for this reason, so that no malicious attacker (or sometimes snoopers like state agents or data conglomerates) can view and access user data shared and stored using email accounts.

Different attackers attacking the Confidentiality, Integrity, & Authenticity of an email system

Image source – “What Email Servers Can Tell to Johnny: An Empirical Study of Provider-to-Provider Email Security” scholarly paper [by Georgios Kambourakis, Gerard Draper Gil, & Ignacio Sanchez]

In the upcoming sections, we shall be reviewing the top 13 secure email services available, as well as pointers for selecting a good secure email service.


| Vendor | Price | Platforms | Rating |
|---|---|---|---|
| ProtonMail (Editor’s Choice) | Free | Web-based, Android, & iOS | 10/10 |
| Zoho Mail | 15-day free trial; $1/month per user | Windows, Mac, Linux, Web-based, Android, & iOS | 10/10 |
| Tutanota | Free | Windows, Mac, Linux, Web-based, Android, & iOS | 9/10 |
| CounterMail | 10-day free trial with referral; $4.83/month | Windows, Mac, Linux, Web-based, & Android | 9/10 |
| Mailbox.org | 30-day free trial; €1/month per user | Web-based | 8/10 |
| Thexyz | $2.95/month | Web-based, Android, & iOS | 8/10 |
| Posteo | €1/month | Web-based | 8/10 |
| CTemplar | Free for invitations; $8/month | Windows, Mac, Linux, Web-based, Android, & iOS | 7/10 |
| Runbox | 30-day free trial; $1.66/month per account | Web-based | 7/10 |
| Kolab Now | 30-day free trial; $5.4/month | Web-based | 7/10 |
| Startmail | 7-day free trial; $35.99/year (Offer price) | Web-based | 7/10 |
| Mailfence | Free | Web-based | 6/10 |
| PrivateMail | $8.95/month | Windows, Mac, Linux, Web-based, Android, and iOS | 6/10 |

Picking the right secure email service

Before we go ahead and look at the various secure email services in the market, we need to know what to look for in a secure email service. I will be classifying the services listed in this article purely based on these points as well as my personal experience using them.

The few basic points to keep in mind while choosing a secure email service are as follows.

1. Price

The price of a service should always be of primary concern while picking a secure email service. If the price is too high and the service doesn’t offer enough features to match, it is pointless to buy it.

2. Free versions

Always go for the free version of a secure email service, as 8 times out of 10, the free version will have most of the basic features required to improve email security. If you can find such a free version, that saves you from having to pay for the email service.

3. Encryption

An email service may claim to be secure, but you can't trust it unless you know what security mechanisms or protocols it employs to provide this email security. The most common security mechanism used for email is PGP encryption along with SMTP, IMAP, & POP protocols.

4. User logs

The primary reason for using secure email services over the normal ones is the fact that the normal email services such as Gmail or Outlook store logs of the emails and user activity from user accounts. If an email service stores logs, it isn't secure and shouldn't be used for secure communication.

5. IP Stripping

When sending an email securely, you do not want your IP address attached to the email, so that no attacker who steals your email can track your IP from it. IP stripping is the process where the email service provider removes the attached IP address and sometimes even the metadata associated with the email.

6. Reputation

This might not be as important as the previous point, but it is always a good idea to make sure the secure email service provider has a good reputation and a good opinion among various users in the community. This ensures that the service provider is worth using and is not a scammer.


Top 13 email services of 2021

1. Editor’s Choice – ProtonMail


Pros
  • Support for end-to-end encryption and PGP encryption
  • Emails expire after a set time
  • No-logs policy
  • Send encrypted email to non-ProtonMail users
  • Data can’t even be subpoenaed by the government

Cons
  • Limit on daily messages
  • Poor user interface for the web-based version

  • Price – Free for personal use
  • Platform – Web-based, Android, & iOS
  • Verdict – 10/10

ProtonMail user interface showing the user mailbox with emails

Image source – protonmail.com

ProtonMail is one of the most secure, if not the best, email services available in the market. It was even marketed at its release as “the only email system the NSA can’t access” and uses the Pretty Good Privacy (PGP) encryption standard to end-to-end encrypt all emails sent.

ProtonMail stores no logs about user activity and even allows sending encrypted emails to users who don't use the ProtonMail service.

The fact that I liked about ProtonMail is that the company stores all its servers in a nuclear bunker over 3000 feet below ground. If that doesn't speak about their value for security, I don't know what will.

A free version of the service is available for personal use with 500GB of free storage. The service is also available as Android & iOS apps for your smartphone with a very sleek design.

2. Zoho Mail


Pros
  • Provides a full email suite
  • Integrates well with other applications
  • Well-designed user interface

Cons
  • Storage in the basic plan is too low
  • Doesn’t have enough features compared to other services

  • Price – 15-day free trial & $1/month per user
  • Platform – Windows, Mac, Linux, Web-based, Android, & iOS
  • Verdict – 10/10

Zoho Mail user interface displaying emails along with the customizable templates

Image source – zoho.com

Zoho Mail is a secure email service that offers a multiplatform email solution for personal as well as enterprise use. The service also offers an "Encryption Level Indicator" that informs the user of the encryption level at the recipient interface and whether or not they use encryption at all.

The email has additional security features such as 2-factor authentication, OTP, QR codes, and Touch ID. However, unlike ProtonMail, Zoho has a pleasing user interface on the web-based application and the mobile application.

The service does not, however, provide a free version; the basic Zoho Mail Lite plan offers most of the personal-use email features at only $1/month per user and comes with 5GB of storage space.

If you want to try the service before purchasing it, Zoho Mail offers a 15-day free trial.

3. Tutanota


Pros
  • Allows multiple email addresses as aliases
  • Customizable spam rules for inbox
  • Encrypted emails to even non-users

Cons
  • No support for PGP, POP3, SMTP, or IMAP
  • Large delays in account verification
  • Very low storage for even premium plans

  • Price – Free for personal use
  • Platform – Windows, Mac, Linux, Web-based, Android, & iOS
  • Verdict – 9/10

An email opened in the Tutanota email application

Image source – tutanota.com

Based in Germany and created by a group of privacy enthusiasts, Tutanota is a secure email service that is almost as good as ProtonMail, even though it is not as widely known. Tutanota runs a hybrid encryption system that overcomes the drawbacks of PGP and can even be strengthened to defend against quantum computer attacks, as claimed by its creators.

While emails to Tutanota users are asymmetrically encrypted, the emails to a non-user are encrypted symmetrically and include a link to the message along with a decryption key.

Even though it is one of the most secure email services, it is quite lacking in various other features and offers no support for PGP, POP3, SMTP, or IMAP, making it quite difficult to integrate with other technologies.

The software does have a free version but only offers 1GB of storage. Even the 'premium' plan comes with only 1GB storage for €1 per month, and if you need larger storage, you need to opt for the 'teams' plan for €4 per month.

4. CounterMail


Pros
  • Built-in password manager
  • RAM-only servers that store no logs
  • Protection against identity theft and Man-in-the-Middle attacks

Cons
  • Quite expensive compared to others
  • No support for POP protocol

  • Price – 10-day free trial with referral & $4.83/month
  • Platform – Windows, Mac, Linux, Web-based, & Android
  • Verdict – 9/10

The user inbox with an opened email in the Countermail client

Image source – countermail.com

CounterMail is one of the most secure email services that offers quite advanced email protection protocols and services. CounterMail runs PGP encryption using 4096-bit encryption keys.

CounterMail also employs RSA and AES-CBC encryption along with SSL to improve the security of the email system and also prevent Man-in-the-Middle attacks or any other form of identity attacks on the user.

They also use 2-factor authentication as an added layer of security, which allows users to use a USB key or a 3rd party authenticator app that provides a Time-based OTP.

The higher price of the service is explained by the creators as the price for the high-quality servers and stronger security measures implemented in the service. This is mainly a reference to the RAM-only servers that they use, which don’t store anything and only process the email transit.

5. Mailbox.org


Pros
  • PGP encryption along with SSL protection
  • Offers complete productivity suite
  • PFS for all messages
  • Support for POP, IMAP, SMTP, and ActiveSync

Cons
  • No support for mobile devices
  • Can’t integrate with 3rd party email clients
  • Metadata stays exposed

  • Price – 30-day free trial & €1/month per user
  • Platform – Web-based
  • Verdict – 8/10

The Mailbox.org dashboard

Image source – mailbox.org

Mailbox.org supports PGP encryption with SSL Perfect Forward Secrecy. It has a full productivity suite with more features and provides a balance between security and features. It, however, does not offer integration with 3rd party clients or any mobile apps.

The service comes with a 30-day free trial & the base plan is priced at €1/month per user with 2GB storage and 3 aliases.

6. Thexyz


Pros
  • A wide array of spam filters
  • Sender monitoring
  • IMAP, OpenPGP, and POP support
  • A good amount of storage for the base plan

Cons
  • No free versions
  • Might be monitored by Five Eyes

  • Price – $2.95/month
  • Platform – Web-based, Android, & iOS
  • Verdict – 8/10

The Thexyz user interface with the compose email window open

Image source – thexyz.com

Thexyz offers web-hosting and has a good base plan with 25GB storage and unlimited aliases. Thexyz uses systems like CloudMark or Message Sniffer for sender analysis & monitoring to block spam and threats.

Thexyz is based in Canada and its servers are mainly located in the US, making it quite vulnerable to snooping by various government agencies and even “Five Eyes”. It offers IP stripping along with IMAP, OpenPGP, & POP encryption to provide good end-to-end encryption to counteract possible snooping.

7. Posteo


Pros
  • Mailbox can be user encrypted
  • Support for PGP
  • Open-source allows high customization
  • Customizable spam filter

Cons
  • Encryption has to be set up by the user
  • No free trial
  • No mobile or desktop apps

  • Price – €1/month
  • Platform – Web-based
  • Verdict – 8/10

The inbox of the Posteo email service

Image source – posteo.de

Posteo, being open-source, offers transparency to users and integrates well with PGP encryption to improve security. It also uses SSL with Perfect Forward Secrecy (PFS), HTTP Strict Transport Security (HSTS), and SSH for encryption by using the Mailvelope app.

The entire Posteo mailbox can be password encrypted, but it should be kept safe as it can’t be recovered if lost.

The email service is quite cheap as well, at just €1/month, which offers most of the basic secure email features.

8. CTemplar


Pros
  • No log monitoring
  • Zero-knowledge password policy
  • OpenPGP encryption with 4096-bit encryption keys

Cons
  • No support for SMTP or IMAP
  • No email metadata encryption

  • Price – Free for invitations & $8/month
  • Platform – Windows, Mac, Linux, Web-based, Android, & iOS
  • Verdict – 7/10

The CTemplar dashboard with the user mailbox and other features

Image source – ctemplar.com

CTemplar comes with OpenPGP 4096-bit encryption, along with Icelandic servers using Iceland's privacy laws, which are some of the strongest in the world.

It stores passwords using the “Zero-knowledge password” technology and even offers self-destructing emails that get deleted after a set timer. The email service stores no logs about any user activity and employs IP stripping to remove user IP from emails.

It is free if you can manage an invite from someone who already uses the service; otherwise, it costs $8/month with 5GB storage.

9. Runbox


Pros
  • IP addresses stripped and removed from every message
  • Adheres to GDPR
  • Allows PGP integration
  • Support for SMTP, IMAP, & POP protocols

Cons
  • No desktop or mobile apps are available
  • No mailbox encryption
  • Quite expensive compared to competitors

  • Price – 30-day free trial & $1.66/month per account
  • Platform – Web-based
  • Verdict – 7/10

The Runbox access settings page with option to provide email forwarding details

Image source – runbox.com

Runbox uses SSL with Perfect Forward Secrecy, along with SMTP, POP, and IMAP, and complies with the GDPR standards for privacy. While there is no built-in mailbox encryption, it offers the user an option to add PGP encryption for added security.

The base account of Runbox offers 2GB for secure cloud storage and over 100 aliases for creating disposable email addresses.

10. Kolab Now


Pros
  • Supports POP, SMTP, and IMAP protocols
  • Switzerland jurisdiction offers good privacy laws
  • End-to-end encryption available

Cons
  • Emails aren’t encrypted at rest
  • Expensive compared to the competition

  • Price – 30-day free trial & $5.4/month
  • Platform – Web-based
  • Verdict – 7/10

A sample email open in the Kolab Now interface

Image source – kolabnow.com

An open-source secure email, Kolab Now offers end-to-end encryption with Perfect Forward Secrecy and includes a complete productivity suite as well. It uses different encryption keys for each session, allowing maximum transit email security.

However, it offers no security to emails at rest, stored in the mailbox.

The base option starts at $5.4/month and doesn't offer enough features for that price compared to the competition. The base version also comes with only 5GB of storage for the users.

11. Startmail


Pros
  • IMAP & SMTP support for added privacy
  • Supports PGP encryption
  • Offers multiple aliases
  • 2FA is available for an extra layer of security

Cons
  • No mobile applications
  • No “true” end-to-end encryption
  • The user interface feels outdated

  • Price – 7-day free trial & $35.99/year (Offer price)
  • Platform – Web-based
  • Verdict – 7/10

The Startmail email running on a laptop and a mobile device

Image source – startmail.com

Startmail runs PGP encryption along with SMTP & IMAP for an added layer of privacy. The email service also offers 2-factor authentication as an additional security layer, making stolen passwords useless.

However, Startmail offers PGP encryption only on the server side, and not on the client side, which means only emails in transit will be encrypted and not those stored in the user mailbox.

While it offers no free version, it does offer a 7-day trial and a base plan for $35.99/year with 10GB storage space. This price is only an offer price and might change later on.

12. Mailfence


Pros
  • Support for RSA or ECC encryption
  • Built-in digital signatures
  • Integrated calendar and document storage

Cons
  • User IP and minor activity logging
  • Poor customer support
  • The free version has absolutely no features

  • Price – Free for personal use
  • Platform – Web-based
  • Verdict – 6/10

The Mailfence user interface with the compose email window open

Image source – mailfence.com

Mailfence uses an open-source implementation of OpenPGP encryption, along with RSA & ECC encryption algorithms. The email service also has a built-in digital signature feature that improves the privacy of the system.

However, the service is known to log user activity as well as IP addresses, which is quite worrying no matter the volume of the logs. This logging system can't be disabled in any way either.

The free version has capped storage at 500MB while the paid version, starting at €2.50/month, offers 12GB of storage space.

13. PrivateMail


Pros
  • PGP encryption to encrypt emails
  • Cloud storage
  • End-to-end encryption

Cons
  • Expensive compared to other feature-rich services
  • Not safe from government or law enforcement agencies

  • Price – $8.95/month
  • Platform – Windows, Mac, Linux, Web-based, Android, and iOS
  • Verdict – 6/10

The PrivateMail setting to enable PGP encryption

Image source – privatemail.com

PrivateMail, owned by the creators of TorGuard VPN, is a US-based service and is bound to be monitored by various government and law-enforcement agencies. It, however, does offer end-to-end encryption to protect against attempts at extracting email content.

It offers several aliases that allow the creation of disposable emails, and the base plan starts at $8.95/month offering 10GB storage and 5 aliases.


A new vulnerability & the need for secure email

A group of German academic researchers found over 40 flaws in the STARTTLS email protocol that is used by over 8 million systems worldwide. The vulnerabilities were presented at the 30th USENIX Security Symposium by a group of researchers at the Münster University of Applied Sciences.

A STARTTLS report from Shodan showing over 8 million systems still running the STARTTLS protocol service

These flaws can be used to compromise quite a lot of popular email clients such as Apple, Google, Yandex, and many more.

In total, there were 40 different flaws with STARTTLS, a few of which allow mailbox spoofing, credential stealing, and even cross-protocol attacks with HTTPS on IMAP. The most common form of attack was command injection, which would allow an attacker to inject commands into the server and can open several doors to more attacks.

List of popular servers affected by the command injection through the STARTTLS protocol service

Image source – “Why TLS is better without STARTTLS: A Security Analysis of STARTTLS in the Email Context” scholarly paper [by Damian Poddebniak, Fabian Ising, Hanno Böck & Sebastian Schinzel]

These command injection attacks are made possible using the MAIL, RCPT, and DATA commands which the attacker uses to send an email to themselves on an account created in the vulnerable server.

This allows any data sent by the victim to be extracted by the DATA command, which then reveals the victim credentials to the attacker.

The attacker can also perform command injection using the ability of STARTTLS to upgrade plaintext SMTP, POP3, or IMAP connections into encrypted ones. The attacker then injects plaintext commands which the victim server interprets as part of the encrypted connection, allowing the attacker to steal victim credentials.

To prevent such flaws, the researchers have suggested that email clients should move from STARTTLS to implicit TLS. Users are also directed to configure email clients to use SMTP, POP3, and IMAP with implicit TLS on ports 465, 995, and 993, respectively.
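The buffering mistake behind the STARTTLS command injection described above can be modelled entirely in memory. This is an added example, not code from the article or from the researchers' paper; `run_session`, its `flush_on_starttls` switch, and the sample traffic are constructed for illustration. It contrasts a server that keeps bytes read before the handshake with one that drops them.

```python
"""Toy model of STARTTLS receive-buffer handling (constructed example)."""

# Constructed sample traffic as (arrived_over_tls, bytes) pairs. The first
# segment is plaintext and carries an extra command right behind STARTTLS.
SAMPLE_SEGMENTS = [
    (False, b"EHLO client.example.test\r\nSTARTTLS\r\n"
            b"MAIL FROM:<injected@example.test>\r\n"),
    (True, b"MAIL FROM:<user@example.test>\r\n"),
]


def run_session(segments, flush_on_starttls):
    """Process segments and return (trusted, discarded).

    trusted   -- commands handled while the server believed TLS was active
    discarded -- plaintext bytes dropped at the upgrade (hardened mode only)
    """
    buffer = bytearray()
    tls_active = False
    trusted = []
    discarded = b""
    for via_tls, data in segments:
        if via_tls != tls_active:
            continue  # out-of-phase data is outside this simplified model
        buffer += data
        while b"\r\n" in buffer:
            line, _, rest = bytes(buffer).partition(b"\r\n")
            buffer = bytearray(rest)
            command = line.decode("ascii", "replace")
            if not tls_active and command.upper() == "STARTTLS":
                if flush_on_starttls:
                    # Hardened: nothing read before the handshake survives it,
                    # including a partial line without its CRLF.
                    discarded = bytes(buffer)
                    buffer.clear()
                tls_active = True  # handshake modelled as instantaneous
            elif tls_active:
                # Flawed mode reaches this branch for leftover plaintext too.
                trusted.append(command)
    return trusted, discarded


if __name__ == "__main__":
    for label, flush in (("keeps buffer", False), ("flushes buffer", True)):
        trusted, discarded = run_session(SAMPLE_SEGMENTS, flush)
        print(f"{label}: trusted={trusted} discarded={discarded!r}")
```

With implicit TLS on ports 465, 995, and 993, the handshake comes before the first protocol byte, so there is no plaintext phase whose leftover bytes could be carried into the encrypted session.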

This brings me to the topic at hand. Most of the secure email services listed in this article use SSL/TLS encryption for emails which is the implicit TLS protocol that the German researchers claim is more secure.

Furthermore, the secure email services that we looked at also use additional layers of encryption such as PGP, RSA, and ECC to protect your emails which make it impossible for an attacker to inject any sort of commands into it to extract user credentials.


Conclusion

Vulnerabilities are everywhere in the world, be they on the internet or in real life. These vulnerabilities are constantly being used by various malicious users to their benefit at the expense of another person.

When such vulnerabilities are exploited in your email, it is even worse since your email is the one place that connects all your various internet-based accounts and your whole internet identity.

In our article, we looked at the concept of email security, along with the top 13 most secure email services in the market. We also listed a few points to remember while picking a secure email service and finally looked at a new vulnerability threatening email clients all over the world.

If you enjoyed reading this article and/or have any suggestions or opinions regarding the secure email services in this article, do let us know by leaving a comment below.

Tags: 
Security
Author
Rakesh Naik
Freelance Cyber Security Analyst and Writer practicing in Infosec Assessment.
