• End-to-end, zero-knowledge encryption.
In any case, it is end-to-end encrypted only between users of the same service. PGP is the only universal way of sending encrypted email to anyone, but unfortunately not enough people know how to use it. Zero-knowledge encryption means the decryption key must exist only on the user's device, unlocked by a password the provider never sees; otherwise the data is not protected against state-sponsored criminals. This does not mean the provider could never hand plaintext to a government, only that doing so would require actively attacking the user (for example by serving them tampered client code) in order to steal the password. Up to now they have not done so, and most probably will not in the foreseeable future. It also means the provider is unable to recover (decrypt) the data if the password is lost. Tutanota explains that if it were required to hand over inboxes (which happens only under a valid German court order for a criminal prosecution), all the data handed over would be encrypted; even the inbox rules are encrypted.
• Open-Source.
Open source does not guarantee that anyone has actually taken the time to audit the code for backdoors or weaknesses, but it shows a will to be transparent. Tutanota claims to audit its code regularly and has been subject to an extensive penetration test by SySS GmbH.
• Own business domain.
Your own domain gives state-sponsored criminals an attack opportunity through your DNS records (whoever controls the zone can point the MX records at a server they control), so host the domain with a registrar that protects access to it, and not in the same country as your email provider. Look at states outside the fourteen eyes with a record of respecting privacy and democracy. End-to-end encryption is the safeguard in case emails are intercepted this way. Or just stay with the provider's domain (tutanota.com or protonmail.com).
• Administration of users.
Multiple users can each have multiple aliases. A user has its own login, username, password and mailbox. An alias is an additional address that delivers into the original mailbox. For example, the original address name.surname@yourdomain could have aliases blabla01@yourdomain, blabla02@yourdomain and so on; anything sent to an alias lands in the main name.surname@yourdomain mailbox. The benefit is that you can create and destroy addresses easily, for instance one alias per service you sign up to, discarded when it starts receiving spam.
• Resistance to state-sponsored criminals.
Police, prosecutors and the like. Their crimes are "legal" because they have corrupted the state institutions. They are the most dangerous sort of criminal, to an individual or to a country: if they have done something illegal, they can cover it up any way they like. They can intercept and read unencrypted IMAP, POP3 and SMTP traffic, and they can obtain a fraudulent certificate for your email provider's domain from a cooperating or compromised certificate authority, so TLS/SSL alone is no guarantee against them. They can get access to your SMS and emails, which means an account recovery option is often an easy attack path for them. That is why you should always use encryption software, encrypt your devices, and buy hardware outside the country you operate in.
• Emergency support by the provider.
From there it is easy to strike a lot of solutions off the list. Basically it quickly came down to Tutanota vs Protonmail. Interesting fact: the NSA requested a backdoor from them and they refused. We use both of them, but Tutanota is the one hosting our domain name, via the Premium package.
The main differences between Tutanota and Protonmail are the price and storage capacity:
• Tutanota business plan is $1/user/month.
• Protonmail business is €6.25/user/month and is limited to 5 users.
• With Protonmail you can create administrators for your organisation who can manage regular users' accounts.
• Tutanota is cheaper than Protonmail but offers less storage space (1 GB vs 5 GB).
• Both can be used for free.
Only with Tutanota Premium:
• No recovery (email or SMS).
The admin can nevertheless restore a user's access from the admin panel. (In Protonmail the email recovery feature can be disabled.)
• Doesn’t ask for a GSM phone number.
Protonmail will twist your arm to get your mobile (GSM) phone number. They claim you can fill in a captcha instead, but that process is so long that most people give up. SMS can very easily be intercepted by state-sponsored criminals; it is the worst recovery option imaginable.
• Auto-synchronization with several devices and browsers.
• Servers are located in Germany, therefore under German privacy protection laws.
I'm not sure this is good, as Germany is part of the fourteen eyes. On the one hand, we know there is a lot of NSA hardware on German soil; basically this is where they spy on Europe from. On the other hand, it means Germans are used to fighting back. In any case, Tutanota claims it will not give backdoors to these agencies and would even move the company to another country if a law forced it to build them.
• Dual encryption mechanism.
Tutanota uses a dual mechanism: private key + password. A key pair is generated in the browser upon registration and is used for encryption and decryption. The private key is then encrypted with a key derived from the login password, so the server only ever holds the encrypted private key and only someone who knows the password can unlock it.
• Uses DANE on top of TLS and PFS.
On top of its automatic end-to-end encryption, Tutanota uses DNSSEC, DANE, PFS and STARTTLS to secure the transport between mail servers and to Tutanota, and publishes DKIM and DMARC records so that receivers can verify that mail claiming to come from Tutanota really did. DANE lets a sending server check the receiving server's certificate against a DNSSEC-signed TLSA record in DNS, which defeats man-in-the-middle attacks that rely on a fraudulently issued certificate; every mail provider should implement it.
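The check that DANE adds, as an added example (not Tutanota's or any mail server's code): a sending server that has fetched the TLSA records for the receiving host compares the certificate presented in STARTTLS against them (RFC 6698 usage, selector and matching-type fields), so a certificate issued for the same name by a coerced public CA, as in the earlier point about spoofed certificates, no longer passes. The "certificates" and the DNS answer below are constructed byte strings, not real DER or real records; the example handles the DANE-EE usage (3) only, since usages 0 to 2 additionally require PKIX chain validation.

```python
import hashlib
import hmac

# Added example (not Tutanota's code): DANE TLSA matching for DANE-EE (usage 3).
# Constructed stand-ins; a real implementation feeds in the DER from the TLS handshake.
GENUINE_CERT = b"constructed DER: mail.example.org, key K1, issued by the provider's CA"
GENUINE_SPKI = b"constructed SubjectPublicKeyInfo for key K1"
FORGED_CERT = b"constructed DER: mail.example.org, key K2, issued by a coerced public CA"
FORGED_SPKI = b"constructed SubjectPublicKeyInfo for key K2"

# What _25._tcp.mail.example.org would publish (zone-file form): usage 3 (DANE-EE),
# selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256 of the selected data).
TLSA_RECORDS = ["3 1 1 " + hashlib.sha256(GENUINE_SPKI).hexdigest()]


def parse_tlsa(presentation: str) -> dict:
    """Parse 'usage selector matching hex-data' into its fields."""
    usage, selector, matching, data = presentation.split(None, 3)
    return {"usage": int(usage), "selector": int(selector),
            "matching": int(matching), "data": bytes.fromhex(data)}


def tlsa_association(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    """Compute the certificate association data the record must equal."""
    if selector == 0:
        chosen = cert_der          # full certificate
    elif selector == 1:
        chosen = spki_der          # SubjectPublicKeyInfo only (survives re-issuance)
    else:
        raise ValueError("unknown selector")
    if matching == 0:
        return chosen              # exact match
    if matching == 1:
        return hashlib.sha256(chosen).digest()
    if matching == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError("unknown matching type")


def dane_verify(records: list[str], cert_der: bytes, spki_der: bytes,
                dnssec_validated: bool) -> bool:
    """True only if the TLSA RRset was DNSSEC-validated and a DANE-EE record matches
    the presented end-entity certificate."""
    if not dnssec_validated:
        return False   # without DNSSEC an attacker on the path can forge the TLSA answer too
    for rec in map(parse_tlsa, records):
        if rec["usage"] != 3:
            continue   # PKIX-TA/PKIX-EE/DANE-TA need chain validation, out of scope here
        try:
            expected = tlsa_association(cert_der, spki_der, rec["selector"], rec["matching"])
        except ValueError:
            continue   # unusable record: RFC 6698 says ignore it rather than fail open
        if hmac.compare_digest(expected, rec["data"]):
            return True
    return False


if __name__ == "__main__":
    print("genuine:", dane_verify(TLSA_RECORDS, GENUINE_CERT, GENUINE_SPKI, True))
    print("forged :", dane_verify(TLSA_RECORDS, FORGED_CERT, FORGED_SPKI, True))
```

The forged certificate carries a different key, so its SPKI digest never equals the published one, regardless of which CA signed it; and because the TLSA record is only trusted when DNSSEC validated it, the attacker cannot simply publish a matching record. Both halves (DNSSEC and DANE) are needed, which is why the section lists them together.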
This is all you need to register. The captcha is about as easy as they come, so easy that a machine could create accounts.
Only with Protonmail Plus:
• Auto-destruct (expiring) emails between Protonmail users; also possible for external recipients if you send a password-protected email.
• You get a notification at your recovery email address when you have a new email.
• Can disable recovery email.
• Asks for a GSM phone number.
• PGP encryption available.
Tutanota plans to develop an API that lets users use PGP in a user-friendly way.
• Servers are located in Switzerland, therefore under Swiss privacy protection laws.
By remaining outside US and EU jurisdiction they provide a safer location for protecting confidential data.
• Contacts import-export.
• Language support: French, German, Russian, Spanish, Polish, Turkish, Ukrainian, Dutch.
• Auto Unsubscribe.
The auto-unsubscribe feature makes it easier to unsubscribe from mailing lists or newsletters you no longer want to receive. It works by reading the unsubscribe link from the message's List-Unsubscribe header (which mail clients normally hide) and showing it in the top right corner of the message. To remove your address from a mailing list, just click "Unsubscribe".
• PIN protection for mobile apps.
• Auto-responder.
With this feature, users can set a personalised auto-reply to incoming messages. This way, if you are on vacation or out of the office, you can automatically let customers know.
• Custom filters with Sieve.
The ProtonMail default filter options are useful for basic tasks and very easy to set up to keep a well-organised inbox. Custom filters written in Sieve are the advanced version: Sieve is the standard mail-filtering language (RFC 5228), so filtering can be customised almost without limit. This is a feature for power users, but it makes ProtonMail filters far more powerful.
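A short Sieve script as an added example (not ProtonMail's documentation), written in the RFC 5228 core language plus the standard "fileinto" extension. It applies the alias idea from the administration section above: mail to a throwaway alias is filed in its own folder, and messages about account recovery that did not pass the receiving side's DKIM check are kept out of the inbox for review. The folder names, the alias address and the assumption that your provider adds an Authentication-Results header to incoming mail are illustrative.

```sieve
# Added example: standard Sieve (RFC 5228 core + "fileinto").
# Folder names, the alias and the Authentication-Results header are assumptions.
require ["fileinto"];

# Everything sent to a throwaway alias lands in its own folder, so the alias
# can be deleted later without disturbing the main inbox.
if address :is "to" "blabla01@yourdomain" {
    fileinto "Aliases/blabla01";
    stop;
}

# Recovery-themed messages that did not pass DKIM at the receiving server are a
# common phishing pattern; park them for review instead of delivering to the inbox.
if allof (header :contains "subject" ["password reset", "verify your account"],
          not header :contains "Authentication-Results" "dkim=pass") {
    fileinto "Review";
    stop;
}
```

The `stop` after each `fileinto` prevents later rules from also acting on the same message; without it a message can end up filed twice.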
• Desktop client bridge.
The ProtonMail Bridge adds IMAP and SMTP support to ProtonMail and is available to all paid ProtonMail members. It runs locally on your machine, encrypting and decrypting mail so that you can send and receive encrypted email from within your mail client of choice; mail between the client and the Bridge therefore only exists in plaintext on your own device, which is one more reason to encrypt that device. The Bridge supports Apple Mail, Thunderbird, Outlook 2011 and Outlook 2015 on macOS, and Thunderbird, Outlook 2010, Outlook 2013 and Outlook 2016 on Windows.