The best secure email providers enable tighter security to protect your privacy.
When it comes to popularity and ease of use, there is no beating major email service providers like Google and Microsoft.
But these services still have a long way to go before they can be termed “secure.” Communication conducted over email isn’t normally secured by end-to-end encryption and can easily be subpoenaed by government agencies in case of legal conflict.
There are a number of other privacy and security issues to contend with. Gmail, for example, allows third-party service providers to scan your private emails to display more personalized advertisements. Generally speaking, corporations like these aren’t known for handling private data seriously.
However, there are more than a few email providers that offer increased security in exchange for a steeper price. These providers boast significantly better privacy practices than their mainstream counterparts, with strong protocols that dictate user rights in case of a subpoena or breach.
When on the lookout for a secure email provider, you have to keep in mind factors like data center location, end-to-end encryption, and zero-access guarantee. In this article, we will be taking a look at some of the most secure email providers currently in the market, perfect for conducting internal business communications and receiving sensitive information from other users.
Founded in 2014 at the European Organization for Nuclear Research (CERN), ProtonMail is a secure email provider featuring end-to-end encryption and a zero-access guarantee. The service was created in response to leaks from Edward Snowden and has its data centers based in Switzerland in an underground bunker strong enough to survive a nuclear attack.
One of the defining features of ProtonMail’s service is the “self-destructing” emails, which are automatically removed from the recipient’s inbox after a set time period. Moreover, you are not asked to divulge any sensitive information when signing up for a new account.
The free plan comes with limited storage and messages, and users looking for more may opt for any of its tiered premium plans.
- Read our full ProtonMail review.
Dedicated to serving business users with a strong requirement for security, Mailbox.org is a secure email provider based in Germany. It has a very user-friendly interface, and, despite being a secure email provider, it is compatible with mobile devices and third-party clients.
Aside from a secure email service, Mailbox.org also comes with encrypted cloud storage, video conferencing features, a functional address book, a calendar, and a task planner. It is a well-rounded solution for businesses looking for an encrypted workflow alternative to Google or Microsoft.
There is no free plan available, but the three premium-category plans are all very affordable. Secure Mail offers 2GB of email storage, 100MB cloud storage, three email addresses, and video conferencing capabilities. This is followed by the Team Mail plan and the Business Mail plan.
- Read our full Mailbox.org review.
With servers located all over the world, Zoho Mail is a secure email hosting solution with a focus on data encryption and user-friendliness. Unlike other secure email providers, it tries to achieve a subtle balance between features and privacy to give users a friendly experience.
Aside from the usual email service with adequate spam and mail filters, Zoho Mail also offers additional features like a calendar, a task manager, and a contact portal. In terms of security, Zoho offers an encrypted environment in which data is safe whether it is at rest or in transit. The data stored on its servers can still be accessed by the company and subpoenaed by government agencies, although there is a very specific protocol to follow in either case.
Zoho Mail comes with three paid plans to choose from: Mail Lite features 5GB of storage space per user. This is followed by Mail Premium, which offers 50GB of space per user. There is also an additional plan which is suitable for users who would also like access to the company’s other solutions, such as the web-based word processing and presentation software.
- Read our full Zoho Mail review.
With its data centers located in Germany, Posteo is the email provider of choice for digital crusaders and activists. It does not offer end-to-end encryption per se, since emails can be read in plain text by third parties if there is a leak. However, all data on its servers is secured, whether in transit or at rest.
Furthermore, Posteo uses a technology called DNS-based Authentication of Named Entities (DANE), which protects against hackers who try to impersonate the sender or the recipient to gain access to sensitive information. Posteo also doesn’t store any identifying data on its users and fights frequent legal battles to ensure the privacy of its users.
- Read our full Posteo review.
With its servers located in the United States, Privatemail is subject to certain legal restrictions and doesn’t offer the same amount of privacy from law enforcement or government agencies as an email provider based in Germany or Switzerland. However, it offers end-to-end encryption and secure cloud storage. It also boasts some really strong security practices.
Apart from offering email services, Privatemail features a very secure cloud storage service that’s included in all of its paid plans. The cloud storage feature is pretty powerful, with options to synchronize files between different devices and with a specific folder on your computer. There’s also an email calendar that business users will be thankful for.
Privatemail Standard comes with 10GB of email and cloud storage each, whereas Pro offers 20GB of space for email and cloud storage. There are business plans available for enterprise-level users offering 100GB of storage and a custom domain.
- Read our full Privatemail review.
What is SPF?
- By: Peter Goldstein, chief technology officer and co-founder, Valimail.
Email security and SPF have long gone hand in hand. That’s because Sender Policy Framework, also known as SPF, is considered the first and oldest email authentication standard.
SPF is an IP-based authentication protocol, such that messages are authenticated with SPF based on the IP address of the server that delivers the message to its final destination. To use SPF, a domain owner declares in a specially-formatted DNS TXT record the list of servers and networks authorized to send mail using that domain. Mail receivers, such as Gmail or Yahoo Mail, can then look up that record to determine if an authorized host delivered the incoming messages.
When SPF made its way onto the security scene in the early 2000s, it was a game-changer. The Internet today though is far more complex. As a result, SPF can prove challenging.
To start, SPF is a text record, which makes typos and syntax errors all too easy. And while there are nuances to SPF that can trip up even the most seasoned IT person, the biggest challenge is the fact that there are no notification mechanisms in place. If something goes wrong with your implementation, it’s up to you to figure out when, why and how it happened.
Aside from implementation challenges, SPF has a few limitations to keep in mind.
- SPF contains a limit on the number of DNS lookups that mail servers will do when evaluating an SPF record, aka the 10-domain lookup limit. Historically, this limit has not been a challenge as most senders ran their own mail infrastructure. Ten lookups can go pretty quickly though in today’s cloud-first environment.
- SPF uses the domain shown in a message’s Return-Path field for authentication, leaving the “From:” address open to spoofing.
- SPF is prone to failure when a message passes through an intermediary, such as a forwarding service or mailing list, on the way to its final destination.
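The lookup limit and the typo problem described above can both be checked before a record is published. The following is an added example, not part of the original article: an offline linter that walks `include` and `redirect` chains and counts the terms that cost a DNS query under RFC 7208. Every domain and record in `ZONE` is constructed for illustration.

```python
import re

LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}  # one DNS query each
FREE_MECHS = {"all", "ip4", "ip6"}                                  # no query needed
MAX_LOOKUPS = 10

# Constructed TXT records standing in for live DNS answers
ZONE = {
    "example.test": "v=spf1 mx a include:_spf.mailer.test include:_spf.crm.test -all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test ~all",
    "_a.mailer.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailer.test": "v=spf1 a mx ~all",
    "_spf.crm.test": "v=spf1 include:_x.crm.test exists:%{i}.crm.test ~all",
    "_x.crm.test": "v=spf1 mx ip6:2001:db8::/32 ~all",
    "typo.test": "v=spf1 ipv4:192.0.2.1 inlcude:_spf.mailer.test -all",
}

def walk(domain, zone, path=()):
    """Return (dns_lookups, problems) for one record, recursing into include/redirect."""
    if domain in path:
        return 0, [f"{domain}: include loop"]
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, [f"{domain}: no valid v=spf1 record"]
    lookups, problems = 0, []
    for term in terms[1:]:
        modifier = re.match(r"([a-z][\w.-]*)=(.*)", term, re.I)
        if modifier and modifier.group(1).lower() != "redirect":
            continue  # exp= and other modifiers do not count toward the limit
        body = term.lstrip("+-~?")  # drop the qualifier
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        target = re.split(r"[:=]", body, maxsplit=1)[-1]
        if name in FREE_MECHS:
            continue
        if name not in LOOKUP_TERMS:
            problems.append(f"{domain}: unknown mechanism '{term}'")
            continue
        lookups += 1
        if name in ("include", "redirect"):
            n, p = walk(target, zone, path + (domain,))
            lookups, problems = lookups + n, problems + p
    return lookups, problems

def lint(domain, zone=ZONE):
    """Lint the SPF record for domain, adding a finding if the lookup limit is exceeded."""
    lookups, problems = walk(domain, zone)
    over = [f"{domain}: {lookups} DNS lookups, limit is {MAX_LOOKUPS}"] if lookups > MAX_LOOKUPS else []
    return lookups, problems + over
```

The top-level record for `example.test` contains only four lookup terms, yet the nested includes bring the total to 11, which is how a cloud-heavy sender exceeds the limit without noticing.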
Since SPF is not enough in today’s cloud environment, domain owners should look for a complete email authentication solution that addresses the shortcomings of SPF. Domain-based Message Authentication, Reporting and Conformance (DMARC) is a great place to start.
Peter Goldstein is an MIT and Stanford-trained technologist who has worked in a variety of software verticals, including security, enterprise, email and video. He has built products and teams at a number of large technology companies, such as RSA Security and Perot Systems, as well as at small startups, like Tout, Securant and Swapt.