Standard email messaging still relies on decades-old protocols that weren’t built for security. Just about every online connection these days uses the secure HTTPS protocol, meaning it’s encrypted during transmission. Webmail providers like Gmail do get the benefit of HTTPS, and they add their own layers of encryption to your transmitted messages. But Google (and other providers) can still see what you’re emailing and to whom. If you want actual privacy in the form of email messages that nobody unauthorized can read, you need an encrypted email service.
\We’ve rounded up a collection of choices for you, and some of them are totally free. Read on for our top picks, along with what to look for when choosing an email encryption service.
Deeper Dive: Our Top Tested Picks
Proton Mail
Best Bonus Apps
Why Did We Pick It?
If the name Proton Mail sounds familiar, it’s probably because you know about Proton VPN, a PCMag Editors’ Choice winner in the VPN realm. Springing for a top-tier paid subscription to Proton Mail gets you Proton VPN as well as Proton’s calendar, cloud storage, and password management apps. On the flip side, you can save a bundle by accepting the limitations of Proton Mail’s free account tier.
You do have to switch to a new Proton Mail email address, but doing so is a chance to shed the spam and unwanted mail cluttering your old address. Communication with other Proton Mail accounts is end-to-end encrypted; communication with outsiders uses a password that you transmit via separate cover. If you’re a PGP whiz you can even set up encrypted messaging outside of Proton Mail by using PGP key exchange.
With Proton Mail you get more than encrypted email. It includes an encrypted calendar system, for starters. The Proton Drive encrypted file storage system offers top-level paying customers 500GB of secure encrypted storage. Proton Pass manages your passwords, and you also get access to the SimpleLogin temporary email service.
Who Is It For?
You don’t have to pay a thing to start using Proton Mail. But if you find you like it, you can raise some limits by opting for a paid subscription. Going to the top level of a paid subscription gets you an amazing bundle of useful apps from Proton, including the award-winning Proton VPN. Free or paid, it’s a winner.
PROS
- End-to-end encrypted email with other users of the service
- Can password-protect messages to nonusers
- Access to VPN, password management, secure calendar, cloud storage
- SimpleLogin temporary email service available
- Disables tracking via images in email
- Free tier available
CONS
- Even Unlimited edition has a few limits
SPECS
Name | Value |
---|---|
Works With Existing Email | |
PGP Encryption | |
Non-PGP Encryption | |
Two-Factor Authentication | |
Cloud Storage and File Sharing | |
Disposable Email Addresses | |
Supports Rich Text Messages |
Learn More
PreVeil
Best for Free, Powerful Encryption
Why Did We Pick It?
It seems logical that businesses would use encryption systems that are more powerful and technical than what’s available for consumers. And it seems logical that if consumers did get access to business-grade encryption, it would cost a lot. Preveil turns both of those assumptions upside down. Its technology is powerful enough that it’s certified by the Department of Defense, and its price is…zero. Yep, it’s free.
Switching to encrypted email often involves getting used to a new email address, but Preveil lets you keep your existing address. It also integrates with Gmail, Outlook, Apple Mail, and the default Mail apps on mobile devices. It doesn’t demand a master password; the fact that you possess a trusted device authenticates you. And if you can’t log in because you lost all your trusted devices, a high-tech multi-person recovery system helps you regain account access.
With Preveil, you also get 5GB of encrypted storage for your sensitive files. Access is simple from a trusted device; impossible otherwise. And you can share your secure files with other Preveil users at four permission levels. If 5GB isn’t enough, you can bump storage to 5TB, though doing so costs $25 per month.
Who Is It For?
Switching to encrypted email is great for privacy, but it can be annoying. Preveil smooths out the pain points. You don’t have to change your email address, and you don’t have to pay a thing. The fact that it’s free means you’re not imposing on your contacts by asking them to sign up so you can enjoy communication protected by government-approved encryption.
PROS
- Powerful encryption for your email
- Works with existing email accounts
- Direct support for Apple Mail, Gmail, and Outlook
- Secure encrypted file sharing with fine-grained permissions
- Sophisticated key recovery system
CONS
- Must install manually on unsupported email clients
- Recent Mail changes by Apple require manual installation for now
SPECS
Name | Value |
---|---|
Works With Existing Email | |
PGP Encryption | |
Non-PGP Encryption | |
Two-Factor Authentication | |
Cloud Storage and File Sharing | |
Disposable Email Addresses | |
Supports Rich Text Messages |
Learn More
StartMail
Best for Disposable Email Addresses
Why Did We Pick It?
Encrypting your email ensures that nobody can peek at or tweak your important communications with trusted correspondents. Using temporary email addresses (also called disposable email addresses, or DEAs) lets you communicate with untrusted recipients without giving them your actual email address. In a pleasant synergy, StartMail offers both.
Like many competing products, StartMail relies on the PGP protocol for encryption, automating key exchange with other StartMail users. PGP wizards can perform manual key exchange to email outside the StartMail network, but it’s probably easier to just use the password-based system for encrypting out-of-network emails.
Any time you have to supply an email address for a newsletter, a new online merchant, or other nonpersonal connection, you can spin up an email alias in StartMail. Messages to the alias appear in your inbox and replies seem to come from the alias. But if you want to be rid of the connection, perhaps because it began receiving spam, you just disable or delete the alias.
Who Is It For?
You’re thorough; you like to cover all the bases. With StartMail, you get end-to-end encrypted email for your trusted correspondents, and you can protect your address from iffy emailers by using aliases. It’s a suspenders and belt approach!
PROS
- Automatic PGP message encryption with StartMail users
- Password-based encryption with nonusers
- Create and manage temporary email addresses
- Slick new user interface
CONS
- No mobile apps
- Relatively expensive
SPECS
Name | Value |
---|---|
Works With Existing Email | |
PGP Encryption | |
Non-PGP Encryption | |
Two-Factor Authentication | |
Cloud Storage and File Sharing | |
Disposable Email Addresses | |
Supports Rich Text Messages |
Learn More
Private-Mail
Best for Secure File Sharing
Why Did We Pick It?
Private-Mail comes from the same crew that brings you TorGuard VPN. If you’re willing to accept a few limitations, you can use its encrypted email and file sharing system for free. Ponying up for the Standard edition raises your email and file storage from 100MB to 10GB each and adds features including a secure calendar and syncing mail between devices. The Pro edition doubles both the price and the storage.
You can encrypt or digitally sign your Private-Mail messages using PGP, once you exchange PGP keys with your contacts. Putting a file into encrypted storage is as simple as dropping it into the Encrypted folder. The service does use a separate pair of PGP keys for files. You can share with others using PGP, or you can choose to share using a password that you send separately.
Who Is It For?
Private-Mail’s email encryption is a touch less automated than some, but it’s just as secure. Its strength is the flexible file sharing system, which lets you rely on PGP when available or use a simple password when not.
PROS
- Secures encrypted email using PGP public key cryptography.
- Stores and shares encrypted files.
- Two-factor authentication.
- Bonus features.
CONS
- Encrypted messaging setup not as seamless as competition.
- Can only send plain-text encrypted messages.
- No non-PGP option for encrypted mail.
- Relatively expensive.
SPECS
Name | Value |
---|---|
Works With Existing Email | |
PGP Encryption | |
Non-PGP Encryption | |
Two-Factor Authentication | |
Cloud Storage and File Sharing | |
Disposable Email Addresses | |
Supports Rich Text Messages |
Learn More
SecureMyEmail
Best for Encrypting Existing Accounts
Why Did We Pick It?
Starting with email encryption often entails switching to a new email address, and that’s a deal-breaker for some. With SecureMyEmail, you can keep your prized email account and still secure your communications, as long as that account supports IMAP. And if it’s a Gmail, Yahoo, or Microsoft account, there’s no charge to use SecureMyEmail. Those who pay for this service can use it to protect up to eight email accounts.
SecureMyEmail relies on PGP for encryption but hides most of the machinations behind this technology. You do have to define (and remember) a PGP passphrase, separate from your account password. Sending encrypted messages couldn’t be easier, regardless of whether the recipients are SecureMyEmail users, non-users, or a mix.
For other users, your mail is end-to-end encrypted. The service encrypts mail for nonusers relying on a key pair that it generates based on the recipient’s email address. As with Virtru, the recipient doesn’t need a password.
Who Is It For?
Do you have more than one email address? More than one that’s important enough to merit encryption? Paying for multiple separate encryption services could add up! SecureMyEmail costs less overall than some competitors, and your paid subscription lets you encrypt not one, not two, but eight distinct emails.
PROS
- Feature-complete free tier available
- Works with existing email accounts
- Supports existing PGP keys
- Message expiry
CONS
- Message expiry only for out-of-network messages
- Some problems in testing
- Not all features currently working
SPECS
Name | Value |
---|---|
Works With Existing Email | |
PGP Encryption | |
Non-PGP Encryption | |
Two-Factor Authentication | |
Cloud Storage and File Sharing | |
Disposable Email Addresses | |
Supports Rich Text Messages |
Learn More
Tutanota Premium
Best for Ease of Use
Why Did We Pick It?
If you mailed a ciphertext letter to a known criminal, the return address on the envelope might still incriminate you. Tutanota uses open-source encryption on the body text, message headers, and subjects of your messages. It even encrypts your contacts when you’re not actively using them. Its free tier allows unlimited messages, and its paid tier is less expensive than most.
Tutanota creates a secure, encrypted index on your local device so you can search your messages without creating a security hole. Paying customers get unlimited searching; free users can only search the previous 30 days.
As with many others, Tutanota automates end-to-end encryption with other Tutanota users, and offers a password-based system for communication with non-users. Like Proton Mail, it includes an encrypted calendar. Its Filter system lets you automatically organize messages based on content or header info. And its mobile apps give you full access to all features.
Who Is It For?
Why don’t you already have encrypted email? Too expensive? Too much of a pain? Setting up a free Tutanota subscription is a snap, and the mail system is plenty easy to use. If you find that you want the added features of the Premium edition, it’s still inexpensive.
PROS
- Encrypts entire messages, including subject and headers
- Code is entirely open source
- Free tier has no message limits
- Full-fledged calendar
- Secure search of encrypted messages
CONS
- Email alias system limited
- Searching encrypted messages can hog disk space
SPECS
Name | Value |
---|---|
Works With Existing Email | |
PGP Encryption | |
Non-PGP Encryption | |
Two-Factor Authentication | |
Cloud Storage and File Sharing | |
Disposable Email Addresses | |
Supports Rich Text Messages |
Learn More
Virtru Email Protection for Gmail
Best for Gmail Encryption
Why Did We Pick It?
Like Preveil, Virtru brings business-grade encryption down to the consumer level and doesn’t charge a penny for it. Just install the Virtru extension in Chrome, log in to your Gmail account, and activate the encryption service. There isn’t a separate password or login for Virtru—it’s protected by your strong Gmail account password and your Gmail two-factor authentication.
When you send a message using Virtru you have more control than just turning on encryption. You can set the message to expire after a set time, and you can control message expiry even for sent messages. You can watermark attachments to prove they came from you, or set attached documents and images for read-only display.
The recipient doesn’t need a password to open your secure message, but nobody else can open it without proving ownership of the receiving email address. You can also put limits on replying and forwarding through the secure portal.
Who Is It For?
If you’re not on Gmail, Virtru isn’t for you. Likewise, if you don’t use Chrome, it’s a nope. But if you fit the profile, using this free service through its browser extension is almost effortless.
PROS
- Integrates with Gmail for easy email encryption.
- Can suppress message forwarding and set expiration.
- Protects attachments.
- Free.
CONS
- Only works for users of Gmail on Chrome.
- Paranoid users may worry that Virtru holds encryption keys.
SPECS
Name | Value |
---|---|
Works With Existing Email | |
PGP Encryption | |
Non-PGP Encryption | |
Two-Factor Authentication | |
Cloud Storage and File Sharing | |
Disposable Email Addresses | |
Supports Rich Text Messages |
Learn More
Buying Guide: The Best Email Encryption Services for 2024
Wait, Isn’t My Email Already Encrypted?
You may remember some years ago when Google tweaked Gmail so that it always uses a secure HTTPS connection. That means it uses the standard Transport Layer Security (TLS) for encryption. This is good, but it’s the bare minimum. Every website should use HTTPS.
Currently, Google says it doesn’t read your mail. However, it’s easy to accidentally give mail-reading permission to third-party apps. And Google does read your messages sufficiently to do things like automatically put airline flight notifications in your calendar. Google also has a policy explaining when it will release your email to government entities, one that clearly indicates that it can do so if compelled.
Apple Mail supports full-on encryption and digital signatures. To enable these features, you must obtain a security certificate. There used to be quite a few sources for free certificates, but the list is shrinking. We used a third-party service to obtain a cert for testing. With the certificate installed in your keychain, your emails are digitally signed by default. And if all the recipients of a message also have certs, you can click the lock icon to send the message encrypted.
A quick survey of my PCMag colleagues turned up exactly nobody who had installed an email security certificate, and this is a technically minded group. You’d expect even fewer ordinary consumers to have encryption enabled for their Apple Mail…except that you can’t go lower than zero.
In any case, Apple has had some glitches with encryption. Researchers in 2019 discovered unencrypted copies of secure emails in the database that Siri uses to better serve you. I think we can agree that Siri does not need to read our encrypted emails.
The point here is that your email provider’s goals aren’t centered on security and privacy. If you really want to protect your emails from prying eyes, look to a third-party company that puts security first.
What Is the Best Free Email Encryption Service?
Maybe you’re convinced that encrypting your email is a good thing, but are you convinced enough to pay for it with your hard-earned cash? Don’t worry: You don’t have to pay.
Preveil and Virtru are totally free. Both are simplified consumer-focused editions of enterprise-level products. Their “big brother” products bring in the cash.
You don’t have to pay for SecureMyEmail if you use it to encrypt a single Gmail, Yahoo, or Microsoft account, and there are no limits on features. A paid account lets you protect multiple accounts—up to eight—and also adds support for other email providers. Signing up for a free account or a 30-day trial of the paid service doesn’t require a credit card or any personal info beyond your email address.
At the free level, Tutanota lets you send and receive unlimited messages that are completely encrypted using open-source technology. You even get a secure calendar to go with your secure inbox. Upgrading to the inexpensive premium edition lets you create multiple calendars, define up to five aliases (alternate emails), and set filter rules to handle incoming messages.
You can also use Proton Mail and Private-Mail for free, but you must accept certain limitations. Smart consumers will set up a free account and see if the limitations chafe. If they do, converting to a paid account is simple. StartMail is the only product covered here that doesn’t have a free tier, though it does offer a 7-day free trial.
Do I Have to Change My Email Address for Encryption?
On the one hand, starting fresh with a never-before-seen email address can be freeing. You know that the new address hasn’t been bandied about on the Dark Web or hoovered up by data aggregators. On the other hand, you must let all your contacts know that your address changed and reconfigure all your online accounts to use the new address.
Proton Mail, Private-Mail, StartMail, and Tutanota all require that you switch to a brand-new email address. As with any other webmail system, it must be unique within the system. But since these services don’t have the millions or even billions of users that Gmail or Yahoo does, you may well be able to get your own name without tagging on a bunch of numbers or other characters. Wouldn’t you rather have a janedoe@ address than a janedoe18592@ one?
With Preveil, SecureMyEmail, and Virtru, you keep your existing email. In fact, Virtru requires that you use a Gmail address. Preveil doesn’t limit you to any specific email provider. It integrates with Gmail and Outlook on Windows and Apple Mail on macOS and with the native mail app on your mobile devices. Likewise, SecureMyEmail can handle accounts from any email provider that supports IMAP.
Who Can I Email With Encryption?
Encrypting your messages does no good unless the recipient can decrypt them. Different products handle that end of the equation in various ways.
The recipient of a Preveil message must install Preveil to read it, period. But since the product is free and easy to install, that’s not much of a limitation. Your communication is secured with military-level encryption, but you don’t have to remember passwords or do anything beyond choosing to encrypt the message.
Virtru also manages encryption keys without bothering the user. The recipient of a Virtru message clicks a link to view and reply to the message in a browser window without needing to install Virtru.
When you send a message to someone outside the Tutanota network, the recipient gets a notification with a link, much like with Virtru. You must transmit a password to the recipient by some means other than email. The link opens what’s effectively a stripped-down Tutanota, with the ability to send secure replies but not much else.
StartMail, Private-Mail, and Proton Mail all use the Pretty Good Privacy (PGP) encryption system to secure messages between users of their respective services. That means they can also exchange encrypted mail with users of other email systems that support PGP. Setting up the necessary key exchange to enable third-party PGP messaging can be difficult, though.
Those same three products also include a provision for securely communicating with those who don’t use the service and don’t have a PGP key. While the implementations differ, the overall method is the same. You encrypt your message with a password and transmit the password to the recipient using a text, a phone call, or other non-email communication.
When you send out-of-network mail from SecureMyEmail, it automatically generates keys and sets the message to expire after 30 days. After authenticating, the recipient views the message on a web page with the option to reply securely. You can shorten the expiry time or add a password for protection. SecureMyEmail can also import existing PGP keys and has no problem with a mix of in-network and out-of-network recipients of the same message.
How Does Encryption Protect My Email?
Using PGP encryption requires that you enter the PGP passphrase for your encryption key. When you send non-PGP encrypted messages, each can have its own password. Preveil and Virtru don’t require a password—possessing a trusted device is enough for basic authentication. And, yes, you can revoke trust for a lost device.
Tutanota encrypts everything, including message headers, subject lines, and contacts. You do use a password to log into your account, so make it a strong one. As noted, communicating with contacts who aren’t already using Tutanota requires creating a password for each contact and transmitting it by another channel other than email. Tutanota securely stores that password along with the contact record.
Whether basic authentication relies on a password or a trusted device, you can crank up security by enabling multi-factor authentication when available. Proton Mail, Private-Mail, StartMail, and Tutanota all support multi-factor authentication using Google Authenticator or any work-alike that can provide a standard time-based one-time password (TOTP).
Recommended by Our Editors
Tutanota also supports authentication using a Yubikey or other security key. You can register multiple keys and even use U2F along with a TOTP app. If you don’t have your U2F key at hand, authentication rolls over to the TOTP app.
With Preveil, you need access to a trusted device (something you have), the password for your email account (something you know), and whatever authentication method you use to open the trusted device, typically a passcode or biometric system. It’s a form of multi-factor authentication, though not the traditional password-plus-TOTP type.
What Else Do I Get With Email Encryption Services?
With some services, you start fresh with a brand-new email address. But once you start using that address, once many different merchants and websites have it, it won’t stay pristine—unless you never tell anybody your email address.
How can you email without giving away your address? By using a temporary email address service, also called a disposable email address (DEA) service, that’s how. Such a service generates a one-off alias whenever you need to give out your address. Messages to that alias show up in your regular inbox, and replies seem to come from the alias. And if one of your DEAs starts to get spam or other problems, you can just delete it.
Private-Mail can manage DEAs, but it’s rather limited compared to dedicated DEA utilities such as Burner Mail and ManyMe. Email aliases in Tutanota are even more limited in that you get just a handful and can’t change them after creation. StartMail used to suffer similar limitations but now offers full DEA management alongside its email encryption. IronVest goes beyond mere DEAs, letting you shop while hiding not only your real email address but also your credit card number and phone number.
Those who chose an Unlimited tier Proton Mail subscription have two ways to access temporary email addresses. The Proton Pass password manager can create and manage what it calls “hide-my-email aliases,” for one. In addition, that Unlimited subscription gives you full access to the SimpleLogin temporary email service.
With most of these services, you can share a file securely by attaching it to an encrypted message; Private-Mail is the exception, as it supports only plain text. It makes up for that lack by giving you encrypted cloud storage, along with the ability to securely share files from your encrypted storage. Preveil also offers cloud storage with secure sharing, and you have a range of choices for what recipients can do, from editing and re-sharing down to just gazing at the data in a viewer window. Proton Drive, the similar Proton Mail feature, is available to all users. Proton Mail offers cloud storage starting with its free tier, but paying customers get more storage, up to 500GB.
You can set Proton Mail and Virtru messages to expire after a given time. Private-Mail and Proton Mail let you set an away message when you don’t have email access. These two also include the ability to define filtering rules. As noted, SecureMyEmail out-of-network messages automatically expire in no more than 30 days, but there’s no expiry option for in-network messages.
As noted, you get a secure calendar with the free edition of Tutanota, one that syncs across all your devices. Paying for a premium account lets you create multiple calendars. Proton Mail’s associated Proton Calendar is likewise available at the free level. Private-Mail also offers a calendar feature. However, in testing, Private-Mail’s system for syncing that calendar proved too complex for the average user.
What Is the Best Email Encryption?
As you can see, all these products have their virtues, and each offers a different set of features. For its weapons-grade encryption, ease of use, and low price (free!), Preveil is a top pick and an Editors’ Choice winner. An Unlimited subscription to Proton Mail also includes Proton’s cloud storage, VPN, calendar, and password manager. When it comes down to the wire, your choice may depend on whether you want to keep your existing email with Preveil or accept a new, secure email from Proton Mail.
While you’re thinking about security, you should read our roundup of the best encryption software for protecting the sensitive data on your drives.