How it works
Tuta is a hosted email service operated by Tutao GmbH from Hanover, Germany, online since 2011 and rebranded from Tutanota in November 2023. An account covers an encrypted mailbox, an encrypted calendar and an encrypted address book, reachable through a web client, desktop clients for Linux, Windows and macOS, and mobile apps. The entire client codebase has been published under the GPLv3 on GitHub since 2014, so the encryption can be inspected rather than taken on faith.
Encryption happens on the device before anything reaches Tuta's servers. Message bodies, subject lines, attachments, contacts and calendar entries are sealed with keys derived from the account password; Tuta stores the ciphertext and cannot open it. Standard accounts use AES-256 and RSA-2048. In March 2024 the company introduced TutaCrypt, a hybrid scheme combining the X25519 elliptic curve with the Kyber-1024 post-quantum algorithm, applied to new accounts first and then to existing ones from December 2024.
KYC & privacy
Signup asks for a chosen email address and a password and nothing else: no phone number, no recovery email, no government ID. A free account stores only that chosen address, and Tuta strips sender IP addresses from outgoing mail. There is no AML layer because this is not a financial service, and no identity check exists at any tier.
The limits are structural rather than hidden. Email addresses and timestamps remain unencrypted, because the network needs them to route mail. Encryption is end-to-end only between Tuta users or through a password-protected link; mail arriving from outside providers reaches the server as plaintext before it is encrypted at rest. That gap is what a Cologne court tested in 2020, ordering Tuta to capture future incoming plaintext messages for a single account used in an extortion case — a decision reported widely and upheld on appeal. End-to-end encrypted content stayed inaccessible throughout.
Payment is the other privacy seam: Tuta bills directly by card, PayPal and SEPA. Crypto is not accepted on the site, though Tuta gift cards can be bought with Bitcoin, Monero or cash through a partner store, which restores an anonymous route for users who want one.
Strengths and limits
The strongest argument for Tuta is breadth of coverage. Most providers leave the subject line and calendar in the clear; Tuta does not, and it has carried that design for over a decade without a data breach. The open-source clients and the early move to post-quantum encryption back the security claims, and the rebrand from Tutanota did not interrupt the service.
The limits are real and worth stating plainly. Tuta runs its own encryption rather than OpenPGP, so there is no interoperable encrypted mail with PGP users elsewhere. There is no IMAP or SMTP bridge, which rules out Thunderbird and Apple Mail as front ends. A series of DDoS attacks in 2020 knocked the service offline for hours, though no data was exposed. The jurisdiction cuts both ways: German law gives strong data-protection defaults but also the lawful-intercept powers the 2020 order relied on.
Verdict
Tuta is a mature, transparent encrypted mailbox that does more on-device encryption than most rivals and asks for nothing identifying to open an account. The caveat is jurisdictional, not commercial: a German court can compel interception of a targeted account's future incoming plaintext, and users whose threat model includes that should weigh it. For everyone else seeking a private daily inbox, it remains a top pick. Grade: A- (8.6/10). Trust: TRUSTED.