All businesses need to communicate, but how can they communicate securely? In this post we'll cover the best secure email providers available, so any user or business can begin communicating securely with absolutely minimal technical know-how.
Anyone keeping an eye on the news recently is aware that compromised data can create massive problems. While the tech-savvy have been warning of risk since WPA, the general public is only starting to see that leaked email, media, and trade secrets can destroy market (and political) leaders. In broad terms, there are three ways anyone can integrate secure email into their workflow. A comprehensive understanding of how to utilize PGP is ideal, but that's a lot to ask of folks who aren't advanced developers. On the other end of the spectrum are browser plug-ins and add-ons that take an ad-hoc approach to email security. Since security often comes at the expense of convenience, we've chosen to focus on a middle-ground approach - using a trusted third-party secure email platform. We'll start by identifying the best secure email platforms we've found, then we'll cover the functional considerations in a little more detail. This should allow you to be an informed buyer when you decide to take on this crucial task.
Secure Email Platform Prerequisites
Before we highlight our favorites, let's point out the base-level requirements we're looking for. To begin with, every secure email provider must have bulletproof SSL on their website. All messages must be encrypted during transport (TLS) and utilize a trusted protocol to manage key swaps (PGP, S/MIME, DANE, DIME). Platforms must be scalable to the needs of a mid-sized business, feature transparent code (ideally open-sourced), and incur a monthly fee. This last point will surely seem counter-intuitive to "bottom-line hawks", but let me reassure you that the adage "if you're not the consumer, you're the product" is an absolute maxim in this case. With that out of the way, here are our selections.
Protonmail was founded in 2013 by a small team of CERN researchers. They collectively noticed the lack of easily accessible email encryption and decided to focus on creating a solution. As you'd expect with scientists at the helm, solid decisions were made along the way. They crowdfunded the initial seed money, established proprietary redundant servers based in Switzerland, open-sourced the code driving their web interface, and have folded in a slew of brilliant inclusions as they've matured in the industry. This includes two-factor authentication, true end-to-end encryption, encrypted storage, self-destructing messages, Tor access, and TLS with an ephemeral key exchange. Frankly, it's hard to pick a flaw in their approach, but if we're being picky I'd say it would be nice to allow a layer of anonymity during the signup process. Besides that small note, it is worth mentioning that their success has made them an occasional target for DDoS attacks, but this potential inconvenience pales in comparison to the array of features Protonmail provides. Barring any changes to Swiss law (which I wouldn't expect), it's safe to say that Protonmail offers the most comprehensive secure email platform any user could hope for. Highly Recommended
If you're in the States, Lavabit may be the one secure email provider you're familiar with. This would likely be due to its outspoken founder Ladar Levison. In 2013 he gained notoriety for shutting his company down rather than become complicit in unwarranted government intrusion. While this surely produced financial pain, Lavabit has rebounded and relaunched in a short time. The whitepaper detailing the DIME protocol's architecture & specs is mandatory reading for anyone interested in secure communications. The security approach involved in DIME pushes Lavabit towards the forefront in terms of technical complexity and functional security, but how they've simplified things for users is nothing short of brilliant. By targeting the different needs of potential users, Lavabit has sectioned its services into 3 categories - Trustful, Cautious, and Paranoid. While any of these will improve email security immensely, Cautious & Paranoid will get you the full end-to-end encryption most users will be seeking. Lavabit has been at the forefront of the movement, contributed immensely to the community, and proven to have the backbone to stand between the government and clients. While their latest offering is still fresh, users should feel quite confident in Lavabit as a company and product. Highly Recommended
While our previous pick earned a bit of attention stateside, German-based Posteo has also played its part in standing up to European government intrusion. The details surrounding the 2014 requests by German officials are still a bit murky, but the response to seizure threats & misapplied warrants by co-founder Patrik Löhr was crystal clear. Now with years of service under its belt, Posteo's security approach is evident - provide anonymous account signup & payment options (including the option of sending cash), keep security inclusions current (two-factor authentication, TLS, HSTS, & DANE/TLSA for example), have a hands-off approach in terms of IP / data collection, and feature a very well documented OpenPGP encryption flow. The Posteo encryption info page is honestly worth a read no matter which provider you decide to select. Their commitment to running on entirely green energy makes Posteo's 2GB base account a top contender for any user.
Belgian-based email provider Mailfence is newer to the scene, but founder Patrick De Schutter seems to be checking all the boxes for security-minded users. Offering a free trial of its impressive GUI will surely grow the market, but its commitment to solidly managing both ends of its encrypted messaging platform while relying on highly protective Belgian law should give users plenty of confidence. If legal issues did arise, Mailfence notes the circumstances in which they must disclose data. While this could frighten newbies (like needing to pay for truly secure email), this level of specificity is awfully helpful to those of us who simply want to know the lay of the land. If I needed to pick one fault, I'd say it would be nice if Mailfence included that same specificity in their technical approach. Mailfence may not be cutting edge, but they are a solid entry point and they are certainly correct to highlight the value of protections provided by a forward-thinking Belgian government.
CounterMail runs on a Java-based open-source project named "The Legion of the Bouncy Castle". While Java has its detractors, there are two aspects in which CounterMail leads the industry. The first is that CounterMail loads its system from a diskless server. That may seem like a drawback, but remember - it's the information retained on servers that raises issues. The second feature is that CounterMail offers an optional USB key for users. While I've gotten into the habit of building my own USB key, this concept is insanely helpful for boosting security and should be more commonplace. Retaining encryption keys on a removable physical device adds another layer of security that could hypothetically enhance any secure email provider. At its core, CounterMail uses OpenPGP encryption with a borderline-overkill 4096-bit key, no cookies, no logging, anonymous headers, and encrypted storage. Combine those features with the two previously mentioned, toss in Swedish jurisdiction, and you've got yourself a strong option. If they decide to fold in anonymous payments, I would raise CounterMail to a top 3 pick.
Tutanota is the brainchild of a small team of German developers committed to bringing secure messaging to the masses. Their name itself is derived from the Latin words "tuta nota" meaning "secure message". Their web-based mail platform features basic encryption for users and relies on a backdoor password to enable secure connections for non-users. While their English documentation is a bit lacking, their code is GPLv3, so any detail can be derived by simply visiting their Tutanota GitHub project page. While their goal is surely honorable, a little research will show you that their product still needs a bit of work. They currently list goals to fully implement PGP with S/MIME support and two-factor authentication this calendar year. While I do not doubt their ability to achieve that, I would recommend giving the team a little time before committing. Eventually, the combination of a simple approach and fairly stout German law should make Tutanota another great option.
Secure Email Use Cases
Any user/business need is unique, but there are a few use cases that should help narrow down your picks.

Want to Integrate Secure Email into Your Business? This was the exact situation we found our company in last year. If you're not particularly tech-savvy or simply prioritize ease of use, I'd suggest debating Protonmail vs Posteo. Both secure providers offer high quality with a gentle learning curve.

Need the Most Secure Email Possible? I'd first suggest boning up on your understanding of the whole key exchange process, then I'd start the hunt with a Lavabit vs Posteo showdown.

Want to Dip Your Toes in the Water? While I've already mentioned that I'd shy away from a "Freemium" model, if you absolutely must, your starting point should probably be Protonmail vs Mailfence.

Our All-Around Favorites? Much like any other small business owner, I stress one factor that can be generally overlooked at times. Coming from the "Measure Twice / Cut Once" school of thought, I place plenty of weight on the longevity of a product. With that in mind, our internal debate centered around Protonmail vs Lavabit. The driving factor here is that it can be a bit of a headache to set everything up, so we may as well choose an email provider that won't become dated quickly or require too much attention.
Crucial Factors Involved in Secure Email
"Freedom of speech is always under attack by Fascist mentality, which exists in all parts of the world, unfortunately." - Lawrence Ferlinghetti
The factors involved in selecting a secure email provider could be a post in and of itself, but I'll try to cover the big points for you quickly. End-to-end encryption is a must. The key exchange protocol is also important, but I'd be hesitant to pick a favorite there. Widely accepted approaches like DIME, DANE, and open-sourced PGP (like OpenPGP) should be sufficient. Local laws should be considered for where the servers are physically located and where the certificates are issued. The less logging the better, and anything that is stored should ideally be encrypted. All aspects of the provider should be SSL secured, and I'd even push TLS and two-factor authentication towards a "Must". The final factor will seem suspicious to older folks, but I believe anonymous payment is important. Bitcoin is not 100% anonymous, but splitting that direct link provides an incredible layer of security that any provider could be using. Most business owners would simply think "I shouldn't need that if I'm not doing anything illegal", but if you've been following the legal tightening around the world I think a better mental approach would be "Why should I provide more info than is absolutely needed?". The last factor I'd recommend is completely agnostic of your provider and very important - any secure email provider has holes, and the single largest can be plugged by utilizing a solid VPN. While that topic deserves its own post, put briefly, your ISP can intercept crucial data and a good VPN is your best defense against that.
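The transport-level requirements listed in the prerequisites above and repeated in this section (TLS with an ephemeral key exchange, HSTS, DANE/TLSA) can be checked mechanically. The following is an added example written for this post, not code from any of the providers reviewed; it runs against constructed sample data (hypothetical headers, certificate bytes and TLSA rdata) rather than a live server, and the 180-day HSTS threshold is our own choice, not a standard.

```python
import hashlib
import re

# Constructed sample inputs standing in for a provider under evaluation (not real data).
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
# Hypothetical DER bytes for the mail server's certificate and its SubjectPublicKeyInfo.
SAMPLE_CERT = b"\x30\x82constructed-der-certificate-bytes"
SAMPLE_SPKI = b"\x30\x59constructed-spki-bytes"
# TLSA rdata in presentation form: usage 3 (DANE-EE), selector 1 (SPKI), matching 1 (SHA-256).
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
# Same idea with selector 0 (full certificate) and matching 2 (SHA-512).
SAMPLE_TLSA_CERT = "3 0 2 " + hashlib.sha512(SAMPLE_CERT).hexdigest()

def hsts_ok(headers, min_age=15552000):
    """True if HSTS is present with max-age >= min_age seconds (180 days, our own threshold)."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return match is not None and int(match.group(1)) >= min_age

def forward_secret(cipher_name, tls_version):
    """Ephemeral key exchange: every TLS 1.3 suite has it; a TLS 1.2 suite must name (EC)DHE."""
    if tls_version == "TLSv1.3":
        return True
    return bool(re.search(r"(^|_|-)(EC)?DHE(_|-)", cipher_name))

def tlsa_matches(tlsa_rdata, cert_der, spki_der):
    """Check a TLSA record (RFC 6698 presentation form) against the presented certificate.
    Handles usage 2/3, selector 0 (cert) or 1 (SPKI), matching 1 (SHA-256) or 2 (SHA-512)."""
    usage, selector, matching, digest = tlsa_rdata.split()
    if usage not in ("2", "3"):
        raise ValueError("PKIX usages 0/1 also require CA-path validation; not handled here")
    data = {"0": cert_der, "1": spki_der}[selector]
    algo = {"1": hashlib.sha256, "2": hashlib.sha512}[matching]
    return algo(data).hexdigest() == digest.lower()

def transport_checklist(headers, cipher_name, tls_version, tlsa_rdata, cert_der, spki_der):
    """Return the names of the post's transport requirements that the provider fails."""
    failures = []
    if not hsts_ok(headers):
        failures.append("HSTS")
    if not forward_secret(cipher_name, tls_version):
        failures.append("ephemeral key exchange")
    if not tlsa_matches(tlsa_rdata, cert_der, spki_der):
        failures.append("DANE/TLSA")
    return failures
```

In practice the headers, negotiated cipher suite and certificate would come from a real connection and the TLSA record from a DNSSEC-validated lookup; the checks themselves stay the same.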
Hopefully, this post has helped you understand the basics of secure email and given you a few options to start your search. The benefits of secure email might be tough to identify, but that's really because we're not trying to add value so much as limit liability. Find a provider you like, share these options with your friends, and give them some social love if you have a moment. These companies are fighting an honorable battle and it's one that rarely draws praise. As always - Thanks for stopping by, feel free to shoot us any feedback through your favorite social media site, and if you've found the information at all useful - Please Share.