World's Best Secure Email Providers
All businesses need to communicate, but how can they communicate securely? In this post we'll cover the best secure email providers available, so any user or business can begin communicating securely with absolutely minimal technical know-how.
Anyone keeping an eye on the news recently is aware that compromised data can create massive problems. While the tech savvy have been warning of the risk since the WPA days, the general public is only starting to see that leaked email, media, and trade secrets can absolutely destroy market (and political) leaders. In broad terms, there are three ways anyone can integrate secure email into their workflow. A comprehensive understanding of how to use PGP is ideal, but that's a lot to ask of folks who aren't advanced developers. On the other end of the spectrum are browser plug-ins and add-ons that take an ad-hoc approach to email security. Since security often comes at the expense of convenience, we've chosen to focus on a middle ground approach - using a trusted third party secure email platform. We'll start by identifying the best secure email platforms we've found, then we'll cover the functional considerations in a little more detail. This should allow you to be an informed buyer when you decide to take on this crucial task.
Secure Email Platform Prerequisites
Before we highlight our favorites, let's point out the base level requirements we're looking for. To begin with, every secure email provider must serve its website over properly configured TLS (what most people still call SSL) with a valid certificate. All messages must be encrypted in transit (TLS between you and the provider, and between mail servers), the provider should authenticate its servers with a trusted mechanism such as DANE, and it must offer end-to-end encryption built on an established standard rather than a home-grown scheme (OpenPGP, S/MIME, or Lavabit's DIME). Note that these do different jobs: TLS and DANE protect the hop to the server, which still sees plaintext unless the message itself is encrypted end-to-end. Platforms must be scalable to the needs of a mid-sized business, feature transparent code (ideally open-sourced), and incur a monthly fee. This last point will surely seem counter-intuitive to "bottom-line hawks", but let me reassure you that the adage "if you're not the customer, you're the product" is an absolute maxim in this case. With that out of the way, here are our selections.
Protonmail was founded in 2013 by a small team of CERN researchers. They collectively noticed the lack of easily accessible email encryption and decided to focus on creating a solution. As you'd expect with scientists at the helm, solid decisions were made along the way. They crowdfunded the initial seed money, established their own redundant servers based in Switzerland, open-sourced the code driving their web interface, and have folded in a slew of brilliant inclusions as they've matured in the industry. This includes two-factor authentication, true end-to-end encryption, encrypted storage, self-destructing messages, Tor access, and TLS with forward secrecy (an ephemeral key exchange, so a later key compromise doesn't unlock recorded traffic). Frankly it's hard to pick a flaw in their approach, but if we're being picky I'd say it would be nice to allow a layer of anonymity during the signup process. Besides that small note, it is worth mentioning that their success has made them an occasional target for DDoS attacks, but this potential inconvenience pales in comparison to the array of features Protonmail provides. Barring any changes to Swiss law (which I wouldn't expect), it's safe to say that Protonmail offers the most comprehensive secure email platform any user could hope for. Highly Recommended
If you're in the States, Lavabit may be the one secure email provider you're familiar with. This would likely be due to its outspoken founder Ladar Levison. In 2013 he gained notoriety for shutting his company down rather than become complicit in unwarranted government intrusion. While this surely produced financial pain, Lavabit has rebounded and relaunched in short order. The whitepaper detailing the DIME protocol's architecture and specs is mandatory reading for anyone interested in secure communications. The security approach involved in DIME pushes Lavabit towards the forefront in terms of technical complexity and functional security, but how they've simplified things for users is nothing short of brilliant. By targeting the different needs of potential users, Lavabit has sectioned their services into 3 categories - Trustful, Cautious, and Paranoid. While any of these will improve email security immensely, only Cautious and Paranoid get you the full end-to-end encryption most users will be seeking; in Trustful mode the server still handles your keys. Lavabit has really been at the forefront of the movement, contributed immensely to the community, and proven to have the backbone to stand between the government and clients. While their latest offering is still fresh, users should feel quite confident in Lavabit as a company and product. Highly Recommended
While our previous pick earned a bit of attention stateside, German based Posteo has also played their part in standing up to European government intrusion. The details surrounding the 2014 requests by German officials are still a bit murky, but the response to seizure threats and mis-applied warrants by co-founder Patrik Löhr was crystal clear. Now with years of service under its belt, Posteo's security approach is evident - provide anonymous account signup and payment options (including the option of sending cash), keep security inclusions current (two-factor authentication, TLS, HSTS, and DANE/TLSA for example), take a hands-off approach to IP / data collection, and feature a very well documented OpenPGP encryption flow. The Posteo encryption info page is honestly worth a read no matter which provider you decide to select. Add their commitment to running entirely on green energy and Posteo's 2GB base account is a top contender for any user.
Belgian based email provider Mailfence is newer to the scene, but founder Pattrick de Schutter seems to be checking all the boxes for security minded users. Offering a free trial of its impressive GUI will surely grow its market, but its commitment to solidly managing both ends of its encrypted messaging platform while relying on highly protective Belgian law should give users plenty of confidence. If legal issues did arise, Mailfence clearly notes the circumstances in which they must disclose data. While this could frighten newbies (like needing to pay for truly secure email), this level of specificity is awfully helpful to those of us who simply want to know the lay of the land. If I needed to pick one fault, I'd say it would be nice if Mailfence included that same specificity on their technical approach. Mailfence may not be cutting edge, but they are a solid entry point and they are certainly correct to highlight the value of protections provided by a forward thinking Belgian government.
CounterMail builds its cryptography on "The Legion of the Bouncy Castle", an open-source Java crypto library. While Java has its detractors, there are two aspects in which CounterMail leads the industry. The first is that CounterMail boots its servers from a diskless image. That may seem like a drawback, but remember - it's the information retained on servers that raises issues, and a server with no disk has far less for a seizure or a compromise to recover. The second feature is that CounterMail offers an optional USB key for users. While I've gotten into the habit of building my own USB key, this concept is insanely helpful for boosting security and should really be more commonplace. Keeping the private key on a removable physical device, rather than on the provider's servers, is another layer of security that could enhance any secure email provider. At its core, CounterMail uses OpenPGP encryption with a 4096-bit key, no cookies, no logging, anonymous headers, and encrypted storage. Combine those features with the two previously mentioned, toss in Swedish jurisdiction, and you've got yourself a strong option. If they decide to fold in anonymous payment options, I would really raise CounterMail to a top 3 pick.
Tutanota is the brainchild of a small team of German developers committed to bringing secure messaging to the masses. Their name itself is derived from the Latin words "tuta nota" meaning "secure message". Their web based mail platform features basic encryption between users and, for recipients who aren't on the platform, relies on a password the sender shares out of band so the non-user can open the message. While their English documentation is a bit lacking, their code is GPLv3 so any detail can be derived by simply visiting their Tutanota GitHub project page. While their goal is surely honorable, a little research will show you that their product still needs a bit of work. They currently list goals to fully implement PGP with S/MIME support and two-factor authentication this calendar year. While I have no doubt in their ability to achieve that, I would recommend giving the team a little time before committing. Eventually the combination of a simple approach and fairly stout German law should make Tutanota another great option.
Secure Email Use Cases
Every user's or business's needs are unique, but there are a few use cases that should help narrow down your picks.
Want to Integrate Secure Email into Your Business?
This was the exact situation we found our company in last year. If you're not particularly tech savvy or simply prioritize ease-of-use, I'd suggest debating Protonmail vs Posteo. Both secure providers offer high quality with a gentle learning curve.
Need the Absolutely Most Secure Email Possible?
I'd first suggest boning up on your understanding of the whole key-exchange process, then I'd start the hunt with a Lavabit vs Posteo showdown.
Want to Dip Your Toes in the Water?
While I've already mentioned that I'd shy away from a "Freemium" model, if you absolutely must, your starting point should probably be Protonmail vs Mailfence.
Our All-Around Favorites?
Much like any other small business owner, I stress one factor that can be overlooked at times. Coming from the "Measure Twice / Cut Once" school of thought, I place plenty of weight on a product's longevity. With that in mind, our internal debate really centered around Protonmail vs Lavabit. The driving factor here is that it can be a bit of a headache to set everything up, so we may as well choose an email provider that won't become dated quickly or require too much attention.
Crucial Factors Involved in Secure Email
"Freedom of speech is always under attack by Fascist mentality, which exists in all parts of the world, unfortunately."
- Lawrence Ferlinghetti
The factors involved in selecting a secure email provider could be a post in and of themselves, but I'll try to cover the big points for you quickly. End-to-end encryption is a must. The key exchange protocol is also important, but I'd be hesitant to pick a favorite there; widely accepted approaches like DIME, OpenPGP, and DANE (which authenticates the provider's servers through DNSSEC rather than managing your own keys) should be sufficient. Local laws should be considered for where the servers are physically located and where the certificates are issued. The less logging the better, and anything that's stored should ideally be encrypted. Every part of the service should be served over TLS, and I'd push HSTS and two-factor authentication towards a "must". The next factor will seem suspicious to older folks, but I believe anonymous payment is important. Bitcoin is obviously not 100% anonymous, but splitting that direct link provides a worthwhile layer of privacy that any provider could be offering. Most business owners would simply think "I shouldn't need that if I'm not doing anything illegal", but if you've been following the legal tightening around the world I think a better mental approach would be "Why should I provide more info than is absolutely needed?" The last factor I'd recommend is completely agnostic of your provider and very important - every secure email provider still leaves some metadata exposed, and a solid VPN plugs part of that gap. While that topic deserves its own post, put briefly: TLS keeps your ISP from reading your mail, but the ISP still sees which mail servers you talk to and when. A good VPN hides that from the ISP, though it only moves the same visibility to the VPN operator, so choose one as carefully as you chose the mail provider; it is no substitute for TLS or end-to-end encryption.
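Both the prerequisites section earlier and the factors just listed lean on DANE/TLSA to authenticate a mail server's TLS certificate, so it is worth seeing what a TLSA match actually checks. The Python below is added here as an illustration and is not code from any of the providers reviewed. It builds a constructed, minimal X.509-shaped DER blob (hypothetical values, dummy signature, not a real certificate) so it runs offline, pulls the SubjectPublicKeyInfo out of it, and compares it against a record in the `3 1 1 <hex>` presentation form from RFC 6698. The function names (`build_fake_certificate`, `tlsa_for_cert`, `tlsa_matches`) and the sample key bytes are my own assumptions.

```python
"""Check a DANE TLSA record (RFC 6698) against a TLS certificate, offline.

Added illustration for this post; not code from any provider reviewed here.
The certificate is a constructed, minimal X.509-shaped DER blob with
hypothetical values (no real signature), built inline so nothing is fetched.
"""
import hashlib
import hmac


def der(tag, content):
    """Encode one DER TLV; handles both short and long length forms."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos=0):
    """Decode the DER element at buf[pos]; return (tag, content, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


RSA_SHA256_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSAEncryption
RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")         # rsaEncryption


def build_fake_certificate(key_bytes, serial=1):
    """Constructed Certificate skeleton: just enough structure for a TLSA
    selector=1 parser to walk. Not a valid certificate (dummy signature)."""
    version = der(0xA0, der(0x02, b"\x02"))                  # [0] EXPLICIT INTEGER v3
    sig_alg = der(0x30, RSA_SHA256_OID)
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, der(0x30, RSA_OID + der(0x05, b"")) + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, version + der(0x02, bytes([serial])) + sig_alg
              + der(0x30, b"") + validity + der(0x30, b"") + spki)  # empty issuer/subject
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\xaa" * 8))


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo (what TLSA selector 1 covers)."""
    _, cert_body, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert_body)           # tbsCertificate is the first element
    tag, _, pos = read_tlv(tbs)
    if tag == 0xA0:                           # optional version present: skip serial too
        _, _, pos = read_tlv(tbs, pos)
    for _ in range(4):                        # signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]


def parse_tlsa(rr):
    """'3 1 1 <hex...>' presentation form -> (usage, selector, mtype, data)."""
    usage, selector, mtype, *data = rr.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data))


def _association_data(cert_der, selector, mtype):
    """selector 0 = full certificate, 1 = SPKI; mtype 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    subject = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return subject
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(subject).digest()


def tlsa_for_cert(cert_der, usage=3, selector=1, mtype=1):
    """The record an operator would publish at _25._tcp.<mx host> for cert_der."""
    return f"{usage} {selector} {mtype} {_association_data(cert_der, selector, mtype).hex()}"


def tlsa_matches(rr, cert_der):
    """True if the presented certificate satisfies the TLSA record."""
    usage, selector, mtype, data = parse_tlsa(rr)
    if usage not in (2, 3):   # RFC 7672: SMTP DANE treats PKIX usages 0 and 1 as unusable
        return False
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    return hmac.compare_digest(_association_data(cert_der, selector, mtype), data)


# Constructed sample data: a hypothetical 32-byte key blob, the certificate built
# around it, the same key re-issued with a new serial, and a rotated key.
SAMPLE_CERT = build_fake_certificate(bytes(range(32)), serial=1)
RENEWED_CERT = build_fake_certificate(bytes(range(32)), serial=2)
ROTATED_CERT = build_fake_certificate(bytes(range(32, 64)), serial=3)

if __name__ == "__main__":
    rr = tlsa_for_cert(SAMPLE_CERT)                  # "3 1 1 <sha256 of SPKI>"
    print(rr)
    print(tlsa_matches(rr, SAMPLE_CERT))             # True
    print(tlsa_matches(rr, RENEWED_CERT))            # True: same key, new certificate
    print(tlsa_matches(rr, ROTATED_CERT))            # False: key changed
```

The practitioner point is in the last three lines: a `3 1 1` record (DANE-EE, SPKI, SHA-256) keeps matching when the certificate is renewed with the same key but breaks on key rotation, so a provider that rotates keys has to publish the new record ahead of the switch, while `3 0 1` pins the whole certificate and breaks on every renewal. Real DANE also requires the TLSA lookup itself to be DNSSEC-validated, which this snippet does not attempt.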
Hopefully this post has helped you understand the basics of secure email and given you a few options to start your search. The benefits of secure email might be tough to identify, but that's really because we're not trying to add value so much as limit liability. Find a provider you like, share these options with your friends, and give them some social love if you have a moment. These companies are fighting an honorable battle and it's one that rarely draws praise. As always - Thanks for stopping by, feel free to shoot us any feedback through your favorite social media site, and if you've found the information at all useful - Please Share.