- Cut to the chase: The best secure email provider is SecureMyEmail (opens in new tab) . Sign up for a no-obligation 30-day free trial to make your email communication safer.
The best secure email providers make it simple and easy to improve the security of your emails and better protect your privacy.
When it comes to popularity and ease of use, there is no beating major email providers (opens in new tab) such as Google and Microsoft.
But these services still have a long way to go before they can be termed “secure.” Communication conducted over email isn’t normally secured by end-to-end encryption and can easily be subpoenaed by government agencies in case of legal conflict.
There are a number of other privacy and security issues to contend with. Gmail, for example, allows third-party service providers to scan your private emails (opens in new tab) to display more personalized advertisements.
However, there are more than a few email providers that offer increased security in exchange for a higher fee.
These providers boast significantly better privacy practices than their mainstream counterparts, with strong protocols that dictate user rights in case of a subpoena or breach, especially important for businesses in the GDPR/HIPAA era.
When on the lookout for a secure email provider, you have to keep in mind factors like data center location, end-to-end encryption (opens in new tab) and zero-access guarantee.
In this guide, we will be taking a look at some of the most secure email providers currently in the market, perfect for conducting internal business communications and receiving sensitive information from other users.
We've also featured the best email hosting.
SecureMyEmail provides something that is different from the rest of the other providers on that list. It delivers zero-knowledge end-to-end encryption and encryption-at-rest for ANY email address. You KEEP your email address. Even better is that you can encrypt your personal email for free (Gmail, Yahoo and Microsoft only).
Its advanced security options will appeal to more experienced users. Although most email providers do provide secure email facilities, users particularly concerned with security are catered for - zero-knowledge encryption is as good as it gets. Each SecureMyEmail account includes eight addresses.
Note that you will also get a 40% discount off Witopia VPN, which is a well-heeled VPN service and a great companion to Securemyemail.
Read our full SecureMyEmail review.
Founded in 2014 at the European Organization for Nuclear Research (CERN), ProtonMail is a secure email provider featuring end-to-end encryption and a zero-access guarantee. The service was created in response to leaks from Edward Snowden and has its data centers based in Switzerland in an underground bunker strong enough to survive a nuclear attack.
One of the defining features of ProtonMail’s service is the “self-destructing” emails, which are automatically removed from the recipient’s inbox after a set time period. Moreover, you are not asked to divulge any sensitive information when signing up for a new account.
The free plan comes with limited storage and messages and users looking for more may opt for any of its tiered premium plans.
Read our full ProtonMail review.
Dedicated to serving business users with a strong requirement for security, Mailbox.org (opens in new tab) is a secure email provider based in Germany. It has a very user-friendly interface, and, despite being a secure email provider, it is compatible with mobile devices and third-party clients.
Aside from a secure email service, Mailbox.org also comes with encrypted cloud storage, video conferencing features, a functional address book, a calendar, and a task planner. It is a well-rounded solution for businesses looking for an encrypted workflow alternative to Google or Microsoft.
There is no free plan available, but the three premium-category plans are all very affordable, and offer email storage, cloud storage, email addresses, and video conferencing capabilities.
Read our full Mailbox.org review.
With servers located all over the world, Zoho Mail (opens in new tab) is a secure email hosting solution with a focus on data encryption and user-friendliness. Unlike other secure email providers, it tries to achieve a subtle balance between features and privacy to give users a friendly experience.
Aside from the usual email service with adequate spam and mail filters, Zoho Mail also offers additional features like a calendar, a task manager, and a contact portal. In terms of security, Zoho offers an encrypted environment in which data is safe whether it is stationary or on the move. The data stored on its servers can still be accessed by the company and subpoenaed by government agencies, although there is a very specific protocol to follow in either case.
Zoho Mail comes with three paid plans to choose from: Mail Lite features 5GB or 10GB of storage space per user. This is followed by Mail Premium, which offers 50GB of space per user. There is also an additional plan which is suitable for users who would also like access to the company’s other solutions, such as the web-based word processing and presentation software.
Read our full Zoho Mail review.
With its data centers located in Germany, Posteo (opens in new tab) is the email provider of choice for digital crusaders and activists. It does not offer end-to-end encryption per se, since emails can be read in plain text by third parties if there is a leak. However, all data on its servers is secured, whether moving or stationary.
Furthermore, Posteo uses a technology called DNS-based Authentication of Named Entities (DANE), which protects against hackers who try to impersonate the sender or the recipient to gain access to sensitive information. Posteo also doesn’t store any identifying data on its users and fights frequent legal battles to ensure the privacy of its users.
Read our full Posteo review.
With its servers located in the United States, PrivateMail (opens in new tab) is subject to certain legal restrictions and doesn’t offer the same amount of privacy from law enforcement or government agencies as an email provider based in Germany or Switzerland. However, it offers end-to-end encryption and secure cloud storage. It also boasts some really strong security practices.
Apart from offering email services, PrivateMail features a very secure cloud storage service that’s included in all of its paid plans. The cloud storage feature is pretty powerful, with options to synchronize files between different devices and with a specific folder on your computer. There’s also an email calendar that business users will be thankful for.
PrivateMail Standard comes with 10GB of email and cloud storage each, whereas Pro offers 20GB of space for email and cloud storage. There are business plans available for enterprise-level users offering 100GB of storage and a custom domain.
Read our full PrivateMail review.
Also see these secure email providers
We've recently been testing out the leading secure email providers. Check out reviews below to find out more about each service provider:
- Hushmail (opens in new tab)
- Tutanota (opens in new tab)
- Mailfence (opens in new tab)
- Runbox (opens in new tab)
What is SPF?
By: Peter Goldstein, chief technology officer and co-founder, Valimail (opens in new tab)
Email security and SPF have long gone hand in hand. That’s because Sender Policy Framework, also known as SPF, is considered the first and oldest email authentication standard.
SPF is an IP-based authentication protocol, such that messages are authenticated with SPF based on the IP address of the server that delivers the message to its final destination. To use SPF, a domain owner declares in a specially-formatted DNS TXT record the list of servers and networks authorized to send mail using that domain. Mail receivers, such as Gmail or Yahoo Mail, can then look up that record to determine if an authorized host delivered the incoming messages.
When SPF made its way onto the security scene in the early 2000s, it was a game-changer. The Internet today though is far more complex. As a result, SPF can prove challenging.
To start, SPF is a text record, which makes typos and syntax errors all too easy. And while there are nuances to SPF that can trip up even the most seasoned IT person, the biggest challenge is the fact that there are no notification mechanisms in place. If something goes wrong with your implementation, it’s up to you to figure out when, why and how it happened.
What are the limitations of SPF?
Aside from implementation challenges, SPF has a few limitations to keep in mind.
SPF contains a limit on the number of DNS lookups that mail servers will do when evaluating an SPF record, aka the 10-domain lookup limit. Historically, this limit has not been a challenge as most senders ran their own mail infrastructure. Ten lookups can go pretty quickly though in today’s cloud-first environment.
SPF also uses the domain shown in a message’s Return-Path field for authentication, leaving the “From:” address open to spoofing.
SPF is prone to failure when a message passes through an intermediary, such as a forwarding service or mailing list, on the way to its final destination.
Since SPF is not enough in today’s cloud environment, domain owners should look for a complete email authentication solution that addresses the shortcomings of SPF. Domain-based Message Authentication, Reporting and Conformance (DMARC) is a great place to start.