The Best Email Encryption Services for 2022

If you’ve never embarrassed yourself by clicking Send All on what should’ve been a private email message, congratulations! You’re a rare breed. But don’t twist your arm patting yourself on the back. The security, or lack of security, in the overall email communication system means that you might as well have made that mistake. Anybody who’s interested in snooping your email can probably catch it as it bounces around between servers. Even when your webmail provider protects mail using HTTPS, that provider still has access. To communicate via email while protecting your privacy, you need a service that encrypts every trace of your email communication. We’ve rounded up a varied collection of such services, some of which don’t cost a penny.


Wait, Isn't My Email Already Encrypted?

You may remember some years ago when Google tweaked Gmail so that it always uses a secure HTTPS connection. That means it uses the standard Transport Layer Security (TLS) for encryption. This is good, but it’s the bare minimum. Every website should use HTTPS.

Currently, Google says it doesn't read your mail. However, it's easy to accidentally give mail-reading permission to third-party apps. And Google does read your messages sufficiently to do things like automatically put airline flight notifications in your calendar. Google also has a policy explaining when it will release your email to government entities, one that clearly indicates that it can do so if compelled.

Apple Mail supports full-on encryption and digital signatures. To enable these features, you must obtain a security certificate. There used to be quite a few sources for free certificates, but the list is shrinking. We used a third-party service to obtain a cert for testing. With the certificate installed in your keychain, your emails are digitally signed by default. And if all the recipients of a message also have certs, you can click the lock icon to send the message encrypted.

A quick survey of my PCMag colleagues turned up exactly nobody who had installed an email security certificate, and this is a technically minded group. You’d expect even fewer ordinary consumers to have encryption enabled for their Apple Mail…except that you can’t go lower than zero.

In any case, Apple has had some glitches with encryption. Researchers in 2019 discovered unencrypted copies of secure emails in the database that Siri uses to better serve you. I think we can agree that Siri does not need to read our encrypted emails.

The point here is that your email provider’s goals aren’t centered on security and privacy. If you really want to protect your emails from prying eyes, look to a third-party company that puts security first.


Do I Have to Pay for Email Encryption?

Maybe you’re convinced that encrypting your email is a good thing, but are you convinced enough to pay for it with your hard-earned cash? Don’t worry: You don’t have to pay.

Preveil and Virtru are totally free. Both are simplified consumer-focused editions of enterprise-level products. Their “big brother” products bring in the cash.

You don't have to pay for SecureMyEmail if you use it to encrypt a single Gmail, Yahoo, or Microsoft account, and there are no limits on features. A paid account lets you protect multiple accounts, up to eight, and also adds support for other email providers. Signing up for a free account or a 30-day trial of the paid service doesn't require a credit card or any personal info beyond your email address.

At the free level, Tutanota lets you send and receive unlimited messages that are completely encrypted using open-source technology. You even get a secure calendar to go with your secure inbox. Upgrading to the inexpensive premium edition lets you create multiple calendars, define up to five aliases (alternate emails), and set filter rules to handle incoming messages.

You can also use ProtonMail and Private-Mail for free, but you must accept certain limitations. Smart consumers will set up a free account and see if the limitations chafe. If they do, converting to a paid account is simple. StartMail is the only product covered here that doesn’t have a free tier, though it does offer a 7-day free trial.


Do I Have to Change My Email Address?

On the one hand, starting fresh with a never-before-seen email address can be freeing. You know that the new address hasn’t been bandied about on the Dark Web or hoovered up by data aggregators. On the other hand, you must let all your contacts know that your address changed and reconfigure all your online accounts to use the new address.

ProtonMail, Private-Mail, StartMail, and Tutanota all require that you switch to a brand-new email address. As with any other webmail system, it must be unique within the system. But since these services don’t have the millions or even billions of users that a Gmail or Yahoo does, you may well be able to get your own name without tagging on a bunch of numbers or other characters. Wouldn’t you rather have a [email protected] address than a [email protected] one?

With Preveil, SecureMyEmail, and Virtru, you keep your existing email. In fact, Virtru requires that you use a Gmail address. Preveil doesn’t limit you to any specific email provider. It integrates with Gmail and Outlook on Windows and Apple Mail on macOS, and with the native mail app on your mobile devices. Likewise, SecureMyEmail can handle accounts from any email provider that supports IMAP.

Who Can I Email?

Encrypting your messages does no good unless the recipient can decrypt them. Different products handle that end of the equation in a variety of ways.

The recipient of a Preveil message must install Preveil to read it, period. But since the product is free and easy to install, that’s not much of a limitation. Your communication is secured with military-level encryption, but you don’t have to remember passwords or do anything beyond choosing to encrypt the message.

Virtru also manages encryption keys outside your view. The recipient of a Virtru message clicks a link to view and reply to the message in a browser window, with no need to install Virtru.

When you send a message to someone outside the Tutanota network, the recipient gets a notification with a link, much like with Virtru. You must transmit a password to the recipient by some means other than email. The link opens what's effectively a stripped-down Tutanota, with the ability to send secure replies but not much else.

StartMail, Private-Mail, and ProtonMail all use an encryption system called Pretty Good Privacy (PGP) to secure messages between users of their respective services. That means they can also exchange encrypted mail with users of other email systems that support PGP. Setting up the necessary key exchange to enable third-party PGP messaging can be difficult, though.

Those same three products also include a provision for securely communicating with those who both don’t use the service and don’t have a PGP key. While the implementations differ, the overall method is the same. You encrypt your message with a password and transmit the password to the recipient using a text, a phone call, or some other non-email communication.
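The password-protected scheme described above can be sketched in a few lines of Node.js. This is an added example, not code from any of the services reviewed here; the function names, the scrypt cost settings, and the envelope layout are assumptions made for illustration.

```javascript
// Added sketch, not any provider's code: password-protected mail for a recipient without PGP.
const nodeCrypto = require('crypto');

// scrypt cost parameters are assumed values for this example.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stretch the shared password into a 256-bit key; the random salt makes each key unique.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password.normalize('NFKC'), salt, 32, KDF);
}

// Sender side: returns an envelope that is safe to send through ordinary email.
function sealMessage(plaintext, password) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12); // fresh per message, never reused with a key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    nonce: nonce.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    body: body.toString('base64'),
  };
}

// Recipient side: returns the plaintext, or null if the password is wrong or the
// envelope was altered in transit (the GCM tag check fails in both cases).
function openMessage(envelope, password) {
  const b64 = (s) => Buffer.from(s, 'base64');
  try {
    const key = deriveKey(password, b64(envelope.salt));
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, b64(envelope.nonce));
    decipher.setAuthTag(b64(envelope.tag));
    const plain = Buffer.concat([decipher.update(b64(envelope.body)), decipher.final()]);
    return plain.toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample: the password below would be shared by phone or text, not by email.
const sample = sealMessage('Gate code is 4471', 'tulip-ferry-anvil-92');
console.log(openMessage(sample, 'tulip-ferry-anvil-92'));
console.log(openMessage(sample, 'guess123'));
```

Anyone who intercepts the envelope can try passwords offline, so the protection is only as strong as the password you choose and the channel you use to share it.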

When you send out-of-network mail from SecureMyEmail, it automatically generates keys and sets the message to expire after 30 days. After authenticating, the recipient views the message in a web page, with the option to reply securely. You can choose to shorten the expiry time, or to add a password for protection. SecureMyEmail can also import existing PGP keys and has no problem with a mix of in-network and out-of-network recipients of the same message.


How Is My Email Protected?

Using PGP encryption requires that you enter the PGP passphrase for your encryption key. When you send non-PGP encrypted messages, each can have its own password. Preveil and Virtru don’t require a password—your possession of a trusted device is enough for basic authentication. And yes, you can revoke trust for a lost device.

Tutanota encrypts everything, including message headers, subject lines, and contacts. You do use a password to log into your account, so make it a strong one. As noted, communicating with contacts who aren't already using Tutanota requires that you create a password for each contact and transmit it by some channel other than email. Tutanota securely stores that password along with the contact record.

Whether basic authentication relies on a password or trusted device, you can crank up security by enabling multi-factor authentication, when available. ProtonMail, Private-Mail, StartMail, and Tutanota all support multi-factor authentication using Google Authenticator or any work-alike that can provide a standard Time-based One-Time Password (TOTP).

Tutanota also supports authentication using a Yubikey or other U2F (Universal 2nd Factor) authentication key. You can register multiple keys and even use U2F along with a TOTP app. If you don't have your U2F key at hand, authentication rolls over to the TOTP app.

With Preveil, you need access to a trusted device (something you have), the password for your email account (something you know), and whatever authentication method you use to open the trusted device, typically a passcode or biometric system. It’s a form of multi-factor authentication, though not the traditional password-plus-TOTP type.


What Else Do I Get?

As noted, with some services you start fresh with a brand-new email address. But once you start using that address, once many different merchants and websites have it, it won’t stay pristine. That is, unless you never tell anybody your email address.

How can you email without giving away your address? By using a Disposable Email Address (DEA) service, that’s how. Such a service generates a one-off DEA every time you need to give out your address. Messages to that DEA show up in your regular inbox, and replies seem to come from the DEA. And if one of your DEAs starts to get spam or other problems, you can just delete it.

Private-Mail and StartMail can both create and manage DEAs. However, they’re rather limited compared to dedicated DEA utilities such as Burner Mail and ManyMe. Tutanota's email aliases are even more limited, in that you get just five and can't change them after creation. Abine Blur goes beyond those two, letting you shop while hiding not only your actual email address but your credit card number and phone number.

With most of these services, you can share a file securely by attaching it to an encrypted message; Private-Mail is the exception, as it supports only plain text. It makes up for that lack by giving you encrypted cloud storage, along with the ability to securely share files from your encrypted storage. Preveil also offers cloud storage with secure sharing. A similar ProtonMail feature is now in beta, available to all users.

You can set ProtonMail and Virtru messages to expire after a given time. Private-Mail and ProtonMail let you set an away message when you won’t have email access. These two also include the ability to define filtering rules. As noted, SecureMyEmail out-of-network messages automatically expire in no more than 30 days, but there's no expiry option for in-network messages.

As noted, you get a secure calendar with the free edition of Tutanota, one that syncs across all your devices. Paying for a premium account lets you create multiple calendars. ProtonMail's associated ProtonCalendar is likewise available at the free level. Private-Mail also offers a calendar feature. However, in testing, Private-Mail's system for syncing that calendar proved too complex for the average user.


What’s the Best Service for Encrypting Your Email?

As you can see, all these products have their virtues, and each offers a different set of features. For its weapons-grade encryption, ease of use, and low price (free!), Preveil is our top pick and our Editors’ Choice winner. However, if you want a new email address for your encrypted messages, support for third-party PGP communication, or another unusual feature, you’ve got plenty of choices.

While you're thinking about security, you should read our roundup of the best encryption software for protecting the data on your drives.


