
The best encrypted email services
- VersionDude
- Tooling
- 6 min read
What "encrypted email" really means, the difference between zero-access and end-to-end, and the services that do it credibly.
Ordinary email is far less private than most people assume. It is usually sent with transport encryption, which protects messages while they travel between servers. But the provider still stores your mail in a form it can read. And in the past many providers scanned that content to build advertising profiles. Transport security is needed. But on its own it does nothing to stop the company holding your inbox from reading it.
Two kinds of encryption to separate

'Encrypted email' usually means something stronger, and the term covers two distinct ideas worth separating. Zero-access encryption means the provider cannot read your stored mail, because it does not hold the key to your mailbox. End-to-end encryption means only the sender and recipient can read a given message, with no readable copy on any server in between. A service can offer one, both, or neither. So it pays to know which you are actually getting.
The difference matters because it sets the limits of what a provider can protect. Zero-access encryption guards everything in your own mailbox against the provider and against a server breach. End-to-end encryption guards one conversation against everyone except the two endpoints. Strong encrypted-email services aim to give you zero-access storage by default. They also aim for end-to-end encryption wherever the recipient's setup allows it.
The leading auditable providers
Proton Mail is the most established option in this space. It offers zero-access storage, so it cannot read your saved mail. It offers end-to-end encryption between its own users. Its client apps are open source, so the cryptography can be reviewed. And it has a Swiss legal base. That blend of a checkable build and a privacy-minded jurisdiction is what made it the default pick for people who want private email without becoming cryptography experts.
- Transport encryption protects mail in transit but not from the provider itself
- Zero-access encryption: the provider cannot read your stored mail
- End-to-end encryption: only the sender and recipient can read a message
- Proton Mail and Tuta are the leading open-source, auditable options
- No service can end-to-end encrypt a message to a standard Gmail account
Tuta, formerly known as Tutanota, is another open-source, end-to-end encrypted provider. It takes its own distinct approach. Notably, it encrypts not just message bodies but also subject lines and the broader mailbox. And it is based in Germany. Its encryption model is built differently from Proton's. So it also works differently with the outside world. That is a reminder that 'encrypted email' is built in more than one way.
The limit no provider can cross
A limitation applies to every service equally, and no provider can engineer around it. No service can magically encrypt a message end-to-end to someone on a normal Gmail or Outlook account. The recipient simply has no key to decrypt it. This is a property of how interoperable email works, not a flaw in any one product. Any vendor claiming otherwise should be treated with suspicion.
The realistic goal, then, is twofold. First, keep your own stored mail private from the provider through zero-access encryption. That way a breach or a curious company cannot read your inbox. Second, get true end-to-end encryption with contacts on the same system. For those who are not, use password-protected messages. Framed this way, encrypted email is about meaningfully cutting exposure, not reaching an impossible absolute.
What to check before you commit
When evaluating a service, look past the marketing to a few concrete signals. Are the client apps open source, and have they been independently reviewed? What exactly is encrypted, only message bodies, or subjects and metadata too? Where is the company based, and what is its track record on transparency? These questions separate services with genuine, checkable encryption from those that merely use the word in their branding.
There are also trade-offs to accept in exchange for privacy. Encrypted mailboxes can behave differently from mainstream ones. That shows up in areas like server-side search, automatic filtering, and integrations, because the provider cannot read your content. For most people these differences are minor next to the benefit of a mailbox the provider cannot mine. But going in aware of them prevents disappointment.
Picking the right fit
Maybe you want a private mailbox that the provider cannot read. Then Proton Mail is the easiest credible place to start. Tuta is a strong open-source alternative for those drawn to its full-mailbox encryption. Choose the model that fits how you communicate. Set realistic expectations about messages to outside providers. Do that, and you will have meaningfully better email privacy than the default offered by ad-funded services.



There are also trade-offs to accept in exchange for privacy. Encrypted mailboxes can behave differently from mainstream ones. That shows up in areas like server-side search, automatic filtering, and integrations, because the provider cannot read your content. For most people these differences are minor next to the benefit of a mailbox the provider cannot mine. But going in aware of them prevents disappointment.