I Tested 5 Secure Email Providers (THIS is the best Gmail alternative)

00:00

Last month I spent $238 buying subscriptions  to 5 of the most popular encrypted email  

00:06

providers on the market today. Why? I want to  compare the differences between these email  

00:12

services side by side: what features  do they offer, where are they located,  

00:15

do they have their own mobile apps  and, of course, how much do they cost?

00:20

These are the five companies we’re looking  at today and each of them represent an  

00:24

alternative to Gmail, Outlook or Yahoo that  is both private and not inundated with ads.

00:32

When stacking each of these encrypted  email providers side by side,  

00:35

I think it’s important to note that all  of them have been in business for more  

00:39

than a decade sending and receiving emails for  folks. In other words, while there’s always a  

00:44

risk that a company could go out of business or  be bought up and have their services shut down…

00:51

Skiff

00:54

…I’ve chosen these email providers  because they have a strong history  

00:57

that lends a certain amount of trust that  they’ll be around for a while longer.

01:02

We’ll dive into encryption in a moment,  but first let’s compare the data privacy  

01:07

laws of the countries in which they’re located.  Proton is based in Switzerland, which is highly  

01:13

regarded as one of the best for privacy not just  because of their strict data protection laws,  

01:18

but also because they are outside the  jurisdiction of both the US and the EU.

01:23

Tuta, Mailfence and StartMail are based in  Germany, Belgium and Netherlands respectively,  

01:32

all of which are part of the  EU and the GDPR which is the  

01:35

self-proclaimed “toughest privacy  and security law in the world”.

01:40

And finally we’ve got Hushmail based in Canada,  which from what I can understand has good privacy  

01:45

laws and is better than the US for sure, but  perhaps isn’t as ideal as Switzerland or the EU.

01:51

But does location really matter when we’re  dealing with encrypted data? In other words,  

01:56

even if a government requested my data or  the email server was compromised in a breach,  

02:01

it shouldn’t matter where that  server is located as long as  

02:04

the data is end-to-end encrypted,  right? Hopefully that’s the case,  

02:09

but the problem is that the word “encryption”  can be used in a lot of different ways.

02:14

All of these service offer PGP support, which  is the standard for email encryption. But the  

02:21

software architecture is important as well.  For example, StartMail is encrypted, but it  

02:26

is possible for them to decrypt and recover  an account. According to their whitepaper,  

02:31

doing so requires two separate senior  members of the management team who  

02:35

reside in on different continents and  thus are under different jurisdictions.

02:40

The obvious benefit to an architecture like this  is that you have the safety net of a recovery  

02:44

process in case you somehow lose access to  your account. Zero-knowledge architecture,  

02:49

on the other hand, takes all the encryption keys  and processes and puts them in your possession,  

02:54

so if you lose it, there’s  nothing the company can do.

02:58

This zero-knowledge architecture is the way  Proton, Tuta, Mailfence and even Hushmail  

03:03

claim to be designed. And I feel like I need  to put a disclaimer here that parsing all the  

03:09

marketing language and whitepaper explanations  is not easy and doesn’t always result in a  

03:14

black and white answer. There is nuance and  some of it is honestly above my pay grade.

03:20

In theory, though, these companies can  never access your email on their servers,  

03:24

which from a privacy standpoint is a  strength, but that also means that you  

03:28

are solely responsible for your account security.  No “forgot password” recovery option available.

03:34

Part of the security that I recommend, is what is  known as a 2FA key, like what you see here from  

03:38

Yubico. When you’re dealing with secure email,  you want to know that your data is encrypted,  

03:43

but you also want to know that your account  login is protected. Using a password alone  

03:48

isn’t enough when we’re dealing with secure  email. A physical YubiKey means that even  

03:53

if somebody guessed your password or stole  it in a breach, they couldn’t gain access  

03:58

to your account unless they physically  had this key to plug into their device.

04:02

YubiKeys are an important part of my personal  security and something I recommend for everybody  

04:06

I know. They’re actually the sponsor of this video  and as you can see here, Proton and Tuta are the  

04:12

only providers that accept YubiKeys right now.  Mailfence, StartMail and Hushmail all provide  

04:17

2FA via a text message or authenticator  app, but we’re dealing with encrypted  

04:22

email here - in my opinion, you should be able  to use the strongest form of security, right?

04:28

Well moving on, as I’ve gone about testing these  different email providers, basically trying to  

04:33

replace my reliance on Google services, the thing  I’ve noticed with email is that it’s not a single  

04:40

product. What I mean by that is that my email  is very closely tied to both my calendar and  

04:45

my cloud storage. I need to send and receive  calendar event invitations as well as download  

04:51

or upload attachments. And if you care about the  privacy of your email, you likely also care about  

04:56

the privacy of your calendar - I don’t want  Google or Microsoft knowing exactly where I  

05:00

am at all times and who I’m meeting with - or  the privacy of your stored contacts or your  

05:05

cloud drive. When you separate those services,  at least for me, it really disrupts my workflow.

05:12

This is an area where both Proton and Mailfence  already have an advantage in that they offer an  

05:17

encrypted calendar and cloud drive that  integrate seamlessly with their email  

05:21

product. Tuta has a very nice encrypted calendar  and I’m told the TutaDrive is being developed,  

05:26

but as of this filming it hasn’t been  released yet. So be aware of that.

05:31

Unfortunately, calendar and  encrypted drive features aren’t  

05:34

offered by StartMail and Hushmail, both  of whom are strictly email providers.

05:39

Ok, at this point I’m going to power  through a list of other features that  

05:41

are important but I don’t want  to go into great detail about.

05:46

First, if you want a native mobile app to access  your mail on your phone or tablet - something you  

05:50

download on the iOS or Android app store - Proton,  Tuta and Hushmail have developed and released  

05:56

their own apps. In terms of aliases, which is the  number of unique emails you can create to forward  

06:01

to your inbox, Proton, StartMail and Hushmail all  allow for an unlimited number of those. Tuta and  

06:08

Mailfence limit you based on your plan, starting  at 15-20 aliases, at least using their URL.

06:14

All of these encrypted email providers  allow you to use a custom domain,  

06:18

but StartMail is the only one that  for some reason requires you to  

06:21

pay $.85 extra per month to do it. I  don’t understand that, but whatever.

06:27

And finally, the pricing. The average  among these five services is $48,  

06:31

which makes Tuta the best value and  StartMail the highest investment.

06:35

So what do I recommend? After using all of these  encrypted email providers, for me it boils down to  

06:45

either Proton Mail or Tuta, which I’ll explain  in a moment. I like Mailfence and Startmail,  

06:51

but for Mailfence I really wish they would  add Yubikey support and for StartMail,  

06:55

the same thing applies but they  also simply lack the calendar and  

06:58

drive services that I need in order to  fully migrate to a new email provider.

07:04

At the end of the day, I suggest you go with  Proton Mail if you value unlimited aliases  

07:08

and the suite of other privacy services  they offer like a VPN or password manager.

07:13

If you just want the strongest email at the  best value, Tuta is the way to go instead.

07:19

And whichever you choose, if you  don’t already have a 2FA security key,  

07:23

then go purchase two YubiKeys for yourself -  one primary and one backup - that will ensure  

07:27

the highest possible protection for your account.  These keys can protect multiple online accounts,  

07:32

which I’ve talked about in a previous  video, but it just doesn’t make sense to  

07:35

me to invest in a secure email service  without having YubiKey protection.

07:40

I’m sure there are other things I’ve forgotten  to include in this comparison which you can leave  

07:44

in the comments, but if you want to see a full  breakdown, visit allthingssecured.com/secureemail  

07:50

which I’ll keep updated with any  changes long after this video goes live.