ProtonMail.com is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since 2013. ProtonMail is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan.
Free accounts have some limitations, such as not being able to search body text and not having access to ProtonMail Bridge, which is required to use a recommended desktop email client (e.g. Thunderbird). Paid accounts are available starting at €48/y which include features like ProtonMail Bridge, additional storage, and custom domain support.
Paid ProtonMail users can use their own domain with the service. Catch-all addresses are supported with custom domains for Professional and Visionary plans. ProtonMail also supports subaddressing, which is useful for users who don't want to purchase a domain.
ProtonMail accepts Bitcoin in addition to accepting credit/debit cards and PayPal.
ProtonMail supports TOTP two factor authentication only. The use of a U2F security key is not yet supported. ProtonMail is planning to implement U2F upon completion of their Single Sign On (SSO) code.
ProtonMail has zero access encryption at rest for your emails, address book contacts, and calendars. This means the messages and other data stored in your account are only readable by you.
ProtonMail has integrated OpenPGP encryption in their webmail. Emails to other ProtonMail users are encrypted automatically, and encryption to non-ProtonMail users with an OpenPGP key can be enabled easily in your account settings. They also allow you to encrypt messages to non-ProtonMail users without the need for them to sign up for a ProtonMail account or use software like OpenPGP.
ProtonMail also supports the discovery of public keys via HTTP from their Web Key Directory (WKD). This allows users outside of ProtonMail to find the OpenPGP keys of ProtonMail users easily, for cross-provider E2EE.
ProtonMail's login and services are accessible over Tor, protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion
ProtonMail offers a "Visionary" account for €24/Month, which also enables access to ProtonVPN in addition to providing multiple accounts, domains, aliases, and extra storage.
Mailbox.org is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed.
Mailbox.org lets users use their own domain and they support catch-all addresses. Mailbox.org also supports subaddressing, which is useful for users who don't want to purchase a domain.
Mailbox.org doesn't accept Bitcoin or any other cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung.
Mailbox.org supports two factor authentication for their webmail only. You can use either TOTP or a Yubikey via the Yubicloud. Web standards such as U2F and WebAuthn are not yet supported.
Mailbox.org allows for encryption of incoming mail using their encrypted mailbox. New messages that you receive will then be immediately encrypted with your public key.
However, Open-Exchange, the software platform used by Mailbox.org, does not support the encryption of your address book and calendar. A standalone option may be more appropriate for that information.
Mailbox.org has integrated encryption in their webmail, which simplifies sending messages to users with public OpenPGP keys. They also allow remote recipients to decrypt an email on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox.
Mailbox.org also supports the discovery of public keys via HTTP from their Web Key Directory (WKD). This allows users outside of Mailbox.org to find the OpenPGP keys of Mailbox.org users easily, for cross-provider E2EE.
You can access your Mailbox.org account via IMAP/SMTP using their .onion service. However, their webmail interface cannot be accessed via their .onion service, and users may experience TLS certificate errors.
All accounts come with limited cloud storage that can be encrypted. Mailbox.org also offers the alias @secure.mailbox.org, which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports Exchange ActiveSync in addition to standard access protocols like IMAP and POP3.
Disroot offers email amongst other services. The service is maintained by volunteers and its community. They have been in operation since 2015. Disroot is based in Amsterdam. Disroot is free and uses open source software such as Rainloop to provide service. Users support the service through donations and buying extra storage. The mailbox limit is 1 GB, but extra storage can be purchased 0.15€ per GB per month paid yearly.
Disroot lets users use their own domain. They have aliases, however you must manually apply for them.
Disroot accepts Bitcoin and Faircoin as payment methods. They also accept PayPal, direct bank deposit, and Patreon payments. Disroot is a not-for-profit organization that also accepts donations through Liberapay, Flattr, and Monero, but these payment methods cannot be used to purchase services.
Disroot supports TOTP two factor authentication for webmail only. They do not allow U2F security key authentication.
Disroot uses full disk encryption. However, it doesn't appear to be "zero access", meaning it is technically possible for them to decrypt the data they have.
Disroot also uses the standard CalDAV and CardDAV protocols for calendars and contacts, which do not support E2EE. A standalone option may be more appropriate.
Disroot allows for encrypted emails to be sent from their webmail application using OpenPGP. However, Disroot has not integrated a Web Key Directory (WKD) for users on their platform.
Disroot does not operate a .onion service.
They offer other services such as NextCloud, XMPP Chat, Etherpad, Ethercalc, Pastebin, Online polls and a Gitea instance. They also have an app available in F-Droid.
Tutanota.com is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since 2011 and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan.
Tutanota doesn't allow the use of third-party email clients. There are plans to allow Tutanota pull email from external email accounts using the IMAP protocol. Email import is currently not possible.
Emails can be exported individually or by bulk selection. Tutanota does not allow for subfolders as you might expect with other email providers.
Tutanota is working on a desktop client and they have an app available in F-Droid. They also have their app in conventional stores such as App Store on iOS and Google Play for Android.
Paid Tutanota accounts can use up to 5 aliases and custom domains. Tutanota doesn't allow for subaddressing (plus addresses), but you can use a catch-all with a custom domain.
Tutanota accepts only credit cards and PayPal.
Tutanota supports two factor authentication. Users can either use TOTP or U2F. U2F support is not yet available on Android.
Tutanota has zero access encryption at rest for your emails, address book contacts, and calendars. This means the messages and other data stored in your account are only readable by you.
Tutanota does not use OpenPGP. Tutanota users can only receive encrypted emails when external users send them through a temporary Tutanota mailbox.
Tutanota does have plans to support AutoCrypt. This would allow for external users to send encrypted emails to Tutanota users as long as their email client supports the AutoCrypt headers.
Tutanota does not operate a .onion service but may consider it in the future.
Tutanota offers the business version of Tutanota to non-profit organizations for free or with a heavy discount.
Tutanota also has a business feature called Secure Connect. This ensures customer contact to the business uses E2EE. The feature costs €240/y.
StartMail.com is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial.
Personal accounts can use Custom or Generated aliases. Business accounts can use Domain aliases.
StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other payment options such as Bitcoin (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year.
StartMail supports TOTP two factor authentication for webmail only. They do not allow U2F security key authentication.
StartMail has zero access encryption at rest, using their "user vault" system. When a user logs in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key.
StartMail supports importing contacts however, they are only accessible in the webmail and not through protocols such as CalDAV. Contacts are also not stored using zero knowledge encryption, so a standalone option may be more appropriate.
StartMail has integrated encryption in their webmail, which simplifies sending messages to users with public OpenPGP keys.
StartMail does not operate a .onion service.
StartMail allows for proxying of images within emails. If a user allows the remote image to be loaded, the sender won't know what the user's IP address is.
CTemplar is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. CTemplar has been in operation since 2018 and is run from Iceland. Paid accounts start with 5GB. They offer free accounts by invitation.
Paid accounts can use Custom Domains and aliases.
CTemplar payment options include Credit cards via Stripe, Bitcoin and Monero.
CTemplar supports TOTP two factor authentication for webmail only. They do not allow U2F security key authentication.
CTemplar has zero access encryption at rest, using PGP. They support protected headers and therefore there is subject encryption.
CTemplar supports importing contacts and contacts are encrypted at rest however, they are only accessible in the webmail and apps.
CTemplar has integrated encryption in their webmail, which simplifies sending messages to users with public OpenPGP keys.
CTemplar's .onion service ctemplarpizuduxk3fkwrieizstx33kg5chlvrh37nz73pv5smsvl6ad.onion is currently disabled for webmail access, due to a Tor Browser bug.
CTemplar has a dead man timer feature that will automatically send a particular message after a given period of time.
CTemplar also has a feature that allows users verify checksums of production pages with a public copy on Github.
Electron clients exist for Windows, Mac and Linux. Official clients also exist for iOS and Android (including F-Droid.) All of these clients are open source.