(Updated September 5, 2018 to include recent new features in one of the products.)

Can I use any free email encryption service? Make the wrong choice and you could end up with a service where resetting a password causes all your past emails to be unreadable (yes, these exist, and for good reason).

Before you select a service, you need to know: Do they assume that all your email recipients are on a corporate email server with certificates and private keys configured by their IT departments? Can you log in with your Gmail password (Google account)? Do they only work with a paid Gmail (Google Gsuite) account? Are they over-priced? Prices vary greatly. Some charge $495 for the same feature that others give you for less than a quarter of that price. Do they make it easy for your recipients to open your encrypted email? Can you place your encrypted email address on your business card or on client forms saying 'Submit completed form to this secure address'?

We show you how to select the best email encryption service for your small business or professional practice, to securely communicate with clients. Some of the best choices are free and you could also use them for personal use.

Specifically, we will compare 13 secure email services listed in the table below.

Category                      Products
You protect encryption key    Countermail, Hushmail, Lockbin, Protonmail, SecureMyEmail, Tutanota
Automatic encryption          Safe-mail.net, SendInc, NeoCertified, Encyro, MDOfficeMail.com, FastMail, Neomailbox

Summary: Jump to the comparison summary, or directly to the summary comparison of secure webmail products that automatically manage your encryption keys.

Why Encrypt Email?

Small businesses are increasingly being attacked because their cyber-security defenses are often much easier to breach than the big corporations. In fact, the Identity Theft Resource Center's report on 2017 breaches shows that 91.4% of the records breached were from businesses (and not banks, medical institutions, government, and educational institutions that made up only the remaining 8.6%). And looking at the list of specific businesses that were breached shows that there were way more small businesses, with just a few hundred customer records stolen, than larger businesses.

Email is one of the common ways through which data can be breached. Your bank never emails you the statement, right? Because email is not secure. Email messages and attachments can be read or copied by someone without knowing your email account password as they travel over the network. Even if you use HTTPS to connect to your mail account or secure WiFi, that only encrypts the communications at your end. The transmission from your email server to the recipients' servers is not encrypted by default.

Joint research by the University of Michigan, Google, and the University of Illinois Urbana-Champaign measured over 700,000 mail servers and found that most had glaring loopholes that allow attackers to reroute emails to their servers. Do any of your clients use Gmail? Measurements in the above study showed that up to 20% of all messages were routinely attacked.

To stay safe, many small businesses have started using email encryption. They also use other common security measures outlined in this checklist.

How can you encrypt email with ease such that it is secure but your clients can open it easily?

What not to do

There are different types of email encryption (as explained in this Encyro article):

  1. TLS,
  2. enterprise email encryption,
  3. do-it-yourself (DIY) encryption, and
  4. secure webmail

The first three are not recommended for small business use. Why?

The first one, TLS, only works if both your email server and the recipient's email server are configured correctly and in a compatible manner. If any encryption setting is incompatible, the message is sent in plain text (without encryption).
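Whether a given leg of a message's journey was actually protected by TLS is recorded, after the fact, in the `Received:` headers that each mail server prepends. The following Python script is an added example (not from the article or any product it describes) that walks those headers and flags the hops delivered over plain ESMTP; the message it parses is constructed for illustration and the host names are made up.

```python
import re
from email import message_from_string

# Constructed sample (not a real message): the server-to-server leg in the
# middle was plain ESMTP, so that leg crossed the network unencrypted.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.9])
        by inbox.recipient.example with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 5 Sep 2018 10:02:14 -0700 (PDT)
Received: from mail.sender.example (mail.sender.example [203.0.113.5])
        by mx.recipient.example with ESMTP id def456;
        Wed, 5 Sep 2018 10:02:13 -0700 (PDT)
Received: from [10.0.0.7] (client.sender.example [192.0.2.44])
        by mail.sender.example with ESMTPSA id ghi789
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Wed, 5 Sep 2018 10:02:12 -0700 (PDT)
From: alice@sender.example
To: bob@recipient.example
Subject: Your statement

Attached.
"""

# SMTP "with" keywords that imply a TLS-protected connection (RFC 3848 registry).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}


def parse_received_hops(raw_message: str) -> list:
    """Return one dict per hop, oldest first: from/by hosts, protocol and TLS info."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received: line, so reverse for chronological order.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        frm = re.match(r"from\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        with_ = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
        version = re.search(r"version=([^\s);]+)", text)
        protocol = with_.group(1).upper() if with_ else ""
        hops.append({
            "from": frm.group(1) if frm else "?",
            "by": by.group(1) if by else "?",
            "protocol": protocol,
            "tls": protocol in TLS_PROTOCOLS,
            "tls_version": version.group(1) if version else None,
        })
    return hops


def unencrypted_hops(raw_message: str) -> list:
    """Legs with no TLS keyword: the ones a network attacker could read in transit."""
    return [f"{h['from']} -> {h['by']}"
            for h in parse_received_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in parse_received_hops(SAMPLE_MESSAGE):
        status = f"TLS {hop['tls_version']}" if hop["tls"] else "PLAINTEXT"
        print(f"{hop['from']:>24} -> {hop['by']:<26} {hop['protocol']:<8} {status}")
    print("unencrypted legs:", unencrypted_hops(SAMPLE_MESSAGE))
```

Only the `Received:` lines added by servers you trust are reliable, since any earlier relay can forge the ones below its own; the check still shows why the article calls TLS alone insufficient: a single incompatible hop silently falls back to plain text.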

The second, enterprise email encryption (such as Microsoft Exchange, Symantec, ZixMail, Virtru, Digital Guardian, and others listed here), is easy to use only when both the email sender and receiver have encryption set up correctly through their enterprise email servers. Look at the instructions to do this in Microsoft Outlook, and you will instantly notice that the very first requirement is that both the sender and receiver be set up with the correct certificates and private keys. If your recipient is using a free webmail service such as Gmail, Yahoo! Mail, Hotmail, or similar, they will be required to download a specific file and then asked to create a Microsoft account. Virtru also allows outside users to receive your email but requires them to go through a two-step identity verification process. Do you really want your recipients to go through these hassles?

This method is not recommended for small businesses as the overhead to set it up on your side is rather high, both in terms of expertise needed and the high monetary costs. You cannot place such a secure email address on your business card or paperwork as a means to receive securely because any email sent to this address from an external email address will not be secure (unless the sender has their own encrypted email account on the same service).

The third, DIY email encryption, involves getting your own public key and private key pair, as explained here, or getting a software tool that supports OpenPGP and does the encryption for you, as mentioned here. Your recipient will also need a compatible tool, of course. More detailed instructions with specific tools to use are given in this LifeHacker article.

Needless to say, the DIY method is very difficult to use, not only for you but also your clients. We do not recommend it for business use unless your clients are information technology (IT) experts and you want to impress them with your own IT skills.

The Practical Approach: Secure Webmail

A realistic option for most small businesses is to use one of many encrypted webmail services. While the different web based email encryption services vary in features and pricing, they all fall into one of two categories: those that manage your encryption keys for you, and those where even the email service provider does not have access to your encryption key.

Only You Can Decrypt

For the email encryption services where even the email provider does not have access to your encryption key, the big advantage is that even they cannot easily decrypt your email on the backend. This may be useful to avoid or slow down government surveillance, such as for whistleblowers investigating corruption, or certain others.

ProtonMail, LockBin, Hushmail, Countermail, SecureMyEmail, and Tutanota are some of the providers that offer such email encryption. Countermail only encrypts emails to other Countermail users. See others here.

The big disadvantage is that you are responsible for protecting the encryption key. For instance, in ProtonMail, your encryption key is protected with your password, which only you know. ProtonMail has no way to retrieve your password. If you forget your password and need to reset it, your past email can no longer be decrypted and is lost forever. A similar risk applies to Tutanota, Hushmail, Countermail and LockBin. With SecureMyEmail, the key is only stored on your device - so you must maintain a backup.

A second disadvantage is that you cannot place this email address on your business card or paperwork as a means for your clients to send you secure messages (unless they have an account with the same provider). The only exception is Hushmail, that has recently announced a 'contact form' feature that allows you to create a web form to receive secure messages. The feature is not released yet. (Such a feature is available already from some of the providers in the other category.) Once released, you could place your secure contact form web address on your business card or on your client intake paperwork with instructions such as 'submit completed forms at this address.'

Another potential disadvantage is that if your clients are tech savvy, they may wonder why you are using the kind of encryption used for avoiding surveillance. What kind of clients do you serve? Is it OK to be associated with you?

But if your business does need to control your own encryption keys and the above difficulties are an acceptable trade-off, then you could select one of the above providers based on private key security, difficulty of use, location, and price.

How Safe is Your Private Key: While all the products in this category do not have direct access to your private key (the private key is the one needed to decrypt and read your emails), some of them do have temporary access to it. The products can be divided into two categories: those that use the private key only on your devices and those that use your private key on their server to decrypt messages.

  • Decryption on server: For services that use your private key on their server to decrypt email, they typically only use your key in memory (the key is encrypted using your password when stored on disk). However, because their server has access to your private key, at least when you are logged in, these email providers do have the ability to store your private key (in response to a court order, for instance). The private key can then be used to decrypt your data. Also, the server operating system may at times store contents of the memory on disk, such as when it is running low on memory. So while your key is normally protected in the sense that your password is needed to decrypt it, the key is available to the email provider when you enter your password to read your email. ProtonMail and Hushmail fall into this category.

  • Decrypt on your device: In this case, email encryption can be designed such that your private key never leaves your device. It may have to leave your device for being sent to another device (such as when you access your email from two devices - a desktop and a phone), but then it only leaves your device in encrypted format. The email provider's server does not require access to your decrypted key. The email provider's software running on your device uses your password to decrypt the key and email messages. Countermail offers this option. Lockbin, Tutanota, and SecureMyEmail also work this way. However, you should be aware of two risks:

    • While this option is more secure than using the key on the email provider's server, it also relies on trusting the email provider's software running on your device. In the past, there have been cases where, in response to law enforcement requests, the email provider used a backdoor in their software running on the user's device to obtain the private key even though the key was never stored on the email provider's server. The location of the email provider's organization and their servers can impact which law enforcement agency they must respond to.
    • You must back up your key reliably and securely. Since the key is stored only on your device(s), if you lose your device or if it malfunctions, all your past email could be lost unless you have a backup of your private key.
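The two categories described above (and the "forgot your password, lost your past email" consequence) come down to who can unwrap the decryption key. As an added illustration, not from the article or any of the products it names, the Python below models both: a password-wrapped key that only the password holder can recover, and a provider-held key where the password merely gates login. Since the standard library has no AES, the wrapping uses scrypt output as a one-time pad plus an HMAC tag as a stand-in for AES key wrap or OpenPGP's string-to-key; the mailbox classes and their method names are hypothetical.

```python
import hashlib
import hmac
import os


def _derive_keys(password: str, salt: bytes) -> tuple:
    """Stretch the password with scrypt into a 32-byte pad and a 32-byte MAC key."""
    okm = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return okm[:32], okm[32:]


def wrap_private_key(private_key: bytes, password: str) -> dict:
    """Password-protect a 32-byte key so only the password holder can recover it.
    Stand-in for AES key wrap / OpenPGP S2K: the fresh salt makes the scrypt output a
    one-time pad, and an HMAC over salt+ciphertext detects a wrong password."""
    if len(private_key) != 32:
        raise ValueError("expected a 32-byte key")
    salt = os.urandom(16)
    pad, mac_key = _derive_keys(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(private_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_private_key(blob: dict, password: str) -> bytes:
    """Recover the key; raises ValueError when the password is wrong."""
    pad, mac_key = _derive_keys(password, blob["salt"])
    tag = hmac.new(mac_key, blob["salt"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("wrong password: key cannot be unwrapped")
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))


def password_is_correct(blob: dict, password: str) -> bool:
    try:
        unwrap_private_key(blob, password)
        return True
    except ValueError:
        return False


def key_fingerprint(private_key: bytes) -> str:
    """Identifies which key old mail was encrypted to; only that key can read it."""
    return hashlib.sha256(private_key).hexdigest()[:16]


class UserControlledMailbox:
    """'Only you can decrypt' model (hypothetical): the provider stores just the
    password-wrapped key and never keeps the clear key."""
    def __init__(self, password: str):
        self.blob = wrap_private_key(os.urandom(32), password)

    def current_key_fingerprint(self, password: str) -> str:
        return key_fingerprint(unwrap_private_key(self.blob, password))

    def reset_password(self, new_password: str, old_password: str = "") -> bool:
        """True if old mail stays readable. With the old password the same key is
        re-wrapped; without it nothing can be unwrapped, so a new key is issued and
        everything encrypted to the old key is unreadable forever."""
        if old_password and password_is_correct(self.blob, old_password):
            key = unwrap_private_key(self.blob, old_password)
            self.blob = wrap_private_key(key, new_password)
            return True
        self.blob = wrap_private_key(os.urandom(32), new_password)
        return False


class ProviderManagedMailbox:
    """'Automatic encryption' model (hypothetical): the provider holds the key in
    the clear; the password only gates login, so a reset never touches old mail,
    and the provider itself can decrypt at any time."""
    def __init__(self, password: str):
        self.private_key = os.urandom(32)
        self._set_login(password)

    def _set_login(self, password: str) -> None:
        self.login_salt = os.urandom(16)
        self.login_hash = hashlib.scrypt(password.encode(), salt=self.login_salt,
                                         n=2**14, r=8, p=1, dklen=32)

    def current_key_fingerprint(self, password: str) -> str:
        check = hashlib.scrypt(password.encode(), salt=self.login_salt,
                               n=2**14, r=8, p=1, dklen=32)
        if not hmac.compare_digest(check, self.login_hash):
            raise ValueError("login failed")
        return key_fingerprint(self.private_key)

    def reset_password(self, new_password: str) -> bool:
        self._set_login(new_password)  # key untouched: old mail still readable
        return True
```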

Difficulty for Recipients: If your email recipients are not themselves using the same email provider, then to be able to read your messages, you need to provide them with a secret pass-phrase or key, outside of email. This can be a hassle for business use since you now need to create a separate secret pass-phrase for each client and provide it over the phone, snail-mail, or in person. And your clients need to save their key or pass-phrase as well. This is true for all providers in this category, except Hushmail and SecureMyEmail.

  • Hushmail recently introduced a change where it does allow you to send a secure message to non-Hushmail users without having to communicate a separate secret passphrase to them. However, the recipient is forced to create a Hushmail account to read your message.
  • With SecureMyEmail, you must ask the recipient to install specific software and create an account.

Location: ProtonMail is Swiss and has its data centers in Switzerland as well. Tutanota is German with their data center also in Germany. Countermail is Swedish and their servers are located in Sweden. Access from the US or other countries may be slower than from Europe, but they are not required to respond to US court orders.

LockBin is based in the US. HushMail's data centers are in Vancouver, Canada, and the company is subject to the laws of British Columbia, Canada.

Price: Some providers do offer a free tier, though the free tier has limitations. ProtonMail limits free accounts to 0.5GB of total storage, including all messages and attachments. Tutanota offers 1GB free. LockBin does not specify inbox size limits but their free tier only allows storing messages for 6 months or less. Also, each email can be sent to at most one recipient and can contain just one attachment (up to 25MB).

Hushmail and Countermail do not offer a free tier but do have time-limited free trials. Their paid tiers start upwards of $49 per year, and they get more expensive as you add more storage.

SecureMyEmail does not have a free tier but their lowest paid tier is very cheap, priced at 99c as of this writing.

Besides location and price, it is worth noting that Hushmail seems to de-activate your account if you do not use it for a few weeks. Countermail offers the extra benefit of not logging any IP addresses.

Automatic Encryption

The other category of encrypted webmail, where the encryption keys are automatically managed for you, is the one we recommend for small business use. With such an email encryption service, sending messages is often as easy as with any other webmail service such as Gmail, Yahoo Mail, Outlook.com or others. The encryption key is controlled by the email encryption service provider and they manage all backups.

The differences among the products in this category are mostly in terms of:

  • how easy it is for your recipient to open your email,
  • how easy it is for them to send you an encrypted email (a new email or a reply to your email),
  • pricing, and
  • other features such as storage limits, attachment sizes, and mobile access.

We compare SendInc, safe-mail.net, NeoCertified, Encyro, and MDOfficeMail.com. All these providers encrypt your email to all senders, regardless of whether the recipient's email server supports email encryption or not.

Some other email providers such as FastMail and Neomailbox, advertised as secure, do not encrypt email sent to recipients outside of their servers. For FastMail, messages are only encrypted if the recipient servers support compatible encryption settings (similar to TLS, which even free email providers, such as Gmail, provide). Neomailbox only encrypts up to their servers. Neomailbox does allow encrypting your messages to outside users using a rather cumbersome process that involves typing your message in a particular format and exchanging a secret pass-phrase with your recipient. Since these two services do not offer the same fundamental security as the others that encrypt your messages and attachments to all recipients, we do not consider these two in more detail.

Easy to receive for clients: When emailing other users on the same service, sending and receiving are as easy as with any webmail provider. However, since most of your clients likely do not have an account with the provider you will select among these, it is important to consider how they will receive your messages.

  • SendInc, NeoCertified, and MDOfficeMail: Recipient is forced to sign up for an account (free). MDOfficeMail optionally allows enforcing an additional passphrase that you must provide your recipients outside of email.
  • Safe-mail.net allows recipients to click a link in their email to access their secure message (a password included in the email message must be manually typed by the recipient). Such messages expire to keep them safe.
  • Encyro: Recipients simply click a link in their email to access your message without any account sign up. The message expires after a set time to keep it secure. Optionally, the recipient may sign up for a free account simply by entering a password if they wish to retain indefinite access to their message. To minimize friction, the sign-up option is offered after your recipient has already retrieved the message.

Easy for clients to send you secure messages or attachments: With most of these services, if your recipient also has an account with the same encrypted email service they can send you a message too. However, if they do not have their own account:

  • NeoCertified allows users without NeoCertified accounts to upload messages securely to you, through a web based form, though the service is expensive at $495.00/year. Without that add-on service, recipients must create an account (free) that they can use only to reply to your message but not to send any new messages to others.
  • MDOfficeMail allows users without an MDOfficeMail account to send a secure message to MDOfficeMail users through their website or through a customized contact form. The whole MDOfficeMail website is geared for doctors or medical facilities and if your business does not fall in that category, certain messaging can be confusing for your clients.
  • Encyro provides you with a customized upload page where anyone can send you a message. For instance, you could include the upload page link in your email signature or message and any client may use it. The upload page is customized with your brand and does not require senders to remember or manually type your email address. The upload page can be used by any number of different clients and the received messages stay organized by client. Moreover, the branding on the upload page can be set automatically to match your business logo colors.
  • For the others (SendInc, Safe-Mail.net), your clients must sign up for their own account to send you a secure message or file.

In short, with NeoCertified, MDOfficeMail, and Encyro, you can print a web address on your business card or paperwork that clients can use to send you secure messages or to submit completed paperwork.

Price: The different providers differ in the capability offered at different pricing tiers.

  • SendInc offers a free tier that only stores messages for 7 days and limits inbox size to 0.1GB, with a per message size limit of 10MB. The cheapest account that allows storing messages beyond seven days is $48/year.
  • Safe-mail.net offers a free account but limits the inbox storage space to just 3MB (that includes all messages and attachments). More practical accounts, with 0.2GB of storage, start at $150/year.
  • Encyro offers a free account without restrictions on storage size or time limit for how long the messages are stored (subject to abusive usage policy). The free account allows your recipients to send you secure messages as well through their own free account. The paid tier, starting under $10/mo, is needed to receive secure messages from users without Encyro accounts and to add custom branding.
  • MDOfficeMail does not offer a free tier but pricing starts at about $2/month, with volume discounts if you buy for multiple users. The customized form for users without MDOfficeMail accounts to send you a secure message is an additional $7/month.
  • NeoCertified does not have a free tier and their pricing starts at $99/year.

Other Features: Besides ease of use for your clients and pricing, each product also differs in other features. Depending on your business needs, these may selectively be relevant for you.

Data Backup: The data backup methods employed by the email provider are important for your business because if the email provider loses data at their servers, you will lose access to your past messages, sent or received. Some of the messages may be related to ongoing client engagements, and losing them is likely to cause a business disruption.

  • NeoCertified does not mention backup explicitly but they do claim to meet certain compliance requirements for their data center, and local backups are required as part of those requirements. They do not provide information on the use of multi-location backups.
  • Encyro backs up data within each data center and maintains a backup of all your data including messages, attachments and contacts at a remote location, hundreds of miles away from the primary data center.
  • SendInc, Safe-mail.net, and MDOfficeMail do not provide information about their use of backups or whether multiple data centers are used. SendInc's privacy policy seems to point to a different company's privacy policy.

Login with Gmail: Encyro gives you the option to log in with your Google/Gmail account, or create a new password. All others require you to create a new password.

Document Organization: Most encrypted email services offer a traditional inbox view. If looking for an old attachment, you may have to dig through old message threads. Encyro offers a client-folder based view where you can opt to see only the files (without messages) to quickly find the right attachments.


Summary

Let us summarize the comparison for all products.

The first list covers the group of products where you control the decryption key and the email provider cannot easily read your stored emails without your password. Of course, if you lose your password and reset it, access to your past emails is lost.

1. Countermail

Pros

  • Email service provider cannot decrypt your messages. Gives you the option to NOT store your key on their server, so all decryption happens on your computer only (Countermail servers do not get your key even when you login).
  • Located in Sweden - not subject to US court orders
  • Additional login security through optional USB key
  • Minimized cookies and IP logging for enhanced privacy
  • Allows payment using Bitcoin or prepaid cards, to avoid revealing your credit card related personal information.
  • Custom domain supported (email to non-Countermail users is not encrypted, so with a custom domain based address it can be hard for others to tell whether a given email from you is secure or not)

Cons

2. Hushmail

Pros

Cons

3. Lockbin

Pros

  • Email service provider cannot normally decrypt your messages (Encryption uses your password, and that is not stored by Lockbin. Note: Using a password for encryption is not as secure as using a true cryptographic encryption key. Lockbin does store a private key that can be used to access your email, though your password is required to retrieve it.)
  • Located in the U.S., faster access for U.S. users.
  • Generous mailbox storage in paid accounts (no pre-set limit).

Cons

4. ProtonMail

Pros

Cons

5. SecureMyEmail

Pros

  • Email provider cannot read your email. Your key is stored only on your device and not sent to SecureMyEmail servers. You must backup your own
  • No free account but cheap paid account starting at 99c/yr (SecureMyEmail does not provide any storage space as your email continues to be hosted with your existing email provider.)
  • Works with custom domains, and your existing email address

Cons

  • You must install special software to use it. No webmail access.
  • If recipient does not have a SecureMyEmail account, you must ask the recipient to install specific software and create an account.
  • All past email access is lost if you lose your private key.

6. Tutanota

Pros

Cons


The second list covers products where encryption is automatically managed for you. You can reset your password and need not backup any encryption keys. However, the email provider has full access to your data.

1. Encyro

Pros

  • Easy to receive your secure messages and attachments for users without Encyro accounts (simple link click)
  • Users outside Encyro can send you secure messages without own account (if you have a paid account).
  • Past email is not lost if you forget password and reset it
  • Free account with generous storage size (no pre-set limits)
  • Can login using Google account (same password as Gmail) or create separate Encyro password.
  • You or your recipients need not install any software or keys
  • Multiple backups including a backup at a second distant data center.
  • Data centers in the U.S. - faster access for U.S. users

Cons

  • Email provider has access to your encryption keys (but not your password).
  • Located in the U.S. Subject to U.S. laws.
  • No custom domain support (encrypted mail stays clearly separated).

2. FastMail

Pros

  • Easy to use as any webmail
  • Past email is not lost if you forget password and reset it
  • Supports custom domain and enterprise level retention policies
  • Data centers in U.S. and Netherlands - faster access from both regions
  • Can access via the web without installing extra software

Cons

3. MDOfficeMail

Pros

  • Allows users without MDOfficeMail accounts to send you secure messages (if you have a paid account with required add-ons).
  • Past email is not lost if you forget password and reset it
  • You or your recipients need not install any software or keys
  • U.S. based - faster access for U.S. users

Cons

  • If recipient is not an MDOfficeMail user, they must sign up for a free account.
  • No free account. Paid account starts at $2/mo and with option to receive securely from non-MDOfficeMail users, $9/mo.
  • No information on data backup or remote site backup

4. NeoCertified

Pros

  • Past email is not lost if you forget password and reset it
  • Users without NeoCertified accounts can upload messages securely to you through a web based form (if you purchase their required add-on, which is relatively expensive at $495/yr).
  • You or your recipients need not install any software or keys
  • Data is backed up at least locally

Cons

  • If recipient is not a NeoCertified user, recipient is forced to sign up for an account. That free account is limited to communicating only with you or paid NeoCertified users.
  • No free tier. Prices start at $99/yr.

5. NeoMailbox

Pros

  • Past email sent to Neomailbox users is not lost if you forget your password and reset it. But past emails to non-Neomailbox users will be lost if you forget their respective pass-phrases.
  • Servers in U.S. and Switzerland - faster access from both regions. You have the option to choose Swiss servers even if you are located in the U.S. or vice versa.
  • Accepts Bitcoin for payment, for those who want to avoid giving Neomailbox their credit card information.
  • You or your recipients need not install any software or keys
  • Can access via the web without installing extra software

Cons

6. Safe-Mail.net

Pros

  • Easy to receive your secure message for users without Safe-mail.net accounts (link click plus manually type a pass-phrase shown by the system)
  • Past email is not lost if you forget password and reset it
  • Offers free account
  • You or your recipients need not install any software or keys

Cons

  • Clients must sign up for their own account to send you a secure message or file
  • Free account limited to very low 3MB storage. More practical account with 200MB of storage starts at $150/yr.
  • No information on data backup or remote site backup

7. SendInc

Pros

  • Past email is not lost if you forget password and reset it
  • You or your recipients need not install any software or keys
  • U.S. based - faster access for U.S. users

Cons

  • If recipient is not a SendInc user, recipient is forced to sign up for an account to receive your message
  • Clients must sign up for their own account to send you a secure message or file
  • No custom domain support (encrypted mail stays clearly separated).
  • Free account only saves messages for 7 days and limits mailbox storage to 100MB. Paid accounts start at $48/yr.
  • No information on data backup or remote site backup

Conclusion

Among the free options, considering ease of use, the top two contenders are Safe-Mail.net and Encyro. All others require purchasing a paid tier because either they do not offer a free tier or, for SendInc, the free tier does not save messages beyond 7 days making it impractical for most use cases.

If choosing a paid product, the exact decision will depend on which features are most relevant for your scenario. MDOfficeMail and Encyro seem to stand out because they allow your clients to send you secure messages without signing up for any new account. NeoCertified also offers the same feature but at a steep price.

Also, use this security checklist to make sure you are protected against common attacks that hackers and data thieves use.
