Tuta

tuta.com
Tuta

Free and open source email service based in Germany. It has a basic intuitive UI, secure native mobile apps and desktop email clients, anonymous signup, and an encrypted calendar. Tuta has a full-featured free plan and premium subscription plans allowing for custom domains (starting at $3/month). Tuta does not use OpenPGP like other encrypted mail providers, instead they use a standardized, hybrid method consisting of symmetrical and asymmetrical algorithms (with AES256, and RSA 2048 or ECC (x25519) and Kyber-1024). This causes compatibility issues when communicating with contacts using PGP. But it does allow them to encrypt much more of the header data (body, attachments, subject lines, and sender names etc) which PGP mail providers cannot do. The recent upgrades to Tuta's encryption algorithm makes data stored and sent with their service safe against attacks posed by quantum computers.

Open Source

Tuta Privacy Policy

Privacy Policy Summary

  • This service does not track you
  • Service does not allow alternative accounts
  • This service does not sell your personal data
  • The service does not share user information with third parties
  • There is a date of the last update of the agreements
  • Provides information on security practices
  • You can request access and deletion of personal data
  • User-generated content is encrypted, and this service cannot decrypt it
  • Accessibility to this service is guaranteed at 99% or more
  • Archives of their agreements are provided so that changes can be viewed over time
  • You will be notified about website maintenance
  • You are prohibited from sending chain letters, junk mail, spam or any unsolicited messages
  • The service claims to be GDPR compliant for European users
  • The service is open-source
  • You authorise the service to charge a credit card supplied on re-occurring basis
  • The data retention period is kept to the minimum necessary for fulfilling its purposes
  • Features of the website are made available under a free software license
  • You can retrieve an archive of your data
  • The court of law governing the terms is in Hanover, Germany
  • The court of law governing the terms is in a jurisdiction that is friendlier to user privacy protection.
  • IP addresses of website visitors are not tracked
  • The terms for this service are translated into different languages
  • You can access most of the pages on the service's website without revealing any personal information

Score

A

Documents

Domains Covered by Policy

  • tutanota.com
  • tuta.com

About the Data

This data is kindly provided by tosdr.org. Read full report at: #157

Tuta Source Code

Author

tutao

Description

Tuta is an email service with a strong focus on security and privacy that lets you encrypt emails, contacts and calendar entries on all your devices.

#email#encryption#javascript#mithril#privacy#security#tutanota

Homepage

https://tuta.com

License

GPL-3.0

Created

28 Jul 14

Last Updated

12 Jul 26

Latest version

tutanota-release-nextcloud-v1.1

Primary Language

TypeScript

Size

277,790 KB

Stars

7,761

Forks

623

Watchers

7,761

Language Usage

Language Usage

Star History

Star History

Recent Commits

  • jenkins build server (10 Jul 26)

    v355.260710.0

  • jenkins build server (10 Jul 26)

    update translations

  • das (09 Jul 26)

    disable quickresync for imap migration When using quick resync and logging out, we entered a state where the migration was unable to continue. This happened because we updated the modSeq to the mailbox modSeq, which meant that we tried to resync from the latest possible state, we still have not found a way to properly resolve it, see https://datatracker.ietf.org/doc/html/rfc7162#section-6. We ideally want to re-enable quick resync, but for that we need to solve the usage of modSequences and the issue described in the RFC.

  • das (09 Jul 26)

    fix limit maximum retries exceed being an auth error

  • abp (09 Jul 26)

    [desktop] fix default download path for saving attachments not working Since we were not converting the file URLs we saved to the config database to paths before joining, the destination path we created was not a proper path. We now convert the file URL to path before joining. This fixes a regression introduced in revision ac6ba0a87f5c718649354a8f5a589dcfa570515e

  • abp (09 Jul 26)

    email migration provider page UI changes

  • abp (09 Jul 26)

    remove assertNotNull in ImapImportSettingsViewer

  • das (08 Jul 26)

    fix re-authenticating not continuing import immediately & other error When the auth window was shown, setting the password ended up in the postponed state because the inner state in imapImporter was not updated, the call to continue was also using the imapImporter instead of the controller's own continue, causing programming errors to bubble up.

  • abp (09 Jul 26)

    adapt client to email migration server changes

  • abp (10 Jul 26)

    add TutanotaModelV112, IMAP related and CalendarEvent timezone changes

  • ivk (07 Jul 26)

    [ci] Switch to node 24

  • Kinan (07 Jul 26)

    [build] reapply updates to nodejs and json5 Co-authored-by: map <[email protected]>

  • jenkins build server (07 Jul 26)

    v354.260707.0

  • jenkins build server (07 Jul 26)

    update translations

  • abp (07 Jul 26)

    do not run performance analysis tests in SpamClassifierTest Co-authored-by: jomapp <[email protected]>

  • abp (07 Jul 26)

    fix wrong language in ImapImportProviderSelectionPage Co-authored-by: jomapp <[email protected]>

  • jhm (06 Jul 26)

    minor improvements to email migration progress flows

  • bed (07 Jul 26)

    Revert "[build] update nodejs to 24.17.0" This reverts commit 5f2f805990435b9b2fb9143ae238a47238b85791.

  • bed (07 Jul 26)

    Revert "[build] update json5 to 2.2.3" This reverts commit f6c58bd47765f5641ee2c755d06c7243d5e72230.

  • Kinan (07 Jul 26)

    [build] update json5 to 2.2.3

  • Kinan (07 Jul 26)

    [build] update nodejs to 24.17.0 Co-authored-by: map <[email protected]>

  • jenkins build server (06 Jul 26)

    v354.260706.1

  • jenkins build server (06 Jul 26)

    update translations

  • jhm (06 Jul 26)

    move OAuthErrorHandler to ImapMailImportController We were calling main code from the worker, as OAuthErrorHandler was initiated in the ImapImporter.ts Co-authored-by: das <[email protected]> Co-authored-by: abp <[email protected]>

  • ivk (06 Jul 26)

    Add contribution policy note Co-authored-by: wrd <[email protected]>

  • ivk (03 Jul 26)

    Add testid to mail folder column

  • jhm (06 Jul 26)

    fix error when window is undefined in KeyManager.ts

  • abp (06 Jul 26)

    change postpone time depending on the error type when importing mails We now postpone for 25 hours only if there is an insufficient storage error when importing mails. For other errors, we postpone for a minute as it makes sense to try again soon in case of BadRequest errors and other similar errors.

  • jenkins build server (06 Jul 26)

    v354.260706.0

  • jenkins build server (06 Jul 26)

    update translations

Tuta Security

5.5/10

Repo Security Summary

Updated 29 Jun 26

  • Code-Review 0/10
  • Maintained 10/10
  • Packaging N/A
  • Security-Policy 10/10
  • Dangerous-Workflow 10/10
  • CII-Best-Practices 0/10
  • Token-Permissions 7/10
  • Binary-Artifacts 8/10
  • License 10/10
  • Branch-Protection N/A
  • Signed-Releases 0/10
  • Pinned-Dependencies 7/10
  • SAST 0/10
  • Fuzzing 0/10

Security Advisories (5)

  • high Patched

    GHSA-24v3-254g-jv85 DOM attribute and CSS injection in contact viewer

  • medium Patched

    GHSA-jj2j-5x96-gf8h Relative resource URLs in email body could cause a crash in iOS app

  • low Patched

    CVE-2024-23330 Images are loaded from external resources

  • high Patched CVSS 7.5

    CVE-2024-23655 Attacker can prevent users from accessing received emails

  • critical Patched CVSS 9.3

    CVE-2023-46116 Remote Code Execution via insufficiently sanitized call to shell.openExternal

Tuta Website

Website

Tuta: Turn ON privacy for free with secure emails, calendars & contacts | Tuta

Tuta guarantees your data stays private for free & without ads. Quantum-resistant encryption makes Tuta the best secure technology solution to protect your privacy.

Redirects

Does not redirect

Security Checks

All 65 security checks passed

Server Details

  • IP Address 185.205.69.12
  • Location Hanover, Niedersachsen, Germany, EU
  • ISP Tutao GmbH
  • ASN AS210909

Associated Countries

  • US US
  • DE DE

Safety Score

Website marked as safe

100%

Blacklist Check

tuta.com was found on 0 blacklists

  • AntiSocial Blacklist
  • Artists Against 419
  • Badbitcoin
  • Bambenek Consulting
  • CERT Polska
  • CoinBlockerLists
  • CRDF
  • CryptoScamDB
  • EtherAddressLookup
  • EtherScamDB
  • Fake Website Buster
  • MetaMask EthPhishing
  • NABP Not Recommended Sites
  • OpenPhish
  • PetScams
  • PhishFeed
  • PhishFort
  • Phishing.Database
  • PhishStats
  • PhishTank
  • Phishunt
  • RPiList Not Serious
  • Scam.Directory
  • SecureReload Phishing List
  • Spam404
  • StopGunScams
  • Suspicious Hosting IP
  • ThreatFox
  • ThreatLog
  • TweetFeed
  • URLhaus
  • ViriBack C2 Tracker

Website Preview

Website preview

Tuta Android App

APK Info

De-Googled Compatibility

Native 3.96 / 4 48 ratings
microG 4.00 / 4 24 ratings
  • GrapheneOS Native 3.9 / 4 (37)
  • CalyxOS microG 4.0 / 4 (14)
  • LineageOS microG 4.0 / 4 (7)
  • LineageOS Native 4.0 / 4 (3)
  • crDroid Native 4.0 / 4 (3)

Tested on Android 11–16 · Updated 13 Jun 26 · View on Plexus →

Trackers

No trackers found

Permissions

  • Access Network State
  • Internet
  • Read Contacts
  • Read External Storage
  • Vibrate
  • Wake Lock
  • Receive
  • C2d Message

Tuta iOS App

App Info

Tuta: Encrypted Private Email

PROTECT YOUR PRIVACY WITH TUTA MAIL – FREE, SECURE & ENCRYPTED EMAIL Take control of your email with Tuta Mail, the world’s most secure email service, trusted by over 10 million users. With end-to-end encryption, your emails and contacts stay private. Fast, open source, and free: Tuta Mail is built with the highest security standards. WHY CHOOSE TUTA MAIL? Stay Secure • Quantum-Safe Encryption: Your entire mailbox and contacts are fully end-to-end encrypted – only you can access them. • Zero Tracking: We never track or profile you. Your data is yours. • Anonymous Registration: Sign up without providing a phone number or personal details – for free or pay anonymously with cash or cryptocurrency. • Open Source: Our code is publicly available for independent security review. Boost Your Productivity • Free Secure Email: Get a free email address with @tutamail.com, @tutanota.com, @tutanota.de, @tuta.io, or @keemail.me and 1 GB of free storage. • Exclusive Domain: Upgrade to a paid plan to create a short @tuta.com email address. • Auto-Sync: Your emails and contacts sync seamlessly across the app, web, and desktop clients. • Offline Access: Read and manage your encrypted emails even without an internet connection. • Contacts App: Sync your Tuta contacts to your phone. Simple & Intuitive • User-Friendly Interface: Clean, modern design with light and dark mode. • Quick Swipe Gestures: Easily organize emails with swipe-to-archive or swipe-to-trash. • Full-Text Search: Securely search your encrypted emails. • Smart Notifications: Delete or move emails directly from notifications to save time. BONUS: FREE ENCRYPTED CALENDAR APP Your Tuta Mail account includes a free encrypted calendar, giving you the same privacy for scheduling and event management. Stay organized while keeping your data safe. WHO IS BEHIND TUTA MAIL? Freedom fighters committed to protecting freedom of speech and your right to privacy! • Developed & Hosted in Germany: Adheres to strict GDPR data protection laws. • Private by Design: We can’t access your data – secure password reset ensures your privacy. • Secure Transmission: Industry-leading security with TLS, PFS, DMARC, DKIM, DNSSEC, and DANE for safe email delivery. TRUSTED BY SECURITY EXPERTS "Tuta provides an exceptional level of security and privacy... If security is your priority, there’s not much better than Tuta." — TechRadar "Since Tuta is open source and has amazing products in development, I moved my email there." — Journalist Dan Arel "Tuta’s email security is unmatched. Its mobile apps are fast and user-friendly, with fair pricing and a free option." — CyberSynchs JOIN MILLIONS WHO TRUST TUTA MAIL Keep Your Email Private: Download Tuta Mail today and join millions who trust us for secure, encrypted communication. Website: https://tuta.com Open Source Code: https://github.com/tutao/tutanota Terms of Use: https://www.apple.com/legal/internet-services/itunes/dev/stdeula

Rating

Rated 4.71 out of 5 stars by 3,254 users

Version Info

  • Current Version 349.260602.1
  • Last Updated 05 Jun 26
  • First Released 30 Nov 14
  • Minimum iOS Version 16.0
  • Device Models Supported 127

App Details

  • IPA Size 78.64 Mb
  • Price Free (USD)
  • Age Advisory 4+
  • Supported Languages 59
  • Developer Tutao GmbH
  • Bundle ID de.tutao.tutanota

Screenshots

Tuta Reviews

More Encrypted Email

  • A Berlin-based, eco-friendly secure mail provider. There is no free plan, the standard service costs €12/year. You can use your own domain, with the option of a catch-all alias. They provide good account security and email encryption, with OpenPGP, as well as encrypted storage. There is no dedicated app, but it works well with any standard mail client with SSL. There's also currently no anonymous payment option.

  • Mailfence supports OpenPGP so that you can manually exchange encryption keys independently from the Mailfence servers, putting you in full control. Mailfence has a simple UI, similar to that of Outlook, and it comes with bundled with calendar, address book, and files. All mail settings are highly customizable, yet still clear and easy to use. Sign up is not anonymous, since your name, and prior email address is required. There is a fully-featured free plan, or you can pay for premium, and use a custom domain ($2.50/ month, or $7.50/ month for 5 domains), where Bitcoin, LiteCoin or credit card is accepted.

    Not Open Source
  • An end-to-end encrypted anonymous email service. ProtonMail has a modern easy-to-use and customizable UI, as well as fast, secure native mobile apps. ProtonMail has all the features that you'd expect from a modern email service and is based on simplicity without sacrificing security. It has a free plan or a premium option for using custom domains (starting at $5/month). ProtonMail requires no personally identifiable information for signup, they have a .onion server, for access via Tor, and they accept anonymous payment: BTC and cash (as well as the normal credit card and PayPal).

About the Data: Tuta

Change History

  • Amended (description) by @Lissy93 #387
  • Amended (description, openSource) by @brnsuh #262
  • Amended (androidApp, iosApp, subreddit)
  • Renamed previously: Tutanota from Communication › Encrypted Email by @thezacharytaylor #213

API

You can access Tuta's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/v1/services/tuta

The REST API is free, no-auth and CORS-enabled. To learn more, view the API Docs or read the API Usage Guide.

Share Tuta

Help your friends compare Encrypted Email, and pick privacy-respecting software and services.
Share Tuta and Awesome Privacy with your network!

View Encrypted Email (4)