The Complete Guide to Email Encryption in 2025
Learn how email encryption actually works, compare the best encrypted email providers, and discover when you really need it. A practical guide for everyday privacy.
If you want the short version: for end-to-end encrypted email that almost anyone can use, pick a service that builds the cryptography in for you. Proton Mail and Tuta both do this, encrypt your mail so the provider cannot read it, and (as of May 2026) each offers a free tier with 1 GB of storage (Proton; Tuta). If you need encryption that works across normal email accounts and clients you already use, learn PGP (via the free GnuPG implementation) or S/MIME instead. PGP and S/MIME are open standards that any compliant client can speak; they are also the harder path, because you manage keys or certificates yourself.
This is a guide to how the encryption actually works, not a price sheet. We cover what PGP and S/MIME do, how a zero-access service differs, where each approach leaks information, and who each option is genuinely wrong for. Prices change often and render through JavaScript on the providers' own pages, so where money comes up we point you to the live pricing page rather than quote a number we cannot stand behind. If you only need to keep a junk signup off your real address, you do not need any of this; a disposable inbox is the right tool, and the temporary-email guide explains why.
Key takeaways
- For most people, a built-in service (Proton Mail or Tuta) is the practical way to get end-to-end encrypted email; PGP/GnuPG and S/MIME are for those who need standards-based, provider-independent encryption and will manage keys or certificates.
- OpenPGP is the most widely used standard (now RFC 9580) and is self-managed with no CA; S/MIME (RFC 8551) uses CA-issued X.509 certificates and is built into enterprise clients like Outlook.
- Proton Mail is Swiss, zero-access, app-source-open with a published Securitum audit, but its back end is closed and it can be compelled to log metadata (not content), as the 2021 French-activist case showed.
- Tuta is German/GDPR, encrypts subject lines too, and has shipped post-quantum crypto (TutaCrypt), but uses its own apps (no IMAP/POP3/SMTP, widely reported) and has no independent crypto audit we could confirm.
- All email encryption leaves gaps: metadata can leak or be compelled, both ends must be able to decrypt, and a lost key is unrecoverable, so pair it with strong 2FA and good hygiene.
- Encryption is the wrong tool for throwaway signups; a disposable inbox keeps your real address out of marketing databases without any keys.
What email encryption is protecting you from
An email is not a sealed envelope by default. It is closer to a postcard handed between sorting offices: your message is composed on your device, handed to your provider, relayed across one or more servers, and stored in the recipient's mailbox, often for years. Transport encryption (TLS) protects the hops between cooperating servers, but it does nothing once the message is at rest, and your provider holds the keys regardless.
End-to-end encryption changes the model. The message is encrypted on the sender's device and can only be decrypted on the recipient's, so no relay, no provider, and no archive in between holds a readable copy. This is exactly what the OpenPGP standard was built for: as the OpenPGP project puts it, its "main purpose is end-to-end encrypted email communication" (OpenPGP.org). That single property is the whole point, and it is also why encrypted email asks something of you: the recipient has to be able to decrypt it, which means keys, certificates, or a shared service.
There are two ways to get there. You can bolt a standard (PGP or S/MIME) onto ordinary email, or you can use a service that has built end-to-end encryption into the account itself. The rest of this guide walks through both.
PGP and GPG: the open standard you control
PGP is the standard most people mean by "encrypted email." Its modern, open form is OpenPGP, which the OpenPGP Working Group of the IETF defines as a Proposed Standard in RFC 9580 (OpenPGP.org). If you have read older guides citing RFC 4880, that is the previous version; RFC 9580 is the current refresh. OpenPGP "is the most widely used email encryption standard," its "main purpose is end-to-end encrypted email communication," and it "was originally derived from the PGP software, created by Phil Zimmermann" (OpenPGP.org). In practice you will use it through GnuPG (GPG), a free implementation of the standard, plus a client plugin or an app that speaks it.
The mechanics are a key pair. You hold a private key and publish a public key. Anyone can encrypt to your public key; only your private key decrypts. Sign with the private key and recipients can verify the message came from you and was not altered.
Where PGP is strong: it is an open standard with no central authority deciding who gets a key, it works across providers and clients, and the cryptography has held up under decades of scrutiny. Where it is weak: key management is entirely your responsibility. Lose the private key or forget the passphrase and the mail is gone for good. It also has structural limits Tuta cites as its reason for not using it at all, namely that PGP "does not encrypt the subject line" and lacks flexibility for algorithm updates and features like encrypted calendars (Tuta).
PGP is wrong for anyone who wants encryption to be invisible, for non-technical recipients who will never set up a key, and for people who cannot reliably back up a private key. It is right for developers, journalists, and privacy-minded users who want provider-independent encryption and accept the upkeep.
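The key-pair mechanics described above, worked through in code. This is an added example, not code from the page or from GnuPG: it models the hybrid scheme OpenPGP is built on (a fresh random session key encrypts the body, the recipient's public key wraps that session key, and the sender's private key signs) using only Go's standard library, with RSA-OAEP for the wrap and Ed25519 for the signature. It does not produce OpenPGP packets, and Envelope, Encrypt and Decrypt are the example's own names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels through the mail system: nothing in it reveals
// the plaintext or the session key to a relay or to the provider.
type Envelope struct {
	WrappedKey []byte // AES-256 session key, RSA-OAEP encrypted to the recipient
	Ciphertext []byte // AES-256-GCM over (signature || plaintext)
}

// seal encrypts with AES-GCM under key and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not fail on supported platforms
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a wrong key or on any modification.
func open(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	n := aead.NonceSize()
	if len(data) < n {
		return nil, errors.New("truncated ciphertext")
	}
	return aead.Open(nil, data[:n], data[n:], nil)
}

// Encrypt signs with the sender's Ed25519 private key, then encrypts the signed
// message under a fresh session key that only the recipient's RSA key can unwrap.
func Encrypt(plaintext []byte, recipientPub *rsa.PublicKey, senderPriv ed25519.PrivateKey) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	rand.Read(sessionKey)
	body, err := seal(sessionKey, append(ed25519.Sign(senderPriv, plaintext), plaintext...))
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: body}, nil
}

// Decrypt unwraps the session key, decrypts the body, and verifies the signature.
// Without the matching private key the first step fails: a lost key means
// permanently unreadable mail, exactly as the text warns.
func Decrypt(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not encrypted to this private key")
	}
	signed, err := open(sessionKey, env.Ciphertext)
	if err != nil {
		return nil, errors.New("body does not decrypt: ciphertext was modified")
	}
	if len(signed) < ed25519.SignatureSize {
		return nil, errors.New("malformed body")
	}
	sig, msg := signed[:ed25519.SignatureSize], signed[ed25519.SignatureSize:]
	if !ed25519.Verify(senderPub, msg, sig) {
		return nil, errors.New("signature does not verify: not from the claimed sender")
	}
	return msg, nil
}

func main() {
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048) // recipient's long-term key pair
	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
	env, _ := Encrypt([]byte("draft attached, please review"), &recipient.PublicKey, senderPriv)
	msg, err := Decrypt(env, recipient, senderPub)
	fmt.Printf("recipient reads %q (err=%v)\n", msg, err)
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = Decrypt(env, stranger, senderPub)
	fmt.Println("with someone else's private key:", err)
}
```

The three failure paths in Decrypt are the three guarantees the text describes: only the holder of the private key can read the mail, any change in transit is detected, and a forged sender fails verification.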
S/MIME: the certificate-based standard built into business email
S/MIME solves the same problem as PGP but trusts a different authority. It is "a standard for public-key encryption and signing of MIME data," on an IETF standards track and "defined in a number of documents, most importantly RFC 8551" (Wikipedia). It provides "Authentication, Message integrity, Non-repudiation of origin (using digital signatures), Privacy, [and] Data security (using encryption)" (Wikipedia), and it is wired into clients people already run at work, including Outlook and Apple Mail.
The difference from PGP is trust. Instead of publishing your own public key, you obtain an X.509 certificate signed by a Certificate Authority. That makes identity verification cleaner inside an organization that runs its own CA, which is why S/MIME dominates enterprise mail.
The same certificate requirement is its main drawback. Before you can use S/MIME "one must obtain and install an individual key/certificate either from one's in-house certificate authority (CA) or from a public CA," and because of that "not all users can take advantage of S/MIME, as some may wish to encrypt a message without the involvement or administrative overhead of certificates" (Wikipedia). It is wrong for casual individuals and small teams without a managed certificate setup. It is right for companies that already issue certificates and want encryption their employees do not have to think about.
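The certificate-based trust model, as an added example in Go (not code from the page, from any S/MIME client, or from a CA). It creates a constructed organisational CA, has it issue a user certificate bound to an email address with the email-protection key purpose, and performs the check a receiving client makes before trusting a signature: the certificate must chain to a trusted CA and must name the sender's address. A certificate for the same address issued by an unknown CA is rejected. NewCA, IssueUserCert and VerifySender are the example's own names; "Example Corp Mail CA" and the addresses are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert signs template under parent with parentKey and returns the parsed cert.
func newCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed organisational CA: the root of trust an
// in-house S/MIME deployment distributes to its clients.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := newCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueUserCert has the CA issue an end-entity certificate bound to an email
// address and restricted to the email-protection (S/MIME) purpose.
func IssueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, email string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(time.Now().UnixNano()),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	cert, err := newCert(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// VerifySender is the receiving client's check: the certificate must chain to
// a trusted CA, be valid for email protection, and name the From address.
func VerifySender(cert *x509.Certificate, trusted *x509.CertPool, fromAddr string) error {
	opts := x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	for _, e := range cert.EmailAddresses {
		if e == fromAddr {
			return nil
		}
	}
	return fmt.Errorf("certificate is not issued for %s", fromAddr)
}

func main() {
	ca, caKey, _ := NewCA("Example Corp Mail CA") // constructed in-house CA
	alice, _, _ := IssueUserCert(ca, caKey, "alice@example.com")
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println("issued by corp CA:", VerifySender(alice, trusted, "alice@example.com"))
	otherCA, otherKey, _ := NewCA("Unknown CA")
	other, _, _ := IssueUserCert(otherCA, otherKey, "alice@example.com")
	fmt.Println("same address, unknown CA:", VerifySender(other, trusted, "alice@example.com"))
}
```

The trust pool is the whole difference from PGP: a client trusts whatever the CA has signed, so the organisation that runs the CA decides who can hold a valid certificate, and no amount of a stranger's own signing makes their certificate acceptable.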
Encrypted email services: Proton Mail and Tuta
If managing keys or certificates is not for you, a dedicated encrypted provider does the cryptography on your behalf. Two stand out, and they take noticeably different routes.
Proton Mail
Proton Mail uses end-to-end and zero-access encryption, so "emails are encrypted at all times, so we can never access your messages," and "all our apps are open source so that anyone can use and improve them" (Proton). It is based in Geneva, Switzerland, launched in 2014, and falls under Swiss privacy law (Wikipedia). Proton states that "all Proton Mail code has been independently audited by third-party security experts" with results published publicly (Proton); around July 2021 its security and cryptographic architecture "were both independently audited by Securitum, a European security auditing company, who uncovered no major issues" (Wikipedia). The free plan includes 1 GB of storage and one email address (as of May 2026) (Proton).
Two honest caveats. First, only Proton's client apps are open source; "the source code for the back end of Proton Mail remains closed-source" (Wikipedia). Second, encryption does not make a provider untouchable. Proton does not log IP addresses by default, but "if you are breaking Swiss law, a law-abiding company such as Proton Mail can be legally compelled to log your IP address" (Proton); this happened in 2021, when Proton "logged IP address of French activist after order by Swiss authorities" routed via Europol (TechCrunch). Crucially, that order reached metadata, not content: "under no circumstances can our encryption be bypassed" (Proton).
Proton is wrong for anyone whose threat model includes hiding the fact that they hold an account, or who needs a fully open-source back end. It is right for most people who want strong, audited, usable encryption with a familiar interface.
Tuta
Tuta (formerly Tutanota) was founded in 2011 in Hanover, Germany, and rebranded to "Tuta" on 7 November 2023 (Wikipedia). Its software has been open source since 2014, and "emails between Tuta users are automatically encrypted end-to-end" (Wikipedia). It runs under German jurisdiction and EU GDPR law, describing itself as "Made in Germany" with "strict GDPR regulations" (Tuta). Its free plan includes 1 GB of storage (as of May 2026) (Tuta).
Tuta's distinguishing choice is its scope of encryption. It encrypts "the 'subject' as well as the names of the 'sender' and the recipient," plus bodies, attachments, calendars, and contacts; "the only data that is not encrypted in a Tuta email are the email addresses and the date of an email sent or received" (Tuta). That is a real advantage over standard PGP and S/MIME, which leave the subject line exposed. To get there, Tuta deliberately avoids both standards, citing PGP's inability to encrypt subjects and lack of algorithm flexibility, and the 2018 S/MIME (EFAIL) vulnerabilities (Wikipedia). Since March 2024 it has rolled out post-quantum cryptography through its TutaCrypt protocol, replacing RSA-2048/AES-256 for accounts created after that date (Wikipedia).
The trade-offs are concrete. Because Tuta uses its own encrypted format rather than PGP or S/MIME, it is widely reported not to support IMAP, POP3, or SMTP, so you generally must use Tuta's own apps. And unlike Proton's published Securitum audit, we could not confirm a named, primary third-party cryptographic audit of Tuta with public results; the codebase is fully open source, which is a meaningful but different assurance. Tuta is wrong for anyone who must keep their existing mail client or interoperate over PGP/S/MIME, or who specifically wants a published independent crypto audit on record. It is right for people who want subject-line encryption, post-quantum protection, and an EU/GDPR home.
Side-by-side comparison
Durable facts only. Prices move and render through client-side scripts on the providers' pages, so this table sticks to features, jurisdiction, audits, and open-source status, and uses "Not stated" where a clean source is unavailable. As of May 2026, both Proton Free and Tuta Free include 1 GB of storage (Proton; Tuta); for current paid pricing, check Proton and Tuta directly.
| Attribute | PGP / GPG | S/MIME | Proton Mail | Tuta |
|---|---|---|---|---|
| Type | Open standard (RFC 9580) | Open standard (RFC 8551) | Hosted E2EE service | Hosted E2EE service |
| End-to-end encryption | Yes | Yes | Yes (zero-access) | Yes (between Tuta users) |
| Trust model | Self-managed keys, no CA | X.509 certificate from a CA | Provider-managed | Provider-managed |
| Subject line encrypted | No | No | Not stated here (see Proton docs) | Yes |
| Jurisdiction | N/A (standard) | N/A (standard) | Switzerland | Germany (EU / GDPR) |
| Open source | Yes (GnuPG) | Implementation-dependent | Apps yes; back end no | Yes (since 2014) |
| Independent crypto audit | Decades of public scrutiny | Standard is public | Yes (Securitum, ~2021) | Not confirmed (fully open source) |
| Post-quantum crypto | Not stated | Not stated | Not stated | Yes (TutaCrypt, since Mar 2024) |
| Works in your existing client | Yes (with plugin) | Yes (built into many) | Via Bridge / web / app | Tuta apps only (no IMAP/POP3/SMTP, widely reported) |
| Free tier | Free software | Cert may cost | 1 GB free (May 2026) | 1 GB free (May 2026) |
Read the table as a filter, not a scoreboard. The standards (PGP, S/MIME) win on interoperability and control; the services (Proton, Tuta) win on usability and on encrypting more of the message. The audit and open-source rows are the durable signals worth weighting; the price you will pay is the volatile one, so confirm it on the provider's own page the day you sign up.
What encryption does not cover, and how to fill the gaps
Even strong encryption has edges, and being honest about them is the point of this guide.
Metadata usually survives. Standard PGP and S/MIME encrypt the body but leave the subject line and routing information readable, which is exactly the gap Tuta closes by encrypting subjects (Tuta). And metadata can be compelled even from a privacy-first provider: the 2021 Proton case logged an IP address under a binding Swiss order, without ever touching message content (Proton).
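To see the metadata gap concretely, here is an added example, not code from the page. It constructs a PGP/MIME (RFC 3156) message with a placeholder armored body and parses it the way any relay on the path, or the provider's archive, would, using Go's net/mail and mime/multipart: From, To, Subject, Date and Message-ID come out in the clear while the body is an opaque multipart/encrypted container. SampleMessage, RelayView, Inspect and BodyIsOpaque are the example's own names; the addresses and subject are constructed.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"strings"
)

// SampleMessage is a constructed PGP/MIME message, the shape a mail client
// produces for a PGP-encrypted email. The armored block is a placeholder,
// not real ciphertext.
var SampleMessage = strings.Join([]string{
	"From: Alice <alice@example.com>",
	"To: Bob <bob@example.net>",
	"Subject: Q3 board minutes (confidential)",
	"Date: Tue, 06 May 2025 09:14:00 +0000",
	"Message-ID: <constructed-0001@example.com>",
	"MIME-Version: 1.0",
	`Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"`,
	"",
	"--b1",
	"Content-Type: application/pgp-encrypted",
	"",
	"Version: 1",
	"--b1",
	`Content-Type: application/octet-stream; name="encrypted.asc"`,
	"",
	"-----BEGIN PGP MESSAGE-----",
	"",
	"(constructed placeholder: not real ciphertext)",
	"-----END PGP MESSAGE-----",
	"--b1--",
	"",
}, "\r\n")

// RelayView is what a server on the path, or the provider's archive, can read.
type RelayView struct {
	ClearHeaders map[string]string // routing and subject metadata, readable in transit and at rest
	BodyType     string            // top-level media type of the body
	PartTypes    []string          // media types of the MIME parts; none is readable text
}

// Inspect parses raw as a relay would: headers are plain text, and the body
// is a container whose parts are opaque.
func Inspect(raw string) (*RelayView, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	view := &RelayView{ClearHeaders: map[string]string{}}
	for _, h := range []string{"From", "To", "Subject", "Date", "Message-ID"} {
		if v := msg.Header.Get(h); v != "" {
			view.ClearHeaders[h] = v
		}
	}
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil {
		return nil, err
	}
	view.BodyType = mediaType
	if !strings.HasPrefix(mediaType, "multipart/") {
		return view, nil
	}
	mr := multipart.NewReader(msg.Body, params["boundary"])
	for {
		part, err := mr.NextPart()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		ct, _, _ := mime.ParseMediaType(part.Header.Get("Content-Type"))
		view.PartTypes = append(view.PartTypes, ct)
	}
	return view, nil
}

// BodyIsOpaque reports whether the body is a PGP/MIME (RFC 3156) or S/MIME
// (RFC 8551) encrypted container rather than readable text.
func BodyIsOpaque(v *RelayView) bool {
	return v.BodyType == "multipart/encrypted" || v.BodyType == "application/pkcs7-mime"
}

func main() {
	v, err := Inspect(SampleMessage)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println("readable by every relay and by the provider:")
	for k, val := range v.ClearHeaders {
		fmt.Printf("  %-12s %s\n", k+":", val)
	}
	fmt.Printf("body: %s, parts %v, opaque=%v\n", v.BodyType, v.PartTypes, BodyIsOpaque(v))
}
```

Everything in ClearHeaders is what a provider can be compelled to hand over, and what it stores for as long as the message sits in a mailbox; the body stays sealed. A service that encrypts the subject removes that one field from the list, but From, To and Date still have to be readable for the mail to be routed at all.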
Both ends must cooperate. Encryption only works if the recipient can decrypt, whether through a shared key, a certificate, or the same service. Once a message is decrypted on the other device, the recipient can copy, screenshot, or forward it; encryption is not a leash on what the recipient does next.
Keys are yours to keep. With PGP and S/MIME, a lost private key or certificate means permanently unreadable mail. Pair any of these tools with the basics: a strong unique password, app-based or hardware two-factor authentication, and a documented plan for backing up your keys. If you are still choosing a provider, our roundup of the best encrypted email services for 2025 compares the hosted options in more depth.
Finally, match the tool to the task. Encrypting a newsletter signup is wasted effort; the smarter move is to not expose your real address at all. Use a disposable address when signing up for a trial or a one-off download, then let it expire. TempMailSpot is a free, no-registration disposable inbox with send-by-CAPTCHA, PDF/JSON/EML export, a public REST API, and an embeddable widget; the complete temporary-email guide covers when that beats encryption outright.
The honest answer is that there is no single best email encryption, only the right fit for a threat model. PGP via GnuPG and S/MIME give you provider-independent, standards-based end-to-end encryption at the cost of managing keys or certificates yourself; PGP is the open, self-managed path and S/MIME the certificate-backed one that suits managed organizations. If you would rather the cryptography be built in, Proton Mail offers audited, mostly open-source, zero-access encryption under Swiss law, while Tuta encrypts more of the message (subject lines included), runs under German GDPR, and has shipped post-quantum cryptography, at the price of its own walled-garden apps and no published independent crypto audit we could confirm.
Whatever you choose, remember its limits: metadata can leak or be compelled, both parties must be able to decrypt, and a lost key is unrecoverable. Layer encryption with strong authentication and good hygiene, and reserve it for mail that genuinely needs it. For the everyday churn of signups and trials, a disposable inbox keeps your real address out of the equation without any keys at all. To go deeper on hosted options, compare the best encrypted email services for 2025.
Sources
- OpenPGP.org, OpenPGP (2026)
- Wikipedia, S/MIME (2026)
- Proton, How Safe is Proton Mail? Security Features Explained (2026)
- Wikipedia, Proton Mail (2026)
- Proton, Proton Mail: Get a free email account with privacy and encryption (2026)
- Wikipedia, Tuta (email) (2026)
- Tuta, Tuta encryption explained (2026)
- Tuta, Tuta: Turn ON privacy for free with secure emails, calendars & contacts (2026)
- Tuta, Tuta pricing (2026)
- Proton, Important clarifications regarding arrest of climate activist (2021)
- TechCrunch, ProtonMail logged IP address of French activist after order by Swiss authorities (2021)