Choosing a privacy-focused email provider is not just about encryption — it is about jurisdiction, business model, metadata handling, and what threats you are actually defending against. This comparison covers the leading private email providers available in 2026, including their technical approaches, limitations, and which threat models they are suited for.
The Providers
Proton Mail
Headquarters: Geneva, Switzerland
Founded: 2013 (CERN researchers)
Pricing: Free tier available; Proton Mail Plus from $3.99/month; Proton Unlimited from $9.99/month
Proton Mail is the most widely adopted private email service. It uses zero-knowledge end-to-end encryption for messages stored on its servers — Proton cannot read your inbox. Messages between Proton users are automatically encrypted. Messages to external recipients without end-to-end encryption are stored encrypted with your public key after delivery.
Encryption approach: OpenPGP for email-to-email encryption. Messages at rest are encrypted to your public key and can be decrypted only with your private key, which Proton never holds.
Metadata: Proton encrypts the message body and attachments, but email metadata (sender, recipient, timestamps, subject lines) is not encrypted and is visible to Proton’s servers. This is an inherent limitation of the SMTP protocol.
Custom domains: Available on paid plans. You can use your own domain with full encryption support.
Storage: 1 GB free, up to 500 GB on Unlimited plan.
Limitations: The Proton Mail web client requires JavaScript. If your account is targeted by a Swiss court order, Proton must provide metadata (not message content). In 2021, Proton complied with a Swiss legal order to log the IP address of an activist account, a reminder that no provider is immune to legal process.
Best for: General privacy, switching away from Gmail, users who want mainstream usability with strong encryption.
Tuta (formerly Tutanota)
Headquarters: Hannover, Germany
Founded: 2011
Pricing: Free tier available; Revolutionary from €3/month; Legend from €8/month
Tuta uses its own proprietary end-to-end encryption rather than OpenPGP. It encrypts not only message bodies but also subject lines — a meaningful improvement over Proton Mail’s default behavior. The encryption extends to contacts and calendar entries.
Encryption approach: AES-128 for symmetric encryption, RSA-2048 or EC for key exchange. Tuta does not use PGP, which means interoperability with external PGP users requires a shared password arrangement rather than key exchange.
Metadata: Subject lines are encrypted. Sender/recipient metadata is still present in routing headers as required by SMTP.
Custom domains: Supported on paid plans.
Storage: 1 GB free, expandable on paid plans.
Limitations: No IMAP/SMTP access — you must use the Tuta app or web client. This limits compatibility with third-party email clients like Thunderbird. Germany is a 14 Eyes member, though Tuta’s encryption means the government would receive ciphertext, not readable content.
Best for: Users who want subject line encryption, an open-source client, and are comfortable with a proprietary encryption ecosystem.
Skiff (Acquired — Service Discontinued)
Skiff Mail was acquired by Notion in early 2024 and shut down in 2025. Users were given migration windows. It is no longer a viable option. Former Skiff users should migrate to Proton Mail or Tuta. This is included here because outdated recommendations for Skiff still circulate.
Disroot
Headquarters: Amsterdam, Netherlands
Type: Non-profit collective
Pricing: Free (donations welcome)
Disroot is a community-run platform offering email alongside XMPP, Nextcloud, and other self-hostable services. It does not provide end-to-end encryption by default — email is stored encrypted at rest using disk encryption, but Disroot administrators could theoretically access message content.
Encryption approach: Server-side encryption only. The platform supports PGP via Webmail (Roundcube with Mailvelope integration), but E2EE is user-managed, not automatic.
Metadata: Standard email metadata is retained as required for service operation. Disroot’s privacy policy is transparent about what is logged.
Custom domains: Not supported.
Storage: 1 GB (expandable on request).
Limitations: No built-in E2EE like Proton or Tuta. Not suitable for sensitive communications without user-managed PGP keys. Limited support infrastructure as a volunteer project.
Best for: Privacy-sympathetic users who want to move away from surveillance capitalism providers, already manage their own PGP keys, and value a community-run, non-commercial provider.
Riseup
Headquarters: Seattle, USA (Riseup Collective)
Type: Non-profit activist collective
Pricing: Free (donations by request)
Riseup has operated since 1999 serving activists, journalists, and social movements. Access requires either a referral from two existing Riseup members or submitting a request explaining your use case.
Encryption approach: Riseup supports user-managed PGP encryption. The platform does not provide automatic E2EE. Servers use disk encryption.
Metadata: Riseup minimizes logging — they do not log IP addresses by policy, and retain minimal metadata. They have published “canaries” (warrant canary statements) historically, though these should be verified at riseup.net/canary.
Jurisdiction: USA. Subject to US legal process, including NSLs (National Security Letters). However, because Riseup does not log IPs and stores minimal metadata, there is often little to hand over.
Best for: Activists, journalists, and organizers in the Riseup collective’s target audience. Not suitable for casual users due to access restrictions.
Provider Comparison Table
| Provider | E2EE | Subject Encrypted | Jurisdiction | Custom Domain | Free Tier | IMAP |
|---|---|---|---|---|---|---|
| Proton Mail | Yes (OpenPGP) | No (optional) | Switzerland | Yes (paid) | Yes | Yes (paid) |
| Tuta | Yes (proprietary) | Yes | Germany | Yes (paid) | Yes | No |
| Disroot | No (user PGP) | No | Netherlands | No | Yes | Yes |
| Riseup | No (user PGP) | No | USA | No | Invite-only | Yes |
Choosing by Threat Model
Casual privacy (escaping Google/Microsoft): Proton Mail free tier. No setup required, familiar interface, meaningful encryption improvement over Gmail.
Journalists and activists: Proton Mail or Tuta on paid plans with custom domain. For high-risk contexts, use Tuta for subject line encryption and operate over Tor. Riseup if you qualify and operate in activist spaces.
Technical users managing their own PGP: Disroot or Riseup with manual PGP key management and Thunderbird + Enigmail (or built-in Thunderbird OpenPGP).
Maximum metadata protection: No email provider fully protects metadata from lawful intercept. For sensitive communications, consider Signal or Briar instead of email entirely.
The Fundamental Limitation of Email
Every privacy email provider exists within the constraints of SMTP — the email protocol designed in 1982 with no privacy considerations. Sender, recipient, and timestamps are readable by routing infrastructure. End-to-end encryption protects content but not these headers. If your threat model requires metadata anonymity, encrypted email is the wrong tool. Use Signal with disappearing messages or an anonymous communication channel instead.
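To make the header exposure concrete, the following added example (not code from any provider discussed here) parses an OpenPGP-encrypted message in PGP/MIME form (RFC 3156) and reports which fields a relay or provider can still read. The sample message, its addresses and host names, and the `exposure_report` helper are constructed for illustration; Tuta's own format, which also encrypts the subject, is not modeled.

```python
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: a PGP/MIME message as a relay would see it in transit.
# Addresses, host names and the ciphertext placeholder are made up.
RAW = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTPS; Tue, 03 Mar 2026 09:15:02 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: Meeting at the usual place
Date: Tue, 03 Mar 2026 09:15:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def exposure_report(raw):
    """Split a message into what a relay can read and what it cannot."""
    msg = message_from_string(raw)
    # RFC 3156 marks an encrypted body with this content type and protocol.
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and msg.get_param("protocol") == "application/pgp-encrypted")
    readable = {
        "sender": [a for _, a in getaddresses(msg.get_all("From", []))],
        "recipients": [a for _, a in getaddresses(
            msg.get_all("To", []) + msg.get_all("Cc", []))],
        "subject": msg.get("Subject"),
        "sent_at": parsedate_to_datetime(msg["Date"]).isoformat(),
        "relay_hops": len(msg.get_all("Received", [])),
    }
    return {"body_encrypted": encrypted, "readable": readable}

if __name__ == "__main__":
    report = exposure_report(RAW)
    print("body encrypted:", report["body_encrypted"])
    for field, value in report["readable"].items():
        print(f"  cleartext {field}: {value}")
```

Even with the body encrypted, the report still lists who wrote to whom, when, and under what subject, which is the information a metadata-only legal order can reach.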
For most people, switching from Gmail to Proton Mail is a meaningful and practical privacy improvement. The perfect should not be the enemy of the good.