Tuta vs Mailbox.org / which contributes more to privacy in practice?

Hi r/privacy,

I’m trying to choose between Tuta (Tutanota) and Mailbox.org, and I’d really appreciate some perspectives from people here who care about actual privacy ethics and not just marketing claims.

Here’s how I currently see both:

  • Tuta: I like their zero-knowledge approach, open-source stack and the fact they take strong public stances for encryption rights. They’re clearly passionate advocates. But I’m conflicted about a few points:
    • They use AWS for DNS (seems odd for a privacy-focused provider).
    • Their onion site is basically just a redirect, not a real hidden service, which feels a bit hypocritical for a privacy-first brand.
    • They also restrict Tor users sometimes, which contradicts their stated philosophy.

  • Mailbox.org: They feel more pragmatic and standards-based. I like that they run their own infrastructure and even operate a Tor node, which to me shows real commitment to the privacy ecosystem beyond email. On the other hand, their webmail feels clunky and their privacy approach seems more “traditional” or outdated (relying on encryption options rather than true zero-knowledge design).

My situation: I’m in North America, not doing anything illegal. I just care deeply about data ethics, autonomy and supporting providers who strengthen the privacy landscape as a whole. I don’t use Tor, but I value organizations that contribute to open privacy infrastructure.

So I’m wondering:

  • Which of these two actually contributes more to privacy at the ecosystem level (protocols, activism, standards, open code, etc.)?

  • For someone who values transparency, technical integrity and social contribution more than convenience, which would you choose?

  • Any firsthand experiences or insight from people who’ve followed their projects over the years?

Thanks!

Based on what you’ve shared and what you seem to want and are prioritizing, Tuta is a clear choice here. They tick all your boxes and have fixed my major grievance of conversational view with email threads.

Usability wise it’s highly functional and simple but that’s the point. A minimal and highly private and secure email service. You can also pay for it privately or anonymously should you want to.

Go with Tuta. You won’t regret it.

Welcome to the forum!

Since you’re new here, you should know this is the Privacy Guides forum and has nothing to do with the privacy subreddit but only the privacy guides subreddit.

Besides that, I agree with @Seven. Tuta is what would suit you better.

I would suggest trying out both services and seeing what works for you. I tried Tutanota, but the fact they only work on their own apps and setup means it’s much harder to integrate into your current setup or transfer and move emails from one provider to Tutanota.

Tutanota does have a free plan which is fine for basics, but could become riskier if there end up being more free users than paying users. Mailbox does not have this risk and has recently given their website and web UI a visual overhaul which looks much better than it used to.

I think it’s best if you’re moving to a privacy and security forward email service provider that you start fresh. Why bring in potentially unneeded emails from your previous inbox?

But this is also good advice.

That’s not true. Also, not sure what you mean by this so please clarify and explain.

Don’t know what devices you use (or if you’d even care since maybe you just use webmail), but I’ve found Tuta’s Android apps to be pretty clunky. They require logging in every time I open them (so they’re not particularly quick when I want to check something) and they basically look like web apps with a kind of ugly UI.

The other issue is that they don’t support PGP, so E2EE only applies if you email someone else who uses Tuta. Technically, there’s a way to get E2EE by sending basically a link that the recipient opens and then uses some password you share with them out-of-band, but most people aren’t gonna want to do that, and if you can share the password with them securely, in most cases you can probably just message them whatever you wanted to send that way. PGP is also semi-useless for communicating with other people since almost no one uses it, but it’s at least more likely to work.

More importantly, with Tuta, you’re locked into using their app. IMO the main advantage of Mailbox is that you can use IMAP with PGP (using Guard or whatever their solution is called) and then just use whatever email client you want. I’m actually considering swapping to Mailbox from Protonmail and Tuta primarily because I don’t like their apps.

2 Likes

I think if you read what OP is asking for, Tuta suits them better. This is not a post about Tuta vs Mailbox necessarily. The question is more than that.

I mean, they’re trying to choose between them. It’s certainly an option to choose entirely without regard for the functioning of their services, but IMO that’s a mistake that will lead to endless frustration in the future. IMO the main value of Tuta over Mailbox is that the calendar and contacts are encrypted.

I also don’t see how Tuta contributes much to the overall privacy landscape. Their services attempt to lock you into a walled garden. Frankly, if we’re talking about picking a service that contributes to the privacy landscape, I’d say Proton is the best between the three recommended services, even though I have a number of complaints about them.

1 Like

And not the encrypted email they provide?

I’m pretty sure you do not know how to evaluate two products for all they can do based on what they are about.

Wow, I don’t know what to say about thinking like this. Your threshold for what you consider walled garden is unreasonably and egregiously misplaced and skewed to say the least. In other words, I think you’re wrong.

> And not the encrypted email they provide?

> I’m pretty sure you do not know how to evaluate two products for all they can do based on what they are about.

Given that the encryption is only useful if they try to access your data in the future way after it arrives (given that most email will be coming in unencrypted) unless you’re emailing other Tuta users, yes, I think their encrypted email is pretty much useless. At the very least, it provides no more value than Mailbox and Proton, and both Mailbox and Proton work with actual standards. (Of course, Proton also requires an app unless you use their bridge, which I don’t particularly like.)

I am pretty sure you can’t either, given what I’m seeing here. Unless you have many other contacts using Tuta, it is definitely the worst of the recommended options on this site for email.

> Wow, I don’t know what to say about thinking like this. Your threshold for what you consider walled garden is unreasonably and egregiously misplaced and skewed to say the least. In other words, I think you’re wrong.

Unless you do the incredibly janky link thing that generally speaking people will simply not want to use, their E2EE email only works between Tuta users. This is basically the definition of a walled garden. They do not follow standards and have made their own solution that works with absolutely no one else.

3 Likes

Dare I ask if you set the option “keep me signed in”? Usually it should not prompt you for a password then…

It is necessary for the encryption, privacy, and security they provide with email which is historically and inherently highly insecure otherwise.

If choosing Tuta, you’re choosing to be with Tuta and use what it offers and how. You don’t always have to use email that’s encrypted but it works best if the other is also encrypted. I highly doubt anyone using Proton always sends emails to only other Proton users. There’s more to using private and secure email services than just having the strong encryption they provide only if you send messages to other Tuta users.

All that said and even notwithstanding, you can always still send encrypted Tuta emails like you said. Most people may not do it but it’s an option that I don’t think should be dismissed or discounted as far as you have.

I use Tuta, Mailbox, and Proton. I prefer standard protocols and support over custom apps no matter how secure are the claims. With Tuta and Proton, you the user really have to read any and all published security audits and claims. You are wholly reliant on their developers and security to maintain yours.

Tuta is basically a webassembly client that loads to handle email. Proton is javascript based, but the same idea; it’s a client you run to talk to their servers. Neither Tuta nor Proton use standard protocols like IMAP, CalDAV, etc on claims they cannot secure them. Instead of using Thunderbird, Claws, Sylpheed, you’re using their app (Tuta or Proton). Proton at least offers an IMAP bridge so one can use a normal mail application locally and/or offlineimap or some other way to back up your mail on a schedule.

Tuta does not offer any way to store your emails in a standard format. They are only accessible via their app. And by default, it’s only the last 30 days. You have to specifically configure their app to allow longer storage. And even then, one cannot choose say, 10 years or longer.

Mailbox operates on standard protocols (IMAP, CalDAV, SMTP) so you can use any mail client with their service. You can store your mails locally, or wherever. They offer GPG automation to encrypt the emails at rest.

It really comes down to what you prioritize, as others have said in this thread. I value portability and adherence to standards over ephemeral security claims. My experience is that I will outlive the companies, so I need to be able to migrate my mail as needed. I’ll skip my crazy backup security policy, but it’s saved me a few times when providers shut down (LavaBit, Skiff, etc).

My €0.02: always use your own domain name with any provider so that when the provider shuts down, you can still use your email in the long run. Always back up your email to some standard format (mbox, maildir) so when the provider shuts down you still have your history. Secure the mail backup yourself; don’t rely on the provider to do it for you.

7 Likes
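As an added illustration of the backup advice in the post above (this is example code, not from the original thread or from any of the providers discussed): the script below writes a few constructed sample messages into both a Maildir and an mbox using only Python’s standard library, records a SHA-256 digest per Message-ID so the archive can be checked later, and shows that a silently modified message is caught on re-verification. Paths, the sample messages and the function names are all assumptions made for the example.

```python
import hashlib
import mailbox
import os
import tempfile
from email import message_from_bytes
from email.policy import default

# Constructed sample messages (not real mail), Unix line endings as a
# Maildir stores them. Each carries a Message-ID to key the manifest on.
SAMPLE_MESSAGES = [
    b"From: alice@example.com\nTo: me@example.org\nSubject: hello\n"
    b"Message-ID: <1@example.com>\nDate: Mon, 01 Jan 2024 10:00:00 +0000\n\n"
    b"first message\n",
    b"From: bob@example.com\nTo: me@example.org\nSubject: invoice\n"
    b"Message-ID: <2@example.com>\nDate: Tue, 02 Jan 2024 11:00:00 +0000\n\n"
    b"second message\n",
    b"From: carol@example.com\nTo: me@example.org\nSubject: notes\n"
    b"Message-ID: <3@example.com>\nDate: Wed, 03 Jan 2024 12:00:00 +0000\n\n"
    b"third message\n",
]


def archive_messages(raw_messages, maildir_path, mbox_path):
    """Store raw RFC 5322 messages in a Maildir and an mbox file.

    Returns a manifest {Message-ID: sha256 hex digest of the raw bytes} that
    should be kept separately (and ideally signed) for later integrity checks.
    """
    md = mailbox.Maildir(maildir_path, create=True)
    mb = mailbox.mbox(mbox_path, create=True)
    manifest = {}
    try:
        for raw in raw_messages:
            msg = message_from_bytes(raw, policy=default)
            msg_id = msg["Message-ID"]
            manifest[msg_id] = hashlib.sha256(raw).hexdigest()
            # Passing bytes stores the message verbatim (one file per message
            # under new/ for Maildir; a "From " separator line for mbox).
            md.add(raw)
            mb.add(raw)
        mb.flush()
    finally:
        md.close()
        mb.close()
    return manifest


def verify_maildir(maildir_path, manifest):
    """Re-read every message in the Maildir and compare against the manifest."""
    md = mailbox.Maildir(maildir_path)
    seen = {}
    for key in md.keys():
        raw = md.get_bytes(key)
        msg = message_from_bytes(raw, policy=default)
        seen[msg["Message-ID"]] = hashlib.sha256(raw).hexdigest()
    # Any missing, extra or altered message makes the dictionaries differ.
    return seen == manifest


def run_demo():
    """Archive the samples in a temp dir, verify, then detect a tampered file."""
    with tempfile.TemporaryDirectory() as tmp:
        maildir = os.path.join(tmp, "Maildir")
        mbox_path = os.path.join(tmp, "archive.mbox")
        manifest = archive_messages(SAMPLE_MESSAGES, maildir, mbox_path)
        intact = verify_maildir(maildir, manifest)
        mbox_count = len(mailbox.mbox(mbox_path))
        # Simulate silent corruption: append a byte to one stored message.
        new_dir = os.path.join(maildir, "new")
        victim = os.path.join(new_dir, sorted(os.listdir(new_dir))[0])
        with open(victim, "ab") as f:
            f.write(b"X")
        tamper_detected = not verify_maildir(maildir, manifest)
    return {
        "messages": len(manifest),
        "verified": intact,
        "mbox_count": mbox_count,
        "detected_tamper": tamper_detected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The manifest is the part the provider cannot supply for you: keep it (or a signed copy of it) apart from the archive, and re-run the verification after every restore or migration, so a truncated or altered mailbox is noticed before the old provider is gone.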

It automatically signs you in, but unlike Proton or a normal email client, it blocks the screen while it signs you in. It then also takes a while to load your actual content. It also sometimes fails to load the inbox at first and I have to manually press “load more” for the inbox to actually load. It’s just not a pleasant experience.

> It is necessary for the encryption, privacy, and security they provide with email which is historically and inherently highly insecure otherwise.

> If choosing Tuta, you’re choosing to be with Tuta and use what it offers and how. You don’t always have to use email that’s encrypted but it works best if the other is also encrypted. I highly doubt anyone using Proton always sends emails to only other Proton users. There’s more to using private and secure email services than just having the strong encryption they provide only if you send messages to other Tuta users.

These exact same statements could apply to iMessage. You can still message other people just with degraded security. Choosing a provider doesn’t prevent it from being a walled garden. You choose Apple products. If they wanted to actually improve the email landscape, they’d work with other providers to implement support for their protocol.

Also, the entire point I am making with Proton is that you don’t need to email another Proton user for encryption because it uses PGP. I would have an entirely different opinion of Tuta in this aspect if they implemented support for PGP when emailing people who don’t use Tuta. However, they have very intentionally chosen not to do so. This is their choice obviously, but it basically degrades their service from potentially the best choice (since you’d get their custom protocol for Tuta users and PGP for e.g. Protonmail users) into something that is mostly useless. Anecdotally, I know absolutely no one who uses Tuta.

2 Likes

Exactly! The only reason I use Proton instead of Tuta is the fact they don’t fall back to PGP for addresses outside of Tuta. I have no clue why this would not be the number one priority feature to implement.

Hmm, that ought not to be. What OS are you on?

GrapheneOS. I can try it later on an iOS device and see if it behaves differently, but it hasn’t worked that well on my phone. It probably doesn’t help that I’m somewhat far from their servers and use a VPN.

Essentially, if you have more free users than paid users, the service has to somehow keep going with all the free users. The paid users are essentially paying more to make up for the larger number of free users. So the email service has a choice of either getting rid of the free service, which may result in users going elsewhere, or shutting down or selling out. There have been various examples over the years such as CTemplar. So for something mission critical that is the backbone of people’s lives, you don’t want your email service to shut down.

You’re assuming way too much about Tuta’s capacity as a sustainable business. You don’t know the numbers or the dollars they are making or not making.

Such speculation only breeds anxiety that may not even be warranted.