More Than Email
At first glance, Tuta Mail seems like just another email provider. It isn’t.
It’s one of the few services I’m aware of that has consistently prioritised privacy and security for protocols that were never designed for that purpose. Within the constraints of email, Tuta makes things about as secure as they realistically get.
One of the most interesting choices is how it handles push notifications.
Rather than relying on Google’s Firebase Cloud Messaging (FCM), Tuta chose to switch to using Server Sent Events to deliver push notifications way back in 2018.
This might seem like a small implementation to an email application, but the potential issues with push notifications were already something people in the privacy community were aware of, and the team working on what was then known as Tutanota were clearly ahead of the curve on.
It’s a topic that has only increased in severity and scale since then but what's common knowledge now is that:
Push notifications can reveal far more than people tend to assume.
The change Tuta made in 2018 brought several benefits: reduced metadata leakage, the complete removal of Google Play Services for the app to function, and most importantly, full control over the notification pipeline in-house.
Notifications are sent over TLS and each one is intentionally minimal, exposing nothing more than the fact that something has been updated in the Tuta app.
Some of the issues with push notifications are explained in more detail in this article from the EFF.
There have already been countless real-world examples of push notification exploits that have affected between hundreds of thousands and millions of people (that we know of), but the one that made mainstream news most recently was the FBI iOS Signal Exploit.
In retrospect, the decision Tuta made back in 2017/2018 feels less like a minor optimisation and more like a design choice that anticipated how things would unfold in the future.
Another feature I've not seen from any other email provider is Full Contact Integration being fully built into the same service that you receive your emails and calendar alerts on, but that's exactly what Tuta added in 2024.
It's a great feature but particularly if you run GrapheneOS or another De-Googled OS on your phone, as it completely removes the need for additional services like DAVx⁵ to sync your CardDAV / CalDAV.
Again, this may seem like a minor feature to some, but we now have a single app for Tuta Mail.
That single app manages email, contacts and calendars. Secures and encrypts everything that can be encrypted and keeps it synced in real time without the need for any Google services whatsoever.
There is actually a dedicated Tuta Calendar app for power users of calendars, but I find accessing the calendar via the Mail app more than sufficient for my needs.
Tuta's long-awaited; zero-knowledge, end-to-end encrypted Drive is currently in closed beta and due to be released as pubic beta soon I think.
I've been using Tuta Mail, calendar and contacts sync on GrapheneOS, multiple Linux distros and web browsers for around four years and it's been great, it's just as simple as any other email provider but with the added benefit of not having to use two additional apps for contacts and calendar.
If you're interested in how Tuta works under the hood, Tuta’s breakdown of their tech stack and encryption model are both worth a read.
Their blog is also a good read in general as it's more of a tech news, privacy and security blog than just occasional posts about Tuta, it's updated regularly with various interesting content. https://tuta.com/blog.
Rest assured, this is not sponsored content. I have no influence, no audience and no agenda. I made this blog yesterday and haven’t used social media for over a decade.
My Saturday afternoon was spent thinking about key derivation functions, push notification architecture, and hardening a fresh Fedora install.