naisho

Not Just Email

At first glance, Tuta Mail seems like just another email provider. It isn’t.

It’s one of the few services I’m aware of that has consistently prioritised privacy and security for protocols that were never designed for that purpose. Within the constraints of email, Tuta makes things about as secure as they realistically get.

One of the most interesting choices is how it handles push notifications.

Rather than relying on Google’s Firebase Cloud Messaging (FCM), Tuta chose to switch to using Server Sent Events to deliver push notifications way back in 2018.

This might seem like a small implementation detail for an email application, but the potential issues with push notifications were already known in the privacy community, and the team working on what was then known as Tutanota was clearly ahead of the curve.

It's a topic that has only grown in severity and scale since then, and what's common knowledge now is that:

Push notifications can reveal far more than people tend to assume.

The change Tuta made in 2018 brought several benefits: reduced metadata leakage, removing the app's dependency on Google Play Services, and most importantly, full in-house control over the notification pipeline.

Notifications are sent over TLS and each one is intentionally minimal, exposing nothing more than the fact that something has been updated in the Tuta app.
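To make the "content-free push" idea concrete, here is an added example in JavaScript of a minimal Server-Sent Events encoder and an incremental client-side parser. This is illustrative code written for this post, not Tuta's own implementation; the event name `notification`, the id value and the `hasNewData` payload field are assumptions chosen for the example. The point it demonstrates is that the only thing crossing the push channel is "something changed"; the client is expected to fetch the actual mail over its own authenticated session.

```javascript
// Added example (not Tuta's code): minimal SSE encoder plus an incremental
// parser. Shows a push channel that signals "something changed" without
// carrying any message content. Event name, id and payload shape are assumed.

// Server side: encode one SSE event. Only the event name, an id and a
// content-free JSON payload go over the wire; no sender, subject or body.
function encodeEvent(name, id, payload) {
  const data = JSON.stringify(payload);
  return `event: ${name}\nid: ${id}\ndata: ${data}\n\n`;
}

// A comment line (starts with ':') keeps the long-lived TLS connection open
// through NATs and proxies without dispatching an event to the client.
function encodeKeepalive() {
  return ': keepalive\n\n';
}

// Client side: parser state. `buffer` holds text that has not yet ended in a
// blank line, so events split across TCP reads are reassembled correctly.
function createParser() {
  return { buffer: '', lastEventId: null };
}

// Feed one chunk of the stream; returns the events completed by that chunk.
function feed(state, chunk) {
  state.buffer += chunk;
  const events = [];
  let idx;
  while ((idx = state.buffer.indexOf('\n\n')) !== -1) {
    const block = state.buffer.slice(0, idx);
    state.buffer = state.buffer.slice(idx + 2);
    const ev = parseBlock(block);
    if (ev) {
      if (ev.id !== undefined) state.lastEventId = ev.id; // for reconnect
      events.push(ev);
    }
  }
  return events;
}

// Parse one event block (lines up to a blank line) per the SSE field rules.
function parseBlock(block) {
  let name = 'message';
  let id;
  const dataLines = [];
  for (const line of block.split('\n')) {
    if (line === '' || line.startsWith(':')) continue; // comment / keepalive
    const colon = line.indexOf(':');
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? '' : line.slice(colon + 1);
    if (value.startsWith(' ')) value = value.slice(1); // one optional space
    if (field === 'event') name = value;
    else if (field === 'id') id = value;
    else if (field === 'data') dataLines.push(value);
    // 'retry' and unknown fields are ignored in this example
  }
  if (dataLines.length === 0) return null; // comment-only block: no event
  return { name, id, data: dataLines.join('\n') };
}

// Constructed sample stream (not captured traffic), delivered in two chunks
// so the second chunk starts mid-event. The client learns only that there is
// new data and must fetch it itself; nothing about the mail is in the push.
function demo() {
  const stream = encodeKeepalive()
    + encodeEvent('notification', '42', { hasNewData: true });
  const state = createParser();
  const first = feed(state, stream.slice(0, 20));  // keepalive + partial event
  const second = feed(state, stream.slice(20));    // rest of the event
  return { first, second, lastEventId: state.lastEventId };
}
```

Reading the payload in `demo()` is the whole point: a third party observing the channel (or an intermediary, had there been one) sees an opaque "new data" signal and a counter, not who wrote to you or what they said.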

Some of the issues with push notifications are explained in more detail in this article from the EFF.

There have already been countless real-world examples of push notification exploits affecting between hundreds of thousands and millions of people (that we know of), but the one that made mainstream news most recently was the FBI iOS Signal Exploit.

In retrospect, the decision Tuta made back in 2018 feels less like a minor optimisation and more like a design choice that anticipated how things would unfold.

Another feature I've not seen from any other email provider is full contact integration built into the same service that delivers your email and calendar alerts, but that's exactly what Tuta added in 2024.

It's a great feature, particularly if you run GrapheneOS or another de-Googled OS on your phone, as it completely removes the need for additional services like DAVx⁵ to sync your CardDAV / CalDAV data.

Again, this may seem like a minor feature to some, but we now have a single Tuta Mail app that manages email, contacts and calendars, encrypts everything that can be encrypted, and keeps it all synced in real time without any Google services whatsoever.

There is actually a dedicated Tuta Calendar app for power users of calendars, but I find accessing the calendar via the Mail app more than sufficient for my needs.

Tuta's long-awaited zero-knowledge, end-to-end encrypted Drive app is currently in closed beta and is due to be released as a public beta soon.

I guess my main point is that I've been using Tuta for at least four years now. For the first three of those years I was only using the free account.

I eventually ended up buying a yearly subscription when there was a sale on, and I haven't looked back since.

I'm going to refrain from singing Tuta's praises too much more because I don't want this to come across like a sponsored post; I'm not sharing my sign-up link for the same reason.

Honestly, what stands out the most for me is how there's barely any friction once you're running Tuta on mobile and/or desktop. It keeps everything as secure as possible, it syncs in real time and works flawlessly despite having fewer dependencies than a "smart" light bulb.

If you're interested in how Tuta works under the hood, Tuta's breakdowns of their stack and their encryption model are both worth a look.

Their blog in general is also a good read. It's not just focused on Tuta, it's more of a tech, privacy and security blog: https://tuta.com/blog.