Private Email Providers: What They Protect
A private email provider changes three things: whether stored mail is encrypted so the provider cannot read it, whether an account can be opened and paid for without a legal name, and which jurisdiction can compel the provider. It does not change how email itself works. Mail exchanged with an outside address crosses the internet with readable headers, and the sender, recipient, and timing of every message pass through the provider regardless of content encryption. This page compares providers on the parts that are actually theirs to control.
Email intent: this page is about the mailbox and the provider. For encrypting message content across providers, see PGP basics. For the jurisdiction question in depth, see Five Eyes jurisdictions.
- providers compared, none requiring identity documents
- 5
- Recorded signup requirements per provider
- jurisdictions of the compared mailboxes
- EU/CH
- Germany, Switzerland, Belgium; none in Five Eyes
- what stays readable in transit to outside mail
- Headers
- SMTP metadata is not covered by stored-mail encryption
What "private" covers, and what it does not
The protection a mailbox provider can offer has edges, and knowing them decides which provider actually helps:
- Stored content: a provider that encrypts mail at rest so it holds no key cannot read or hand over the content. This is the strongest property and the one that varies most in scope, from full mailboxes to content only.
- Transit to other providers: mail sent to an outside address travels with readable headers, and is readable on the receiving side. Content encryption between different providers requires OpenPGP on both ends.
- Metadata: the provider always handles sender, recipient, subject in many cases, and timing. Court orders in several countries have compelled providers to log connection data such as IP addresses for named accounts.
- Account identity: signup without documents and payment by cash or crypto keeps a legal name off the account. This is separate from encryption and is where the compared providers differ in payment options.
Decide in four checks
- What must stay encrypted: if content must be unreadable to the provider, choose one that encrypts stored mail and confirm the scope (content, subjects, attachments, whole mailbox). If mail must stay encrypted to outside recipients, that is an OpenPGP question, not a provider one.
- How the account is paid: if payment must not carry a name, check for cash-by-post or cryptocurrency acceptance. Providers here differ sharply on this.
- Which jurisdiction: all compared mailboxes sit in the EU or Switzerland, outside Five Eyes, and each has its own compelled-disclosure process worth reading.
- Whether an alias layer helps: if the goal is limiting what each signup learns rather than encrypting mail, an alias service in front of any mailbox does that job.
Compared providers
| Provider | Jurisdiction | Account | Cunicula score |
|---|---|---|---|
| Proton Mail | CH | No account ID | 74/100 |
| Tuta | DE | No account ID | 94/100 |
| Posteo | DE | No account ID | 89/100 |
| Mailbox.org | DE | light KYC | 77/100 |
| Mailfence | BE | No account ID | 69/100 |
Proton Mail is a Swiss service with end-to-end encryption between Proton users, no phone number required at signup by default, and a Securitum audit on record. Its compliance surface is documented: Proton complied with a 2021 Swiss court order that logged an account's IP address, which is a jurisdiction property to weigh rather than a reason to dismiss it.
Tuta (Germany) encrypts subject lines along with content, which many designs leave readable, and supports anonymous signup. German jurisdiction means connection data can be compelled for specific accounts under court order, and mail to outside providers still crosses in ordinary form.
Posteo (Germany) is built so payment cannot be linked to the account: it accepts cash by post and keeps payment data separate from mailbox identity, at one euro per month. It is a data-minimizing mailbox under German legal process rather than a zero-knowledge one across the whole account.
Mailbox.org (Germany) offers OpenPGP support and a workspace suite, and its signup asks for a name it states it does not verify, so pseudonymous accounts are allowed. It does not accept cryptocurrency, so paid accounts settle by conventional rails that can carry billing identity.
Mailfence (Belgium) supports OpenPGP and custom domains and accepts Bitcoin, operating outside Five Eyes under Belgian and EU law. Its record notes no independent security audit, and Belgian law still permits compelled disclosure of the account and metadata it holds.
Aliases: a layer, not a mailbox
An alias service sits in front of a real mailbox and gives each signup its own forwarding address, so a leaked or spammed address can be disabled without touching the mailbox and no single sender learns the real one. It is a compartmentalization layer, not encryption: the alias service still holds account and forwarding metadata.
- SimpleLogin (CH): open source and self-hostable; see the provider record for audit status and payment options.
- addy.io (GB): open source and self-hostable; see the provider record for audit status and payment options.
Information is provided for educational purposes. Provider terms and jurisdictions change; the linked provider records carry the current review dates. Affiliate disclosure.
Frequently Asked Questions
What does a private email provider actually protect?
It protects stored mail the provider holds, when the provider encrypts it so it cannot read the content, and it can allow signup and payment without a legal name. It does not protect mail in transit to other providers, which carries readable headers, and it does not remove the sender, recipient, and timing metadata the provider handles for every message.
Is encrypted email end-to-end encrypted?
Only between users of the same provider, or when both sides use OpenPGP. A message to a Gmail or Outlook address is readable on the receiving side and processed under that provider’s terms. Stored-mail encryption protects what sits on the provider’s servers; it does not encrypt the path to an outside mailbox.
Does a private mailbox stop email scanning?
It stops the provider from scanning content it holds no keys for. Large webmail services scan and process mail under their own terms, so any message exchanged with those services is readable on their side regardless of the sender’s provider. Scanning is a property of the mailbox that holds the message, not of the network.
Can a private email account be opened without identity documents?
The providers compared here do not require identity documents to open a mailbox, and several accept cash or cryptocurrency so payment need not carry a legal name. Connection metadata such as IP addresses still accrues, and court orders in several jurisdictions have compelled providers to begin logging it for specific accounts.
What is an email alias and when does it help?
An alias is a forwarding address that hides the real mailbox from a sender. It limits what each signup learns and lets a leaked or spammed address be disabled without changing the mailbox. It does not encrypt mail or remove the account and payment metadata held inside the alias service.