Proton vs Tuta vs Self-Hosted: Email Privacy, Practically Assessed
Three honest routes to private email, and the trade-offs nobody mentions in the marketing

Contents
“Private email” is one of those phrases that sounds like a single product and is in fact three completely different bargains. You can pay an encrypted provider to hold your mailbox in a way they can’t read. You can pay a different encrypted provider with a different idea of how that should work. Or you can host the lot yourself and own the whole problem. I’ve run all three at various points, and the right answer depends entirely on which trade-off you can live with — so let’s be specific about what each one actually costs you.
The fundamental limit nobody can sell their way around
Before comparing anyone, accept the uncomfortable truth: SMTP — the protocol that moves mail between providers — is plain text by design. The moment you email someone on Gmail, the content of that message lands on Google’s servers in a form Google can read. No provider can encrypt mail you send to people who aren’t using their encryption. So “encrypted email” really means: encrypted at rest in your mailbox, and end-to-end only between users of the same scheme or those exchanging PGP keys. Keep that in mind, because the marketing blurs it relentlessly.
Decide what you are actually defending against
Before any comparison is useful, name the threat, because “private email” means wildly different things depending on who you are worried about. Three broad models cover most people, and the right product changes with each.
If your concern is the provider mining your mail for advertising — the everyday Gmail bargain where your inbox trains someone’s ad model — almost any of these three ends it. Proton and Tuta do not read your mail to sell you shoes, and a self-hosted box has no vendor at all. This is the most common real motivation, and it is also the easiest to satisfy.
If your concern is a database breach at the provider, encryption-at-rest is the thing that matters, and here the three diverge sharply. A provider that holds your mail in a form it cannot read hands an attacker who dumps its database very little. This is precisely where Tuta’s metadata encryption and Proton’s zero-access storage earn their keep, and where a self-hosted box is only as safe as your disk encryption and your patching discipline.
If your concern is a determined, resourced adversary specifically targeting you — a nation state, a well-funded litigant — be honest that email is a poor hill to defend, because the person you are emailing is on Gmail and the message is readable there regardless of your cleverness. No provider choice fixes that, and pretending otherwise is where a lot of privacy marketing quietly misleads people. The realistic goal for most readers is the first two models, not the third.
Hold that framing while reading the rest, because a feature that is decisive under one threat model is irrelevant under another. A person fleeing ad-profiling and a person worried about a database breach can look at the exact same feature list and rationally reach opposite conclusions, and most arguments about “the most private email” are really two people with different threat models talking past each other.
Proton Mail
Proton encrypts your mailbox with your password so they can’t read stored mail, supports PGP for end-to-end with other PGP users, and has built out a wider ecosystem — VPN, calendar, drive, a password manager. It’s in Switzerland, which buys a reasonable jurisdiction story.
The practical catches: because of the encryption model, you can’t use a normal IMAP client directly — you run Proton Bridge, a local app that decrypts and re-serves your mail over localhost to Thunderbird or mutt:
| |
Bridge is paid-tier only, and it’s a process that must be running for desktop mail to work. Search is also limited because the server can’t read your messages to index them — you get client-side search instead, which is slower over a big archive.
There is a subtler catch worth naming: Bridge is a single point of friction on every device. On a laptop it is fine — it sits in the tray and you forget it exists. On a headless machine, a phone, or anything you cannot install a desktop app on, it simply is not an option, and you are back to Proton’s own apps and webmail. If your mental model of email is “I bring my own client everywhere,” Bridge is a compromise you make peace with rather than a feature you enjoy.
The ecosystem is the real pitch, though. Proton bundles VPN, calendar, drive and a password manager under one account and one bill, which for a lot of people is the actual reason to pay — not the email purity, but the convenience of one privacy-minded vendor for the lot. Whether you value that or find it a lock-in risk depends on your temperament. I lean towards owning my own pieces, but I understand the appeal of not assembling them yourself.
Tuta
Tuta (formerly Tutanota) takes encryption further: it encrypts the subject lines and metadata too, not just bodies, and even the address book. That’s a stronger at-rest story than Proton’s. The price is that Tuta does not speak standard PGP and does not offer an IMAP bridge at all — you use their apps, full stop. Mail to non-Tuta users is sent either as a normal (unencrypted-in-transit-only) message or via a password-protected link the recipient opens in a browser.
So Tuta is more private in storage but more isolated in practice. If you live in their app and mostly email other privacy-minded people, it’s excellent. If you need IMAP, a desktop client of your choice, or PGP interop, it will frustrate you fast. It’s German-jurisdiction and notably cheaper than Proton at the low tiers.
The metadata point deserves a moment, because it is the one genuinely distinctive thing here. On most “encrypted” email, the subject line is plaintext at rest, and subject lines leak an astonishing amount — “Re: your test results,” “Invoice #4471 overdue,” “Divorce paperwork draft.” Tuta encrypting those, plus the address book, closes a hole the others leave open. The cost of that choice is precisely the interoperability it sacrifices: you cannot encrypt a subject line and also hand a standard IMAP client a plaintext one to display. Tuta picked privacy over the protocol, and every friction you hit with it traces back to that single, coherent decision. It is a more honest product than the marketing makes it sound in either direction.
Self-hosting
Now the masochist’s option, which I say with affection because I do it. You own a domain, run a mail server, and nobody but you holds the mailbox. Mailcow or Mail-in-a-Box bundle the painful parts — Postfix, Dovecot, antispam, webmail — into something installable:
| |
The software is the easy 20%. The hard 80% is deliverability. You need correct SPF, DKIM and DMARC records, a clean static IP with matching reverse DNS, and a residential ISP that doesn’t block port 25 — and even then, Gmail and Outlook may shunt you to spam for months while your domain earns reputation. Self-hosting gives you maximum ownership and maximum at-rest privacy (it’s your disk), but the encryption-at-rest is only as good as your own disk encryption, and you are now personally responsible for security patches, backups, and the spam war.
Here is the honest shape of the ongoing burden, because the initial install is not the commitment — the operating is. A mail server is an internet-facing service that must be up when someone sends you something important, so it wants monitoring: I run mine behind an uptime checker so a dead SMTP port pages me rather than getting discovered three days later when a client asks why their email bounced. That is exactly the kind of always-on service where self-hosted uptime monitoring earns its place — email is the classic “silently broken and you find out socially” failure. It also wants backups you have actually tested restoring, because losing years of mail to a disk failure is a special kind of misery, and the entire point of self-hosting was that nobody else holds a copy.
Then there is the reputation maintenance nobody mentions in the tutorials. IP reputation decays if you go quiet and can be poisoned if your box is compromised and starts relaying spam. You will spend evenings reading DMARC aggregate reports, requesting delisting from blocklists, and tuning your spam filter to stop rejecting your accountant. None of it is hard, exactly. It is just yours, forever, in a way that clicking “sign up” on Proton is not.
So which one?
- Proton if you want strong privacy, PGP interop, a desktop client via Bridge, and a tidy ecosystem — and you’ll pay for it.
- Tuta if you want the strongest at-rest encryption including metadata, are happy living in their apps, and want it cheap. Skip it if you need IMAP or PGP.
- Self-hosted if ownership is the whole point and deliverability headaches sound like a fun weekend rather than a nightmare.
The verdict
For almost everyone who just wants out of Gmail, Proton is the pragmatic pick: it gives real at-rest privacy without forcing you to abandon standard clients. Tuta is the better privacy answer on paper and the worse interoperability answer in daily life. Self-hosting is the only option that truly removes the third party — but you become the third party, with all the duties that implies, and your mail’s privacy-in-transit is no better than anyone else’s because SMTP is SMTP. Whichever you choose, buy your own domain. It’s the one decision that makes the next migration a DNS change instead of a divorce.
One last piece of advice from experience: email is the wrong first thing to self-host. If you are drawn to owning your own data, cut your teeth on something where a bad day means a service is down for a few hours rather than important mail silently vanishing. Self-hosting your photo library with Immich or a personal-finance tool teaches you backups, monitoring and TLS on a service that nobody else depends on being reachable. Get comfortable operating those, and then, if you still want the last mile of ownership, run your own mail with your eyes open about the deliverability tax. Reach for the self-hosted mailbox because you want the sovereignty, not because you think it will be more private in transit — because it won’t be, and knowing that up front is the difference between a satisfying project and a disappointing one.




