- 1 Introduction
- 2 Safe Email Principles
- 3 Email Provider Comparison
- 4 Encrypted Email
- 5 Email Alternatives
- 6 Footnotes / References
- 7 License
On the Whonix platform, there are two common methods for email:
- Webmail accessed via Tor Browser; or
- Encrypted Email with Mozilla Thunderbird, Enigmail and TorBirdy.
These and other solutions are imperfect, but this is not a Whonix-specific issue -- it is a general issue with email over the Tor network.
Webmail refers to accessing an email service via a web browser when connected to the Internet. Emails are stored and accessed on the online servers provided by the service. This approach provides convenience, as: 
- Messages can be stored and accessed by different devices in different locations, with syncing of services across those devices.
- Difficult desktop email setup configurations are avoided, since third-party applications are not required.
In comparison, email clients like Thunderbird  manage emails via a desktop application. In Thunderbird's case, various settings must be configured like the email address and email port server settings (POP3, SMTP etc.), among others. There are several benefits to a properly administered email client: 
- No annoying webmail advertisements.
- Emails can be retrieved from providers at a specific time.
- New emails are stored on the home desktop computer. 
- Emails can be retrieved from multiple email addresses.
- It is possible to view and compose emails off-line.
- A properly configured client protects against tracking by Email Beacons.
Neither approach is foolproof, since email is inherently insecure. However, end-to-end, PGP-encrypted email with the Thunderbird email client is preferable because it provides better security than standard webmail. It is recommended to review comparisons of webmail providers and email clients before proceeding further.
Safe Email Principles
Email attachments are often used as an exploit vector for infecting the recipient's machine(s), deanonymizing users, or tracking when attachments are viewed, forwarded and so on. To avoid being infected with malware, it is safest to open attachments in a separate VM that does not have an Internet connection. In Qubes-Whonix, DisposableVMs are ideal for opening potentially dangerous files.
SSL/TLS encryption is inadequate to protect emails from prying eyes. Whonix supports the stock recommendation to use email encryption with Enigmail, which is a graphical front-end for using the GnuPG ("GPG") encryption program. This is a suitable solution for the majority of users, unless they have self-assessed as being a high-risk target. Similarly, the TorBirdy extension is also recommended to make Thunderbird connections take place over the Tor network.
Users should bear in mind that only later versions of Enigmail encrypt the subject line, but the Whonix configuration does not currently encrypt the subject line.
Even if the email content is encrypted and subject lines are random, hidden, empty, use just a dash (-), or contain misleading content, the email provider can still log valuable data such as:
- When and with whom the user is in contact.
- When a user logged in and for how long.
- How often a user fetches mail.
- The Tor exit relay that was used for anonymous email.
Extensive metadata can potentially assist adversaries to make (false) assumptions about the user and their identity.
There are service providers that offer encrypted webmail that is easy to use and alleviates much of the complexity associated with encryption by managing and securing users encryption keys for them. Instead of fumbling around with a terminal interface or often complicated encryption software these providers incorporate email and encryption into a single and intuitive web interface. With this configuration all encryption operations are handled by the provider's server side software which provides seamless email encryption with minimal user intervention. While this may afford convenience, encrypted webmail comes with significant drawbacks. Since the provider maintains full control of the encryption keys, users must place their full trust in a single point of failure. If the server was compromised and the keys were stolen, all previously encrypted messages could be decrypted and read by the attacker.. Even if the provider becomes aware of the breach there is no guarantee that public will be informed since this could cause a loss of future revenue irregardless if the breach was through no fault of the provider. Moreover, if the service were to shutdown without warning it could be very difficult or impossible for users to retrieve their personal encryption keys. This would hamper secure communications until the user established trust with new encryption keys.
Avoid well-known, large, corporate email providers who purposefully invade user privacy. For instance, Yahoo and Gmail use automated software to scan emails for keywords to tailor advertising and sell products. Hotmail also has a history of reading private emails and messages.
Prefer email providers that:
- Are free.
- Provide an onion service.
- Support PGP encryption and key management.
- Have encrypted inboxes by default.
- Are outside Fourteen Eyes jurisdictions.
- Have desktop email compatibility with Mozilla Thunderbird. 
The email provider will always represent a single point of failure. An email account may be quickly closed or suspended in response to external pressure by authorities. Similarly, the administrators may decide (or be forced) to terminate the service completely, or for specific individuals.
Users should create backup anonymous email addresses with different providers so that alternative communication channels remain open in response to potentially hostile third party actions.
Other potential tracking vectors include web beacons (webbugs)  which are embedded on various websites, allowing cookies to be implanted in the browser in order to track browsing habits. Email beacons use a similar tracking technique. In this case, tiny images are embedded in emails with unique identifiers in the URL. After the email is opened and the image is requested, the email sender learns when the message was read, along with the IP address (or proxy) that was used.
The best balance of usability and security is realized by configuring Encrypted Email with Mozilla Thunderbird, Enigmail and TorBirdy. It is also preferable to use POP3 and SMTP, since IMAP leaks more metadata. 
Email Provider Comparison
The earlier Email Provider section noted that email is always a single point of failure. Despite the many claims made by different services, they are unable to significantly improve privacy by design. Only a few questions are truly relevant:
- Is anonymous registration over Tor possible?
- Is any personal information required for registration?
- Can the account be exclusively paired with Tor - preferably via a (v3) onion service?
- Will the provider bow to external pressure by authorities and close or suspend the account when free speech issues arise? This has a greater impact for projects or movements, rather than individual accounts.
Privacy by policy can only ever provide a weak layer of protection compared to privacy by design. One possible exception might be "pseudo-email" services  like BitMessage, I2P-Bote and Freemail. For instant messenger protocols with equivalent features, see Richochet IM and RetroShare.
A few mail providers who are frequently discussed as possible options are briefly considered below. Whonix stands neutral in this regard; objectively speaking no particular mail provider can be recommended.
As noted in the Google Data Collection Techniques entry:
Email content is processed and read (scanned) by a computer for targeted advertising purposes and spam prevention. Under Google policies, there is an unlimited period of data retention and the potential for unintended secondary use of this information. Google has already admitted users have "no reasonable expectation" of confidentiality regarding personal emails.
Although Google allegedly stopped scanning all emails for advertising purposes in 2017, it is clear that employees are tasked to read users' emails for security or other purposes.  Further, Google has simply replaced one data-siphoning avenue with another -- third-party apps which can access and share data from Gmail's 1.4 billion users (in 2018).  Since Google is hostile to privacy, no-one should be surprised that pairing Tor with Gmail is exceedingly difficult. Mike Hearn from Google addressed this very issue on tor-talk in 2012: :
Access to Google accounts via Tor (or any anonymizing proxy service) is not allowed unless you have established a track record of using those services beforehand. You have several ways to do that:
1) With Tor active, log in via the web and answer a security question, if any is presented. You may need to receive a code on your phone. If you don't have a phone number on the account the access may be denied.
2) Log in via the web without Tor, then activate Tor and log in again WITHOUT clearing cookies. The GAPS cookie on your browser is a large random number that acts as a second factor and will whitelist your access.
Once we see that your account has a track record of being successfully accessed via Tor the security checks are relaxed and you should be able to use TorBirdy.
Based on Google's poor privacy record, anti-Tor stance, and unrivaled profiling / data exfiltration in all ecosystems, Gmail is strongly recommended against. It would be very difficult to register an account and exclusively login over Tor. Google's insistence on personal identifiers such as mobile phone verification makes it practically impossible to achieve without jeopardizing anonymity. 
Wikipedia provides a simple overview of the I2P email service: 
I2P has a free pseudonymous email service run by an individual called Postman. Susimail is a web-based email client intended primarily for use with Postman's mail servers, and is designed with security and anonymity in mind. Susimail was created to address privacy concerns in using these servers directly using traditional email clients, such as leaking the user's hostname while communicating with the SMTP server. It is currently included in the default I2P distribution, and can be accessed through the I2P router console web interface. Mail.I2P can contact both I2P email users, via user@mail.I2P and public internet email users from a user@I2Pmail.org address.
Although it is beneficial to clean the mail header, applications like TorBirdy can do the same. Further, it is technically impossible to encrypt mails to clearnet addresses such as Gmail, Riseup and other providers, unless the sender and recipient are using end-to-end encryption such as OpenPGP. When these factors are considered, the I2P email service is no more or less secure than using alternatives.
Even though the service is based on I2P, it can still be accessed in Whonix over Tor; see I2P for instructions on tunneling I2P over Tor. To date, there has not been any notification of email account suspensions.  Factors outlined in the Safe Email Principles section may also equally apply.
Issues discussed in the Safe Email Principles section equally apply to Riseup.
Riseup provides a number of advantages for users who value privacy: 
- No personal information is require to register an account, since the system relies upon "invite codes" from other users.
- Riseup works reliably on mailing lists.
- POP email settings are available to download email and delete it from Riseup servers.
- The infrastructure is completely Tor-friendly. Onion services are available to help improve anonymity and circumvent censorship.
- The Whonix Project is unaware of any email accounts being suspended. 
- Riseup claims users' emails are personally encrypted on the servers, so they can only be unlocked and read with the account holder's password.
On the downside:
- Servers are hosted in the US. 
- In recent times, the warrant canary was not updated on a fixed, regular basis.  
- Privacy by policy is not a guarantee of improved anonymity. For instance, Riseup claims that IP addresses are not logged is impossible to verify.
Anonymity Friendly Email Provider List
None of the following providers are explicitly recommended by the Whonix team.
As it is impossible to maintain an up-to-date list of possible providers who are anonymity-friendly, readers should undertake proper research before making a final decision. Another anonymity network provider (JonDonym) maintains a list (w) of their recommended email providers. The Whonix team does not check this list for accuracy or completeness, but it might be a good starting point, even though many require payment. In late-2018, the following providers are listed:
Onion Service Providers
This Reddit thread is actively curated and maintains a list of privacy-friendly (Tor-accessible) providers. In late-2018, the list of providers with onion services includes:
- AnonyMail (v2 onion)
- Autistici.org (v2 onion)
- BitMessage.ch (v2 onion)
- CicadaMail.com (v2 onion)
- Cock.li (v2 onion)
- Danwin1210.me (v2 onion)
- EasyCrypt.co (v2 onion)
- Elude.in (v2 onion)
- GuerrillaMail.com (v2 onion)
- h4x0rz.ml (v2 onion)
- Mail2Tor.com (v2 onion)
- Mailbit.io (v2 onion)
- Mailbox.org (v2 onion)
- MailCity.ws (v2 onion)
- Novo-Ordo.com (v2 onion)
- o3mail.org (v2 onion)
- OnionMail.info (multiple onion servers)
- Paranoid.email (v2 onion)
- ProtonMail.com (v2 onion)
- RayServers.com (v2 onion)
- RiseUp.net (v2 onion)
- SCRYPTMail.com (v2 onion)
- secMail.pro (v2)
- Systemli.org (v2 onion)
- TorBox (v2 onion)
- VFEMail.net (v2 onion)
The Mozilla Thunderbird email client, together with the add-ons Enigmail and TorBirdy   are installed by default in Whonix. If used correctly, they can be used for easy GPG encryption and anonymous (or pseudonymous) email messaging.
A complete set of instructions is now available to:
- Install the latest TorBirdy plugin for the Thunderbird email desktop client.
- Create an email account anonymously with a suitable provider via Tor Browser.
- Setup the new email account: Thunderbird account settings, install necessary extensions (add-ons), and enforce connections to the email provider's Onion Service.
- Create an OpenPGP encryption key pair and revocation certificate using the Enigmail Setup Wizard.
- Encrypt and store the revocation certificate securely.
- Configure Thunderbird preferences for greater security and anonymity.
- Configure additional OpenPGP preferences via Enigmail.
- Key management: import GPG public keys.
- Export the public key to a GPG key server (optional).
- Prepare an email signature with the public GPG key ID and fingerprint (optional).
- Compose and send a test encrypted email.
- Open an encrypted email received in Thunderbird.
Anonymous Remailers are a generation of privacy networks that precede Tor. These are single purpose networks (only support sending email) that use high-latency designs to defeat surveillance. The latest on-going project is the Mixmaster network. While sending one-way messages is relatively straightforward, receiving replies requires registration with a Nymserver and setting up a program to fetch messages from the decentralized Usenet boards.
This entry has been moved here.
Like most Freenet plugins, Freemail makes use of an anti-spam mechanism called the Web of Trust  to block abusers. Attachment sizes are virtually unlimited and users simply upload files on Freenet and link to them in Freemail messages.
See recommended tips for Freemail.
I2P-Bote is a serverless, encrypted email plugin that uses I2P for anonymity. Messages are stored in the distributed hash table (DHT) for 100 days, during which the recipient is able to download them.
To back up I2P-Bote data, copy the i2pbote folder inside the I2P config directory (~/.i2p/i2pbote on Unix systems or /var/lib/i2p/i2p-config when running as a daemon).
Compartmentalize activities and only use the I2P-Bote/Susimail VM snapshot for this purpose. Generally, applications that run with a browser interface are vulnerable to a whole class of bugs, including cross-site request forgery (CSRF).
- A webmail interface.
- A user interface translated into 15 languages.
- One-click creation of email accounts (called email identities).
- Emails can be sent either under a sender identity or anonymously.
- 2048-bit ElGamal, 256/521-bit Elliptic Curve and NTRU-1087 encryption.
- Transparent, automatic encryption and signing without relying on third-party software such as PGP/GnuPG.
- Sending and receiving via relays with delay periods set by the user, similar to Mixmaster.
- Theme support.
- POP3 / IMAP / SMTP.
- Cc and Bcc support.
- Delivery confirmation.
- Basic support for short recipient names.
- Android support (via I2P's Android client).
- An outproxy to interoperate with clearnet mail servers.
- Custom folders.
- Multi-device identity syncing.
- Support for short email addresses like firstname.lastname@example.org
- HashCash as an anti-spam solution should it become a problem.
- Lots of other small improvements.
Pretty Easy Privacy
pretty Easy privacy (p≡p) is a pluggable data encryption and verification system. It provides automatic key management and a KeySync protocol (still in testing and no yet activated) to sync private key material across multiple devices that users want to read the same messages on.  Enigmail is supported, but the current implementation is reportedly buggy (late-2018). 
pEp is cross-platform, decentralized, has a peer-to-peer (P2P) design,  is message protocol-agnostic and provides end-to-end encryption. Only users have the keys. It exists as a plugin for mail clients (Thunderbird and Outlook) on all major desktop systems and also as a mobile application for Android (beta) and iOS. Its cryptographic functionality is handled by an open source p≡p engine relying on already existing cryptographic implementations in software like GnuPG, a modified version of netpgp (used only in iOS) and (as of p≡p v2.0) GNUnet. A non-transferable copyright cross-licensing agreement has just been concluded to allow distributing of the GNUnet binary as part of pEp under non-GPL licenses on restrictive platforms like the Apple store. 
In the default configuration, pEp does not rely on the Web of Trust or any form of centralized trust infrastructure, but instead lets users verify each others' authenticity by comparing cryptographic fingerprints in the form of natural language strings, which the pEp developers have chosen to call "trustwords". If both sides are using pEp, it automatically uses the anonymous transport provided by GNUnet. With that technology, meta-data is no longer readable for an attacker. pEp is capable of inter-operating with legacy mail to secure that whenever possible ("opportunistic key exchange"), if the intended recipient has a GPG key.  The pEp project is guided by a foundation that supports Libre software  and the code has also been audited. 
Footnotes / References
- Outlook is the equivalent on the Windows platform.
- Via a mail transfer agent.
- As history has shown webmail is a high reward target for would be attackers as one of largest data breaches in history came at the expense of Yahoo webmail users
- Yahoo waited 2 years to inform the public of the data breach breach, See: https://www.washingtonpost.com/news/the-switch/wp/2016/09/22/report-yahoo-to-confirm-data-breach-affecting-hundreds-of-millions-of-accounts/?noredirect=on&utm_term=.81f158c7b669
- Email provider Lavibit was abruptly shutdown. See: https://www.theguardian.com/technology/2013/aug/08/lavabit-email-shut-down-edward-snowden
- While established trust with keys not under the users control is similar in context to the OpenPGP Web of Trust the two should not be confused.
- Formerly "Icedove", but now re-branded in Debian following resolution of trademark issues.
- For example, how long a user has been running the mail client. IMAP comes with other risks, like saving drafts on the server as the user is typing.
- In the past users asked whether I2Pmail was safer than Tor Mail, although Tor Mail is now offline because it was hosted on Freedom Hosting which was taken down by the FBI.
- These have a different design to classical email and are therefore incompatible.
- Google will also have knowledge of online phone and messaging services and any prior history of blacklisting for verification purposes.
- It is unknown whether spam abuse has become an issue.
- It may have happened for spam abuse, but that is a separate issue.
- Home of the global surveillance-complex.
- The provider also "forgot" to update the canary on multiple occasions.
- TorBirdy Homepage
- TorBirdy Source Code
Liberte Linux Philosophy page Copyright (C) 2013 Maxim Kammerer <mk at dee dot su> Whonix Anonymity wiki page Copyright (C) 2013 - 2018 ENCRYPTED SUPPORT LP <email@example.com> This program with ABSOLUTELY NO WARRANTY; for details see the wiki source code. This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
No user support in comments. See Support.
Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix is a trademark. Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix itself. (Why?)