- 1 Introduction
- 2 Safe Email Principles
- 3 Email Provider Comparison
- 4 Encrypted Email
- 5 Email Alternatives
- 6 Footnotes / References
On the Whonix ™ platform, there are two common methods for email:
These and other solutions are imperfect, but this is not a Whonix ™-specific issue -- it is a general issue with email over the Tor network.
Webmail refers to accessing an email service via a web browser when connected to the Internet. Emails are stored and accessed on the online servers provided by the service. This approach provides convenience, as: 
- Messages can be stored and accessed by different devices in different locations, with syncing of services across those devices.
- Difficult desktop email setup configurations are avoided, since third-party applications are not required.
In comparison, email clients like Thunderbird  manage emails via a desktop application. In Thunderbird's case, various settings must be configured like the email address and email port server settings (POP3, SMTP etc.), among others. There are several benefits to a properly administered email client: 
- No annoying webmail advertisements.
- Emails can be retrieved from providers at a specific time.
- New emails are stored on the home desktop computer. 
- Emails can be retrieved from multiple email addresses.
- It is possible to view and compose emails off-line.
- A properly configured client protects against tracking by Email Beacons.
Neither approach is foolproof, since email is inherently insecure. However, end-to-end, PGP-encrypted email with the Thunderbird email client is preferable because it provides better security than standard webmail. It is recommended to review comparisons of webmail providers [archive] and email clients [archive] before proceeding further.
Delta Chat [archive] is a cross platform encrypted messenger that uses the current email network for its transport; all major desktop and mobile operating systems are supported. The GUI is designed to resemble the Signal chat application as much as possible for a superior user experience.
As of 2019, Delta Chat core libraries are available in Debian Sid and a Flatpak release can be downloaded from their website [archive]. rPGP [archive] (Rust OpenPGP implementation) is used for the encryption back-end [archive]. Neither Delta Chat nor rPGP have been audited yet.
Pretty Easy Privacy
Pretty Easy Privacy (p≡p) is a pluggable data encryption and verification system. It provides automatic key management and a KeySync protocol (still in testing and not yet activated) to sync private key material across multiple devices that users want to read the same messages on.  Enigmail is supported, but the current implementation was experiencing serious bugs in late-2018 (now resolved).  
pEp is cross-platform, decentralized, has a peer-to-peer (P2P) [archive] design,  is message protocol-agnostic and provides end-to-end encryption. Most importantly, only users have the keys. It exists as a plugin for mail clients (Thunderbird and Outlook) on all major desktop systems and also as a mobile application for Android (beta) and iOS. Its cryptographic functionality is handled by an open source p≡p engine relying on already existing cryptographic implementations in software like: GnuPG; a modified version of netpgp (used only in iOS); and GNUnet (from p≡p v2.0). A non-transferable copyright cross-licensing agreement has just been concluded. This allows distributing of the GNUnet binary as part of pEp, with non-GPL licenses applying on restrictive platforms like the Apple store. 
In the default configuration, pEp does not rely on the Web of Trust or any form of centralized trust infrastructure. Instead users can verify each others' authenticity by comparing cryptographic fingerprints in the form of natural language strings, which the pEp developers have chosen to call "trustwords". If both sides are using pEp, it automatically uses the anonymous transport provided by GNUnet. With that technology, meta-data is no longer accessible to attackers. If the intended recipient has a GPG key, pEp is capable of inter-operating with legacy mail to secure that whenever possible ("opportunistic key exchange").  The pEp project is guided by a foundation that supports Libre software  and the code has also been audited. 
Safe Email Principles
Email attachments are often used as an exploit vector for infecting the recipient's machine(s), deanonymizing users, or tracking when attachments are viewed, forwarded and so on. To avoid being infected with malware, it is safest to open attachments in a separate VM that does not have an Internet connection. In Qubes-Whonix ™, DisposableVMs are ideal for opening potentially dangerous files.
SSL/TLS encryption is inadequate to protect emails from prying eyes. Whonix ™ supports the stock recommendation to use email encryption with Enigmail, which is a graphical front-end for using the GnuPG ("GPG") encryption program. This is a suitable solution for the Whonix majority, unless individuals have self-assessed as being a high-risk target. 
Email providers can log valuable data, even if the email content is encrypted and subject lines are random, hidden, empty, use just a dash (-), or contain misleading content. Data logging might include:
- When emails are sent and the intended recipients.
- Login times and the session length.
- How often email is fetched.
- The Tor exit relay utilized for anonymous email.
Extensive metadata can potentially assist adversaries to make (false) assumptions about the user and their identity.
A number of service providers offer encrypted webmail that is easy to use, by alleviating the burden and complexity of managing encryption keys. Email and encryption is provided in a single and intuitive web interface, which means it is unnecessary to use a terminal interface or configure complicated encryption software. In fact all encryption operations are handled by the provider's server-side software, which provides seamless email encryption with minimal user interaction.
This design affords convenience, but encrypted webmail comes with significant drawbacks. Since the provider maintains full control of the encryption keys, full trust is placed in a single, potential point of failure. If the server is compromised and the keys are stolen, all previously encrypted messages can be decrypted and read by the attacker.  Even if the provider becomes aware of the breach and they were not at fault, a disclosure is not guaranteed because it could severely impact future revenue. 
Another problem with encrypted webmail relates to the ongoing operation of the service. In the past, a number of providers have suddenly shutdown without warning, meaning it was difficult or impossible to retrieve personal encryption keys for specific accounts.  It is impossible for those affected to re-establish secure communications and trust until new encryption keys are created. 
Avoid well-known, large, corporate email providers who purposefully invade user privacy. For instance, Yahoo [archive] and Gmail [archive] use automated software to scan emails for keywords to tailor advertising and sell products. Hotmail [archive] also has a history of reading private emails and messages.
Prefer email providers that:
- Are free.
- Provide an onion service.
- Support PGP encryption and key management.
- Have encrypted inboxes by default.
- Have desktop email compatibility with Mozilla Thunderbird [archive]. 
The email provider will always represent a single point of failure. An email account may be quickly closed or suspended in response to external pressure by authorities. Similarly, the administrators may decide (or be forced) to terminate the service completely, or for specific individuals.
It is recommended to create backup anonymous email addresses with different providers so that alternative communication channels remain open in response to potentially hostile third party actions.
Other potential tracking vectors include web beacons (webbugs)  which are embedded on various websites, allowing cookies to be implanted in the browser in order to track browsing habits. Email beacons use a similar tracking technique. In this case, tiny images are embedded in emails with unique identifiers in the URL. After the email is opened and the image is requested, the email sender learns when the message was read, along with the IP address (or proxy) that was used.
Registration and Personal Data
The personal data recommendation is strongly reinforced by the early-2019 leak of personal information attached to email accounts for an estimated one billion people. In what is thought to be the largest data breach to date, an unsecured 150GB database linked to Verification.io was found to leak information like:  
- Social media accounts.
- Place of employment.
- Actual emails.
This breach reinforces the danger of pairing personal information with email accounts, since it increases the risk of being hacked, spammed, or becoming a victim of fraudsters in the future.
The best balance of usability and security is realized by configuring Encrypted Email with Thunderbird and Enigmail:
- Control is retained over the strong OpenPGP encryption key pair created for email encryption/decryption.
- Email Beacons are neutralized with the correct settings.  
- Various, additional configuration changes are recommended, such as preferring POP3 and SMTP since IMAP leaks more metadata. 
Email Provider Comparison
The earlier Email Provider section noted that email is always a single point of failure. Despite the many claims made by different services, they are unable to significantly improve privacy by design. Only a few questions are truly relevant:
- Is anonymous registration over Tor possible?
- Is any personal information required for registration?
- Can the account be exclusively paired with Tor - preferably via a (v3) onion service?
- Will the provider bow to external pressure by authorities and close or suspend the account when free speech issues arise? This has a greater impact for projects or movements, rather than individual accounts.
Privacy by policy can only ever provide a weak layer of protection compared to privacy by design. One possible exception might be "pseudo-email" services  like BitMessage, I2P-Bote and Freemail. For instant messenger protocols with equivalent features, see Richochet IM and RetroShare.
A few mail providers who are frequently discussed as possible options are briefly considered below. Whonix ™ stands neutral in this regard; objectively speaking no particular mail provider can be recommended.
As noted in the Google Data Collection Techniques entry:
Email content is processed and read (scanned) by a computer for targeted advertising purposes and spam prevention. Under Google policies, there is an unlimited period of data retention and the potential for unintended secondary use of this information. Google has already admitted users have "no reasonable expectation" of confidentiality regarding personal emails.
Although Google allegedly stopped scanning all emails for advertising purposes in 2017, it is clear that employees are tasked to read users' emails for security or other purposes.  Further, Google has simply replaced one data-siphoning avenue with another -- third-party apps which can access and share data from Gmail's 1.5 billion users (in 2019).  Since Google is hostile to privacy, no-one should be surprised that pairing Tor with Gmail is exceedingly difficult. Mike Hearn from Google addressed this very issue on tor-talk in 2012: :
Access to Google accounts via Tor (or any anonymizing proxy service) is not allowed unless you have established a track record of using those services beforehand. You have several ways to do that:
1) With Tor active, log in via the web and answer a security question, if any is presented. You may need to receive a code on your phone. If you don't have a phone number on the account the access may be denied.
2) Log in via the web without Tor, then activate Tor and log in again WITHOUT clearing cookies. The GAPS cookie on your browser is a large random number that acts as a second factor and will whitelist your access.
Once we see that your account has a track record of being successfully accessed via Tor the security checks are relaxed and you should be able to use TorBirdy.
Based on Google's poor privacy record, anti-Tor stance, and unrivaled profiling / data exfiltration in all ecosystems, Gmail is strongly recommended against. It would be very difficult to register an account and exclusively login over Tor. Google's insistence on personal identifiers such as mobile phone verification makes it practically impossible to achieve without jeopardizing anonymity. 
Wikipedia provides a simple overview of the I2P email service: 
I2P has a free pseudonymous email service run by an individual called Postman. Susimail [archive] is a web-based [archive] email client intended primarily for use with Postman's mail servers, and is designed with security and anonymity in mind. Susimail was created to address privacy concerns in using these servers directly using traditional email clients, such as leaking the user's hostname while communicating with the SMTP server. It is currently included in the default I2P distribution, and can be accessed through the I2P router console web interface. Mail.I2P can contact both I2P email users, via user@mail.I2P and public internet email users from a user@I2Pmail.org address.
Although it is beneficial to clean the mail header, other applications can do the same.  Further, it is technically impossible to encrypt mails to clearnet addresses such as Gmail, Riseup and other providers, unless the sender and recipient are using end-to-end encryption such as OpenPGP. When these factors are considered, the I2P email service is no more or less secure than using alternatives.
Even though the service is based on I2P, it can still be accessed in Whonix ™ over Tor; see I2P for instructions on tunneling I2P over Tor. To date, there has not been any notification of email account suspensions.  Factors outlined in the Safe Email Principles section may also equally apply.
Riseup provides a number of advantages for users who value privacy: 
- No personal information is required to register an account, since the system relies upon "invite codes" from other users.
- Riseup works reliably on mailing lists.
- POP email settings are available to download email and delete it from Riseup servers.
- The infrastructure is completely Tor-friendly. Onion services are available to help improve anonymity and circumvent censorship.
- The Whonix ™ Project is unaware of any email accounts being suspended. 
- Riseup claims users' emails are personally encrypted on the servers, so they can only be unlocked and read with the account holder's password.
On the downside:
- Servers are hosted in the US. 
- In recent times the warrant canary was not updated [archive] on a fixed, regular basis.  
- Privacy by policy is not a guarantee of improved anonymity. For instance, Riseup claims that IP addresses are not logged is impossible to verify.
Anonymity Friendly Email Provider List
As it is impossible to maintain an up-to-date list of possible providers who are anonymity-friendly, readers should undertake proper research before making a final decision.
Onion Service Providers
Additional Provider Lists
If a suitable provider cannot be found above, then also check the following lists:
- Dismail.de's Email server security list [archive]
- PrivacyTools.io Email Providers List [archive]
- Prxbx.com's Privacy-Conscious Email Services [archive]
- ThatOnePrivacySite's Email Section [archive]
- Also check this list [archive] for possible alternatives.
The Mozilla Thunderbird email client and Enigmail add-on  are useful additions for your operating system. If used correctly, they provide for easy GPG encryption and anonymous (or pseudonymous) email messaging.
A complete set of instructions is now available to:
- Install the Thunderbird email client.
- Install the Enigmail add-on for Thunderbird.
- Due to the unavailability of the TorBirdy plugin, configure Thunderbird preferences for safe use of email.
- Create an email account anonymously with a suitable provider via Tor Browser.
- Store the login credentials in KeePassXC.
- Setup the new email account: Thunderbird account settings, install necessary extensions (add-ons), and enforce connections to the email provider's Onion Service.
- Create an OpenPGP encryption key pair and revocation certificate using the Enigmail Setup Wizard.
- Encrypt and store the revocation certificate securely.
- Configure Thunderbird preferences for greater security and anonymity.
- Configure additional OpenPGP preferences via Enigmail.
- Key management: import GPG public keys.
- Export the public key to a GPG key server.
- Prepare an email signature with the public GPG key ID and fingerprint.
- Compose and send a test encrypted email.
- Open an encrypted email received in Thunderbird.
Anonymous Remailers are a generation of privacy networks that precede Tor. These are single purpose networks (only support sending email) that use high-latency designs to defeat surveillance. In this model a Usenet news group or person can receive email without learning your name or email address. Unfortunately the latest project -- the Mixmaster network -- has been removed from Debian because development has ceased and it is considered insecure.  
This entry has been moved here.
Like most Freenet plugins, Freemail makes use of an anti-spam mechanism called the Web of Trust  to block abusers. Attachment sizes are virtually unlimited and users simply upload files on Freenet and link to them in Freemail messages.
See recommended tips for Freemail.
I2P-Bote [archive] is a serverless, encrypted email plugin that uses I2P for anonymity. Messages are stored in the distributed hash table (DHT) [archive] for 100 days, during which the recipient is able to download them.
To back up I2P-Bote data, copy the i2pbote folder inside the I2P config directory. On Unix systems the relevant directory is ~/.i2p/i2pbote, or /var/lib/i2p/i2p-config if running it as a daemon.
Compartmentalize activities and only use the I2P-Bote/Susimail VM snapshot for this purpose. Generally speaking, applications that run with a browser interface are vulnerable to a whole class of bugs, including cross-site request forgery (CSRF) [archive].  
- Themeable webmail interface
- User interface translated in many languages
- One-click creation of email accounts (called email identities)
- Emails can be sent under a sender identity, or anonymously
- ElGamal, Elliptic Curve, and NTRU Encryption
- Encryption and signing is transparent, without the need to know about PGP
- Delivery confirmation
- Basic support for short recipient names
- IMAP / SMTP
- Custom folders
- Sending and receiving via relays, similar to Mixmaster
- Lots of small improvements
Footnotes / References
- https://windowsreport.com/webmail-desktop-email-client/ [archive]
- https://difference.guru/difference-between-an-email-client-and-webmail/ [archive]
- Outlook is the equivalent on the Windows platform.
- Via a mail transfer agent.
- https://news.ycombinator.com/item?id=12827020 [archive]
- https://pep.foundation/blog/enigmailpep-current-release-for-windows-is-faulty-solution-in-progress/index.html [archive]
- This bug affected Windows users and meant the reliable encryption and decryption of emails only occurred in the classic Enigmail mode.
- https://techterms.com/definition/p2p [archive]
- https://lists.gnu.org/archive/html/gnunet-developers/2016-12/msg00046.html [archive]
- https://pep-project.org/2014-09/s1410740156 [archive]
- https://pep-project.org/ [archive]
- https://pep.foundation/blog/press-release--pep-releases-first-code-audit-of-the-pep-engine/index.html [archive]
- The TorBirdy extension was formerly recommended to make Thunderbird connections take place over the Tor network, but it is incompatible with Thunderbird 68.
- History is replete with successful webmail breaches. Webmail is a high value target for attackers -- one of largest data breaches in history [archive] came at the expense of Yahoo webmail users.
- In Yahoo's case they waited two years to inform the public of the data breach, see: Yahoo data breach casts 'cloud' over Verizon deal [archive].
- See: Lavabit email service abruptly shut down citing government interference [archive].
- Note: while established trust with keys not under the user's control is similar in context to the OpenPGP Web of Trust, the two issues should not be confused.
- Formerly "Icedove", but now re-branded in Debian following resolution of trademark issues.
- https://en.wikipedia.org/wiki/Web_beacon [archive]
- https://nypost.com/2019/03/29/emails-of-nearly-1-billion-people-leaked-in-massive-data-breach/ [archive]
- Passwords and credit card details were not leaked.
- Such as disabling remote images embedded in HTML emails or enforcing plain text email messages. In the Whonix configuration, the TorBirdy plugin previously disabled HTML email (manual setting changes are now required).
- TorBirdy previously enabled Tor network connections without complicated changes to server options and the display character set.
- For example, how long a user has been running the mail client. IMAP comes with other risks, like saving drafts on the server as the user is typing.
- In the past users asked whether I2Pmail was safer than Tor Mail, although Tor Mail is now offline [archive] because it was hosted on Freedom Hosting which was taken down by the FBI.
- https://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/ [archive]
- Notably the FBI network investigative technique (NIT; aka "hack") used with Tor Mail relied on malicious code that sent the real IP address to a Virginian server [archive]. However, the code appeared before users logged in, meaning it was a dragnet technique rather than a targeted measure; innocent users of the service would have been similarly hacked.
- These have a different design to classical email and are therefore incompatible.
- https://betanews.com/2018/07/04/google-response-to-gmail-privacy-concerns/ [archive]
- https://expandedramblings.com/index.php/gmail-statistics/ [archive]
- https://lists.torproject.org/pipermail/tor-talk/2012-October/025923.html [archive]
- Google will also have knowledge of online phone and messaging services and any prior history of blacklisting for verification purposes.
- https://en.wikipedia.org/wiki/I2P [archive]
- Like the former TorBirdy add-on.
- It is unknown whether spam abuse has become an issue.
- https://riseup.net/en/email#what-is-special-about-riseup-email [archive]
- It may have happened for spam abuse, but that is a separate issue.
- Home of the global surveillance-complex.
- The provider also "forgot" to update the canary on multiple occasions.
- https://motherboard.vice.com/en_us/article/bmv34m/warrant-canary-for-activist-email-service-riseup-seemingly-expires [archive]
- And previously TorBirdy; see TorBirdy Homepage [archive] and TorBirdy Source Code [archive]
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880101 [archive]
- While sending one-way messages was relatively straightforward, receiving replies in Mixmaster required registration with a Nymserver and setting up a program to fetch messages from the decentralized Usenet boards.
- https://github.com/freenet/plugin-Freemail/blob/master/docs/spec/spec.tex [archive]
- https://wiki.freenetproject.org/Web_of_Trust [archive]
- https://chaoswebs.net/blog/2016/12/01/Exploiting-I2P-Bote/ [archive]
- https://chaoswebs.net/blog/2016/10/15/Stealing-Your-I2P-Email/ [archive]
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)