# Privacy email providers compared on threat model, not features

> Source: https://fuckyc.org/guides/privacy-email-providers-compared/
> Published: 2026-01-19 · Last verified: 2026-01-19

'Privacy email' is a property of the operator and the protocol, not a marketing feature. This guide compares Proton, Tuta, Mailfence, cock.li, Posteo, Riseup and Disroot by what each one buys you and what it costs you.

## TL;DR

No single privacy email is "the most private." **Proton Mail** is the mainstream Swiss choice — strong cryptography, audited clients, Tor signup. **Tuta** encrypts subjects and address books by default (no IMAP). **Mailfence** is PGP-native with IMAP/SMTP. **Posteo** accepts cash by mail and explicitly de-links payment from account. **cock.li** is username-only signup but widely blocked. **Riseup** is the activist collective. Most privacy-aware users end up with a portfolio rather than a single provider.

---

"Privacy email" is mostly a marketing phrase. Underneath it there are four properties that actually vary across providers, and a useful comparison aligns on those:

1. **Signup posture** — what does the provider know about you from the moment you register?
2. **Cryptography model** — what does the provider see on your mail at rest and in transit?
3. **Operator jurisdiction and posture** — what does compelled disclosure look like?
4. **Practical interoperability** — does it deliver mail to the people you actually email?

## Comparing on threat model

| Provider | Signup | Crypto model | Jurisdiction | Cash payment | Inbox interop |
|---|---|---|---|---|---|
| Proton Mail | Email-or-anon (Tor signup possible); anti-abuse checks can demand email or SMS verification | E2E (Proton↔Proton; PGP to external keys); other inbound mail arrives in plaintext and is then encrypted to your key (zero-access, not E2E) | Switzerland | Crypto / card | Excellent |
| Tuta | Username only | E2E in-protocol (subjects too) | Germany | Crypto / card / bank | Good (closed protocol; no IMAP) |
| Mailfence | Username + email recovery | PGP-only | Belgium | Crypto / card | Excellent (IMAP/SMTP) |
| cock.li | Username only | At-rest, PGP-on-demand | Romania | Crypto only | Frequently blocked |
| Posteo | Username only; cash-by-mail funded | At-rest by user key | Germany | Cash-by-mail | Excellent |
| Riseup | Invite-only / justification | At-rest by user key | United States | Donation | Good (collective context matters) |
| Disroot | Username only | At-rest | Netherlands | Donation | OK |

## What each provider buys you

**Proton Mail** is the well-funded mainstream choice: strong cryptography, audited clients, a professional product. The cost is operator-side trust. The signup happy path falls back to email or SMS verification if you trip an anti-abuse heuristic; mail from non-Proton senders arrives in plaintext and is only then encrypted to your key; and a Swiss court order can compel Proton to start logging a specific account's IP at login, as the 2021 case showed. Best fit for users who want a polished product and accept that profile.

**Tuta** maximizes default-on encryption: subjects, address book, attachments and their names are all encrypted at rest. The cost is the closed protocol: no PGP interop, no IMAP, no SMTP. You use Tuta's client, and encrypted mail to non-Tuta recipients goes out as a password-protected link rather than as PGP. Best fit when default-on metadata encryption is the requirement.

**Mailfence** is the PGP-native, IMAP-supporting, Belgian alternative. End-to-end encryption is PGP, so it interops with anyone else who uses PGP; headers, including the subject line, are not covered by PGP, so metadata is visible to the operator. Best fit for users who want IMAP-compatible mail with explicit PGP support.

**cock.li** is the minimal-signup choice. Username only, no recovery email, donation-funded. The trade-off is delivery — many systems block the domain by default. Best fit as a side address for accounts that accept it.

**Posteo** is the cash-payment choice. Username at signup, cash-by-mail accepted as funding, and the operator explicitly does not bind payment to the account. Encryption is at rest under the user's key (an opt-in setting), not end-to-end, so the operator still receives and can read incoming mail before it is stored. Best fit when payment-side de-linking is the binding requirement.

**Riseup** is the activist-collective choice. 25+ years of operating, invite-only signup, U.S. operator with a strong community-trust record. Best fit for users embedded in activist contexts who already have an invite.

**Disroot** is the small-FOSS-collective choice. One username, several bundled services. Volunteer-grade reliability. Best fit as a side account in the FOSS-collective space.

## How to combine them

Most users who think hard about email privacy end up with a small portfolio:

- A **primary inbox** with one of Proton, Tuta, or Mailfence — usable, deliverable, end-to-end where it counts.
- A **payment / billing inbox** on Posteo (because cash-funded) or Tuta (because polished but minimal signup).
- A **throwaway inbox** on cock.li or a SimpleLogin-style alias provider, for sites that ask for an email but should not have your real one.

The portfolio model exists because the trade-offs cannot all be satisfied by one provider. Tuta encrypts subjects but doesn't do IMAP. Proton does IMAP (via the Bridge app, on paid plans) but knows your IP at login. Posteo accepts cash but encrypts only at rest. The portfolio buys you the union of strengths.

## What it doesn't buy you

A privacy email provider does not change:

- **What recipients do with your mail.** The most secure provider in the world cannot stop a recipient from forwarding your message to a list, replying with the original quoted, or screenshotting your message.
- **How email metadata leaks at the protocol level.** SMTP envelopes and message headers (From, To, Date, Message-ID, the Received: trail) are readable by every MTA on the path; STARTTLS protects each hop on the wire, not the relay itself. End-to-end encryption hides the body and attachments; it does not hide who sent to whom and when, and in plain PGP/MIME not even the subject line, unless the client moves the subject into the encrypted part.
- **Your association with the inbox.** If you signed up, or log in, from your home IP without Tor, the operator can correlate the account to a network identity. Signup transport hygiene is part of the threat model, and so is every login after it.
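To make the metadata point concrete, here is an added example (not code from this guide or from any provider) that parses a PGP/MIME message the way a relay or mailbox operator would see it, without the private key, and lists what is still readable. The sender, recipient, domains, IP addresses and the ciphertext are constructed placeholders (RFC 5737 documentation ranges, `example.net`/`example.org`); only the Python standard library is used.

```python
"""What a relay sees on an end-to-end encrypted message.

Added example for this guide, not code from any provider. The two messages
below are constructed: example.net / example.org domains, documentation IPs
(RFC 5737 ranges) and a placeholder ciphertext blob. Standard library only.
"""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed header block shared by both sample messages. Two Received:
# lines model a two-hop path; the second (older) one is the submission hop
# and records the client's own address, as many MTAs do.
HEADER_BLOCK = b"""\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mx.example.org with ESMTPS id abc123; Mon, 19 Jan 2026 10:00:02 +0000
Received: from [192.0.2.44] (client.example.net [192.0.2.44])
\tby mx.example.net with ESMTPSA id def456; Mon, 19 Jan 2026 10:00:01 +0000
From: alice@example.net
To: bob@example.org
Subject: ...
Date: Mon, 19 Jan 2026 10:00:00 +0000
Message-ID: <20260119100000.1@example.net>
"""

# Constructed PGP/MIME (RFC 3156) body. The outer Subject above is the "..."
# placeholder some PGP clients write when the real subject travels inside
# the encrypted part ("protected headers"); the blob is not real ciphertext.
PGP_BODY = b"""\
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0Q5Q7Bq5ZbUAQf9placeholderciphertextnotrealpgp
=fake
-----END PGP MESSAGE-----

--b1--
"""

# Constructed plaintext body over the same path: STARTTLS on each hop
# protects the wire, but every MTA holds the readable body and subject.
PLAIN_BODY = b"""\
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Bob, the invoice is attached. - Alice
"""

PGP_MESSAGE = HEADER_BLOCK + PGP_BODY
PLAIN_MESSAGE = HEADER_BLOCK.replace(b"Subject: ...", b"Subject: Q1 invoice") + PLAIN_BODY

_IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def body_is_opaque(msg: EmailMessage) -> bool:
    """True when no leaf MIME part is readable: only the PGP control part and
    the ciphertext blob are present (RFC 3156 multipart/encrypted layout)."""
    if msg.get_content_type() != "multipart/encrypted":
        return False
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    return bool(leaves) and all(
        p.get_content_type() in ("application/pgp-encrypted", "application/octet-stream")
        for p in leaves
    )


def relay_view(raw: bytes) -> dict:
    """Everything an MTA on the path (or the mailbox operator) can read with
    no private key: addressing headers, the hop trail, and whether the body
    is ciphertext."""
    msg = message_from_bytes(raw, policy=default)
    headers = {h: str(msg[h]) for h in ("From", "To", "Subject", "Date", "Message-ID")}
    # Received: lines are prepended by each hop, so the last one in document
    # order is the submission hop and often carries the client's address.
    hop_ips = []
    for received in msg.get_all("Received", []):
        m = _IP_IN_RECEIVED.search(str(received))
        if m:
            hop_ips.append(m.group(1))
    return {
        "headers": headers,
        "hop_ips": hop_ips,
        "submitting_ip": hop_ips[-1] if hop_ips else None,
        "encrypted_body": body_is_opaque(msg),
        "subject_hidden": headers["Subject"] == "...",
    }


if __name__ == "__main__":
    for label, raw in (("PGP/MIME", PGP_MESSAGE), ("plaintext", PLAIN_MESSAGE)):
        print(label, relay_view(raw))
```

Run it and compare the two dictionaries: the PGP/MIME message reports an opaque body and a hidden subject, but `From`, `To`, `Date`, `Message-ID` and the submitting client's address (`192.0.2.44` in the constructed sample) are identical in both. That is the metadata a privacy provider cannot remove for you, and it is why the Tor-at-signup-and-login point above matters as much as the cryptography column.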

## A note on threat-model honesty

There is a tendency in privacy-email discussions to grade providers on whether they are "really" private. The honest answer is that all of these providers are dramatically more private than mainstream alternatives, and the differences between them are about which specific failure modes you are most concerned about. The right comparison is "Proton vs. Tuta given my threat model," not "is X really private."

This directory's job is to make the threat-model dimensions explicit so you can match.

## See also

- [Proton Mail](https://fuckyc.org/services/proton-mail/), [Tuta](https://fuckyc.org/services/tuta/), [Mailfence](https://fuckyc.org/services/mailfence/), [cock.li](https://fuckyc.org/services/cock-li/), [Posteo](https://fuckyc.org/services/posteo/), [Riseup](https://fuckyc.org/services/riseup/), [Disroot](https://fuckyc.org/services/disroot/) — the email-privacy category.
## FAQ

**Q: Which provider is 'the most private'?**

There is no single answer because the right choice depends on what you're defending against. cock.li is unmatched on signup minimalism; Tuta is unmatched on default-on encryption (including subjects); Proton is unmatched on usability and resources; Posteo is unmatched on cash-payment posture; Riseup is unmatched on community trust. Pick the one whose trade-offs match your threat model.

**Q: Is end-to-end encryption the same as privacy email?**

No, but it's related. End-to-end encryption (E2E) means the operator cannot read message content even if compelled. 'Privacy email' on this site is broader: it covers the signup posture, the metadata the operator stores, and the legal jurisdiction. A provider can be E2E and still hold, or be ordered to produce, account metadata (Proton cannot read your mail, but it can be ordered to log your IP at login); a provider can be non-E2E and hold almost nothing that ties the account to a person (Posteo: no name at signup, payment not linked to the account, mail encrypted at rest under the user's key).

**Q: Does Proton Mail's Swiss jurisdiction help me?**

Sort of. Swiss law sets a higher bar for compelled disclosure than U.S. law, but it is not absolute. The well-known 2021 case, in which a Swiss court ordered Proton to begin logging the IP address of a specific account and Proton then produced it, shows where the floor sits: Proton cannot read mail content, but it can be ordered to log a named user's IP at login, and it kept no such log until ordered to. Read the Proton transparency report; it is the most useful public document in the category.

**Q: Why is cock.li widely blocked?**

Because over the years the @cock.li domain has been used heavily for spam, throwaway accounts, and trolling. Many large email systems (Google, Microsoft, several universities) drop or filter @cock.li by default. The domain still works for many uses but it is not a reliable primary inbox in 2026.

**Q: Can I run my own mail server instead?**

You can; the question is whether it works in 2026. Self-hosting removes the third-party operator (no one else holds your mailbox or a signup record), but it does not lower protocol-level metadata exposure: your domain, server IP and registrar records are attributable to you, and every relay still sees envelopes and headers. It is also hard to deliver from. Most large providers drop or filter mail from small IP ranges with no sending history, and you need correct reverse DNS, SPF, DKIM and DMARC records just to be considered. For users with the operational discipline to maintain all of that, self-hosting is the strongest operator-side privacy story. For everyone else, an evaluated provider is the realistic choice.

## Sources

- [Proton transparency report](https://proton.me/blog/transparency-report) — accessed 2026-01-19
- [Tuta transparency reports](https://tuta.com/blog/tag/transparency-report) — accessed 2026-01-19
- [Posteo transparency report](https://posteo.de/en/site/transparency_report) — accessed 2026-01-19
