Searching the internet for the latest memes and cat videos doesn’t cost a thing, and you can share your found treasures with your friends using a variety of free email services. But you don’t get something for nothing. You’re paying for your free email and search services with your privacy. The biggest search and email providers don’t hide the fact that they track and monetize your online activities. If you’d rather keep your online business to yourself, consider searching privately using ixquick or StartPage and keeping your email activity totally private using an encrypted email service like StartMail, reviewed here. StartPage, StartMail, and ixquick all come from the same privacy-focused Dutch company.
Your StartMail subscription comes with 20GB of email storage, and, unlike with some competing products, there’s no limit on the number of messages you can send. You can choose any username that’s not already taken, and you can create temporary email addresses—aliases for use when you don’t want to give your real address.
Like StartMail, PreVeil and Skiff offer an admirable set of email encryption features, and they’re both totally free. With PreVeil you keep your existing address; Skiff, like StartMail, requires that you spin up a new, pristine email address for encrypted communications. We’ve named these two Editors’ Choice for email encryption.
Looking at programs that protect your privacy, IronVest takes the Editors’ Choice crown. Like StartMail, it can mask your true email address, but it goes on to let you shop without revealing your actual credit card or phone number. Its browser extension foils online trackers, and it includes a complete password manager utility.
How Much Does a StartMail Subscription Cost?
A StartMail subscription goes for $59.95 per year, which is on the high side. ProtonMail is a virtual twin of StartMail feature-wise, and it costs $47.88 per year. In addition, you can use ProtonMail for free if you can accept limits of 150 messages per day and 500MB of storage. Private-Mail, another similar service, will run you $49.99 per year, while the slightly less feature-rich SecureMyEmail is $29.99.
You can even encrypt your email for no cost at all. There’s no charge for Virtru Email Protection for Gmail, for example. And while Virtru only works with Gmail, and only in Chrome, the free PreVeil service gives you professional-grade encrypted email for a fee of exactly nothing. Skiff, also free, goes beyond encrypted email, offering encrypted collaboration, file sharing, and calendar management.
With your basic StartMail subscription, you get a pristine new email address in the startmail.com domain. If you prefer not to change your email address, you can pay $10 more per year for a Custom Domain subscription, but this possibility comes with stringent requirements. You can’t use it with an email address that’s managed by a webmail provider such as Google or Yahoo, nor with an address provided by your employer or your ISP. You must literally own the domain in question. Most consumers can’t make use of this option.
Not sure this service is what you need? You can sign up for a free, feature-complete 7-day trial. You do have to supply a payment method (credit card or PayPal), so if you choose not to proceed after the trial you must actively cancel your subscription.
If you’re more interested in email aliases (also called temporary email addresses) than in encryption, you might prefer Burner Mail, which costs $29.99 per year. You could also go with Bulc Club or ManyMe, both of which are totally free. Continuing the theme of masking your personal data, for $39 per year IronVest can hide email addresses, credit cards, and phone numbers, manage your passwords, block online trackers, and more.
PreVeil, SecureMyEmail, and Virtru all protect your existing email account. Like ProtonMail, Private-Mail, and Tutanota, switching to StartMail involves spinning up a brand-new email address with no spam baggage. If you make use of StartMail’s support for email aliases, you can keep that pristine address from ever hitting the spam lists.
Even with a regular email address that’s already been smeared all over the internet, you can still get some benefit from using email aliases, but not as much. That’s where a service like DeleteMe, Optery, or Privacy Bee comes in. These services look for your email and other private information on anywhere from dozens to hundreds of legitimate data-aggregating sites and send opt-out requests for you, following up as needed.
Prices for data broker opt-out services vary widely. DeleteMe costs $129 per year and Privacy Bee goes for $197 per year. The top service tier with Optery runs you $249 per year, but you can use Optery to find your data online at no cost, provided you have the time and energy to handle the opt-out process unaided.
Isn’t Gmail Encrypted?
A while ago Google tweaked Gmail so it always uses a secure HTTPS connection. When it sends your messages, it uses the standard encrypted Secure Sockets Layer (SSL). As of a couple years ago, Google states that it no longer reads your mail. However, it’s easy to accidentally give mail-reading permission to third-party apps. And Google does read your messages sufficiently to do things like automatically put airline flight notifications in your calendar. Google has a policy for when it releases your email to government entities, clearly indicating that it can do so if compelled.
StartMail naturally uses HTTPS and SSL, but it doesn’t stop there. Before it securely sends your messages, it actively encrypts them, using public key cryptography. It stores your messages in zero-access encrypted form, meaning that the company can’t decrypt your messages for a government entity even if subpoenaed, and a sneaky employee can’t weasel into your private message stash. Your StartMail email connection is encrypted from end to end.
Getting Started With StartMail
Setting up a StartMail subscription is a snap. You start by choosing a username that isn’t already in use; the signup page lets you know quickly when you’ve chosen an available name. You also create a password to lock up your encrypted email. As you enter your password, it rates what you’ve typed, so don’t stop until you get to a strong password.
StartMail also creates a recovery code you can use to get into your account if you forget the password. As with the similar recovery file provided by PreVeil, you must treat this key with utmost care. Your best bet is probably to print it out and store it in a fireproof lockbox. You can also go into settings and define a recovery email account as another way to avoid getting locked out.
As soon as you’ve created your account, StartMail opens to your Inbox’s Set up guide page. From here you can follow links to migrate from another email provider, configure StartMail to work with your preferred email client, enable multi-factor authentication, or create your first alias. I’ll discuss these options in detail below.
When I last reviewed StartMail, it offered a separate Classic user interface. Confusingly, both the standard interface and the Classic interface exposed features that the other interface did not. That problem no longer exists; StartMail now has a single, modern, consistent interface from which all features are easily available.
StartMail encrypts your messages locally and transmits them using secure HTTPS. The company has no access to the text of your messages and couldn’t decrypt them even if enjoined to do so by law enforcement. ProtonMail, SecureMyEmail, and Virtru go a step farther, letting you set each message to expire after a specified time.
What’s an email system without contacts? You can, of course, type in each email address as you go, but it’s probably easier to import your existing contacts from a file in vCard or CSV format. Just how you create that file depends on your email provider. Note that every time you send a message, StartMail adds any new recipients to its auto-complete list, a list that you can edit if necessary.
Securely Email Non-Users
As soon as your account is configured, you can start sending secure messages, or you can view the feature tour offered by StartMail. The tour points out: how to create an alias, so the recipient doesn’t receive your actual email address; how to enable encryption for a message; how to exchange encrypted messages with non-StartMail users; and how to digitally sign your messages. I’ll discuss these features in detail below.
Chances are good many of your contacts don’t use StartMail. For those who are technically inclined, you can exchange PGP keys, but you can also send a simple encrypted message without that preparation. You type in your message, supply a password, and transmit that password to the recipient under separate cover, perhaps using a secure messaging app like Signal. You can also add a non-encrypted Personal Message; this could be a subtle reminder of a password you’ve already shared.
Like most encrypted email services, StartMail offers a full WYSIWYG editor, with the ability to embed pictures, add attachments, and all the features you’ve come to expect. Private-Mail is an exception, as its encryption system strips out all formatting.
StartMail keeps the encrypted message in secure storage for 28 days and sends a notification to the recipient. All the recipient sees is the message subject, your display name, the personal message, and a link to read the message. Access to the message requires entering the password. The recipient can reply via the StartMail website. No evidence of your communication remains except the original notification message, and it comes from StartMail, not from you. Using ProtonMail, Private-Mail, or SecureMyEmail with outside contacts works in much the same way.
Pretty Good Privacy
Sending passwords for individual messages is fine as a one-off experience, but for ongoing private conversations you’ll want to rely on StartMail’s built-in public-key cryptography. Like PreVeil, Private-Mail, ProtonMail, and SecureMyEmail, StartMail relies on Pretty Good Privacy (PGP) for encryption and key management.
In the PGP system, you have two keys, a public key and a private key. Anyone can send a secure message to you by encrypting it with the public key—only your private key will decode the message. To send an encrypted message, you need to have the public key for each recipient in your virtual key ring. Conversely, you can digitally sign a message to prove it came from you by encrypting it with your private key. The fact that your public key decrypts it proves that it’s legitimate.
StartMail generates your public/private key pair from your PGP passphrase. Initially it uses your account password as the PGP passphrase, for simplicity. If you plan to up your security game by using a passphrase that’s different from your account password, you should do so before you send any messages. Otherwise, you’ll have to use the old passphrase to read old messages, which could get confusing.
Tech wizards can use StartMail’s PGP encryption to communicate outside the StartMail network. You’ll need to import public keys from your intended recipients and transmit your public key to them. Attaching your public key to a message is easy; just click the paperclip attachment icon and choose Attach public key. Even so, most users will probably stick with automatic encryption between StartMail users and password-based encryption for nonusers.
An encrypted message from another StartMail user (or a PGP user outside the StartMail network) initially displays “This message is encrypted using key id:” followed by a block of random-looking characters that represents your public key. Just enter your PGP passphrase to view the message. If you’d rather not enter that passphrase over and over, you can check a box to remember it until you log out.
Email Aliases Protect Your True Address
Like the masked email addresses generated by IronVest, Burner Mail, ManyMe, and others, StartMail’s aliases let you communicate without giving away your actual email address. Aliases come in two flavors: quick and custom. The auto-generated quick email address is a random bunch of characters like this: [email protected].
Custom aliases don’t have the weird random appearance that disposable ones do. You create them yourself, limited only by the need to choose an address that hasn’t already been snagged by any other StartMail user. Pick a nickname, a joke name, anything you want. If it’s already taken, you’ll get a warning. When you create either type of alias, you can optionally set it to expire in an hour, a day, a week, a month, or never.
The point of using an alias is that you can shop online, sign up for newsletters, even email with a new acquaintance without giving away your true email address. Messages sent to an alias arrive in your Inbox, and your replies go out as if from the alias. You can easily use a different alias for each merchant or contact, so if you start getting spam on one of them you know who to blame. In that case, you just disable or delete the alias (and maybe look for a more reliable merchant).
In addition to their email encryption abilities, Private-Mail and Tutanota also offer a modicum of support for email aliases, but they’re limited. With Private-Mail’s standard subscription you can have only five aliases; paying twice as much for the Pro tier raises that limit to 20. With Tutanota, you get just five aliases total, and once you’ve used one it’s locked in, unchangeable. StartMail is definitely a more practical solution if you want email encryption and email alias protection in a single package.
Burner Mail also offers both random burner addresses and custom ones, though only paying customers can create custom burner addresses. ManyMe, like Bulc Club and SimpleLogin, doesn’t make you pre-register your aliases (which it calls FlyBy addresses). Every FlyBy includes your unique account name, so you can make one up even when you’re not online. Say you meet a company rep at a trade show. You could offer a FlyBy like this: myaccount[email protected].
Like Burner Mail, Private-Mail, ProtonMail and Tutanota, StartMail supports multi-factor authentication. You do need Google Authenticator or another authenticator app that supports standard Time-based One-Time Password (TOTP) authentication.
In Account Settings, click the button to enable multi-factor authentication. StartMail will display a QR code. Snap the QR code with your authenticator app and enter the returned code back in StartMail. That’s it. Now each time you log in you’ll need both your password and the latest code from your app. More importantly, a hacker who stole your password couldn’t use it to log in because they can’t get that code from the app on your phone.
Tutanota kicks multi-factor up a notch with support for your YubiKey or other U2F (Universal Two Factor) security key. You can use the security key instead of or alongside app-based authentication.
IMAP and Mobile Access
Email clients like Outlook and Thunderbird typically manage email accounts using POP3 or IMAP, as do mobile email apps. You can configure StartMail to make your messages available via IMAP, but doing so is a serious pain. Really, just use webmail.
PreVeil, ProtonMail, Private-Mail, SecureMyEmail, and Tutanota offer apps for iOS and Android. StartMail does not, instead recommending that you use the responsive web-based app. Despite that recommendation, StartMail offers detailed instructions for adding an account on your mobile devices.
I followed the instructions on the Google Pixel 4 that I use for testing. The tedious process involved filling in details of the IMAP and SMTP servers, along with a 16-character device-specific password generated by StartMail. When I did manage to make the connection, I found that I couldn’t read encrypted messages using the default Gmail app, nor could I encrypt or digitally sign sent messages. I would have had to switch to an email app that supports encryption, and configure it to use my public and private keys. Don’t try this; just use the website on your mobile devices.
What some mail systems call message rules are dubbed Filters in StartMail. This feature isn’t as elaborate as Outlook’s message rules system, but it does the job. If an incoming message’s From, Subject, To, or CC field (but not body text) contains a specified word or phrase, move it to a particular folder—that’s a rule. Private-Mail, ProtonMail, and Tutanota also support some form of rules or filters.
You probably take it for granted that you can search through the messages in your standard webmail account, but searching encrypted messages is a different story. For security reasons, the search must take place on your local device, as message contents aren’t available on the server. Tutanota’s free tier limits searching to the last 30 days. StartMail makes a point that its search is secure, local, and unlimited.
StartMail’s user interface is slick, modern, and responsive; and it works on any platform. Its combination of email encryption and temporary email addresses lets you communicate securely with trusted correspondents and interact with untrusted sources without giving away your true email address. The current edition removes limitations on the email alias system and ends a confusing dichotomy in the previous user interface. It’s a serious improvement.
However, PreVeil brings you professional-grade email encryption with a unique key recovery system, secure cloud storage, and file sharing. It does all that without charging a fee, and without requiring you to change your familiar email address. PreVeil remains our Editors’ Choice for email encryption.