Best Encrypted Email Tools for Journalists Protecting Sources (2026)

Proton Mail is the de facto standard for journalists who need encrypted email without sacrificing usability. Founded by CERN scientists and headquartered in Geneva under Swiss federal data protection law, it offers zero-access encryption — meaning Proton itself cannot read your stored messages even under court order. The company has a public, audited transparency report that documents every Swiss legal request and how it responded, which is rare and useful when you're vetting providers for a high-stakes investigation.

For source protection specifically, Proton's strongest cards are the maturity of its ecosystem and its willingness to be operationally journalist-friendly. You can sign up anonymously over the official onion service (proton.me's .onion mirror), pay in Bitcoin or cash, attach a custom domain for a professional-looking address that isn't @proton.me (avoiding the 'this person uses a privacy service' tell), and require hardware security keys for 2FA. The Proton Bridge brings IMAP/SMTP access to Thunderbird, Outlook, and Apple Mail without breaking encryption. Newsrooms including Reuters, the Guardian, and the BBC have publicly listed Proton addresses on their tip pages — meaning when you reach out to a source, there's a good chance they already have a Proton account, which is the only way E2EE actually works.

The one honest weakness for journalist use: Proton does not encrypt subject lines (Tuta does), and a 2021 case where Proton was legally compelled to log IP addresses for a French climate activist's account showed that Swiss law can compel real-time logging when foreign agencies route requests properly. Mitigation: always access over Tor, never reveal IP via mobile app on cellular.

Tuta (formerly Tutanota) is the hardline choice — the encrypted email service most paranoid about metadata. Run by a small team in Hannover, Germany under one of the strictest telecoms-secrecy regimes in Europe, Tuta's defining technical decision is that it encrypts subject lines and entire address books in addition to message bodies. That single design choice closes the most common metadata leak in 'encrypted' email and is reason enough to put Tuta near the top of any journalist's shortlist.

Tuta uses its own hybrid encryption (no PGP), which is a trade-off. The downside: you can't easily exchange E2EE messages with sources on Proton, ProtonMail, or anyone using a standard PGP client — external recipients get a password-protected web link instead. The upside: the system is post-quantum ready (Tuta has been rolling out PQC primitives since 2024), which matters if you're protecting documents that need to stay secret for decades. For ongoing correspondence with a fixed set of sources who all sign up for Tuta accounts, the friction is minimal and the metadata posture is the strongest of any service in this list.

German jurisdiction is another major plus for source protection. Tuta has gone to court against German authorities multiple times to limit the scope of surveillance orders, and the rulings have generally upheld telecoms secrecy more strongly than equivalent US or UK cases. Anonymous signup is available, the Android app is on F-Droid (no Google Play tracking), and there is a desktop client for Windows, macOS, and Linux. The web client also works over Tor without the kind of CAPTCHA hostility you sometimes get elsewhere.

Mailfence is the encrypted email service for journalists who want full PGP — keys you control, exportable, interoperable with anyone using GnuPG, Thunderbird/Enigmail, or any other standard PGP client. That matters because many of your most valuable sources (security researchers, government insiders, fellow investigative reporters) already have PGP keys published on keyservers; forcing them to create yet another account at yet another provider is a real obstacle. With Mailfence you simply import their public key and reply.

Mailfence is operated by ContactOffice from Belgium — outside the Fourteen Eyes intelligence-sharing arrangement, which gives it a quiet jurisdictional advantage over US, UK, Australian, and Canadian services. Belgian privacy law requires a specific judicial order from a Belgian court for data disclosure, and Mailfence publishes a transparency report showing how often (rarely) this has actually happened. The service includes integrated calendar, documents, and groups — so a small investigative team can run a whole encrypted collaboration suite without leaving the platform.

The trade-offs for journalist use: signup requires an existing email address (so use a one-time burner), the free tier is limited and the paid tiers are the most expensive in this list per gigabyte, and the apps feel utilitarian compared to Proton's polish. None of those matter much for the source-protection use case — what matters is that you get a real PGP keypair you control and can take with you if you ever leave. That portability is something Proton and Tuta do not offer in the same way.

Posteo is the operational-hygiene champion of encrypted email. Run from Berlin since 2009 by a tiny, cooperatively owned team, Posteo's defining feature is what it does not collect: by default, Posteo strips your IP address from outgoing message headers, does not log IP addresses on login, does not require any personal information at signup, and accepts anonymous cash payment mailed in an envelope. For journalists, this is exactly the right threat model — assume the database will be subpoenaed someday, and ensure there's nothing useful in it.

Posteo is also one of the rare services that sells inbox-side and full-disk encryption as separate, optional features you can toggle. You can use Posteo as a normal IMAP/SMTP account with standard clients (Thunderbird, Apple Mail) and add OpenPGP yourself, or you can enable Posteo's server-side message encryption so that even Posteo cannot read stored mail. The flexibility is unusual and useful — you can match the encryption posture to the sensitivity of each conversation rather than being locked into one model.

The constraints are real. Posteo's pricing is admirably cheap (€1/month) but the storage caps are tight, there is no custom domain support, and the address is locked to @posteo.de/.net/.eu — which is itself a tell that the user is a privacy-conscious journalist. For source-only correspondence that's actually fine; for primary email it's limiting. The German jurisdiction, court-tested resistance to overbroad orders, and the no-IP-logging design earn Posteo a place in any journalist's stack as the 'cleanest' inbox even when it's not the primary one.

StartMail is the encrypted email service from the team behind the Startpage search engine, based in the Netherlands. Its defining advantage for journalists is unlimited disposable email aliases — a feature that genuinely changes the operational game for investigative work. Need a single-use address to register on a leaked-document platform? Generate one. Need a persistent alias to give to a specific source so you can compartmentalize their messages from a different investigation? Generate one. Burn it later without losing the inbox. For a beat reporter juggling multiple ongoing investigations, this alone is worth the subscription.

StartMail uses standard PGP for end-to-end encryption with external parties and offers server-side encryption for stored mail under your master password. The Dutch jurisdiction is moderate — it's an EU member with GDPR but also a Nine Eyes intelligence partner, so it's a step below Switzerland or Belgium for raw legal resistance. StartMail mitigates this with a published transparency report and a strict no-logs-by-default policy. The service has been operating since 2014 with a clean track record on user data requests.

For journalist workflow specifically, StartMail's web client is purpose-built for working with PGP — encrypting and decrypting in-browser using Web Crypto APIs, with key management UI that doesn't require command-line GnuPG knowledge. This makes it easier to onboard a source who is willing to use PGP but who will never install Thunderbird and Enigmail. The tradeoff: there's no first-party mobile app currently (you connect via standard IMAP), which slows down on-the-go workflow.

Mailbox.org is the most professional-feeling encrypted email service in this list — and that matters more than it sounds. If you're a staff reporter at an organization that requires you to use a custom domain, integrate with calendars, attach a real-feeling office suite, and not look like you're hiding behind a privacy service when you email a press officer, Mailbox.org delivers. It's run from Berlin by Heinlein Support, an established German hosting company that has been doing email professionally since the 1980s.

The encryption model is opt-in PGP with standard interoperability, plus an optional 'Guard' feature that lets you set up server-side automatic PGP encryption of incoming mail — useful if you want every message a source sends you to be re-encrypted at rest with your key, even if the source themselves doesn't use PGP. German jurisdiction provides the same legal posture as Tuta and Posteo, and Mailbox.org has publicly resisted German law-enforcement requests it considered overbroad. Two-factor authentication supports YubiKey and TOTP.

For journalist workflow, Mailbox.org's killer feature is that it works exactly like a normal professional email account — IMAP, SMTP, CalDAV, CardDAV, full Open-Xchange office suite — while still giving you the encryption knobs when you need them. That makes it the best 'primary inbox that also handles sources' option for reporters who can't or won't run two separate accounts. The trade-off: it is not anonymous-friendly. Signup requires payment with a verified method (no Bitcoin, no cash by default), so it's better suited to journalists with stable institutional backing than to lone freelancers protecting their identity.

Runbox is the elder statesman of privacy-focused email — a Norwegian provider that has been quietly running since 2000 without a single reported breach or compelled disclosure to a foreign government. Norway sits outside the EU, outside the Five Eyes, and has telecoms-secrecy law that is functionally similar to Switzerland's. Runbox is owned by its employees, runs on Norwegian renewable hydroelectric power, and has a reputation among veteran journalists as a quiet, reliable backup when geopolitical risk shifts.

Runbox supports standard PGP via desktop clients (Thunderbird with the built-in OpenPGP support is the canonical setup), full IMAP/SMTP, custom domains, and aliases. The company does not publish a flashy transparency report because its compliance volume has been close to zero for two decades, which is its own kind of evidence. For a journalist who wants a backup encrypted inbox in a different jurisdiction from their primary one — a hedge against a single country's legal climate shifting — Runbox is a credible second-string option.

The limitations are honest. The web client looks like it's from 2015 because it largely is, mobile apps are minimal, and Runbox does not do zero-access server-side encryption — your stored mail is encrypted at rest with provider-held keys, which is weaker than Proton or Tuta's model. So treat Runbox as a 'PGP transport in a friendly jurisdiction' rather than as a zero-knowledge inbox. For correspondence where both you and the source use PGP and the body of every message is encrypted before it ever reaches the server, that's enough.