Email Client Privacy Comparison

Email clients can reveal a lot of information about the user, so I decided to test different email clients (Thunderbird and the web clients of private email providers on* and 10 Minute Mail) that are often recommended for privacy.

For testing, I used Email Privacy Tester – a service that lets you test your email client’s privacy in great detail.

Each entry in the table can be thought of as a “leak”. A leak of data about the user. You don’t have to be concerned about most of the stuff in the “On enable remote content” column, though, as it’s not automatically loaded. For some entries perhaps even the opposite, since it’s basically functionality. As for the automatically loaded resources – the leaks, listed in the On receive and On open columns – some are more severe than others, but generally, the less leaks, the better.

* CounterMail and CryptoHeaven were obviously removed – shortly after I noticed the issues with those services while writing this article, that is.

Browser used: Chrome with privacy extensions

—- = nothing

N/A = Not Available

Client On receive On open On enable remote content Note
Thunderbird 45 DNS Prefetch - Anchor, DNS Prefetch - Link —- Video Ogg, Video Webm, CSS Attachment, CSS background-image, Image Submit Button, CSS content, Video Poster, Image tag, Video tag, Iframe tag, Object tag - Flash, Object tag - data, Audio tag, Video MP4, CSS link tag —-
Tutanota DNS Prefetch - Anchor, DNS Prefetch - Link —- CSS background-image, Image tag —-
Gmail —- —- Image Submit Button, CSS background-image Was initially in the spam folder – external resources weren’t loaded until the email was moved to a non-spam folder
Protonmail DNS Prefetch - Anchhor, DNS Prefetch - Link —- Video Ogg, Video Webm, Video Poster, Video MP4, Audio tag, Video tag, Image tag —-
Mailbox DNS Prefetch - Anchor, DNS Prefetch - Link —- Image tag, CSS background-image —-
10 Minute Mail XDG-OPEN prompt!, Video Ogg, Video Webm, Image Submit Button, Audio tag, Video MP4, Video tag, Video Poster, Image tag, Object tag - Flash, Iframe tag, Object tag - data, CSS content, CSS background-image, Script tag (javascript), Link Prefetch, CSS link tag Object tag - Flash, Object tag - data, Video Poster, Image Submit Button Feature N/A Email automatically opened before even clicking on it.
Runbox —- Image tag —- 1. Weird password policy. One (strong!) password from KeePassX accepted, another not – with the same password generation specifications 2. Very long wait for that email 3. Discloses your home directory location in their filesystem – extra data for attackers.
CounterMail N/A N/A N/A You can’t even register without Java! Browser Java is a security nightmare. Highly discouraged.
StartMail —- —- Image tag, CSS background-image —-
CryptoHeaven N/A N/A N/A NO HTTPS!