Email clients can reveal a lot of information about the user, so I decided to test different email clients (Thunderbird and the web clients of private email providers on https://privacytools.io* and 10 Minute Mail) that are often recommended for privacy.
For testing, I used Email Privacy Tester – a service that lets you test your email client’s privacy in great detail.
Each entry in the table can be thought of as a “leak”: a leak of data about the user. You don’t have to be concerned about most of the stuff in the “On enable remote content” column, though, as it’s not automatically loaded. For some entries it’s perhaps even the opposite, since it’s basically functionality. As for the automatically loaded resources – the leaks listed in the “On receive” and “On open” columns – some are more severe than others, but generally, the fewer leaks, the better.
* CounterMail and CryptoHeaven were obviously removed – shortly after I noticed the issues with those services while writing this article, that is.
Browser used: Chrome with privacy extensions
—- = nothing
N/A = Not Available
| Client | On receive | On open | On enable remote content | Note |
|---|---|---|---|---|
| Thunderbird 45 | DNS Prefetch - Anchor, DNS Prefetch - Link | —- | Video Ogg, Video Webm, CSS Attachment, CSS background-image, Image Submit Button, CSS content, Video Poster, Image tag, Video tag, Iframe tag, Object tag - Flash, Object tag - data, Audio tag, Video MP4, CSS link tag | —- |
| Tutanota | DNS Prefetch - Anchor, DNS Prefetch - Link | —- | CSS background-image, Image tag | —- |
| Gmail | —- | —- | Image Submit Button, CSS background-image | Was initially in the spam folder – external resources weren’t loaded until the email was moved to a non-spam folder |
| Protonmail | DNS Prefetch - Anchor, DNS Prefetch - Link | —- | Video Ogg, Video Webm, Video Poster, Video MP4, Audio tag, Video tag, Image tag | —- |
| Mailbox | DNS Prefetch - Anchor, DNS Prefetch - Link | —- | Image tag, CSS background-image | —- |
| Runbox | —- | Image tag | —- | 1. Weird password policy. One (strong!) password from KeePassX accepted, another not – with the same password generation specifications. 2. Very long wait for that email. 3. Discloses your home directory location in their filesystem – extra data for attackers. |
| CounterMail | N/A | N/A | N/A | You can’t even register without Java! Browser Java is a security nightmare. Highly discouraged. |
| StartMail | —- | —- | Image tag, CSS background-image | —- |
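
To see which of these vectors a given message carries before enabling remote content, the following added example (not part of the original post, and not code from Email Privacy Tester) scans an HTML body and lists each remote URL together with the table's name for the vector. The mapping from vector names to HTML constructs, the function name `scan`, and the sample hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: how the table's vector names map to HTML constructs.
ATTR_VECTORS = {"a": [("href", "DNS Prefetch - Anchor")], "img": [("src", "Image tag")],
                "video": [("src", "Video tag"), ("poster", "Video Poster")]}
LINK_RELS = {"dns-prefetch": "DNS Prefetch - Link", "stylesheet": "CSS link tag"}
REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)  # cid:, data:, mailto: stay local
CSS_URL = re.compile(r"([\w-]+)\s*:[^;{}]*?url\(\s*['\"]?\s*([^'\")\s]+)", re.I)

class RemoteContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def _add(self, vector, url):
        if url and REMOTE.match(url):
            self.findings.append((vector, url.strip()))

    def _css(self, text):  # url(...) under any property, e.g. background-image
        for prop, url in CSS_URL.findall(text):
            self._add("CSS " + prop.lower(), url)

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        self._in_style = self._in_style or tag == "style"
        for attr, vector in ATTR_VECTORS.get(tag, ()):
            self._add(vector, a.get(attr))
        rels = set(a.get("rel", "").lower().split()) if tag == "link" else set()
        for rel in sorted(rels & LINK_RELS.keys()):
            self._add(LINK_RELS[rel], a.get("href"))
        self._css(a.get("style", ""))

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:
            self._css(data)

def scan(html):
    scanner = RemoteContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample body; hosts are placeholders.
SAMPLE = """<link rel="dns-prefetch" href="//p1.tracker.example"><img src="cid:logo@local">
<style>body { background-image: url("https://tracker.example/bg.png"); }</style>
<a href="http://p2.tracker.example/">news</a><img src="https://tracker.example/p.gif">"""
```

`scan(SAMPLE)` returns four findings and skips the `cid:` image, which is an inline attachment and causes no network request.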