Most secure Email Clients and Enigmail

PUBLISHED 31 AUGUST 2019

Author: InvisibleUser Team

In this guide, you will learn how secure email communication works. Not only your provider matters. A secure email client is equally important and perfectly complements a secure email provider like ProtonMail or Tutanota.

To read our review on the most secure email providers for privacy, visit the page “Encrypted Email Providers”.


What is a secure email client?

An email client is a program that helps you access and manage emails without opening the website in your browser. They often provide additional functions like calendars, contact management, news and RSS feeds.

Popular ones are Windows Mail, Microsoft Outlook, eM Client, Postbox, Mailbird and the free and open-source Mozilla Thunderbird. Out of these, Thunderbird is our favourite. It is a full-featured email client that provides you with tools to organise everything related to email communication. It is completely free and not plagued by all the backdoors and lack of transparency of Microsoft’s programs.


The most secure Email clients for Privacy

Mozilla Thunderbird

Thunderbird is the application we recommend for privacy purposes. It offers many useful plug-ins that expand its features or increase privacy and security. Later, we will go into greater detail with the Enigmail plug-in for encrypted communication. This email client is available for Mac, Windows and most Linux systems. Besides being good for privacy, Thunderbird filters spam and manages emails in folders. It also provides you with import/export functions for emails, the calendar and contacts.

Thunderbird’s Security Features

The application has very well developed security features. It can establish TLS/SSL-encrypted connections to servers for synchronising emails and is very stable. TLS/SSL means that the HTTPS protocol will be used. Therefore, Thunderbird is the secure email client of choice for many companies. It is so secure that it is even used by the French military. That means that Thunderbird matches the security requirements for NATO’s closed messaging system. As with most Mozilla open-source projects, there is fantastic documentation and community support available on the Mozilla website.

Unfortunately, Mozilla stopped in-house development of new features for Thunderbird in 2012, so the interface is a bit clunky, but the client is still supported and its security features are up-to-date. In 2017, Mozilla even added new members to the Thunderbird development team. We expect to see further improvements in the following years.

Mailspring

For everyday use, where privacy is not crucial, we can also recommend the free and open-source email client Mailspring. It is based on Nylas Mail, which is a discontinued email client written entirely with web technologies (CSS, HTML, JavaScript, etc.) and Electron.

You are required to create an account, but otherwise it is a great application. The client is, however, not primarily designed for secure email communication. The reason we mention it is because Thunderbird could scare away new users, who would then use a proprietary alternative that is much worse for their privacy.

We are not going to lie, Thunderbird looks old-fashioned, Windows 98-style old-fashioned. Mailspring on the other hand, is simple and modern and the coding community has checked the source code for issues and has not found any backdoors. It is available on GitHub and on the official website.

To reach privacy that is equal to Thunderbird with Enigmail, you can send PGP encrypted text and files via Mailspring. Software we highly recommend for PGP encryption is GnuPG for Linux, GPG Suite (Mac GPG/GPGTools) for macOS and Gpg4win for Windows.


Enigmail

Enigmail is a Thunderbird plug-in designed to integrate PGP encryption from GnuPG (OpenPGP standard) into Thunderbird. It lets you encrypt, decrypt and sign emails in a very convenient way, while using Thunderbird’s full-featured email client.

To run Enigmail, you have to install the latest version of GnuPG for your operating system, which is available at the GnuPG website. Setting up, configuring and using Enigmail is very easy. You can create new key pairs, a public and a private key, and secure them with a password. It is also possible to import and store the public keys of your contacts in Thunderbird and manage them. Enigmail even supports searching for people’s public keys in online databases.

The only things in an email that Enigmail does not encrypt for you are the subject line and email address, so be careful with that. Please also disable JavaScript in Thunderbird to be safe from malicious scripts that could identify you.

Enigmail Guide

We will now get into setting up Enigmail:

  1. Install the Enigmail plug-in from Thunderbird.net or the official website. This is done by going to the options in Thunderbird ( ☰ button) and then Addons>Extensions. That opens the Add-ons Manager. Search for Enigmail and install it with one click. Restart Thunderbird.
  2. Add your email account to Thunderbird if you have not done that yet.
  3. Generate keys: On the home screen, go to the options ( ☰ button) and hover over OpenPGP. Select Key Management. Click Generate>New Key Pair and select your account, passphrase and key strength (>2kb is plenty). Hit Generate key. You will be asked to generate a certificate. Do that too and save it in a secure location. If someone can access your certificate, that attacker can decrypt your emails, so choose wisely. Restart Thunderbird.
  4. Exchange keys: To communicate with someone through Enigmail, you first have to exchange keys, which is done through an initial email. Send the public key to your contact. Click the ☰ button, select OpenPGP. Right-click your key and choose Send Public Keys by Email. A window opens, choose the recipient. Your public key (.asc file) will be attached to the email. Send it.
  5. Import your contact’s key: Let your contact give you his/her public key via email. Save that key, then go to options ( ☰ button) and hover over OpenPGP. Select Key Management. Go to File>Import Keys and import the .asc file. Restart Thunderbird.
  6. Encrypt and send a secure email: Finally, write the email. Go to Write and type in the recipient’s email address and your message. Then, click the OpenPGP button on the top and tick the boxes Sign Message and Encrypt Message. Click OK and type in your password. The email gets encrypted and you can send it.
  7. Decrypt the reply: When you get a PGP encrypted reply, just open it. You will be asked for your password and it gets decrypted automatically.
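The same exchange, guide steps 3 to 7, replayed with the GnuPG command line that Enigmail drives behind its menus. This is an added example, not code from the article or from Enigmail; the two correspondents, their addresses and the message are constructed, and the empty passphrase only keeps the run non-interactive.

```shell
#!/bin/sh
# Added example: Enigmail's key exchange (guide steps 3 to 7) done with plain gpg.
# Two throwaway keyrings stand in for the two correspondents. Names, addresses
# and the message text are constructed for the demo.
set -e

# gpg against a given keyring, non-interactive. The empty passphrase is for the
# demo only; a real key should carry a strong passphrase, as the guide says.
gpgh() { home=$1; shift; gpg --homedir "$home" --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

pgp_roundtrip() {
    work=$(mktemp -d)
    alice="$work/alice"; bob="$work/bob"
    mkdir -m 700 "$alice" "$bob"

    # Step 3: each correspondent generates a key pair in a private keyring.
    gpgh "$alice" --quick-generate-key 'Alice <alice@example.invalid>' default default never 2>/dev/null
    gpgh "$bob"   --quick-generate-key 'Bob <bob@example.invalid>'     default default never 2>/dev/null

    # Step 4: export the public key; this is the .asc file Enigmail attaches to the email.
    gpgh "$alice" --armor --export alice@example.invalid > "$work/alice.asc"
    gpgh "$bob"   --armor --export bob@example.invalid   > "$work/bob.asc"

    # Step 5: each side imports the other's .asc file (File > Import Keys).
    gpgh "$alice" --import "$work/bob.asc"   2>/dev/null
    gpgh "$bob"   --import "$work/alice.asc" 2>/dev/null

    # Step 6: Bob signs and encrypts to Alice (Sign Message + Encrypt Message).
    # --trust-model always stands in for the fingerprint check you would do by hand.
    printf 'The quarterly report is attached.' > "$work/msg.txt"
    gpgh "$bob" --trust-model always --armor --local-user bob@example.invalid \
        --recipient alice@example.invalid --output "$work/msg.asc" --sign --encrypt "$work/msg.txt"

    # The armored ciphertext must not contain the plaintext.
    grep -q 'quarterly' "$work/msg.asc" && return 1

    # Step 7: Alice decrypts and checks the signature (GOODSIG on the status channel).
    gpgh "$alice" --status-fd 2 --output "$work/plain.txt" --decrypt "$work/msg.asc" 2>"$work/status"
    grep -q '^\[GNUPG:\] GOODSIG' "$work/status" && verdict=GOODSIG || verdict=BADSIG

    gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$bob"   --kill gpg-agent 2>/dev/null || true
    printf '%s:%s\n' "$verdict" "$(cat "$work/plain.txt")"
    rm -rf "$work"
}
```

Note that, exactly as the article says about Enigmail, only the body is protected here: anything in the envelope around msg.asc (subject, addresses) travels in the clear.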

A very good video that explains everything can be found here. There is a great guide on Enigmail and Gpg4win from CompariTech.

Efail Vulnerability

There is a severe vulnerability called Efail in all versions of Enigmail before the 2.0.5 version, so make sure you get the most recent one. Download it directly from the developer’s website.

The vulnerability occurs when a user activates displaying all HTML content for emails, instead of only simple HTML content. Also, loading additional content has to be enabled. That can then start malicious code within the HTML email. When you open an email, you decrypt it as usual, but the malicious code could potentially send an unencrypted copy of the email to the attacker. It is not specific to Enigmail, because its origin lies in Thunderbird itself. It was fixed in version 2.0.5.
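A quick way to audit a Thunderbird profile for the two preconditions described above (full HTML rendering and remote content loading) and for JavaScript, which the article tells you to disable. This is an added example, not code from the article or from Thunderbird; the preference names are the ones Thunderbird uses as far as I know (confirm them in the Config Editor), and the sample prefs.js is constructed.

```shell
#!/bin/sh
# Added example: audit a Thunderbird prefs.js for the Efail preconditions.
# Pref names assumed from Thunderbird's Config Editor: mailnews.display.html_as,
# mailnews.message_display.disable_remote_image, javascript.enabled.
set -e

# Value of a user_pref("name", value); line, or "unset" when the file lacks it.
pref_value() {  # $1 = prefs.js path, $2 = pref name
    v=$(sed -n "s/^user_pref(\"$2\", *\([^)]*\));.*/\1/p" "$1" | tail -n 1)
    printf '%s' "${v:-unset}"
}

# One verdict line per setting. An unset pref follows Thunderbird's default, and the
# default body view is Original HTML, so "unset" counts as a risk for html_as.
audit_prefs() {  # $1 = prefs.js path
    html=$(pref_value "$1" mailnews.display.html_as)   # 0 original, 3 simple, 1 plain text
    remote=$(pref_value "$1" mailnews.message_display.disable_remote_image)
    js=$(pref_value "$1" javascript.enabled)
    case $html in
        1|3) echo "OK   html_as=$html (simple HTML or plain text)" ;;
        *)   echo "RISK html_as=$html (original HTML rendered)" ;;
    esac
    if [ "$remote" = false ]; then echo "RISK remote content loads automatically"
    else echo "OK   remote content blocked"; fi
    if [ "$js" = false ]; then echo "OK   JavaScript disabled"
    else echo "RISK JavaScript not disabled (javascript.enabled=$js)"; fi
}

# Constructed prefs.js showing the risky combination the article describes.
demo_prefs() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
// Mozilla User Preferences (constructed sample)
user_pref("mailnews.display.html_as", 0);
user_pref("mailnews.message_display.disable_remote_image", false);
user_pref("javascript.enabled", true);
EOF
    printf '%s' "$f"
}
```

Run it as `audit_prefs ~/.thunderbird/<profile>/prefs.js` on a closed Thunderbird; three OK lines mean the client is not in the configuration the Efail description depends on.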


Verdict

All in all, Enigmail is a fantastic option for email privacy. Compared to encrypted email providers like ProtonMail and Tutanota, it has the advantage that you can still use your old email account. You are therefore able to take advantage of its features. It is then possible to keep your 15GB of free Gmail or Outlook.com storage and you are not restricted to 500MB of ProtonMail or 1GB of Tutanota accounts. This has, however, the disadvantage that Google still sees who you contact. They do not see what you write, however, because that is encrypted by Enigmail.
