Tuta Setup Guide: Getting Started with Encrypted Email
Step-by-step guide for setting up Tuta (formerly Tutanota), configuring privacy settings, and migrating to an encrypted email provider.
Tuta (formerly Tutanota) is a German-based encrypted email provider that takes a stricter stance on encryption than most competitors — including encrypting subject lines by default, something ProtonMail doesn’t do. Here’s how to set it up and get the most out of it.
Creating Your Account
Go to tuta.com and sign up for a free or paid plan. The free tier provides 1 GB of storage and one address — enough to evaluate whether Tuta works for you.
Domain choice: You get an address ending in @tuta.com. Legacy accounts may have @tutanota.com — these are the same service. Paid plans add @tutamail.com, @keemail.me, @tutanota.de, and custom domains.
Username considerations: Like ProtonMail, your Tuta username is your identifier and should be chosen carefully. Unlike some providers, Tuta doesn’t give you a display name separate from your address by default.
Verification: As an anti-spam measure, Tuta may ask new signups for a phone number to verify the account, similar to ProtonMail.
Key Differences in Tuta’s Encryption Model
Before diving into setup, understand how Tuta’s encryption differs from ProtonMail:
Subject-line encryption: Tuta encrypts the subject line, body, and attachments. When you email another Tuta user, none of that is visible to Tuta’s servers. ProtonMail only encrypts the body and attachments by default.
Proprietary encryption scheme: Tuta uses its own hybrid encryption (currently based on AES-128 and RSA-2048, with post-quantum updates in progress) rather than PGP. This means no PGP compatibility — you can’t use your Tuta keys with external GPG tools. If this matters to you, factor it in.
No IMAP bridge: Tuta does not offer an IMAP bridge like ProtonMail Bridge. You use the Tuta apps or the web app. This is either a limitation or a simplification depending on your workflow.
Tuta Desktop and Mobile Apps
Tuta has native desktop apps for Windows, macOS, and Linux, plus mobile apps for iOS and Android. This is a significant advantage over ProtonMail’s web-or-bridge model.
Download from tuta.com/download or your platform’s app store. Sign in with your Tuta credentials.
The desktop app uses Electron but is generally stable. It’s been through multiple security audits and the code is open source.
Initial Account Configuration
In Settings (gear icon), review these:
Security → Two-factor authentication: Enable immediately. Use TOTP (an authenticator app) rather than any phone-based method. Tuta supports TOTP and U2F security keys.
Security → Recovery code: Generate and store your recovery code. This is critical — if you lose your password and recovery code, your account is unrecoverable by design. Store the recovery code in a password manager or as a printed copy kept in a safe location.
Email → Encryption settings: Tuta offers end-to-end encrypted external email via a shared password. In Settings, you can configure default external encryption behavior.
Notifications: Configure which notifications you want for desktop and mobile. Tuta’s notification emails for push notifications are intentionally vague — they say “you have a new message” without any content, because the content is encrypted.
Sending to External (Non-Tuta) Addresses
When you email a Gmail or other non-Tuta address, you have two options:
Password-encrypted: You set a password for the external recipient. Tuta sends them a link. They visit tuta.com, enter the password, and read the encrypted message. They can reply securely through the same interface. You share the password with them out-of-band (by phone, Signal, etc.).
Unencrypted: Sent as regular email. The recipient gets a normal email but the content isn’t end-to-end encrypted.
For one-time sensitive communication with someone who doesn’t use Tuta, the password-encrypted option works well. For ongoing correspondence, it’s impractical unless they also adopt Tuta.
Tuta can remember that an external contact should always receive encrypted email. After sending a password-encrypted message, you can pin that setting for the contact.
Custom Domain Setup
Available on paid plans. In Settings → Custom Domains:
- Add your domain name
- Tuta provides DNS records to add at your registrar:
  - MX records for mail routing
  - SPF TXT record
  - DKIM CNAME records
  - DMARC TXT record (recommended)
- Verify DNS propagation — this can take up to 48 hours
Tuta’s DNS setup flow is clean and walks you through each step with copy-paste instructions.
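Before relying on the domain for mail, the finished record set can be checked for the usual migration mistakes. The following is an added example, not Tuta's code: it checks an exported record list offline for the four record types listed above. The host names, the selector names s1/s2 and all record values are constructed placeholders; the real values come from Tuta's setup screen.

```python
# Added example (not Tuta's code): offline check of a custom-domain record set.
def check_mail_dns(domain, records, expected_mx, dkim_selectors):
    """records: (name, type, value) tuples exported from the DNS host; returns problems."""
    problems = []

    def find(name, rtype):
        return [v.strip('"') for n, t, v in records
                if n.lower().rstrip(".") == name.lower() and t.upper() == rtype]

    # MX: mail routing must point only at the provider's host.
    mx_hosts = [v.split()[-1].rstrip(".").lower() for v in find(domain, "MX")]
    if expected_mx.lower() not in mx_hosts:
        problems.append("MX: no record pointing at " + expected_mx)
    if any(h != expected_mx.lower() for h in mx_hosts):
        problems.append("MX: leftover record for another mail host")
    # SPF: exactly one v=spf1 TXT record; several make receivers return permerror.
    spf = [v for v in find(domain, "TXT") if v.lower().startswith("v=spf1")]
    if len(spf) != 1:
        problems.append("SPF: expected 1 v=spf1 record, found %d" % len(spf))
    elif spf[0].split()[-1].lower() in ("all", "+all"):
        problems.append("SPF: '+all' authorises every sender")
    # DKIM: each selector needs a CNAME under _domainkey.
    for sel in dkim_selectors:
        if not find("%s._domainkey.%s" % (sel, domain), "CNAME"):
            problems.append("DKIM: missing CNAME for selector " + sel)
    # DMARC: TXT at _dmarc.<domain>; p=none only reports, it does not block.
    dmarc = [v for v in find("_dmarc." + domain, "TXT")
             if v.lower().startswith("v=dmarc1")]
    if not dmarc:
        problems.append("DMARC: no v=DMARC1 record at _dmarc." + domain)
    else:
        tags = {k.strip().lower(): val.strip().lower() for k, val in
                (t.split("=", 1) for t in dmarc[0].split(";") if "=" in t)}
        if tags.get("p") == "none":
            problems.append("DMARC: p=none reports but does not block spoofed mail")
    return problems

# Constructed sample: a zone part-way through migration (placeholder hosts/selectors).
SAMPLE = [
    ("example.org", "MX", "10 mx.provider.example."),
    ("example.org", "MX", "20 mail.oldhost.example."),
    ("example.org", "TXT", '"v=spf1 include:spf.provider.example -all"'),
    ("example.org", "TXT", '"v=spf1 include:oldhost.example ~all"'),
    ("s1._domainkey.example.org", "CNAME", "s1.domainkey.provider.example."),
    ("_dmarc.example.org", "TXT", '"v=DMARC1; p=none"'),
]
PROBLEMS = check_mail_dns("example.org", SAMPLE, "mx.provider.example", ["s1", "s2"])
```

An empty result means all four record types are present and consistent; each string in the list names the record type to revisit at the registrar.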
Custom domain mailboxes can be created under Settings → Add Mailbox.
Tuta Calendar
Tuta includes an encrypted calendar, which is unusual. If you’re concerned about calendar privacy (appointment times, locations, meeting subjects), Tuta’s calendar encrypts all that on-device before syncing. Google Calendar, by contrast, reads everything.
The Tuta calendar is available in the app and web interface. It doesn’t support CalDAV sync, so you can’t use it with Apple Calendar or Thunderbird’s calendar — it only works through Tuta’s own interfaces.
Migrating Email In
Tuta doesn’t currently offer an import tool equivalent to ProtonMail’s Easy Switch. To bring historical email into Tuta, you’d need a third-party tool that can connect to your old provider via IMAP and transfer messages. imapsync is one option, but it’s a command-line tool and requires some technical comfort.
For most users, a cleaner approach is to start fresh with Tuta for new correspondence and let the old account receive legacy mail while you transition contacts.
Ongoing Use
Tuta’s interface is minimal and clean. The mobile apps are solid. The main friction points are:
No IMAP: Desktop users who want to integrate with a full-featured email client like Thunderbird are out of luck. You use Tuta’s apps or the web.
No PGP: If you have existing PGP contacts who want to send encrypted mail to you without using password-protected external email, that’s not possible with Tuta.
Limited integrations: Tuta’s ecosystem is primarily email + calendar. ProtonMail has a broader suite (VPN, Drive, password manager) if that’s relevant to you.
For users who want straightforward encrypted email with a native app, stricter encryption defaults, and a GDPR-friendly German jurisdiction, Tuta is an excellent choice. The limitations are real but are mostly issues for power users — for everyday encrypted email use, it’s one of the best options available.