guide · published

Privacy email providers compared on threat model, not features

'Privacy email' is a property of the operator and the protocol, not a marketing feature. This guide compares Proton, Tuta, Mailfence, cock.li, Posteo, Riseup and Disroot by what each one buys you and what it costs you.

“Privacy email” is mostly a marketing phrase. Underneath it there are four properties that actually vary across providers, and a useful comparison lines the providers up on those four:

  1. Signup posture — what does the provider know about you from the moment you register?
  2. Cryptography model — what does the provider see on your mail at rest and in transit?
  3. Operator jurisdiction and posture — what does compelled disclosure look like?
  4. Practical interoperability — does it deliver mail to the people you actually email?

Comparing on threat model

| Provider | Signup | Crypto model | Jurisdiction | Payment methods | Inbox interop |
|---|---|---|---|---|---|
| Proton Mail | Email-or-anon; abuse-prevention can ask for SMS | E2E (Proton↔Proton, PGP); at-rest E2E inbound | Switzerland | Crypto / card | Excellent |
| Tuta | Username only | E2E in-protocol (subjects too) | Germany | Crypto / card / bank | Good (closed protocol; no IMAP) |
| Mailfence | Username + email recovery | PGP-only | Belgium | Crypto / card | Excellent (IMAP/SMTP) |
| cock.li | Username only | At-rest, PGP-on-demand | Romania | Crypto only | Frequently blocked |
| Posteo | Username only; cash-by-mail funded | At-rest by user key | Germany | Cash-by-mail | Excellent |
| Riseup | Invite-only / justification | At-rest by user key | United States | Donation | Good (collective context matters) |
| Disroot | Username only | At-rest | Netherlands | Donation | OK |

What each provider buys you

Proton Mail is the well-funded mainstream choice. Strong cryptography, audited clients, professional product. The cost is that the signup happy path involves an email-or-phone fallback if you trip an anti-abuse heuristic, and Switzerland’s legal context can compel IP-at-login disclosure under court order. Best fit for users who want a polished product and accept the operator-side trust profile.

Tuta maximizes default-on encryption — subjects, address book, and attachment metadata are all encrypted at rest. The cost is the closed protocol: no PGP interop, no IMAP, no SMTP. You use Tuta’s client. Best fit when default-on metadata encryption is the requirement.

Mailfence is the PGP-native, IMAP-supporting, Belgian alternative. End-to-end encryption is PGP, so it interoperates with anyone else who uses PGP; message metadata (headers, including the subject line) is visible to the operator. Best fit for users who want IMAP-compatible mail with explicit PGP support.
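The "PGP-only, metadata visible to the operator" row is a concrete property of the PGP/MIME format (RFC 3156), not a choice of the provider: the encryption wraps only the body, and every top-level header stays readable by whoever stores the message. The script below is an added example, not code from the guide or from Mailfence. It assembles a PGP/MIME envelope around a constructed stand-in for an OpenPGP ciphertext block (real ciphertext would come from an OpenPGP implementation) and then parses it the way a key-less operator would, reporting which fields are in the clear and whether the body is opaque. All addresses, dates and the armored block are constructed sample values.

```python
"""Added example, not from the guide: what a PGP-only operator can read.

A PGP/MIME message (RFC 3156) protects only the body. Every top-level
header, Subject included, travels and is stored in the clear, which is the
"metadata is visible to the operator" trade-off of PGP-based providers.
The ciphertext below is a constructed stand-in, not real OpenPGP output.
"""
from email import encoders, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.parser import BytesParser

# Constructed stand-in for an ASCII-armored OpenPGP block (not real ciphertext).
FAKE_PGP_ARMOR = (
    "-----BEGIN PGP MESSAGE-----\n\n"
    "hQEMA0NPTlNUUlVDVEVEU1RBTkRJTi1OT1QtUkVBTC1DSVBIRVJURVhU\n"
    "-----END PGP MESSAGE-----\n"
)


def build_pgp_mime_message(sender: str, recipient: str, subject: str,
                           armored_ciphertext: str) -> bytes:
    """Wrap an already-encrypted body in an RFC 3156 multipart/encrypted
    envelope. Headers live on the outer part, so they are not encrypted."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = sender
    outer["To"] = recipient
    outer["Subject"] = subject
    outer["Date"] = "Mon, 02 Mar 2026 10:15:00 +0000"             # constructed
    outer["Message-ID"] = "<constructed-example@example.invalid>"  # constructed
    # Part 1: the mandatory control part; part 2: the opaque ciphertext.
    version = MIMEApplication("Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    body = MIMEApplication(armored_ciphertext, "octet-stream",
                           _encoder=encoders.encode_7or8bit)
    outer.attach(version)
    outer.attach(body)
    return outer.as_bytes()


def operator_view(raw_message: bytes) -> dict:
    """Model the store-and-forward operator: parse the message without any
    key and report which fields are readable and whether the body is opaque."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    # Everything at the top level is plaintext to the operator.
    cleartext_headers = {name: str(value) for name, value in msg.items()}
    # RFC 3156 envelope check: the body is ciphertext the operator cannot open.
    body_protected = (
        msg.get_content_type() == "multipart/encrypted"
        and msg.get_param("protocol") == "application/pgp-encrypted"
    )
    body_parts = [part.get_content_type() for part in msg.iter_parts()]
    return {
        "cleartext_headers": cleartext_headers,
        "body_protected": body_protected,
        "body_parts": body_parts,
    }


if __name__ == "__main__":
    raw = build_pgp_mime_message("alice@example.invalid", "bob@example.invalid",
                                 "Q3 budget draft", FAKE_PGP_ARMOR)
    view = operator_view(raw)
    for name in ("From", "To", "Subject", "Date"):
        print(f"operator reads {name}: {view['cleartext_headers'][name]}")
    print("body opaque to operator:", view["body_protected"])
```

Running it shows the sender, recipient, subject and timestamp in the operator's view while the body is a single opaque part. That is exactly the gap a provider like Tuta closes by encrypting subjects inside its own protocol, at the price of giving up PGP and IMAP interoperability.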

cock.li is the minimal-signup choice. Username only, no recovery email, donation-funded. The trade-off is delivery — many systems block the domain by default. Best fit as a side address for accounts that accept it.

Posteo is the cash-payment choice. Username at signup, cash-by-mail accepted as funding, and the operator explicitly does not link the payment to the account. Cryptography is at-rest by user key, not E2E. Best fit when payment-side de-linking is the binding requirement.

Riseup is the activist-collective choice. 25+ years of operating, invite-only signup, U.S. operator with a strong community-trust record. Best fit for users embedded in activist contexts who already have an invite.

Disroot is the small-FOSS-collective choice. One username, several bundled services. Volunteer-grade reliability. Best fit as a side account in the FOSS-collective space.

How to combine them

Most users who think hard about email privacy end up with a small portfolio:

The portfolio model exists because the trade-offs cannot all be satisfied by one provider. Tuta encrypts subjects but doesn’t do IMAP. Proton does IMAP (via Bridge) but knows your IP at login. Posteo accepts cash but encrypts only at rest. The portfolio buys you the union of strengths.

What it doesn’t buy you

A privacy email provider does not change:

A note on threat-model honesty

There is a tendency in privacy-email discussions to grade providers on whether they are “really” private. The honest answer is that all of these providers are dramatically more private than mainstream alternatives, and the differences between them are about which specific failure modes you are most concerned about. The right comparison is “Proton vs. Tuta given my threat model,” not “is X really private.”

This directory’s job is to make the threat-model dimensions explicit so you can match a provider to your own threat model.

FAQ

Which provider is 'the most private'?
There is no single answer because the right choice depends on what you're defending against. cock.li is unmatched on signup minimalism; Tuta is unmatched on default-on encryption (including subjects); Proton is unmatched on usability and resources; Posteo is unmatched on cash-payment posture; Riseup is unmatched on community trust. Pick the one whose trade-offs match your threat model.
Is end-to-end encryption the same as privacy email?
No, but it's related. End-to-end encryption (E2E) means the operator cannot read the message content even if compelled. 'Privacy email' on this site is broader — it includes the signup posture, the metadata the operator stores, the legal jurisdiction. A provider can be E2E and still log lots of metadata (Proton with sealed-sender disabled); a provider can be non-E2E and store almost nothing (Posteo with at-rest encryption only).
Does Proton Mail's Swiss jurisdiction help me?
Sort of. Swiss law has a higher bar for compelled disclosure than U.S. law, but it is not absolute. The well-known 2021 case where Proton produced IP-at-login metadata in response to a Swiss-court order showed where the floor sits — Proton cannot read mail content, but it can be ordered to log a specific user's IP on login. Read the Proton transparency report; it is the most useful public document in the category.
Why is cock.li widely blocked?
Because over the years the @cock.li domain has been used heavily for spam, throwaway accounts, and trolling. Many large email systems (Google, Microsoft, several universities) drop or filter @cock.li by default. The domain still works for many uses but it is not a reliable primary inbox in 2026.
Can I run my own mail server instead?
You can; the question is whether it works in 2026. Self-hosted mail has the lowest metadata exposure but is hard to deliver from — most large providers default to dropping or filtering mail from small-IP-range senders without warm-up history. For users with the operational discipline to maintain it, self-hosting is the best privacy story. For everyone else, an evaluated provider is the realistic choice.

Sources

  1. Proton transparency report · accessed
  2. Tuta transparency reports · accessed
  3. Posteo transparency report · accessed
