<\/p>\n
Most people think of email as a private channel. The reality is the opposite: a typical promotional email contains between 5 and 30 invisible tracking elements. The moment you open it, the sender knows when, from which device, in which time zone, sometimes even your approximate location. By the time you’ve finished reading the subject line, your behavior has been logged, analyzed, and very often sold.<\/p>\n
This is not a niche problem. According to industry estimates, more than 70% of marketing emails sent in 2025 contained at least one tracking pixel. And these are just the “polite” trackers \u2014 the ones used by big brands. Add phishing campaigns, link manipulation, and metadata leakage from attachments, and email becomes one of the worst privacy nightmares of modern computing.<\/p>\n
At Onion Mail<\/a>, our mission has always been simple: to provide an email service that respects users by default. Not as a paid feature, not behind an opt-in, not as a marketing claim \u2014 by default, in the code, for everyone. Today we’re announcing a major release that brings our anti-tracking, anti-phishing, and data-leak protections to a level that matches or surpasses ProtonMail and Tutanota \u2014 the two services widely considered the gold standard of private email.<\/p>\n This article explains, in plain language, what we built, how it protects you, and how it compares to the alternatives.<\/p>\n Before diving into what’s new, it helps to understand exactly what email actually does to you when you’re not looking. We grouped the threats into five categories:<\/p>\n 1. Open tracking.<\/strong> A 1-pixel transparent image is embedded in the email. When your mail client downloads it (which happens automatically), the sender’s server logs the request \u2014 confirming you opened the email, your IP address, your device, and the exact timestamp.<\/p>\n 2. Click tracking.<\/strong> Links in the email don’t go directly where they claim. They pass through redirector services ( 3. Phishing.<\/strong> Visually deceptive links where the displayed text says one thing (“amazon.com”) but the actual URL points elsewhere (“amzon-security.ru”). Combined with spoofed sender addresses, this is how the vast majority of credential thefts happen.<\/p>\n 4. Metadata leakage.<\/strong> When you send a photo, that file contains EXIF data: GPS coordinates of where it was taken, camera model, exact timestamp, sometimes even the smartphone’s serial number. Sending an “innocent” picture from your home can reveal your address with meter-level precision.<\/p>\n 5. In-message malicious code.<\/strong> HTML emails can contain JavaScript, hidden iframes, deceptive forms, and external CSS that fingerprints your browser. A well-crafted email can attempt to compromise your account without you ever clicking anything.<\/p>\n A truly private email service has to defend against all five. Here’s how we did it.<\/p>\n Our incoming email engine now scans every message before rendering it and identifies tracking pixels by multiple signals: their dimensions (1\u00d71 or smaller), their style ( When detected, these pixels are removed from the DOM entirely<\/strong> before the email is displayed. Not hidden, not blocked at the network level \u2014 they’re never even part of the page. The sender gets no signal that you opened the email.<\/p>\n Even when an image isn’t a tracking pixel, the simple act of loading it leaks your IP address and the timestamp of when you opened the email. This is why services like Apple Mail Privacy Protection and ProtonMail block external images by default.<\/p>\n We do the same. Every image hosted outside Onion Mail is blocked on first load and replaced with a discreet “Blocked image” placeholder. A privacy banner at the top of the email tells you how many images were blocked, and a single click on “Show images”<\/strong> loads them all if you trust the sender. The choice is yours, not theirs.<\/p>\n Inline images embedded directly in the email (using Every link in incoming emails is rewritten to remove tracking parameters: We also force When an email contains a link whose displayed text looks like one URL (“amazon.com”) but whose actual We also detect URL shorteners \u2014 bit.ly, tinyurl, t.co, goo.gl, and 30 others \u2014 that hide the real destination from view. We never resolve the shortened URL (that would leak your IP to the shortener service), but we mark these links with a clear visual cue and an explanatory tooltip so you know the destination is unverified before you click.<\/p>\n Most email services validate SPF, DKIM, and DMARC headers behind the scenes \u2014 protocols that prove an email really came from the domain it claims. Almost none of them show you the result.<\/p>\n We added three small badges next to every email’s sender address: green \u2713 if the email passed authentication, red \u2717 if it failed (likely spoofed), grey if the sender doesn’t configure that protocol. We also detect when the Reply-To<\/strong> address is on a different domain than the From<\/strong> \u2014 a classic phishing pattern \u2014 and show a red warning badge inline.<\/p>\n If you’ve ever wondered “is this email really from my bank?”, these three badges give you the answer in less than a second.<\/p>\n Email HTML is one of the most dangerous content types on the internet. We defend against malicious code with three independent layers:<\/p>\n For each email, you see a privacy banner<\/strong> at the top summarizing what was blocked: “\ud83d\udee1\ufe0f 3 tracking pixels, 12 external images, 1 suspicious link blocked.” A “Details” button shows the full list. Transparency isn’t optional \u2014 you should know exactly what your mail client is doing on your behalf.<\/p>\n Privacy isn’t just about what you receive \u2014 it’s also about what you send. We added three protections for outgoing email:<\/p>\n EXIF stripping from image attachments.<\/strong> When you attach a JPEG or PNG, our engine automatically removes all metadata before the file is uploaded. GPS coordinates, camera model, software, timestamps, even thumbnail previews \u2014 all gone. You see a confirmation banner: “EXIF metadata removed from 1 image (~12 kB saved).” This protects your physical location and identifies less about your device. We do this entirely in your browser, so the original metadata never even reaches our servers.<\/p>\n Tracking parameter cleanup in your links.<\/strong> If you paste a URL into your email that contains Sensitive data warning before sending.<\/strong> Before an email leaves your account, we scan it for patterns that suggest sensitive information: passwords, PINs, OTP codes, credit card numbers, IBANs, social security numbers, BIP-39 seed phrases, and PGP private key blocks. If anything is detected, we show you a warning modal listing what we found, and ask you to confirm \u2014 with a strong recommendation to use PGP encryption instead.<\/p>\n This last feature, as far as we know, is unique to Onion Mail. Neither ProtonMail nor Tutanota currently offers it.<\/p>\n We also added quality-of-life features that respect your privacy:<\/p>\n A Print button<\/strong> in every email’s header generates a clean, printable version with all UI chrome removed (navbar, sidebar, banners, action buttons). Just the email content.<\/p>\n An Attachment preview system<\/strong> lets you view images, audio, video, text files, and PDFs without downloading them to your disk<\/strong>. This means fewer files clutter your hard drive, and a malicious file is opened in a sandboxed preview rather than executed by your operating system. PDFs in particular get an extra security warning \u2014 they can contain JavaScript and have historically been used as attack vectors \u2014 and you can choose between previewing in a sandboxed frame, opening in a new tab (recommended), or downloading.<\/p>\n Let’s be direct and honest. ProtonMail and Tutanota are excellent services, and they pioneered many of the privacy practices that everyone now takes for granted. They have larger teams, more resources, and longer track records. Where they excel, we acknowledge it.<\/p>\n That said, here’s a feature-by-feature comparison of where each service stands today on email privacy:<\/p>\n ProtonMail offers end-to-end encryption at rest<\/strong> by default \u2014 your mailbox is encrypted with your password, and even Proton can’t read it. This is a fundamentally different threat model than ours. We use Mailvelope for PGP encryption, which is excellent but requires the user to manage their own keys. ProtonMail’s approach is more accessible to non-technical users.<\/p>\n ProtonMail also has a larger ecosystem<\/strong>: native mobile and desktop apps, Calendar, Drive, VPN. We focus on email and email only \u2014 by design.<\/p>\n Tutanota’s proprietary encryption<\/strong> also encrypts subjects and metadata at rest, while standard PGP only encrypts the body. For users who need maximum metadata protection, Tutanota offers a unique advantage.<\/p>\n Three areas where Onion Mail goes further:<\/p>\n Outgoing privacy.<\/strong> We protect not just you, but the people you email. Tracking parameter cleanup in outgoing links, EXIF stripping from your photos, and the sensitive data warning are not standard features in any major privacy-mail service. They protect your network of contacts.<\/p>\n Tor integration.<\/strong> Onion Mail has been designed from day one for Tor users. Our Account recovery without compromising privacy.<\/strong> Most services force a brutal trade-off: either you set up a recovery email\/phone (which links your account to your real identity), or you accept that losing your password means losing your account forever. We integrate with Tox<\/a>, a peer-to-peer encrypted messenger, to allow account recovery via your Tox ID \u2014 no email, no phone number, no identity link.<\/p>\n Anonymous payments.<\/strong> We accept Bitcoin, Monero, and other cryptocurrencies for paid plans, with no KYC and no identity verification. ProtonMail accepts Bitcoin but with more friction; Tutanota does not accept cryptocurrency at all.<\/p>\n In the spirit of honest comparison, here’s what we deliberately chose not<\/strong> to do:<\/p>\n We don’t use external reputation services for link checking.<\/strong> Some services check every URL in your email against databases like PhishTank, VirusTotal, or Google Safe Browsing. This is effective but requires sending the URLs (and therefore information about the email content) to a third party. For a privacy-first service, this is unacceptable.<\/p>\n We don’t use server-side AI for spam or phishing classification.<\/strong> AI-based classification is increasingly accurate, but it requires our servers to read every email \u2014 defeating the purpose of email privacy. Our anti-phishing checks are 100% client-side and pattern-based.<\/p>\n We don’t track usage analytics.<\/strong> We have no idea how many of you opened this article, clicked a link, or use which feature. There’s no telemetry. We can’t optimize what we can’t measure, and that’s a trade-off we choose deliberately.<\/p>\n We don’t offer end-to-end encryption at rest by default.<\/strong> This is our biggest gap compared to ProtonMail and Tutanota. We provide PGP via Mailvelope, which is the standard, open, interoperable approach \u2014 but it requires more user effort. We’re aware of the trade-off, and improvements in this area are part of our roadmap.<\/p>\n Email is 50 years old. The protocols that carry your messages were designed in an era when surveillance capitalism didn’t exist. Today, your email reveals more about you than your browser history, your location, and your social media combined. It tells advertisers what you buy, when you read, who you talk to, where you bank, what diseases you research, what political causes you support.<\/p>\n You have two options. You can accept that as the cost of “free” email, and pay with your data forever. Or you can use a service that treats privacy as a default \u2014 not a feature, not an upsell, not a paid tier. Just the way email should have worked from the beginning.<\/p>\n That’s the choice we made when we built Onion Mail. With this release, we believe we’ve narrowed the gap with the best privacy-mail services in the world, and in some areas surpassed them.<\/p>\n
\nThe five categories of email privacy threats<\/h2>\n
mailchimp.com\/mc\/click\/...<\/code>, bit.ly\/...<\/code>, etc.) that record which recipient clicked, when, and how often. They then forward you to the real destination.<\/p>\n
\nWhat’s new in Onion Mail: a complete privacy overhaul<\/h2>\n
1. Tracking pixels: blocked, not just tolerated<\/h3>\n
display:none<\/code>, opacity:0<\/code>), suspicious filenames (open.gif<\/code>, track.png<\/code>, pixel.gif<\/code>, beacon.gif<\/code>), and crucially, their host. We maintain a list of more than 40 known tracker domains \u2014 Mailchimp, SendGrid, HubSpot, Mailtrack, Sendinblue, ActiveCampaign, Klaviyo, Marketo, Constant Contact, and many others.<\/p>\n2. External images: blocked by default, on your terms<\/h3>\n
data:<\/code> URLs) and attached images (cid:<\/code>) are always shown \u2014 they pose no privacy risk because no external request is made.<\/p>\n3. Link cleanup: tracking parameters stripped automatically<\/h3>\n
utm_source<\/code>, utm_campaign<\/code>, utm_medium<\/code>, fbclid<\/code>, gclid<\/code>, mc_eid<\/code>, mkt_tok<\/code>, and 22 others. When you click a cleaned link, the destination still works perfectly \u2014 but the recipient site no longer receives identifiers tying that click back to you.<\/p>\nrel=\"noopener noreferrer nofollow\"<\/code> on all external links, preventing the destination page from accessing your previous tab via window.opener<\/code> and from reading the referring URL. The destination knows you arrived; it doesn’t know from where.<\/p>\n4. Phishing detection that actually works<\/h3>\n
href<\/code> points elsewhere, our engine flags it visually with a wavy red underline<\/strong> and a tooltip that shows the real destination. This is the single most effective defense against the most common phishing pattern.<\/p>\n5. Sender authentication, made visible<\/h3>\n
6. Three-layer security against malicious content<\/h3>\n
\n
<script><\/code> tags, event handlers (onclick<\/code>, onerror<\/code>, etc.), <iframe><\/code> injections, <form><\/code> elements, and external <style><\/code> tags before the email is rendered.<\/li>\nscript<\/code>, style<\/code>, and form<\/code> provides a defense-in-depth layer that doesn’t rely on DOMPurify defaults.<\/li>\n<\/ul>\n7. Outgoing privacy: protect the recipient too<\/h3>\n
utm_*<\/code>, fbclid<\/code>, or other tracking parameters, we detect it and offer a one-click “Clean tracking parameters” button. This protects the people you’re emailing \u2014 they shouldn’t be tracked just because you copy-pasted a link from a newsletter.<\/p>\n8. Print and preview: privacy preserved<\/h3>\n
\nHow does Onion Mail compare to ProtonMail and Tutanota?<\/h2>\n
\n\n
\n \nFeature<\/th>\n Onion Mail<\/th>\n ProtonMail<\/th>\n Tutanota<\/th>\n<\/tr>\n<\/thead>\n \n Block tracking pixels<\/td>\n \u2705<\/td>\n \u2705<\/td>\n \u2705<\/td>\n<\/tr>\n \n Block external images by default<\/td>\n \u2705<\/td>\n \u2705<\/td>\n \u2705<\/td>\n<\/tr>\n \n Strip tracking parameters from incoming links<\/td>\n \u2705<\/td>\n \u2705<\/td>\n Partial<\/td>\n<\/tr>\n \n Phishing link detection (text vs. URL)<\/td>\n \u2705<\/td>\n \u2705<\/td>\n \u2705<\/td>\n<\/tr>\n \n URL shortener flagging<\/td>\n \u2705<\/td>\n Partial<\/td>\n \u274c<\/td>\n<\/tr>\n \n SPF\/DKIM\/DMARC visibility<\/td>\n \u2705<\/td>\n \u2705<\/td>\n \u2705<\/td>\n<\/tr>\n \n Reply-To mismatch warning<\/td>\n \u2705<\/td>\n \u2705<\/td>\n \u274c<\/td>\n<\/tr>\n \n iframe sandbox + DOM sanitization<\/td>\n \u2705<\/td>\n \u2705<\/td>\n \u2705<\/td>\n<\/tr>\n \n EXIF stripping from attachments<\/strong><\/td>\n \u2705<\/td>\n \u2705 (mobile\/desktop)<\/td>\n \u274c<\/td>\n<\/tr>\n \n Tracking cleanup in outgoing links<\/strong><\/td>\n \u2705<\/td>\n \u274c<\/td>\n \u274c<\/td>\n<\/tr>\n \n Sensitive data warning before sending<\/strong><\/td>\n \u2705<\/td>\n \u274c<\/td>\n \u274c<\/td>\n<\/tr>\n \n Native PGP encryption<\/td>\n \u2705 (Mailvelope)<\/td>\n \u2705 (built-in)<\/td>\n \u2705 (proprietary)<\/td>\n<\/tr>\n \n End-to-end encrypted at rest<\/td>\n \u26a0\ufe0f (PGP only)<\/td>\n \u2705<\/td>\n \u2705<\/td>\n<\/tr>\n \n Free tier available<\/td>\n \u2705<\/td>\n \u2705<\/td>\n \u2705<\/td>\n<\/tr>\n \n Onion service (.onion address)<\/td>\n \u2705<\/td>\n \u2705<\/td>\n \u274c<\/td>\n<\/tr>\n \n Anonymous payment (Bitcoin\/Monero)<\/td>\n \u2705<\/td>\n \u2705 (Bitcoin)<\/td>\n \u274c<\/td>\n<\/tr>\n \n Open source webmail<\/td>\n \u2705<\/td>\n \u2705<\/td>\n \u2705<\/td>\n<\/tr>\n \n Tox-based account recovery<\/td>\n \u2705<\/td>\n \u274c<\/td>\n \u274c<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/h3>\n
Where ProtonMail is stronger<\/h3>\n
Where Tutanota is stronger<\/h3>\n
Where we’re stronger<\/h3>\n
.onion<\/code> service isn’t an afterthought \u2014 it’s the recommended way to use the service. ProtonMail offers an onion address but the service is primarily designed for the clearnet.<\/p>\n
\nWhat we don’t do \u2014 and why<\/h2>\n
\nWhy all of this matters in 2026<\/h2>\n
\nTry Onion Mail today<\/h2>\n