Strengthened phishing protection

The new system enables users to report messages as email phishing within the client.

To report an email as phishing, click on the three-dot button to the right and then on 'Report phishing'.

Based on these reports, phishing checks are performed both on the server, when external emails are received, and on the client, when the inbox is loaded.

To protect your privacy, these checks send no additional data to the server. The only data transferred is the email you actively report as phishing. Because that report does send data to the server, we show a warning before sending it, so that you do not report a confidential email by accident.

When an email is reported, we create signatures from it (hashes of different fields). When another user logs in, these signatures are downloaded. When you open an email, Tutanota calculates hashes of different email fields and compares them to the downloaded ones that have been reported. This happens locally on the client. If there are enough matches, the email is considered as phishing and marked accordingly.

We also have protections in place against gaming the system. You can whitelist individual emails if you believe they have been wrongly marked as phishing.

Warning signs about phishing

Another part of the strengthened phishing protection is that the full email address is now shown in all cases, even on mobile devices. Previously only the sender name was shown on mobile, even in the expanded view, and users had to click on a sender to see the full email address.

Improved spam handling

With this release, we are also introducing more information about email authentication. Previously, when an email had a failing or missing SPF, DKIM or DMARC record, we put the email into spam. Now, we show a banner with information about the missing or failing authentication. Emails with failing authentication are still put in the Spam folder, but emails with a missing authentication record arrive in the Inbox, unless they are classified as spam for other reasons. This leads to fewer false positives for spam.

We have also removed the warning triangle, which used to be shown when the technical sender differed from the FROM sender. The reason for this change is that it used to be shown too often and was not related to the DMARC status. The warning triangle is replaced by the information banner, which is more obvious and gives more insight into what might be wrong with this particular email.

Maximum privacy protection

We have implemented all these changes taking particular care about your privacy. To execute the phishing checks in your mailbox, no data is sent to the server to protect your privacy. The only data that is transferred is when you actively click to report an email as phishing.

At Tutanota we care for your privacy because we understand why privacy matters.