Security

Here, security is not a feature.
It is the architecture itself.

Most services build the product first and bolt security on later. We did the opposite: we built a foundation where your password never reaches the server and content is encrypted on your device, then built the product on top of it.

email.tr/en/security
SRP-6a
Passwordless proof of identity
OpenPGP v6
End-to-end encryption
Argon2id
Key derivation
AES-256-GCM
Encrypted backups
FIDO2
Hardware keys
Zero-knowledge login

Your password
never reaches us.

In a classic system, your password travels to the server and is verified there; if the server is compromised, your password goes with it. Here, sign-in runs on the SRP protocol: your device mathematically proves it knows the password without ever revealing it. No password crosses the network, and no password exists in our database.

Your encryption keys are also born from that same password, derived with Argon2id, and they never leave your device either. This model is called zero-knowledge: we are the Türkiye-based alternative to the approach used by services like Proton Mail and Tuta.

  • The password is never written to the network or the database
  • Progressive lockout against brute force: 5 failures, 15 minutes; 20 failures, 24 hours
  • Instant notification email on every new device sign-in
On all plans, standard for every account
Your device
Server
a9f2…e7
End-to-end encryption

Subject, body, attachments:
all locked.

This is exactly what end-to-end encrypted email means: mail between email.tr users is encrypted on your device and can only be opened with the recipient's key. Not just the body: the subject line, the attachment name and the attachment content are encrypted too. Our servers hold only the encrypted form.

When mail from outside cannot arrive encrypted, we don't hide it: you see a clear "not encrypted" badge on it. And for your most sensitive encrypted mail there is a separate safe: Vault Mode, the vault mail layer on the Ultra plan. To see what this architecture means in daily use, visit the Mail page.

  • Subject + body + attachment name + attachment content encrypted
  • Even search doesn't break the encryption: the index is decrypted on your device
  • Vault: a separate password-protected safe with its own 12-word recovery code; it locks itself when idle
On all plans; Vault on Ultra
Only the recipient's key can open it
Recovery

24 words:
the spare key to your vault.

The password is yours, the key is yours; but what if you forget the password? When you open your account, we give you a 24-word recovery phrase. Those words are the second lock on your encryption key: even if you lose your password, your mail comes back with them.

Those words never reach us either; they live only on your piece of paper. When you change your password, your mail is not re-encrypted, only the key on top of the lock changes: it takes seconds, and nothing is lost.

  • BIP-39 standard: 24 words, generated on your device
  • Password changes are instant; content is never re-encrypted
  • The recovery code can be regenerated on request; the old one becomes invalid immediately
On all plans
Two-step verification

If you like, carry the key
in your pocket.

A second layer on top of your password: a TOTP verification code (with your authenticator app) or a physical security key (FIDO2 devices like YubiKey). The physical key is the strongest: a code can be copied, a key cannot. To see which layer comes with which plan, compare the plans.

  • TOTP verification codes and single-use backup codes
  • FIDO2/WebAuthn hardware key support
  • Close all sessions with one click if a sign-in looks suspicious
TOTP on Premium and Ultra; hardware keys on Ultra
Your account's black box

Every critical event, in a sealed
chain.

Sign-ins, password changes, devices: every security event on your account is written to an audit chain whose records are linked together with hashes. If a single record in the chain is deleted or altered, the integrity check exposes it.

The same discipline applies on our side: backups are encrypted with AES-256-GCM, and our own system changes are recorded with the same chain logic.

  • Tamper-evident hash chain
  • Device list and session management in your hands
  • Full compliance with legal retention periods for traffic logs
On all plans
SHA-256
The invisible layers

Turned away before they reach your door.

Good security is usually invisible: attacks end at the edge before they ever reach you.

Global edge protection

Traffic is filtered at the edge of one of the world's largest networks: WAF, rate limits and bot filters act on every request before we even see it.

A domain that can't be impersonated

Our DMARC policy is at its strictest setting: mail sent from a fake "email.tr" address is turned away at the door by receiving servers.

Certificate lock

CAA records limit which authorities may issue certificates for us; forged certificate issuance is blocked from the start.

Encrypted backups

Regular backups are encrypted with AES-256-GCM; the key is kept offline. Whoever reaches the backup cannot reach the content.

New device alert

You are notified the moment your account is accessed from a new device; if you don't recognize it, you close all sessions with one click.

Ad-free business model

A service that earns from subscribers rather than ads has no need to sell your data. No trackers, no profiling.

An honest word

Anyone who says "100% secure"
is lying to you.

We don't say it. Instead, we shrink the attack surface through architecture: a password we never hold cannot be stolen from us, and content that sits on the server only in encrypted form cannot be exposed in the clear. The risks that remain are managed with layer upon layer of controls and regular audits. Security is not a destination; it is a discipline earned anew every day.

security.txt is live; responsible disclosure channel [email protected]

Founded to be Türkiye's
most secure email service.

Privacy is not a luxury; it is the default. Open your account, and every layer on this page is with you from day one.

Frequently asked questions

What does zero-knowledge mean?

Your password and encryption keys never reach the server; content is stored on the server only in encrypted form. email.tr is the Türkiye-based alternative to the zero-knowledge approach used by services like Proton Mail and Tuta.

How do I choose a secure email service?

Look for three things: does your password ever travel to the server, is content stored encrypted on the server, and can the claims be audited. Proton Mail and Tuta are well-known examples of this approach; email.tr follows the same zero-knowledge model as an alternative from Türkiye, and the service is provided in compliance with Turkish law and KVKK (legal documents).

Which plan includes YubiKey and Vault Mode?

YubiKey (FIDO2) hardware keys and Vault Mode are available only on the Ultra plan; TOTP two-step verification is on Premium and above. For all the layers, compare the plans.