Most services build the product first and bolt security on later. We did the opposite: we built a foundation where your password never reaches the server and content is encrypted on your device, then built the product on top of it.
In a classic system, your password travels to the server and is verified there; if the server is compromised, your password goes with it. Here, sign-in runs on the SRP protocol: your device mathematically proves it knows the password without ever revealing it. No password crosses the network, and no password exists in our database.
Your encryption keys are also born from that same password, derived with Argon2id, and they never leave your device either. This model is called zero-knowledge: we are the Türkiye-based alternative to the approach used by services like Proton Mail and Tuta.
This is exactly what end-to-end encrypted email means: mail between email.tr users is encrypted on your device and can only be opened with the recipient's key. Not just the body: the subject line, the attachment name and the attachment content are encrypted too. Our servers hold only the encrypted form.
When mail from outside cannot arrive encrypted, we don't hide it: you see a clear "not encrypted" badge on it. And for your most sensitive encrypted mail there is a separate safe: Vault Mode, the vault mail layer on the Ultra plan. To see what this architecture means in daily use, visit the Mail page.
The password is yours, the key is yours; but what if you forget the password? When you open your account, we give you a 24-word recovery phrase. Those words are the second lock on your encryption key: even if you lose your password, your mail comes back with them.
Those words never reach us either; they live only on your piece of paper. When you change your password, your mail is not re-encrypted, only the key on top of the lock changes: it takes seconds, and nothing is lost.
A second layer on top of your password: a TOTP verification code (with your authenticator app) or a physical security key (FIDO2 devices like YubiKey). The physical key is the strongest: a code can be copied, a key cannot. To see which layer comes with which plan, compare the plans.
Sign-ins, password changes, devices: every security event on your account is written to an audit chain whose records are linked together with hashes. If a single record in the chain is deleted or altered, the integrity check exposes it.
The same discipline applies on our side: backups are encrypted with AES-256-GCM, and our own system changes are recorded with the same chain logic.
Good security is usually invisible: attacks end at the edge before they ever reach you.
Traffic is filtered at the edge of one of the world's largest networks: WAF, rate limits and bot filters act on every request before we even see it.
Our DMARC policy is at its strictest setting: mail sent from a fake "email.tr" address is turned away at the door by receiving servers.
CAA records limit which authorities may issue certificates for us; forged certificate issuance is blocked from the start.
Regular backups are encrypted with AES-256-GCM; the key is kept offline. Whoever reaches the backup cannot reach the content.
You are notified the moment your account is accessed from a new device; if you don't recognize it, you close all sessions with one click.
A service that earns from subscribers rather than ads has no need to sell your data. No trackers, no profiling.
We don't say it. Instead, we shrink the attack surface through architecture: a password we never hold cannot be stolen from us, and content that sits on the server only in encrypted form cannot be exposed in the clear. The risks that remain are managed with layer upon layer of controls and regular audits. Security is not a destination; it is a discipline earned anew every day.
Privacy is not a luxury; it is the default. Open your account, and every layer on this page is with you from day one.
Your password and encryption keys never reach the server; content is stored on the server only in encrypted form. email.tr is the Türkiye-based alternative to the zero-knowledge approach used by services like Proton Mail and Tuta.
Look for three things: does your password ever travel to the server, is content stored encrypted on the server, and can the claims be audited. Proton Mail and Tuta are well-known examples of this approach; email.tr follows the same zero-knowledge model as an alternative from Türkiye, and the service is provided in compliance with Turkish law and KVKK (legal documents).
YubiKey (FIDO2) hardware keys and Vault Mode are available only on the Ultra plan; TOTP two-step verification is on Premium and above. For all the layers, compare the plans.