# email.tr Security: zero-knowledge architecture and end-to-end encryption

email.tr's slogan is "Türkiye's most secure email service", and the claim rests on measurable criteria: a zero-knowledge architecture, password-free login with SRP, encrypted content, hardware key support and published legal documents. Instead of absolute promises, we explain the design.

## Zero-knowledge architecture

- **Your password never reaches the server:** login runs over the SRP-6a protocol; instead of the password itself, the server receives a mathematical proof that you know it.
- **Keys are generated on your device:** your encryption keys are stored only in encrypted form, wrapped with a key derived from your password; the server sees only encrypted data.
- **Recovery words (BIP-39)** are held only by you. If the password and the recovery words are both lost, the encrypted content cannot be opened, by design; that is not a flaw but the price of the zero-knowledge model.

## End-to-end encryption and Vault Mode

- Subjects, bodies, attachment names and attachments are stored encrypted. Mail between email.tr users cannot be read on the server side; the protection of mail sent to external recipients depends on the recipient's server, and the interface marks this distinction with a badge.
- **Vault Mode (Ultra):** the top protection layer, which some users search for as "vault mail". Encryption happens entirely on your device; the data is locked before it leaves the device, and only the encrypted form reaches the server.

## Login security

- Two-step verification (TOTP): on the Premium and Ultra plans.
- **YubiKey / FIDO2 hardware keys (Ultra):** sign-in cannot complete without the physical key; this is the strongest layer against phishing.
- New device sign-in notifications, session management and brute-force protection.

## Infrastructure

Cloudflare's global network, WAF, rate limiting and tamper-evident hash-chained audit logs. System health is published on the /en/status page.

## An honest comparison with Proton Mail and Tuta

Proton Mail (Switzerland) and Tuta (Tutanota, Germany) are respected, privacy-focused services; they have applied the end-to-end encryption approach successfully for years. email.tr shares the same zero-knowledge seriousness; the differences are these: a .tr address, a Turkish interface and Turkish-language support, tools like calendar + drive + e-signature offered within the same subscription (e-signature is on the Ultra plan), and a service operated within the scope of Turkish law. We do not disparage competitors; we say we are the natural alternative for users who live in Türkiye or expect service in Turkish.

## The honest limit of our claims

We do not say "nothing can be hacked"; no serious service can. Our design is built so that a single breach does not turn into content exposure: the server sees only encrypted data.

Legal documents and contracts (including the KVKK privacy notice): https://mail.email.tr/sozlesmeler
