German Cybersecurity Agency Evaluates Security Features of Popular Email Clients

The Federal Office for Information Security (BSI) has conducted an extensive evaluation of commonly used email clients to assess their security standards. The assessment focused on how these programs handle sensitive information, defend against cyber threats such as phishing and spam, and manage data encryption.

As part of its market analysis, the BSI initially identified 26 available email clients. The final evaluation centered on a selection of widely used, freely accessible programs in Germany, including Apple Mail, Betterbird, Blue Mail, eM Client, Gmail, KMail, Mailbird, Outlook (new version), Proton Mail, Spark Mail, Thunderbird, and Tuta Mail. These email clients were chosen based on their popularity and relevance in the German market.

Security Criteria and Features Assessed

The BSI's evaluation examined whether the email programs support both transport encryption and end-to-end encryption: a secure connection to the mail server, and the capability to encrypt entire emails using standards such as OpenPGP or S/MIME. The analysis also considered the presence of tracking protection mechanisms, such as blocking tracking pixels and removing tracking parameters from URLs.
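To make the two tracking-protection mechanisms named above concrete, here is an added example in Python; it is not code from the BSI report or from any of the tested clients. It strips common tracking query parameters from links and flags remote images that look like tracking pixels. The parameter list (utm_*, fbclid, gclid, mc_eid, mc_cid, igshid), the pixel heuristics (1x1 or hidden remote images), and the sample HTML body are assumptions constructed for illustration, not the rules any evaluated client actually uses.

```python
"""Added example (not from the BSI report or any email client): a minimal
tracking-protection pass over an HTML email body.

Two defensive checks:
  1. Strip common tracking query parameters from links so that a click does
     not leak campaign or recipient identifiers.
  2. Flag remote <img> elements that look like tracking pixels (1x1 or
     hidden) so the client can refuse to fetch them when rendering.

The parameter list and pixel heuristics are assumptions chosen for
illustration; real clients ship longer, maintained lists.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed set of tracking parameters (illustrative, not exhaustive).
TRACKING_PARAMS = {"fbclid", "gclid", "mc_eid", "mc_cid", "igshid"}
TRACKING_PREFIXES = ("utm_",)


def strip_tracking_params(url: str) -> str:
    """Return url with known tracking query parameters removed."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in TRACKING_PARAMS and not k.startswith(TRACKING_PREFIXES)]
    # urlunsplit drops the '?' entirely when the remaining query is empty.
    return urlunsplit(parts._replace(query=urlencode(kept)))


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    """True for dimension strings like '1', '1px' or '0' (pixel-sized)."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def find_tracking_pixels(html: str) -> list:
    """Return src URLs of remote images that look like tracking pixels."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline (cid:, data:) images cannot phone home
        tiny = _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", ""))
        hidden = "display:none" in img.get("style", "").replace(" ", "").lower()
        if tiny or hidden:
            hits.append(src)
    return hits


# Constructed sample message body used for demonstration.
SAMPLE_HTML = """
<html><body>
<p>Your invoice is ready.</p>
<a href="https://shop.example/order?id=42&utm_source=newsletter&utm_campaign=spring&fbclid=abc">View order</a>
<img src="https://track.example/open?uid=123" width="1" height="1" alt="">
<img src="https://shop.example/logo.png" width="200" height="50" alt="logo">
<img src="cid:inline-photo" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    print(strip_tracking_params(
        "https://shop.example/order?id=42&utm_source=newsletter&fbclid=abc"))
    print(find_tracking_pixels(SAMPLE_HTML))
```

In a real client the flagged image sources would simply not be fetched until the user opts in, and link rewriting would be applied when the message is rendered or when a link is opened; the inline `cid:` image is deliberately left alone because it is embedded in the message and cannot report back to a server.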

Other critical factors included the effectiveness of spam and phishing protection, encryption of stored emails and login credentials, and the promptness of software updates in response to emerging vulnerabilities. The usability of security features was another key consideration, with emphasis placed on whether programs offer secure default settings that are straightforward for users to apply.

Testing Procedures Across Multiple Operating Systems

The BSI installed and tested these email clients on macOS, Ubuntu 25.04, and Windows 11 24H2. The software was assessed under default configurations to reflect typical user scenarios. For non-Mac systems, analysts performed malware scans using offline media to ensure the integrity of the testing environment, while Mac systems were examined during live operation.

The agency reported that the majority of tested email clients met most of the established security requirements. However, the evaluation highlighted some differences between the programs. For instance, Spark Mail was noted for lacking advanced security features such as comprehensive email encryption and robust phishing or spam protection.

Observations and Recommendations

While the report covered a range of security dimensions, it did not address certain aspects, such as the handling of user credentials by Outlook (new), which transmits IMAP account data to Microsoft servers for processing with artificial intelligence. The BSI did not provide further commentary on this particular practice within the scope of its evaluation.

The agency recommends that users consider the range of supplementary security features offered by each email client when selecting a solution for personal or organizational use. Features such as effective spam and phishing filters, tracking protection, and strong encryption are important for ensuring the confidentiality and integrity of email communications.

Ongoing Efforts in Digital Security

This assessment of email clients is part of the BSI's broader initiative to improve digital security across communication platforms. In recent publications, the agency has addressed gaps in phishing and identity theft protection among webmail providers and identified areas for enhancement among password managers.

The BSI continues to advocate for the implementation of accessible, user-friendly security features in digital communication tools, emphasizing the role of default secure settings in safeguarding users against evolving cyber threats.