BSI checks email programs

The Federal Office for Information Security has tested how secure email programs are. They are apparently okay.


The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) has inspected several email programs more closely. Most of them enable secure handling of emails, login credentials, and malicious phishing or spam emails.

As the BSI states in the report, IT researchers initially identified 26 available email programs in a market analysis. From these, they narrowed down the test field by relevance, measured by average search interest in Germany: Apple Mail, Betterbird, Blue Mail, eM Client, Gmail, KMail, Mailbird, Outlook (new), Proton Mail, Spark Mail, Thunderbird, and Tuta Mail. These are also clients that are available free of charge.

The BSI then checked whether the programs offer transport and end-to-end encryption, meaning they establish encrypted connections with the server or can encrypt and decrypt emails entirely using OpenPGP or S/MIME, and whether they have tracking protection that, for example, removes tracking parameters in URLs or blocks tracking pixels. Furthermore, spam and phishing protection is important, as is whether emails and login credentials are stored encrypted. The BSI also considered the timely response to security vulnerabilities with software updates. The authority also considers “Usable Security,” meaning easily usable security measures, important. For this, the programs should, for instance, offer default settings with a high level of security.

The BSI installed the software under macOS, Ubuntu 25.04, and Windows 11 24H2 and checked the default settings. After installation, the analysts started the computers with an offline medium and performed a malware scan to ensure that no malicious software influenced the results. In contrast, the Mac systems were examined by the IT researchers in live operation.

After the review, the BSI concludes: “The security requirements set for email programs are largely met.” In the results presented in tabular form, “Spark Mail” is particularly noteworthy, as it does not support any special additional security features such as email encryption or spam and phishing protection. However, the BSI unexpectedly does not provide a critical assessment of Outlook (new), which transmits login credentials for IMAP accounts to Microsoft, allowing their cloud servers to scan all emails using artificial intelligence.

When looking for a suitable email program, the BSI also recommends paying attention to the additional security features that most programs offer.

Three weeks ago, the BSI addressed providers of web mail services in a whitepaper. Protection against phishing and identity theft is currently still implemented with gaps, and simple end-to-end encryption is not easy enough for users to utilize. Additionally, Germany's top IT security authority published a report on the security of password managers last week and found potential for improvement.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.