Secure & Confidential Email Inbox
Status: In Progress

On the security side, Gmail is enough. For confidentiality and privacy, however, nothing is for free.

There is always a compromise to be had, and when choosing both, the price goes up. The cheapest way (I found), is to set up your own mail server using one of the available control panels (cPanel, Centos, CyberPanel...).

The standard approach will require you to reveal the IP address of your server (unless you pay more for proxying), and in the worst case, your IP might get put in a spam list.

Encrypted Inbox with Tutanota

I've decided to go for the premium $1/month Tutanota for 5 secure encrypted inboxes, all sharing a 1GB storage. It might seem too little, but it's actually more than enough when managed properly. You can use my referral link for an free additional 1 month

You can follow their FAQ to see how to set up your own custom domain. I thought their video tutorial was clear enough that I don't have to explain it here.

There is one catch: Tutanota does not use IMAP/SMTP. So if you need to programmatically send emails on your website (transactional emails), you'll have to use another service for that.

Transactional Emails using Amazon Simple Email Service (SES)

Amazon SES's Free Tier offers 62000 emails/month. There are some additional fees for storing attachments. For my use, I plan to use it for outbound emails only and direct incoming emails to my Tutanota inboxes if needed.

I've somewhere (trust me) that if you send in the range of millions of emails per day, it's actually cheaper to set your own mail server outside AWS scope (correct me if I'm wrong). For all purposes. that won't be needed here.

  • From the console, search and go to Amazon SES
  • Go to Create Identity to verify your domain
    • I'm using the subdomain ""
    • Choose Easy DKIM and the key length
  • You'll be provided a list on CNAME records to add to your domain DNS. In my case, I'm asked to add ???? So this name has to resolve to the provided value.
  • Verification shouldn't take long (few minutes for me)
  • Since we have our own domain, we'll go ahead and add our own "MAIL FROM" subdomain. I went for You'll be asked to create MX and spf DNS entries for This domain will replace the in the Sent from field (it's usually a long ugly one and might be on the spam list of the recipient).

SMTP settings

The natural next step is to get your SMTP credentials: Go to SMTP settings and get yours. My smtp endpoint in this case is and my credentials are... Oups!

I've followed an old tutorial so far and their way of creating emails did not work (2023). The new approach is by creating a new identity and choosing "email address" this time. I'm using [email protected] with no verification since the domain has been verified already. You can also just send a test email using any alias that is on the verified domain.

While in the sandbox, you can only send to verified emails/domains. Since I'm already using Tutanota, it's straightforward.

You can use the following python script to send a test email:

from smtplib import SMTP_SSL
import ssl

smtp_server = ""
smtp_user = ""
smtp_password = ""
server = SMTP_SSL(smtp_server, port=465, context=ssl.create_default_context())
server.login(smtp_user, smtp_password)

server.sendmail(from_addr="[email protected]",
                to_addrs="[email protected]",
                msg="Bot message from no-reply"

Emails from outside EC2 will count towards the $0.10/1000 email pricing. We'll explore later how to do that via a Lambda function (it counts as EC2) to benefit from those free juicy 62k emails/month.