[mike-cardwell]

Loads external images. By Default. With no option to turn off.

Not a viable webmail client for anyone who expects privacy.

[edit] The email that it sends to external addresses does not have a text/plain part, only html

[edit] Stores your email address in session storage and then pre-fills next time you log in. Does not let you opt in or out and doesn't warn you that this will happen. Unsuitable for a "public" machine.

[edit] Nice, they support DANE. When I email a Tutanota user, or a Tutanota user emails me (@grepular.com), SMTP is forced to use SSL or fail, and the certificate is forced to verify with the fingerprint published in our DNSSEC secured DNS zones. No SMTP MITM's here.

[darklajid]

I'd say these things are fixable so far [1].

- Image loading: I'd assume that this is possible to implement, given the current implementation?

- text/plain & multipart mails: I'd expect the same, really. Doesn't sound too bad to build it.

- same for session storage

I agree with all your points, but these are things that are conceptually quite viable, imo. I'd expect these to be valid issues on Github [1] and reasonably easy fixes, no?

1: https://github.com/tutao/tutanota

[mike-cardwell]

Yeah, they can be fixed. FWIW, I used their feedback form to mention the automatic image loading privacy leak.

[MatthiasPfau]

I am one of the founders. Thanks for your feedback. We will fix this early next year!

[mike-cardwell]

FWIW, I discovered the image loading problem by using https://emailprivacytester.com/ with a test account. Might be worth testing any such changes that you make there. (I am the author of that website).