Privacy Stacks
Threat-Model StacksBeginner

Escape the Gmail Inbox: Encrypted Email and Aliases

A threat-model stack for leaving Gmail — an encrypted provider that can't read your mail, paired with an alias layer so no signup ever sees your real address.

July 7, 202620 minutesBeginner

Escape the Gmail Inbox: Encrypted Email and Aliases

Gmail reads your inbox to profile you, and your real address is the tracking key every site you sign up for quietly shares. This stack fixes both.

Who this is for, and what it defends against

This is for anyone leaving Gmail or Outlook for private email, and for anyone who wants a per-signup alias layer so their real address stops leaking across the web.

It defends against two exposures:

  • Inbox scanning and profiling — a provider that reads mail content to build an advertising picture of you.
  • Real-address exposure — every signup that gets your true address turns it into a cross-site tracking identifier and a breach liability. One leaked list and your address is in a hundred databases.

What it does not cover, honestly: encrypted email is not magic. Mail to a recipient whose provider does not support encryption travels in the clear, and subject lines and routing metadata are often still visible. Migrating years of mail and rerouting logins takes an afternoon — plan for it rather than switching cold.

Layer 1 — A provider that cannot read your mail

The foundation. Pick one; you do not need four.

Proton

Privacy-by-default encrypted mail with a large surrounding ecosystem. The easiest landing spot for most people leaving Gmail, and the least disruptive to daily habits.

Tuta

End-to-end encrypted mail, calendar, and contacts that encrypts more of the mailbox than most rivals, including the subject line. Fully open-source (GitHub). The tradeoff: it uses its own encryption scheme, so interoperating with outside PGP users is limited.

Mailbox.org

A secure provider that serves both personal and business needs, with strong standards support if you want to bring your own mail client rather than live in a web app.

Mailfence

End-to-end encrypted email with built-in OpenPGP key management — a fit when PGP interoperability with other people actually matters to you.

Layer 2 — A client to tie it together

Mozilla Thunderbird

A free, open-source desktop client with native encryption support, so a standards-based provider like Mailbox.org or Mailfence runs in one place alongside the rest of your mail. Open-source.

Layer 3 — An alias for every signup

This is the layer single-provider pages skip. Never hand a site your real address again.

SimpleLogin

Generate an unlimited number of aliases that forward to your real inbox; kill any one the moment it starts drawing spam or shows up in a breach. Open-source.

Firefox Private Relay

Masked email — and phone — from Mozilla, integrated into Firefox for one-click alias creation right at the signup box. Open-source (GitHub).

Addy

Anonymous email forwarding with generous free limits, and self-hostable if you want full control of the masking layer. GitHub.

ForwardEmail

Private forwarding built around your own custom domain, so your aliases are not tied to a provider you might one day leave. GitHub.

Where these overlap — and what it costs

Providers and alias tools solve different problems. Do not substitute one for the other.

Choice            Pick for…              Alternative        Cost
───────────────   ────────────────────   ────────────────   ─────────────────
Proton            easiest migration      Tuta               ecosystem lock-in
Tuta              deepest encryption     Proton             limited PGP interop
Mailbox.org       bring-your-own client  Proton             more setup
SimpleLogin       provider-neutral       Firefox Relay      one more service
ForwardEmail      own-domain control     Addy               you run the domain

The honest call: a provider decides who can read your mail, an alias layer decides who ever learns your address. Doing only one leaves half the door open. Pairing them is the whole point of this stack — and it is exactly the combination single-provider pages avoid, because a masking layer that works with anyone dilutes their own signup.

FAQ

What is the most private email provider?

There is no single winner — it depends on what you weigh. Proton is the smoothest migration from Gmail; Tuta encrypts more of the mailbox and is open-source; Mailbox.org suits people who want to run their own client. Match the provider to your threat model, not to a leaderboard.

Are email aliases the same as a burner email?

Close, but better. A burner is a throwaway account you abandon. An alias from SimpleLogin or Addy forwards to your real inbox, so you keep receiving mail while the site only ever sees a masked address you can disable at will.

Can I keep my Gmail address while going private?

Yes, as a transition. Point a forwarding alias at your new encrypted inbox and update logins gradually. The goal is to stop handing out your Gmail address for new signups, then wind the old one down once nothing important still routes through it.

Is encrypted email actually end-to-end encrypted?

Between two users on the same encrypted provider, or two people exchanging PGP keys, yes. Mail sent to an ordinary Gmail or Outlook recipient is not end-to-end encrypted, and metadata like subject lines and routing can still be exposed. Knowing that boundary is what keeps you honest about your own exposure.

Do I need PGP to use these?

No. Proton and Tuta handle encryption automatically inside their networks. PGP only matters if you need to exchange encrypted mail with people on other providers — that is where Mailfence and a client like Thunderbird earn their place.

Take this stack with you

Want the complete private-email stack as a printable checklist — every tool, why it made the list, and the order to migrate? No account. No tracking. We do not track opens, and we never share your address.

Tags

encrypted-emailemail-aliasesprivate-emailgmail-alternativethreat-model

Build your stack

Browse the vetted directory to compare every tool, or run a free check on your own exposure.