Anonymous Email Services with Onion Addresses - 2026 Comparison

Proton Mail (protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion) provides full access to Proton Mail functionality through Tor. The onion address is supported as an official feature, not an unofficial workaround. When accessed through this address, Proton's servers do not log the connecting IP address because they receive connections originating from Tor exit nodes, not directly from the user's ISP.

Proton Mail provides end-to-end encryption between Proton Mail users (PGP implementation), encryption at rest for all stored email, zero-access encryption meaning Proton cannot read email content, and a strong track record of resisting account disclosure requests. The 2021 case where Proton provided metadata (not content) to Swiss authorities when served with a legally valid Swiss court order revealed that Proton does collect some metadata even in accounts accessed through Tor.

Free accounts on Proton provide 1GB storage and limited sending capacity. Paid plans provide more storage and features. For activists and journalists who need the combination of established infrastructure, end-to-end encryption, and Tor access, Proton with the onion address is generally the most reliable option in 2026.

Riseup (vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion) is a privacy and security email service operated by activists for activists. Unlike commercial providers, Riseup is a collectively run non-profit that has explicitly stated it would shut down rather than compromise user data. This organizational stance provides a different trust model than commercially operated services.

Account creation requires an invitation from an existing account holder. This invitation-only model serves as a trust filter: Riseup accounts are distributed through networks of trusted individuals and organizations, making mass account creation by bad actors significantly harder than with open registration services. The limitation is that getting access requires having connections in the communities Riseup serves.

Riseup provides 1GB email storage, IMAP and SMTP access, and a Tor-accessible webmail interface. The service does not encrypt stored email end-to-end (unlike Proton), meaning Riseup technically could access email content if compelled. However, their stated organizational policy is to retain as little user data as possible and to resist all but legally mandatory disclosure requirements.

For organizations and advanced individuals who need complete control over their email infrastructure, self-hosting an email server as a Tor hidden service provides maximum operational independence. The trade-offs are significant: deliverability to clearnet addresses is problematic (clearnet mail servers may reject email originating from .onion relays), setup and maintenance require significant technical expertise, and the operator becomes responsible for all aspects of security and availability.

A self-hosted email hidden service is most appropriate for intra-organization communication where all parties use the same .onion mail server and external email delivery is not required. This setup is common in high-security operational environments where email isolation from the clearnet mail infrastructure is a deliberate design choice, not a limitation.

The technical stack for a self-hosted .onion email server: Postfix or Dovecot for SMTP/IMAP, configured to listen on localhost only, with the Tor hidden service providing external connectivity. Encrypt stored mail with GPG at the filesystem level. Generate new vanity or random .onion addresses for each use case that requires a separate mail identity.

Even with onion access, email has structural anonymity limitations. Email headers (From, To, Subject, Date, Message-ID) are metadata transmitted with every message that can reveal communication patterns, timing, and social graphs even when content is encrypted. These headers are visible to every mail server through which a message passes, regardless of transport encryption.

Correlation attacks remain a theoretical risk. Even if individual messages are encrypted and accessed through Tor, systematic analysis of when messages are sent, their approximate size, and other metadata can reveal communication patterns over time. For users with adversaries capable of global passive surveillance, email is an inherently limited anonymity tool regardless of the onion access mechanism.

For high-security communications, consider alternatives to email: Tor-accessible Signal or Signal fork (Session), XMPP with OMEMO encryption over .onion, or Briar which routes entirely through Tor and eliminates server-side metadata. These tools have weaker usability and interoperability than email but stronger anonymity properties for specific use cases where email's structural limitations are unacceptable.