Hushmail is a secure email service that allows you to send encrypted emails to all of the email addresses in your contact book. When it comes to security, the service gets a lot right, with the tried-and-true OpenPGP encryption standard at the ready. There are some problems with price and privacy, though, pushing the encrypted email provider down on our list of the most secure email services.
In this Hushmail review, we’re going to cover our experience after taking the service out for a spin. In addition to talking about setting up an email account, we’ll dive into the specifics of security and privacy so you can determine if Hushmail is the right service for you. You may also want to jump straight to our ProtonMail review, which we currently rate as the top secure email service.
Strengths & Weaknesses
- HIPAA compliance
- Form builder
- POP/IMAP support
- Native iOS app
- Unlimited email aliases
- A lot of data collection
- A little expensive
- No native Android app
Hushmail is packed with features, justifying the higher-than-average price tag. There are some minor feature differences between each plan — Small Business Plus comes with email archiving while Small Business doesn’t — but for the most part, the features are static across plans. Here are the highlights.
Sending Emails to Non-Hushmail Users
The problem with end-to-end encryption is that usually both users need to be on the same application to send messages back and forth. That’s not an issue for Hushmail. No matter who your recipient is or what email provider they use, you can send them an encrypted email with Hushmail.
In short, the process works like this. Under each email you draft, there’s a checkbox for encryption. When sending to another Hushmail account, the box is automatically checked. When sending to an external email address, you have to manually check the box. Whoever you’re sending the email to will receive a link instead of your message contents.
When they click on the link, they’ll set a passphrase. From there on out, they can open, read and reply to your emails as if they had a Hushmail account. If you want to be extra safe, you can add a security question to emails, too.
Hushmail Web, iOS and POP/IMAP
Hushmail is, for the most part, a web-based email service. Your account contents are accessible through the web interface regardless of operating system. You can also manage your email on the go with a dedicated iOS application. Unfortunately, Hushmail doesn’t have a native Android application.
You can still use Hushmail on all of your devices, though. It supports POP/IMAP, so you can use any desktop or mobile email application that you want. Still, we’d like to see a native Android app in the future.
One of the more unique features of Hushmail is that your account comes with some number of web-based secure forms. You can build the form using a drag-and-drop editor, similar to a website builder. These forms are encrypted, and you can attach them to any email you’re sending out. Although they don’t make much of a difference for personal users, they’re great for businesses.
Intake forms, in particular, are excellent with Hushmail. With Hushmail’s e-signature support, you can accept intake forms, consent forms and more, straight from your inbox. The form editor is, thankfully, dead simple to use, and there are a number of preset templates ready to go.
Hushmail and HIPAA
One of the big reasons to use Hushmail is that it offers HIPAA-compliant email services. Hushmail for Healthcare, as we’ll get to in a moment, is one of the most expensive services offered on the Hushmail.com site, with plans ranging from $10 per month up to hundreds of dollars per month. The price is worth it, though.
Included with all Hushmail accounts are secure forms, and Hushmail for Healthcare also includes HIPAA-compliant secure forms. Your forms automatically have the Business Associate Agreement necessary for HIPAA, allowing you to take in patient information through an online form.
Additionally, all plans include email archiving so that you always have a record of the correspondence with your patient. Although Hushmail offers business email for multiple industries, healthcare is the most important.
Hushmail Features Overview
- Encryption: OpenPGP
- End-to-End Encryption
- Zero Knowledge
- Custom Domain Support
- Supported Platforms: Android, Web
- Open Source: No
- Free Plan: No
- Email Support
- Live Chat Support: No
- Phone Support
- Forum: No
Hushmail is all about business subscriptions, so although there’s a personal plan, it clearly takes a back seat to those plans targeted at enterprises. Starting with the personal plan, there’s only one option: Hushmail Premium. It’s cheap at only $49.99 per year, and it covers all of the essentials, including 10GB of storage, an ad-free account and two secure web forms.
The kicker is that there isn’t a free plan, which is the same with CounterMail (read our CounterMail review). Unlike ProtonMail or Tutanota, you can’t sign up for Hushmail for free (read our Tutanota vs ProtonMail piece). There’s a 14-day free trial, no credit card required, but after that, you’ll need to pay. Thankfully, Hushmail maintains a 60-day refund policy, so you can get your money back in case you don’t like the service.
Things get more interesting with the business plans. Essentially, they’re the same as a personal plan, plus a few extras, including custom domain support, email forwarding, administrative tools and catch-all email. What’s weird is that the price per user for Hushmail Small Business is more expensive than Hushmail Premium.
The fact that Hushmail doesn’t offer any tiered discounts worsens the matter. You’re paying the same price per user no matter if you have five or 500 employees, which is a shame. The pricing for Small Business Plus doesn’t make much sense, either. For an extra $2 per user per month, Plus simply comes with email archiving.
You could solve that problem with an online backup service for only a few dollars per month (read our Backblaze review if that’s what you’re after).
The price isn’t the problem with Hushmail. It’s how the cost is distributed. With the current pricing scheme, it’s actually cheaper to buy Hushmail Premium accounts for all of your employees rather than signing up for a Small Business account. Small Business has some perks, including administrative tools, but still, the pricing doesn’t make sense.
Thankfully, the business plans are refundable for 60 days. However, there’s also a one-time setup fee of $9.99 for business subscriptions.
Hushmail for Healthcare, Law and Nonprofits
Hushmail has straightforward pricing for small businesses and individual users. Things get confusing with industry-specific email, though. In addition to the three plans detailed above, Hushmail offers services for healthcare, law and nonprofits. These aren’t just reskins of the small business plans. Rather, they offer features specific to a certain industry for a different price.
For example, Hushmail for healthcare is compliant with HIPAA, while Hushmail for law includes a signed agreement claiming attorney-client privilege. The oddball is Hushmail for nonprofits. This plan doesn’t offer any specific features, but it’s cheaper than a standard Small Business plan ($2 less per month per user).
For all other configurations, Hushmail offers Enterprise plans. Although the name suggests that these plans are only for massive corporations, that isn’t the case. Enterprise plans are available through contact only, allowing you to customize a plan that meets your business’ needs.
Ease of Use
Signing up for Hushmail is simple with an easy three-step process. In addition to entering your account information and creating a new email address, you’ll also be asked to set up two-factor authentication. Unfortunately, this is handled over text instead of the best 2FA apps, but it’s still nice to see.
After using the Hushmail login, you’ll be booted to the web app. If you’ve used another webmail service, it should feel pretty familiar. Hushmail doesn’t have a lot going on in the app. There are few tabs in the left-side menu and multiple filtering options, but that’s it. Hushmail doesn’t have a complex interface, and it doesn’t need to.
There are a few ways you can make it your own, though. You can further organize your emails by adding folders, either above the current hierarchy or within it. There’s plenty to mess around with in the settings, too, from email address alias to automatic replies.
Then, there are some things that don’t make sense. For instance, you’re asked to authenticate with your phone number during signup, but yet 2FA isn’t enabled by default. There’s also a severe lack of spam settings — you can simply choose where suspected spam goes — and no way to personalize the interface.
Hushmail is easy to use, but it doesn’t have a lot going on. At least on the personal plan, it feels like the bare minimum, which a tough sell. There are plenty of free, open-source alternatives that accomplish the same thing from a security and usability standpoint, pushing Hushmail back.
If security is your primary concern, we recommend reading Hushmail’s technical documentation. We’ll cover the basics here, but if you’re looking for a specific policy or compliance, the technical papers are the best place to check. They’re dense with information, but when it comes to email security, that’s a good thing.
Starting at the top, Hushmail provides end-to-end encryption with OpenPGP. Each recipient has a unique key, and they need that key to match with the sender to open the email.
As is the case with all OpenPGP implementations, only the email body and attachments are encrypted. Recipients and subject lines aren’t encrypted, at least not in the same manner as the body (read our description of encryption for more).
Encryption happens at rest and in transit. At rest, it’s OpenPGP, and in transit, it’s SSL/TLS. In addition to the standard SSL/TLS tunnel, Hushmail provides other security features, including forward secrecy, certificate pinning and HTTP Strict Transport Security (HSTS). The last, in particular, protects against downgrade and other man-in-the-middle attacks.
Of course, your account is protected by a password, and Hushmail uses a zero-knowledge model to protect against fraud. In short, Hushmail stores a hash of your password for authentication. Although Hushmail doesn’t go as far as the best password managers, a hashed password is enough, in most cases.
Encrypting for Non-Hushmail Users
Hushmail’s security system works great for Hushmail-to-Hushmail communication, but things work a bit differently when sending to a third-party email service. When sending a message externally, you don’t actually send it to the recipient. Rather, you send it to Hushmail’s servers, and Hushmail deals with the authentication from there.
As explained in the “features” section above, those with a different email service can view your message by clicking a link and setting a password. This link goes to Hushmail’s servers, where the recipient can decrypt the message.
In practice, this means that your emails are always protected by OpenPGP, no matter if you’re sending to another Hushmail address or to an external email account.
Hushmail isn’t the most private email service around, but it takes more steps to secure your information than Gmail does.
Starting with account creation, Hushmail records your IP address and all the information on the intake form. When using the service, Hushmail records account actions, email subjects, attachment file names, email addresses, account usernames, URLS in unencrypted email bodies and a slew of browser metadata.
Basically, Hushmail has plenty of probes in the service to monitor your activities. Not that it actively does so, though. For example, if you’re participating in activities punishable under the laws of British Columbia — where Hushmail is located — your account may be monitored. Of course, illegal activity is against Hushmail’s terms of service, so it makes sense why this is the case.
The amount of data is, frankly, a little shocking, but Hushmail has some safeguards in place to protect you. Your information is never shared with any third party other than to prevent account abuse, and your data is never sold to advertisers. You’re still protected from connection snooping, government surveillance programs and unauthorized content analysis.
Of course, as a site dedicated to online security, we prefer less collection over more. There are enough safeguards, thankfully, to protect you from mass surveillance and networking snooping. However, your data is still collected and processed.
Hushmail is a secure email service, but not a private one. For personal use, it’s hard to justify a $49.99-per-year price tag when there are more private, more feature-rich options for free. It’s clear where the focus is, and it isn’t on individual users.
The focus is on businesses, particularly those in the healthcare and legal fields. For this purpose, Hushmail is great, allowing you to easily communicate with clients and patients through an encrypted channel. The price is steep, though, with no tiered discounts for large businesses.
What do you think of this Hushmail review? Are you going to give the free trial a shot? Let us know in the comments below and, as always, thanks for reading.
What Is Hushmail Good For?
Hushmail is good for sending encrypted emails and secure forms. Unlike standard webmail services, your emails are protected with OpenPGP encryption, meaning no one but the intended recipient can see the message contents or attachments.
Is Hushmail Free?
No, Hushmail isn’t free.
How Much Does Hushmail Cost?
A personal subscription to Hushmail costs $49.99 per year. There are various business plans, too, ranging from $3.99 per month per user, up to $9.99 per month per user.