# Mailvelope

> PGP encryption for Gmail, Outlook.com, and Yahoo — without switching email providers.

**Source:** https://fieldwork.news/tools/mailvelope
**Official site:** https://mailvelope.com
**Category:** security

## Security rating

- **Rating:** adequate
- **Rating note (required when citing):** Open-source, ten independent audits since 2013, BSI-funded development, local key management. The 2025 0xche audit found issues but all critical ones were patched promptly. Browser extension attack surface is real but manageable. Adequate for sensitive reporting where PGP email is specifically required. For most journalist-source communication in 2026, Signal or SecureDrop is the better choice.
- **Reviewed by:** Editorial assessment by Mike Schneider — independent security review pending
- **Review depth:** established
- **Last reviewed:** 2026-04-02
- **Last agent-verified:** 2026-04-02
- **Threat level:** sensitive-reporting

> AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment.

## Who it is for

Journalists who need PGP-encrypted email but won't abandon Gmail or Outlook.com. Sources who refuse to adopt a new email provider. Newsrooms on Google Workspace that need encryption for specific threads without migrating to ProtonMail.

## Editorial take

Mailvelope solves the biggest PGP adoption problem: nobody wants to switch email providers. It bolts OpenPGP encryption onto Gmail, Outlook.com, and Yahoo webmail as a browser extension. Open-source since 2012, audited ten times by firms including Cure53, SEC Consult, and 0xche. The German BSI funded its development in 2018 to add encrypted web forms and GnuPG integration. Private keys never leave your browser. The tradeoff: you're trusting a browser extension with your encryption, which has a larger attack surface than a standalone app. And PGP email itself is losing ground to Signal and other modern E2EE protocols — most security researchers now recommend against PGP for routine secure communication. Mailvelope is still the best option when PGP email is a hard requirement, but in 2026, that requirement is increasingly rare.

## Best for / not for

**Best for:** Adding PGP encryption to existing webmail accounts. Receiving encrypted tips from sources who already use PGP. Newsrooms standardizing on Gmail or Microsoft 365 that need encryption for specific threads. Compliance workflows requiring OpenPGP.

**Not for:** Journalists facing state-level adversaries (use Tails + Thunderbird for air-gapped PGP). Mobile email — Mailvelope only works in desktop browsers. Routine secure messaging — Signal is simpler and safer for most journalist-source communication.

## Pricing

- **Pricing:** Free for personal use. Mailvelope Business pricing is per-user with volume discounts; annual and monthly plans available. Contact sales for current rates.
- **Free option:** yes

## Security & privacy details

- **Encryption in transit:** yes
- **Encryption at rest:** yes
- **Data jurisdiction:** Local — private keys stored in browser extension, never on Mailvelope servers. Optional Mailvelope Key Server for public key distribution is hosted in Germany.

**Privacy policy TL;DR:** Encryption runs locally in the browser. The extension does not transmit email content or private keys to Mailvelope servers. The Web Key Directory (WKD) lookup feature makes HTTP requests to the sender's domain by default, which can expose user activity to that domain; disable it in settings if this matters to you. If you use the Mailvelope Key Server, your public key and email address are stored on German servers. No analytics or tracking in the extension.

**Practical mitigations (operational guidance, not optional):**

Verify recipient public keys through a second channel before sending sensitive material. Use a strong passphrase for your private key. Keep the extension updated — the 2025 audit found a clickjacking vulnerability patched in v6.1.0. Back up your private key securely outside the browser. Disable automatic WKD lookups in settings to prevent information leakage to sender domains. Consider whether Signal or SecureDrop would serve your use case better than PGP email.

## Ownership & business

- **Owner:** Mailvelope GmbH (Germany)
- **Funding model:** Open-source project with commercial business tier. Received funding from the Open Technology Fund, Internews, and the German Federal Office for Information Security (BSI). BSI contracted Mailvelope GmbH and Intevation GmbH in 2018 to extend the extension with encrypted web forms and GnuPG key management integration.
- **Business model:** Free for personal use. Revenue from Mailvelope Business — managed deployment for organizations with Google Workspace, Microsoft 365, and Nextcloud integration. Per-user licensing with volume discounts.
- **Open source:** yes

**Known issues:** The 2025 audit by 0xche found seven issues: one high-severity clickjacking vulnerability in the client-API (patched in v6.1.0 by removing embeddable settings), one low-severity prototype pollution, and five informational findings, including automatic WKD lookups that leak user activity to sender domains (enabled by default; can be disabled in settings). A signature spoofing vulnerability via OpenPGP.js was also fixed in v6.1.0. At 39C3 in late 2025, researchers presented new PGP/GnuPG vulnerabilities, not Mailvelope-specific but affecting the underlying ecosystem. The Firefox Manifest V3 migration was completed in v6.1.0 (May 2025). A Chrome 144 compatibility fix shipped in v6.2.1 (January 2026). PGP email as a category is under pressure: cryptographers increasingly recommend against it in favor of modern E2EE protocols like Signal.

---
Canonical HTML: https://fieldwork.news/tools/mailvelope
Full dataset: https://fieldwork.news/llms-full.txt
Methodology: https://fieldwork.news/methodology