Get ahead of the new NIS2 regulation!

BSI Analysis 2026: Why Choosing the Right Email Client Has Become a Security Issue for SMEs
Key takeaways at a glance
- A critical line of defense: Email clients act as an essential security layer against cybercrime, since email is still the number one channel for phishing attacks.
- Encryption standards matter: Most programs support end-to-end encryption (E2EE) via S/MIME or OpenPGP—vital for protecting trade secrets and confidential business data.
- Data sovereignty is central: Whether emails are stored locally or synchronized via cloud services (e.g., Outlook) has a major impact on control over company data.
- Prevention through features: Blocking external images and warning users about suspicious links reduces the risk of tracking and social engineering.
- Update discipline is non-negotiable: Regular updates are essential to patch newly discovered vulnerabilities in your communication stack quickly.
Why this matters for SMEs right now
In 2026, an email address is far more than a communication channel – it’s the anchor of a company’s digital identity. Cloud services, banking, customer communication, and internal workflows often all depend on access to the inbox. The BSI emphasizes that email remains a prime target for cybercriminals, with an estimated 150 million active email addresses in Germany.
For SMEs, the risk is especially acute. Around 12% of victims of cybercrime in 2024 reported being affected by phishing. One successful attack can mean more than lost data – it can bring day-to-day business operations to a halt. That’s why “security by design” and “security by default” in email programs are no longer a theoretical debate – they are a business necessity.
The central role of the email client in a business
An email client is much more than a user interface. It manages credentials, consolidates multiple accounts, and structures communication across devices. For an SME, it also functions as an archive and a central command hub. In Q2 2025, the BSI identified 26 products on the market and conducted an in-depth analysis of the 12 most relevant – from Apple Mail to Tuta Mail.
The goal of this investigation is to create a foundation for digital consumer protection. The key insight: email security doesn’t end when a message is sent – it starts with choosing the tool that processes it.
Encryption: The shield for trade secrets
Confidentiality is the top priority. The BSI clearly distinguishes between transport encryption and content encryption.
Transport encryption (TLS)
All 12 tested programs support transport encryption via TLS. This secures data in transit between the email client and the mail server (point-to-point). Without this baseline, every email would be like a postcard—readable by anyone who handles it along the way.
End-to-end encryption (E2EE)
True protection for sensitive information comes only with E2EE. Here, the message content is encrypted on the sender’s device and can only be decrypted by the recipient, meaning even the email provider cannot access it.
- S/MIME: A certificate-based standard commonly used in business environments to ensure authenticity and integrity.
- OpenPGP: A decentralized model (“web of trust”) that does not rely on a central authority.
The BSI found that 9 out of 12 programs enable E2EE use, but the level of integration (native vs. plugin) varies significantly. Clients such as Thunderbird, Betterbird, and eM Client stand out for strong native support.
Phishing and spam protection: Technical barriers against fraud
Phishing aims to steal identities and install malware. While spam is often just annoying, phishing is an existential threat for SMEs.
The analysis found that almost all programs (11 out of 12) offer junk filters. However, the quality of warnings for suspicious links or attachments differs dramatically:
- Warning mechanisms: Only some programs actively scan incoming emails for known fraud patterns and explicitly warn users before they open a risky link.
- Attachment checks: Only 3 out of 12 programs check attachments (e.g., file type or malicious patterns) and display warnings or isolate them in quarantine folders.
SMEs should prioritize programs that analyze email header metadata to better detect spoofed sender addresses.
Data sovereignty: Local storage vs. cloud dependency
A commonly overlooked factor is where emails and credentials are stored.
“The chosen storage location determines who carries the security responsibility. Local storage requires your own protective measures, while cloud solutions increase dependency on the provider.”
- Local storage: Most programs (e.g., Thunderbird, Apple Mail, eM Client) store emails locally. This enables full control, but it also means the SME must handle disk encryption, endpoint protection, and backups.
- Cloud processing: Programs like the new Outlook rely on cloud infrastructure. Email content and account data may be processed on the provider’s servers. This improves synchronization and convenience, but raises privacy concerns and creates vendor dependency.
Anti-tracking: How to stop surveillance in the inbox
Tracking pixels in HTML emails allow senders to learn when, how often, and from where an email was opened. This is not only a privacy risk—it can also be used to support targeted social engineering attacks.
The BSI recommends that email clients block external images by default or use a proxy connection to hide the recipient’s IP address. Plain text emails offer an additional security advantage because they prevent embedded scripts and tracking mechanisms from working in the first place.
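To make the "block external images by default" recommendation concrete, here is an added Python example (not from the BSI report or from any client it discusses): it audits an HTML mail body for images that would trigger a remote fetch on open, flags the ones that look like tracking pixels, and rewrites remote sources so rendering the message leaks nothing. The sample message is constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample HTML body: an inline (cid:) logo that needs no fetch,
# a visible external banner, and a hidden 1x1 remote tracking pixel.
SAMPLE_HTML = """<html><body>
<p>Hello,</p>
<img src="cid:logo@example" alt="logo">
<img src="https://cdn.example.com/banner.png" width="600" height="120">
<p>Regards</p>
<img src="https://track.example.net/open?id=abc123" width="1" height="1" style="display:none">
</body></html>"""

REMOTE = re.compile(r"^(?:https?:)?//", re.I)   # also catches protocol-relative //host


class ExternalImageAuditor(HTMLParser):
    """Collects <img> tags whose src would cause a network request when rendered."""

    def __init__(self):
        super().__init__()
        self.external = []   # every remote image: the fetch reveals IP, time and client
        self.trackers = []   # remote images that are tiny or hidden, i.e. beacons

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        if not REMOTE.match(src):        # cid:/data: images are already inside the mail
            return
        self.external.append(src)
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
        if tiny or hidden:
            self.trackers.append(src)


def audit_external_images(html):
    """Return remote image URLs and the subset that look like tracking pixels."""
    p = ExternalImageAuditor()
    p.feed(html)
    return {"external": p.external, "trackers": p.trackers}


def block_external_images(html):
    """Rewrite remote img sources so opening the message makes no request."""
    return re.sub(r'(<img\b[^>]*\bsrc=["\'])((?:https?:)?//[^"\']*)',
                  r'\g<1>about:blank#blocked-external', html, flags=re.I)
```

A client that offers "load remote content" on demand is doing the reverse of `block_external_images` only after an explicit user action; a proxy-based client would instead rewrite the source to its own fetch endpoint.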
What your software choice means for SME data protection
Choosing software means choosing the security level of your entire organization. Weak protections can lead to:
- Financial pressure: Data loss often triggers high compliance costs and potential fines.
- Reputational damage: A successful phishing incident that spreads via the company’s email can seriously damage trust among customers and partners.
- Loss of data sovereignty: If emails are synchronized into cloud infrastructures without proper controls, SMEs may lose exclusive control over sensitive information.
Strategic recommendations for IT decision-makers
When selecting an email client for business use, SMEs should look for the following:
- Demand encryption: Use E2EE (S/MIME or OpenPGP) for internal and external communication involving sensitive information.
- Security by default: Choose clients that block external content by default.
- Account protection: Prefer clients that support modern authentication methods such as OAuth2, enabling multi-factor authentication (MFA).
- Use a master password: If credentials are stored locally, a master password is essential to make extraction by malware more difficult.
- Keep systems current: Enable automatic updates to benefit from ongoing security improvements and fast vulnerability patching.
Conclusion: Security starts with the tools you choose
The 2026 BSI report makes one thing clear: there is no “perfect” email client – but there are informed choices. While cloud-based services offer convenience, locally installed open-source solutions like Thunderbird or KMail can provide higher data sovereignty. For SMEs, transparency about data flows is the foundation of security. Those who take email client selection seriously build a resilient base for their company’s digital future.
FAQ: Email security according to BSI standards
Why is the distinction between transport encryption and content encryption important?
Transport encryption only protects data in transit. Only content encryption (E2EE) ensures the message remains protected on the server and at the provider level as well.
Do existing employees also need to be informed about new security requirements?
Yes. Technical safeguards can be bypassed through social engineering. Regular awareness training is just as important as proper software configuration.
Are open-source programs more secure?
Open-source programs (such as Thunderbird or KMail) allow independent review of the source code for vulnerabilities, increasing transparency and trust.
What happens if my program doesn’t support E2EE?
In that case, users often have to rely on external add-ons or browser-based solutions, which can reduce usability and complicate secure day-to-day communication.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.