Email Clients — Category Research Report

Your inbox is the most intimate digital space you have -- financial records, medical results, personal conversations, legal documents. The companies hosting it read it, scan it, and increasingly feed it to AI. This is the landscape, the data, and the opportunity.


The Landscape

Email is a $33-35B annual market. Over 4.7 billion people worldwide use email, sending 376 billion messages daily in 2025 (projected 392.5 billion by 2026). The paid email service market alone is forecast at $34.7B in 2026, growing at 13.2% CAGR.

Provider | Owner | Active Users | Revenue Model | Pricing (Paid Tier)
--- | --- | --- | --- | ---
Gmail | Google/Alphabet | ~1.8B (est. 2B+) | Advertising + Workspace subscriptions | Workspace: $7-22/user/mo
Outlook | Microsoft | ~400M (free); 75M+ M365 consumer subs | Subscriptions + Advertising (free tier) | M365: $7-22/user/mo
Apple Mail | Apple | ~53-59% email client market share | Hardware/services ecosystem; iCloud+ | iCloud+: $0.99-59.99/mo
Yahoo Mail | Apollo Global (90%) | ~228M | Advertising + Yahoo Mail Plus ($5/mo) | $5/mo (ad-free)
Proton Mail | Proton AG (Switzerland) | 100M+ accounts (confirmed April 2023) | Subscriptions (no ads) | $3.99-12.99/mo
Hey.com | 37signals | Not disclosed (private company) | Subscriptions (no ads) | $99/yr personal; $12/user/mo business
Fastmail | Fastmail Pty Ltd (Australia) | Not disclosed (private company) | Subscriptions (no ads) | $3-10/user/mo
Tuta | Tuta (Germany) | 10M+ | Subscriptions (no ads) | Free-12/mo
Superhuman | Grammarly (acquired Oct 2025 for ~$825M) | ~70,000 paying users | Subscriptions | $25-40/user/mo

Market share by email client opens (Litmus, 2025): Apple Mail ~53-59%, Gmail ~30.7%, Outlook ~4-10%, Yahoo Mail ~3.3%.

Sources: DemandSage Gmail Statistics 2026, Litmus Email Client Market Share, Proton 100M Announcement, Superhuman/Sacra Revenue Data, Business Research Insights - Paid Email Market, Clean.email Provider Stats 2026, EarthWeb Yahoo Mail Users, Clean.email Outlook Statistics.


The Enshittification Timeline

  • 2004: Gmail launches with 1GB free storage -- revolutionary at the time. The catch: automated scanning of email content to serve targeted ads. Privacy advocates raise alarms immediately. Google's response: "It's just algorithms reading your mail, not humans."

  • 2012: Google updates terms to explicitly state it "may analyze email content to customize search results, better detect spam and malware." The scanning scope expands beyond ads.

  • 2014: Google settles a lawsuit and agrees to stop scanning student Gmail accounts for advertising. Consumer accounts continue to be scanned.

  • 2017: Google announces it will stop scanning consumer Gmail for ad personalization, aligning free Gmail with paid G Suite policy. However, scanning continues for "smart features" -- categorization, Smart Reply, Smart Compose, calendar extraction. The language permitting content analysis remains in the privacy policy. (Sources: NPR, TIME)

  • 2018: Gmail introduces Smart Compose, trained on billions of phrases from public web data and anonymized emails. Smart Reply follows. The AI layer begins to deepen.

  • 2019: Superhuman tracking pixel scandal. The email client was embedding tracking pixels by default in every sent email, recording when, where (via IP geolocation), and how often recipients opened messages -- without recipient consent or knowledge. CEO apologized and made read receipts opt-in, deleted location data. (Source: Mike Industries)

  • 2021 (May): Verizon sells Yahoo and AOL to Apollo Global Management for $5B -- roughly half of the ~$9B Verizon originally paid for both. The once-dominant internet brands become private equity assets. Apple introduces Mail Privacy Protection in iOS 15, preloading tracking pixels to prevent senders from knowing when/where emails are opened.

  • 2023 (Jan): Google Workspace prices increase. Gemini AI begins integration into Workspace. The bundling of AI features with mandatory price increases begins.

  • 2023-2024: Microsoft Exchange Online / Outlook.com breached by Chinese state hackers (Storm-0558) who forged authentication tokens using a stolen Microsoft signing key, compromising email at 25 organizations including government agencies. DHS Cyber Safety Review Board issues scathing report of Microsoft's security failures. Separately, Russian state group Midnight Blizzard infiltrates Microsoft's own corporate email via password spraying. (Sources: TechCrunch Copilot Bug, Bleeping Computer)

  • 2024 (April): Fastmail raises prices: Basic from $3 to $4/mo, Standard from $5 to $6/mo. A 15-33% increase depending on region.

  • 2025 (Jan): Google Workspace prices increase 16-22% across all business tiers, bundling Gemini AI into every plan with no opt-out from the price increase. Business Starter goes from ~$6 to $7/user/mo. Business Standard from ~$12 to $14/user/mo. (Source: 9to5Google)

  • 2025 (Sept): Rodriguez v. Google LLC -- federal jury orders Google to pay $425M after finding it violated privacy rights of 98M Gmail users by tracking data even after users disabled "Web & App Activity." Google appeals. Plaintiffs file motion seeking $2.36B additional. (Source: ClassAction.org)

  • 2025 (Oct): Yahoo finalizes sale of AOL to Bending Spoons for ~$1.4B. AOL's dial-up service shuts down September 30, 2025 with just 163,000 remaining users. Apollo reshapes Yahoo around email as its core asset.

  • 2025 (Oct-Nov): Google activates Gemini "Smart Features" for Gmail, Chat, and Meet users. A class action (Thele v. Google) alleges the activation occurred without consent, violating the California Invasion of Privacy Act. Google denies wrongdoing, says smart features were opt-in. However, multiple settings across different menus must be manually disabled -- critics call this a dark pattern. (Sources: Malwarebytes, CNBC)

  • 2025 (Dec): Microsoft announces M365 price increases effective July 1, 2026: Business Basic from $72 to $84/user/yr (+17%), Business Standard from $150 to $168/user/yr (+12%). Security features and Copilot AI bundled as justification. (Source: Microsoft 365 Blog)

  • 2026 (Jan): Google unveils Gmail overhaul powered by Gemini 3 -- AI Overviews, AI Inbox prioritization, upgraded Smart Replies, Proofread, natural language inbox search. Some features on by default; users must opt out. The inbox transforms from a message list to an AI-curated briefing. Google states content is not used to train public AI models but is processed within a "secure engineering privacy barrier." (Source: Google Blog)

  • 2026 (Jan-Feb): Microsoft Copilot bug discovered: Copilot Chat reads and summarizes confidential Outlook emails (including Sent/Drafts marked confidential) despite DLP policies designed to prevent exactly this. Bug existed since January 21, 2026. Microsoft acknowledges and deploys fix. European Parliament IT department blocks AI features on staff devices. U.S. House of Representatives had previously banned Copilot for congressional staff. (Sources: Cybernews, PCWorld)


The Data Audit

Gmail (Google)

What they collect: Email content, attachments, metadata (who you email, when, how often), contacts, calendar entries extracted from emails, purchase history, travel itineraries, behavioral signals across the Google ecosystem.

How it is used: Spam filtering, "smart features" (categorization, Smart Reply, Smart Compose, calendar extraction), cross-product personalization (Google Maps restaurant suggestions from email confirmations, flight status in Google app). Google states consumer Gmail content is no longer used for ad personalization (since 2017) but is still processed for smart features. Ads are targeted based on other Google signals (search, browsing, YouTube, location).

AI scanning: Gemini 3 now processes inbox data for summaries, prioritization, and natural language search. Google says this stays within an "engineered privacy" boundary and is not used to train public AI models. However: you cannot selectively enable AI features -- it is a single on/off switch across all smart features. Disabling it removes spam categorization, Smart Reply, and calendar extraction along with AI scanning.

Lawsuits: $425M jury verdict (Rodriguez v. Google, Sept 2025) for tracking users who opted out. Separate class action (Thele v. Google, Nov 2025) alleging unauthorized Gemini activation.

Outlook / Microsoft 365

What they collect: Email content, metadata, calendar data, files in OneDrive, Teams chat data, behavioral signals across Microsoft 365.

How it is used: Spam filtering, Focused Inbox categorization, Copilot AI features (summarization, drafting, natural language queries). Microsoft states M365 content is not used to train foundation LLMs. However, Copilot processes all content a user has access to -- making existing over-permissions the primary risk.

Security record: Storm-0558 breach (2023-2024) compromised government email via forged tokens. Copilot confidential email bug (Jan 2026) bypassed DLP protections. Starting January 2026, Anthropic became a subprocessor for M365 Copilot -- Anthropic models are out of scope for EU Data Boundary commitments.

Yahoo Mail

What they collect: Email content, cookies, device identifiers, IP address, interaction data, links clicked, location, app data.

How it is used: Advertising is the primary revenue model. Yahoo Analytics and Advertising Insights systems collect data across Yahoo products for ad targeting. Updated Terms of Service (March 2025) allow data sharing with third-party AI providers. Yahoo Mail Plus ($5/mo) removes ads but data collection practices for the ad-free tier are less clearly documented.

Apple Mail

What they collect: Apple Mail is a client, not a hosting service -- it connects to iCloud, Gmail, Outlook, or any IMAP server. For iCloud email, Apple states it does not scan email content for advertising.

Privacy features: Mail Privacy Protection (iOS 15+, 2021) preloads tracking pixels, masking open times and IP addresses from senders. Adoption: ~96% of iOS users who see the prompt enable it. iCloud+ includes Private Relay (Safari browsing privacy), Hide My Email (disposable addresses), and custom email domains. All iCloud data in transit and at rest uses encryption; select categories use end-to-end encryption with Advanced Data Protection enabled.

Proton Mail

What they collect: Minimal metadata (IP addresses can be collected under Swiss law if required by court order; Proton offers onion routing to mitigate). Email content is zero-access encrypted -- Proton cannot read stored messages even if compelled.

Encryption: Two-layer approach. (1) Zero-access encryption: all stored messages encrypted with user's public key, decryptable only with private key held by user. (2) End-to-end encryption: between Proton users, messages are encrypted on sender's device before reaching servers. For non-Proton recipients, password-protected email option available. Uses OpenPGP (Proton maintains OpenPGP.js). Limitation: subject lines remain unencrypted in standard PGP. (Source: Proton Security)

Tuta

What they collect: Minimal. No IP logging by default. End-to-end encryption of emails (including subject lines -- unlike PGP-based providers), calendars, and contacts. Quantum-resistant encryption (TutaCrypt) deployed.

Encryption: Uses custom protocol rather than PGP, enabling subject line encryption. Both parties on Tuta get automatic E2EE. External recipients can receive password-protected messages via a web portal. Open source. Based in Germany under GDPR. (Source: Help Net Security)

Superhuman

What they collect: Superhuman is a client layer on top of Gmail/Outlook -- it accesses whatever the underlying provider accesses, plus its own usage analytics. The 2019 tracking pixel controversy revealed that read receipts with geolocation were enabled by default on all sent emails. After backlash, location tracking was removed, data deleted, and read receipts made opt-in. Superhuman now offers built-in tracking pixel blocking for incoming mail.

Sources: Snopes on Google AI Email Access, Yahoo Analytics Policy, Proton Zero-Access Encryption, Apple iCloud+ Features, Redact.dev - Can Google Read Your Emails.


The Vulnerability Score

Criterion | Rating | Explanation
--- | --- | ---
User resentment | Medium-High | Gmail AI scanning lawsuits, Outlook Copilot bugs, and growing privacy awareness drive resentment. But email is "good enough" for most -- switching feels overwhelming. The 2025 Gemini controversy generated 6.5M+ views on a single social media post about it.
Switching cost | High | Provider-locked addresses (@gmail.com, @outlook.com) cannot be ported. Years of archived mail, contacts, and account registrations create deep lock-in. No equivalent to phone number portability exists for email. Domain-based email is the only full solution but requires technical comfort most users lack.
Technical feasibility | Medium-High | Email is a mature, standards-based protocol (SMTP, IMAP, JMAP). Building a competitive email service is well-understood technically. JMAP (RFC 8620/8621, co-developed by Fastmail) modernizes the protocol layer. Stalwart Mail Server and Cyrus IMAP provide production-ready open-source foundations. The challenge is scale, deliverability reputation, and spam filtering -- not fundamental technology.
Monetization clarity | High | Users already pay for email. Google Workspace: $7-22/user/mo. Proton Mail: $4-13/mo. Fastmail: $3-10/mo. Hey: $99/yr. The paid email model is proven across multiple companies. No need to invent a revenue model.
Data sensitivity | Very High | Email contains financial records, medical information, legal documents, personal conversations, authentication tokens, password resets. It is arguably the single most sensitive data repository most people have. Every other account's security depends on email access.
Network effects | Low | Email is federated by design. Anyone can email anyone regardless of provider. There is no network effect locking users to Gmail the way a social network locks users. The lock-in is address-based, not network-based.

Overall vulnerability: Medium-High. The technical and monetization fundamentals are strong. Network effects are weak -- email's federated nature is a gift. The primary barrier is switching cost from address lock-in, which can be solved with domain-based email and migration tooling. User resentment is rising but has not yet hit a mass tipping point.


The Your 99 Blueprint

A user-owned email service would be subscription-funded, privacy-first, and built on open standards.

Revenue model: $5/user/month ($60/year). No advertising. No data mining. No AI training on user content. Transparent privacy policy in plain language.

Key differentiators beyond ownership:

  • Custom domain included at every tier (solving the portability/lock-in problem permanently)
  • JMAP-native architecture for modern sync performance
  • Migration wizard that imports from Gmail, Outlook, Yahoo, Proton, Fastmail with forwarding setup
  • Zero-access encryption for stored mail by default
  • Optional end-to-end encryption between platform users
  • Tracking pixel blocking on all incoming mail by default
  • No AI features that process email content without explicit per-feature opt-in
  • Open source server and client code
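
One way to implement the default tracking pixel blocking listed above (the mechanism behind the Superhuman and Mail Privacy Protection entries earlier in this report), as an added example that is not code from this report or from any provider it names. It drops images that look like beacons and disarms every other remote image, since any remote fetch reveals open time and IP address; the `data-blocked-src` attribute, the heuristics and the sample hosts are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Inline-style patterns typical of invisible beacons (heuristic chosen for this example).
HIDDEN_STYLE = re.compile(r"display:none|visibility:hidden|(?:^|;)(?:width|height):[01](?:px)?(?:;|$)")

def is_remote(src):
    """True for http(s) and protocol-relative URLs; cid: and data: images fetch nothing."""
    parts = urlsplit(src.strip())
    return bool(parts.netloc) and parts.scheme.lower() in ("http", "https", "")

def looks_like_beacon(attrs):
    """0- or 1-pixel dimensions, or hidden through inline CSS."""
    tiny = any((attrs.get(k) or "").lower().rstrip("px").strip() in ("0", "1") for k in ("width", "height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return tiny or bool(HIDDEN_STYLE.search(style))

class PixelBlocker(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out, self.blocked = [], []
    def _tag(self, tag, attrs, tail):
        d = dict(attrs)
        src = d.get("src") or d.get("srcset") or ""
        if tag == "img" and is_remote(src):
            kind = "beacon" if looks_like_beacon(d) else "remote-image"
            self.blocked.append((kind, src))
            if kind == "beacon":
                return  # invisible anyway: remove the element entirely
            # Visible image: keep layout, park the URL (hypothetical attribute) until the user opts in.
            attrs = [("data-blocked-src", v) if k == "src" else (k, v)
                     for k, v in attrs if k != "srcset"]
        text = "".join(f" {k}" if v is None else f' {k}="{escape(v, quote=True)}"' for k, v in attrs)
        self.out.append(f"<{tag}{text}{tail}>")
    def handle_starttag(self, tag, attrs): self._tag(tag, attrs, "")
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def block_tracking_pixels(html_body):
    """Return (sanitised_html, [(kind, url), ...]). Covers <img> only, not CSS backgrounds."""
    parser = PixelBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample body; hosts are placeholders.
SAMPLE = ('<p>Hi &amp; welcome</p><img src="https://cdn.example.com/logo.png" width="120" alt="logo">'
          '<img src="https://track.example.net/o/abc123.gif" width="1" height="1">'
          '<img src="//track.example.net/p.gif" style="display:none">'
          '<img src="cid:sig@local" width="1" height="1">')
```

Calling `block_tracking_pixels(SAMPLE)` returns the rewritten body plus a list of what was blocked, which a client can surface as a "remote content blocked" notice.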

Draft Contribution Map:

  • Using the service (subscriber months) -- base contribution
  • Referring new users who convert -- multiplied contribution
  • Building features, clients, or integrations (developer contributions) -- high contribution
  • Bug reporting and quality assurance -- moderate contribution

Economics at three scales:

Scale | Users | Monthly Revenue | 99% Distribution | Per-User Annual Share
--- | --- | --- | --- | ---
Small | 10,000 | $50,000 | $49,500 | ~$59/yr
Medium | 100,000 | $500,000 | $495,000 | ~$59/yr
Large | 500,000 | $2,500,000 | $2,475,000 | ~$59/yr

At $5/mo and 99% distribution, the per-user return roughly equals the subscription cost -- effectively making the service free through ownership returns at steady state. The value compounds across the Your 99 ecosystem: email is the identity layer that connects to every other service.

Minimum viable feature set:

  • Send/receive email (SMTP/JMAP)
  • Custom domain with DNS setup wizard
  • Web client and mobile apps (iOS/Android)
  • Import/migration tool (Gmail, Outlook, Yahoo)
  • Spam filtering
  • Search
  • Contacts
  • Calendar (basic)
  • 15GB storage per user at launch

Open Questions

  • Deliverability reputation: New email services face deliverability challenges. Gmail and Microsoft control inbox placement for billions of users. How do you build sender reputation from zero without having legitimate mail land in spam?

  • Spam filtering without scanning: The best spam filters (Gmail, Outlook) are trained on massive datasets of user-flagged spam. Can a privacy-first service build competitive spam filtering without reading user mail at scale? Proton Mail and Tuta have demonstrated it is possible but acknowledge the gap.

  • Is email the right first product? Email is the identity layer -- it touches everything else. But it is also operationally complex (uptime requirements, deliverability, abuse prevention). The counter-argument: email's federated, open-standard nature makes it one of the few categories where a new entrant does not need to overcome network effects.

  • JMAP adoption timing: JMAP is technically superior to IMAP but adoption is still early. Neither Google nor Microsoft supports it. Building JMAP-native is forward-looking but may limit third-party client compatibility in the near term. Thunderbird's upcoming Thundermail service and its JMAP support could accelerate adoption.

  • How to make domain-based email accessible? The portability solution (own your domain) requires DNS knowledge most users do not have. The migration and setup experience must be radically simplified to achieve mainstream adoption. Fastmail and Proton have made progress here but the bar is not yet low enough.

  • What would make you switch? The community should discuss: is privacy alone a sufficient motivator, or does the email client need to be demonstrably better in daily workflow to drive adoption? Superhuman's growth suggests that speed and UX matter as much as privacy to many users.


Sources compiled from research conducted February-March 2026. All figures sourced from company announcements, regulatory filings, court documents, and third-party analytics firms as cited inline. Proton's 100M figure is total Proton accounts (not email-only users). Fastmail and Hey.com do not publicly disclose user counts. Gmail's 1.8B figure is an industry estimate -- the last official Google confirmation was 1.5B in 2018.

Report version 1.0

Last updated 2026-03-03