Email Privacy Tester

Known Bad Email Clients

This is a list of known bad email clients, which you should avoid using if you wish to avoid tracking. Special thanks go to Andrew Klapper of the GNOME project for incentivising me to create this page; I have been meaning to create one for some time.

If you wish to keep track of updates on this page, you can follow my blog via my RSS feed or alternatively Mastodon / Bluesky. If you wish to submit more bad clients, contact me. Projects will always be given the opportunity to fix their security/privacy issues before they are listed.

  1. Evolution Mail

    As of 2025-July-19, Evolution Mail is vulnerable to two privacy issues, linkPreconnect and dnsLink. I do not know how long they have been vulnerable to these two issues, but they have been aware of one of them for at least 15 months so far and have done nothing to address it or warn their users. They refuse to even put a notice in the client warning people to not rely on the "Load Remote Content" feature for privacy, preferring to delay indefinitely, for the fix to be handled in a library they're choosing to use.

    If/when these two issues are fixed, I still can not recommend using Evolution Mail, as the devs have proven that they are completely uninterested in addressing privacy issues in a timely manner, or informing their users when they are exposed. If/when I am confident the bugs and culture are fixed, I will remove Evolution Mail from this list of known bad email clients.

  2. Balsa

    As of 2025-July-19, Balsa is vulnerable to two privacy issues, linkPreconnect and dnsLink. They were advised in a bug report which was summarily closed, the same day, without a fix. Development of this client appears to be unfortunately affected by the toxic development culture at GNOME, which does not accept responsibility for security issues in the libraries they choose to use.

    Until these issues are fixed, and the culture of denial of responsibility for security issues at GNOME is fixed, I can not recommend using this client.

  3. Geary

    As of 2025-July-19, Geary is vulnerable to linkPreconnect. They were advised in a bug report which was summarily closed, the same day, without a fix. Development of this client appears to be unfortunately affected by the toxic development culture at GNOME, which does not accept responsibility for security issues in the libraries they choose to use.

    Until these issues are fixed, and the culture of denial of responsibility for security issues at GNOME is fixed, I can not recommend using this client.

    2025-July-20: Jeff Fortin of GNOME, helpfully advised that this project is unmaintained. So yeah, don't use it. He also doubled down on this insane idea that GNOME devs have that security vulnerabilities in dependencies in their projects, can be ignored forever, as long as a bug report exists. This is not an opinion shared by the vast majority of software developers and distributors. And if you disagree, or publicise their errors, they scream "harrassment" and "smearing" and start trying to lock down the conversation. Take this as the strong signal that it is.