by default sending from one encrypted email system to the exact same all your traffic is encrypted
so for instant tutanota to tutanota is encrypted
sending from any encrypted email to any other email system by default is not encrypted
so for instance sending from tutanota to protonmail is not encrypted
for those instances you are promoted to first create a password and then the reciever would enter that password to decrypt the message
you would send that password by some other means to the intended recipient of that email so they can enter it and decrypt the message
if that password is lost or forgotten that email cannot be opened.
emails that are encrypted cannot be read by the server admin. this is very important security wise.
anyone not using an encrypted email is taking a risk that their emails could be read by server admins and or intercepted when sent and then read
the only risk with a encrypted email system is if the password was hacked. if you use a complex password made up of letters, numbers and symbols the chance of being hacked are somewhere near slim to none.
also its important to log out of your email every time
and to keep your password list in a secure place preferably not in a unencypted word document on your desktop.
also be careful to not log into a public computer and forget to log out.