Fastmail Review

Founded 20 years ago, Fastmail provides its users with email, contacts, and a calendar. Fastmail has a lot of strengths and stresses their privacy and security features:

You can rely on Fastmail for service and support, and trust that your personal information is protected. You come first, and you can bank on it.

However, their views on privacy and security are rather different than those of products such as Tutanota and ProtonMail. If you are serious about securing the privacy of your email, you will definitely want to keep reading before investing in a Fastmail account.

Fastmail features overview

As mentioned previously, Fastmail provides email and contacts as well as calendar support. They redesigned the interface in June of 2019, giving the product a clean, modern look without choosing form over function.

If you have experience using virtually any modern email program, you will have no problems figuring out Fastmail.

Interesting features of Fastmail include:

• Web interface and mobile apps
• Easy integration with many email services and clients
• POP3, IMAP, CalDAV, CardDAV support
• Threaded conversations
• Full-text search of messages
• Support for custom domain names
• The ability to recover your account if you lose your password
• A promise not to scan your messages for marketing purposes
• Easy import / export of messages, contacts, and calendar data
• An extensive archive of support files
• Business-specific features

So far, this is looking good. Fastmail is full-featured and has had two decades to refine their product. So let’s dig a bit deeper.

Fastmail company information

Fastmail launched in 1999 and is based in Australia. Your data is stored on servers in New York City, USA. The company claims to operate under four core values:

1. You are our customer, not our product
2. Your data belongs to you
3. We are good stewards of your data
4. We are good internet citizens

These are all great values. From the perspective of privacy and security, numbers 2 and 3 are particularly important, so let’s look at them in more detail.

“Your data belongs to you”

Fastmail states, “You have a story and a footprint that deserves respect. You get complete ownership and control of your data, which is seen by no one else but you.”

This is exactly what we want from a privacy perspective. We should have complete control over our data, with no one else able to see it without our permission.

“We are good stewards of your data”

Fastmail states, “You’ve entrusted us to take care of your data and we take that seriously. Your data is always available to you, intact, and away from the wrong hands.”

This sounds good, too. I know I want my email provider to keep my data secure from being viewed by anyone I don’t want to see it.

Keep these two core values in mind. We’ll return to them in a little while.

Fastmail technical specifications

From our perspective, Fastmail’s technical specifications are pretty simple.

• They use SSL/TLS to encrypt data flowing between their servers and each user’s computer or mobile device.
• Data stored on Fastmail servers is encrypted with LUKS or directly on the server hardware for those servers that support this capability.

If you are familiar with private email services, you may have noticed what is not specified. Fastmail doesn’t do message-level or end-to-end encryption.

In a service like ProtonMail, your messages are encrypted before they ever leave your device, and remain that way until decrypted by the recipient. The service in the middle cannot read your messages since they don’t control the encryption keys, you do.

In Fastmail, your messages are protected by SSL/TLS while in transit, and by the server’s encryption when stored on a Fastmail server. But the messages themselves are not encrypted. That means when the messages arrive at Fastmail’s servers, they can be read by Fastmail. Once the messages are stored on Fastmail servers, outsiders can’t read them, but Fastmail personnel can.

It is possible to send encrypted messages with Fastmail. You can use an external program to encrypt your messages, then send them through the Fastmail system. Or you can install a browser extension like Mailvelope that will allow you to apply PGP encryption to messages in the browser-based Fastmail client.

Fastmail hands-on testing

We’ve based this part of the review on the browser-based Fastmail client. Fastmail talks about desktop clients in their literature. But they don’t mean that there is a Fastmail desktop client. Instead, they mean that you can connect someone else’s desktop client to Fastmail’s servers. So we’ll stick with the browser-based client.

Signing up for Fastmail

Signing up for Fastmail takes only a few moments. You don’t need to give them a credit card since you can sign up for their 30-day free trial to check out the service. You’ll need to select an email address and a password, accept the Terms of Service and so on. This is all standard stuff.

But now things get unpleasant. To complete the registration, you must give Fastmail a mobile phone number they can use to verify your account. Telephone verification is about the least private way possible to verify your account. More privacy conscious services allow you to verify your account using an email address.

Once you verify your account over the phone you are ready to go. I haven’t seen any evidence of mandatory waiting periods like I experienced with Tutanota.

The look and feel of Fastmail

As I mentioned earlier, Fastmail was recently redesigned to give it a nice modern look and feel. You navigate between the sections of the client using the Main Menu. Press the Shift-G keyboard shortcut to open the Main Menu.

Composing Messages

Click Mail in the Main Menu, to open the Mail component of Fastmail. Then select the Compose icon at the top of the left-hand column to create a new message.

As you can see, all the formatting options you’ll need are readily available, making it fast and easy to create your messages.

Sending and receiving messages

Here is one place where Fastmail’s lack of message-level encryption is a benefit. Because there is no message encryption involved, you don’t have to worry about things like which email service either of you is using, or about exchanging encryption keys outside of the email system.

Searching messages and more

Fastmail’s Search feature is powerful. You can search for specific words or phrases, as well as construct complex searches that include characteristics like the message size or date. You can also sort the results in various ways and save searches for reuse later.

The Calendar, Contacts, and other components of Fastmail also have similar search capabilities.

Rules

Fastmail allows you to create rules that help automate the processing of messages. To do so, open the Main Menu, select Settings then Rules.

The inbox rules seemed to work well.

Contacts

The Contacts component of Fastmail allows you to keep track of the people you exchange messages with. You can add a person by clicking the New Contact button in the Contacts section, or by clicking their name in an email message and selecting Add to Contacts.

You can create Groups of contacts, but the process is a bit clumsy. You’ll need to click More, then Groups, and enter the group name. Once you do that, the group will appear in the Groups list, and you can start creating contacts within that group.

The Calendar, Notes, and Files

While Mail and Contacts are our main interest here, the fact that Fastmail includes Calendars, Notes, and File storage is a definite plus.

You can read more about the Fastmail calendar here.

Notes

Similar to the Notes feature of Microsoft Outlook, you can use this component of Fastmail to keep a searchable record of personal information that might otherwise get lost. Because the Notes are stored on the Fastmail servers, you can have access to them from your mobile devices as well as any web browser.

That said, since Fastmail Notes are not encrypted, this is probably not the best place to record things like passwords or bank account numbers. (Use a good password manager instead.)

Files

Store smallish (less than 50MB) files in the Fastmail Files component and you will have access to them from anywhere.

Again, unless you trust Fastmail to never look at your data, don’t upload any files you want kept private.

Fastmail mobile apps

Fastmail offers apps for both iOS and Android. I tested the Android app and find it to be perfectly acceptable. Here’s a screenshot of the Fastmail Android app:

The one drawback I saw was that the app does not function offline. If you need the ability to at least read your email when in an airplane for example, you won’t be able to do it with Fastmail.

Is Fastmail really private and secure?

When I visualize a private, secure email service, it looks something like this:

1. Every message I create is encrypted, at my device, using encryption keys that I control. The encryption technology used cannot have any back doors or methods that bypass the encryption. Only I, or the intended recipient, have the capability to decrypt them.
2. The messages are protected by SSL/TLS encryption while traveling between my device and the email service’s servers.
3. While any messages are stored on the service’s servers, the service applies an additional layer of encryption that they control. This can not compromise the original encryption in any way.

This is basically how secure email services like ProtonMail and Tutanota work.

A major strike against Fastmail appears in the portion of their Privacy Policy covering the global transfer of your data. It states that (emphasis added),

Your personal information may be disclosed, transferred to or processed outside of your country of residence. This includes to Australia, the United States of America, India, and the Netherlands, where it will be subject to the laws of the country to which it is transferred. These jurisdictions may not have an equivalent level of data protection laws as those in your country.

If I am reading this correctly (I am not a lawyer), the privacy of your personal data is subject to the whims of the politicians in any of the countries listed.

Remember those two core Fastmail values, “Your data belongs to you,” and “We are good stewards of your data”? They stated in part that,

• “You get complete ownership and control of your data, which is seen by no one else but you.”
• “Your data is always available to you, intact, and away from the wrong hands.”

If your personal information can be disclosed and processed in any of several countries, and be subject to the data protection laws of those countries, you clearly don’t have complete ownership and control of your data. It can be seen, collected, and shared with many other parties – and you may not even be alerted if/when your data falls into the “wrong hands”.

Australia is a bad location for secure email

The biggest strike against Fastmail is that it is based in Australia. That may sound strange, with Australia being a modern Western Democracy and all that. But in reality, Australia is a horrible place for online privacy. Here’s why:

The Five Eyes connection

Australia is a member of the Five Eyes Intelligence organization. This means, among other things, that they share intelligence with the other Five Eyes countries. Reportedly, this even extends to spying on each other’s citizens and passing along the information, allowing the members to skirt laws against spying on their own citizens. This realization sets the stage.

Your metadata does not belong to you (in Australia)

In 2017, the country’s highest court ruled that your metadata is actually data about your devices, not about you. This cleared the way for telecoms and other companies to record that data, and hand it over to the government on demand, while at the same time denying you access to the same data.

Since metadata can reveal a lot about your activities online even if it isn’t considered data about you, it became vital for people to use a quality VPN in Australia if they wanted to protect their privacy.

As we’ve pointed out before, it is a good idea to simply use a good VPN service at all times, which conceals your IP address and location. This will give you more online anonymity and control over your data, regardless of laws in Australia.

Australia leads the way for the world to spy on users

In 2018, the Australian government passed a draconian law called this Assistance and Access Bill. As the name suggests, this law requires technology companies to assist authorities in gaining access to user data. This can include direct access as well as adding backdoors or removing access bearers, to including breaking encryption.

According to human rights lawyer Lizzie O’Shea in a New York Times editorial,

Australia, which has no bill of rights, is a logical place to test new strategies for collecting intelligence that can later be adopted elsewhere. Among other things, the proposed law would create a process for “designated communications providers” — defined so expansively that it covers any business hosting a website — to assist intelligence and law enforcement agencies to do almost anything to give them access to encrypted communications. For example, providers may have to build tools, install software or keep agencies up-to-date with developments. In essence, state agencies will be able to circumvent encryption, either with the cooperation of tech companies or by compulsion.

And things do not look to be improving.

Australian politicians want more spying power

In June of 2019, the Home Affairs Minister promoted the idea of giving the government the ability to directly spy on its own citizens, while vehemently denying it at the same time. His arguments are too twisty for me to even summarize for you, so I suggest you check out this article if you want the details. The point is that despite already having massive spying powers, the government is looking for more.

You don’t control your content, Fastmail does

The privacy developments in Australia are horrible, but in a way, it doesn’t even matter. That’s because you don’t control access to your messages and other information; Fastmail does. Let’s go back to my vision of a secure, private email service for a moment. The first step in my model is:

1. Every message I create is encrypted, at my device, using encryption keys that I control. The encryption technology used cannot have any back doors or methods that bypass the encryption. Only I, or the intended recipient, have the capability to decrypt them.

Fastmail doesn’t bother with that step. They go directly to step 2, where my (unencrypted) messages are protected while in transit by the standard SSL/TLS encryption that virtually every business website uses these days. Once the messages arrive at the Fastmail servers, that encryption is removed, leaving my messages in plain text for anyone who happens to have access to the server to read.

On their site, Fastmail explains their rationale for taking this approach. As they put it,

To provide the services we offer, it is necessary for our computer systems to process unencrypted and unobfuscated data (for example: to build the search indexes which allow fast message retrieval, or to push alarm notifications for calendar events).

This approach does have advantages such as those described here. It also makes it possible for Fastmail to recover your account for you if you lose your password, and so on. What it doesn’t do is give you privacy or security in the same league as other services.

The Fastmail model requires you to trust the employees of the company since they have the ability to read your messages. With a service like ProtonMail or Tutanota, it is literally impossible for them to read your messages.

Data stored on servers in the United States

As we noted above, Fastmail stores user data on servers in the United States. From their support page:

Our main servers are located at New York Internet (NYI) in Bridgewater, New Jersey, USA. Their facility is a high security, video monitored location; with backup power, air conditioning, fire systems, 24x7x365 monitoring, and onsite technical support.

Our secondary sites at NYI’s Seattle location has equivalent physical security.

Data stored in the United States is also risky business. US laws permit authorities to demand access to user data while also giving them authority to server gag orders that prohibit the company from disclosing what happened. This has happened on at least two occasions with Lavabit and also Riseup.

Fastmail business features

When you choose the Fastmail Professional plan, You get a few business-specific capabilities. In addition to the ability to use your own domain name (instead of a pre-existing Fasmail domain), you get:

• Administrator controls and archiving
• Topicbox for team sharing

Topicbox is a sister product of Fastmail. It is a group email app for teams. It gives you a shared archive, where you (the Administrator) can create controlled-access groups to manage the messages and knowledge of your teams. Instead of forwarding and CC’ing messages, you can send them to the relevant group on Topicbox to streamline communications and keep information organized.

Support

The Fastmail Support area includes lots of useful information. This is good, since they don’t offer live chat and the only way to contact their support personnel is via email. Responses may take several hours.

Fastmail plans and pricing

Fastmail has three plans: Basic, Standard, and Professional. As you can see in the image below, the prices for each plan seem reasonable for the amount of storage and capabilities that they provide.

Note that there isn’t separate business pricing. The Professional plan’s support for up to 100 domains and 600 aliases along with various administrative controls, gives it the power to handle small businesses.

Should you consider Fastmail?

As always, whether an email service is right for you depends on your threat model. Here is a summary of specific factors to consider:

• Jurisdiction – Fastmail is based in Australia, but your data is stored in New York City and Amsterdam. Neither Australia nor NYC are good places to keep private data.
• PGP support – Does not support PGP. Can be added using browser extensions.
• Import feature – Fastmail has the ability to import mail from most other email services and can export messages as well.
• Email apps – A web-based client as well as integration with 3rd party desktop clients, along with iOS and Android apps.
• Encryption – Emails and attachments are not end-to-end encrypted. Servers are encrypted and protect at-rest data, but Fastmail can access all your data.
• Features – Includes a built-in calendar, contacts, notes, and file storage along with full text search of all the above.

From this list, we can see that Fastmail is not a good privacy choice. The service does not provide end-to-end encryption, which means that employees (as well as local governments) may access your unencrypted data. And neither Australia or the United States (where New York City is located) are very supportive of online privacy.

Fastmail alternatives

I find that suggesting alternatives to Fastmail is a little bit awkward. That’s because I don’t really see a practical niche for the product. Now don’t get me wrong. Keeping your data out of the hands of mega corporations like Microsoft or Google is a great idea.

But if you are going to switch from Gmail, Outlook.com, or similar services, why would you switch to a service like Fastmail that doesn’t provide real privacy? Services like Tutanota and ProtonMail are continuously adding features like Calendars and the ability to search your data, while also eliminating the need to trust them not to read your stuff themselves.

If you are going to make the switch to a new email service, I urge you to choose one of the strong private services – see our email reviews here.

Fastmail review conclusion

Is Fastmail a good choice for readers of RestorePrivacy.com? That depends on your threat model. If your only concern is that a mega corporation like Google or Microsoft doesn’t mine your email messages for advertising purposes, then Fastmail could be a good choice.

If you are looking for a secure and private email service that doesn’t rely on trusting the company’s employees or a bunch of nosy Australian police and politicians, then steer away from Fastmail.