When you are competing in the “secure email service” space against heavy hitters like ProtonMail and Tutanota, it helps to have an edge. Today, we are looking at Mailbox.org, another secure email service based in Germany.
Mailbox.org uses high-end security protocols to provide its users with privacy. But, it also resembles services like Office 365 or Google Workspace in terms of ease of use, so you can ramp up your productivity. This makes it a great alternative to Gmail – but with more privacy.
Mailbox.org includes the email, contacts, calendar, and file storage apps that you find in the leading email services, along with their own browser-based office suite of tools.
So let’s dive right into this Mailbox.org review and take a good look at what it has to offer. We will also cover how it compares with the competition. Let’s start!
Based in | Germany |
Storage | 2 – 100 GB |
Price | €1.00/mo. |
Free Tier | None |
Website | Mailbox.org |
+ Pros
- PGP support (server-side or E2E through Mailvelope app)
- Company and servers located in Germany with strong privacy protections
- HSTS and PFS for messages in transit
- Protected against man-in-the-middle attacks
- Message and spam filters; Virus protection
- POP, IMAP, SMTP, ActiveSync support
- vCard, CardDAV, CalDav support
- Messages are encrypted at rest
- Supports custom domains
- Mobile apps for some of the Office features
- Open source
– Cons
- No mobile email clients (but can be used with third-party email clients)
- Some tracking during registration
- PGP encryption leaves message subject and metadata exposed
Mailbox.org features overview
Mailbox.org has several features that help it stand out from the crowd of secure email services. These include:
- An expanded range of apps: Mail, Calendar, Address Book, Drive (cloud storage), Tasks, Portal (access to all apps), Text, Spreadsheet, Presentation, and Webchat
- An automatic, guided tour of all the features and apps
- A clean, three-pane UI with drag-and-drop capability
- Published Transparency Reports and a detailed Privacy Policy
- Top rating for Privacy and Data Protection by Stiftung Warentest
- Enhanced Security Certificate provided by SwissSign Certificate Authority
We’ll take an in-depth look at some of these features below.
About Mailbox.org
Mailbox.org is a product of Heinlein Support GmbH, based in Berlin, Germany. The email service is based on an earlier product, which was redesigned and rebranded as Mailbox.org for its 2014 relaunch. The service is privately funded and debt-free, protecting it from influence by outside investors. (Note that this is not the case with some other secure email providers, as we covered in the ProtonMail review.)
The mail servers are located in two geographically separate German locations and run in parallel. Heinlein Support GmbH owns and manages its own hardware rather than renting servers from third parties. According to their website, the company uses 100% green energy, and banks with the German Bank for Social Economy.
While Germany is generally considered one of the better places to base a secure mail service, the country is a party to the 14 Eyes intelligence agreement. The German Federal Intelligence Service reportedly cooperates with the United States National Security Agency (NSA) in digital surveillance. This may be worth considering depending on your threat model.
Despite this, Germany seems to be a popular location for email providers, as Posteo and Tutanota are also based here.
Mailbox.org technical specifications
Mailbox uses a full range of industry-standard encryption algorithms and communication protocols to protect and transport your messages. These include:
- PGP (Pretty Good Privacy)
- TLS/SSL (Transport Layer Security / Secure Sockets Layer)
- CSP (Content Security Policy)
- PFS (Perfect Forward Secrecy)
- HSTS (HTTP Strict Transport Security)
- CAA (Certificate Authority Authorization)
- MTA-STS (MTA Strict Transport Security)
- X-XSS (cross-site scripting protection header)
- DNSSEC (Domain Name System Security Extensions)
- DANE/TLSA (DNS-based Authentication of Named Entities / Transport Layer Security Authentication)
The service also supports POP, IMAP, SMTP, and ActiveSync for synchronizing with other mail services and clients.
Mailbox.org hands-on testing
As is my usual practice, I’ve conducted this Mailbox.org review using the free, 30-day trial version and the browser-based client. Thirty days is sufficient time to test out the service and decide whether you want to continue using it.
Signing up for Mailbox.org
The signup process was pretty simple, but we should talk about it before you do it.
As you will see later in this review, the Mailbox team can be required, by law, to turn over any information they have about you. This includes any information you provide to them during registration, such as your name and country.
However, the company has no way to confirm if the information you provided here is accurate. If you provide incorrect information during registration, they will turn over that information to the authorities. Keep this in mind as you go through the following steps.
Another thing to be aware of is that you will be required to complete a Google reCaptcha “to protect the service against spammers.”
Using reCaptcha to confirm that you are human is a potential privacy problem. The situation is somewhat complicated, and we don’t need to dig into the details here. A June 2019 article at Fast Company, “Google’s new reCAPTCHA has a dark side,” explains the potential privacy and usability issues if you want to learn more.
The registration process also asks you for a telephone number or alternative email address. I prefer services that don’t ask for this kind of information, but in this case, there’s a twist. Mailbox.org asks you for the telephone number or email address after your registration is complete. And handing over that information is optional.
The idea here is that you would give the company one or both of these if you want the ability to reset a lost or forgotten password. Giving you the option to trade additional personal information in exchange for help recovering your account is a great idea.
How to sign up to Mailbox
So, with all that out of the way, here’s how to create your preliminary account:
- Go to the registration page
- Click on the “Get Started Now” button
Unless you are sure you will want to use the Premium plan, I suggest you start with the Standard plan.
- Fill out the form and click on the Continue button at the bottom
- The Finish registration page is where you run into the requests for personal information as well as the reCaptcha. Fill out all the required fields, check all the boxes, and click the Create mailbox button. This will take you to the Your mailbox is set up page.
- Decide if you want to give Mailbox.org more data to make password reset possible. Keep in mind that they could be forced to turn over this data to the authorities on demand.
- Hit the Save & to the mailbox button. This will take you to the Portal.
The Portal – A unique Interface
Once you log in to your Mailbox.org account, you’ll know this isn’t your typical email service. The first thing you see is the Portal, a customizable interface that will help you navigate to the different sections of the service.
However, the Portal does much more than that. It also displays relevant information from each section, making it easy to do a quick status check of everything.
I recommend that you immediately take the short Welcome to mailbox.org Office tour to get acclimated to this unusual, yet very useful, interface. Once you finish, click the envelope icon in the green bar at the top of the window to move to the mail section.
The look and feel of Mailbox.org
Mailbox.org has an attractive, 3-pane user interface. Here’s the email section:
It looks a lot like the other email clients we’ve reviewed here and supports drag-and-drop as if it’s a dedicated client instead of a window in your browser.
You get all of the features you would expect: mail folders, message sorting (including sort by conversation), a reading pane, and the ability to sync to additional accounts.
Composing messages in Mailbox.org
You compose messages in a separate window that gives you access to all of the usual tools. There are also some premium features like signatures, read receipts, and the ability to attach vCards to your messages.
Once you’ve composed your message, you’ll just need to decide how you want to send it.
Sending messages
Mailbox.org lets you send messages with or without encryption, whether you are sending it to another user of the service or not. Sending regular messages doesn’t require any special effort on your part. However, sending encrypted ones takes a bit more work.
Sending encrypted messages
In the message composition window, click on the Open Lock icon at the bottom of the window (circled in red in the following image).
If this is the first time you do so, you will need to set up the Mailbox.org Guard. A wizard will pop up and guide you through the setup.
If you’re looking for ease of use, Mailbox.org seems like a good encrypted email service.
Guard runs on the Mailbox.org servers and uses the password you enter to PGP encrypt your messages. This makes using PGP super easy, but forces you to trust that your information is handled securely on their servers.
Note: Relying on the company’s server-side encryption is less secure than encrypting your messages on your device. Since even police departments and other government services are vulnerable to Chinese hackers and other groups, you should consider using end-to-end encryption. To do this, you’ll have to install Mailvelope, a browser plugin that manages your encryption keys and encrypts/decrypts messages on your device.
If the recipient of a message doesn’t use PGP, Mailbox.org gives them a link to a secure mailbox on the company’s servers where the recipient can view the message safely.
Receiving messages
Any messages you receive that are not encrypted will appear in your Inbox normally. If you receive an encrypted message, the message itself will be hidden and a form will appear in your Inbox asking you to enter your Guard password to decrypt the message.
Searching for messages
The message search box looks for words or phrases in the current folder. As you type into the box, you get the option to limit the portion of messages that get searched, as shown here:
Mailbox.org Calendar
The Calendar does everything you could ask for, including syncing with external calendars, setting recurring appointments, and scheduling meetings based on the schedules of all attendees.
Address Book (Contacts)
Mailbox.org organizes your contacts into address books that you can search. You can also import and export contacts using CSV format. We find this basic feature with most of the other secure email services we have reviewed.
Drive (File Storage)
Drive is Mailbox.org’s name for your cloud-based file storage. As you can see below, the storage is divided into folders that you can share with other people, allowing them to view or edit files in the shared folders.
This is a good, fully-featured storage system and another benefit of Mailbox.org.
Additional features of Mailbox.org
Beyond the tools we’ve covered so far, Mailbox.org gives every user a Task manager, Text editor, Spreadsheet, and Presentation app. All of them offer templates for business documents. Finally, there is even a chat app built in.
Mobile apps and integration with other email clients
Mailbox.org does not offer a dedicated mobile or desktop app. If you want to use this service without relying on your browser, you will need to use SMTP, POP, or IMAP to connect with one of the many available third-party email apps.
The company provides instructions for connecting your Mailbox.org account to many popular third-party apps, such as Thunderbird.
You can quickly see if your favorite apps are supported by searching through their Knowledge Base.
How Private and Secure is Mailbox.org?
Mailbox.org has a good reputation as a secure and private email service. Let’s challenge this, starting with their Data Protection & Privacy Policy and their Transparency Report.
Mailbox.org Data Protection & Privacy Policy
I like the Mailbox.org Data Protection & Privacy Policy document. It does a good job of explaining everything in plain language, including describing what data is logged, how long it is held, and what they can do with it.
The main takeaway is that they are compliant with Europe’s GDPR (General Data Protection Regulation) laws. While Mailbox.org promises to resist turning over data about its users whenever it can, its ability to do that is limited.
A few paragraphs from the Data Protection & Privacy Policy stand out:
According to Section 113 of the German Telecommunications Act (Telekommunikationsgesetz, TKG), the public prosecutor’s office and the police have relatively easy access to the so-called database data of a telecommunications provider like us. In this case, simple requests for information are sufficient without the need for a judge’s decision.
According to Section 113 of the Telecommunications Act, a telecommunications provider cannot legally defend itself against this request for information – it must be fulfilled. It should be noted that according to Section 113 (II) of the Telecommunications Act the provider must maintain silence about the request and may not inform the affected customer about the access.
Mailbox.org is required by law to turn over basic information about its users to the government on request, and banned by law from telling you about it.
Access to the log data of mail or web servers or the email content of a mailbox requires a judge’s decision to disclose/search, unless the investigating authorities can directly establish “imminent danger”. The telecommunications provider has no legal means at its disposal, even against the search order; it can no longer defend itself against the “confiscation” of the log data.
A judge can force Mailbox.org to turn over its logs without any recourse. Investigators can, likewise, force Mailbox.org to turn over its logs without any recourse if they can establish “imminent danger.”
However, we cannot judge whether the database data you provided when you registered is correct and accurate. If you encrypt your email traffic with PGP, we are also not able to make the content of these emails readable either.
While Mailbox.org has to turn over this data, if you register anonymously, use a good VPN provider to hide your IP Address, and encrypt all your messages with PGP, the data is likely to be of little use to whoever wants it. Two of our top recommendations are NordVPN and ExpressVPN.
Mailbox.org Transparency Report
Mailbox.org publishes yearly Transparency Reports on its site. The reports go back to 2013 (the entire life of the service), which is great. However, there isn’t really much information in the reports, as you can see here.
As the site says:
In 2020, a total of 43 requests were found to be formally unlawful and consequentially rejected. Of all unlawful requests, 20 were subsequently re-submitted with their formal issues remedied and processed. 23 requests were ultimately rejected. – All requests needed to be lawful and free of errors to receive an answer from us.
Even privacy-focused email services need to fulfill lawful demands for user data coming through official legal channels. To protect yourself, you could utilize the PGP encryption feature and also hide your IP address through a good VPN provider, since IP address logs are being recorded.
How secure is Mailbox.org?
Mailbox.org is a very secure service. It uses HTTPS (TLS/SSL) along with PFS to protect communication between your devices and their servers. But it doesn’t stop there. As stated on the website:
In order to rule out any data manipulation by third parties, we were one of the first providers to secure our domain with DNSSEC and DANE/TLSA. Moreover, whenever there is an opportunity to increase communication security further, we will do so. For example, we use mechanisms such as HSTS, CAA, CSP, MTA-STS and X-XSS to effectively prevent ‘man-in-the-middle’ attacks. This helps us make sure that your communication with our servers via SSL/TLS is truly secure.
The built-in Guard system provides easy-to-use, server-side PGP encryption, and you can boost your security even further by installing the Mailvelope plug-in and storing your encryption keys locally.
I like that the service applies PGP encryption to all messages at rest on their servers, whether or not they were encrypted originally.
Two additional security features help Mailbox.org stand out amongst secure email services:
- TLS-Check. A system that checks to see if a message “will be transmitted over secure SSL/TLS-encrypted connections – before it is actually sent!”
- alias@secure.mailbox.org domain. You can create an email alias with the secure.mailbox.org domain, which forces any messages from this address to travel over secure connections or not at all.
However, there is one drawback to the Mailbox.org security model. The PGP protocol does not support the encryption of message subject lines and metadata. There are also some other problems with PGP you may want to consider.
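The subject-line and metadata limitation described above can be seen by parsing a PGP/MIME message the way a mail server would. This is an added illustration, not code from Mailbox.org or from this review; the sample messages, addresses and placeholder ciphertext are constructed, and the function names are hypothetical.

```python
"""What a mail server can still read when only the body is PGP-encrypted."""
from email import message_from_string

ARMOR = "-----BEGIN PGP MESSAGE-----"
# Header fields that say who wrote to whom, when, and about what.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date",
                    "Message-ID", "In-Reply-To", "References")

# Constructed sample in PGP/MIME layout (RFC 3156). Addresses are made up and
# the ciphertext is a placeholder, not real OpenPGP data.
SAMPLE_PGP_MIME = """\
Received: from client.example.org by mx.example.net; Tue, 05 Mar 2024 09:14:09 +0100
From: Alice Example <alice@example.org>
To: bob@example.net
Subject: Q3 contract draft for review
Date: Tue, 05 Mar 2024 09:14:07 +0100
Message-ID: <constructed-0001@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(placeholder ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

# Constructed unencrypted message for comparison.
SAMPLE_PLAIN = """\
From: alice@example.org
To: bob@example.net
Subject: lunch?
Content-Type: text/plain

See you at noon.
"""


def encryption_kind(msg):
    """Return 'pgp-mime', 'pgp-inline' or 'none' for a parsed message."""
    protocol = str(msg.get_param("protocol", "")).lower()
    if (msg.get_content_type() == "multipart/encrypted"
            and protocol == "application/pgp-encrypted"):
        return "pgp-mime"
    # Inline PGP: an ASCII-armored block sitting inside an ordinary body part.
    for part in msg.walk():
        if not part.is_multipart() and ARMOR in (part.get_payload() or ""):
            return "pgp-inline"
    return "none"


def exposure_report(raw):
    """Summarise what anyone holding `raw`, but no private key, can read."""
    msg = message_from_string(raw)
    kind = encryption_kind(msg)
    # PGP encrypts the body only, so these fields are readable in every case.
    headers = {h: msg[h] for h in METADATA_HEADERS if msg[h] is not None}
    filenames = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return {
        "encryption": kind,
        "cleartext_headers": headers,
        "relay_hops": len(msg.get_all("Received", [])),
        "visible_filenames": filenames,
        "body_readable": kind == "none",
    }


if __name__ == "__main__":
    for name, raw in (("pgp-mime", SAMPLE_PGP_MIME), ("plain", SAMPLE_PLAIN)):
        report = exposure_report(raw)
        print(name, "->", report["encryption"],
              "| body readable:", report["body_readable"])
        for field, value in report["cleartext_headers"].items():
            print(f"    {field}: {value}")
```

For the encrypted sample the report still lists sender, recipient, subject, date and Message-ID, which is the data a provider or anyone with access to the stored message can see regardless of PGP.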
How private is Mailbox.org?
Based on what I found in their Data Protection & Privacy Policy, Mailbox.org does a good job of protecting your privacy.
Like any service with a physical location, they are subject to the laws of the country (Germany) they are located in. The company records as little personal information as possible and points out that they have no way to confirm that the personal information you do enter into their system is true (hint, hint).
Despite being a member of the 14 Eyes alliance, Germany has good privacy laws in general. Combining that with Mailbox.org’s compliance with GDPR means your communications and other data are about as private as they can get.
Assuming your threat model doesn’t involve activities that would cause a German judge to issue a court order for your messages, or would get the attention of national intelligence agencies like the NSA or Germany’s Bundesnachrichtendienst (BND), you should be fine.
Mailbox.org business features
Mailbox.org offers scalable and highly customizable email and groupware services for businesses. Their business offerings are really too diverse to list here. If you are looking for a SaaS email service that can be optimized for your business, check out their offerings here.
Support
Support is a potential problem area for Mailbox.org. While I have no complaints about them, I’ve seen quite a few criticisms floating around the net. While some people report fast, professional service, others complain of long waits for unprofessional responses.
Given this, it is good to know that the Mailbox.org website has links to an extensive Help/FAQ section as well as a fairly active User Forum.
Mailbox.org Plans and Pricing
With all the options they offer, it isn’t surprising that Mailbox.org pricing is complicated. Here are the individual options:
Business price plans
Mailbox.org also offers a full range of business price plans. There are three service packages (Silver, Gold, and Platinum) along with lots of options for the number of email inboxes and storage capacity. If they don’t meet your needs, you can also contact Mailbox.org for a personalized quote.
To get all the details on the Mailbox.org business plans, visit this page.
FAQ
Here are some commonly asked questions that I came across while doing this review.
Does Mailbox.org have a free plan?
No, Mailbox.org does not have a free plan. They do offer a 30-day free trial that you can sign up for without providing a credit card. That said, their most basic plan, the Light plan, only costs €1 per month, which is pretty darn close to free.
Is Mailbox.org the best secure email service for you?
Whether Mailbox.org is the best secure email service for you depends on your threat model as well as whether or not you will benefit from all of its extra features. Here’s my summary of factors you should consider relative to your threat model:
- Jurisdiction – Mailbox.org is based in and has servers in Germany.
- PGP support – It includes server-side PGP encryption and supports Mailvelope, so you can improve your security by using end-to-end encryption.
- Import feature – Uses Audriga service to import your data from other services.
- Email apps – Mailbox.org is a web-based client that can sync with third-party apps.
- Encryption – Emails and attachments are encrypted in transit. Messages are encrypted at rest on Mailbox.org servers. See our encrypted email guide for more info.
- Features – Offers a cloud-based office suite in addition to a full set of email-related apps.
- Open Source Code – Most code is Open Source. Per their website, “Internal backend infrastructure (‘Glue’, internal API-Server, backup scripts, maintenance scripts, anti-abuse detection systems, process logic) are developed by us and not open source.”
What are some Mailbox.org alternatives?
Mailbox.org is a very unique email service. As such, we didn’t find any other provider that offers its combination of secure email, complete office suite, and optional team and business features.
But, if you don’t like this service and don’t need any of the special features it offers, you will probably be happy with one of these:
- ProtonMail (see our ProtonMail review)
- StartMail (see our StartMail review)
Mailfence and Posteo are other popular alternatives we’ve reviewed that may also be worth considering.
Our secure email roundup discusses these and other options as well.
Mailbox.org review conclusion
Mailbox.org is a very secure and affordable email service. It also offers a lot of additional value with its built-in office suite and tools for teams and big businesses. If you don’t mind dealing with a service based in 14 Eyes member country Germany, you should take advantage of its 30-day free trial. Mailbox.org is a contender.
You can see all our other email reviews here:
- ProtonMail Review
- Tutanota Review
- Mailfence Review
- Hushmail Review
- Posteo Review
- Fastmail Review
- Runbox Review
- StartMail Review
This Mailbox.org review was last updated on January 19, 2024.
GDDYdotORG
I like reading this and many other articles on Restoreprivacy. But the world is changing big time since COVID-19, stories, wars etc today’s happen where unbelievable when you mention it 5 yrs ago. Without picking sides, look EU countries just follow their own agenda, no matter when law is broke to get their goal. Before pointing our fingers to countries in the Middle East about violation human rights, or point to Asia where the police or other officials are corrupt and for sale. Now we see it happen in our own country maybe more often, just the story around to cover it up is better? USA is now (try?) to change the law on President Trump’s security for take away this profit for ex-presidents. The only reason after the hunt on him without the results they want is to make him a target, to kill. Look the interviews with FBI and others who you must trust to serve and protect but it is all a lie. Google Pixels with GrapheneOS is a good example for some privacy and security minded project, but now already has the name only criminals using this. Protonmail only give some data when the SWISS government ask them, 99% think then we are safe, but last week we saw Spain ask the SWISS government, who ask Protonmail who gave the recovery mail address what exposed the person behind the Protonmail account. So without any problems with the SWISS, other countries just ask the SWISS government, who ask Protonmail. People can still use privacy friendly projects, but need to understand how they work and stop betting their lives on it. This website gives a lot of info for that, and even with my poor English, I wanna thank you team!
Seth
I’m highly concerned. During the Israel bombing Palestinians campaign of October 2023, all the way in Germany, the German police force started raiding Muslims who could possibly be “suspicious”. No proof of any crimes. They looked through their bank and computer accounts!! They took some to the police station!
I have a German email provider. I don’t live there. I’m happy with my email service but I’m thinking of moving services. I’m not Muslim but so what. It’s a sneak peek of their overreach.
User
While I was liking everything about what I was reading here and on their site.
However once I started digging into their privacy policy I’m seeing a lot of things I don’t like in relation to logging.
A lot of recording of Message IDs in various logs, forcing your name onto your primary email address, recording account names in various places, essentially limited browser fingerprints etc etc…
And with the direction the EU is going…. All of what I’m seeing hardly qualifies as private in my opinion.
Even with their onion services which I liked I’ll grant you, it’s enough to turn me off at this point.
Carol
Nice review. I have been using mailbox.org for a while now, and unfortunately found some issues that are just deal breakers for me. So I still have it (paid for it) but have since moved on.
1. They filter out your spam for you. Suspected spam does not go into a spam mail folder for you to sort – it is rejected. I missed out on some important mail, and had no idea I had until I was contacted via other means. This is poor, I’m a big girl and do not need my emails (suspected spam or otherwise) rejected for me without me even knowing.
2. Emails took forever to turn up in my mailbox inbox. Like up to 30 minutes or more. It drove me mad.
Pity really, initially I thought it had so much promise.
Hemi Cuda
Mailbox.org has the option to mark and send spam to the junk folder. The default is reject back to sender, but you can change that in the settings.
As for a delay, I have not seen that in my three years on Mailbox.
Victor
I saw on the website of mailbox.org that if a new user receives an invitation from an existing customer, they can get a discount for two years of service at the price of one year. Can anyone who has subscribed for the service send me an invitation? Link?
Anonymous
I’ve been using mailbox.org for about 6 months now. I really appreciated the review on this site, which helped me find them and choose them. Some features that were important to me:
(1) They support POP3—I like to keep messages on my own computer, not leave them “in the cloud”. I use the service with The Bat!, so I don’t use any of their web-based services.
(2) They allow lots of free aliases. I can configure The Bat! so messages for some aliases go into an inbox for that particular alias, and others go into the main inbox I have for mailbox.org.
(3) They allow lots of custom domains. With my standard account they allow 50 aliases with custom domains. I was amazed that they do not have a separate limit for custom domains: if I had only one alias for each custom domain, I could have 50 custom domains. I have 2 now, which is all I need at the moment. Their Support has been very helpful, especially regarding setting up the custom domains. They answer email inquiries in a day or two.
I think their charge for a standard account (€3/month) is reasonable, less than ProtonMail (which does not support POP3) but more than Tutanota. There is a lot I like about Tutanota, but there are so many more features that The Bat! has than the Tutanota client that I prefer using The Bat! Of course, Tutanota does not support POP3 or IMAP and cannot be used with any third-party email client.
I am slowly transitioning my correspondents and online accounts to my new email addresses. (I started using my custom domains at the same time as I started using mailbox.org.) Later I plan to transition family members, and we will have a team account for which I will be the administrator. I have had many questions along the way as to how to do something that wasn’t clear enough on their website, and Support answered my questions, but I have never had any technical problems whatsoever with mailbox.org.
In response to the comment in another review—“I haven’t given them any personal info and a payment through Paypal.”—I asked Support about privacy with different payment options, and I found out that PayPal actually passes on more information to them than their credit card processor. PayPal sends the customer’s name and email address, whereas for a typical credit card transaction, they do not receive customer’s name, address, or email address (but this may differ from one transaction to the next, depending on the card, issuer, etc.); the information they receive includes the issuer’s name and issuer’s country.
toto
Be AWARE that Mailbox.org allows any user to send emails as (“from”) any other user via SMTP and these emails will look legit since they pass SPF and DKIM checks. Many consider this a security issue!!!
There was a quite lengthy discussion about this in their forum but they deleted it since. They refused to fix it. Archive.org still has it. Content is in German (sorry):
https://web.archive.org/web/20210123192856/https://userforum.mailbox.org/topic/mailbox-org-smtp-server-stellt-mails-mit-gefakten-absender-zu
Source:
https://news.ycombinator.com/item?id=30224906
https://userforum-en.mailbox.org/topic/anti-spoofing-for-custom-domains-spf-dkim-dmarc
nadiva
I like this behaviour as long as my team members can cooperate. I probably use this feature nonstop. They implement IP whitelisting feature now and that one is far more beneficial than this glitch. That’s what they should focus on.
stuzbot
On the 30 day free trial, you can only send emails to other mailbox.org accounts. Which makes it impossible to test the speed of their email servers by sending a test message to one of your other email accounts elsewhere. What a ridiculous restriction!
koko
“located in Germany with strong privacy protections”
Germany is just becoming a hell of a surveillance state. nada priv prot
Clare
I’ve had mailbox.org for years. My needs are simple so having the full office setup complete with calendar is great for stuff like a wedding or family reunion. I have a standard box, never had any problems or had to access a “captcha”. I haven’t given them any personal info and a payment through Paypal. I can only give my experience and the only gripe I have is the length of time it takes to get an email if you are waiting for a verification for an account at an online store or something. I don’t like giving out cell numbers or basically any numbers and they give me enough aliases to use and go. I got a three year deal and paid waaaay less than €3.00 a month. At the time I think it was about $35 for three years, but everything has gone up everywhere. One thing I appreciate is Mailbox.org advocates for freeing mail services in more restrictive countries and offers help for other causes as well. I’m in my late 70’s and for my money they’re great! I also wanted to pass on a great program to Sven for erasing anything! It’s open source and at [https://www.bleachbit.org]… Thanks
RS
In the comparison of subscriptions, the €9 and €3 options include GDPR-compliant CDP agreement, while the €1 light option does not. What are the implications of this?
David
If I don’t send nor receive encrypted emails, will my messages on the servers still be private? I don’t like the fact that gmail and like mine and profile everything I send and receive and wonder if mailbox.org is a good alternative. I like that it works with Mail.app on Mac (unlike protonmail and tutamail). Thanks!