When you are competing in the “secure email service” space against heavy hitters like ProtonMail and Tutanota, it helps to have an edge. Today we are looking at Mailbox.org, another secure email service based in Germany. So how does it stack up to the competition? This Mailbox.org review will give you all the answers.
Mailbox.org is a top performer with its use of top-end security protocols and strong privacy protections. But it also resembles services like Office 365 or the Google suite of productivity tools. This makes it a great alternative to Gmail, but with more privacy.
Mailbox.org includes the email, contacts, calendar, and file storage apps that you find in the leading email services, along with their own browser-based office suite of tools.
So let’s dive right into this Mailbox.org review and take a good look at what it has to offer.
Pros
- PGP support (server-side or E2E through Mailvelope app)
- Company and servers located in Germany with strong privacy protections
- HSTS and PFS for messages in transit
- Protected against man-in-the-middle attacks
- Message and spam filters
- Virus protection
- Full text search
- POP, IMAP, SMTP, ActiveSync support
- vCard, CardDAV, CalDav support
- Messages are encrypted at rest
- Supports custom domains
- Mobile apps for some of the Office features
- Open source
Cons
- No mobile email clients (but can be used with third-party email clients)
- Some tracking during registration
- PGP encryption leaves message subject and metadata exposed
Mailbox.org features overview
Mailbox.org has several features that help it stand out from the crowd of secure email services. These include:
- An expanded range of apps: Mail, Calendar, Address Book, Drive (cloud storage), Tasks, Portal (access to all apps), Text, Spreadsheet, Presentation, Webchat
- An automatic, guided tour of all the features and apps
- A clean, three-pane UI with drag-and-drop capability
- Top rating for Privacy and Data Protection by Stiftung Warentest
- Enhanced Security Certificate provided by SwissSign Certificate Authority
We’ll take an in-depth look at some of these features below.
Mailbox.org company information and history
Mailbox.org is a product of Heinlein Support GmbH, based in Berlin, Germany. The email service is based on an earlier product, which was redesigned and rebranded as Mailbox.org for its 2014 relaunch. The service is privately funded and debt-free, protecting it from influence by outside investors. (Note that this is not the case with some other secure email providers, as we covered in the ProtonMail review.)
The mail servers are located in two geographically separate German locations and run in parallel. Heinlein Support GmbH owns and manages their own hardware rather than renting servers from third parties. According to their website, the company uses 100% green energy, and banks with the German Bank for Social Economy.
While Germany is generally considered one of the better places to base a secure mail service, the country is a party to the 14 Eyes intelligence agreement. The German Federal Intelligence Service reportedly cooperates with the United States National Security Agency (NSA) in surveillance matters. This may be worth considering depending on your threat model.
Mailbox.org technical specifications
Mailbox uses a full range of industry-standard encryption algorithms and communication protocols to protect and transport your messages. These include:
- PGP (Pretty Good Privacy)
- TLS/SSL (Transport Layer Security / Secure Sockets Layer)
- PFS (Perfect Forward Secrecy)
- HSTS (HTTP Strict Transport Security)
- CAA (Certificate Authority Authorization)
- MTA-STS (MTA Strict Transport Security)
- X-XSS (cross site scripting protection header)
- DNSSEC (Domain Name System Security Extensions)
- DANE/TLSA (DNS-based Authentication of Named Entities / Transport Layer Security Authentication)
The service also supports POP, IMAP, SMTP, and ActiveSync for synchronizing with other mail services and clients.
Mailbox.org hands-on testing
As is my usual practice, I’ve conducted this Mailbox.org review using the free, 30-day trial version and the browser-based client. Thirty days is sufficient time to test out the service and decide whether you want to continue using it.
Signing up for Mailbox.org
The signup process was pretty simple, but we should talk about it before you do it.
As you will see later in this review, the Mailbox team can be required, by law, to turn over any information they have about you. This includes any information you provide to them during registration, such as your name and country.
However, the company has no way to confirm if the information you provided here is accurate. If you provide incorrect information during registration, they will turn over that information to the authorities. Keep this in mind as you go through the following steps.
The other thing to be aware of before going through these steps is that you will be required to complete a Google reCaptcha “to protect the service against spammers.”
Using reCaptcha to confirm that you are human is a potential privacy problem. The situation is somewhat complicated, and we don’t need to dig into the details here. A June 2019 article at Fast Company, “Google’s new reCAPTCHA has a dark side,” explains the potential privacy and usability issues if you want to learn more.
The registration process also asks you for a telephone number or alternative email address. I prefer services that don’t ask for this kind of information, but in this case there’s a twist. Mailbox.org asks you for the telephone number or email address after your registration is complete. And handing over that information is optional.
The idea here is that you would give the company one or both of these, if you want the ability to reset a lost or forgotten password. Giving you the option to trade additional personal information in exchange for help recovering your account is a great idea.
So with all that preliminary stuff out of the way, here’s how to create your preliminary account:
- Go to the registration page at https://register.mailbox.org/en.
- Click one of the two “Get Started. Try it free for 30 days” buttons. Unless you are sure you will want to use the Premium plan, I suggest you start with the Standard plan. This will take you to the Get the address you want page.
- Fill out the information on this page and click the Continue button at the bottom of the form. This will take you to the Finish registration page.
- This page is where you run into the requests for personal information as well as the reCaptcha. Fill out all the required fields, check all the boxes and click the Create mailbox button. This will take you to the Your mailbox is set up page.
- Here you have to decide if you want to provide the company with additional information that will make it possible to do a password reset, remembering that they could also be forced to turn over this information to the authorities on demand. Fill out this form as you wish. When you are ready, hit the Save & to the mailbox button. This will take you to the Portal.
Once you log in to your Mailbox.org account, you’ll know this isn’t the typical email service. The first thing you see is the Portal, a customizable interface to the various sections of the service.
The Portal does more than help you navigate to the different sections of the service. It also displays relevant information from each section, making it easy to do a quick status check of everything.
I recommend that you immediately take the short Welcome to mailbox.org Office tour to get acclimated to this unusual, yet very useful, interface. Once you finish, click the envelope icon in the green bar at the top of the window to move to the mail section.
The look and feel of Mailbox.org
Mailbox.org has an attractive, 3-pane user interface. Here’s the email section:
It looks a lot like the other email clients we’ve reviewed here and supports drag-and-drop as if it were a dedicated client instead of a window in your browser.
You get all the features you would expect: mail folders, message sorting (including sort by conversation), a reading pane, and the ability to sync to additional accounts.
Composing messages in Mailbox.org
You compose messages in a separate window that gives you all the features you would expect. You also get niceties like signatures, read receipts, and the ability to attach vCards to your messages.
Once you’ve got your message composed, you just need to decide how you will send it.
Mailbox.org lets you send messages in the clear or encrypted, whether you are sending to another user of the service or not. Sending messages in the clear doesn’t require any special effort on your part. Sending encrypted messages takes a bit more work.
Sending encrypted messages
In the message composition window, click the Open Lock icon at the bottom of the window (circled in red in the following image). If this is the first time you do so, you will need to set up the Mailbox.org Guard feature. The first time you use Guard, a wizard will pop up and guide you through setting it up.
This makes Mailbox.org a good solution for encrypted email.
Guard runs on the Mailbox.org servers and uses the password you enter to PGP encrypt your messages. This makes using PGP super easy, but forces you to trust that your information is handled securely on their servers.
Note: Relying on the company’s server-side encryption is less secure than encrypting your messages on your device. When even police departments and other government services are vulnerable to Chinese hackers and other groups, consider going end-to-end. To get end-to-end encryption of your messages, install Mailvelope, a browser plug-in that manages your encryption keys on your device and encrypts/decrypts messages on your device as well.
If the recipient of a message doesn’t use PGP, Mailbox.org gives them a link to a secure mailbox on the company’s servers where the recipient can view the message safely.
Any messages you receive that are not encrypted will appear in your Inbox normally. If you receive an encrypted message, the message itself will be hidden and a form will appear in your Inbox asking you to enter your Guard password to decrypt the message.
Searching for messages
The message search box looks for words or phrases in the current folder. As you type into the box, you get the option to limit the portion of messages that get searched, as shown here:
The Calendar does everything you could ask for, including syncing with external calendars, setting recurring appointments, and scheduling meetings based on the schedules of all attendees.
Address Book (Contacts)
Mailbox.org organizes your contacts into address books that you can search. You can import and export contacts using CSV format. We find this basic feature with most of the other secure email services we have reviewed.
Drive (File Storage)
Drive is Mailbox.org’s name for your cloud-based file storage. As you can see below, the storage is divided into folders which you can share with other people for either viewing the contents of folders, or viewing and editing files in the shared folders.
This is a good, fully-featured storage system and another benefit of Mailbox.org.
Other elements of Mailbox.org
Beyond the features we’ve seen so far, Mailbox.org gives every user a Task manager, Text editor, Spreadsheet, Presentation app, all with templates for business documents. There is even a chat app built in.
Mobile apps and integration with other email clients
Mailbox.org does not offer a dedicated mobile or desktop app. If you want to use this service without relying on your browser, you will need to use SMTP, POP, or IMAP to connect with one of the many available third-party email apps.
The company provides instructions for connecting your Mailbox.org account to many popular third-party apps, such as Thunderbird.
Search the Knowledge Base to see if your favorite apps are supported.
Is Mailbox.org Really Secure? Is it Really Private?
The main takeaway is that they are compliant with Europe’s GDPR (General Data Protection Regulation) laws. While Mailbox.org promises to resist turning over data about its users whenever it can, their ability to do that is limited.
According to Section 113 of the German Telecommunications Act (Telekommunikationsgesetz, TKG), the public prosecutor’s office and the police have relatively easy access to the so-called database data of a telecommunications provider like us. In this case, simple requests for information are sufficient without the need for a judge’s decision.
According to Section 113 of the Telecommunications Act, a telecommunications provider cannot legally defend itself against this request for information – it must be fulfilled. It should be noted that according to Section 113 (II) of the Telecommunications Act the provider must maintain silence about the request and may not inform the affected customer about the access.
Mailbox.org is required by law to turn over basic information about their users to the government on request, and banned by law from telling you about it.
Access to the log data of mail or web servers or the email content of a mailbox requires a judge’s decision to disclose/search, unless the investigating authorities can directly establish “imminent danger”. The telecommunications provider has no legal means at its disposal, even against the search order; it can no longer defend itself against the “confiscation” of the log data.
A judge can force Mailbox.org to turn over its logs without any recourse. Investigators can likewise force Mailbox.org to turn over its logs without any recourse if they can establish “imminent danger.”
However, we cannot judge whether the database data you provided when you registered is correct and accurate. If you encrypt your email traffic with PGP, we are also not able to make the content of these emails readable either.
While Mailbox.org has to turn over this data, if you register anonymously, use a good VPN provider to hide your IP Address, and encrypt all your messages with PGP, the data is likely to be of little use to whoever wants it.
Mailbox.org Transparency Report
Mailbox.org publishes yearly Transparency Reports on their site. The reports go back to 2013 (the entire life of the service), which is great. However, there isn’t really much information in the reports, as you can see here.
They received 72 requests, finally rejected 13 of them, and supplied the user data that was requested in the other 59 cases.
Even privacy-focused email services need to fulfill lawful demands for user data coming through official legal channels. To protect yourself, you could utilize the PGP encryption feature and also hide your IP address through a good VPN provider, since IP address logs are being recorded.
How secure is Mailbox.org?
Mailbox.org is a very secure service. They use HTTPS (TLS/SSL) along with PFS to protect communications between your devices and their servers. But they don’t stop there. As they state on their site,
In order to rule out any data manipulation by third parties, we were one of the first providers to secure our domain with DNSSEC and DANE/TLSA. Moreover, whenever there is an opportunity to increase communication security further, we will do so. For example, we use mechanisms such as HSTS, CAA, CSP, MTA-STS and X-XSS to effectively prevent ‘man-in-the-middle’ attacks. This helps us make sure that your communication with our servers via SSL/TLS is truly secure.
The built-in Guard system provides easy-to-use, server-side PGP encryption, and you can boost your security even further by installing the Mailvelope plug-in and storing your encryption keys locally.
I like that the service applies PGP encryption to all messages at rest on their servers, whether or not they were encrypted originally.
Two additional security features help Mailbox.org stand out amongst secure email services:
- TLS-Check. A system that checks to see if a message “will be transmitted over secure SSL/TLS-encrypted connections – before it is actually sent!”
- secure.mailbox.org domain. You can create an email alias with the secure.mailbox.org domain, which forces any messages from this address to travel over secure connections or not at all.
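The "secure connection or not at all" decision can be expressed with MTA-STS (RFC 8461), one of the mechanisms listed earlier. The following is an added example, not Mailbox.org's TLS-Check code; the policy text, host names and function names are constructed for illustration.

```python
# Constructed policy, in the format a receiving domain serves at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mx1.recipient.example
mx: *.mail.recipient.example
max_age: 604800
"""


def parse_policy(text: str) -> dict:
    """Parse and validate an MTA-STS policy body."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    # A missing or non-numeric max_age raises ValueError here.
    policy["max_age"] = int(policy.get("max_age", ""))
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy needs at least one mx")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """Match an MX host name against one policy 'mx' pattern."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        return host.partition(".")[2] == pattern[2:]
    return host == pattern


def delivery_decision(policy: dict, mx_host: str,
                      tls_ok: bool, cert_valid: bool) -> str:
    """Decide what a sending server does before handing over the message."""
    if policy["mode"] == "none":
        return "deliver"
    listed = any(mx_matches(p, mx_host) for p in policy["mx"])
    if listed and tls_ok and cert_valid:
        return "deliver"
    # enforce: do not fall back to cleartext or an unlisted host.
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    print(delivery_decision(pol, "mx1.recipient.example", True, True))
    print(delivery_decision(pol, "mx1.recipient.example", False, False))
```
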
There is one drawback to the Mailbox.org security model. The PGP protocol does not support the encryption of message subject lines and metadata. There are also some other problems with PGP you may want to consider.
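To make that drawback concrete, this added example (not code from Mailbox.org or Mailvelope) parses a stored PGP/MIME message and reports what is readable without any private key. The sample message, its addresses and subject are constructed, and the armored block is a placeholder rather than real ciphertext; the function also classifies inline-PGP and cleartext messages, which goes slightly beyond the case in the text.

```python
from email import message_from_bytes, policy

# Constructed sample: a PGP/MIME (RFC 3156) message as it sits on a server.
SAMPLE_PGP_MIME = b"""\
Received: from mx.sender.example (mx.sender.example [192.0.2.10])
 by mx.recipient.example; Mon, 15 Jan 2024 09:30:02 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: Q3 contract draft for review
Date: Mon, 15 Jan 2024 09:30:00 +0000
Message-ID: <constructed-1@sender.example>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END PGP MESSAGE-----

--b1--
"""

# Headers that travel and are stored outside the OpenPGP envelope.
METADATA = ("received", "from", "to", "cc", "subject", "date", "message-id")
ARMOR = b"-----BEGIN PGP MESSAGE-----"


def exposure_report(raw: bytes) -> dict:
    """Return what is readable without any private key."""
    msg = message_from_bytes(raw, policy=policy.default)
    headers = {}
    for name, value in msg.items():
        if name.lower() in METADATA:
            headers.setdefault(name, []).append(str(value))
    pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                and msg.get_param("protocol") == "application/pgp-encrypted")
    ciphertext_bytes, readable_text = 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        if ARMOR in body:
            ciphertext_bytes += len(body)  # the size is still observable
        elif part.get_content_type() == "text/plain":
            readable_text.append(body.decode("utf-8", "replace").strip())
    mode = ("pgp-mime" if pgp_mime
            else "inline-pgp" if ciphertext_bytes else "cleartext")
    return {"mode": mode, "headers": headers,
            "ciphertext_bytes": ciphertext_bytes, "readable_text": readable_text}


if __name__ == "__main__":
    report = exposure_report(SAMPLE_PGP_MIME)
    print(report["mode"], report["ciphertext_bytes"])
    for name, values in report["headers"].items():
        print(f"{name}: {values}")
```
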
How private is Mailbox.org?
Like any service with a physical location, they are subject to the laws of the country (Germany) they are located in. The company records as little personal information as possible and points out that they have no way to confirm that the personal information you do enter into their system is true (hint, hint).
Despite being a member of the 14 Eyes alliance, Germany has good privacy laws in general. Combining that with Mailbox.org’s compliance with GDPR means your communications and other data are about as private as you can expect. Assuming your threat model doesn’t involve activities that would cause a German judge to issue a court order for your messages, or would get the attention of national intelligence agencies like the NSA or Germany’s Bundesnachrichtendienst (BND), you should be fine.
Mailbox.org business features
Mailbox.org offers scalable and highly customizable email and groupware services for businesses. Their business offerings are really too diverse to list here. If you are looking for a SaaS email service that can be optimized for your business, check out their offerings here.
Support is a potential problem area for Mailbox.org. While I have no complaints about them, I’ve seen quite a few criticisms floating around the net. While some people report fast, professional service, others complain of long waits for unprofessional responses.
Mailbox.org Plans and Pricing
With all the options they offer, it isn’t surprising that Mailbox.org pricing is complicated. Here are the individual options:
Business price plans
Mailbox.org also offers a full range of business price plans. There are three service packages, Silver, Gold, and Platinum, along with lots of options for the number of email inboxes and storage capacity. If these options don’t meet your needs, you can also contact Mailbox.org for a personalized quote.
To get all the details on the Mailbox.org business plans, visit this page.
Here are some commonly asked questions that I came across while doing this review.
Does Mailbox.org have a free plan?
No, Mailbox.org does not have a free plan. They do offer a 30-day free trial that you can sign up for without providing a credit card. That said, their most basic plan, the Light plan, only costs €1 per month, which is pretty darn close to free.
Is Mailbox.org the best secure email service for you?
Whether this is the best secure email service for you depends on your threat model as well as whether or not you will benefit from all the extras that this service gives you. I can’t really help you with that part of the equation, but here’s my summary of factors you should consider relative to your threat model:
- Jurisdiction – Mailbox.org is based in Germany and its servers are in Germany.
- PGP support – Includes server-side PGP encryption. Supports Mailvelope for extra secure end-to-end encryption.
- Import feature – Uses Audriga service to import your data from other services.
- Email apps – A web-based client. Can sync with third-party apps.
- Encryption – Emails and attachments encrypted in transit. Messages encrypted at rest on Mailbox.org servers.
- Features – Offers cloud-based office suite in addition to a full set of email-related apps.
- Open Source Code – Most code is Open Source. Per their website, “Internal backend infrastructure (‘Glue’, internal API-Server, backup scripts, maintenance scripts, anti-abuse detection systems, process logic) are developed by us and not open source.”
What are some Mailbox.org alternatives?
If for some reason you don’t like Mailbox.org, but still want all the features it offers, I’m not sure that there is an alternative out there. Their combination of secure email, with a complete office suite and optional team and business features, is unique in my experience.
If you don’t like this service and don’t need any of the special features it offers, you will probably be happy with one of these:
Mailfence and Posteo are two other popular alternatives we’ve reviewed that may also be worth considering.
Our secure email roundup discusses these and other options as well.
Mailbox.org review conclusion
Mailbox.org is a very secure email service at a bargain price. It also offers a lot of additional value with its built-in office suite and tools for teams and big businesses. If you don’t mind dealing with a service based in 14 Eyes member country Germany, you should take advantage of their 30-day free trial. Mailbox.org is a contender.