
Secure and Private Email Services

January 11, 2021 By Sven Taylor


Are your emails and attachments safe from prying eyes?

Unless you are using a secure email service that respects your privacy, the answer is probably no.

Most large email providers, such as Gmail and Yahoo, do not respect the privacy of your inbox. For example,

  • Gmail was caught giving third parties full access to user emails and also tracking all of your purchases.
  • Advertisers are allowed to scan Yahoo and AOL accounts to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.”
  • Yahoo was also caught scanning emails in real-time for US surveillance agencies.

Another concern is where your email service is located and how this may affect your data and privacy. Some jurisdictions have laws to protect data privacy (Switzerland), while others have laws in place to erode it (United States). We’ll cover this in more detail below.

On a positive note, there is a relatively simple solution for keeping your inbox more secure: switch to a secure email provider that respects your privacy.

What is the best secure email service?

With so many different types of users, there is no single “best secure email” service that will be the top choice for everyone.

While some may prioritize maximum security and strong encryption, others may want convenience and simplicity with user-friendly apps for all devices.

Here are just a few factors to consider when switching to a secure email provider:

  • Jurisdiction – Where is the service located and how does this affect user privacy? Where is your data physically stored?
  • PGP support – Some secure email providers support PGP, while others do not use PGP due to its vulnerabilities and weaknesses.
  • Import feature – Can you import your existing emails and contacts?
  • Email apps – Due to encryption, many secure email services cannot be used with third-party email clients, but some also offer dedicated apps.
  • Encryption – Are the emails end-to-end encrypted in transit? Are emails and attachments encrypted at rest?
  • Features – Some features you may want to consider are contacts, calendars, file storage, inbox search, collaboration tools, and support for DAV services.
  • Security – What are the provider’s security standards and policies?
  • Privacy – How does the email service protect your privacy? What data is being collected, for how long, and why?
  • Threat model – How much privacy and security do you need and which service best fits those needs?

The goal of this guide is to help you find the best secure email solution for your unique needs.

This list is not in rank order. (Choose the best secure email service for you based on your own unique needs!)

Here are the most secure email providers that protect your privacy.

1. ProtonMail – Secure email in Switzerland

Based in: Switzerland
Storage: 5 - 20 GB
Price: $4.00/mo.
Free Tier: Up to 500 MB
Website: ProtonMail.com


ProtonMail is a Switzerland-based email service that enjoys a great reputation in the privacy community. It was started by a team of academics working at MIT and CERN in 2014. Shortly thereafter, it was promoted in American media as “the only email system the NSA can’t access” – which was around the time Lavabit was shut down for not cooperating with the US government.

Looking at the service itself, ProtonMail does a lot of things right. It utilizes PGP encryption standards for email and stores all messages and attachments encrypted at rest on Swiss servers. ProtonMail has a unique feature for “self-destructing messages” and they have also added address verification and full PGP support.

Regarding encryption, however, it’s important to note that ProtonMail does not encrypt subject lines of emails, which is an inherent limitation with PGP (not ProtonMail). Additionally, the ProtonMail search function can only search subject lines within your inbox, but not the actual content of your emails. This is another functional limitation that comes from integrating more encryption and security into the service.
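The subject-line limitation described above can be checked on any raw message, and the same check extends to the "strips IP address" claim made for several providers in this guide. The following Python script is an added example, not code from Restore Privacy or any provider; the sample messages, addresses, host names and the 203.0.113.45 documentation IP are constructed for illustration.

```python
"""Report what a PGP/MIME message still exposes outside the ciphertext."""
import ipaddress
import re
from email import message_from_string
from email.utils import collapse_rfc2231_value

ARMOR = "-----BEGIN PGP MESSAGE-----"
SENSITIVE = ("Subject", "From", "To", "Cc", "Date")
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample: headers plus an RFC 3156 PGP/MIME body (placeholder ciphertext).
COMMON = """\
From: Alice <alice@example.org>
To: Bob <bob@example.com>
Subject: Q4 acquisition terms
Date: Mon, 11 Jan 2021 09:12:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# Constructed: a provider that records the submitting client's address.
LEAKY = (
    "Received: from [203.0.113.45] (helo=laptop.example) by mx.example.net "
    "with ESMTPSA; Mon, 11 Jan 2021 09:12:01 +0000\n"
    "X-Originating-IP: [203.0.113.45]\n" + COMMON
)
# Constructed: a provider that strips the client address before relaying.
STRIPPED = (
    "Received: from localhost ([127.0.0.1]) by mx.example.net "
    "with ESMTPSA; Mon, 11 Jan 2021 09:12:01 +0000\n" + COMMON
)


def is_pgp_encrypted(msg):
    """True for PGP/MIME (multipart/encrypted) or inline ASCII-armored bodies."""
    proto = msg.get_param("protocol")
    if proto is not None:
        proto = collapse_rfc2231_value(proto).lower()
    if msg.get_content_type() == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return True
    for part in msg.walk():
        body = None if part.is_multipart() else part.get_payload()
        if isinstance(body, str) and ARMOR in body:
            return True
    return False


def cleartext_headers(msg):
    """Headers that stay readable to every relay, even when the body is encrypted."""
    return {name: msg[name] for name in SENSITIVE if msg[name] is not None}


def client_ips(msg):
    """Sender addresses found in X-Originating-IP or the first-hop Received header."""
    candidates = []
    xoip = msg.get("X-Originating-IP")
    if xoip:
        candidates.append(xoip.strip().strip("[]"))
    received = msg.get_all("Received", [])
    if received:
        # Each hop prepends its header, so the last one describes the submitting client.
        candidates += BRACKETED_IP.findall(received[-1])
    found = []
    for text in candidates:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # bracketed token that is not an IP address
        if not ip.is_loopback and str(ip) not in found:
            found.append(str(ip))
    return found


def audit(raw):
    msg = message_from_string(raw)
    return {
        "pgp_encrypted": is_pgp_encrypted(msg),
        "cleartext_headers": cleartext_headers(msg),
        "client_ips": client_ips(msg),
    }


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("stripped", STRIPPED)):
        print(label, audit(raw))
```

To audit your own provider, send yourself a message at another address, save the raw source, and pass its text to `audit()`.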

ProtonMail does offer some great apps for mobile devices (Android and iOS). You can also use ProtonMail with third-party apps through the ProtonMail Bridge feature (restricted to paid users).

Overall ProtonMail is a well-regarded email provider, and should be a great secure email option for most users. Switzerland remains a strong privacy jurisdiction that is not a member of any surveillance alliances. In addition to email, the same team also offers a VPN service, which we have tested for the ProtonVPN review.

+ Pros

  • Can import contacts and emails through bridge feature
  • Strips IP address from emails
  • Emails are encrypted at rest and stored on Swiss servers
  • Officially under Switzerland jurisdiction
  • Apps for mobile devices
  • Can be used with email clients through the ProtonMail Bridge feature
  • Open source Android app

– Cons

  • Takes funding from United States VC investors and government entities
  • Utilizes phone number verification
  • Above-average prices

https://ProtonMail.com/

See our ProtonMail review for more info.


2. Mailfence – Fully-featured secure email in Belgium

Based in: Belgium
Storage: 5 - 50 GB
Price: €2.50/mo.
Free Tier: Up to 500 MB
Website: Mailfence.com


Mailfence is a fully-featured secure email provider offering calendar and contacts functionality, file storage, and PGP encryption support. It is based in Belgium, which is a good privacy jurisdiction with strict data protection laws.

For those wanting full PGP control and interoperability, without plugins or add-ons, Mailfence is a solid choice. Whether you are a personal user or you need a secure email solution for your business or team, Mailfence likely has all the features and options you’d want.

While many secure email services sacrifice features and functionality for security, you can have it all with Mailfence. This makes Mailfence a great alternative to full email and productivity suites, such as G Suite or Office 365.

In testing everything out for the Mailfence review, I found it to work very well with an intuitive design, slick layout, and tons of features. Mailfence also offers email and phone support, in addition to cryptocurrency payment options.

One of the main drawbacks with Mailfence, which separates it from other secure email providers, is that there’s no built-in way to encrypt your entire inbox. Instead, your only option to do this is locally with a third party client. Fortunately, they are working to integrate a built-in encryption option in the coming months.

+ Pros

  • Based in Belgium, with all data stored on Belgian servers
  • Full OpenPGP encryption support and digital signatures
  • Includes Messages, Documents, Calendar, Contacts, and Groups
  • SMTP, POP, and IMAP support
  • Can synchronize with other email clients
  • Supports password-protected messages with expiration time
  • Removes IP addresses from mail headers
  • Two-Factor Authentication (2FA) support
  • OpenPGP user keystore
  • Great user interface (recently updated)
  • Cryptocurrency payment options

– Cons

  • Code is not open source
  • Some basic connection logs are kept
  • No built-in options for encrypting entire inbox (at rest)

https://Mailfence.com

See our Mailfence review for more info.


3. Tutanota – Private and secure email in Germany

Based in: Germany
Storage: 1 - 1,000 GB
Price: €1.00/mo.
Free Tier: Up to 1 GB
Website: Tutanota.com


Tutanota is a Germany-based secure email service run by a small team of privacy enthusiasts, with no outside investors or owners. While their service is focused on providing you with the highest levels of email security, it still remains user-friendly and intuitive.

Rather than using PGP and S/MIME, Tutanota utilizes their own encryption standard incorporating AES and RSA. This standard encrypts the subject line, supports forward secrecy, and can be updated/strengthened if necessary against quantum-computer attacks, as they explain here.

All messages in your inbox, contacts, and calendar are encrypted at rest on servers in Germany. For sending encrypted emails with Tutanota, you have two options:

  1. Emailing another Tutanota user, which encrypts everything automatically (asymmetric encryption)
  2. Emailing an external (non-Tutanota) user with a link to the message and sharing a password key for encrypting/decrypting messages (symmetric encryption).

While Tutanota uses high encryption standards and is arguably one of the most secure email providers anywhere, it also comes with some tradeoffs. This includes no support for PGP, IMAP, POP, or SMTP. Additionally, you cannot import existing emails into your encrypted Tutanota inbox, but they’re currently working on adding a migration feature – see the roadmap.

To explain why Tutanota does not rely on PGP standards, Tutanota cofounder Matthias Pfau wrote this piece for Restore Privacy readers, Let PGP Die: Why We Need a New Standard for Email Encryption.

If you are looking for a transparent, high-security email provider run by a team of privacy enthusiasts, Tutanota is a solid choice.

Downtime Alert – One problem we have noticed in the past year is that Tutanota has suffered from lots of downtime. We have seen Tutanota blame DDOS attacks for these problems. Regardless of the reasons, the downtime has been a frustrating issue for many Tutanota users, especially those who need continuous access for business email. Keep this in mind when considering Tutanota.

+ Pros

  • Messages (including subject lines), Address Book, Inbox Rules and Filters, and Search Index are encrypted at rest and stored on German servers
  • Strips IP address from emails
  • Open source code (including mobile apps)
  • Great apps for mobile devices
  • Free accounts with 1 GB of storage
  • Encrypted calendar and contacts
  • Discounts and additional support for non-profits

– Cons

  • Issues with downtime
  • Does not support PGP
  • Potential delays with account approval
  • No way to import existing emails

https://Tutanota.com

See our Tutanota review for more info.


4. Mailbox.org – Private email in Germany

Based in: Germany
Storage: 2 - 100 GB
Price: €1.00/mo.
Free Tier: None
Website: Mailbox.org


Another Germany-based secure email provider worth considering is Mailbox.org. Unlike some of the other secure email services in this guide, Mailbox.org is fully-featured and can function as a full email and productivity suite, similar to Mailfence. It offers a huge lineup of features: Mail, Calendar, Address Book, Drive (cloud storage), Tasks, Portal, Text, Spreadsheet, Presentation, and Webchat. The layout and design of Mailbox.org are also user-friendly, even with all the features and preferences.

When choosing a secure email provider, you often have to choose between features and security. With Mailbox.org, you can arguably get the best of both worlds. From the security and encryption side, Mailbox.org offers full PGP support and options to easily encrypt all your data at rest on their secure servers in Germany. You can also use Mailbox.org with mobile apps and third-party email clients.

Lastly, Mailbox.org is very affordable, with basic plans starting at only €1 per month and going up for more storage and features. You can pick up a free 30-day trial if you want to test-drive this privacy-focused email provider.

+ Pros

  • PGP support (server-side or through third-party app)
  • Company and server located in Germany with strong privacy protections
  • HSTS and PFS for messages in transit
  • Protected against man-in-the-middle attacks
  • Message and spam filters
  • Virus protection
  • Full text search
  • POP, IMAP, SMTP, ActiveSync support
  • vCard, CardDAV, CalDav support
  • Messages are encrypted at rest
  • Supports custom domains
  • Open source

– Cons

  • No mobile clients (but can be used with third-party email clients)
  • Some tracking during registration

https://Mailbox.org/

Check out our Mailbox.org review for more details.


5. Posteo – Privacy-focused email in Germany

Based in: Germany
Storage: 2 - 20 GB
Price: €1.00/mo.
Free Tier: None
Website: Posteo.de


Posteo is (another) German email provider that offers a high level of privacy and security for its users. In some respects, it has much in common with Mailbox.org. Both are fully-featured email providers that utilize PGP encryption standards, with similar prices. But in a few key areas, Posteo is a bit different:

  • Custom domains are not supported.
  • There is no spam folder (all emails are either delivered to your inbox or rejected).
  • There’s no trial or free tier (but still quite affordable).

In terms of privacy, Posteo really makes an effort to protect the privacy of their users. IP addresses are automatically stripped from emails, no logs are kept, and they offer strong encryption standards. In short, this email provider takes security and privacy very seriously.

Posteo also supports completely anonymous registration and anonymous payments – even allowing you to send cash in the mail for no digital trail. (We see this trend with VPN services as well.) And if you pay with a credit card, PayPal, or some other digital method, they manually separate account details from payment info.

+ Pros

  • Mail, Calendar, Contacts, and Notes are encrypted at rest with OpenPGP on secure servers in Germany
  • Subject, headers, body, metadata, and attachments are encrypted
  • Includes Messages, Calendar, Contacts (Address Book), and Notes
  • Completely Open Source
  • Strong commitment to privacy, sustainable energy, and other social initiatives
  • Self-financed; good track record (operating since 2009)
  • No logs, IP address stripping, secure email storage with daily backups
  • Allows anonymous (cash) payments
  • Supports SMTP, POP, and IMAP protocol + Two-Factor Authentication

– Cons

  • Custom domains not supported; no “.com” options available
  • No spam folder (spam emails are either rejected or delivered to regular inbox)
  • No trial or free version
  • Cryptocurrency payments not supported

https://Posteo.de/

See the Posteo review for more info.


6. Runbox – Private and sustainable email in Norway

Based in: Norway
Storage: 1 - 25 GB
Price: $1.66/mo.
Free Tier: 30 day trial
Website: Runbox.com


Runbox is a long-running private email service in Norway that has been operating for over 20 years. Norway is also a good jurisdiction with a strong legal framework for privacy. All Runbox servers are located in secure Norwegian data centers, running on clean, renewable, hydropower energy.

One unique feature of Runbox is that it gives you 100 aliases to use with your account. Secure file storage is also included, with different pricing tiers. Runbox fully supports SMTP, POP, and IMAP protocols and can be used with third-party email clients. This year they released Runbox 7, which is a webmail client, but they do not offer custom mobile or desktop clients.

Unlike some other secure email providers, Runbox does not have a built-in option for encrypting your entire mailbox. And while you can use PGP with Runbox, it is not yet built into the platform. Another drawback is that Runbox does not offer a built-in calendar, but this feature may be included in Version 7 (when released).

Runbox offers 30 day free trials and makes importing your existing emails simple with the guides on their site. They are currently offering a discount “2 years for the price of 1” on their website here.

+ Pros

  • IP addresses stripped from messages
  • Includes Webmail, Contacts, and Files
  • Servers run on renewable energy
  • Supports SMTP, POP, and IMAP protocols
  • Synchronizes with other email clients
  • GDPR compliant
  • Norway has strong data protection laws
  • 100 email aliases per mailbox
  • Custom domain names on some paid accounts
  • Numerous payment methods accepted (including cash and cryptocurrencies)

– Cons

  • Browser-based; no desktop or mobile apps
  • Not open source (but version 7 should have open source client)
  • Data not encrypted within the Runbox system or at rest
  • No business-specific features

https://Runbox.com

Check out our Runbox review here.


7. CounterMail – Private and secure Swedish email service

Based in: Sweden
Storage: 4 GB+
Price: $4.83/mo.
Free Tier: 7 day free trial
Website: CounterMail.com


Next up on our list is CounterMail, a secure email provider based in Sweden. CounterMail has been operating for over 10 years with a philosophy to “offer the most secure online email service on the Internet, with excellent free support.” CounterMail uses OpenPGP encryption with 4,096-bit encryption keys along with no-logs, diskless servers to protect user privacy. CounterMail anonymizes email headers and also strips the sender’s IP address. All emails and attachments are stored encrypted at rest using OpenPGP on servers in Sweden.

While CounterMail is a bit more expensive than some other secure email providers, they explain this price difference comes from using only high-quality servers and implementing strong security measures. CounterMail also protects users from identity leaks and Man-In-The-Middle attacks with RSA and AES-CBC encryption on top of SSL. It may not have all the frills, but CounterMail is a serious security-focused email provider with a 10+ year track record.

+ Pros

  • Supports cryptocurrency payments
  • Secure, built-in password manager
  • All emails and attachments stored encrypted on no-logs, secure servers in Sweden
  • Custom domain support
  • Message filter and autoresponder features
  • Uses RSA, AES-CBC, and SSL encryption to protect against leaks and MITM attacks

– Cons

  • Design and UI feels outdated
  • More expensive than other secure email options

https://CounterMail.com


8. CTemplar – An “armored email” service in Iceland

Based in: Iceland
Storage: 1 - 50 GB
Price: $6.00/mo.
Free Tier: Up to 1 GB
Website: CTemplar.com


CTemplar is a newer service in Iceland claiming to be “The most secure & private email service in the world.” As they correctly point out, Iceland has very strong privacy laws, perhaps the best in the world. CTemplar offers some interesting security features, which you can read about here. All emails, attachments, and contacts are stored encrypted at rest on bare-metal servers in Iceland.

Although it is relatively new, CTemplar seems to be a strong contender in the secure email space. You can learn how they aim to raise the bar with security standards on their website. CTemplar offers free accounts with up to 1 GB of email storage, but to get access to all features you’ll need a paid plan.

+ Pros

  • Strong encryption standards with built-in support for end-to-end encrypted emails (uses OpenPGP)
  • 100% open source code
  • Based in Iceland, with some of the strongest privacy laws in the world
  • Zero logs; IP address stripped from emails
  • Anonymous signup options (no phone verification)
  • Support for Bitcoin and Monero payments
  • Self-destructing emails and Dead Man’s Timer
  • Can send encrypted emails to non-CTemplar users
  • 2FA support

– Cons

  • No email clients (Android app in beta)
  • Higher prices for paid plans (and all features)
  • No support for IMAP/SMTP and third-party email clients

https://CTemplar.com

Check out the CTemplar review to see how this service did in our tests.


9. Kolab Now – Fully-featured Swiss email

Based in: Switzerland
Storage: 2 GB+
Price: $4.50/mo.
Free Tier: 30 day trial
Website: KolabNow.com


Based in Switzerland, Kolab Now is a private email service offering lots of features and full email suite functionality. A Kolab Now subscription includes email, contacts, calendar, scheduling, collaboration/sharing tools, and cloud file storage. All of the features and options make Kolab Now an excellent choice for business users, teams, and privacy-focused individuals.

While Kolab Now does offer numerous features and support for all major operating systems and devices, it does not offer as much encryption for those who want the highest levels of security. End-to-end encryption for emails is not built-in and emails are not stored encrypted at rest.

The price is also on the higher end, especially if you want access to all features and more storage. However, for those wanting a feature-rich email suite hosted in Switzerland, Kolab Now may be a good fit.

+ Pros

  • Accepts cryptocurrency payments
  • Full support for POP, SMTP, and IMAP
  • Switzerland jurisdiction with strong privacy protection
  • Full email suite with numerous features to replace Gmail, Office365, etc.
  • Support for custom domains, teams, and business users

– Cons

  • End-to-end email encryption is not built-in
  • Email not encrypted at rest (but stored in high-security Swiss data center)
  • Higher price

https://KolabNow.com


10. Startmail – Private email hosted in The Netherlands

Based in: The Netherlands
Storage: 10 - 20 GB
Price: $5.00/mo.
Free Tier: 30 day trial
Website: StartMail.com


StartMail is a secure email service brought to you by the team behind Startpage, a private search engine based in the Netherlands. While there was surprising news about System1 investing in Startpage, StartMail is its own unique entity under StartMail B.V. – a company operating under Dutch law in The Netherlands.

The Netherlands is a good jurisdiction for privacy and StartMail aims to keep as little data as possible to run their operations (see privacy policy). Unlike most secure email providers, StartMail handles encryption server-side, rather than in the browser – see their white paper explaining why.

StartMail allows users to utilize PGP encryption with emails also being encrypted at rest on their Dutch servers. One cool feature with StartMail is they give you the ability to create temporary, disposable email addresses “on the fly” to use with different services. IMAP and SMTP are also supported if you want to use StartMail with third-party apps such as Thunderbird.

+ Pros

  • Can create temporary, disposable email addresses
  • Accepts cryptocurrency payment
  • IMAP and SMTP support; can use custom domains
  • Headers and IP address stripped from all emails
  • Accounts come with 10 GB file storage

– Cons

  • No custom mobile apps
  • Not open source
  • Interface feels a bit outdated

https://www.StartMail.com


11. Soverin – Basic private email in Netherlands

Based in: The Netherlands
Storage: 25 GB
Price: €3.25/mo.
Free Tier: No
Website: Soverin.net


Soverin provides a basic and private email service at a reasonable price. Plans come with 25 GB of storage and custom domains are supported. All data is stored on servers in Germany. Soverin strips IP addresses from headers while also using strong encryption standards, although email is not stored encrypted at rest by default.

For those wanting a basic private email with lots of storage that is protected by European privacy laws, Soverin may be a good choice. It can also be used with third-party email clients and importing old emails is relatively simple.

+ Pros

  • 25 GB of data storage for all plans
  • Data protected under Dutch privacy laws and GDPR
  • Can be used with third-party email clients

– Cons

  • No custom mobile apps
  • Not open source
  • No built-in encryption options

https://Soverin.net


12. Thexyz – A fully-featured private email service in Canada

Based in: Canada
Storage: 25 - 100 GB
Price: $2.95/mo.
Free Tier: No
Website: www.Thexyz.com


Another privacy-focused email service worth noting is Thexyz. It is a secure email and web hosting business based in Canada that offers solutions for businesses and private users. The email arm of Thexyz has been operating since 2009, as explained on the about page. While Canada may not be the best jurisdiction for privacy (Five Eyes), this may not be too concerning depending on your needs and threat model.

Thexyz does offer some great privacy and security features. Accounts come with encrypted cloud storage as well as contacts, calendar, and team collaboration tools. All emails are stored encrypted at rest using AES 256-bit encryption, with double geo-location redundancy. With a basic account, you get unlimited aliases and 25 GB of storage (upgradable to 100 GB). Even with all the perks and features, Thexyz is still very affordable at $2.49/mo with the premium webmail plan.

+ Pros

  • Great applications and user interface
  • Email encrypted at rest with 256-bit AES
  • Subscriptions include calendar, contacts, chat, and encrypted cloud storage
  • Unlimited aliases; emails can include up to 50 MB attachments
  • Support for custom domains
  • Autoresponder, spam filters, and incoming email filtering
  • Apps for iOS and Android
  • Accounts come with 25 GB of email storage (upgradable to 100 GB)

– Cons

  • Based in Canada (not the best privacy jurisdiction)
  • Support for end-to-end email encryption is not built-in

https://www.thexyz.com


Worth mentioning

Aside from the secure email services we discussed above, we are also keeping our eye out for new services emerging into this niche.

CyberFear Anonymous Email

CyberFear is an anonymous e-mail service in Poland that has caught our attention. It does not serve ads or log IP addresses, while also offering full encryption on par with our other recommendations. Here is an overview of CyberFear:

  • End-to-end encryption of emails and metadata
  • At rest, all of the following email elements are encrypted: email body, subject line, attachments, sender address, recipient address
  • Anonymous registration with only username and password
  • No IP logs
  • Offshore servers (Poland)
  • Cryptocurrency payments supported
  • TOR support (Onion address is cyberfear4hlcsac.onion)
  • Disposable aliases
  • Custom domains supported
  • No external scripts or captchas
  • 2 factor authentication option
  • PGP support
  • Sending encrypted emails outside (will require password to decrypt)
  • Option to host CyberFear frontend on your own computer
  • Push notifications
  • Open source frontend (and backend coming soon)

So far, CyberFear is looking good. You can learn more on their website here.

Email jurisdiction and data privacy

Where your email service is located (jurisdiction) can seriously impact the security of your data. Depending on your threat model, this could be a major consideration. For an overview on jurisdiction and privacy, you may want to read my article on the Five/9/14 Eyes surveillance alliances.

Here are some reasons to pay attention to jurisdiction.

United States (leading member of the Five Eyes)

Tech companies in the US can be forced to give government agencies direct access to their servers for “extensive, in-depth surveillance on live communications and stored information” – as explained in the PRISM surveillance program. Data requests can also be accompanied by gag orders, which forbid the company from disclosing what’s going on (see also National Security Letters).

There are a few known cases of US email providers being forced to give up data. In one prominent example, Lavabit decided to shut down the business rather than give up user data. Another US email provider, Riseup, was also forced to give up data to authorities.

“After exhausting our legal options, Riseup recently chose to comply with two sealed warrants from the FBI, rather than facing contempt of court (which would have resulted in jail time for Riseup birds and/or termination of the Riseup organization).

“There was a “gag order” that prevented us from disclosing even the existence of these warrants until now. This was also the reason why we could not update our “Canary” [warrant canary that warns users about these events].”

Germany (member of the 14 Eyes)

While Germany has long been a rock-solid jurisdiction for privacy-focused tech companies, I’ve noticed some troubling trends recently:

  1. In January 2019, a German court ruled that Posteo must log IP addresses if required by a valid court order. Posteo explained they would not change their system to log all users’ IP addresses, but would comply for specific users, if ordered by a German court.
  2. In November 2019, a German court ruling forced Tutanota to provide real-time access to unencrypted emails for specific users targeted by a court order. As Tutanota explained, only unencrypted messages sent after the court order was received would be affected.

All email providers must comply with the law

While some of these cases may seem alarming, the truth is that all email providers must comply with legal requirements in the country they are operating in. For example, ProtonMail, a Switzerland email provider, has also been forced to log IP addresses and disable accounts by valid court orders, as they disclose in their transparency report.

(Note: If you are concerned about your email service logging your IP address, then simply use a good VPN service.)

Considering everything, some jurisdictions are much better than others, so choose wisely. As a general rule, I’d still avoid email services in the US, and perhaps other Five Eyes jurisdictions.

Want secure email? Pay for it.

The unlimited “free” email business model is fundamentally flawed. It offers a free service, which is used to collect data and thereby monetize the user and make money on ads. With these privacy-abusing “free” services, you are actually paying for the product with your data.

In contrast, here we recommend privacy-friendly, secure, ad-free email services. While some of these private email services offer limited free subscriptions, you will need to upgrade to a paid plan for more storage and premium features (the freemium business model).

Support good privacy businesses

Fortunately, you can “vote with your dollars” by supporting these privacy-respecting businesses and upgrading to paid accounts. This will help secure email providers grow, improve, and serve more people with an ethical business model that does not rely on exploiting their users’ data.

Secure email shortcomings and PGP flaws

Most secure email solutions mentioned in this guide utilize PGP for end-to-end encrypted email. PGP, which stands for Pretty Good Privacy, was invented back in 1991 by Phil Zimmermann.

PGP flaws – While PGP is considered a trustworthy, secure encryption method, there have been some flaws in implementing PGP that have made headlines recently – see also the EFAIL vulnerabilities. While the news did attract lots of attention, the “flaws” were mainly limited to the incorrect implementation of PGP by third parties. To my knowledge, this did not affect the secure email providers mentioned in this guide.

Limited Use – Another fundamental problem with adopting secure email is that few people are willing to go through the hassle of PGP key management, encryption, decryption, etc. There are some solutions to this, however, and by some measures encrypted email usage continues to grow.

Many providers address this issue by making encryption automatic and seamless. Tutanota, for example, uses built-in AES encryption that automatically encrypts emails between Tutanota users, including headers, subject line, body, and attachments. They also provide a secure, two-way communication contact form called Secure Connect.

Vulnerabilities – Even when using a secure browser, there are still vulnerabilities to consider with browser-based email clients. Phil Zimmermann gave an interview highlighting some of these shortcomings:

“The browser is not a terribly safe place to run code. Browsers have a large attack surface,” he said.

Wherever encryption and decryption take place, though, it’s a vast improvement on no encryption. But even encrypting messages may not be enough, depending on the threat model. The very nature of email makes it vulnerable.

“Email has an enormous attack surface,” Zimmermann said. “You’ve not only got cryptographic issues but you’ve got things like spam and phishing and loading images from a server somewhere that might have things embedded inside.”

On a positive note, however, there are many options for securing and hardening your browser – see the secure browser and Firefox privacy guides. Furthermore, most secure email providers offer protection against these attack vectors by blocking email images by default while also utilizing virus filters.
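What "blocking email images by default" amounts to can be shown with a short Python sketch. This is an added example, not code from any provider named in this guide; the sample HTML and its host names are constructed, and the filter is deliberately narrow (it removes render-time remote fetches and drops script/style elements, nothing more).

```python
import re
from html import escape
from html.parser import HTMLParser

# Attributes whose URL is fetched as soon as the message is rendered.
FETCH_ATTRS = {"src", "srcset", "background", "poster"}
REMOTE_URL = re.compile(r"\s*(?:https?:)?//", re.I)   # http://, https://, //host
CSS_REMOTE = re.compile(r"url\(\s*['\"]?\s*(?:https?:)?//", re.I)
DROP_ELEMENTS = {"script", "style"}                   # removed with their content


class RemoteContentBlocker(HTMLParser):
    """Re-emit an HTML body with every render-time remote fetch removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.blocked = []      # (tag, attribute, value) for each removal
        self._dropping = None  # name of the element currently being dropped

    def _is_remote_fetch(self, tag, name, value):
        if name == "style":
            return bool(CSS_REMOTE.search(value))
        if name == "srcset":
            # Comma-separated candidates; over-blocking here is the safe side.
            return any(REMOTE_URL.match(c) for c in value.split(","))
        if name in FETCH_ATTRS or (tag == "link" and name == "href"):
            return bool(REMOTE_URL.match(value))
        return False           # e.g. <a href>: only fetched if the user clicks

    def _emit_tag(self, tag, attrs, closing=""):
        kept = []
        for name, value in attrs:
            value = value or ""
            if self._is_remote_fetch(tag, name, value):
                self.blocked.append((tag, name, value))
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}{closing}>")

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self._dropping = tag
            self.blocked.append((tag, "(element)", ""))
            return
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        if tag not in DROP_ELEMENTS:
            self._emit_tag(tag, attrs, closing=" /")

    def handle_endtag(self, tag):
        if tag == self._dropping:
            self._dropping = None
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._dropping is None:
            self.out.append(escape(data, quote=False))


def block_remote_content(html_body):
    """Return (sanitized_html, blocked) for one HTML message body."""
    parser = RemoteContentBlocker()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample: a tracking pixel, a remote CSS background, an inline
# (cid:) attachment image and an ordinary link.
SAMPLE_HTML = (
    '<p style="background:url(https://cdn.tracker.example/bg.png)">Hello &amp; welcome</p>'
    '<img src="https://tracker.example/open.gif?id=constructed-123" width="1" height="1">'
    '<img src="cid:logo@provider.example" alt="logo">'
    '<a href="https://example.org/article">read more</a>'
)

if __name__ == "__main__":
    clean, blocked = block_remote_content(SAMPLE_HTML)
    print(clean)
    for item in blocked:
        print("blocked:", item)
```

The inline `cid:` image and the link survive because neither causes a request when the message is opened; the pixel and the CSS background would have told the sender's server when and from which IP address the mail was read.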

Keep in mind, however, that non-browser email clients can also be problematic – potentially revealing unique information about your operating system (user agent) as well as your IP address and location.

Regardless of these limitations, using a secure email provider will help keep large tech companies from harvesting your email data for third parties.

Secure email vs secure messaging apps

Depending on your threat model, you may also want to consider using secure messaging apps, which do not have all of the vulnerabilities discussed above with email.

We have tested many different encrypted and secure messaging apps and compiled a list of our favorites. Here are a few reviews of some of the best options we’ve tested:

  • Signal review
  • Wire review
  • Wickr review
  • Threema review
  • Telegram review

Encrypted messaging apps generally offer a higher level of security than email, plus they are much easier to use than PGP email encryption.

Finally, encrypted messaging apps are also convenient for back-and-forth conversations, document sharing, and collaboration with others. For more information, check out our roundup guide on the best secure messaging apps.

Always use a good VPN with email

One fundamental problem with email is that it can expose your IP address and location to third parties, by design.

While some secure email services strip IP addresses and conceal metadata, many others do not. Even the popular Enigmail encryption plugin, which is used with Thunderbird, was found to be leaking user IP addresses. Some email services may be forced to log user IP addresses by valid court orders, without disclosing any information to the user.

There have also been many cases where email services are compelled to log user IP addresses by court orders. We’ve seen this with email providers in the US, Germany, and even Switzerland.

Finally, there’s also the fact that many email services keep logs for security, which may include user IP addresses, connection times, and other metadata. Of course, whenever you have logs, this data could end up with third parties (for various reasons).

To effectively conceal your IP address and location, you can simply use a good VPN service.
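To check what a particular provider exposes, send yourself a test message and inspect the headers of the received copy. The Python sketch below is an added example, not code from any provider mentioned here; both sample messages, their host names and their addresses are constructed (documentation ranges stand in for public IPs), and X-Originating-IP is shown as one header some services add.

```python
import ipaddress
import re
from email import message_from_string

# Ranges that never identify a user on the internet (RFC 1918, loopback,
# link-local). Documentation ranges are treated as public for this demo.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # IPv4 only, to stay short


def routable_ips(text):
    """Return the non-local IPv4 addresses found in a header value."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. 999.1.1.1 or a version string
            continue
        if not any(ip in net for net in LOCAL_NETS):
            found.append(str(ip))
    return found


def first_hop_ips(raw_message):
    """Addresses recorded for whoever handed the message to the first relay.

    Each relay prepends its own Received line, so the LAST Received header
    is the earliest hop. If the provider strips the client hop, this shows
    the provider's relay instead of the user.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return []
    first_hop = " ".join(received[-1].split())          # unfold the header
    from_clause = re.split(r"\sby\s", first_hop, maxsplit=1)[0]
    return [("Received", ip) for ip in routable_ips(from_clause)]


def leaks_address(raw_message, client_ip):
    """Names of the headers in which a known client address appears."""
    msg = message_from_string(raw_message)
    return [name for name, value in msg.items()
            if client_ip in routable_ips(str(value))]


# Constructed sample 1: provider records the client hop and adds a header.
LEAKY = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby inbox.recipient.example with ESMTPS; Mon, 10 Aug 2020 10:00:03 +0000
Received: from smtp.provider.example (smtp.provider.example [198.51.100.25])
\tby mx.recipient.example with ESMTPS; Mon, 10 Aug 2020 10:00:02 +0000
Received: from [192.168.1.23] (customer-host.isp.example [203.0.113.45])
\tby smtp.provider.example with ESMTPSA; Mon, 10 Aug 2020 10:00:01 +0000
X-Originating-IP: [203.0.113.45]
From: alice@provider.example
To: bob@recipient.example
Subject: header test

body
"""

# Constructed sample 2: provider strips the client hop before relaying.
STRIPPED = """\
Received: from smtp.provider.example (smtp.provider.example [198.51.100.25])
\tby mx.recipient.example with ESMTPS; Mon, 10 Aug 2020 10:00:02 +0000
From: alice@provider.example
To: bob@recipient.example
Subject: header test

body
"""

if __name__ == "__main__":
    my_ip = "203.0.113.45"   # the address the test message was sent from
    for label, raw in (("leaky", LEAKY), ("stripped", STRIPPED)):
        print(label, first_hop_ips(raw), leaks_address(raw, my_ip))
```

Comparing against the address you actually sent from is the decisive check, because the first recorded hop of a stripping provider is just that provider's own relay. Sending the test over a VPN shows the VPN server's address in the same place.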

VPN to secure your email
A VPN will offer more privacy and security when you use email, by hiding your IP address and encrypting your internet traffic.

A VPN creates a secure tunnel between your device and a VPN server, encrypting your traffic and concealing your real IP address and location. The VPN will encrypt and anonymize your internet traffic, while you carry on with business as usual. Some of the larger providers, such as NordVPN and Surfshark, offer apps for all major devices and large server networks around the world.

Due to the security and privacy benefits a VPN offers, it’s a smart idea to use one whenever you’re online. Internet providers in many countries are recording user browsing history (via DNS requests), which may be passed off to advertisers or government agencies (mandatory data retention laws). With a VPN, your DNS requests are encrypted and handled by the VPN server and unreadable to your ISP or other parties.

For more info, see these best VPN services.

Conclusion on secure and private email

Whatever your situation is, using a secure and private email provider is a smart step to protect your data. Gmail, Yahoo, Microsoft, and the other big email players do not place the highest priority on your privacy. Paying for a good email service that values privacy ensures you aren’t paying with your personal data.

As a brief recap, below is a table highlighting the best secure and private email providers. If you have a specific question about one of these services, you may want to reach out to them directly through their website.

See the main privacy tools guide for other privacy and security essentials.

We also have a guide on encrypting email.


| Email Service | Storage | Price/mo. | Website |
|---|---|---|---|
| ProtonMail | Up to 20 GB | €4.00 (Free to 500 MB) | ProtonMail.com |
| Mailfence | Up to 20 GB | €2.50 (Free to 500 MB) | Mailfence.com |
| Tutanota | 20 GB+ | €1.00 (Free to 1 GB) | Tutanota.com |
| Mailbox.org | 50 GB+ | €1.00 | Mailbox.org |
| Posteo | Up to 20 GB | €1.00 | Posteo.de |
| Runbox | Up to 25 GB | $1.66 | Runbox.com |
| CounterMail | 4 GB+ | $4.00 (Free 1 week trial) | CounterMail.com |
| CTemplar | Up to 50 GB | $6.00 | CTemplar.com/ |
| Kolab Now | 2 GB+ | €4.41 | KolabNow.com |
| StartMail | Up to 20 GB | $5.00 | StartMail.com |
| Soverin | 25 GB | €3.25 | Soverin.net |
| Thexyz | Up to 100 GB | $2.95 | www.thexyz.com/ |


Have you used one of these secure email providers? Feel free to leave your feedback/review of the service below.

Sven Taylor

About Sven Taylor

Sven Taylor is the founder of Restore Privacy. With a passion for digital privacy and online freedom, he created this website to provide you with honest, useful, and up-to-date information about online privacy, security, and related topics. His focus is on privacy research, writing guides, testing privacy tools, and website admin.

Reader Interactions

Comments

  1. cordless

    August 10, 2020

    Why would protonmail use the Google recaptcha spyware device as part of the sign up process ?, the people behind protonmail are US educated CERN insiders which is a globalist stronghold . After two years Protonmail caused a sneeze in my sniff test (yes i have an account there& yes two years in is absurdly late for my curiosity ) , many so called privacy applications are gooooooogle honey trap spywares. And proton is now offering me VPN as my PIA account is due to expire YES YES i know i should have killed that account years ago & i did SEVN but they got me back with a ridiculously low please stay offer. I have since come to the conclusion that if you’re not paying for the product you are the product.. Yes i am probably over paranoid im aware of that still, profile pictures now eh? (if that’s the real you?) i expected the site of old where there was no face to the infamous SVEN TAYLOR.. for whatever reason i still prefer privacy gurus remain private. that said …that is a fine byrd your sportin there capitan, top knot is a bit shinny tho 😛 .. what say you sir am i being overly paranoid? does ProtonMail still deserve to fondle my private parcels?

    • Sven Taylor

      August 10, 2020

      Choosing privacy tools all comes down to trust, which only you can decide. ProtonMail is open source and has a good reputation in the privacy community, but there are lots of alternatives to consider as well.

  2. SKH

    August 9, 2020

    Any thoughts on Criptext? Is it worth getting?

  3. Penny Lane

    July 20, 2020

    I want to get a VPN immediately, but I’ll need to register with an email of course, so I’m trying to figure out which. It seems difficult to find one out of the 5/9/14 eyes alliance jurisdiction (though I believe CTEMPLAR is). Two questions:
    1. May I ask which email provider you use/trust, Sven?
    2. I’ve just recently become a privacy enthusiast, so how is the interaction between secure email services like these and regular big brother providers like gmail/yahoo/etc? Will correspondence work normally, or will there be issues?
    (Sorry if this answer was in the comments; I tried to scan them.)

    p.s. Wish that I knew what I know now, when I was younger.

    • Sven Taylor

      July 21, 2020

      Hi Penny.
      1. We test and use a few different providers. I like Mailfence for the features. Tutanota and ProtonMail are also great, but more limited with the encrypted mailbox.
      2. Yes, correspondence works normally, but now you have control over the inbox and your data, but remember that most people still use Gmail. For more security and encrypted communications, I’d recommend a secure messaging service over email anyway.

      • Penny

        September 6, 2020

        Thank you! Since you said “remember that most people still use Gmail”, does that mean that in that specific scenario (my secure email sent to Gmail/other standard provider), having the secure email provider is pointless (since any encryption will be unencrypted in the recipients account?), or does it still help privacy in some way?
        For example, with sending sensitive information like SS number, etc.

    • J.M.

      August 8, 2020

      @Penny Lane,

      I highly suggest ProtonMail.

      No issues in emails, solid security and a great VPN as well.

      Been using them almost a year now and it has been rock solid for me and my NPO.

      • Rosemary's baby

        August 9, 2020

        [https://digdeeper.neocities.org/ghost/email.html#ProtonMail]
        They finally admit to direct surveillance – In addition to the items listed in our privacy policy, in extreme criminal cases, ProtonMail may also be obligated to monitor the IP addresses which are being used to access the ProtonMail accounts which are engaged in criminal activities. And you will never be told you’re being watched. So, what we have here is a provider that does not support mail clients, requires personal info to sign up while claiming otherwise, spies on you on their website, stores your e-mail metadata (and IP in certain cases) forever and immediately gives it up whenever government knocks on the door and shouts “terrorism!”. Its encryption is also lacking according to researchers, and cannot be used for non-ProtonMail accounts without paying. And then – after all that – it claims to be a champion of privacy.

        • J.M.

          August 9, 2020

          Appreciate the thoughts. Here are the issues.

          1) the website itself looks chintzy at best.

          2) Most if not all, the authors “issues” have been answered and solved. Yet he rejects it.

          3) Out of date. He claims several times that ProtonMail does not have client support (false. Called a bridge). There are a few other things that he is not straight forward on such as the info collected, etc.

          4) The very source (OpenPGP, and other libraries) which aid in encryption (which providers such as CTemplar use) is maintained by and owned by ProtonMail.

          5) He points out flaws in the encryption. But why not point out the $50k bounty that is offered to ANY hacker who can find a flaw? I find it hard to believe that this offer was ignored. Yet the sites author acts as though it is hushed up.

          6) The author encourages PaleMoon and Vivaldi browsers! Either he is a) really out of touch with what these browsers do and then why trust him on anything else? B) He is not really sure what he is saying so he is just repeating what he heard. C) He is bought and paid for by these companies. D) he has a bur against Protonmail. E) he wrote the site and just left it.

          So, I would again say that ProtonMail has been proven solid. I have followed up with the issues of requests. I have looked at the MLAT treaty (the author doesn’t touch that…wonder why?), and I have asked the hard questions to the point of being obnoxious from PM directly.

          7) Look at his recommendations for Email: Riseup and Disroot. Really? Riseup was forced to hand over docs and did (Lavabit chose to shut down), and disroot? Who is that? Then he recommends posteo, Countermail, and one other as secondary. Ok. Fine. But why pass over Tutanota?

          8) lastly, all apps and resources are Open Source. You can read their codes.

          Look at this site for the pros and cons. I will not say that for everyone ProtonMail is the “best” as that is subjective. But I can recommend what I do based on what I see and read.

          Even on this site, Sven only has two marks against ProtonMail and NONE of them have to deal with Privacy and security. The biggest mark was funding but that too has been answered publicly as well. You can see this on the proton mails own review here.

          The “evidences” on the linked site is…sketchy at best.

          But I appreciate the link. Thank you.

        • J.M.

          August 9, 2020

          Just one more note. Digging on his site, the guy seems to be a loony. I will just leave it as that.

        • Rosemary's baby

          August 11, 2020

          Hey I’m neither for or against it and only sharing info found.
          1) I thought it was a hip looking site with the dark theme shown.
          Could be limited in the offering being neocities produced.
          The information on Proton seemed thorough enough.
          2) Can’t comment here.
          3) Author meant users can’t use a 3rd party mail client for proton has no support of The Bat, eM Client, Mailbird Pro, Thunderbird, etc.
          4) Maintained by and owned by ProtonMail is worrisome. If there were any flaws in the encryption proton would be first to know and it might be a long time before users caught wind of it. Doesn’t sound too defensive of measures for backdoor proofing or vetting. Just an observation and question meaning it’s closed source proton software? I guess you answered that in 8.

          The info of that site may be dated but it’s time and efforts the author once made to understand things and any facts he found is inspiring as he looked at many. Tell me more of sites like this.
          If I was shopping I would look for all the out-sourced audits done, not only for proton but any I be interested in. Preferences are like fingerprints each one unique in their own right.

        • J.M.

          August 12, 2020

          @Rosemary’s baby,

          I get you. I appreciate the info you shared. I, as well, was just sharing what I was seeing.

          In regards to the issues of the open source, that was announced that it is fully open: https://protonmail.com/blog/android-open-source/

          When dealing with the clients, such as Thunderbird, Outlook, etc. I use a Linux with Thunderbird. Granted, the bridge is a little clunky to set up and I find that if I change my password or whatnot, it messes my bridge up. However, they do offer that: https://protonmail.com/blog/bridge-security-model/

          The biggest hesitation I had was with their funding. Much has been answered online, from what I have seen (I don’t have the exact link at the moment, and maybe someone can put that up for me), it has been cleared. For example, the EU gave money to help support the concepts of Privacy. Because Switzerland is not a member of the EU (https://www.americanswiss.org/resources_and_publications/switzerland-and-the-european-union/), the laws do not carry the weight that they do in such places as Germany, France, etc. However, Switzerland has, for the most part, shown themselves to be very solid when it comes to privacy. The amount given was not a controlling figure, and therefore ProtonMail is still independent.

          The other concerning thought was that of the Venture Capitalist from America. What was explained to me in a private letter was that the amount given was substantially less than what would ever afford them any controlling decision as well. Which then brings us to the bigger concern, the support from Swiss government themselves.

          When I asked about this, they said that the money given was a full grouping of money given to private and public entities directly to help the businesses to equip the privacy technology needed. This was left to the companies to decide what equipment and develop it themselves apart from the government control. I was still a little skeptical because the gov does not just give that away.

          What helped was that they said the company is still private and owned by the employees themselves. At least the bulk ownership. This allows them to function as they do and yet keep the privacy as they have.

          The owned and ran by Proton itself is, I agree, interesting, but if I may, let me explain what I can.

          First, the coding used in all of their system is open sourced (as explained above). Second, the libraries used are battle hardened and tested around the world: https://protonmail.com/blog/openpgp-test-suite/.

          To be completely fair to Proton, even high encrypted email services, including some that are positioning themselves to be stronger than even ProtonMail, use these libraries: https://ctemplar.com/ctemplar-recognizes-protonmails-openpgpjs-maintenance/.

          I use a free CTemplar email as a backup as well, and honestly, the only thing holding me back from going to them is the cost. They have combined the amazing security of ProtonMail and Tutanota into one. But they are just so expensive. To get what I have with ProtonMail, I am paying almost $400 a year (and they do not offer discounts for NPO’s).

          But I digress with that. Protonmail also offers a bounty for finding any flaws: https://protonmail.com/blog/protonmail-bug-bounty-program/

          I was wrong though as I said it was $50K, the max is actually $10K with other values added as seen in the link near the bottom.

          While I know it is not a lot, if there are problems, it is an easy and quick cash. If I was at least smart, I would look into it :). But I can do minor things (I do use a linux) but it is such petty stuff that I would be laughed at if I thought I saw an error. LOL!

          One thing I hate about message boards, emails and texting, is that you cannot hear the voice inflection or see facial expressions in the way they are intended. So I was not trying to say you were wrong in putting that site up, I just disagree with what he is saying because, unlike restoreprivacy.com, many of the issues, have been taken care of.

          The email works. That is all I can ask it to do.

          The calendar is in Beta and from when it first came out to now, the improvements have been amazing! So much so that I use it. I am just waiting for there to be notifications and I will switch completely over to it.

          This fall, they are unveiling the Beta for their ProtonDrive. I cannot wait to use it as I have been missing that since I left Google.

          I sent in a highly suggested thought that they should work with LibreOffice, and see about setting up instances with them to have an online version (LibreOffice does already have that: https://www.collaboraoffice.com/code/)

          My push was to have them re-brand it (legal to do) and integrate it with Email. I know that is a lot but then they become that much more of a competitor to places such as Google. If not, I may try to get it running myself, but then I like the connectivity with my email if I can.

          Rosemary’s baby, I hope you don’t think I am attacking. I am not. I am simply here to learn and also help others to learn as well. The best way we do that is through engaging discussions such as these and with the understanding that what is read is often not how it is meant to come out. So please accept my apology if I came or come across as rude. That is not the intent.

        • J.M.

          August 12, 2020

          @ Rosemary’s baby,

          Leave it to me to forget one point. I don’t know how you feel about Tutanota, but they also roll out their own encryption keys as well.

          I have mentioned several times that if it is set up correctly, great. But it does go back to trust and whether or not they did set it up right.

          Just forgot to add that in my last message. Sorry.

        • Rosemary's baby

          August 12, 2020

          at J.M. It’s all about preferences and I understand you to know that you have looked for better and held stay here in proton. Where things in where a company generates and controls your key pairs is not good privacy administered and that’s only my opinion. But read on as I try to proof the pudding.

          Allow me, Encrypted Email Services Can Hack You Using JavaScript
          [https://ctemplar.com/world-leading-icelandic-privacy-laws/]
          If JavaScript is required for encryption, it can also be used to hack users who use end-to-end encrypted email services.

          Same link above:
          Does having open-source code eliminate this risk? No, because open-source code is just an act to encourage users’ trust. The audited code in GitHub might not be the same code that is sent to you from a companies private server. There is no assurance or promise that the code hosted is the same as the one is served.

          NOT THE SAME CODE as audited, who might think such things if it wasn’t possible? Backdoor I don’t know but see the link. This is illustrated by Gizmodo, USENIX, Ask Leo, Stack Exchange, ITNEXT, and it is a recurring theme at the hacker conference DEFCON. JavaScript hacks are also the primary way to de-anonymize Deep Web users. In November of 2018, Professor Kobeissi revealed this knowledge [https://eprint.iacr.org/2018/1121.pdf]

          CTemplar’s 4 Wall Protection
          [https://ctemplar.com/ctemplars-4-wall-protection/]
          Wall 2: The Only “Zero Access” End-to-End Encryption:
          “End-to-End Encryption” by using javascript has flaws. The CTemplar team was the first to solve the flaws making our End-to-End encryption the very first “Zero Access” email platform.
          A service that offers end-to-end encryption is worthless if they can decrypt your emails and give them to anyone who asks.

          The power words here are in “End-to-End encryption and Zero Access”. These seem to be missing on proton’s platform.
          Seems to me the intell you have pointed to about open source is- All ProtonMail apps are now open source. To that end, open source has long been a priority at Proton. Our web app has been open source since 2015, our iOS app is open source, our desktop Bridge app is open source, and all ProtonVPN apps are open source.
          This means that all Proton apps that are out of beta are open source.

          Ok I got that the apps themselves are this open for inspections. Now consider the neglect on proton’s part to mention anything about the 4) The very source (Open PGP, and other libraries) which aid in encryption (which providers such as CTemplar use) is maintained by and owned by ProtonMail.
          Leads me to question is the OpenPGP encryption code open-sourced, beings it is maintained by and owned by ProtonMail?
          No transparency is given on proton’s part if all users are always sent the same code hosted (and possibly audited by third-party) in this the very same code as the one in which is served to every proton user.

          What if you or anyone’s account is deemed a certain case?
          The e-mail service, we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, message subject, and message sent and received times. Active accounts will have data retained indefinitely. Proton does store IP logs forever in certain cases – and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions. If you use their VPN then your real IP address is known – yes?

          You got a big company with outside money investments to growth. Our government is big and think of all those lost and unknown departments it has. Compare and regroup or move on.
          Judge things on a micro-scale that extends your security into privacy. Leaving your mail on a server, sometimes almost forever, is like looking at the earth from mars. Nothing micro to it.
          I have nothing new or more to offer, but choose wisely 🙂

        • J.M.

          August 13, 2020

          Thank you for the info. I will look at it and follow the links.

          I would say that no system is perfect. Some, better than most.

          In the end, it does come down to trust. But I appreciate the links and will look at it. Thank you.

        • J.M.

          August 14, 2020

          @Rosemary’s baby,

          Thank you again for the links. I wish to leave my final remarks to finish up our discussion.

          You brought out a few things about JavaScript that I was unaware of, and I really appreciate. So I have done some digging, and I would like to share just a little of what I found and then I will let the discussion drop.

          First, while it is true that it can be used to breach privacy and security (https://www.makeuseof.com/tag/3-ways-javascript-can-used-breach-privacy-security/) there are ways it can be mitigated against.

          It seems the biggest issues are what is called MITM (Man In The Middle) attacks. This is the danger of JavaScript, and it is up to the web developers themselves to help make sure their use of it is done right.

          The question then bears of that with the systems and coding used. I have traced down the report of Professor Kobeissi, and while what he said is true, I have also tracked down several other encryptologists who have refuted his findings as well.

          In a debate directly with ProtonMail, there seems to be chinks in the Professor’s arguments and backtracking on several points which resulted in deleted statements: https://www.reddit.com/r/ProtonMail/comments/9yqxkh/an_analysis_of_the_protonmail_cryptographic/

          In fact, digging deeper into his paper, I have run across several sites that have pointed out the paper is not even peer reviewed for evidence. True, it is all opinions, but ProtonMail has answered the challenge: https://protonmail.com/blog/cryptographic-architecture-response/

          Even on a security website, one of which a “poster” on this site, Mirimir took part in and while I may not understand everything, it seems as though ProtonMail held its own mostly: https://www.wilderssecurity.com/threads/anyone-using-protonmail.394862/page-1.

          It seems as though the Professor’s paper has several holes. Therefore, I also tried to find others that would answer this question: Here is another place I looked: https://www.reddit.com/r/ProtonMail/comments/48o6lf/is_javascript_cryptography_insecure_by_default/.

          Now, I know that many will say, “REDDIT!”. I agree. I do not trust what I read there, but wish to verify. So I did the best, last thing I could. I messaged a friend.

          I have referenced my friend before on here. He does programming, IT security, and development of codes. He also is what a company would hire to find weaknesses in their system (A white hacker) who is paid to find problems.

          I shared with him everything that I am seeing. I am only going to paraphrase what he said. He said that what is being proposed by the JavaScript is partially true. Everything goes back to trust. Trust in the system, programming, etc. However, you must balance security with usability. You can make something most secure…but then it is not usable. Furthermore, if you are using a keyboard to type up a response on this site, and you did not code the keyboard yourself, program the structure yourself, and design and develop the keyboard yourself, even your keyboard can, if someone is malicious enough, can record keystrokes using the embedded code to make the keyboard work. This is done using the firmware.

          Therefore, the concept that JavaScript itself is inherently dangerous is a misnomer. Caution should be taken and evaluated at all turns, but in the end, you must trust.

          So, the professor may be right. I don’t know. I fall back on the expertise of my friend. Are there questions regarding the professor’s paper? Yes. Enough to make me doubt him? No, but not enough to have me change who I am using.

          So, the search for security continues. Until said time, however, I have to balance consumer convenience to use and security, and right now, for me, ProtonMail has it. Privacy, on the side, is not a major thrust. My name, and organization are in my email address directly. There is no privacy for me on that part. So, I try to balance what I can.

          Thank you again for the information, and I will keep researching this. As you said, and as I am agreeing with, I don’t really have much else to add. So, we continue on. Thanks again.

  4. JD

    June 24, 2020

    I have used Startmail for five years and was satisfied with their service.
    I know they have denied any direct connection to, or influence by System1/ Privacy One Group and its associated companies. System1 has bought or invested in, and therefore influences, not only StartPage, which was excellent, but also info.com (another search engine), Waterfox browser, as well as MapQuest. So they know what you search, which websites you visit, and everywhere you go if you use the aforementioned products. There is a reason they buy these companies, and it is not to lose money or protect your privacy.
    Their history and business model tell you what you need to know.
    I do not necessarily believe StartMail’s denial. I seem to remember some questionable statements made by Google and Facebook, as well as others.
    Perhaps it is just a coincidence that I now cannot renew my subscription with StartMail if I am using a VPN. The purpose of using StartMail was security and privacy, but now I am unable to continue to connect the way I have for the past five years, including when I initially subscribed.
    This was their reason for my inability to renew. I remain dubious and am evaluating other options. If I cannot trust my email provider I may as well use GMail and save $60 per year.
    Thanks for the information Sven. Excellent as always.

    • Restorer

      July 4, 2020

      Rather than Gmail, try Zoho Mail.

  5. Restorer

    May 13, 2020

    https://delta.chat worth checking out. No server, autocrypt, email in the form of instant messenger.

    • J.M.

      June 4, 2020

      I looked at it. They are using email servers.

      Depending on the email services used, you may find it is very insecure and privateless.

      Just what I saw.

  6. Nigel

    May 11, 2020

    Would you be able to do a review on Criptext?

    It’s free, open-source, encrypted and emails don’t stay on their servers.

    • Restorer

      May 13, 2020

      Interesting. Email based on Signal protocol and saves messages on device? It’s like the email version of Signal.

  7. Jim

    April 28, 2020

    Sven, 4-29-2020

    I just read down this page and you are one amazing person to take such time to help so many people deal with the corporate crap. My hat is off to you, SIR. And seldom do I use all caps on that designation. Seriously – you are a unique and kind helpmate.

    My question is for you and all of your readers – since the betterment of dealing with the lack of privacy is a disgusting legacy being left by our generation. But at least we are starting to get back on our feet with innovation to compete with the evil.

    Now. I just visited == swismail.com == and did a swisscows search for reviews on this swismail service – and came up empty handed. I couldn’t even find one serious review by people who investigate this stuff. BTW == only one ‘S’ – in the .com address.
    And, on the swismail website, I could not find any privacy policy or detailed account info … just the stuff on the page, which are just basic features and intents (that actually looked rather up to date and impressive). Now, it appears to be abreast of our plight, but one would think there would be more specific info. It appeared as though ‘sign-up’ was very private – as I saw no requests or fields demanding any data to be linked to an existing email or phone account. So, sign-up appears to be ‘VERY privacy friendly’ – like most email services aren’t. But, if it truly is a valid service – could you maybe try it out with a computer that has a decent firewall and other safeguards that I don’t even understand – let alone use? I would try to sign up – but what if they launch a worm that goes to read my whole hard-drive? I wouldn’t know what to do to stop it – and that assumes I would even know it was taking place. Know what I mean? Some email service privacy policies even claim they read your OS, browser used and all kinds of other stats from the internal data. I don’t know enough about this stuff to risk investigating … swismail.com … So, if you could and know how to guard yourself against their possible intrusion … I would appreciate a heads up. Maybe it’s the greatest thing since sliced bread and we could all use an account with them. Who knows…

    Well, thanks again … and my hat’s off to you, SIR.

    Sincerely,
    Jim

    • Sven Taylor

      April 29, 2020

      Jim, I have not heard of “Swismail” before and it does not appear to be an active service, with the website footer dated 2018. I would look at alternatives.

      • sonar

        April 29, 2020

        I first thought it was trying to get a foothold on the future offering of https://mail.swisscows.com/en
        playing on the name – where people might mistake it for the cows coming mail service.
        I only see one domain to choose from for an address of your mail account even though it has a drop-down arrow that opens.
        I do see on the sign-up page giving the TOS, which will usually point to a site’s (privacy policy). Not here – https://swismail.com/tos
        Putting – /pp or /privacypolicy after its web address leads to – – Error
        Not Found

        These I find interesting from its TOS.
        4. Your Content
        In these Website Standard Terms and Conditions, “Your Content” shall mean any audio, video text, images or other material you choose to display on this Website. By displaying Your Content, you grant SwisMail Inc a non-exclusive, worldwide irrevocable, sub licensable license to use, reproduce, adapt, publish, translate and distribute it in any and all media.
        [Wonder if that’s referring to your mailbox contents – ?]
        12. Governing Law & Jurisdiction
        These Terms will be governed by and interpreted in accordance with the laws of the State of Switzerland, and you submit to the non-exclusive jurisdiction of the state and federal courts located in Switzerland for the resolution of any disputes.
        [Usually we get more here of the company address and departments titles of who to contact.]

        It’s free and the ‘private secure’ evidently means the company’s business end. Jim, I’d PASS on this one for sure. Not enough said to be informative as what you’re getting into…

        • Qing

          September 28, 2020

          @sonar

          Which one do you use or recommend at this moment (of what you know)? Because of your great knowledge I’m very interested in your opinion.

          Tutanota?
          Posteo?
          CTemplar?

          Thanks in advance!

  8. anon

    April 25, 2020

    I think the new encryption protocol they’re developing is designed so they won’t have access to the keys? And thus they won’t be capable of giving up their clients’ accounts or data, if such a situation were to happen again.
    (I’m not an expert)

  9. Flash

    April 23, 2020

    You’ve never done a review of novo-ordo.com, an email provider that prides itself on privacy.
    How do you feel about them? Not many reviews online about them.

    • Sven Taylor

      April 23, 2020

      I don’t know much about that email service.

      • Flash

        April 24, 2020

        How secure is Mailfence vs. Privatemail.com (which is TorGuard)? Mailfence seems to log everything, log IP, time stamps, etc… I’d like your review on Privatemail.com. They are USA based but claim once you delete emails they are gone forever. I’d like your feedback on privatemail.com. I was reading up on ProtonMail; although they get a lot of good press they can be hacked cuz they use web based cryptography.

        • Sven Taylor

          April 24, 2020

          Private-mail from TorGuard.
          Ok, we can keep that in mind for a future review.

    • sonar

      April 25, 2020

      Hey Flash,
      Depends on the mail type of user based you are, what good are electronic mail services that encrypt – when people in your most as contacts of mailing don’t do any sort of encrypting likewise.
      **Encrypt adds that security in the minds hype as well can be useful if the applied encryption concept is understood correctly.
      It’s because using encrypted electronic mail services – as some use encryption means to protect your account’s inbox contents, not only for an encryption of your sent and received messages over the open internet. As user account enforced Encryption as controlled by each user’s account password to their accounts, basically refers to these encrypted services as the zero-knowledge mail services. Your user account inbox could have (most) of the departments there as well encrypted to include contacts, attachments, email body, and whatever in that a mail electronic mail service offers for users based accounts protections there.

      BTW:
      ENCRYPTION being used as part of an electronic mail service can mean it’s grounded in ENCRYPTION only by chosen WHY method(s) and by WHOM and WHERE as well to WHAT is its applied parts in trying to protect the mail services users and their accounts inbox. Some do it in an encryption WAY by the most adaptive / universal means! (Referring to accounts messages transmissions over the open web – how’s the inbox encrypted?)
      Also it means there are closed off encrypted mail eco-systems to some of these offered email services. Where then others (sender-recipient) outside of it’s or a specific electronic mail service you’re using, possibly allows TWO means of your messages transit.

      1st) All non-registered users of an email service that are sent messages to – will be sent and received as clear-texts messages traffic from your email service having some encryption scheme used. (see BTW)
      2nd) Symmetric Encryption – where needed & prior for your having given of the message recipient as to sharing of a password / paraphrase for this message in your receivers ability to view its encrypted contents. Ability they have to answering it back by their reply and it’s been encrypted by the container. Thus by just a ‘link’ as given to them in their mail service inbox. So of this one message stays on your email accounts mail server / they do not never send it out across the open web.

      ***Do have a look down in the comments here Flash. Real users comments, and/or questions have generally been covered as what you have asked… And they weren’t addressed by Sven – as he’s a busy man.

      Both [https://torguard.net/] and [https://privatemail.com/]
      https://restoreprivacy.com/email/secure/#comment-61876

      Read the real replies of the proprietor of a very small secure email service, “Sub Rosa Secure Email” [novo-ordo.com] here – and downward to the whole conversation that took place…
      https://restoreprivacy.com/email/secure/#comment-60492

      My final drift or stance of Sub Rosa email is it’s not for long term storage and even then the only encryption they may offer on their side is on their mail server…
      Quote from Rick the proprietor:
      [Messages should be encrypted before being sent and should not be left on the server longer than necessary.]

  10. Anna

    April 18, 2020

    Hi Sven,

    Could you please review this email provider: https://www.mailo.com/
    Thanks

    • sonar

      April 18, 2020

      Hey Anna,
      Mailo looks interesting for a secure email provider catering a solution for everyone: adults, children, seniors. Attention to families and children’s security. Performing tools for professionals.
      The service is fully hosted in France and carefully follows European and French regulations on private correspondence and data protection.
      The users’ data is confidential: no backdoor is open for anyone, even authorities requesting access outside a specific legal framework.

      @MarkR was just asking what good are mail services that encrypt when his contacts don’t do any encrypting likewise. I answered with kind of covering that in some of these mail services it’s not just the message(s) that gets encrypted with some of them. But, as your mailbox and departments there of. But I got his direction of point and maybe Mailo looks interesting to him and others because the way I read it-
      “With Mailo, you can choose for each e-mail you send whether you want to encrypt and/or sign it with PGP. In order to use PGP when sending an e-mail, you only have to set the PGP encryption option when writing the e-mail.”
      **I read you have a choice ‘for each e-mail you send’ by being given ability to ‘set the PGP encryption option’ in composing it optionally as to sending it out as encrypted otherwise. https://www.mailo.com/mailo/en/sending-pgp-e-mails.php

      Dollar to features as the service offers is value that speaks loud to me also. https://www.mailo.com/mailo/en/features.php
      Though France jurisdiction is questionable to some. ‘The Mailo users’ data is protected by French and European laws.’
      I say it’s interesting enough and should catch Sven’s eye for a closer look to maybe making it on the list.
      Mailo has some strong points for around $13.05 USD yearly.
      History – https://www.mailo.com/mailo/en/history.php

    • sonar

      April 18, 2020

      Mail, contacts, calendar: configure your Mac for Mailo
      https://blog.mailo.com/blog/configurer-apps-mac-pour-mailo.htm#more-2257

    • ttg

      May 29, 2020

      I have registered a test account on mailo.com and while I cannot comment about privacy, the service seems buggy.

      1. All emails I sent out arrived with a delay of one hour or more. I checked that with multiple recipients and even with mail testers like mail-tester.com, I do not think they use graylisting so this is a problem with mailo.com.

      2. I added an IMAP account to Thunderbird and sent an email. Now there are two copies of “Sent” folder, one used by Thunderbird, another one used by webmail. Thunderbird doesn’t see messages sent from webmail because they are in a different “Sent” folder. Webmail displays both “Sent” folders (separately). WTF?

      3. No DKIM, no DMARC, spam score is quite high.

      Overall, the web site looks serious but the functionality looks amateurish and buggy.

  11. MarkR

    April 17, 2020

    Hi Sven,

    My apologies if I’ve missed the point of your general review or if there are answers in the comments, but…

    I like the idea of getting away from Gmail, Outlook, Yahoo, or ISP-hosted email, and maybe that’s reason enough to go with one of these providers. But, how much good is doing that if virtually all the people I email don’t use a similar service, PGP, or something like that?

    MarkR

    • Sven Taylor

      April 17, 2020

      That’s a good point. But with a secure email that respects your privacy, you have control over your own inbox without third parties collecting your email contents and profiling you for ads. You can’t control other peoples’ inboxes, but you can take control of your own.

    • sonar

      April 18, 2020

      @MarkR,
      I’ll agree some of these mail services seem off in a closed eco-system to use, as encryption standards being applied across the board for mailing simplicity.
      That’s not me hitting the nail on the head of your concerns though, but I’ll try.
      YOUR CONCERNs:
      “But, how much good is doing that if virtually all the people I email don’t use a similar service, PGP, or something like that?”
      That’s a very good focused point on the nails head before driving it home as a service you’d pick and use – Sir.
      As Sven has already pointed it out these mailer listed are representing mail services that don’t read and scan your email contents to selling off of that personal info, nor knowing how to profile you for any advertising. That’s your excelling privacy stance with these secure mail guys and with encryption.

      That’s encryption basically done in the user’s account end with any encryption as being the LOCK on the account and it’s controlled by each user’s account password.
      Not to be mistaken as some encryption principle to having been generally applied to the mail service’s ‘SERVER’ holding your mailbox that some of its employees have access – even though not knowing or needing your account password. These kind are a lesser breed to user privacy of mailbox contents…
      – Thus it’s account enforced Encryption as controlled by each user’s account password of their accounts, basically refers to these services as the zero-knowledge mail services. Cause in your user account (most) departments are encrypted as to contacts, attachments, email body, and whatever in that a mail service offers for users accounts there.

      Now hoping we can understand this, who can we use of these encrypted mail services for sending messages without any encryption applied to our message or the fact to that of all our messages -if wished- sent out as clear texts only?

      I’m only giving you a couple, one mail service offers in the account contents encryption as automatically covered besides a choice of message going out as encrypted or clear texts. The other service you have to set it all up but, stands on users account privacy principles, but as both to are fair in users account pricing…
      **Posteo – you have to set it all up to encrypt anything in your account – good stance and standards on Users Privacy and sends clear texts messages out by default.
      ***Tutanota has an option labeled “Default Delivery” with a “Confidential” check box next to it in the “Settings” > “Email” section. Make sure that its check box is unchecked, and by default email will be handled as unencrypted as clear texts for sending out. You’ll know if it’s working as if you’re NOT prompted to setup a password for (symmetric encryption), for persons outside of Tutanota’s system.

      I would heed of a fact that THIS is what you’ve asked for and because Tutanota uses some encryption to protect your account, nor is it only of messages sent with (symmetric encryption). But un-encrypted clear texts delivery – messages handled internally and stored – it’s had encryption applied and unlocked easy with your accounts access.

      WHERE as, if it were to be emailed to an external (non-same service) user with just a link given to the message on Tutanota’s server – – and – – – prior to your having given of the recipient as sharing of a password / paraphrase with this message for your receiver to view it. The encrypting/decrypting in THAT one messages ability by an (symmetric encryption) would be applied, or again sending your messages to outside addresses beyond your particular mail services and as encrypted texts to the another persons mail service. Is offered in Tutanota but altogether different that you sought of no encryption.

      Thanks

      • sonar

        April 18, 2020

        Posteo has got many informative help snips about its service.
        Understanding encryption as helpful in their service as setting it up see:
        Topics of manual selections as its encryption is not automatically enforced as being applied to your account’s end…
        Encryption- https://posteo.de/en/help?tag=encryption
        Transport route encryption- https://posteo.de/en/help?tag=transport-route-encryption
        End-to-end encryption- https://posteo.de/en/help?tag=end-to-end
        Inbound encryption- https://posteo.de/en/help?tag=inbound-encryption

  12. sonar

    April 12, 2020

    @Kate,
    I think I remember you and at this time I was answering you by the HardSell handle then, and tried to help you out. [ I’m new to VPNs and need help to understand how I can overhaul all of my devices connected to the internet that are not private at this moment. ] If so I remember you – Hi ; )
    Going as @sonar now because it pleases me more than @HS – sounding like a crack of a whip. sonar sounds more perceptive, friendly and playing with sonar says, says, say as I did of the change made over.
    Just seemed like the old analog sonar displayed on TV shows from the center traveling in outward circles to encompassing the field. Seem it’s close as what I try to do here listening to the core facts and finding the direction of best help I could offer.

    Core fact – “But in the past 24 hours my internet has slowed dramatically,”
    Although, I’m not personally in understanding OS X platform workings, Sven better. I can offer some suggestion of why the slow speed you’ve seen.
    For one, is it’s being tied to this social distancing phase we all are going through, has put a high maybe very large demand. On all of the major CDN’s > ad networks > local IPS > to users speed related issues. That is the sheer amount of users online with free time to stream and other surf online than has ever been witnessed before till now of so much demand to the supplying or serving up transmission components of the web matrix. Just think of millions x10 in everybody that needs to signup for unemployment as an employee to a business to those employees of the business in supply chains to them and others. Are more or less forced to shut down in the wait out time being required till the pandemic hits its peak around the country and world for that matter.

    I had gotten this:
    To our customers,
    We are increasing your Internet service speed by more than 60%—at no additional cost to you—to keep you connected to your families, workplaces, schools and information as our country responds to the coronavirus (COVID-19).

    Your ISP to your home or phone is the first place I check with questioning of them are they at capacity causing your slow speed? Have they had daily periods where they’ve seen such a taxing demand. So great that can be a cause in your slow connections speed? Mobile ISP’s usually run prioritizing software when there is great demand on a tower – so everybody in the neighborhood gets a usable piece of the stream available, unless it’s soft capped by amount consumed till all the towers demand eases as they get their advertised speed back.

    If that’s not it, then it’s probably out of your control, if it’s not the Express VPN server network itself in someway. (ex. webs interstructure matrix bogged-taxed then encrypted tunnels toll to your speed too). Recall all VPN’s routes you through hops to its servers, but still you could make any number of intermediate server hops to the server you wish to get serving up that site. For that absolute anonymous IP try another server close to your surfing out of location, after that I’m not sure the intermediate hops before you get to the site server.

    The Internet is a cooperative PUBLIC DATA NETWORK. Its data traffic flows around the globe freely, transported by an incredible variety of intermediate carriers. These carriers cooperate because they need each other equally: “I’ll carry your traffic if you’ll carry mine.” And the system works.
    I don’t claim to understand it, but trying to understand it enough down to the packet level I wish to get.
    – Then if, it can be anything like airing up a tire with an air pod, to put 30psi in the tire requires the pod to have at least a minimum of 60psi to push out 30psi till equal pressure is reached between it and the tire. Minimum of 120psi to fill 2-tires to 30psi or more than 30psi in one tire. Looking at hdd/ssd memory, server system ram in about the same way might apply.
    Hope it was informative if not a place to start = 1st your ISP, then support @Express or it’s community to see slow speed buzz talk.

  13. Kate

    April 10, 2020

    Sven, I need your help. Months ago, I discovered VPNs through your site, I believe, and also signed up for a Tutanota account. I even got an ExpressVPN subscription, which I love. I can now access blocked US sites when I am in Europe by using a US VPN. But in the past 24 hours my internet has slowed dramatically, and I need to run a speed test with and without the VPN engaged. The problem is that I can’t remember how or where I formatted the kill switch settings in my OS X. I did it manually. I vaguely recall following a blog post you had. Maybe not. Can you please tell me where I can find those settings on my MacBook?

    • Sven Taylor

      April 10, 2020

      Hi Kate, the only thing I can think of is if you enabled the “Connect on demand” option when setting up an IKEv2 profile on your MacBook. I discuss that in this guide, and if that’s the problem, you can just uncheck “Connect on demand” for the IKEv2 profile you previously were using.

    • A Fan

      June 15, 2020

      Hi Sven,

      Any chance of a review of Vivaldi’s mail service? My understanding is it is based in Iceland with a privacy and security focus.

  14. sonar

    April 9, 2020

    Sven
    Just a respectful suggestion from my experience reading when I dove into the topic above here, as I’ve read this or it (3 weeks) extensively at first find of its offering when finding your site about a 18+mts ago.
    Novice to the subject I was overwhelmed often reading here in your break down of each as offered. Scrolling between what’s offered of the emails services is there on the space given, and thank you Sven it’s of a small bit of highlights, clearly useful and helpful but, for someone trying to take it all in. The minds sponge of the first few visits gets saturated fast in all that’s offered.
    I shortly learnt it takes people learning new terms, what those terms actually imply and being applied how by related means here when the word encryption comes up. Then trying to understand a difference to all of the email services that encrypts and how their encryption style/mode/means differences of all the possibilities as listed email services being used.

    That can’t be done of the Novice breed (least myself easy) without lots of off-site leg work and in focus to their minds coordination by weighting in the different facts and aspects as they relate, finding they can very much differ – by how and in what way they happen to differ comes to readers very slowly. That when visiting 2-3 email services homepage listed above.
    Along with catching your in depth reviews given to most of them separately.
    https://restoreprivacy.com/email/reviews/
    and jumping back to their mention here of easy found – Pro’s – Con’, then to more offsite reading of what’s covered as these -/+ checks and balances, and then to sorting it against of the other on the list here as well of their short overviews.

    Tough as I found it all being a novice, because maybe I had a group look for all of the listed as secure email services, and basically in my mind secure meant to me as encryption used – relating that to the ease of a VPN set go out of the box. To my general understanding as a novice of this time would have been all of these services were blended shades of just one encryption’s color to a users privacy on an email policy of standardization covering users privacy as a gated two-way street you get on.
    Instead I’d realized something as more visits over time with my coming back repetitively researching most of each one of these services. Found out it’s user privacy by multiple encryption’s colors used in palette to privacy of the user on different email service in user info required, different strengths of user friendliness, compartmentalization in encrypted features of an account by concept formation in coverage, and scope to deal with metadata involved.

    This still as an enlightening overall captured web resource, along with more across the site you’ve graciously offered as your email guides, had me exultant to be so lucky. As I didn’t know what I was shopping for offhand but to get away from the likes of who’ve I used and that medium there based in free rides without any users regards of privacy…respected.

    Sir you do excellent job please don’t hear me wrongly or different than I’m trying to mean or be heard saying but, as an aid to you and your readers from my combing it over many times in the past.
    **A suggestion is to use small Icon tiles for your readers narrowing it down for them to a quick view information assembly by visual means of icons in what makes these email services different at the core level understanding. Say having of any differences in A than F and J, to all the others on the numbered listing. I mean sure the listing of them by number is not necessarily having any particular purpose to a service merits getting numbered 2 slot over compared to 9 slot as example – you’ve told us that.
    I could see your guide at any emails service numbered spot now, line up all the icon tiles as that match this email service where it covered in their business model. Then it’s possible to drop the numbers all together and list the email services from the most icons to the least. As looking from that point of perspective to an overall understanding.
    Important to me as I learnt was of the encryption concepts being used here and that various methods are employed as going in different directions on the listed services.

    For the encryption icon used, the icon like seen in the address bar in a SSL opened browser window on secured site. You could assign colors codes used for type or style, as closed encrypted eco-system or PGP and S/MIME. With an elongated loop of the locks hook say for the departments and storage areas covered by encryption of the service offered.
    That encryption icon I see as becoming difficult to represent accurately of a service and the degree it’s covered!
    **So maybe make it a generic look offering a few characteristic in purpose as the, Lock icon is there because basically encryption is used or offered, the locks view is cut in half when encryption is limited or keys controlled by the user and not automatic handled. Whole lock icon view, offers users a fuller encryption automatic options. Colors used could be applicable to represent as yellow/basics, orange/intermediate and green/advanced for the different areas least to most in where the encryption use to safeguarding users privacy or exchange of encrypted messages overall.

    The other icons used could represent what is also covered in the secure email service, as well what is to be understood as an icon offered can be for a users shopping list weeding tool. Giving users a tool by visual icons means to honing in quickly on their solution for their unique needs they seek by observing the icons and it’s displayed color found vs slow crawl to get that understanding.
    Allowing this visual impact leads to less need for the preliminary leg work on a readers part to a point their focus becomes understood quicker in a few of email services that hit their interests and they can begin comparing them in reading about each service of interest.

    That same 3 color level scale B/I/A can be applied as applicable from least to feast in any icons to category for a particular service…To you also could use the icons at the starting of the single emails reviews given in depth you’ve made on some email service, as the same readers visuals to quick takes of the service being review at their start of exploring it.
    ICONS:
    Globe icon – Browsers allowed access to webmail
    Lightning Bolt – Company own security standards-policies
    Flag icon – Jurisdiction headquarters regarding privacy
    Cellphone icon – Email apps availability or open market apps
    Folder icon – Calendars, file storage, collaboration tool, group space
    Curved dbl head Arrow – Emailing an external users w symmetric encryption
    Fort icon – Encryption in strong core user fundamentals (user controls access)
    Server icon – Controlled encryption w/o user input access (server encryption)
    TV icon – Device platforms accessibility
    Pin Drive icon – 2FA
    Each icon shaded yellow, orange, green means something specific about its involvement to that service. Maybe a number after the icon of counts in that category being offered with the color shade as least to feast represented.
    Sorry as it was a long brain fa_t. Hope you could picture it and in time we get there ; )
    Thanks

    Reply
    • Sven Taylor

      April 10, 2020

      Thanks for the feedback Sonar.

      Reply
  15. sonar

    April 7, 2020

    Sven,
    I noticed the other day – while study reading (= very granular look and comprehension), of the ‘NordPass’ review by Heinrich Long.
    There was an image used that showed he had an account @ ctemplar, would he comment here on that service, or could you probe him to his regards toward it?

    Specifically the image had this under it – “Click one of those icons and NordPass will display a LOG IN WITH list (circled in red below) with all the Logins it has stored for that particular site.”

    Thanks Sven.

    Reply
    • Sven Taylor

      April 8, 2020

      Hey Sonar, funny you should ask because Heinrich is working on a CTemplar review right now. It should be live later in the week. I haven’t used or tested it myself.

      Reply
      • sonar

        April 8, 2020

        I would have gone better than the free I was trying, as better like (Prime) if they’d be more reasonable in price. Even 50. is a stretch for me no more than I would use it so 72. is like throwing dollars in the toilet of we deserve it cause _ _ _ we’re Special. More like special gimmicks no one else is using! They look good on paper but, what hit me was I sent a msg to their support – they answered – I answered back but I stopped for the night and saved it as a draft. Finished on set it on.
        – This is where it got interesting, The two way conversation as messages build on as all back and forth between the parties – – Full copies mind you were present in the inbox, sent, and drafts folder – all the time. Seemed to me your free allotment of storage would go fast.

        Never did stay long enough to see how the work using alias styles like Tutanota as this way I liked cause it completely hides your real email address better, or Proton that I didn’t cause it’s liken to mail going to a certain folder in sorting your account based. Using the real email username as part of the alias – receiving end just drops the alias part throws the username with the domain = true account email address.
        https://protonmail.com/support/knowledge-base/creating-aliases/

        Pricing they’re up nosed like Proton compared to our friends at POSTEO and TUTANOTA. The twist CTemplar trying to put in the business field doing what they’re doing to advertise an Armored 4 Wall Protection, if it works out would be different. Then being anymore advantageous to privacy maybe that’s why the prices get so ridiculous after the 72. Prime tier. Still there’s a short history and their being the new player, you’d think Prime would be offered lower as a tester level to sell the others then.
        Thanks Sven and Heinrich looking forward to it.

        Reply
        • Sven Taylor

          April 8, 2020

          Yes and they are also hosted and store all data in Iceland, which typically has much higher server costs than other locations.

        • sonar

          April 9, 2020

          Yes,
          I liked it (so other readers) don’t see what I’ve said of it otherwise.
          Just didn’t know how to prove to myself of their claims they’ve made. To warrant their cost over some of the others in the same conscience given to users Privacy’s of the freemium-Paid email realm. Did notice for a “user account interface” Ctemplar’s is as close to Proton’s than any I’ve used prior. Which Proton’s was much better than the ones I’ve had as local IPS, G or Y mails – soverin email services used.

          [12. Dedicated Bare-Metal Servers
          Cloud servers have legal and unauthorized access risks. We use physical servers located in Iceland to protect your data. / Because we use physical servers in Iceland, we are not able to reduce our price using cheap cloud storage – (sounds to as users are helping pay for their infrastructure).]
          Agree with what you’ve added about their location and visited their site to see the layout has changed somewhat –
          Now – [https://ctemplar.com/]
          Dec 04 2019 – [https://web.archive.org/web/20191204195825/https://ctemplar.com/]
          Thanks

  16. empero servisi

    March 11, 2020

    GMX was great email back when you could still pay for their “Pro” offering in the early 2000s. Today? Stay away. While German/EU data legislation applies, they’re hardly private and they’ve had such a bad reputation for spam that many providers still block them by default (ie, messages mysteriously never arrive). You can do better.

    Reply
  17. Kirstin

    February 25, 2020

    Like to point out an annoyance of protonmail, and possibly tutanota. Crocker.com email would not accept emails from protonmail and when I asked protonmail, I was told this was an ongoing issue that Crocker refused to unblock Protonmail. For me I had been sending emails to press without anything being posted in the paper. Finally I called several and found nothing was in their inboxes, though I sent from both protonmail and tutanota. This is a huge aggravation, but I blame crocker more than tutanota and protonmail. I’d hate to see other email services do the same as crocker.

    Reply
  18. Mike

    February 25, 2020

    Thanks, funny how most sites are US based. So only accept supposedly corporate emails. So my Gmail or other secure mails as you mentioned seemed to be on there not corporate emails. I’ve seen this a few times now on a number of businesses. I am not keen on the 3rd party go between, lot of messing around … Becoming more common when signing up for things or getting information. Like signing up for security info at ISA/IEC won’t accept any email other than my corporate one. Which I can’t use as the company blocks a ton of stuff, besides I want it at my email in case I leave. So trying to find a suitable mail recognised as non Gmail, yahoo, outlook, Tutanota, ProtonMail to list a few I tried.

    Reply
    • J.M

      February 26, 2020

      Agree. Third party is not the best, but I was trying to figure a work around.

      Someone with better thoughts can chime in.

      Reply
    • sonar

      February 27, 2020

      Hey Mike
      Two methods are described here, don’t know if it’s helpful.
      https://www.wpbeginner.com/beginners-guide/how-to-create-a-free-business-email-address-in-5-minutes-step-by-step/

      Reply
      • sonar says

        March 5, 2020

        at Mike, I’d made a reply to you about obtaining your own domain to appearing as a business like entity to those orgs that write you off as not being one, because of the personal email choice you’d want used.
        #2 It hasn’t made it to a posting yet as I see now. Maybe they will post relatively in their order, then simultaneity to each other.
        (I’m thinking ST has got personal matter he’s handling about now for the reasoning of delayed replies). Note: this description uses a lot of web addresses examples and as such may be caught by some filter the site uses – so I tried as spelling out the (dot) instead of just the use of a (.) symbol.

        This is then an extension too and hope for better understanding by my low/run down to your own domains use:
        DNS is not just a server with records for other servers. The DNS system spans the globe, and is comprised by a hierarchy of organisational units, resembling a tree. At the end root, there is ICANN, a nonprofit organisation responsible for policy, creation and management of new top-level domains (such as .com, and .uk) as well as for operating the root name servers, and managing the IPv4 and IPv6 address space.

        Then there are the top-level domain registries (companies like VeriSign) which own and sell “in bulk” top-level domains to the registrars, which organizationally fall under them. Domain registrars are the companies you go to buy a domain for your website. (note you need not make a website to use the domain service and only then occupy the use of its custom mail address offered.) Though if you’d want a website for any reason it’s there too.

        At the final level of the organisation, there is the domain (which you are responsible for) and its records. The nameserver that you select to hold the records of your domain, is called the authoritative name server. Meaning that it is this nameserver that holds the “official” records for your domain.

        The DNS protocol describes a lot of different records for different purposes but, the most common ones you will work with are the
        A,
        CNAME,
        and MX records:
        Address (A)
        The Address (or simply A) record, is probably the most fundamental and widely used. It is the one that maps names to IP addresses. For an example only, the following record: yourwebsite(dot)com. In A record 23.9.62.14 will map the domain yourwebsite(dot)com to IP address 23.9.62.14. The IP address is usually given to you by your hosting provider.

        Canonical Name (CNAME)
        The CNAME record is used to create a host alias. This is typically used when you need to have multiple hostnames (www,ftp,mail) to point to the same domain. For an example only, the same server could also be responsible for ftp, or mail. For an example only: www – In – CNAME – yourwebsite(dot)com.
        As so will create an ‘www’ alias to yourwebsite(dot)com, so that when someone connects to http://www.yourwebsite(dot)com, will be redirected to yourwebsite(dot)com.

        Mail Exchange (MX)
        The MX record is used to define the A record that will handle all incoming email for that domain. For an example only, if you want mail.yourwebsite(dot)com to handle all mail addressed to yourwebsite(dot)com, you’ll use the following MX records:
        website.com. MX 10 mail.website(dot)com
        website.com. MX 20 mail-backup.website(dot)com

        The number next to the MX string corresponds to its priority assigned. If for some reason mail.website(dot)com becomes unavailable, then all mail will be handled by mail-backup.website(dot)com.

        I’ve spent mucho time to run down this for you and others alike interested in a solution like what you’re up against. Hey a thanks is in order for the caring kind, I do acknowledge yours already that’s why I dug deeper to offering this up.

        Reply
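The record types described in the comment above, as an added example that is not part of the original comment: a small lookup over a constructed zone that follows a CNAME alias to its A record and picks the mail host by MX preference, falling back to the backup when the primary is unavailable. The domain `example.test`, the 192.0.2.0/24 addresses and all function names are assumptions made for the illustration.

```python
"""Toy lookup over a constructed zone: A, CNAME and MX handling."""

# Constructed sample zone. example.test and the 192.0.2.0/24 addresses
# are placeholders, not values taken from the comment above.
ZONE_TEXT = """
example.test.              IN A     192.0.2.14
mail.example.test.         IN A     192.0.2.25
mail-backup.example.test.  IN A     192.0.2.26
www.example.test.          IN CNAME example.test.
ftp.example.test.          IN CNAME www.example.test.
example.test.              IN MX    20 mail-backup.example.test.
example.test.              IN MX    10 mail.example.test.
"""


def normalise(name):
    """Lower-case a name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_zone(text):
    """Parse 'name IN type rdata' lines into {(name, type): [values]}."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, rclass, rtype, *rdata = line.split()
        rtype = rtype.upper()
        if rclass.upper() != "IN":
            raise ValueError(f"unsupported class in: {raw!r}")
        if rtype == "A" and len(rdata) == 1:
            value = rdata[0]
        elif rtype == "CNAME" and len(rdata) == 1:
            value = normalise(rdata[0])
        elif rtype == "MX" and len(rdata) == 2:
            value = (int(rdata[0]), normalise(rdata[1]))  # (preference, host)
        else:
            raise ValueError(f"unsupported record: {raw!r}")
        records.setdefault((normalise(name), rtype), []).append(value)
    return records


def resolve_a(records, name, max_hops=8):
    """Return the A addresses for name, following CNAME aliases."""
    name = normalise(name)
    seen = set()
    while True:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        if (name, "A") in records:
            return list(records[(name, "A")])
        alias = records.get((name, "CNAME"))
        if not alias:
            return []
        name = alias[0]


def mail_hosts(records, domain):
    """MX entries for domain, lowest preference number (tried first) first."""
    domain = normalise(domain)
    mx = sorted(records.get((domain, "MX"), []))
    if not mx and resolve_a(records, domain):
        # No MX at all: the domain itself is the implicit MX (RFC 5321).
        mx = [(0, domain)]
    return mx


def pick_mail_host(records, domain, reachable):
    """First MX target, in preference order, that has an address and
    passes reachable(host); None when every candidate fails."""
    for _pref, host in mail_hosts(records, domain):
        if resolve_a(records, host) and reachable(host):
            return host
    return None


def aliased_mx_targets(records):
    """MX targets that are CNAME aliases, which RFC 2181 disallows."""
    return sorted({host
                   for (_name, rtype), values in records.items()
                   if rtype == "MX"
                   for _pref, host in values
                   if (host, "CNAME") in records})


RECORDS = parse_zone(ZONE_TEXT)

if __name__ == "__main__":
    print("ftp resolves to:", resolve_a(RECORDS, "ftp.example.test"))
    print("MX order:", mail_hosts(RECORDS, "example.test"))
    primary_down = lambda host: host != "mail.example.test."
    print("primary down, deliver to:",
          pick_mail_host(RECORDS, "example.test", primary_down))
```

The `reachable` callback stands in for a real connection attempt, so the failover order can be checked without any network access.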
    • sanar says

      March 3, 2020

      at mike
      Your best bet I’d see is owning your own domain (leased really), as another way to get on the interesting ‘org’ sign-up mailing lists for companies that require company addresses. Using your purchased domains accounts in its domain management center by settings via your cPanel. Set up the email account for your domain and then forwarding its received email to either of your personal emails that the org’s refused to accept. It will run yearly in costs (say 13.00 for the com (TLD) and really look at the renewal price as a heads up, because sales happen all the time.

      Top Level Domain with a business sounding name supposedly would pass the restriction about email ex: mike@ (your domain) mcdonaldcompany(use)com or mcdonaldsecurity(use)com

      I think sven’s site here uses the namecheap domain service – might get a yea or nay from big honcho.
      https://www.namecheap.com/support/knowledgebase/article.aspx/110/31/how-to-create-an-email-account-in-cpanel

      Reply
      • Sven Taylor

        March 5, 2020

        Yep, I like and use Namecheap. It comes with free Who Is Guard and is very affordable.

        Reply
  19. J.M.

    February 21, 2020

    @ Mike McDonald,

    I will try to answer your question below. The reply button was not working.

    If an org is rejecting an email, say Tutanota. There is a way around it but it does remove the whole concept of privacy.

    Make a dummy email that does work (GMail, Yahoo, etc.) And use that for the org.

    Then set the email to do an Email forwarding to tutanota and just never log on to the intermediary email.

    The email will be forwarded and I would suggest using POP 3 as it downloads from the server and in theory does not store anything.

    Again, it is a work around that may not be the best but it works. Use Thunderbird as your client (or in Tutanota’s case their desktop app) and the emails are saved on your desktop rather than the servers.

    Again, you still have the intermediary email but it can work. If you don’t Dox yourself, can we get the situation specifically and maybe we can help better?

    Hope this works.

    Reply
    • Sven Taylor

      February 21, 2020

      With comment replies, this is a bug that keeps coming back. We’re working on it…

      Reply
    • sonar

      February 26, 2020

      I’m pretty sure it’s a question generally being asked as why it’s happening for Mikes McD to his understanding it.
      B2B if it’s what Mike McD speaks of where, from the blockers side I find a hint described somewhat here. To the blocked personal email addressed domains, like Gmail.com and Outlook.com.
      Importantly Mike should contact the support team of the blocking organization for insight and resolutions. Advise on how to be allowed and his following up there.
      https://docs.microsoft.com/en-us/azure/active-directory/b2b/allow-deny-list

      Reply
  20. Mike McDonald

    February 20, 2020

    Odd question, but more orgs are not allowing certain email addresses unless corporate. If my own company is Gmail, outlook or whatever it’s blocked as not being corporate. Are there secure ways of creating I guess a company email alias linked back to Gmail whatever or actual emails viewed as corporate type?

    Reply
  21. sonar

    February 11, 2020

    Hi
    Anyone used these?
    MeSince the official version was provided to global users on December 14, 2018, MeSince® is registered in China, USA and UK.
    https://www.mesince.com/download/2020_new_year_discount_en_signed.pdf
    “MeSince” is the transliteration of Chinese name “密信” that means “Encrypted Letter”, “Encrypted Mail”, “Encrypted Message”, its pronunciation is /mi:sins/.
    MeSince Technology Limited, registered in Shenzhen, Hong Kong SAR and UK. It is a wholly-owned subsidiary of WoTrus CA Limited, specializing in digital signature technology, certificate encryption technology and timestamp technology research and development, to provide PKI technology-based information encryption products, services and solutions to users around the world.

    MeSince® is an encrypted communication system based on the email system. All messages are encrypted by default. All confidential information is encrypted from sending and stored in the email inbox. Your email inbox becomes a “coffer” that can safely store variety of confidential information and documents.
    Even if encrypted documents are illegally obtained somehow, they are worthless because they cannot be decrypted.
    A free email client that uses S/MIME standard to encrypt and digitally sign email, supports cross-platform (Windows, Android, and iOS).
    https://www.mesince.com/en-us
    https://www.mesince.com/en-us/Solution

    Another way.
    The SpiderOak team needed a secure solution for group messaging and file sharing without the risks of email or off-the-shelf collaboration tools. We made Semaphor, group messaging with private blockchain encryption.
    Semaphor works on all of your computers and mobile devices. Supported platforms include Windows, macOS, Linux (beta), iOS, and Android.
    Semaphor is free for teams of 5 or less. All teams include unlimited message and file retention, unlimited file sharing, a single file size limit of 2 GB, and unlimited channels and messages.
    https://spideroak.com/semaphor

    Reply
  22. J.M.

    February 6, 2020

    I looked and couldn’t find it, so I want to ask:

    With Protonmail, is it more secure to use Thunderbird or direct access online?

    My Thunderbird doesn’t always work as messages show they are loaded but not readable and other things.

    What do you all say? @Sven, please feel free to post your thoughts because I am having a hard time justifying an email Client right now. Thanks.

    Reply
    • Sven Taylor

      February 6, 2020

      I would think the desktop client with Thunderbird would be your best bet, given the vulnerabilities with browser-based email.

      Reply
      • J.M.

        February 6, 2020

        Thanks. So maybe some guidance would be helpful.

        I have Linux Mint and just got my Linux ProtonVPN installed. This has played with my Thunderbird more than normal.

        Is Thunderbird still a strong option or is there a better and more up to date client? Thanks.

        Reply
        • Sven Taylor

          February 6, 2020

          Yep, Thunderbird is a great choice, being open source and offering cross-platform support.

        • J.M.

          February 6, 2020

          OK. Thanks.

        • J.M.

          February 6, 2020

          @Sven,

          Not to throw more on you, but maybe a good review would be with email clients. I bet there are some really good things there. Just a thought.

        • Sven Taylor

          February 6, 2020

          Thanks J.M., I’ll keep that in mind.

  23. VV

    February 2, 2020

    Dear Sven,
    Here is some additional information about mailbox.org:
    1. Only Inbox and Sent (?) folders are encrypted (Encrypted Mailbox option)
    2. The message’s sender, recipient, and subject line are not encrypted
    3. Calendar and Address Book are not encrypted
    https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox
    https://kb.mailbox.org/display/MBOKBEN/Encryption+of+calendar+and+address+book

    Mailbox vs Posteo (Translation from German required)
    https://usefulvid.com/mailanbieter-test-posteo-gegen-mailbox-org/
    Thank you.

    Reply
  24. Ivan the Considerate

    January 31, 2020

    I notice lavabit (https://lavabit.com/) has relaunched, after the 2013 shutdown. You have to wonder if, with the relaunch, and despite their boilerplate mission statement, they now have an ‘arrangement’ with the NSA.

    Reply
  25. John

    January 28, 2020

    ProtonMail Caught Lying Again

    A few days ago, a poster asked the following question: “If I delete my account, does ProtonMail keep all of the data? Am I just disabling my account or deleting all data linked to it?”

    https://www.reddit.com/r/ProtonMail/comments/esnw4i/if_i_delete_my_account_does_protonmail_keep_all/

    The response he received from TauSigma5 was as following: “Your data will be deleted from production servers immediately. It will be deleted from backups within 14 days.”

    This is a blatant lie!

    Regarding data retention, the Swiss surveillance law BÜPF states as following: All metadata have to be retained for six months. Other identifying data, such as IP addresses, also will have to be retained for a period of six months after termination of a specific e-mail account. (Art. 19 Abs. 4 nBÜPF für Postverkehr und Art. 26 Abs. 5 nBÜPF für Fernmeldeverkehr, & Art. 21 Abs. 2 und Art. 22 Abs. 2 nBÜPF). However, the law does not stipulate a minimum retention period shorter than six months. In fact, ProtonMail must retain certain metadata for a period of ten years. This regulation forms part of the Swiss C.A. (Art. 957a Abs. 3 i.V.m. Art. 958f OR).

    As a consequence, if TauSigma5 states that “Your data will be deleted from production servers immediately. It will be deleted from backups within 14 days.” he is either lying or ProtonMail does not comply with the Swiss C.A. nor with the BÜPF. To sum it up: From account termination onwards, PM must store metadata for a period of at least six months but – if PM elects to do so – can store that data indefinitely. Certain information pertaining to the Swiss C.A., such as credit card & other payment information, must be stored for a period of ten years.

    All over Europe, above all within the E.U., there are country and E.U. specific retention periods. If you want to choose an ESP that deleted your e-mails immediately, you have to look for a U.S. based ESP. It seems the corresponding law there is much less stringent than here in Europe.

    Reply
    • Sven Taylor

      January 28, 2020

      Data retention generally applies to internet service providers / telecoms. However, we’ve seen some strange court cases in Germany over the past year where judges forced email providers to give user data under certain court orders. Are you certain this 6 month data retention law applies to email? (Perhaps nobody is certain, with laws intentionally written vaguely and even judges who don’t agree on the exact application of the law…)

      Reply
      • John

        January 29, 2020

        Well, first here my response to the PM people.

        The data retention issue is twofold: On the one side, we talk about metadata plus e-mails; on the other side payment information is concerned. The first part is regulated by the new Swiss wire law and the second one by the Swiss C.A.

        However, only after having written my comment, I found by chance something very interesting that confirms what I wrote:

        Dutch law forces StartMail to store your invoices for “7 years, or whichever period may be prescribed under applicable tax law”.

        Norway does the same to Runbox but for even longer – “as financial records must be kept for 5 years according to the Norwegian Bookkeeping Legislation”

        MailFence (Belgium) keeps deleted account data for a year – “i.e. the Belgian law imposes 365 days after account closing”

        Source: https://digdeeper.neocities.org/ghost/email.html#laws

        Of course, the Companies Acts of the various countries all stipulate minimum retention periods for accounting / payment information. And that term typically is ten years.

        Now the second part: How long does an ESP store e-mails (provided he has to store them at all)?

        In Europe, including Switzerland, all ESPs have to store e-mails for a certain period. According to the new Swiss wire law, that minimum period is six months. Again, the corresponding paras of the BÜPF (“wire law”) have been mentioned. However, even before that wire law came in to force, all Swiss ESPs had to store e-mails for a period of six months.

        The BÜPF and the Swiss Companies Act are not that hard to understand. In fact, I learnt the C.A. during my apprenticeship, which means I learnt where to look for in the C.A.

        Whether an ESP really deletes the e-mails after a certain period once you have closed your account, I do not know. Gmail definitely could NOT do that, since they got backups of a client’s e-mails in their data centres all over the world.

        You make a very good point: “Perhaps nobody is certain, with laws intentionally written vaguely and even judges who don’t agree on the exact application of the law…”

        For Switzerland, it is clear-cut. In theory. In practice, law enforcement – and that can be any police force – can directly and informally request information on your e-mail accounts with the following providers: Gmail, Yahoo, Outlook (formerly Hotmail) and…. yes … Yandex. Within Switzerland, in most cases requests for information are made in an informal way so no state prosecutor or subpoena is needed. That’s why no Swiss ESP has a clear-cut transparency report. The PM transparency report, to be honest, is just marketing and drivel.

        To end the story, here a good example of a simple Swiss police officer (actually the one who illegally purchased “Galileo” from the former “Hacking Team”) who wrote to “Weebly” asking them to take down a website. “Weebly” did the right thing: They refused and asked for a proper U.S. court order.

        Here the link:

        http://frauenohnegrenzen.weebly.com/us-refuses-to-remove-website.html
        http://archive.is/WnB1A

        You also mention Germany. Now, Tutanota – in some reviews – is not covered anymore because of the Trump joke. There, I only can speak for encryption software. At the beginning of the 80s (around 1982), one of the best Western German encryption firms was (informally) forced to close business (no name, just that the company was located in West Berlin [the owner, by now, must have retired]), since their proprietary encryption algorithm was too strong and they did not want to co-operate (I should write “collaborate”) with the German BND in Bonn. All German encryption software must incorporate backdoors. That’s all I can tell you.

        What is the conclusion? Get a small ESP in the States. They won’t make any shortcuts, even if you are not an U.S. citizen. Most of them will request a U.S. court order / subpoena. And choose one that allows you to delete e-mails so that they are gone – forever, i.e. not even backed up.

        Reply
  26. Nicolas

    January 24, 2020

    for privacy I recommend servermx.com. It is an Italian company and it is GDPR compliant.

    Reply
  27. Bedawyn

    January 23, 2020

    Thanks for this article, and your whole site. I’ve been trying to survey the current landscape before setting up a new e-mail account, and the best information I’ve been finding is here. I’ve also marked a number of your non-email articles to go back to another day.

    Alas, what I’m reading doesn’t leave me with many options. It’s essential for me that my mail service is free (I have no reliable income) and accessible via IMAP on third-party clients. As for security, I’d prefer encrypted e-mail but most of my correspondents are either using GMail or are staff at government agencies. So true security isn’t an option, and I try to treat all mail I send as potentially FOIA-able. Still, I don’t want to make it easy for the snoops, or the advertisers. And so far, it’s looking like I can get two out of three criteria (free, IMAP, privacy somewhere between truly secure and sitting in Big Brother’s lap) but Mailfence may be my only option for all three. If you know of any alternatives I’ve missed, I’d appreciate a pointer! But this article has certainly helped cut down on the many many hours I would have spent otherwise trying to research each provider individually.

    Reply
  28. HardSell

    January 22, 2020

    Hello Sven,
    What’s meant by ‘Warning: Inconsistent server configuration’?
    https://www.ssllabs.com/ssltest/analyze.html?d=soverin.net

    Soverin account users (usually new), in the contents of their mailbox data in Soverin’s unencrypted e-mail mailbox service is readily accessible to the mail service providers team/employees/interns/partners/associates.
    Because Sir –
    It’s only given their “treatment of Customer Confidential” as the strongest guarantee of trust that AnyOne’s got TO their promise – we are not gonna Look at it.

    Enforcing that’s why they’re so good you’ll need to pay, by falsely given you this-
    “Think about what’s in your inbox. It holds the most intimate details of your life, it’s like a database of your life. That personal data deserves to be protected. Data has turned into a valuable asset in our digital world. ”
    OK offer encryption to us…then.

    [https://soverin.net/features] I’d want any encryption used over it setting in clear texts. Real truth is that all email providers must comply with the legal requirements in the country they are operating in – as repeated here many times.

    25Gb is a lot of storage not to lock it up, and simply to pretend an affixed “do not open sign” is proper enough to ward off would be lookers as good. Let’s Soverin fails your readers – at when you say no more about Soverin’s encryption than-
    ‘while also using strong encryption standards, although email is not stored encrypted at rest.’
    Inexperienced and noobie’s users are probably looking for encryption’s term used as a barb to catch on and combined with 25Gb of storage draws them in. This Encryption’s feature as not being understood in the terms of the different areas that’s possible to ensure all mailbox contents privacy while the data is at rest…setting in your mailbox / Soverin don’t tell you of them.
    I wouldn’t use encryption’s term at all associated with Soverin.

    Because the only time it happens is in transit ((A+ grade SSL/TLS connection)). Account users control no encryption availed by Soverin.
    Then it’s forgot by Soverin as soon as it’s passed to the end.
    The industry wide use of SSL/TLS transit of message data is not deployed as evenly being enforced amongst all mail servers – unless both mail service servers (sender/receiver) has a set policy to HTTP Strict Transport Security (HSTS). https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

    Encrypted at rest which remains the highest level of protection that you could expect within a zero-knowledge hands off email provider system.
    So really it’s a trust based email service that pushes a zero-knowledge platform without encrypting its users’ data is not Trust that is earned – and you can take to the bank – only user trust and data that is being surrendered by the user as well as some money.

    Without the full encryption route of your messages and your mailbox at rest encryption being offered within any mail service, how can any one of them say they are secure, private and respect a users privacy ? Think breaches, or court ordered access for worst case events happening to your 25Gb account.
    – Soverin also requires you provide them with Your phone-number for account starts verification purposes.

    Reply
    • HardSell

      January 23, 2020

      Hello Sven,
      I would like to correct my over-looked fact, you have and do mention – ‘No built-in encryption options’. Missed that – Sir ; )
      That’s true and with the Soverin email service offered today as what I call a “trust govern” model in where the users/account holders must surrender the most of it, as with their money to boot now.
      That “trust govern” model is why I left Gmail and Ymail and they were free. A lot of differences between the 3-mailers I’ll agree – but users faith and trust are still preyed on and easily abused of these types – in a mailbox model without encryption at rest.

      No guarantees given (factually-implemented) that only YOU can access your unencrypted 25Gb stored… Where encryption is a guarantee – that in ‘take our word’ is not.
      If one ran their own encryption scheme on the contexts before reaching the 25Gb Soverin mailbox, then it would be a crypto-blob store to all of Soverin’s side / as well anyone but U the account holder – but then any encryption actions while signed in to your dashboard of the Soverin account are not possible…and they must be done outside the Soverin account.
      – and if Soverin tried to see or to understanding the data – it’s garbled.
      I’m not saying Soverin is a real bad choice – just give your readers an understanding as it presents some cautionary flags to observe… As it’s made it to your Secure eMail listing as suggested to used or being listed in choice as considered by your readers.

      Maybe it would be better to break down this list and present it as by what and how their encryption schemes are working, parts covered, universal deployed, closed off accessible. Ex: Easy/Automatic – Strongest/Universal – None …
      As the easy way for your RP Readers to figure out a category in what someone new doesn’t yet understand or have considered in their threat mode protections.
      Thank You

  29. HardSell

    January 22, 2020

    Hi Sven,
    Been some time since I’ve been in the body of the article above.
    Nice to see your additions of Ctemplar and Soverin for considerations and user discussions. I did wonder why Ctemplar was hot in replies of late – Duh…

    My suggestion when you do an update of any article/guide and it’s tiled on your homepage – run it for 3 months as a notification alert of an update.
    – I see two things you could use possibly for an alert system. The home page tiles of your articles/guides have what appears like a thin bright white border around each of the backgrounds of the image tile. Then the gray shadow box the image tile sets centered over. Going with these areas then consider-
    1. Suggested either the thin border -or- the shadow box change in color of the updated referenced tile.
    2. Ex: 1-st month Bright, 2-nd month Dulled, 3-rd month Faint almost gone.
    Note – blue and black are theme colors of the homepage and its tile images, this is an alert system so red, orange, and gold. Makes sense to draw readers’ attention to them – subtle they’re not / maybe green or purple tints.
    3. Use a one color fading alert system on a tile or rotate thru the ROG colors for a tile. What to do with side-by-side updated homepage tiles ?
    Would it matter as two updated articles/guides would still be an indication of an update – as with the 3 step color change or one color fade system tells how long since it happened at a reader’s glance on it.
    Thanks

    • Sven Taylor

      January 22, 2020

      Thanks HardSell.

  30. Mikhail

    January 21, 2020

    Hi HardSell!
    I have no complaints about CTemplar, they are new to this business, they need to develop. But they promise a lot, compare themselves with the established players of Tutanota, ProtonMail. The functions they offer are interesting, but the question is how competent and honest they really are. How well implemented is what they are declaring?! Prices for services are quite high. Who is their team?! All these are unanswered questions.
    Everyone chooses for himself, I choose the responsibility and sustainability of services, combined with security. I know HardSell that you are not a fan of Proton, but for most it is very good, in fact, like many other services: Mailfence, Posteo, Mailbox.org, Countermail, Tutanota.
    Mail is just mail, it is only a small part of our lives.
