When you are competing in the “secure email service” space against heavy hitters like ProtonMail and Tutanota, it helps to have an edge. Today we are looking at Mailbox.org, yet another secure email service based in Germany.
Mailbox.org resembles the best of secure services with its use of top-end security protocols and strong privacy protections. But it also resembles services like Office 365 or the Google suite of productivity tools.
How? Mailbox.org includes the email, contacts, calendar, and file storage apps that you find in the leading email services, along with their own browser-based office suite of tools.
So let’s dive right into this Mailbox.org review and take a good look at what it has to offer.
- PGP support (server-side or through third-party app)
- Company and server located in Germany with strong privacy protections
- TLS with perfect forward secrecy in transit, plus HSTS on the web interface
- DNSSEC, DANE/TLSA and MTA-STS to resist man-in-the-middle attacks on server-to-server mail delivery
- Message and spam filters
- Virus protection
- Full text search
- POP, IMAP, SMTP, ActiveSync support
- vCard, CardDAV, CalDav support
- Messages are encrypted at rest (server-side PGP via the Guard feature)
- Supports custom domains
- Open source
- No mobile clients (but can be used with third-party email clients)
- Records your IP address during registration
- Germany is a 14 Eyes country
- Uses reCAPTCHA (Google) during registration
Mailbox.org features overview
Mailbox.org has several features that help it stand out from the crowd of secure email services. These include:
- An expanded range of apps: Mail, Calendar, Address Book, Drive (cloud storage), Tasks, Portal (access to all apps), Text, Spreadsheet, Presentation, Webchat
- An automatic, guided tour of all the features and apps
- A clean, three-pane UI with drag-and-drop capability
- Top rating for Privacy and Data Protection by Stiftung Warentest
- Enhanced Security Certificate provided by SwissSign Certificate Authority
We’ll take an in-depth look at some of these features below.
Mailbox.org company information and history
Mailbox.org is a product of Heinlein Support GmbH, based in Berlin, Germany. The email service is based on an earlier product, which was redesigned and rebranded as Mailbox.org for its 2014 relaunch. The service is privately funded and debt-free, protecting it from influence by outside investors.
The mail servers are located in two geographically separate German locations and run in parallel. Heinlein Support GmbH owns and manages their own hardware rather than renting servers from third parties.
According to their website, Heinlein Support GmbH uses 100% green energy, and banks with the German Bank for Social Economy.
While Germany is generally considered one of the better places to base a secure mail service, the country is a party to the 14 Eyes intelligence agreement. The German Federal Intelligence Service reportedly cooperates with the United States National Security Agency (NSA) in surveillance matters. This may be worth considering depending on your threat model.
Mailbox.org technical specifications
Mailbox.org uses a full range of industry-standard protocols to protect your messages in transit and to make its servers hard to impersonate. These include:
- PGP (Pretty Good Privacy) for end-to-end encryption of message content
- TLS/SSL (Transport Layer Security / Secure Sockets Layer) for connections from your browser or mail client and for delivery between mail servers
- PFS (Perfect Forward Secrecy), a property of the TLS key exchange that keeps recorded sessions safe even if a server key is compromised later
- HSTS (HTTP Strict Transport Security) for the web interface, so browsers refuse to fall back to plain HTTP
- CAA (Certification Authority Authorization) DNS records, which restrict which certificate authorities may issue certificates for the domain
- MTA-STS (SMTP MTA Strict Transport Security), which tells other mail servers to deliver to Mailbox.org only over authenticated TLS
- X-XSS-Protection (a cross-site scripting filter header; modern browsers have dropped support for it, so it adds little on its own)
- DNSSEC (Domain Name System Security Extensions), which signs the domain's DNS records
- DANE/TLSA (DNS-based Authentication of Named Entities, using TLSA records), which pins the server's TLS certificate or public key in DNSSEC-signed DNS
The service also supports POP3, IMAP and SMTP for third-party mail clients, and ActiveSync for mobile devices.
Mailbox.org hands-on testing
As is my usual practice, I’ve conducted this Mailbox.org review using the free, 30-day trial version and the browser-based client. Thirty days is sufficient time to test out the service and decide whether you want to continue using it.
Signing up for Mailbox.org
The signup process for Mailbox.org was pretty typical, but there were a couple of unusual aspects to it.
One controversial aspect is the appearance of a reCAPTCHA in the registration process. reCAPTCHA is a Google service that attempts to verify that you are a human, and not a bot.
Using reCAPTCHA to confirm that you are human is a potential privacy problem, since it hands Google a signal about the visitor even before an account exists. We don’t need to dig into the details here. A June 2019 article at Fast Company, Google’s new reCAPTCHA has a dark side, explains the potential privacy and usability issues if you want to learn more.
The registration process also asks you for a telephone number or alternative email address. I prefer services that don’t ask for this kind of information, but in this case there’s a twist. Mailbox.org asks you for the telephone number or email address after your registration is complete. And handing over that information is optional.
The idea here is that you give the company one or both of these if you want the ability to reset a lost or forgotten password. Letting you decide whether to trade additional personal information for account recovery is a sensible design. Bear in mind that any recovery channel is also a way into your account for whoever controls that phone number or mailbox, so choose one you secure as carefully as the account itself.
And that’s it as far as registering your account.
Once you log in to your Mailbox.org account, you’ll know this isn’t the typical email service. The first thing you see is the Portal, a customizable interface to the various sections of the service.
The Portal does more than help you navigate to the different sections of the service. It also displays relevant information from each section, making it easy to do a quick status check of everything.
I recommend that you immediately take the short Welcome to mailbox.org Office tour to get acclimated to this unusual, yet very useful, interface. Once you finish, click the envelope icon in the green bar at the top of the window to move to the mail section.
The look and feel of Mailbox.org
Mailbox.org has an attractive, 3-pane user interface. Here’s the email section:
It looks a lot like the other email clients we’ve reviewed here and supports drag-and-drop as if it were a dedicated client instead of a window in your browser.
You get all the features you would expect: mail folders, message sorting (including sort by conversation), a reading pane, and the ability to sync to additional accounts.
Composing messages in Mailbox.org
You compose messages in a separate window that gives you all the features you would expect. You also get niceties like signatures, read receipts, and the ability to attach vCards to your messages.
Once you’ve got your message composed, you just need to decide how you will send it.
Mailbox.org lets you send messages in the clear or encrypted, whether you are sending to another user of the service or not. Sending messages in the clear doesn’t require any special effort on your part. Sending encrypted messages takes a bit more work.
Sending encrypted messages
In the message composition window, click Security, then Encrypt. By default, the Mailbox.org Guard feature will kick in to encrypt the message for you. The first time you use Guard, a wizard will pop up and guide you through setting it up.
Guard runs on the Mailbox.org servers: your PGP key pair lives there, protected by the password you enter, and the encryption and decryption happen server-side. This makes using PGP super easy, but forces you to trust that your key material and password are handled securely on their servers.
If you want true end-to-end encryption without having to trust Guard, you can install Mailvelope, a browser plug-in that keeps your private key on your device and encrypts/decrypts messages there as well, so the server only ever sees ciphertext.
If the recipient of a message doesn’t use PGP, Mailbox.org instead sends them a link to a secure mailbox on the company’s servers, where the recipient can read the message over HTTPS.
Any messages you receive that are not encrypted will appear in your Inbox normally. If you receive an encrypted message, the message itself will be hidden and a form will appear in your Inbox asking you to enter your Guard password to decrypt the message:
Searching for messages
The message search box looks for words or phrases in the current folder. As you type into the box, you get the option to limit the portion of messages that get searched, as shown here:
Calendar
The Calendar does everything you could ask for, including syncing with external calendars, setting recurring appointments, and scheduling meetings based on the schedules of all attendees.
Address Book (Contacts)
Mailbox.org organizes your contacts into address books that you can search. You can import and export contacts using CSV format.
Drive (File Storage)
Drive is Mailbox.org’s name for your cloud-based file storage. As you can see below, the storage is divided into folders which you can share with other people for either viewing the contents of folders, or viewing and editing files in the shared folders.
This is a good, fully-featured storage system and another benefit of Mailbox.org.
Other elements of Mailbox.org
Beyond the features we’ve seen so far, Mailbox.org gives every user a Task manager, a Text editor, a Spreadsheet and a Presentation app, all with templates for business documents. There is even a chat app built in.
Mobile apps and integration with other email clients
Mailbox.org doesn’t include any dedicated mobile or desktop app. If you want to use this service without relying on your browser, you will need to connect one of the many available third-party email apps over IMAP or POP3 (for reading) and SMTP (for sending), or ActiveSync on mobile devices.
The company provides instructions for connecting your Mailbox.org account to many popular third-party apps. Search the Knowledge Base to see if your favorite apps are supported.
Is Mailbox.org Really Secure? Is it Really Private?
The main takeaway is that they are compliant with Europe’s GDPR (General Data Protection Regulation) laws. While Mailbox.org promises to resist turning over data about its users whenever it can, their ability to do that is limited.
According to Section 113 of the German Telecommunications Act (Telekommunikationsgesetz, TKG), the public prosecutor’s office and the police have relatively easy access to the so-called database data of a telecommunications provider like us. In this case, simple requests for information are sufficient without the need for a judge’s decision. According to Section 113 of the Telecommunications Act, a telecommunications provider cannot legally defend itself against this request for information – it must be fulfilled. It should be noted that according to Section 113 (II) of the Telecommunications Act the provider must maintain silence about the request and may not inform the affected customer about the access.
Mailbox.org is required by law to turn over basic information about their users to the government on request, and banned by law from telling you about it.
Access to the log data of mail or web servers or the email content of a mailbox requires a judge’s decision to disclose/search, unless the investigating authorities can directly establish “imminent danger”. The telecommunications provider has no legal means at its disposal, even against the search order; it can no longer defend itself against the “confiscation” of the log data.
A judge can force Mailbox.org to turn over its logs without any recourse. Investigators can likewise force Mailbox.org to turn over its logs without any recourse if they can establish “imminent danger.”
However, we cannot judge whether the database data you provided when you registered is correct and accurate. If you encrypt your email traffic with PGP, we are also not able to make the content of these emails readable either.
While Mailbox.org has to turn over this data, if you register anonymously, use a good VPN provider to hide your IP Address, and encrypt all your messages with PGP, the data is likely to be of little use to whoever demanded it be turned over.
Mailbox.org Transparency Report
Mailbox.org publishes yearly Transparency Reports on their site. The reports go back to 2013 (the entire life of the service), which is great.
However, there isn’t really much information in the reports, as you can see here.
They received 72 requests, rejected 13 of them, and supplied the user data that was requested in the other 59 cases.
Even privacy-focused email services need to fulfill lawful demands for user data coming through official legal channels. To protect yourself, you could utilize the PGP encryption feature and also hide your IP address through a good VPN provider, since IP address logs are being recorded.
How secure is Mailbox.org?
Mailbox.org is a very secure service. They use HTTPS (TLS/SSL) along with PFS to protect communications between your devices and their servers. But they don’t stop there. As they state on their site,
In order to rule out any data manipulation by third parties, we were one of the first providers to secure our domain with DNSSEC and DANE/TLSA. Moreover, whenever there is an opportunity to increase communication security further, we will do so. For example, we use mechanisms such as HSTS, CAA, CSP, MTA-STS and X-XSS to effectively prevent ‘man-in-the-middle’ attacks. This helps us make sure that your communication with our servers via SSL/TLS is truly secure.
Note that of the mechanisms in that list, TLS with HSTS, DNSSEC, DANE/TLSA and MTA-STS are the ones that actually defend against man-in-the-middle attacks; CSP and X-XSS-Protection harden the web client against script injection instead. The built-in Guard system provides easy-to-use, server-side PGP encryption, and you can boost your security even further by installing the Mailvelope plug-in and storing your encryption keys locally.
I like that the service applies PGP encryption to all messages at rest on their servers, whether or not they were encrypted originally. Because Guard keeps the keys on the server, this mainly protects you if the stored data itself is exposed (disks, backups); it still relies on the provider never capturing your Guard password, which is exactly the trust that Mailvelope removes.
Two additional security features help Mailbox.org stand out amongst secure email services:
- TLS-Check. A system that checks to see if a message “will be transmitted over secure SSL/TLS-encrypted connections – before it is actually sent!”
- secure.mailbox.org domain. You can create an email alias with the secure.mailbox.org domain, which forces any messages to or from this address to travel over secure connections or not at all; a hop that cannot negotiate TLS is refused rather than downgraded to cleartext.
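To make the “secure connection or nothing” rule and the DANE/TLSA pinning from the specifications list concrete, here is an added example of the decision a sending mail server makes under an MTA-STS policy, together with the TLSA record comparison. This is example code written for this review, not Mailbox.org’s own software; the domain example.org, its MX hosts, the TXT record, the policy text and the certificate bytes are all constructed, and a real check would fetch the record via DNS, the policy over HTTPS and the certificate from the SMTP TLS handshake.

```python
"""MTA-STS (RFC 8461) policy evaluation and DANE/TLSA (RFC 6698) matching.

Added example for this review, not mailbox.org's code.  All inputs below are
constructed: the domain, MX names, TXT record, policy and certificate bytes.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List

# Constructed _mta-sts.example.org TXT record.
STS_TXT = "v=STSv1; id=20240101T000000Z"

# Constructed policy as served at https://mta-sts.example.org/.well-known/mta-sts.txt
STS_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.org
mx: *.mail.example.org
max_age: 604800
"""

# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo.
# Not real ASN.1; only the bytes matter for the digest comparison.
CERT_DER = b"constructed-certificate-der-bytes"
SPKI_DER = b"constructed-subject-public-key-info"


@dataclass
class StsPolicy:
    mode: str = "none"
    mx: List[str] = field(default_factory=list)
    max_age: int = 0


def parse_sts_txt(txt: str) -> str:
    """Return the policy id from the TXT record; raise if it is not STSv1."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if fields.get("v") != "STSv1":
        raise ValueError("not an MTA-STS TXT record")
    return fields["id"]


def parse_sts_policy(text: str) -> StsPolicy:
    """Parse the key: value policy file; unknown keys are ignored."""
    policy = StsPolicy()
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "version" and value != "STSv1":
            raise ValueError("unsupported policy version")
        elif key == "mode":
            if value not in ("enforce", "testing", "none"):
                raise ValueError("invalid mode")
            policy.mode = value
        elif key == "mx":
            policy.mx.append(value.lower())
        elif key == "max_age":
            policy.max_age = int(value)
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """'*.example.org' matches exactly one left-most label, never the parent."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        parent = pattern[2:]
        if not host.endswith("." + parent):
            return False
        return "." not in host[: -len(parent) - 1]
    return host == pattern


def may_deliver(policy: StsPolicy, mx_host: str, tls_ok: bool) -> bool:
    """Decide whether the sender may hand the message to mx_host.

    tls_ok: STARTTLS succeeded with a certificate valid for mx_host.  In
    enforce mode an unlisted MX or failed TLS means queue the mail, never
    send it in the clear; testing/none deliver anyway and only report.
    """
    permitted = tls_ok and any(mx_matches(p, mx_host) for p in policy.mx)
    return permitted if policy.mode == "enforce" else True


def tlsa_record_for(spki_der: bytes) -> str:
    """DANE-EE record: usage 3, selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def tlsa_matches(record: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare a TLSA record in presentation form with the presented cert."""
    _usage, selector, mtype, data = record.split()
    subject = cert_der if selector == "0" else spki_der
    if mtype == "0":
        digest = subject
    elif mtype == "1":
        digest = hashlib.sha256(subject).digest()
    elif mtype == "2":
        digest = hashlib.sha512(subject).digest()
    else:
        raise ValueError("unknown TLSA matching type")
    return digest == bytes.fromhex(data)


if __name__ == "__main__":
    policy = parse_sts_policy(STS_POLICY)
    print("policy id:", parse_sts_txt(STS_TXT), "mode:", policy.mode)
    for host, tls in [("mx1.example.org", True), ("mx1.example.org", False),
                      ("h.mail.example.org", True), ("rogue.example.net", True)]:
        print(f"{host:20} tls={tls!s:5} deliver={may_deliver(policy, host, tls)}")
    record = tlsa_record_for(SPKI_DER)
    print("TLSA ok:", tlsa_matches(record, CERT_DER, SPKI_DER),
          "after key rotation:", tlsa_matches(record, CERT_DER, SPKI_DER + b"2"))
```

The enforce-mode branch is the point: an MX that is not in the policy, or one that cannot complete TLS, gets no mail at all instead of a cleartext fallback, which is the same refusal the secure.mailbox.org alias is described as giving you. The TLSA check shows why rotating a server key without updating the DNS record breaks delivery from DANE-validating senders.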
There is one drawback to the Mailbox.org security model. PGP encrypts only the message body and attachments; headers such as sender, recipient, date and (in most clients) the subject line travel in the clear, so Mailbox.org and anyone who obtains its data can see who wrote to whom even for Guard-encrypted mail. There are also some other problems with PGP you may want to consider.
How private is Mailbox.org?
Like any service with a physical location, they are subject to the laws of the country (Germany) they are located in. The company records as little personal information as possible, and points out that they have no way to confirm that the personal information you do enter into their system is true (hint, hint).
Despite being a member of the 14 Eyes alliance, Germany has good privacy laws in general. Combining that with Mailbox.org’s compliance with GDPR means your communications and other data are about as private as you can expect. Assuming your threat model doesn’t involve activities that would cause a German judge to issue a court order for your messages, or annoying national intelligence agencies like the NSA or Germany’s Bundesnachrichtendienst (BND), you should be fine.
Mailbox.org business features
Mailbox.org offers scalable and highly-customizable email and groupware services for businesses. Their business offerings are really too diverse to list here. If you are looking for a SaaS email service that can be optimized for your business, check out their offerings here.
Support is a potential problem area for Mailbox.org. While I have no complaints about them, I’ve seen quite a few criticisms floating around the net. While some people report fast, professional service, others complain of long waits for unprofessional responses.
Mailbox.org Plans and Pricing
With all the options they offer, it isn’t surprising that Mailbox.org pricing is complicated. If you want to move from the free 30-day trial to a paid plan, you’ll have to brave their confusing pricing page.
Individual price plans
It took a few minutes to puzzle out the pricing page. That’s because the section on Individual Price Plans lists an individual plan (Secure Mail), a plan for teams of up to 10 members (Team Mail), and all their business plans (Business Mail).
Ignore Business Mail for the moment. A basic, single-user Secure Mail account runs 1 Euro per month. Team Mail is 2,50 Euro per user, and includes a range of Team and Groupware features, along with more mail storage and aliases.
Business price plans
Mailbox.org also offers a full range of business price plans. There are three service packages, Silver, Gold, and Platinum, along with lots of options for the number of email inboxes and storage capacity. If these options don’t meet your needs, you can also contact Mailbox.org for a personalized quote.
To get all the details on the Mailbox.org business plans, visit this page.
Is Mailbox.org the best secure email service for you?
Whether this is the best secure email service for you depends on your threat model as well as whether or not you will benefit from all the extras that this service gives you. I can’t really help you with that part of the equation, but here’s my summary of factors you should consider relative to your threat model:
- Jurisdiction – Mailbox.org is based in Germany and its servers are in Germany.
- PGP support – Includes server-side PGP encryption (Guard). Supports Mailvelope for true end-to-end encryption with the private key held on your device.
- Import feature – Uses Audriga service to import your data from other services.
- Email apps – A web-based client. Can sync with third-party apps.
- Encryption – Emails and attachments encrypted in transit. Messages encrypted at rest on Mailbox.org servers.
- Features – Offers cloud-based office suite in addition to a full set of email-related apps.
- Open Source Code – Most code is Open Source. Per their website, “Internal backend infrastructure (“Glue”, internal API-Server, backup scripts, maintenance scripts, anti abuse detection systems, process logic) are developed by us and not open source.”
If for some reason you don’t like Mailbox.org, but still want all the features it offers, I’m not sure that there is an alternative out there. Their combination of super secure email, with a complete office suite and optional team and business features, is unique in my experience.
If you don’t like this service and don’t need any of the special features it offers, you will probably be happy with one of these:
Our secure email roundup discusses these and other options as well.
Mailbox.org review conclusion
Mailbox.org is a highly-secure email service at a bargain price. It also offers a lot of additional value with its built-in office suite and tools for teams and big businesses. If you don’t mind dealing with a service based in 14 Eyes member country Germany, you should take advantage of their 30-day free trial. Mailbox.org is a contender.
You can see all our other email reviews here.