|Storage||5 - 50 GB|
|Free Tier||Up to 500 MB|
Mailfence is an email (and more) service aimed at privacy-conscious users, businesses, and universities. In this Mailfence review, we created a new account and tested the features to see if it’s on par with other secure email providers.
Right away we noticed that Mailfence is a strong advocate for online privacy rights while also donating to the cause:
…we will lose our right to online privacy if we don’t fight for it. Therefore we pledge to donate 15% of all income of the Pro plan to foundations like the Electronic Frontier Foundation and the European Digital Rights Foundation that fight for the defence of our rights in the digital world.
If you want a fully-featured alternative to Gmail with more security and privacy, then Mailfence may be the perfect fit. Now let’s examine the details.
- Offers end-to-end encryption and digital signatures; Data is stored on Belgian servers
- Offers OpenPGP encryption
- Includes Messages, Documents, Calendar, Contacts, and Groups
- SMTP, POP, and IMAP support
- Can synchronize with other email clients
- Supports password-protected messages with expiration time
- Removes IP addresses from mail headers
- Two-Factor Authentication (2FA) support
- OpenPGP user keystore
- Great user interface (recently updated)
- Cryptocurrency payment options
- Belgium is a 14 Eyes country
- Code is not open source
- Logging of IP address and some other data
- No built-in options for encrypting entire inbox (at rest)
Mailfence features overview
Mailfence provides a full suite of services, Messaging, Contacts, Calendars, Groups, and Document storage. They use industry-standard OpenPGP encryption and digital signatures to protect your data and authenticate your messages. With support for messaging protocols like SMTP, POP, and IMAP, Mailfence can synchronize with many popular desktop and mobile email clients.
Interesting features of Mailfence include:
- A built-in Keystore to manage your OpenPGP encryption keys
- The ability to send encrypted messages to users who don’t use PGP
- Ability to digitally sign emails using OpenPGP
- Easy integration with many email services and clients
- SMTP, POP, IMAP, CalDAV, CardDAV, ActiveSync support
- A heavily-customizable business version
Mailfence company information
Mailfence is a secure email suite that offers end-to-end encryption (through PGP support) and the ability to work with different email clients. It is offered by ContactOffice Group SA, a Belgian company founded in 1999. The founders launched Mailfence in November of 2013. Your data is stored on Mailfence’s own servers in Belgium, which has pros and cons.
Being based in Belgium is good because the country is not part of the Five Eyes intelligence alliance, and does not use National Security Letters (NSLs), gag orders, or other techniques to secretly gather data about users. Mailfence maintains a Transparency Report and Warrant Canary so users can see what legal requests for information it has received in any six-month period.
Being based in Belgium also has drawbacks, however, as a member of the Fourteen Eyes intelligence alliance. In 2016, the Belgian government imposed new data retention rules. The period of retention remains 12 months as before.
Mailfence technical specifications
Mailfence uses strong encryption algorithms to ensure that your messages cannot be read or tampered with. These include:
- OpenPGP for digital signatures and for encrypting your data (PGP-MIME and inline-PGP)
- SSL/TLS, Perfect Forward Secrecy (PFS), MTA-STS and HSTS for protecting your data while in motion
Other supported protocols include SMTP, IMAP, POP, ActiveSync, WebDAV, CalDAV, and LDAP.
Mailfence hands-on testing
I created a free account to test out the service for this Mailfence review. The free version gives you all the basic features, while reserving synchronization ability and business-related features (like custom domains) for the paid versions. I suggest you begin your Mailfence experience with the free version since you can easily upgrade when/if you need to.
Let’s get started.
Signing up for Mailfence
Signing up for Mailfence is quick and easy. Go here, click the blue Sign me up button and follow the steps.
As you go through the process, you’ll need to feed Mailfence an email address so they can send you an authentication message. This is annoying, but it is far better than being required to cough up a telephone number like some services (this one, for example).
The look and feel of Mailfence
I’ve had a Mailfence test account for about two years. The new and updated layout is a big improvement over the previous version. It feels cleaner and more intuitive than previous versions. In particular, the design makes it simple to move from section to section by clicking one of the four icons at the top center of the window.
As you can see in the following screenshot, we’re looking at the Messages (email) section right now:
The design uses the standard 3-column layout for Messages, with the folders you’ll want on the left and the commands you are most likely to need right at the top. And unlike some web-based interfaces I’ve seen, the controls stay at the top of the window as if this were a standard app rather than a browser-based interface.
Creating and managing encryption keys
Before you go any further with Messages, I suggest you set up your encryption keys. You’ll need these before you can send or receive encrypted messages with Mailfence.
Follow these steps in the webmail app:
- Click your icon at the top right of the interface.
- In the shortcut menu that appears, select Settings.
- In the menu that appears on the left side of the window, select Encryption (it is under the Messages heading).
- From here you can Generate a new personal key or Import a key.
To complete the process, follow the steps in the wizard that appears.
I won’t go through the complete process of creating, sharing, and using encryption keys here. If you want to see the details, you can see the instructions on the Mailfence Keystore page.
Sending and receiving messages
Composing messages with Mailfence is straightforward and easy. Click the New button in the Messages section to open up a New Message window.
You can create a plain text message with the defaults, or you can click More to see a menu of options, including the ability to use Rich Text Formatting while writing your message.
Once you are done writing your message, you’ll need to decide how you want to send it. You can send the message either encrypted or “in the clear” (with no encryption), and either signed or unsigned.
Click Encryption and a wizard appears that walks you through sending the message either protected by a Password or by OpenPGP encryption.
Click Sign & Send to digitally sign your message before you send it. You can also click the down arrow in that button to send the message without signing it.
Receiving a message is also easy and works as expected.
As any good email program should, Mailfence offers an integrated Contacts feature.
Happily, you don’t need to worry about each contact’s encryption keys here, since they are all managed in the Keystore.
Once you’ve entered your Contacts, you can create Groups. After setting up a Group, you can add both users and the data they need into that group, making it easy to collaborate.
To create and work with Groups, follow the instructions on this page.
Mailfence supports one personal Calendar per user. You also have access to the Calendars associated with any Groups you belong to, as well as external Calendars from other services.
The Mailfence Calendar has a huge range of capabilities. To see what it can do, go to this blog post.
Not surprisingly, Documents is a place where you can upload documents/files so you can access them from any web browser or share them with other Mailfence users.
You can learn more about Documents, including how to use group-oriented features like managing permissions, in this Documents blog post.
Does Mailfence store emails encrypted at rest?
By default, Mailfence does not store your emails encrypted at rest, which is a drawback when compared to some other secure email providers. The only exceptions to this are messages and attachments that have been encrypted using PGP. These will remain encrypted in your inbox when stored on Mailfence servers. You can also use a third-party local client for encryption.
I also asked Mailfence staff for additional clarification on inbox encryption. This was their reply:
All end-to-end encrypted emails are encrypted, including attachments. However, this indeed does not cover emails that are being sent/received in plain-text and we do plan to work on encrypted folders that would potentially cover this case. This is scheduled for Q1/Q2 next year.
As a work around, for users with higher threat models, or who simply don’t want to trust our strong internal ACLs and other security measures, can use any OpenPGP capable local client of their choice to store their entire mailbox encrypted. Thanks to our ‘as-is’ OpenPGP implementation which makes it easier by not forcing any extra program to be installed for SMTP-IMAP/POP3 or ActiveSync connections.
While this is a major drawback for anyone wanting full encryption of their inbox, Mailfence is working on a solution that should be ready sometime in 2020. (We’ll update this Mailfence review when that solution goes live.)
Here are a few email providers we’ve reviewed that offer full encryption of your stored emails:
- Tutanota (automatic)
- ProtonMail (automatic)
- Mailbox.org (can be enabled in settings)
- Posteo (can be enabled in settings)
Mobile and desktop apps
This is one area where Mailfence lags behind other secure email competitors. Unlike services such as Tutanota, Mailfence does not offer desktop or mobile apps. Instead, they offer integration with third-party desktop email clients and a reduced version of their website for mobile devices.
The reduced site looks like this:
Because the mobile “client” is a web page, whether you can use it or not depends on which mobile browser you have and how it’s configured. Using my smartphone, I was able to log in to the site through my browser without any issues.
Mailfence business features
Describing Mailfence for Business is a bit tough. That’s because, as they describe it,
With Mailfence for Business you get a customized version of the Mailfence secure and private email solution in order to adapt it to the specific security and usage needs of your organization or business.
In other words, their team will work with you to make Mailfence the perfect fit for your business needs. Here is a partial list of the customizations you can request:
- The graphic presentation including your logo and the look of your login page
- Storage space based on your organization’s specific needs
- Integration with external services
- A custom control panel for managing accounts
- And of course your own custom email domain names
The Mailfence for Business API allows you to automate many tasks and integrate with LDAP, Active Directory, and CAS.
Contact Mailfence Support for the latest specification or request specific features.
Like other reviewers and users, I’ve found Mailfence Support to be great if you need any assistance. They are quick to respond and give quality answers to your questions.
The Mailfence Knowledge Base is a good addition to their Support system. It provides useful information on a wide range of topics and will likely continue to grow over time.
Mailfence plans and prices
Mailfence offers four pricing plans in total. Three (Free, Entry, and Pro) are designed for individuals.
The fourth plan is the Business plan. As we just saw, Mailfence for Business is a highly-customizable plan that lets you specify the characteristics and features that best suit your business needs. All Business plan users get 24/7 telephone support, along with the custom features they requested. As a result, the price for each Business plan subscription will vary based on the features you choose.
Mailfence supports all major payment options. For situations where you require additional privacy, you can pay for your subscription using the Bitcoin and Litecoin cryptocurrencies. Registering for the service with an anonymous email account (for the recovery address) and paying with cryptocurrency will give you an additional layer of privacy on top of what’s already provided by Mailfence.
Should you consider Mailfence?
While many secure email services are somewhat restrictive with features, Mailfence is a fully-featured alternative to Gmail. Whether you are a regular privacy-conscious user or managing a business team, Mailfence can cater to your needs. Aside from basics like the price and whether it offers all the features you need, there are two other things to consider with Mailfence:
- Do you want to use built-in encryption or to manage your own?
- Does the Mailfence threat model match your needs?
Let’s examine each of these questions.
1. Do you want to use built-in encryption or to manage your own?
As you’ve seen in this review, Mailfence uses PGP encryption (via the OpenPGP standard) and a built-in Keystore to give you complete control over the encryption of your data. Once you’ve got your encryption keys set up and shared properly, working with encrypted messages is easy. But as you’ve also seen, there can be a significant amount of work required to create and manage keys so that you can use PGP encryption with others.
Other end-to-end encrypted services like Tutanota handle all that encryption setup and management in the background. But with a solution like this, you lose some of the control you have. You also have to trust the email service to not do anything sneaky in the background. It is up to you to decide which way you want to handle your encryption.
2. Does the Mailfence threat model match your needs?
To know if a secure email service will meet your needs, you have to understand the kinds of threats you want to protect against. Once you know that, you can evaluate whether or not any given service can meet those needs.
One of the nice things about Mailfence is that they have long published their threat model. Here is a summary of their model:
Mailfence protects against:
- Eavesdropping on your connection
- Mass surveillance
- Message forgery / tampering attacks
- Compromised account
- Data theft
Mailfence does NOT protect against:
- A compromised device
- A compromised or forgotten passphrase
- Sophisticated Man-in-the-Middle attacks
- Attacks by powerful state adversaries (NSA and similar heavy hitters)
The Mailfence threat model report is definitely good reading if you want to learn more.
Mailfence is a powerful secure email suite, but it may not be what you want. If that’s the case, you have a few different options to consider.
If you like the secure nature of Mailfence and its additional features, such as Calendar and Documents, but don’t want to manage encryption keys, you might want to investigate Tutanota.
If you like that Mailfence supports PGP and integrates with other apps, but don’t want all the complexity of the Mailfence suite, you might find ProtonMail more to your liking.
Mailfence review conclusion
If a secure email suite with full PGP control and interoperability is what you seek, Mailfence could be the solution. It has all the features and options that you are likely to need, whether you are looking to manage the mail for an entire organization, or just want a great service for personal use.
With 500 MB of free account storage, you can test drive Mailfence risk-free by going here.
Appendix: Mailfence interview (10 Questions)
In December 2018, I conducted an interview with Patrick De Schutter of Mailfence. Because the interview may help users who are considering Mailfence, I’m appending the responses to this review.
1. There are a number of secure email providers on the market today. How does Mailfence stand out from the crowd?
2. Mailfence is inter-operable with any other OpenPGP comptatible encrypted email service.
3. All encryption operations take place in the browser making it a browser-based end-to-end encrypted email solution.
4. Mailfence integrates digital signatures.
5. Mailfence gives full control over key management alongside advance options with an integrated keystore.
6. Mailfence allows full reversibility. Users can leave our platform at any point in time, along with all their Encrypted keypairs and end-to-end encrypted data. We do not confine them in our digital island.
2. In 2013 Lavabit was basically forced to shut down because they refused to cooperate with government agencies that wanted access to user emails. As a secure email provider operating in Belgium, could you elaborate on any challenges you face in terms of agencies demanding access to your customers’ data?
In many countries, government sponsored programmes collect massive amounts of data from the Internet. This data collection is done without any search warrant, court order, or subpoena. In Belgium, where Mailfence is located and our servers are hosted, the law protects privacy. Only a valid Belgian court order can force us to release data. Since we have no foreign parent company, we never comply with any rogue or other data requests from either domestic or foreign authorities. We are not liable to US gag orders or NSL’s [National Security Letters]. Our up-to-date warrant canary and transparency report can also be found on our blog.
3. How does being located in Belgium help to protect user privacy?
Belgium has very strict privacy laws. In addition European GDPR and ePrivacy laws are applicable to any company operating in Belgium.
This data is deleted regularly. The only requests we have received up to now is for identification data i.e., IP addresses from which users connect or with which they created their account initially.
[Restore Privacy note: The easy solution here is to always use a VPN with your email provider to conceal your IP address and location. See the best VPN services here.]
5. PGP was recently in the news with the EFAIL vulnerabilities, prompting some to even proclaim PGP is “dead”. What are your thoughts on the future of PGP and email encryption standards in general?
Mailfence is not impacted by the OpenPGP Efail vulnerability due to our application design and the way we handle end-to-end encrypted and digitally signed emails on our web-interface. A detailed analysis can be found on our blog. Also, based on the mentioned issues in the technical paper, the OpenPGP protocol itself is safe to use, if you are not using it with a buggy email client.
6. Mailfence is currently not open source. Any plans for doing so?
Yes, we plan to put our client in open-source. We are also open to audits from professional security specialists
7. In your design philosophy you mention peoples’ “absolute and irrevocable right to privacy” and you also support different privacy advocates. Why do you feel online privacy is an important topic in the digital age?
In order for democracy to function properly there must be discussion and opposition brought by political parties, journalists, civic groups or others. Even more important, is that government misdeeds can only be exposed if whistleblowers, journalists, activists can investigate and take action without being surveilled, intimidated or pressured. Any person, organization or government with access to our personal data acquires the power to manipulate, intimidate or blackmail us and in the process weaken or destroy our democratic institutions. So giving up our privacy is not nothing, it means giving up the freedoms on which democracy depends. I would like to refer to following post for more detailed view: Why online privacy matters, now more than ever.
8. What are the trends you are seeing in email and privacy and do you think awareness about these topics will continue to grow?
After the 2013 revelations of global mass surveillance, we have seen a steady rise in general awareness towards data privacy and digital freedom among the masses. Thanks to all individuals and groups, who either independently or collectively striving and carrying on this battle in the right direction. However, there’s still a lot of work to be done, and Mailfence actively tries to play its role, not only by providing secure and private email-suite, but by also continuously educating our users and the community with best data privacy and security practices – alongside of contributing 15% our annual Pro plan income to EFF and EDRi.
9. What does the future hold for Mailfence in terms of updates, features, or changes to the service?
Presently we allow users to send both OpenPGP encrypted and non-encrypted emails
Soon we plan to release the possibility to send password encrypted emails, which will help non technical users in protecting delicate information while not having to understand anything about encryption keys. [Update: this feature has been released.]
Next on our roadmap is Mailfence for Business, an easy to use admin panel for Businesses allowing any SME or Enterprise to benefit from Mailfence secure email technology. [Update: the admin console feature has been released.] This will position us as the alternative for less-private email offerings like G-suite and Office365. We presently see a big interest from companies to leave Google and Microsoft solutions.
10. What makes Mailfence a good option for someone who is just deciding to move away from Gmail or similar email services?
With Mailfence they not only get an email, but an entire suite allowing them to migrate mail, calendar, documents and much more – without having to compromise their data privacy.
Updated on December 18, 2019 with more information on inbox encryption.