Does anyone have any suggestions for the cheapest private email providers that:
- Allow use of a custom domain with preferably unlimited aliases
- Have a zero-access encrypted inbox
I’m not bothered about E2EE as nobody I know uses it. If I ever need to use it in the future I could always use my free Proton account.
Most private email providers seem to cost around 30-60 euros/dollars a year.
Then there are cheaper providers like Runbox (20 dollars a year) who don’t scan your emails and allow one custom domain for that price, but emails aren’t encrypted at rest (at all it seems, never mind zero-access).
One possible option I came across is Purelymail. For 10 dollars a year I can have unlimited domains and aliases. It says data and passwords are encrypted at rest.
The only thing that makes me wary is their servers are hosted with Amazon Web Services. That probably makes them secure, but how private are they?
Thanks in advance for any answers and/or suggestions!
Addy.io is cheaper than SL. You can use any inbox provider you like; it must be one that supports IMAP. Then PGP-encrypt on Addy by adding your public key there. Addy will then relay the PGP-encrypted mail to the inbox provider. From the inbox provider's POV, it's garbled encrypted mail; they can't read it even if they want to. You decrypt the mail locally yourself using Thunderbird on desktop and Android.
I actually upgraded my free Proton account to 2 years of Mail Plus a month ago! (Because I mistakenly thought I’d get unlimited aliases with my custom domain - but it turns out they are included in the plan’s 15 email addresses). With hindsight I could’ve stuck to the free account and bought a lifetime subscription of SimpleLogin when they had their recent Black Friday deal!
We have been very happy with Protonmail. I did note yesterday a service I cannot vouch for yet that seemed affordable and privacy-focused: https://www.fastmail.com/
Fastmail shouldn’t be considered as an alternative.
Do Fastmail employees have access to my data?
Due to the nature of their jobs, some employees have the capability to access customer data. We operate on a principle of least privilege, so employees only have access to data they need.
This might be a great solution!
I’d have to learn to do the public/private key thing, but I’ve been enjoying learning other privacy things so far (like flashing custom roms).
Would Mailvelope be the easiest way? Or does Thunderbird handle the keys natively?
Also, this might be a way to use a custom domain (via Addy) with my Posteo account? I might not have to even use pgp keys to achieve inbox encryption, as Posteo already has it enabled.
"At rest" means any permanent storage, excluding short-lived access through RAM or cache
Email content is encrypted with your password, meaning that even we can't read it without you supplying your password (if password reset is disabled)
How does this work when you log in for webmail or using IMAP? Wouldn’t you have to supply your password for that purpose? I know that Posteo and Startmail also claim “zero access encryption”, but the devil is in the detail, namely that they do have access while you’re logged in (and e.g. an email client on your phone would mean you’re always logged in).
That is strange. I wonder if they mean in those cases where the average user cannot make encrypted email work? Or to satisfy law enforcement requests. Could help to be clear.
Because of what I’ve read both on this forum and here on the Graphene forum I assumed it would be the same as Posteo and that they would have access to the unencrypted inbox briefly when you use IMAP.
By the way, this Reddit post is the only place I’ve found any info about whether hosting on AWS is private or not, and that had mixed answers, hence my asking the question here.
Not sure about Thunderbird desktop, but on Thunderbird Android or K-9 the decryption is via the OpenKeychain client. Basically you have Thunderbird/K-9 and OpenKeychain installed, create the private and public keypair in OpenKeychain, supply the pubkey to Addy or SL, and Addy/SL will use the key to encrypt. Opening the encrypted mail in Thunderbird would seamlessly also decrypt it via OpenKeychain.
If you want only the incoming part, it can even be done for free using Cloudflare email relay, or any other registrar or DNS host that supports email relay. There's also forwardemail.net
Runbox has client side encryption. They are working on end-to-end encryption but no one knows when that will be out.
Just so you know, rogue employees can inject custom JS to steal your emails before they are encrypted even in Protonmail or Tuta. Only Proton-to-Proton (and other emails pre-encrypted by PGP) or Tuta-to-Tuta are safe from this. But then again, logically, if Proton wanted, they could get your private PGP keys. And Tuta already has a known backdoor.
The best way to use email is to never use it for extremely private stuff and, when you have to, encrypt it yourself using Mailvelope or Thunderbird.
Yeah, I see this brought up occasionally. Sometimes it makes me think “Why bother at all?! Why not just stick to Outlook!”.
My ‘threat model’ though is just to avoid surveillance capitalism (esp. Google), and have a secure, private inbox (I don’t need E2EE). And I’d like to be able to use my own domain with aliases. I’m just looking for the simplest, cheapest way of doing this.
It’s starting to look like the simplest (one email provider only - no forwarding service like Addy, no keys to handle) and cheapest might be Tuta for 36 euros a year. I can use my domain with them and have unlimited aliases, and the inbox is encrypted. I was just hoping for something cheaper! (Unfortunately they appear to have suffered a few times recently from downtime due to DDoS attacks, and their subreddit seems to have a lot of complaints).
Or you can use Runbox ($20/year) and addy.io ($12). Create a PGP key pair and upload your public key to Addy so that emails are forwarded to Runbox encrypted. Then use Thunderbird to read those emails.
Or, use POP to download emails from Runbox and delete them from their servers.
Or, don’t use any email provider for super secret stuff. Runbox ain’t gonna sell your data anyway. And I don’t think your threat model is that high.
I’ve been with PM since the beginning when they started with free accounts, and then went to premium membership. I have 3 domains with them, and have been very happy with their services.