Best secure email service?

I am divided on whether mailbox.org or posteo.de is the best solution for me. I am shifting from Proton Mail… I’ve been unhappy with their free email service and would rather not give any money to them.

Using a custom domain is a nice-to-have but not a must. I’m also looking for the cheapest service… it is unfortunate that Tutanota has just increased their prices.

Thank you.

I think mailbox.org is the better choice because they actually have a DMARC policy. With Posteo, anyone can spoof a Posteo domain and the remote mail server has no way of checking that.

It’s a nice option to have, which is not possible with Posteo. They claim the reason is “for privacy”:

  • Can I use Posteo with my own domains?

No. We are an email provider with a particular, privacy-oriented model – and this is not compatible with incorporating own domains. One of our emphases is data economy: we do not collect any user information (names, addresses, etc) of our customers. We always answer requests from authorities for user information in the negative. On the other hand, own domains need to be registered to the name and address of a person. If you were able to use own domains with us, this would affect the entire concept of Posteo: we would need to start saving user information for all customers who use their own domains with us – and to provide these to the Federal Network Agency to be provided on request to the authorities.
Even if only the MX record pointed to us, we would still need to store the assignment of the domain in your Posteo account as user information. Thus we would possess your user information and be required to give it out. For this reason, we have decided not to offer this possibility and instead to use data economy.

They claim this is because of their “anonymity” however they have no anonymous payment options like Monero. It’s purely a “trust” thing that you “trust” they can’t reverse the transaction anonymization. They also leave out that there are anonymous “proxy owners” like Njalla for example who could register a domain for you.

The calendar/contacts encryption with Posteo really isn’t anything special, and is a bit like Startmail’s vault, in that it’s decrypted server side when you login. We don’t call this “zero access” encryption.

Protonmail and Tutanota offer encrypted calendar and contacts, so they do have that over Mailbox / Posteo, but of course you have to use their client (or the bridge with Proton Mail).

2 Likes
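On the DMARC point raised above: a receiving server decides what to do with mail that fails SPF/DKIM alignment only if the sender's domain publishes a `_dmarc` TXT record with an enforcing policy. The following is an added example, not code from this thread or from either provider, that parses such records and reports whether they actually instruct receivers to reject or quarantine spoofed mail. The records in `SAMPLE_DNS` are constructed stand-ins for DNS lookups, not the real records of mailbox.org or posteo.de.

```python
"""Parse DMARC TXT records and say whether a domain is protected against spoofing.

Added example (not from the thread or any provider). SAMPLE_DNS below is a
constructed table standing in for TXT lookups of _dmarc.<domain>.
"""

# Constructed sample records; in practice obtain them with: dig TXT _dmarc.<domain>
SAMPLE_DNS = {
    "_dmarc.example-enforcing.test":
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-enforcing.test; adkim=s; aspf=s",
    "_dmarc.example-monitor.test":
        "v=DMARC1; p=none; rua=mailto:reports@example-monitor.test",
    "_dmarc.example-subdomain.test":
        "v=DMARC1; p=quarantine; sp=none; pct=50",
    # "example-missing.test" deliberately publishes no _dmarc record at all.
}


def parse_dmarc(record):
    """Split a DMARC record into lowercase tag -> value pairs.

    Returns None when the text is not a usable DMARC record (wrong version
    tag, missing mandatory 'p' tag, or a fragment without '=').
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def dmarc_status(domain, dns=SAMPLE_DNS):
    """Evaluate the DMARC posture of a domain using the given lookup table.

    'enforcing' is True only when the published policy tells receivers to
    quarantine or reject failing mail for 100% of messages.
    """
    record = dns.get(f"_dmarc.{domain}")
    result = {"domain": domain, "policy": None, "subdomain_policy": None,
              "pct": 0, "enforcing": False, "note": ""}
    if record is None:
        result["note"] = ("no DMARC record: receivers get no instruction to "
                          "reject mail that fails SPF/DKIM alignment")
        return result
    tags = parse_dmarc(record)
    if tags is None:
        result["note"] = "TXT record present but not a valid DMARC record"
        return result

    policy_ = tags["p"].lower()
    sub_policy = tags.get("sp", policy_).lower()   # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))          # pct defaults to 100
    except ValueError:
        pct = 0

    notes = []
    if policy_ == "none":
        notes.append("p=none only requests reports; spoofed mail is still delivered")
    if pct < 100:
        notes.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if policy_ in ("quarantine", "reject") and sub_policy not in ("quarantine", "reject"):
        notes.append(f"sp={sub_policy}: subdomains remain spoofable")

    result.update(
        policy=policy_,
        subdomain_policy=sub_policy,
        pct=pct,
        enforcing=policy_ in ("quarantine", "reject") and pct == 100,
        note="; ".join(notes),
    )
    return result


if __name__ == "__main__":
    for d in ("example-enforcing.test", "example-monitor.test",
              "example-subdomain.test", "example-missing.test"):
        print(dmarc_status(d))
```

To check a real provider, replace `SAMPLE_DNS` with the output of `dig TXT _dmarc.<domain>`; a domain that returns nothing, or only `p=none`, gives receivers no basis to reject mail forged with its addresses.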

@dngray

You mean Posteo staff can read my mails, calendars, contacts, when I’m logged in via browser or Thunderbird?

Posteo offers inbound encryption like mailbox.org, which will encrypt all incoming emails with a public PGP key, but only if you’ve set that up. All email headers will still be available. For Calendars/Contacts, yes they can read those. If there is no software on your device doing the E2EE then it’s not E2EE. What I don’t like about posteo is they are ambiguous.

For example they say:

From then on, your data is encrypted and not viewable by third parties or by us.

which is at odds with

The encryption works without the user needing to do anything special, whether you use Posteo webmail or synchronise your data with different devices.

Emphasis added. Unless they used EteSync (which they don’t, otherwise they would say you need it) or had an app (like Tutanota or Proton Mail) that did the decryption, this is not E2EE.

Whenever you access your data (from the address book or calendar) it is decrypted with your password (just for you) at the moment of access.

Yeah okay whatever, sounds like the vault. The point is that there is no way to do E2EE with CalDAV/CardDAV, it’s just served over an HTTPS endpoint, which means their server has to be able to send it to you, so it’s readable by them.

Beware! When you activate encryption, if you then forget your password, you will lose access to your address book and calendar.

So that makes it sound like it’s decrypted on use, exactly like Startmail’s vault. Personally I think this kind of encryption is a lot weaker than true E2EE (where it’s decrypted in the app). It’s not going to provide strong security guarantees.

3 Likes
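The reply above makes a point that is easy to miss: provider-side "inbound encryption" protects the message body, but the envelope headers stay in clear because the provider needs them to deliver and index the mail. The following is an added example, not Posteo's or mailbox.org's code, that models that step: an incoming message is re-wrapped in the PGP/MIME `multipart/encrypted` layout (RFC 3156) with only the body encrypted. The sample message is constructed, and the cipher is a toy keystream stand-in so the script runs offline with the standard library; a real provider uses OpenPGP and holds only the user's public key, so unlike this toy it cannot decrypt what it stored.

```python
"""Model of provider-side inbound encryption: body encrypted, headers in clear.

Added example; not any provider's code. The message is constructed and
toy_encrypt() is a stand-in for OpenPGP so the script needs no external
libraries.
"""
import hashlib
import hmac
from email import encoders, message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed inbound message, as it would arrive over SMTP.
RAW_INBOUND = """From: alice@example-sender.test
To: bob@example-provider.test
Subject: Quarterly numbers
Date: Mon, 01 Jan 2024 09:00:00 +0000
Message-ID: <constructed-1@example-sender.test>
Content-Type: text/plain; charset="utf-8"

Bob, the Q4 revenue figure is 1.2M. Keep it quiet until Friday.
"""

# Constructed demo key. With real OpenPGP the provider would hold only the
# user's public key; a symmetric toy is used here purely so it runs offline.
KEY = hashlib.sha256(b"constructed demo key").digest()


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy XOR keystream (HMAC-SHA256 in counter mode). NOT OpenPGP.

    Symmetric, so calling it again with the same key decrypts.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def inbound_encrypt(raw: str, key: bytes) -> MIMEMultipart:
    """Re-wrap a plain inbound message as PGP/MIME with the body encrypted."""
    original = message_from_string(raw)
    body = original.get_payload()  # str for a simple text/plain message

    wrapper = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    # Envelope metadata is copied verbatim: this is what the provider, and
    # anyone it is compelled to hand the mailbox to, can still read.
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if original[name]:
            wrapper[name] = original[name]

    # RFC 3156 layout: a control part, then the encrypted body part.
    version = MIMEApplication("Version: 1\n", "pgp-encrypted", _encoder=encoders.encode_noop)
    encrypted = MIMEApplication(toy_encrypt(body.encode("utf-8"), key), "octet-stream")
    wrapper.attach(version)
    wrapper.attach(encrypted)
    return wrapper


def visible_headers(stored) -> dict:
    """Headers still readable on the stored message without any key."""
    return dict(stored.items())


def decrypt_body(stored, key: bytes) -> str:
    """What the user (holder of the key) recovers from the stored message."""
    ciphertext = stored.get_payload()[1].get_payload(decode=True)
    return toy_encrypt(ciphertext, key).decode("utf-8")


if __name__ == "__main__":
    stored = inbound_encrypt(RAW_INBOUND, KEY)
    print(stored.as_string())
    print("still visible:", visible_headers(stored))
    print("user sees:", decrypt_body(stored, KEY))
```

Running it shows the sender, recipient, subject, date and message ID in plaintext around an opaque body, which is exactly the trade-off the reply describes: the body is protected at rest, the metadata is not. Calendar and contact data served over CalDAV/CardDAV has no equivalent of even this body-only protection unless a client-side component does the encryption.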

Thank you very much! That’s good to know!