No proper DMARC which means anyone can spoof your email address and send spam or illegal content and it’d be marked as legitimate. They also tried to hide this.
They do a lot of things better than other providers like the encryption you mentioned plus IMAP support and not requiring more PII than necessary, but without a proper DMARC, nothing else matters. Just stick with Disroot or one of the PG recommended providers.
You can’t really hide the output of dig _dmarc.posteo.de TXT. There are clearly different opinions around the handling of these technologies; in some contexts the usage of mailing lists is still important, for example. By “tried to hide” are you referring to the thing from 2018 about their server’s cipher suite configuration or something else?
I know that screenshot yup, sorry I didn’t get the reference. It’s not like there hasn’t been controversy before (arguing about which email provider is best has been a thing long before privacyguides was even conceived after all).
In my view for almost all providers you can find something in their marketing that isn’t perfect. The overall picture of Posteo for me is still positive in that regard though, considering these pages are meant to be read not just by people with deep technical understanding.
I think considering everything Posteo is a solid provider. And there are some others that are also quite good. Pick your poison. Personally I do not use Posteo.
Theoretically you have plausible deniability here more so than with other providers even if you send it yourself. But practically no difference: if I want to determine if an email is actually legit in a serious case like that I’d have to look into it manually anyway, and if it lacks signing and is sent by a non-Posteo server chances are it’s not legitimate, whether some other email server accepted it or not.
(And whether it’s being accepted or not, well that’s up to any single email server anyway. They might listen to my dmarc none or strict, or they might not. It’s not like you can force other people to configure their servers in a particular way.)
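One way to read the record that `dig _dmarc.<domain> TXT` returns and tell a monitor-only policy (p=none) from an enforcing one, picking up the dig output mentioned earlier and the “none or strict” point above; this is an added example, not any poster’s code, and the records in it are constructed samples, not Posteo’s actual DNS data:

```python
# Constructed sample TXT records (not real DNS answers) of the kind
# `dig _dmarc.example.org TXT` would return; tag names follow RFC 7489.
SAMPLES = {
    "none":    "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "strict":  "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100",
    "partial": "v=DMARC1; p=quarantine; pct=20",
    "missing": "",
}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (keys lowercased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> str:
    """Classify how much spoofing protection a record asks receivers to apply.

    Returns one of: 'missing', 'invalid', 'monitor-only', 'partial', 'enforcing'.
    Note that a receiving server may still ignore the policy; this only
    reports what the domain owner has published.
    """
    if not txt.strip():
        return "missing"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))  # share of mail the policy applies to
    except ValueError:
        pct = 100
    if policy == "none":
        return "monitor-only"  # reports only; spoofed mail is not rejected
    if policy in ("quarantine", "reject"):
        return "enforcing" if pct == 100 else "partial"
    return "invalid"


if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name:8s} -> {assess_dmarc(record)}")
```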
Best “standard email not terrible for privacy” is your own email server, hosted on your own hardware. You need a fixed IP (ideally not in a residential range) and a domain name. However it is unclear how much privacy this buys you if you send or receive email from the usual suspects (Google, Apple, Yahoo, etc.)
Disroot and RiseUp are free. I would trust Disroot more. Forward Email has a free plan.
Other options include Posteo, Mailbox, Fastmail and Startmail, but they are all paid. Ultimately, Proton and Tuta have the best free plans, but none of these respect your requirements, except Disroot and RiseUp.
I just use my domain registrar’s free mailbox via Thunderbird. Not properly private like Proton or Tuta, but I don’t use email like instant messaging, just for receiving incoming registration mail, notifications etc. Probably only send outgoing mail once or twice per year. In theory they can profile me based on my incoming mail, but I trust small, niche businesses more not to sell my profile data compared to mainstream Google, Microsoft, Yahoo etc.