Best standard email (IMAP/SMTP) provider that is not terrible for privacy?

No proper DMARC which means anyone can spoof your email address and send spam or illegal content and it’d be marked as legitimate. They also tried to hide this.

They do a lot of things better than other providers like the encryption you mentioned plus IMAP support and not requiring more PII than necessary, but without a proper DMARC, nothing else matters. Just stick with Disroot or one of the PG recommended providers.

You can’t really hide the output of dig _dmarc.posteo.de TXT. There are clearly different opinions around the handling of these technologies, in some contexts the usage of mailing lists is still important for example. By “tried to hide” are you referring to the thing from 2018 about their server’s cipher suite configuration or something else?

Did you not see @jonah’s post I linked to about how they cut off a screenshot of Hardenize so it appears they have a perfect score when they didn’t?

But theoretically, anyone could send CSAM under your name and frame you for it.

I know that screenshot yup, sorry I didn’t get the reference. It’s not like there hasn’t been controversy before (arguing about which email provider is best has been a thing long before privacyguides was even conceived after all).

In my view for almost all providers you can find something in their marketing that isn’t perfect. The overall picture of Posteo for me is still positive in that regard though, considering these pages are meant to be read not just by people with deep technical understanding.

I think considering everything Posteo is a solid provider. And there are some others that are also quite good. Pick your poison. Personally I do not use Posteo.

Theoretically you have plausible deniability here more so than with other providers even if you send it yourself. But practically no difference: if I want to determine if an email is actually legit in a serious case like that I’d have to look into it manually anyway and if it lacks signing and is sent by a non-Posteo server chances are it’s not legitimate, whether some other email server accepted it or not.

(And whether it’s being accepted or not, well that’s up to any single email server anyway. They might listen to my dmarc none or strict, or they might not. It’s not like you can force other people to configure their servers in a particular way.)

Personally I’d just stick with Disroot if you need free IMAP.
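
As an added illustration of the DMARC policy question debated in this thread (not code from any poster or provider), this Python sketch parses the TXT value that a lookup such as dig _dmarc.<domain> TXT returns and reports what the domain asks receivers to do with a message that fails both aligned SPF and aligned DKIM. The sample records and example.org are constructed, the function names are hypothetical, and the pct tag and the RFC 7489 fallback for a missing p tag are not handled.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records for a hypothetical domain (not any real provider's policy).
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "enforcing": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=s",
    "not-dmarc": "v=spf1 include:example.org -all",
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    # The version tag must come first and must be exactly DMARC1.
    key, _, value = parts[0].partition("=")
    if key.strip().lower() != "v" or value.strip() != "DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:  # skip fragments that are not tag=value
            tags.setdefault(key.strip().lower(), value.strip())
    # Simplification: a record without a valid p tag is treated as unusable.
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags

def requested_disposition(txt, spf_aligned, dkim_aligned, subdomain=False):
    """What the domain owner requests; the receiving server still makes the final call."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-policy"
    # DMARC passes when either mechanism passes with an aligned domain.
    if spf_aligned or dkim_aligned:
        return "pass"
    policy = tags["p"].lower()
    sp = tags.get("sp", "").lower()
    if subdomain and sp in VALID_POLICIES:
        policy = sp  # sp overrides p for mail claiming a subdomain
    return policy

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        # A message that fails both aligned SPF and aligned DKIM.
        print(name, "->", requested_disposition(record, False, False))
```

With p=none the requested handling of a failing message is "none", meaning the domain asks for reports only and leaves delivery entirely to the receiver's own filtering.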