Do I step back from email privacy?

Having a zero-access encrypted mailbox and not being profiled based on my email contents are the only advantages of using privacy-friendly mail providers. However, the struggle associated with this choice is significant.

First of all, I always need to keep a Gmail account because most officials don’t accept email addresses from lesser-known providers like Proton and Tuta even when the system accepts these domains. If I write down my email address on any form, they ask for a Gmail address instead. I don’t want to teach them about the values of privacy in today’s world because they think that keeping their social media accounts private is a great step toward achieving privacy. I know I can’t change their mindset.

Even if I skip these situations and add my Proton or Tutanota address online, during KYC verification or any account verification, they strictly ask me to share my Gmail address.

Even if I overcome these issues, the battle isn’t over yet. Some systems don’t accept any domains other than Gmail, Hotmail, and Yahoo.

You might suggest using a Gmail address where absolutely necessary and forwarding the incoming emails to my privacy mail address. However, doing this means I would just receive all the emails in one mailbox, and my privacy would still be compromised.

In the past years, I’ve tested both AnonAddy and SimpleLogin, and I found that most sites don’t accept these domains here. I tested every single domain available in the paid plans of both services. Currently, the majority of services accept popular privacy mail domains, while most of them do not accept alias services.

Additionally, my friend and I conducted an experiment where we set up our email addresses in the same services—I used ProtonMail, and he used Gmail. The purpose of the test was to see if there was any time difference in receiving OTPs. Surprisingly, Gmail won the game; in some services, OTPs arrived at the same time in both mail addresses, while in others, the OTP was delivered to the Gmail address earlier than the ProtonMail address.

In my country, emails and mobile numbers are the only ways to verify our online accounts (no TOTP or passkey support till now), and there’s always a risk - if there’s any delay in receiving the OTP, it can lead to inconveniences, as the usual time frame to enter the OTP is 30 to 60 seconds.

1 Like

This is not really relevant. Yes, 99% of people also have a Microsoft account, but it’s not like you must have one too.

Keep in mind that policies are different for these products: MS/Google cannot just freely use data from companies’ business activities, and especially not for marketing. Also your metrics may be a bit skewed, for me about 90% of senders are automated mailers such as Amazon SES and sendgrid.

Personally I believe usage of an aliasing service is far more important. Your identities being connectible (both to advertisers, and to everyone else as various services get hacked regularly) as well as getting spammed are more serious privacy threats than your mail provider having access to some data. Personally I use iCloud for this reason: it hits right on the privacy (acceptable privacy policy, by far the best across every big provider) vs convenience (IMAP/SMTP support, and not broken like gmail) vs price ($1/mo) vs value (unlimited aliases on a trusted domain, custom domains support) chart for me. It’s also pretty “normie-friendly” even if not as common as gmail.

Your priorities may be different of course, just sharing my experience. I don’t think you should give up completely, just try to find the service that best serves your priorities.

Also replying to your later post:

Many mass mailers will queue mails within a time window to reuse SMTP connections, this way reducing their costs. If many mails are queued up for a specific server, they may empty the queue ahead of time.

Gmail offers me easy acceptance, while privacy mail services often lead to multiple questions. There’s always a chance that a system might not accept these domains, whereas there is zero possibility that a system will not accept Gmail.

Secondly, to use multiple email addresses, I need to subscribe to the paid plan of privacy mail services, as domains from alias services are not accepted by most sites here. If I’m paying for a service, I expect better convenience, but even if I take the Proton paid plan, I still face frustrations.

Additionally, my friend and I conducted an experiment where we set up our email addresses in the same services—I used ProtonMail, and he used Gmail. The purpose of the test was to see if there was any time difference in receiving OTPs. Surprisingly, Gmail won; in many services, OTPs arrived at the same time in both email addresses, while in others, the OTP was delivered to the Gmail address earlier than to the ProtonMail address. There’s always a big risk - if there’s any delay in receiving the OTP, it can lead to inconveniences, as the usual time frame to enter the OTP is 30 to 60 seconds.

1 Like
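The OTP timing comparison and the sender-side queueing explanation in the posts above can be checked on a received message by reading its `Received` headers. The following is an added example, not part of any post in this thread; the sample message, host names and timestamps are constructed for illustration.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: hosts, addresses and times are made up.
SAMPLE = """\
Received: from mx.mailbox.example by store.mailbox.example with LMTP;
 Tue, 03 Mar 2026 10:00:21 +0000
Received: from out.bulkmailer.example by mx.mailbox.example with ESMTPS;
 Tue, 03 Mar 2026 10:00:20 +0000
Received: from app.service.example by out.bulkmailer.example with ESMTP;
 Tue, 03 Mar 2026 10:00:02 +0000
Date: Tue, 03 Mar 2026 10:00:01 +0000
From: no-reply@service.example
To: user@mailbox.example
Subject: Your code

123456
"""

def _after(words, key):
    """Return the token following `key` ("from"/"by"), or "?" if absent."""
    return words[words.index(key) + 1] if key in words else "?"

def hop_delays(raw):
    """Return [(from_host, by_host, seconds)] per hop, oldest hop first.

    `seconds` is the time between the previous timestamp and this hop's,
    i.e. how long the message sat at `from_host` or in transfer.
    Stamps come from different servers, so small or negative values
    can be clock skew rather than real delay.
    """
    msg = message_from_string(raw)
    prev = parsedate_to_datetime(msg["Date"])
    hops = []
    # Each server prepends its header, so the last one is the first hop.
    for hdr in reversed(msg.get_all("Received", [])):
        info, _, stamp = hdr.rpartition(";")
        when = parsedate_to_datetime(stamp.strip())
        words = info.split()
        delay = (when - prev).total_seconds()
        hops.append((_after(words, "from"), _after(words, "by"), delay))
        prev = when
    return hops

def slowest_hop(raw):
    """Return the hop with the largest delay."""
    return max(hop_delays(raw), key=lambda hop: hop[2])
```

In the constructed sample the 18 seconds accrue between the bulk mailer accepting the message and the mailbox provider's MX receiving it, which is the sender-side queueing case rather than a slow mailbox provider.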

Yes, that’s true. But the ongoing struggle with privacy mail services makes me consider shifting back to Google, at least for sharing official details. I haven’t faced any problems with personal services like password managers and cloud storage, which is why I’ll continue using privacy mail for those.

I’ve almost eliminated Google from my life. Due to the recent implementation of Play Integrity, I have to start using the Play Store now, but other than that, I’m not using any Google services.

I don’t want to go back to Gmail, but the struggle is really painful for me. Moreover, we’ve seen that in some services, OTPs arrive at the Gmail address 15–20 seconds earlier than at the Proton address. Since OTP is the only verification method used here, there’s always a risk that if the OTP arrives late, it can create issues, as the usual time for entering the generated OTP is between 30–60 seconds.

Interesting, I never faced any issues with acceptance of ProtonMail or even aliases.

Only time I am not sure is with epic games support, but their support form could also just have been broken.

I never knew gmail offered multiple addresses, interesting point.

I never had an email OTP that was 60s, that is ridiculous and totally ignores the complexity of delivering email ;D

However in my country the market share of email services that aren’t gmail is probably high compared to others.

You do whatever is okay with your threat model.

1 Like

Same. Their Pass and SL aliases are blocked regularly, but their main domains are not. It makes just as much sense to block them as it does to block fastmail.com or icloud.com

Like I said, I never had an alias blocked either

Just my luck then

Me neither.

To me using a privacy email is a clear benefit from gmail/outlook & co. Easy 2 benefits: I don’t get my emails scanned. I don’t have AI being shoved up by default.

The only time aliases were blocked was, unironically, Xiaomi and Apple.
The rest have accepted aliases.

A prominent refuser is GitHub, which does not allow SL addresses and, I think, also blocks Pass aliases. Some niche apps I use, like ListenNotes, also block them because people abuse free trials. Lately, people (myself included) can’t create new X accounts using SL addresses, but that might be something else.

That said, they are more accepted than one would expect. It helps that aliasing has become more popular, and major password managers are integrating it into their products.

I will not sign up for anything nowadays that does not allow shared SL domain unless it is critical. I don’t know what these services expect me to do, but if treating legitimate users who use email aliases as collateral damage works for them, who am I to judge?

If the major benefit of proton/tuta is encrypted email storage, couldn’t you just delete or export your sensitive (or all) emails from gmail/outlook etc?

Would simply storing your emails locally, such as with Thunderbird, not accomplish the same thing? If anything, it sounds better than encrypted email storage since you have full control and even the subject, sender, recipient, etc are kept hidden from outside eyes. It’s also free.

1 Like

Yes, simply downloading your mails would achieve about the same degree of privacy, assuming the services do actually perform the deletion, and you use the device doing this regularly. It does come with the inconvenience that you now can’t read your past emails on other devices. Mail originally worked like this in the age of POP3; persistent mailboxes and IMAP are later developments.

That’s assuming the provider itself doesn’t silently create a shadow copy behind your back, or if the server-deleted mail is actually deleted and not shadow-stored for 5 years for “audit” reasons. Email is still an unsolvable problem. Even Proton and Tuta can silently intercept and store a shadow copy of that incoming cleartext (from their POV) mail from PayPal, your doctor, your water company, your drug dealer, etc. Using mail basically means we’re really trusting the provider, unless we’re the provider ourselves, i.e. self-hosting mail, which is easier said than done.

I have my own domain and use my own email server and I have never encountered that.

1 Like

Self-hosting should be the best for privacy? The potentially frustrating part of that is the outgoing SMTP - both doing everything right and being accepted by major ones who don’t.

Reminder that it’s not all-or-nothing - you can self-host the mailserver yourself but use a service provider as a relay for the outgoing traffic. That way you get a lot of the benefits (privacy and others) of self-hosting but without the most notorious headache.

Common setup for businesses in between the stages of “everything on the SaaS” and “taking care of ourselves”.

You can start even smaller: Keep the mailserver where it is and keep using it for incoming/outgoing. But instead of reading it straight on the server via webmail or the service provider app, start mirroring the entire inbox to your own setup where you actually read and write. Then when you’re comfortable with that you can have the sync also wipe the emails on the remote. You get a gradual transition towards independence where you can stop at any point.

Things also get a lot more flexible and you don’t have as much lock-in. Changing providers for your email is now more like changing ISP or power company instead of like moving houses.

2 Likes
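The gradual "mirror first, wipe later" approach described in the post above, sketched as an added example that is not part of the original post. It assumes a logged-in `imaplib.IMAP4_SSL` connection is passed in as `conn`; the function name, the `.eml` file layout named by SHA-256, and the `wipe_remote` switch are choices made for this illustration.

```python
import hashlib
from pathlib import Path

def mirror_mailbox(conn, dest, folder="INBOX", wipe_remote=False):
    """Copy every message in `folder` into `dest` as <sha256>.eml files.

    With wipe_remote=True a message is deleted on the server only after
    its local copy has been re-read from disk and matches the fetched
    bytes. Returns (newly_saved, deleted_remotely).
    """
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    # Mirror-only runs open the folder read-only so nothing can change remotely.
    conn.select(folder, readonly=not wipe_remote)
    typ, data = conn.uid("SEARCH", None, "ALL")
    if typ != "OK":
        raise RuntimeError("UID SEARCH failed")
    saved = deleted = 0
    for uid in data[0].split():
        # BODY.PEEK[] fetches the full message without setting \Seen.
        typ, parts = conn.uid("FETCH", uid, "(BODY.PEEK[])")
        raw = next((p[1] for p in parts if isinstance(p, tuple)), None)
        if typ != "OK" or raw is None:
            continue  # fetch failed: leave the remote copy untouched
        digest = hashlib.sha256(raw).hexdigest()
        path = dest / f"{digest}.eml"
        if not path.exists():
            tmp = path.with_suffix(".tmp")
            tmp.write_bytes(raw)
            tmp.replace(path)  # atomic rename, no half-written .eml files
            saved += 1
        # Verify what is actually on disk before flagging the remote copy.
        on_disk = hashlib.sha256(path.read_bytes()).hexdigest()
        if wipe_remote and on_disk == digest:
            conn.uid("STORE", uid, "+FLAGS", "(\\Deleted)")
            deleted += 1
    if deleted:
        conn.expunge()  # permanently remove the flagged messages
    return saved, deleted
```

Running it repeatedly with `wipe_remote=False` gives the mirroring stage; switching the flag on later adds the remote wipe, and re-runs are idempotent because files are named by content hash.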

I think the OP pretty much nailed it. I’ve been fascinated by this topic for more than a year now. In that time, I’ve created and even paid for multiple email subscriptions, but the Epstein emails basically convinced me that it’s a waste of time spending this much effort on email. Email is basically too insecure to address. You’re basically at the mercy of the recipient once the email is sent. A lot of focus is on the lack of privacy with Gmail and Hotmail, which is true, but even if Gmail were as private as Proton, the issues that the Epstein emails raised obviously can’t be addressed. As a result, I think there is still a case for having something like Proton, but I wouldn’t use it for any secured communication and be careful with what you send. A lot of famous people’s lives have been turned upside down by Epstein. Who knew old emails could somehow resurface and haunt anyone who was ever associated with Epstein? I would rely more on using Signal and a better idea would be to have the conversation in person for truly sensitive/important stuff.

1 Like

I think E2EE storage is basically the major selling point of Proton. Email is still important in 2026, and I have no choice but to continue to use it, but I wouldn’t send anything sensitive or important. I think that’s the lesson that I learned from the Epstein emails.

1 Like

Email would be quite private if we all used PGP encryption keys and open-source email clients. Disclaimer: I don’t use them, besides the built-in Proton encryption keys. Many people now have hardware security keys for passkey auth; we could also get used to decrypting our email with such keys. Email providers will still be aware of your social graph and email subjects, but not email content.

If we saw cases of unrevealed emails and their consequences in the media more often, like the Epstein ones now, people in general would become more concerned about privacy and ask more for easy-to-use privacy tools. I think this will come; it will come when we start to get used to hearing that a contact of ours was banned from entering a country due to some emails or DMs in a social media app. People will ask for more privacy.

Some people have some concerns about Proton becoming an ecosystem of apps, but this is what normal people are able to transition to; they are not gonna go further: easy-to-use solutions.

We, users of this forum, are very concerned about privacy. We should, in small doses, teach the people around us about privacy concerns. I switched from WhatsApp to Signal in around 2018. I uninstalled WhatsApp. So anyone who wants to communicate with me should use Signal, end of the story. Since then, many people have asked me why I do not have WhatsApp/Instagram… This has always been a good opportunity to open their eyes a bit.

I think we should start asking our dentist, doctor, tax consultant, lawyer… if they are using a privacy-respectful email provider / cloud storage.

1 Like

I agree with the premise of your post, but let’s get real, it’s not like privacy all of a sudden became a concern. Even Apple, with all of its marketing about privacy, still doesn’t use E2EE with its emails. Neither does Microsoft nor Google. Hope isn’t a strategy. The sad reality is that the Epstein emails are a reminder not to use email for private communication. There are too many points of failure, and then the emails are revealed. I still have a subscription to Proton, and I will continue to use it mostly to receive emails and for general communication. There is still a need for email in 2026, and we should strive to secure it as much as possible. Other than that, I would use Signal and possibly iMessage (iPhones dominate in the US).

1 Like