Email Provider Security Tests

These are tests we’ve run from public tools (today) on January 5, 2024. Note that indicates perfect score or >= 90% and indicates failure to load or < 90% score.

Forward Email (100% open-source)

• Hardenize
• 115/100 Mozilla Observatory
• 100% Internet.nl Site
• 100% Internet.nl Mail
• ~94% Google PageSpeed Insights

Startmail (closed-source back-end)

• Hardenize
• 80/100 Mozilla Observatory (e.g. invalid CSP)
• 100% Internet.nl Site
• 83% Internet.nl Mail (e.g. lack of IPv6, bad TLS version, bad TLS cipher, incorrect DANE)
• 100% Google PageSpeed Insights

Proton Mail (closed-source back-end)

• Hardenize (e.g. bad CSP)
• 65/100 Mozilla Observatory (e.g. bad CSP, bad cookies)
• 66% Internet.nl Site (e.g. lack of IPv6, bad key exchange, lack of DANE)
• 75% Internet.nl Mail (e.g. lack of IPv6)
• ~80.25% Google PageSpeed Insights

Mailbox (closed-source back-end)

• Hardenize (e.g. SRI, TLS, XSS issues)
• 115/100 Mozilla Observatory
• 92% Internet.nl Site (e.g. missing HSTS, bad cipher order, bad key exchange params, bad CSP, bad security.txt)
• 71% Internet.nl Mail (e.g. lacking IPv6, bad DMARC, some mail servers unavailable for STARTTLS check, major TLS and cipher issues - or perhaps they block the tests?)
• 86.5% Google PageSpeed Insights

Tuta (closed-source back-end)

• Hardenize (e.g. should not use X-XSS-Protection header)
• Failed to Load/100 Mozilla Observatory (fails to load)
• 100% Internet.nl Site
• 87% Internet.nl Mail (e.g. lack of IPv6, bad TLS settings, bad TLS ciphers)
• ~90.5% Google PageSpeed Insights

Skiff (closed-source back-end)

• Hardenize
• 115/110 Mozilla Observatory
• 97% Internet.nl Site (e.g. supports HTTP compression, bad cipher selection, bad cipher order, lack of DANE, bad CSP, lack of security.txt)
• 87% Internet.nl Mail (e.g. lack of IPv6)
• ~79% Google PageSpeed Insights (49/100 performance rating)

–

P.S. For a comparison technology/feature wise, we’ve provided a table at https://forwardemail.net/blog/docs/best-quantum-safe-encrypted-email-service#email-service-provider-comparison.

May be good to add the www. subdomain results as well.

Just per example Website test: www.forwardemail.net here actually TLS configuration is still somewhat unfortunate.

@ph00lt0 Hi there Note that www is a redirect and non-issue, if you visit, it redirects you via Cloudflare routing. We also have HSTS enabled to ensure https.

Self-promotional materials aren’t allowed for non-developer-group members, this may be re-reviewed in the future.