Email strategy - Custom domain, cheap, iOS

I’ve tried to keep this short but I’ve failed.

TLDR: I want to switch email providers. Tuta or Proton?


What I’m currently using:

  • Gmail: I mainly use it because it is free, the web app looks good and is easy to use, and the iOS app is literally perfect.
  • Outlook: Until recently I used it as a primary email and for custom domain catch-all (main address in Gmail and aliases in Outlook). The web and iOS apps are pretty good, only slightly behind Gmail.

Both of these providers require a third-party forwarding service to receive custom domain email. For my TLD, which is considered malicious, I am limited to Cloudflare (which doesn’t always work). Also, the only way I know of for sending emails is Brevo (previously Sendinblue), which broke for me when I added and later removed a second alias and it’s too complicated for me to troubleshoot (as SMTP is only a secondary feature rather than its main product).

My requirements:

  1. I have a custom domain which has my main address in addition to some aliases. (Every provider on my list can natively receive custom domain catch-all and send from multiple addresses.)
  2. I need something cheap. (Remember, I’m coming from something that is free.)
  3. I need at least some iOS support (as that is where I do all my emailing).
  4. I want it to look good and be easy to use. (I’m coming from the best iOS email app to ever exist.)
  5. I want encryption. (It’s not rational, I don’t need it, but it softens the blow of paying for something I could get for free so it is required unless something is superior in every other way).

What I considered:

iCloud Mail

The Good:

  1. It was the cheapest option on this list at $0.99/month (fixed price regardless of payment term), and this is what initially drew me in.
  2. The iCloud Mail web app looks okay.
  3. Hide My Email allows unlimited @icloud.com random aliases.
  4. Mail Privacy Protection sends trackers through two relays, hiding your IP.

The Bad:

  1. No zero-access E2EE.
  2. Mail Privacy Protection is disabled on iOS when using a VPN.

The Worse:

  1. When you delete a custom domain alias, all emails to it will bounce, and this overrides catch-all. It is not an option to never delete aliases as it limits you to 3 (2 with my main address).

The Dealbreaker:

  1. I tried Apple Mail on iOS… I HATED it. I couldn’t even have the Archive and Trash buttons together, it made me choose between one or the other (and that is nowhere near my biggest complaint). I’m genuinely surprised anyone actually uses it.

Forward Email

The Good:

  1. They are cheaper than the options I am still considering at $3.00/month (fixed price regardless of payment term).
  2. They appear to be one of the only privacy-concerned email forwarding services.
  3. It allegedly has zero-access E2EE.
  4. They are fully 100% open-source, including the front-end, the back-end, the database configuration, and even the encryption program and spam filter which they made themselves. This is not true of anything else on this list.

The Bad:

  1. As Reddit pointed out when they first started trying to become known in the privacy space, “Prices will never increase” and “we will never shutdown our service either” are not actually possible and are bad marketing. (They still have this on their website.)

The Worse:

  1. Forward Email requires a third-party email client. For iOS the best client looks to be eM Client; their desktop app is generally somewhat trusted (though not considered by PG) but there is little information about their mobile apps as they were released quietly this year. (Canary Mail is officially recommended by PG but I do not trust them.)
  2. Based on their data retention explanation, it appears you can only use a single client, as all provider-side temporary email files are deleted immediately after IMAP sync. This seems like the equivalent of you providing your own email server, except they provide the IMAP and SMTP services.
  3. To use a custom domain with SMTP, you must get their manual approval. A human staff member will review the domain and a required questionnaire about your usage; if they don’t find it trustworthy, they will ban your entire account and refund you. Related, the way they brag about their customers by name on their website just rubs me the wrong way.

The Dealbreaker:

  1. I signed up for their free plan to get away from Cloudflare Email Routing, even if just for a few days, and they did not allow me to connect my address as the Top-Level Domain is banned. (I found this to also be the case with ImprovMX and Mailtie). I don’t think it would even let me get to the aforementioned manual review process.

MXroute

The web app (Crossbox) looks good and the iOS app looks okay, but it has no encryption and it is too expensive for me.

My options so far:

Mailbox.org

(Note that I didn’t research this much so I have limited information.)

The Good:

  1. They have a mid-range price of $3.25/month (fixed price regardless of payment term).
  2. The web app looks good.
  3. Their PGP encryption system makes it easier to transfer mail somewhere else.
  4. Free trial (but instead of a free plan).

The Bad:

  1. Their PGP encryption system is more complicated than the other services.
  2. All unpaid accounts are fully deleted after 30 days. (The other two services have free plans and do not delete accounts until they are inactive for at least 6 months after switching to the free plan.)

The Worse:

  1. Mailbox requires a third-party email client. For iOS the best client looks to be eM Client; their desktop app is generally somewhat trusted (though not considered by PG) but there is little information about their mobile apps as they were released quietly this year. (Canary Mail is officially recommended by PG but I do not trust them.)

Tuta

The Good:

  1. It has a good web app and iOS app (it’s been said they could have the most secure iOS email client except they won’t allow any IMAP or SMTP).
  2. It has zero-access E2EE (general audit in 2021).

The Bad:

  1. $3.25/month for 12 months, but they increase the price to $3.90/month if you only pay for 1 month at a time.
  2. Tuta does not support the Web Key Directory standard, meaning it is not possible to automatically send emails that are encrypted in transit. (However, this does not affect me.)
  3. There were some issues on Reddit that started because they have two different paid plan termination forms for different purposes.
  4. In 2023, ex-RCMP official Cameron Ortis accused Tutanota, in court, of being a Five Eyes honeypot. However, after reading a few articles (which all conflicted with each other, even the CBC articles conflicted with other CBC articles) I’ve concluded the most likely explanation is that Ortis and Vincent Ramos (criminal phone expert) were going back and forth about secure communication, Ortis told Ramos to choose one, and he chose Tutanota, so later in court Ortis made up the honeypot story as a false excuse, which explains why they were willing to release the name of a honeypot (from a redacted transcript following a closed hearing, giving them ample opportunity to correct it) and why the government doesn’t have any information that wasn’t on unlocked computers. (According to the Crown prosecutor, Ortis would be free and leaking state secrets to China without anyone knowing if Bellingham police and the US FBI didn’t find one of Ramos’ computers unlocked.) Please comment if you can support any other interpretations. (Tuta said they were discussing with their legal team, but I have seen no follow-up.)

The Worse:

  1. In 2020, they were ordered by a German court to create a backdoor to intercept future emails to and from a specific address. Tuta said they would appeal, but I have seen no follow-up.

Proton

The Good:

  1. All of Proton’s apps (except their VPN, in my opinion) look great - they are generally considered to have the best UI in the private email business (with the possible exception of Skiff).
  2. It has zero-access E2EE (web app audit in 2024, audit of iOS app and public source code in 2021).

The Bad:

  1. Proton is able and willing to log and give your IP address, recovery email, and any other unencrypted data to foreign governments. This only happens when it is ordered by Swiss authorities (meaning it must abide by both Swiss laws and the laws of the first jurisdiction) or when Proton is convinced there is immediate danger; however, it is not unknown for the Swiss government to approve a fraudulent foreign interpretation of a law. (This is probably also true of all the other services also though…?)

The Worse:

  1. Proton is about as expensive as I am willing to go, at $3.49/month for 24 months. However, they increase the price to $3.99/month if you only pay for 12 months at a time, and to $4.99/month if you only pay for 1 month at a time.

Looking forward to your responses.

I have all of them. First one:
Tuta, which I have premium on from when it was $1.
I also have Proton, but premium; if you need the features that they offer, which are Pass, VPN and Drive, which are actually good, after IVPN and Mullvad this is really a good option, but I am also thinking of using a custom domain that will allow me to easily swap between providers.
Which is really nice.
Proton has better-looking apps, but Tuta is also not that bad though.
Never used Mailbox.
I used to have Outlook and I have deleted it all, as I am no longer a Windows user; I switched to Linux and Mac.
And I have a Gmail which I no longer use actively.

Personally I use iCloud Mail, and I’m surprised you had such a bad experience with the Mail app. For me it works fine for reading and replying, and I do more complex mail management on PC. In fact, Proton and Tuta not being interoperable (or not well at least) was a much bigger dealbreaker. Since most of my mailing is just registration mails (which are essentially absent of private information that isn’t already in the metadata) I decided I’ll just take the hit of not having encryption. I download my mails periodically anyways, which also significantly mitigates the issue.

Interesting behavior on the domain alias thing. I got by with the 3 aliases per domain so far, and don’t have catch-all due to spam. I’ll make sure to be careful with deleting aliases in the future.

Pick Proton. It supports OpenPGP and WKD and it’s also the best option if you want aliasing because of SimpleLogin and Proton Pass.

This is literally the case for any service that wants to run and not be shut down. Also, they gave data because the court said so, do you want to live in a world with no laws and courts? I surely don’t.

Thanks for the info, I’ll probably go with Proton then, but there is one concern I have about them.

For iCloud I read about deleted aliases overriding custom domain catch-all on Reddit but I can’t find that thread - it was from when the feature first released, someone said it was intended only for organizations but they weren’t going to fix it.
Proton also has a lot of marketing towards organizations - does anyone know if they have the same thing where disabled or deleted aliases do not receive mail even when catch-all is enabled?

I decided to try Proton, and so far I like it. Here is my experience/review/thoughts:

Proton Mail

Because I chose the Free plan when first creating my account, I was offered Mail Plus for $1 for the first month.

Proton sends a number of welcome emails (advertisements for their other apps) spread out over the first month; this can be easily disabled.

It is easy to import emails, calendars, and contacts from other services through Easy Switch. Proton has native integration with Gmail, Yahoo, and Outlook, which imported all emails in those accounts and applied a label to them; Proton’s account access needed to be manually removed on the Google side but for Microsoft it seemed to disconnect itself automatically. They also have manual support for other services through IMAP (email), ICS (calendar), and CSV or vCard (contacts).

Email forwarding is easy enough to do with any provider. With Outlook it is important to note that there are 3 different types of forwarding, which each have limitations (for example native Forwarding does not work properly in some organizations, and Redirects rewrite some headers which makes SimpleLogin see it as spam). With Gmail, you have the option to connect your Proton account to Google to capture all incoming email (as an alternative to native Forwarding, which also works well).

The iOS apps are easy to use. Unlike with Google, you need to sign into each app separately, as it does not store your login details outside the app.

Instead of providing an outside email or phone number, it is possible to save a recovery phrase and/or a PGP key to unlock the account without a password.

Setting up my custom domain was slightly confusing because I was able to send and receive mail almost immediately after adding the records, but Proton did not acknowledge the records were there until a few hours later.
DANE is fully supported for both Proton addresses and custom domains, but MTA-STS is only available for Proton addresses, so you need to add it to your domain yourself (or just don’t, that works too).

Proton Mail has zero support for IPv6. From what I’ve read, this also includes their support lines - they will not receive anything from an IPv6-only mail server.

A few random things I don’t like:

  • Proton uses a different icon for “Move to trash” (the normal trash symbol) and “Delete permanently” (an X in a circle).
  • They use a different keyboard shortcut (“T” instead of “Delete”) for “Move to trash,” and there is no way to change this.
  • Many settings require you to enter your password if you want to change them.

Addresses

Here’s where things get complicated.

Proton Mail domain

When you create your account, you have a choice of starting with a @proton.me address or a @protonmail.com address. On the free plan, you can only use this “Free personal address” [1], except that Proton Mail does support Plus addressing [2].

After creating your account, if you have the Mail Plus plan, you can have up to 10 Proton Mail domain addresses. This includes your Free personal address and any other addresses you create - you can choose from @proton.me, @protonmail.com, @protonmail.ch, and @pm.me.

All Proton Mail users on paid plans can have a Short domain email address [3], which is the same as your Free personal address but @pm.me instead of @proton.me or @protonmail.com. This does NOT count towards your 10 addresses.

Note that you are only allowed to delete 1 alias per year. (This only applies to Proton Mail domain addresses.) Any address can be disabled at any time, but it will still count towards your 10 addresses.

Custom domain

All Proton Mail users on paid plans can attach a custom email domain and create additional addresses using that domain. Catch-all is supported, so custom addresses are only required for sending mail.

Custom addresses do NOT count towards your 10 addresses. (The support article [4] is incorrect.)

If you disable a custom address, but catch-all is enabled, you WILL still receive mail to that address. If you delete a custom address, but catch-all is enabled, you WILL still receive mail to that address. Custom addresses are only required for sending mail.

Note that addresses can’t be deleted while messages associated with them exist. Everything sent from that address must be moved to the trash and then permanently deleted.

SimpleLogin and Hide-my-email

All Proton Mail users automatically get an account at SimpleLogin, and can use it to create up to 10 SL aliases (@aleeas.com, @slmails.com, @silomails.com, @slmail.me).

Note that SimpleLogin aliases (unlike hide-my-email aliases) have no connection to Proton Mail or Proton Pass, except that you use Proton to log in and it uses Proton Mail as your mailbox.

Separately, you can also use Proton Pass or the Security Center in Proton Mail to create up to 10 Hide-my-email aliases (@passmail.net, @passinbox.com), in addition to any SimpleLogin aliases (20 total). Hide-my-email aliases sync with SimpleLogin, but only partially:

  • All hide-my-email aliases are shown in Proton Pass, in the Security Center of Proton Mail, and in SimpleLogin, while SimpleLogin aliases are only shown in SimpleLogin.
  • In SimpleLogin, hide-my-email aliases are no different from SL aliases, and you can use all the features of SimpleLogin with them.
  • Proton Pass and Proton Mail do not check the number of SimpleLogin aliases you have, but SimpleLogin includes all hide-my-email aliases in the total number of SimpleLogin aliases. This means you can have up to 20 total aliases, but only if you already have 10 SimpleLogin aliases before creating any hide-my-email aliases.
  • Sending an alias to trash in Proton Pass disables the alias in SimpleLogin, so all mail to it will be rejected. However, you can re-enable the alias in SimpleLogin and it will receive mail while still in trash in Proton Pass.
  • Disabling an alias in SimpleLogin means all mail to it will be rejected, but the alias will still be listed in Proton Pass.
  • Permanently deleting an alias in Proton Pass (after sending to trash) deletes the alias in SimpleLogin. All mail to it will be rejected, and the alias can’t be recovered.
  • Deleting an alias in SimpleLogin removes the alias in Proton Pass, but only after a delay. This is the only thing that has a delay; all other actions have an immediate effect.

Summary

On Proton Free, you can have:

  • 1 @proton.me or @protonmail.com address.
  • 10 SimpleLogin aliases.
  • 10 additional Hide-my-email aliases (SimpleLogin aliases must be created first).

On Mail Plus, you can also have:

  • 1 @pm.me address.
  • 9 additional @proton.me, @protonmail.com, @protonmail.ch, or @pm.me addresses (11 total).
  • Catch-all receiving and unlimited sending aliases for 1 custom domain.

On Proton Unlimited, you can also have:

  • Unlimited SimpleLogin and Hide-my-email aliases.
  • 5 additional @proton.me, @protonmail.com, @protonmail.ch, or @pm.me addresses (16 total).
  • Catch-all receiving and unlimited sending aliases for 2 additional custom domains (3 total).

Proton Calendar

I like it. It doesn’t have all the features of Google Calendar, but it’s (mostly) good enough for me.

Proton Drive

Ehh. It works. It looks similar to, but is nowhere near as smooth as, Google Drive. I don’t like how there are no keyboard shortcuts and I can’t click and drag to select multiple items. I really don’t like how there isn’t an API (which means I can’t sync, for example, a Strongbox database through it (the native iOS Files app doesn’t work properly with Proton Drive for me)).

Proton Pass

I didn’t like how hide-my-email aliases are shown in Proton Pass alongside passwords, but that can be mostly hidden by creating a second vault (2 allowed on the free plan).

Otherwise, I find the free plan much too limiting. It allows unlimited entries within your 2 vaults, but you can only have a basic title, email, and password. Almost everything else requires a paid plan.

Proton VPN

I don’t use it because I don’t like the Windows app or the harsh limitations of the free plan.
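
The review above notes that MTA-STS has to be added by hand for a custom domain. As an added example (not from the original post or from Proton), this Python code validates the two pieces a domain owner publishes under RFC 8461, the `_mta-sts` TXT value and the `mta-sts.txt` policy body, and reports MX hosts the policy fails to cover, which senders honouring an `enforce` policy would refuse to deliver to. All hostnames and the policy id are constructed placeholders.

```python
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds

def parse_txt_record(txt):
    """Parse the _mta-sts.<domain> TXT value; return the policy id."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must declare v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields["id"]

def parse_policy(text):
    """Parse and validate the body of /.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        raise ValueError("max_age must be an integer of at most 31557600")
    policy["max_age"] = int(age)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx line")
    return policy

def mx_matches(pattern, host):
    """A leading '*.' matches exactly one left-most label; otherwise exact."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def uncovered_mx(policy, mx_hosts):
    """Return the MX hosts that no mx pattern in the policy covers."""
    return [h for h in mx_hosts
            if not any(mx_matches(p, h) for p in policy["mx"])]

# Constructed sample data: placeholder hostnames, not any provider's real MX.
SAMPLE_TXT = "v=STSv1; id=20240101T000000;"
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmx: mail.mailhost.example\n"
                 "mx: *.backup.example\nmax_age: 604800\n")
SAMPLE_MX = ["mail.mailhost.example.", "mx2.mailhost.example.",
             "a.backup.example."]

if __name__ == "__main__":
    print("policy id:", parse_txt_record(SAMPLE_TXT))
    print("uncovered MX:", uncovered_mx(parse_policy(SAMPLE_POLICY), SAMPLE_MX))
```

The `id` in the TXT record has to change whenever the policy file changes, otherwise senders keep using their cached copy until `max_age` expires.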