FastMail, Aliases, PGP, Custom Domains, Privacy

Hopefully I can make this simple and understandable. I currently use FastMail as my provider and they’re rock solid except my email at rest is not encrypted. I’m looking for a way to add this using some different approaches.

If I use Addy.io, I can add my public PGP key and have my incoming alias emails encrypted when they hit my FastMail inbox (encrypted at rest). When I download my email to Thunderbird, it gets decrypted. If I reply, the email gets encrypted using Addy.io's public PGP key in Thunderbird, and decrypted when it arrives at Addy.io before being sent on to the sender. Perfect for what I’m looking for, except some websites don’t accept aliases from Addy.io.

Could I use a registrar custom domain with Addy.io to do the same thing? If I can, then this would solve the issue with some websites not accepting aliases from Addy.io, correct?

I don’t care if anyone knows who I am. For complete privacy, I can always use PGP directly when receiving or sending email with the sender. I just want to be able to secure regular email incoming and outgoing from FastMail staff, employees, anyone else who may have access to their servers from reading my email.


Yes, your thinking seems sound and should theoretically work.

You should however be aware of the following:

(You can’t have name@last.tld in fastmail if you want to use last.tld for Addy.io.)

I don’t understand why this janky solution would be superior to just switching to Proton which includes SimpleLogin with a much nicer UX.


So using a custom domain through Addy.io would work because the custom domain email (TXT and MX records) would be set up for Addy.io. Fastmail would just receive and send email that was forwarded by Addy.io. The keyword is ‘Forwarded’ by Addy.io, since Addy.io and the registrar are the ones with the TXT and MX records needed to work properly, correct?

I understand the whole Proton ecosystem, but currently the plan that would fit for me at Proton is $120 a year. That’s $360 in three years. Fastmail, which is rock solid and reliable, is $84 for three years. Add Addy.io ($12/year) and a custom domain (average $12/year), and my total cost would be $156 for three years. Yes, it’s a little extra work to do, but I’m also saving $204.


Yes, it should all work as you have imagined.

Can’t argue with that.

Ha! Thanks for your time! It helps a lot and I hope others will find this post useful in the future. Thanks again!


Another option would be Proton Mail Plus and SimpleLogin Premium. If you plan to use all of your custom domains for aliases, then Mail Free and SL Premium.

Also, how did you get Fastmail that cheap? The 3-year Individual Plan costs 168 USD according to their own page Pricing | Fastmail

@Bhaelros - Proton Plus and SimpleLogin would still be around $234 for three years. I am exploring some other options price-wise to get the most bang, but as the saying goes, "You get what you pay for." Kinda hard to cheap out on an email provider.

As for the price at FastMail, I think I’m grandfathered in. Originally there were only three plans to choose from. Those became their business plans, and they introduced crazy individual/family plans that are overkill. You can still save by getting the same plan I have, but it’s just a little more now. To see the current pricing, go to Pricing | Fastmail, click ‘Business’ and select 36 months. That will bring you down to $100.80 for three years. At the end of the three years, you may get a lower price for the next three years to stay with them.

Thanks for starting this topic. I’m definitely gonna try this with my Fastmail. How did it work out for you in the end?

I switched to Tuta for a couple months, and I’m switching right back to Fastmail because I can’t get past the insane usability downgrade and the constant bugs. And the hefty price tag. Like okay, I would actually consider paying 3x more, but man, it’s kinda like a stick house next to a castle lol

I’ve tried Proton and I just don’t like it. It’s a personal thing. There’s something about their corporate behaviour that doesn’t sit right with me. No objective criticisms here, it’s just not for me.


First off, change is hard. You get comfortable with what you know. Sometimes you have to take a leap and dive into something new to get the benefits.

I ended up using Proton Mail. I wanted the extra security, like encryption at rest. Fastmail is a great company and the best email provider you can find, but the security/encryption features seem to be lacking. This may not affect you though if you just want great, reliable email.

To go a little further, I tested different email providers by using the following: Check your cyber security - NCSC.GOV.UK

I entered the email domains like @proton.me (you can find more at their website What is the difference between Proton’s email domains? | Proton ). I also tried @tuta.com and @fastmail.com. Fastmail caught my attention because it failed two tests. This pushed me over to Proton, which seemed like a good fit after, of course, learning how to get around and adjusting the settings to fit my style. I did explore mailbox.org and others, but if I had to pick a second choice, Tuta would probably be it. Don’t forget I’m going for more privacy and security. Otherwise, Fastmail is outstanding and has been around for a while with great reliability.

Edit: I had to re-read the thread and wanted to add to this by saying that yes, what I was trying with Fastmail and using a PGP key on Addy.io does work. Simplicity is why I chose Proton which has what I wanted to do built in. I also switched from Thunderbird to their own desktop app to also simplify the process.


Thanks so much for your reply! Also for the link to the UK NCSC tool, it looks quite handy. You’re right, Fastmail domains (and the ones I host with them) do return errors, albeit minor. Tuta’s don’t though, which is quite nice.

I kind of get Fastmail’s position, which is to make everything as user-friendly and risk-averse, in terms of usability, as possible. Although sometimes I think they overdo it. Like come on, fixing one syntax error in the SPF record makes no difference to the end user but boosts scam protection.

I would have to keep my compromise solution and stick with Fastmail for now, but at some point will have to bite the bullet and go for Tuta again.

Interestingly, FM’s page on their approach to security, Security with substance, states:

Adding end-to-end support in our webmail also provides little extra security against server compromise, as the code doing the decryption is itself deployed from the server. Meanwhile, the trade-offs are severe: if the server can’t access the contents of the email it can’t offer fast, full text search. It can’t show message previews efficiently in your inbox. Spam checking can’t analyse the content. If you lose your private key, we can’t help you recover access to your email history.

Ultimately, if you trust the server then end-to-end encryption doesn’t add any extra security (as emails are already encrypted at rest and in transit)

I unfortunately agree with them that the search experience with E2EE server is excruciatingly painful (or at least it is with Tuta). Their other argument about losing the encryption key also makes sense for their target audience, although it’s not a concern for me personally. The rest of the arguments (about encryption at rest) are pure fluff.

Anyway, thanks a lot bro, all the best to you!
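The custom-domain setup discussed earlier in the thread (MX and SPF TXT records pointing at the forwarding service) and the SPF syntax point raised just above can be sanity-checked offline before relying on them. This is an added example, not code from Addy.io, Fastmail or anyone in this thread; the forwarder hostname and the DNS records are constructed placeholders, and the checks follow the SPF rules in RFC 7208 (one record, valid terms, at most 10 lookup terms, a terminating `all`).

```python
import re

# Constructed sample DNS records for a custom domain pointed at an alias/forwarding
# service. Hostnames are placeholders, not the real Addy.io values.
FORWARDER = "alias-service.example"  # assumed forwarder domain (placeholder)
SAMPLE_MX = ["10 mx1.alias-service.example.", "20 mx2.alias-service.example."]
SAMPLE_TXT = ["v=spf1 include:spf.alias-service.example -all",
              "site-verification=abc123"]

# One SPF term: optional qualifier, then a mechanism (RFC 7208 section 5).
_MECH = re.compile(
    r"^[+\-~?]?(all|include:[^/\s]+|a(?::[^/\s]+)?(?:/\d{1,3})?|"
    r"mx(?::[^/\s]+)?(?:/\d{1,3})?|ptr(?::\S+)?|ip4:\S+|ip6:\S+|exists:\S+)$")
_MOD = re.compile(r"^(redirect|exp)=\S+$")  # modifiers use '=' rather than ':'
# Terms that cost a DNS lookup; receivers return permerror after 10 of them.
_LOOKUP = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")

def check_spf(txt_records, forwarder=FORWARDER):
    """Return a list of problems with the domain's SPF TXT record(s)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record (v=spf1) published"]
    problems = []
    if len(spf) > 1:
        problems.append("more than one v=spf1 record: receivers return permerror")
    terms = spf[0].split()[1:]
    for t in terms:
        if not (_MECH.match(t) or _MOD.match(t)):
            problems.append(f"syntax error in term {t!r}")
    lookups = sum(1 for t in terms if _LOOKUP.match(t))
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if not any(t.lstrip("+-~?") == "all" or t.startswith("redirect=") for t in terms):
        problems.append("record has no terminating 'all'; unlisted senders get neutral")
    includes = [t for t in terms if t.lstrip("+-~?").startswith("include:")]
    if not any(forwarder in t for t in includes):
        problems.append(f"no include: for the forwarder {forwarder}; replies it relays may fail SPF")
    return problems

def check_mx(mx_records, forwarder=FORWARDER):
    """Return problems if inbound mail for the domain is not routed to the forwarder."""
    hosts = []
    for rec in mx_records:
        pref, _, host = rec.partition(" ")
        if not pref.isdigit() or not host:
            return [f"malformed MX record {rec!r}"]
        hosts.append(host.rstrip(".").lower())
    if not any(h.endswith(forwarder) for h in hosts):
        return [f"no MX host under {forwarder}; inbound mail would bypass the forwarder"]
    return []
```

Replace the sample lists with the TXT and MX records you actually publish (for example from `dig TXT yourdomain` and `dig MX yourdomain`) to see the same findings the NCSC checker would flag for syntax.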

Yes, about what you mentioned about using PGP with Fastmail not being able to search and losing your key. I forgot to mention that. Fastmail is as good as it gets when it comes to normal email for normal things. They don’t support PGP, so you would be responsible for setting it up and maintaining the keys along with expiration dates, renewals, etc. Kinda a pain in the ass, but it all depends on how far you want to push the boundaries, sometimes beyond the capabilities of what Fastmail can do. That’s why some features Fastmail has cease to work properly after using PGP through its servers.

As for Tuta, they don’t and can’t use PGP key encryption because they incorporate their own which is just like PGP but actually a little better. This is a plus and Tuta has designed their email platform to work with security in mind but may or may not have some features Fastmail uses due to Fastmail not using PGP encryption. By the way, Fastmail does use in house encryption on their servers for encryption at rest but employees/engineers working or doing maintenance on their servers do give them access to your email but that doesn’t necessarily mean they read it. I personally wanted a zero access of my email when it’s sitting on the servers which is why I switched to Proton. Tuta is the same as well.

Speaking of Proton. They provide the PGP keys for you so you don’t have to worry about anything. It’s taken care of for you. It has true encryption at rest and allows you to share/exchange your public PGP key with anyone not using Proton for encrypted email both ways. You can also use your PGP key with an alias email service like Addy.io which I use. I also find using their own desktop/mobile app to be extremely good. You can still use Thunderbird but you would have to install a bridge which Proton provides to use it.


Solid advice, cheers. Question: how do you find the search function on Proton? On Tuta, you have to define the time frame for the search term (between this and that date), and if you define a large one like several years, it can take a very long time for their server to decrypt all the emails in that time frame in order to then search in them. One of my recent searches took 20 minutes to find something from 2021.

Obviously, this is a necessity for encrypted data. If anything, it shows that encryption works, which is good news. I’m just curious about your experience with Proton on this.

What about Addy staff?

You’re right! You solve one point of failure but move it to another. So a couple of things to point out. You are putting trust into the alias service just as you put trust into your email provider. From what I know, Addy.io only has one person (I’m sure I read it on Addy’s website) running the service, compared to hundreds at your email provider. Fewer eyes, but there’s that trust to worry about. I doubt one person has time to sit and read literally thousands of emails flowing through the service every minute of the day. He/she may not be able to if the email is already encrypted using SSL/TLS. Adding PGP through the alias service adds an extra layer of encryption, so now your email provider can’t unencrypt it anymore and only you can decrypt it, which in my case would have been Thunderbird (the final destination), which has the private key to decrypt the email.

Once you log into Proton, you’ll see a search box at the top. You can search by date, name, email addresses and subject line. Below that, you can search folders your email may be sorted to using email filtering/rules, such as inbox, drafts, sent, personal folders or all folders/locations. Below that is the advanced search, where you can also search to, from, sender, recipient, etc.

This slightly reminds me when I was choosing an email provider to combine with Addy, but I ended up using Disroot when they started using Lacre. With Lacre, all incoming emails are encrypted with PGP.