10 posts were merged into an existing topic: Forward Email (new features)
Hi @forwardemail, thanks for providing this much information and quickly addressing the concerns. I didn't know about your e-mail services until recently. I have created an account and started using it, and I must say I really like it. IMHO, it's much better than mailbox.org.
I have a couple of concerns that I would like to bring to your attention:
- SMTP submission is by default disabled. You claim to be a full-fledged e-mail provider, and not just an e-mail forwarding service; however, this approach does more bad than good in making people believe that you're not just an e-mail forwarding service. However, I do understand why it's important for you and people who use your service to have reputable IP addresses for e-mail deliverability.
  The fact that SMTP submission is disabled by default is not mentioned anywhere that can be easily seen before/during the registration process. I only found out about it when I tried to send an e-mail, and the server threw an error about it. Maybe you could be more open/transparent about this BEFORE or DURING people making an account and paying?
- I have uploaded my OpenPGP public key to your service for an e-mail alias of my domain, and activated the option for encrypting incoming e-mails using that public key. It works very well. However, that e-mail alias also forwards incoming e-mails to another e-mail address, and those forwarded e-mails are not encrypted using my public key. Is this by design? It would make much more sense if you could also encrypt those forwarded e-mails, too.
Thanks a lot for providing such a great quality service at an affordable price!
Hi there @arandomduck - apologies for the unexpected delay in our reply.
We have plans to automate this (e.g. if the domain has an A record and working website, or if previous domains added by the same user have been approved, then auto-approve). It is noted on all necessary pages that we do a manual review process. Typically we approve in 2-4 hours during the week or quicker (usually within 30 minutes). On the weekends it might take a bit longer, but we will grow over time to expedite this to be as near instant as possible. We're focused on the most pressing/urgent/priority items right now, and any time an SMTP approval request comes through it is marked priority by default for our support team. Here is an example section where we state there's an approval process: https://forwardemail.net/en/guides/send-email-with-custom-domain-smtp#smtp-instructions:~:text=Important%3A%20Please%20note,get%20marked%20as%20spam.
Yes! Forwarding will have OpenPGP/WKD support soon; we're in the midst of consolidating some code (re-using the same functions for outbound SMTP/MX), so this should happen very soon this year, most likely within the next month. The code for that is actually already completed! We have a few other things to do before we can confidently deploy this.
Appreciate your kind words, and we're here to help if you need anything. Feel free to join our Matrix channel and directly DM / @ mention us there too for faster responses.
Currently trying to gain some understanding of the backend. If I am understanding both the drawings at Quantum Resistant Email Service in 2025 and the code correctly, inbound emails are sent into a temporary mailbox with an encryption key the server controls if there is no active session (and it is a single key for the entire server, as seen here: forwardemail.net/helpers/get-temporary-database.js at d23f4fda6639d05d87d6fbfab976e4e93b131996 · forwardemail/forwardemail.net · GitHub).
As I am not yet familiar with the codebase, please correct me if I'm wrong, because to me this seems like bad design.
The other big issue is one that has been brought up multiple times, and that's how emails are stored in the persistent database for the recipient mailbox. The IMAP password is encrypted in memory and not stored, but it is decrypted several times (using the exact same key from above, it seems), meaning an admin is able to access the full mailbox as long as a session is active (plus the temporary mailbox, as mentioned in the previous part).
Both of these issues can be resolved by manually setting up a public key, but by default a mailbox cannot be considered secure.
Point here is: you are not wrong, this indeed IS not even bad, but horrible design.
True, yet there is no mention of this in the official docs…
Also true.
There were several other areas in the code that looked like they could be a problem, but I do not want to make accusations I cannot back up without investing tens of hours of my free time. Especially when that first look told me I should stay away unless I want to trust that the other parts are miraculously perfectly fine.
That said, I still can't help but think it's a shame, because the value proposition is great. But the pushy (seemingly solo) team and the dangerously below-average code quality are a bad sign that should prevent the inclusion on this site.
(Only tangentially related is also the fact that the author has tried surprisingly hard to remove their previous alias for some reason; the only thing I could really find there is that they made an app called Spontaneous at some point: Spontaneous - Hangout with Friends & Family Nearby)
Yeah, I'm not making a big fuss about bad UX or something; I am concerned about the general security practices of this project, as they seem subpar at best.
As mentioned previously, there are multiple parts of the code (besides the ones I explicitly mentioned while talking about mailboxes) that seem sketchy and like they could be abused by an attacker, but I didn't go into that because I do not want to make claims I can't back up easily.
As for UX: it's (probably) the one thing that has been done well. The UX of forwardemail.net is OK, very clean, easy to navigate; I like it.
A post was merged into an existing topic: Forward Email (new features)
Hi @forwardemail, is there any progress on private payment methods?
Proton, mailbox.org, Tuta, and Posteo all have a way to privately pay for their services.
Hey!
I've quickly read through the loads of information provided here, and I really like the approach of ForwardEmail. It seems to be headed in the right direction.
However, I have a concern regarding the number of people behind it.
You speak as "we", but how many people does the dev team consist of?
(one, two, a few?)
I don't want to move to a service which dies as soon as anything happens to its single creator. (I know a startup doesn't scale to hundreds of employees in a day, but it would be good to know where it stands and also what happens if the main maintainer cannot or does not want to continue maintaining it.)
And one more thing, has there been a security audit yet?
Folks, these comments are off-topic and we dislike coming here just to shut down the trolls and false information spread (which are clearly by new accounts most of the time).
We're not actively focused on an audit right now, as we have other more important and more urgent items to take care of.
Please keep your posts on topic and stop spreading misinformation, especially about a business' finances. Speculative comments aren't permitted on PG as far as we know.
Show us the data then? Please share insights as a public company and answer questions raised about employee count. I don't think it is too much of an ask for a company that wants to be trusted.
It is not strange that people become suspicious when long outstanding promises are not met.
On misinformation, the accounts raising concerns here actually are long existing members.
For what it's worth, I'm an ordinary customer (as in, I don't know that much about the technology) looking for a more private alternative to Office 365. Forwardemail has been on my list of services that may be a good option for email. The things that have caused me not to move my email to you are the aggressive attitude toward other legitimate services, the ongoing absence of an external audit, and having no information at all about who you are and who the "team" is behind your service. It looks like a potentially great service, from what I have seen trying it out, but these points mean that I can't trust you… yet.
You are highly overestimating the cost. Audits vary in price, but this is a huge overestimation.
Can you please elaborate on what you guys view as more important than verifying your claims of security and privacy? How does an audit impact your ability to take care of these items? Wouldn't it make it easier on you guys, since it may discover flaws you'd overlooked?
They are probably working on their product and servicing their existing customers' needs. They may not have the resources to give 100% to an audit. I'd rather they wait and give 100% focus to an audit so they don't half-ass it for a checkbox, but that means we will wait a bit longer.
And tbh, it's not clear what they need to do to be recommended. No one said "if you do an audit, we will add you", or at least that's what I recall. Even if they do an audit, it doesn't guarantee a spot on PG, so yeah, I'd also understand why they aren't hopping on top of it personally. As to them being recommended, I'd say an audit is a prerequisite, not a guarantee.
It should be noted, though, that on finances we require public ownership. Now, it does take an expert to find out who owns the company, and I cannot call this public ownership.
To clear up confusion, we'll answer a few topics/related questions:
How much does an audit cost?
Between 5K and 25K+ USD. It varies by provider, but most are around the 5-10K range. This cost is NOT a reason why we haven't conducted one yet. We have a few items on our own security checklist to do before initiating the audits, and as mentioned we have some other more important and urgent items to be done in the interim. To make the most use of the audit, we want to be 100% focused on it with the audit/pentest team conducting it, so we need as clear a plate as possible.
Public ownership?
We have publicly stated who we are a few times. Forward Email LLC is a Delaware-based company in the United States. We have < 5 employees and we're solely owned by its founder (me, "Nick"; Nicholas Baugh), writing this message. Others have found some of my old past projects in this thread above (which was nostalgic!). Forward Email has been my full-time sole focus since soon after inception. We're not hiding anything, and because of the sensitive nature of our service (email) we're not going to give you our home addresses. We're focused on product, not marketing right now.
Do you satisfy criteria for PG inclusion?
Yes, we do satisfy all the criteria for inclusion, as stated above (scroll up in this thread please); we went bullet point by bullet point through the PG guide/criteria:
- We also opened a PR so that mods didn't have to do the write-up on their own.
- We also made changes as requested in the PR as well over time.
- We implemented requirements such as WKD and ability to export as MBOX/EML, as well as other requests in this thread to meet criteria.
This thread has been temporarily locked due to high activity.