Forward Email (email provider)

@ph00lt0 Please read https://forwardemail.net/blog/docs/best-quantum-safe-encrypted-email-service as this contains all information about how the entire system works. The passphrase to your database is your IMAP password, which is only available to and stored by you. Everything is done in-memory, and your password is not written to disk anywhere.

Thanks will do

To anyone that discussed Skiff earlier in this post, they’re shutting down and turning off service for all users in 6 months. See https://skiff.com/data-migration.

Unlike Skiff, we’re not shutting down, and we’ve been true to our marketing messages since day one. Hopefully these two PR’s can get merged now:

• https://github.com/privacyguides/privacyguides.org/pull/2398
• https://github.com/privacyguides/privacyguides.org/pull/2358

I’m probably gonna hop in and try your service as, IMO, you seem like the best IMAP host.

Two questions though:

1. I noticed that you’re using CloudFlare for the login. Is this just to check if the user is a bot, or are you using it for the login and stuff as well? From what I’ve read, CloudFlare is essentially a MITM that breaks E2EE.
2. Any plans of making this article less… let’s call it, advertiser-like?

" We recommend Forward Email as the best private email service." - Written by the Forward Email Team

^ That comes off as unprofessional to me. Of course you would recommend your own service! Simple solution IMO is to just remove the “We recommend Forward Email” part. It’s also kind of superfluous seeing as you’re steamrolling everything else in the comparison list.

To make it less biased, maybe you’d want to add a field for when the services started? Which year I mean. If I’ve learned one thing from having used Criptext/Telios/Skiff over the years it is that trusting brand new services will result in disappointment.

Apologies if I’m blunt here, isn’t it a bit dubious to use the phrase “open source” to describe your project when it mainly uses the Business Source License, which is not OSI approved?

Apologies if I’m blunt here, isn’t it a bit dubious to use the phrase “open source” to describe your project when it mainly uses the Business Source License, which is not OSI approved?

If you read the BSL, it converts to MPL. The only stipulation with our license is noted in the disclaimer of it (can’t launch a competing service basically). We may entirely convert to MPL in the future (we have to use MPL right now due to EUPL used in some dependencies), otherwise we’d be MIT.

1. I noticed that you’re using CloudFlare for the login. Is this just to check if the user is a bot, or are you using it for the login and stuff as well? From what I’ve read, CloudFlare is essentially a MITM that breaks E2EE.

It’s just Cloudflare Turnstile! This is used to check if it’s a bot. We are not fans of hCaptcha nor reCaptcha, and all other alternatives were not privacy-focused or involved incredibly frustrating and non user-friendly AI-generated puzzles.

2. Any plans of making this article less… let’s call it, advertiser-like?

We don’t have plans to remove that (yet) because these pages are targeted for SEO traffic, where someone new visits and might think we’re recommending a competitor or a sketchy closed-source service; which we’d never do.

Since we haven’t posted here in a little bit, I’ll just note quick that @dngray and I are both currently testing out this service separately, and I’m sure if either of us have additional questions we’ll post them here

@forwardemail do you have free plan on your domains? AKA “shared domains” as Anonaddy or SimpleLogin provides?

do you have free plan on your domains? AKA “shared domains” as Anonaddy or SimpleLogin provides?

We don’t offer any domains for free as this opens up the door for abuse, spam, and a multitude of issues. However you can bring your own domain and use our service completely for free. For a comparison of the plans, see https://forwardemail.net/en/private-business-email?pricing=true.

Any user on a paid plan can access vanity domains we provide such as hideaddress.net, mailsire.com, secret.fyi, and hash.fyi. For example, you could get rocki@hideaddress.net.

Hi folks

We just made a coupon code that gives 100% off first-time customers for one month on any of our paid plans. Note that we already have an instant and automatic + no-questions asked 30-day refund policy

Try us out at https://forwardemail.net with coupon code PRIVACYGUIDES, which is applicable to any paid plan.

Thank you,

Edit #1: If this is not permitted in PG just let us know and we can remove this or take it down.

Edit #2: Also there’s a new and honest review posted on Trust Pilot from a customer we’ve had since 2020, see https://trstp.lt/I0yu1g8Rk.

Still looking at this, and so far the paid plans are looking good.

One of the biggest problems with listing this in my eyes is that the free plan does not adequately protect people’s privacy (which you know, since you sell “secure inbox privacy” as a separate feature). I would not want readers signing up for Forward Email’s free plan thinking that it provides equivalent privacy to an aliasing service like SimpleLogin or Addy.

Context for readers here: On the free plan, the email mailbox you are forwarding to is stored in your domain’s DNS settings. This means that if I forwarded alias@my-domain.com to my-mailbox@protonmail.com for example, anyone could find out my real email address is my-mailbox@protonmail.com with a DNS lookup.

One possibility is that we would add a warning to the recommendation about this issue and specifically recommend against the free plan. On the other hand, we usually require all product offerings from a company meet minimum standards. A point about bundled services where not all services qualify was recently brought up here: Avoiding the next Skiff - #123 by DaffyDuck

Interested in people’s thoughts.

I can only apply the code for subscription not one time which I of course understand if you are doing it for spam protection or plan continuation.

checking in with you just in case.

I think most people can invest 3$ if the service is GOOD. Addy provides unlimited domains and simple login provides unlimited bandwidth. Both are complementing each other.

We can list forward email as a “bonus” on the page and put a warning in red that you need paid plan and free plan gives you privacy against automatic tracking but 0 privacy against manual (though automatic systems may include DNS scanning in the future, hope nobody designing those reading this)

Unless automatic systems already have DNS scanning, that would be funny.

Privacy features should be standard. Only features should be restricted. If the free plan doesn’t meet the standards, then we shouldn’t include it, even if the paid plan meets the standards. At the end of the day, people are going to make a list of PG-recommended tools, so the nuance will be lost.

The simplicity of the service is plaintext forwarding (DNS-only, no signup required on our side, at all). This is what our service was originally built for (it was originally just a README on a GitHub repo that said “put the TXT and MX to this and that”, and you’re set.

That said, given this feedback, we will look into having a tool to encrypt a plaintext version using our public key.

You do require a signup now for the free plan though, don’t you? Or am I missing a registration-less option you offer as well?

Let us know what you decide to do, I’ll continue testing in the meantime.

No signup is required, you could follow along our FAQ and just do the following DNS changes for yourdomain.com:

MX records: mx1.forwardemail.net and mx2.forwardemail.net
TXT record: forward-email=jonah@gmail.com

Then any email address, e.g. foobar@yourdomain.com would get forwarded to jonah@gmail.com. It also supports foobar+somefilter@yourdomain.com too. There’s a ton of options/examples in our FAQ too, and we even support regular expressions and webhooks – on the free plan too.

That’s it, no signup required. We have an automated tool to verify DNS records and by signing up you also get our automated system to check routinely and ensure your DNS records are valid (e.g. in case you modify DNS or transfer registrars, etc. - there’s so many edge cases). We tried to dummy-proof even the free plan (for free) through a ton of automation. For example, if you sign up on the free plan and click Verify Records, behind the scenes our code (which you can view on GitHub), will automatically request Cloudflare to purge the DNS cache on their side for your domain’s NS, TXT, and MX records.

Will do. We will try to have this tool shipped by tomorrow.

I see, I didn’t realize the guides in the FAQ could be followed without signing up for the free plan first.