Hi there folks!
As far as we can see, the only concerns regarding our service in this thread for the expressed Privacy Guides inclusion criteria having been met are the following:
- An independent security audit
- How the free plan did not encrypt your forwarding configuration (privacy even on free plan was requested)
- Export as EML/MBOX
Rest assured, we’ve resolved (2) and (3) completely — and have plans for an audit… keep reading!
Criteria Concerns
1. An independent security audit
Regarding the audit: no service out there (other than us) is 100% open-source. Others advertise as open-source, but they aren’t. Take Skiff for example, they advertised as open-source, but only their front-end was. And then they shut down.
Another is Proton Mail, and yet again, only their front-end is open-source.
Other providers advertise as having an audit, but if you look closely, either it’s never been published (e.g. Skiff) or they only have listed vague information on their website about the audit.
These “other providers” are already listed in Privacy Guides too. Additionally, the top recommended provider of Proton Mail has yet to publish an audit of their back-end. This was already discussed previously in this thread:
It’s one thing to audit front-end apps, it’s entirely different (and should give some serious concern) to not publish back-end source code nor an audit of the back-end infrastructure, and claim to be privacy-focused and open-source when it comes to user’s email and private data. Here is Proton Mail’s page on being open-source (front-end only).
Mullvad is a perfect example of this done right. We take a lot of inspiration from them with everything they do (and we’ve read every one of their audit whitepapers). We’ve even used them as inspiration for our ansible scripts through these published audits and their related blog posts.
Note that we do have plans to conduct an audit. We’re trying to complete some other more pressing items right now in advance of one – and as mentioned earlier in this thread, we’ve already prepared this list of security audit and penetration testing companies we’re looking at. We’ve already reached out to some of them including Cure53 to obtain pricing and more information.
Lastly, it’s simply not part of the criteria to have an audit. See the discussion at https://discuss.privacyguides.net/t/forward-email-email-provider/13370/30. This isn’t going to deter us from obtaining one though – and we hope that isn’t a reason for exclusion from being listed on PG’s recommended email services.
2. How the free plan did not encrypt your forwarding configuration (privacy even on free plan was requested)
As of July 2024 we now support TXT encryption even on the free plan. Throughout our website, FAQ, and guides, there is an “Encrypt” button (even on the free plan) and a dedicated page at https://forwardemail.net/encrypt which goes into detail on this. All users, regardless of how much they pay (even $0), can hide and mask their email forwarding configuration and email addresses/webhooks/ports/domains/regular expressions.
Additionally we’ve published our GDPR and DPA pages at https://forwardemail.net/gdpr and https://forwardemail.net/dpa respectively. We took a lot of care (and time) to publish these and be sure to list all of our sub-processors (we only have 5):
Cloudflare (US; DNS, networking, and security provider), Vultr (US; hosting provider), Digital Ocean (US; hosting provider), Stripe (US; payment processor), PayPal (US; payment processor)
Unlike others, we don’t even use any third-party tracking/analytics software (e.g. we don’t use Plausible Analytics, Google Analytics, or anything similar for telemetry). We even built our own logging system using our tools Axe and Cabin, our own job scheduler called Bree, our own DNS over HTTPS layer called Tangerine, and our own Spam Scanner. Our goal is to have as few SPOF as possible, all open-source.
3. Export as EML/MBOX
One criteria/bullet point that this thread didn’t give any attention to yet that we wanted to bring up was exporting as an EML/MBOX file:
- Export capability as Mbox or individual .eml with RFC5322 standard.
We already did support this (in a sense, albeit not the easiest) – but at anytime a user could export their mailbox using Thunderbird (e.g. set it up in Thunderbird, download their message over IMAP, and then export).
We have a migration guide as well and users could already download their raw encrypted SQLite database file at anytime as well (or a backup) and open it with SQLite Studio for inspection.
BUT we just went one step further and just now deployed a new feature to production!
You can now export EML files directly in Forward Email for any of your mailboxes. MBOX is coming soon. At no point in time is your encrypted database leaked on disk during this export process. We use in-memory streams and AES-256 encryption with your password on the ZIP file, which is only available for download in Cloudflare R2 for 4 hours with the download link provided over email.
Here’s a few screenshots:
Source code: https://github.com/forwardemail/forwardemail.net/blob/1798cab7e78270b9f4dd4b93d04bcca9298eb7b7/helpers/worker.js (see backup
function)
In conclusion
All other criteria listed has been met. We’ve already established in earlier comments that we’ve met them; see these comments https://discuss.privacyguides.net/t/forward-email-email-provider/13370/24 (and before/after comments).
Our pull request is still available at https://github.com/privacyguides/privacyguides.org/pull/2358. We’re happy to make any changes necessary or update/rebase it as needed.
Hopefully this post gives you the confidence in our service (and our participation over the past year+ too here on PG)!
If there is anything more we can do to get your support for inclusion, or anything we’re missing, please do let us know!
For your consideration!
Edit: Also – we’re only 3 years younger than Proton Mail / mailbox; been running since 2017.