Posteo (email provider)

I’ve been doing an in-depth exploration of private email providers. My conclusion is that Posteo is the best.

There are 5 reasons in the links above for rejecting Posteo, none of which hold up. I shall respond one by one, and in doing so, demonstrate the advantages of Posteo.

  1. ‘Anyone can spoof posteo domain because it lacks DMARC policy’

This is not true. SPF/DKIM signatures prevent spoofing… DMARC seems like an additional, unnecessary tool. Nevertheless, Posteo does have a DMARC policy of either “none” or in some cases “quarantine”.

(Edit: My mistake. Posteo actually has a “none” policy except for its own mailing list domain. This is in contrast to the PrivacyGuides requirement of a “quarantine” or “reject” policy. However, they are following the recommendations published by DMARC, which suggest (albeit in an incoherent way) that a DMARC “none” policy is appropriate for mailbox providers who prioritize their ability to identify misbehaving users over protecting outbound mail flow from fake emails. This makes sense because there’s no point in misbehavers sending fake mail when they can easily set up an anonymous account, and because DMARC-protected mail doesn’t always survive forwarding, meaning users may not receive mail they should receive.)

I think the DMARC requirement of PrivacyGuides should be altered accordingly.

  2. ‘Posteo recycles email addresses’

It only recycles email addresses which were manually deleted by users, as it never automatically deletes email addresses. (See “What happens if I do not add credit in time” here.) Mailbox on the other hand, recycles all deleted email addresses, including those which it automatically deletes after users don’t pay.

  3. ‘They have no anonymous payment option’

Yes they do. Cash. Unlike Tutanota.

  4. ‘Posteo does not offer custom domain’

I find their justification absolutely valid. Custom domains cannot be owned (although they can be hired through a proxy, which defeats the purpose of using a custom domain for email) without disclosing personal information. Allowing custom domains would oblige Posteo to collect this information. Although this information can be hidden through an MX record, Posteo would still need to store the domain assignment, which conflicts with its commitment to privacy.

PrivacyGuides isn’t about recommending the most feature-rich services, but about recommending the most private functional services, and equipping readers with the information on what compromises are made when less private services are used. A custom domain is such a feature, which requires compromising either anonymity or agency. This should be made clear to readers of the Guide, and the custom domain requirement should be dropped.

  5. ‘We have 4 excellent providers already. Posteo has no advantage over these other providers.’

I disagree.
Firstly, Skiff was removed and there was a call to prevent PG from recommending providers who lacked a long-term commitment [to privacy]. I think Posteo’s decision to not allow custom domains, and its strong commitment to transparency, demonstrate it to be the opposite of Skiff in this sense. Posteo is not interested in becoming the most feature-rich provider and marketing itself as such, as all of the other providers try to do. Their marketing communicates one thing to me: “We promise a functional, secure and private email service. This is our sole focus. We have one job and we want to do it right.”

Secondly, Mailbox. Here, I think Posteo is most certainly the better option. As explained in a previous post, Mailbox not only seems to fall short of PG requirements for DMARC, but its policy and decision making seem obfuscated. Plus, their OpenPGP seems not to work for custom domains and aliases, and requires users to give them the keys. I say “seem” because their communications are too long-winded and messy to actually understand what they’re doing. In their forums, people complain of this, and have been dismissed by their unprofessional CEO, who cares more about adding pointless features like video-calling support instead of fixing its crappy 2FA, web interface, and DMARC. If Posteo isn’t recommended, Mailbox has gotta go. I will die on this hill if I must.

Then there is Tuta and Proton, which are both fantastic. Nevertheless, Posteo has an advantage over Tuta in its IMAP support, though this comes with the usual IMAP (lack of 2FA) security risk. Proton mitigates this with the Proton Bridge. Posteo mitigates this by allowing users to disable IMAP support. Mailbox does nothing.

But what makes Posteo the best, as I said initially? Well, it’s the most economical. It does what it’s supposed to do without any baggage. I know PrivacyGuides values privacy over price, but when you compare their offer to the rest, it is clear to me that Posteo is a serious player with a proper ethical vision, valuing sustainability over growth.

Monthly costs (in euros, as they are all Europe based)

Mailbox: €1 for 2GB and 3 aliases | €3 for 10GB and 25 aliases | €9 for 50GB and 25 aliases

Tuta: Free for 1GB and 1 alias | €3 for 20GB and 15 aliases | €8 for 500GB and 30 aliases

Proton: Free for 1GB and 1 alias | €4 for 15GB and 10 aliases | €10 for 500GB and 15 aliases

Posteo: €1 for 2GB and 3 aliases | €0.10 per extra alias & €0.25 per extra GB

Posteo is like the Mullvad VPN of email. They adopt a logical ‘no bullshit’ approach.

This is buffered by the fact (as mentioned in point 2) that they do not automatically delete user accounts/data if subscriptions aren’t paid. They merely block the account from sending mail, meaning your super important incoming mail will still be received while you’re behind bars or lost in the desert, a deal none of the other providers can offer with their relatively profit-driven plans.

Maybe Proton or Tuta is better for businesses or for those who want more features. But I firmly believe Posteo is the service which most strongly aligns with the ethos of PrivacyGuides.

(Edited: typos, reworded minor things and added additional paragraphs for 1. and 4.)

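The DMARC discussion in point 1 hinges on the difference between a “none” policy and the “quarantine”/“reject” threshold PrivacyGuides asks for. The following added example (not part of the post, and not any provider’s real DNS data) parses a DMARC TXT record and checks whether its effective policy, including the subdomain policy (sp=, which falls back to p=) and the pct= rollout percentage, meets a given minimum; the sample records are constructed.

```python
from dataclasses import dataclass

# Policies in increasing order of strictness, as defined by RFC 7489.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

@dataclass
class DmarcPolicy:
    policy: str            # policy for the domain itself (p=)
    subdomain_policy: str  # policy for subdomains (sp=, defaults to p=)
    pct: int               # percentage of failing mail the policy applies to
    has_reporting: bool    # whether aggregate reports (rua=) are requested

def parse_dmarc(record: str) -> DmarcPolicy:
    """Parse a DMARC TXT record into its effective policy settings."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        raise ValueError(f"invalid or missing p= tag: {policy!r}")
    sp = tags.get("sp", policy).lower()
    if sp not in POLICY_RANK:
        sp = policy  # an unparseable sp= is ignored; p= applies
    pct = int(tags.get("pct", "100"))
    return DmarcPolicy(policy, sp, pct, "rua" in tags)

def meets_minimum(rec: DmarcPolicy, minimum: str = "quarantine") -> bool:
    """True if p= and sp= are both at least `minimum` and apply to 100% of mail."""
    need = POLICY_RANK[minimum]
    return (POLICY_RANK[rec.policy] >= need
            and POLICY_RANK[rec.subdomain_policy] >= need
            and rec.pct == 100)

# Constructed sample records (hypothetical; not taken from any real domain).
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "strict": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.invalid",
    "lax-subdomains": "v=DMARC1; p=reject; sp=none",
    "partial-rollout": "v=DMARC1; p=quarantine; pct=25",
}

def evaluate_samples() -> dict:
    """Map each sample name to whether it meets the quarantine-or-reject bar."""
    return {name: meets_minimum(parse_dmarc(rec)) for name, rec in SAMPLE_RECORDS.items()}
```

Note that “monitor-only” still requests aggregate reports, which is the configuration the post argues lets a mailbox provider identify misbehaving senders without affecting delivery.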