Privacy oriented email service suggestion other than Proton, Tuta, and Posteo

Ok, all, a whole new plot twist in this tale of domains and separate email hosting, so I’m starting a new thread to more closely align with this new line of questioning.

A couple of days back I hit up the help desk at Posteo about if/how to have them handle third party domain email, and this is the bulk of their reply:

“We understand your desire to have an all-in-one solution for both your emails and domain. In Germany it’s unfortunately not entirely possible to offer this without saving data. There have always been explicit exceptions for providers that exclusively offer email services regarding storage obligations that other types of providers are subject to. For example, there is an exception for email services in TKG (German Telecommunications Act) but also with the retention of data. Because of this, we only offer services that can be realised without collecting and saving personally related inventory data or traffic data. This includes email addresses with Posteo domains as well as an address book and calendars. As a matter of principle, we do not save any personally related data or traffic data to accounts in order to protect our customers (from data theft among other things). However, it is usually required for you to provide personally related data when registering a domain. If you were able to use own domains with us, we would need to save inventory data to your account and create a respective interface for automated queries from the authorities. This goes against our concerns for privacy and security. Because of this, we can not support own domains and focus on private customers. Because of regulatory provisions, there are only conventional providers in Germany (that store data) for the usage of own domains. If a service explicitly advertises with “data economy” or “with as little data as possible”, it’s recommended to have a look at their privacy policy. The term is unfortunately often used incorrectly with misleading advertisements. Usually it means that data is collected and saved regardless - even if on servers located in Germany, for example. Nevertheless, we have a few tips for you: If you would like to use an own domain, you should make sure that security features like DNSSEC (and therefore also DANE) are taken care of. Usually the maintenance of various security relevant components like SPF, DKIM, DMARC or other delivery functions with own domains are usually left to the user. These can not/should not be exclusively guaranteed by the provider. Admittedly, maintaining these technologies is generally not possible for most users. For example, DANE is very important. This technology exists since 2014 and it effectively prevents man-in-the-middle attacks. Without DANE, attackers (like secret services/hackers) can easily intercept the transport route encryption of your connection and read your emails. DANE is also the basis for a directive of the BSI (German Federal Office of Security in Information Technology) for secure mail transportation, of which we were the first provider to be certified."

Ok… so… that’s a no. A totally justified one, and one I totally agree with their stance on. And a far more detailed one than I was expecting. But ultimately, a no, they can’t host my third party domain email.

SO… I’ve left Proton, I’m leaving Tuta, and Posteo seems great in the brief time I’ve used it but is evidently out as far as a privacy/security-focused email service to use as a base to channel a new domain’s emails through.

What other services can you suggest?

I tried Fastmail briefly, but then found out – on a site I can’t recall, but a highly text-based site one where the owner does deep dives into email service EULAs – that they seemingly make exceptions to their privacy policy and say they may share data with third parties? Does anyone have any takes on if that’s the case (since these days I’m reluctant to assume that any one person’s take is necessarily entirely correct).

Thanks!

There are probably plenty of “feel Good for Privacy” email providers. The problem is that if they don’t implement E2EE, and do it well, it’s no more than a pinky promise.

Look for open-source, audited and E2EE providers. I guess maybe forwardemail.

You (maybe?) could use SimpleLogin to handle custom domain addresses forwarded to a Posteo inbox. Though this thread suggests that that might not work for some reason.

Have you tried AliasVault? Its developer lanedirt posts here.

Thanks for the feedback, all.

An interesting discovery when I’ve been looking around for yet another alternative for email service: I understand that both Tuta and Mailbox.org can handle custom domains.

Yet – and here’s the head-scratchy bit – both are based in Germany, like Posteo, which says they can’t/won’t handle custom domains.

Being told by one company that basically they can’t handle custom domains because it goes against their privacy standards combined with German law, but then finding that (as I understand it) two other privacy-oriented Germany email services WILL handle custom domains, is confusing.

I’m assuming it’s something in the nuances of what data they’ll accept managing, along the lines of one carrier saying they won’t handle your letters at all in order that there can be zero possibility of ever seeing their contents, and another carrier saying sure, they’ll handle your letters and just assure you they won’t look at the contents. Or something like that?

Anyway, I’ll be looking hard at mailbox.org today.

… and of course all of this is without having even looked at booking a new domain name.

*sigh

Before thinking about using mailbox.org. Please consider the points made in this discussions: Mailbox.org with severe authentication vulnerability through password reset

Thanks for that.

So then I’m back to hunting around. Any suggestions? Because here’s the summary of issues I’ve found with other options via looking through a ton of reviews:

Protonmail - Left them for political reasons.

Tuta - Currently with them and it’s flawed in various ways that are driving me nuts.

Posteo - Great service, it seems, but they don’t handle custom domains.

Mailfence - Based in Canada (yay Canada, but I’d really prefer something in the EU for data protection rights, also apparently has some security issues?

Hushmail - Canadian

Runbox - not encrypted at rest

Countermail - lacks decent customer support and some reports of problems with ease of use

Zoho Mail - geared more for businesses than individual use

Startmail - expensive, issues with limits on custom domain allowance

Fastmail - expensive, no e2ee, some servers based in the U.S. (which, again, I’m trying to avoid where possible)

There is the “new” (2020) Soverin:

There is also Disroot.org

Edit: Soverin doesn’t seem to have E2EE. Maybe Infomaniak?

Also, isn’t Mailfence Belgium based?

You beat me, I found this and was coming here to report it.

@Reay

What are the issue with Tuta? Is it something that maybe someone from Tuta that visits this forum could help address? @Tuta_Official

Mailfence is based in Belgium.

Runbox is now encrypted at rest, but it’s not zero-knowledge encryption.

Countermail is closed to new registrations at the moment, has been for a while.

I left them because they block registration via Tor Browser and because they delete your email account if you haven’t logged in at least every 6 months. Also, about 5 years ago, a German court ordered them to create a backdoor, but I don’t think Tuta ever actually ended up having to do that.

Thanks for these other places to check out. I’ll take a look.

See, this is why it’s good to do more research. I swear I read an article that said it was based in Canada, but now two of you have mentioned Belgium, so shows what I (and evidently that article writer) know. Thanks for correcting me on that.

The problems I’ve encountered (though I don’t know if it’s exhaustive), somewhat chronologically listed as well as my crappy memory can offer, and in increasing severity of issue:

• The browser template can’t be changed at all and isn’t laid out in a way that’s comfortable for me. It has the usual various folders in a column on the left, emails within the chosen folders in a column to the right of that, and then the email body itself to the right of that. But that ends up with your primary focus – the email itself – being permanently squeezed over well to the right (not even half the screen). Which is, for lack of a better way to put it, digitally ergonomically weird for me, having to have my eyes always looking to the right instead of more (or ideally totally) centred in order to read emails.
  Replying to emails opens a popup window right in the middle of the screen, which is much better, but that causes a new minor issue: I have my taskbar set to stay up permanently, but the reply window is so big the bottom of the window always tucked under the taskbar and I can’t, for instance, resize it without having to hide the taskbar to get at the bottom of the reply window.
• The email body being over on the far right of the screen also causes some issue with body text sometimes getting cut off on the right side of my screen. Very much as though the body copy field was somehow wider for the sender than it is for me as the recipient. This tends to only happen with newsletters, so it’s perhaps something the senders could fix on their end, but I didn’t have this problem ever with Protonmail, which has a more centred body copy view/wider window as you select individual emails. The only solution to this seems to be to reduce the zoom of my browser screen as a whole, which isn’t ideal as it of course affects everything else I do in the browser.
• The connectivity with their iOS app (the only one I’ve tried) is dodgy at times when no other apps have an issue with it. I’m sometimes told within the app that it’s disconnected and have the apparent option to click on Reconnect in the app, but that doesn’t always have any effect. Meanwhile, other apps will connect to the same data signal often without problem or at worst slower than usual but still faster than Tuta does.
  When I have that issue and tap on Reconnect, as often as not it simply doesn’t. I end up having to, as was suggested when I contacted the help desk, close down the app completely and load it again. Which does (usually) do the trick, but isn’t something I should have to do every time I want to check email, plus why the disconnect in the first place?
• Related to that, I recently discovered a disconnect issue on my browser version of Tuta as well. I took a quick video of it as evidence it case it was needed, which showed me clicking on the Reconnect link on the Tuta browser screen, and zero happening as a result. It ended up being the better part of a minute, all in, that I was clicking on that before anything finally reconnected/reloaded.
  I know I could’ve just reloaded the page within the browser tab to see if that worked instead, but I was trying to underscore the point that there’s a recurring disconnection issue happening with Tuta’s service that’s affecting both their app and evidently sometimes their browser as well.
• Recently I was trying to download some tickets from an email attachment, and it opened them as images instead of saving them to a download file somewhere. I contacted the help desk about it twice: The first reply was literally the person telling me that that’s not how the app should be behaving.
  That was it for the reply. Which we can all agree isn’t terribly helpful.
  When I politely (always politely) explained that very point, a second help desk person replied and explained that that’s how iPhones handle attachments, that it has nothing to do with Tuta at all. Which I then verified to be 100% correct, and so great, yes, thanks for making me aware of that. But one wonders why the original help desk response was anything but helpful and forced a user, already with a growing list of problems with the service, to do another lap around the help desk.
• The latest issue is that I took a quick video on my iPhone and tried to attach it to an email on the phone and Tuta said that it was larger than the allowed 25 meg size limit. I was surprised, as this was a pretty quick clip, so I checked on its specs and confirmed it was something like 8.2 or 8.4 megs. Shouldn’t have been an issue, I thought. But for good measure I converted it to a version with cut quality, so now it was just over 4 megs. Tried to attach it in a whole new thread, and was still told that it was over 25 megs.
  When I mentioned this issue to them, a help desk rep got back to me and said that they were able to recreate the problem and weren’t sure why it was happening but were working on it. That’s now several weeks ago at this point, and so far no update.
  I dug a bit deeper and found that iPhones default to record videos in HVEC format, which is a higher compression format than MPEG. And since this issue cropped up, I’ve learned there are email services that automatically convert HVEC to MPEG format before sending it, I assume for the convenience of the recipient receiving the more common video format. So I thought that Tuta may have converted it in the same way and that maybe it inflated to a pretty sizable file, but a quick poke around online suggested that HVEC is, yes, up to 50% better at compressing data that other modern formats, but that means that even as an MPEG, the original (let’s call it) 8.4 meg file would still be way under the 25 meg limit.
  All of this has left me with finding workarounds for sending any (non-iPhone) recipients my videos.
• [EDIT] Oh, and Tuta’s spam folder is pretty wonky. It picks up things sometimes that other times go to my inbox, and even when I’ve tried to add individual senders to a whitelist, they still seem to routinely get put into spam. Another thing I haven’t had to do with other email services – I think ever? – is routinely check spam for various messages from various senders that shouldn’t be there and keep moving them back to my inbox.

And to be clear, none of these are necessarily deal breakers for sticking with an email service (although for some, kinda…), but I’ve almost never had these myriad problems in decades of using various email services, let alone one place having all of them. Hence the looking for another service.

Thanks for the correction.

Runbox is now encrypted at rest, but it’s not zero-knowledge encryption.

Well… better, of course, but not ideal. Still, I’m learning that there doesn’t seem to be a perfect solution for what I’m hoping for, so a good one may have to do. At least for now…

Thanks again.

Are there any other providers who can have custom domains AND automatic zero knowledge encryption with PGP?

I’m aware of:

• Mailbox.org
• Protonmail (note: forced to use their app on mobile)
• Forwardemail
• Disroot
• Wölkli