Skiff Mail (Email Provider)

I completely understand the marketing articles issues you cited. This is a weakness for most companies overall and is below our standards. I will see what we can do, but please know for sure that the marketing writers are not the ones writing or determining any policies - they are tasked with making complex topics digestible.

I will see what we can do on ciphers.

We did change the policy for marketing/product updates, and we added a setting in-app to fully opt-out as well! That should have been clarified above a few times as well. You can go to settings → notifications and toggle off.

I can also see what we can do on the dmarc policy monitoring. I think this point is still debatable because dmarc violation uses public data, but it is worth a conversation.

Overall, thank you for taking the time to help us out! This thread has inspired a ton of technical changes on our team, as well as many upcoming positive updates - and even hiring a new team member.

3 Likes

I’m going to propose removing this criteria. The criticism of the ECPA is that it doesn’t protect email communications enough, but we already consider unencrypted communications stored with service providers to be unprotected anyways, so I’m not sure why we care whether the ECPA protects emails stored on a remote server or not. With mandatory zero-knowledge encryption, we don’t have to rely on laws protecting that data.

5 Likes

yes fully agree.

2 Likes

Yes, this is from before we had a requirement that all providers must be zero knowledge. It’s also why I put in Remove Startmail, as it's not zero-knowledge by dngray · Pull Request #2166 · privacyguides/privacyguides.org · GitHub

1 Like

One minor question. I can’t find anything about your site about what a “short alias” is. Everything else on your “Pricing” page is pretty self explanatory. I don’t suppose you could put a question mark that shows a hover with some info or something like that?

1 Like

Good idea, can do that. It’s a 4-5 character alias (like john@skiff.com). Those aliases are much more sought after, so we don’t want them to just go to bots or people who might try to resell them!

1 Like

I’ve been skeptical of the Skiff service too, and I’ve been following this thread since the beginning, and honestly, I think the company is doing it’s very best to improve and fulfill all the requests, thus learning and improving their product each day. The main dev seems rational and to be fair, I don’t understand why this thread is being dragged out so much, shouldn’t it be approved already? The patience @amilich is showing and willingness to keep improving has earned my trust, I’m migrating to Skiff and see how it further goes. I hope everyone keeps being objective regarding this thread aside from their personal feelings, also i’m not a professional, but I’m learning from everyone their perspective and information that is being shared not only here but on the whole platform, so thank you all for that.

Just my humble opinion.

5 Likes

There’s already a PR on GitHub to add it:

4 Likes

I appreciate your feedback on this, didn’t know it was already on the pull-request in GitHub, great to hear that! :tada:

5 Likes

I do think we meet the criteria now… anything else you want us to post or clarify? We’ve fixed the marketing email issues (see screenshot).

We also put up an annotated security model to make it more easily digestible: Skiff – Security Whitepaper - Read more and are working on a lot more documentation.

1 Like

English is not my native language. Therefore, if my speech seems aggressive, arrogant, or obscure, I ask you to forgive me.

When I created the account I received the marketing emails containing what I believe are tracking links from Sendgrid. This frightened me, because my own private and secure encrypted email provider, at first contact, sent me a marketing with opening-click tracking.

For me, it is “okay” to receive marketing about the product, as long as my click IS NOT tracked in any way.

See, the product offers protection against tracking external content (image), but sent me a tracking “pixel”.

I’ll check it out soon. In any case, in the first place, Skiff must ask for permission to send the marketing emails, rather than offering a opt-out option.

Preferably without suspicious link in the images, or overlapping some button related to another Skiff product, which is being shown within the email.


Another point I want to address is this tracking protection and blocking external content. I searched the site, despite this, I did not find enough information.

What happens when I activate the automatic loading of external content? What does the proxy protect me from, exactly? Does it take out tracking content, such as Proton, and hides my IP address? What security do I have when not blocking the loading of external content, when I received an image with tracking from Skiff?

I want to reiterate that I am a lay user, without technical knowledge, but concerned with security and privacy on the internet. Therefore, it is impossible for me to follow his advice, unfortunately. And I didn’t find any information accessible on the site about how this proxy works.

I did the research without being connected in an active session on my account in order to test what a possible future customer would see. But even in active session, when searching for the proxy, the information was insufficient for me.

As a customer, I would like to see something similar to that, direct information about how the resource works.


Finally, I found this. How does it work? What data is sent - and where is it sent? What is the source of leaks? This resource needs transparency.


Finally, a possible request for appeal: Plans for universities, schools, non-profit institutions, and others.

I believe there is some potential for gain in this, whether it’s marketing, users, or money.


As a user, a remark. While the discussion here was useful for product improvement, manifestations like that in the Notesnook post can be harmful to the company’s image. I was able to read before she was hidden by moderation.

Andrew Milich, you did a good job of keeping this post alive. However, in the case of the Skiff Page, the requirement is simpler to be met - and simply was not, and the product could already be approved.

Other than that, I leave my thanks for the improvement in the product. I want there to be other private product options and Skiff has my vote in every way. Thank you for your willingness to improve the product by listening to feedback from members of this forum.

Given the removal of this criterion, with votes from other members of the Privacy Guides team, I believe there are few obstacles for Skiff Mail to finally be recommended as a private service. Good news! Good news!

1 Like

Thanks for the detailed comment - a few clarifications:

  • There is no auto opt-in. You’ll receive product updates to your newly created Skiff Mail inbox that are opt-out. This is standard for every email provider I have tested. The backup email updates have been changed to be opt-in. If you scroll up, we had fixed this for new accounts a few months ago, which was a good change.
  • SendGrid rewrites images and link URLs but we never add tracking of any capacity. No image/link tracking has ever been done.
  • Yes, image proxying blocks your IP address and any other personal information, exactly how the Proton feature you linked to works. This is quite standard and important, or your IP could be shared with a third party.
  • Blocking external content fully would shield the fact that the content - which could be an image, a GIF, a font, or a style sheet - was loaded at all. Often, loading an asset happens when opening an email, which makes this feature useful for hiding the fact that an email was opened.
  • We actually do have a thorough blog on this: Block trackers and remote content on Skiff Mail - Read more
  • The have-i-been-hacked page uses public breach data, mostly from https://haveibeenpwned.com. This was discussed on Twitter, and that site is an incredibly well respected resource among security researchers. No data from this page is ever collected or stored, which is clear in our privacy policy.
  • We actually do have 50% discounts for students. We had this on our old website.

On Skiff Pages, I don’t know what you mean. Skiff has been audited 3 times and will be audited for a 4th time at some point in the next year. See: Skiff – Transparency - Read more. I was responding to incorrect information that has always been incorrect. We did not launch our products without a complete security audit of our codebase, infrastructure, dev practices, and more. Given the customers we have, releasing an unaudited product would be against my personal ethics.

I think we are now the most viewed, most replied, and potentially the most voted-for thread on the forum - so I’m happy to keep clarifying any questions but also would like to know what impediments might exist!

1 Like

That’s great!

No problem with the marketing email of the product itself, it was just an unpleasant surprise to pass the mouse to see another Skiff product and have “sendgrid click” with an extensive hash, etc.

It only happened in the Skiff and it was my first bad experience. I felt betrayed.

I have been with the discussion since the first post. My account does not use backup email.

Perfect, perfect!
It is valid to make a specific mention of this site feature in the privacy policy or on this same page, with this same explanation that you gave me. It is a shield of law that protects you.

I am thinking more about partnership with Universities and other institutions, something great. But, I believe this will come in the future, with the growth of the site and better location in other languages.

I disagree with a few things, and consider that the comment on the Notesnook page was unpleasant and unnecessary. You are doing well here and the service is improving. About Skiff Pages, just one requirement - open source.

Clients must be open-source.
Any cloud sync functionality must be E2EE.
Must support exporting documents into a standard format.

The audit is excellent. But the least is just open-source. I believe that Skiff Pages could have been being recommended long ago if it had been fulfilled.

Thanks for the answers, you have restored my trust in Skiff services.
I will return to use and recommend the product among my partners.

2 Likes

Yes, I completely understand the open-source requirement. I think Skiff Pages will be open-source very soon. We fully open-sourced the editor here: skiff-apps/libs/skiff-prosemirror at main · skiff-org/skiff-apps · GitHub

3 Likes

@amilich I’m currently switching from ProtonMail and looking for an alternative. What I’m looking for is an email service that cares enough to let me download Android app without the Google Play Store and receive notifications without the Google Play Services. So I want to ask if Skiff would work for me.

1 Like

On the topic of notifications, how are notifications currently handled on android? If using google’s push service, is google able to read the notifs? @amilich

1 Like

Not sure about Skiff, but at least Tutanota checks both of your criteria.

1 Like

No notifications without google services for skiff and proton. Only Tutanota works.

1 Like

This is something we hope to work on. You can download our APK from skiff-org.github.io/assets/apk at main · skiff-org/skiff-org.github.io · GitHub (we need to update for the last 2 releases) but it does not have full notification support yet.

1 Like

Note this is now up to date.

1 Like