Skiff Mail (Email Provider)

I simply wanted to point out that it’s a possibility for a US hosted email service. It doesn’t seem to be a possibility for a Swiss service.

Then again, it’s also a risk for Tutanota as we’ve seen in the past and I don’t think that’s listed anywhere on PG.

Perhaps most worrying is that in the US with Lavabit they were given a gag order and very little opportunity to fight back against it.

They also didn’t settle for a one person backdoor like with Tutanota. Instead they wanted a backdoor for any and all incoming messages.

Just to add a note here: I can confirm Skiff Mail is still sending marketing emails to the address specifically designated as a recovery email.

6 Likes

From their privacy agreement:

We may use information to market and advertise our products to you directly if you have signed up for the services and/or provided us with your email address. This includes marketing via email campaigns and notifications within the Platform. You can opt out of direct email marketing messages from us by clicking the “unsubscribe” button included in the footer of the emails we send you. For more choices about use of tracking technologies for advertising more generally, please see “Your Privacy Choices” below.

I would like to point out a serious issue with Skiff Mail which I believe should be fixed. In particular, once you adjust the settings of Skiff Mail, under the security section, you could select block remote content. The first problem is that it is not turned on by default. The second problem is that once I selected to block the remote content, on the next day, on a new login session, it was again turned off, meaning it was reversed to the default state. Unfortunately, on every single new login, the setting to block remote content is disabled. For a privacy-respecting and a secure email provider, it is an issue.

2 Likes

Hi there,

We currently don’t sync settings as these preferences are stored locally. You’re likely using a private window so these settings are reset. We are about to launch an improvement to sync user preferences so they are saved into your account. This should be out within a few days if not sooner.

1 Like

This has been resolved for about 6 weeks now. Any new account since then will not receive any emails to any non-Skiff email address. Note there has always been an option to unsubscribe.

1 Like

FYI, these emails are weekly update emails and are not marketing related. For example, we announced “Skiff Mail” and “Skiff Calendar” via the email addresses people used to sign up. As I’ve written above, these emails were required before Skiff was even an email provider.

PG team - does this complete the criteria you were looking for? We’d still love to be recommended (and would also definitely want Skiff Pages/Drive/Cal to also be on the list). This thread seems to have a lot of views but not much in recent updates.

1 Like

Any updates?

2 Likes

Got it. Thanks for the detailed feedback! Chatting with the team about getting rid of the backup MX.

1 Like

Alright, I’ve come up with another question lol

https://skiff.com/mail says “unlimited aliases”, but your pricing plans only let you create up to 15 (on business), so what is unlimited?

You can create unlimited aliases on any custom domain.

1 Like

We removed the backup MX! Thanks for opening the draft PR. We appreciate all the feedback.

I am going to jump in this conversation again. Because in my opinion Skiff is a well marketing solution but in no way sells that they understand what privacy means.

I was called out by this @amilich for not understanding the GDPR. While I work with the GDPR on a daily basis and have been studying this and working with this regulation before it was introduced. However, interestingly the website of Skiff is only spreading misinformation.

Some quotes from the website that are pure misinformation:

Under privacy laws like the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States, websites are required to obtain explicit consent from users before collecting and processing their personal data, including information collected through tracking cookies. (What is device and browser fingerprinting? - Read more)

This is not true at all. The GDPR doesn’t even mention tracking cookies. Big misconception. All tracking methods are equally treated. It basically suggests that it may not be illegal, while it definitely is. This ‘privacy’ company just repeats bullshit arguments from the ad business.

The EU’s General Data Protection Regulation (GDPR) and California’s new Consumer Privacy Act (CCPA) both went into effect in 2020, establishing strict new regulations around data privacy.
(How to send anonymous and secret emails - Read more)

The GDPR came into effect on 25 May 2018 and was introduced on 14 April 2016.

Yeah, we are GDPR compliant. Skiff collects no personally identifying information on signup (although you may optionally provide a backup email).
(Reddit - Dive into anything)

Impossible. Skiff does not have an EU representation, which is required. Therefore they cannot be “compliant”.

I believe I have seen similar statements on the website before but I cannot find them anymore.
Only notable is that on Secure cloud storage—a buying guide and five providers reviewed - Read more other providers are mentioned to be ‘GDPR compliant’ but in the Skiff section nothing is mentioned about this.

It also might be good to point out that GDPR compliant doesn’t really mean anything:

I honestly hope you will take this up @amilich and I hope that your company will actually learn from this and keep improving. The changes made are positive and I do want to highlight that. I just personally think your business is not focussed on pure privacy unlike how you sell it. I hope this will change and Skiff has a cool product but I am sceptical of your intentions.

Also I received your latest product update spam on my recovery email this very night. So this still has not been fixed.

3 Likes

As I wrote above, it was fixed 6 weeks ago for all new accounts and we have not received a single report of an issue. For all existing emails, you have had the option to click unsubscribe since the first product update you received.

I don’t think a GDPR discussion will be productive here but note that the quote you stated as “misinformation” does not do anything you say it does. It says, as you state, “websites are required to obtain explicit consent from users before collecting and processing their personal data,” which is correct.

Once again shows you do not understand the problem. You still refer to opt out. I will not opt out of your emails, I never opted in so why should I opt out? You should just stop sending mails to people who did not consent. If you cannot differentiate them you will imho have to ask everyone for consent and stop sending emails to those who did not ask for it.

I am also not going to reply to your other reply on GDPR any further. You comment on half of the few examples I gave and fully neglect the actual pointed out issues.

1 Like

Also still other DNS issues appear with Skiff.

This one I did not see before, but may have missed it, but currently: dmarcdigests.com is used for RUA DMARC aggregate reports. Seemingly this company didn’t mind to share this data with Active Campaign. Before they shared it all with easydmarc.us. But this surely is better ( :upside_down_face: sarcasm).
This probably will be once again a, surprise, new requirement for you @amilich, but other providers do not have these practices.

Old one: Skiff still uses ECDHE-ARIA256-GCM-SHA384 for SMTP

We use RUA reports to monitor for DMARC failures. These reports are sent on an opt-in basis by recipients.

We ask the recipient inbox provider to send these reports to dmarcdigests to monitor for impersonations of skiff.com (someone trying to take our product down) and DKIM reply attacks, which we have experienced.

Thanks!

Recommended highly by external auditors.
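
An added illustration of the DMARC aggregate-report (RUA) point raised in the posts above; it is not part of any post in this thread and not Skiff's code. It parses a DMARC TXT record, lists `rua` destinations outside the policy domain, and gives the DNS name where RFC 7489 section 7.1 expects the receiving third party to authorize those reports. The sample record and mailbox names are constructed; only the two domain names come from the thread.

```python
# Added example: audit where a DMARC policy sends aggregate (rua) reports.
# Simplification: "external" is judged against the policy domain itself,
# not the Public Suffix List based Organizational Domain used by RFC 7489.

def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def report_domains(tags, tag="rua"):
    """Return the lowercased domains of the mailto: URIs in a rua/ruf tag."""
    domains = []
    for uri in tags.get(tag, "").split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            continue  # RFC 7489 only defines mailto: for report delivery
        address = uri[7:].split("!", 1)[0]  # drop optional "!10m" size limit
        domains.append(address.rsplit("@", 1)[-1].lower().rstrip("."))
    return domains

def external_destinations(policy_domain, tags, tag="rua"):
    """List (destination, authorization record name) for report destinations
    outside the policy domain, per RFC 7489 section 7.1."""
    policy_domain = policy_domain.lower().rstrip(".")
    findings = []
    for dest in report_domains(tags, tag):
        if dest == policy_domain or dest.endswith("." + policy_domain):
            continue  # reports stay with the domain owner
        findings.append((dest, f"{policy_domain}._report._dmarc.{dest}"))
    return findings

# Constructed sample record; the mailbox names are placeholders.
SAMPLE = ("v=DMARC1; p=reject; "
          "rua=mailto:reports@dmarcdigests.com!10m, mailto:dmarc@skiff.com; pct=100")

if __name__ == "__main__":
    for dest, auth_name in external_destinations("skiff.com", parse_dmarc(SAMPLE)):
        print(f"third-party rua destination: {dest} (authorization TXT at {auth_name})")
```

Aggregate reports carry sending IP addresses, message counts and SPF/DKIM results rather than message bodies, so the output shows which outside processor receives that metadata.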