I am currently using Mailbox.org with my own domain. However, 3 euros a month is a bit high. What about Migadu?
I don’t think they do zero knowledge encryption. What makes you think they’re a “private” mail provider? Except their marketing saying “We do not access, analyse, scan or share any user data.” But the same is true for many other providers, e.g. Startmail, Runbox, Infomaniak, Fastmail, Cock.li, and so on.
What do you think about Migadu?
What do you think about Migadu?
Or, more accurately, what made you bring them up here? They are rather unknown afaik, tell us what makes them stand out to you and deserving of your consideration more than the many dozens of other alternatives out there?
Personally, I love Migadu and have returned to them multiple times after trying out other providers. The usage-based billing model is unique and slightly expensive if you want something beyond the Micro plan, but I think it’s worth it.
As the others mentioned, they’re not really an E2EE provider so you would need to consider the privacy of the data at rest, if that’s a concern for you. They do use TLS/SSL connections, so the data is encrypted in-transit at least.
Aside from the privacy considerations, I love that the provider is “bring your own domain” focused, as that’s exactly what I need and have been disappointed with providers who provide their own domain and let you bring yours as an afterthought. Specifically, domain/mailbox aliases, catchall addresses, sender catchalls, IPv6 support, SMTP/IMAP support, & unlimited addresses are all killer features for me.
Above all, once I set up a domain with the DNS guide provided by Migadu, it just works and all of my email clients always recognize the login and sync fairly immediately.
Drew DeVault recommended it, and his Sourcehut team was contracted to work on the simple web interface. If I didn’t host my own email, they would be top on my list of providers to consider.
The recommendation page is gone now: https://drewdevault.com/2020/06/19/Mail-service-provider-recommendations.html
But here’s an archive: Email service provider recommendations
Why did he remove the post? I can think of a few reasons but I won’t speculate. That was probably where most people heard about Migadu.
Migadu can get above 90% at internet.nl, which is impressive but practically useless (lol)
Encryption is done by the email client, not the email provider, afaik. You can use OpenPGP to encrypt your message with whatever provider.
I know 3 EUR is a bit high, but it has more storage. Migadu costs 19 a year and you can only send 20 emails a day with a 5 GiB quota, though it isn’t a hard limit. If you want something more than that, it gets to 9 EUR a month, pretty steep pricing policy…
Unless you’re running a really popular free software project over on Sourcehut, most individuals will never hit the 20 emails out/day limit. I probably wouldn’t send more than 10 emails a month…
The 200 emails in/day is something I’d expect would feel more limiting for people.
Bringing your own custom domain is an absolute must feature, though. I don’t know if this is a popularly-offered feature on email providers.
Migadu support responded promptly to an email I sent after I read this thread and confirmed they encrypt the data both in-transit and at-rest.
Here’s their full response to my email questions around encryption/security of data, if anyone is interested:
The storages are fully encrypted at rest and in motion. Also, the datacenters we use have strong ISO certifications in security and data management and disk retiring processes.
Agree with thickness though, full privacy through encryption is more of a GPG issue than an email provider issue, unless you’re intent on using a service like Proton Mail with a custom encryption product.
Encryption in transit and at rest is provided by anyone, really. Also, when an attacker gets access to the server, encryption at rest doesn’t protect your emails like E2EE does.
I’d tend to disagree, but it really depends on the company’s setup. I perform audits, SOC reports, and certs professionally and I never assume encryption at-rest is a given anymore with how many companies I see without it. I always make sure to look for something at least stating they provide it, if an audit/report isn’t available to confirm that fact.
On the other hand, encryption at-rest can be useful if the company has the decryption secrets elsewhere like CyberArk or Vault, as that would require the attacker to breach both the production server with the data AND the location with the secrets. Definitely not as good as E2EE, since the company itself can use their own secrets to read data, but the likelihood of an attacker gaining access to enough information to decrypt production data is unlikely for mature orgs (still a risk, but unlikely enough for the average threat model).
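The key-separation point made in the last two posts, shown as an added example that is not from anyone in this thread and says nothing about how Migadu or any other provider actually stores mail: a toy envelope-encryption mail store in Go (standard library only). Each message is encrypted under its own random data key, and that data key is wrapped under a key-encryption key (KEK) that is assumed to live in a separate secrets service rather than on the mail server's disk. The record layout, the function names `StoreMessage` and `ReadMessage`, and the sample message are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredMessage is the (hypothetical) record an at-rest-encrypted mail store
// keeps on disk: the encrypted body plus the per-message data key, itself
// encrypted ("wrapped") under a KEK that the server fetches from elsewhere.
type StoredMessage struct {
	Ciphertext []byte // nonce || AES-256-GCM(dataKey, body)
	WrappedKey []byte // nonce || AES-256-GCM(kek, dataKey)
}

const nonceSize = 12 // standard AES-GCM nonce length

// newAEAD builds an AES-256-GCM AEAD for a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and returns
// nonce || ciphertext, so the blob is self-describing.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; under the wrong key or on tampered data GCM
// authentication fails and an error is returned instead of garbage.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < nonceSize {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:nonceSize], sealed[nonceSize:], nil)
}

// StoreMessage is what the server does on delivery: generate a random
// per-message data key, encrypt the body with it, wrap the data key under
// the KEK, and keep only the two ciphertexts. The plaintext data key is
// never written to disk.
func StoreMessage(kek, body []byte) (StoredMessage, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return StoredMessage{}, err
	}
	ct, err := seal(dataKey, body)
	if err != nil {
		return StoredMessage{}, err
	}
	wrapped, err := seal(kek, dataKey)
	if err != nil {
		return StoredMessage{}, err
	}
	return StoredMessage{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// ReadMessage is what a legitimate read does: unwrap the data key with the
// KEK, then decrypt the body. Anyone holding both the disk record and the
// KEK (the provider included) can do this; a disk record alone cannot.
func ReadMessage(kek []byte, m StoredMessage) ([]byte, error) {
	dataKey, err := open(kek, m.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, m.Ciphertext)
}

func main() {
	// Constructed sample: a KEK as a secrets service would hand it out, and
	// a short mail body.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	stored, err := StoreMessage(kek, []byte("Subject: hi\r\n\r\nconstructed sample body"))
	if err != nil {
		panic(err)
	}
	// Disk contents without the KEK: any other key fails authentication.
	if _, err := ReadMessage(make([]byte, 32), stored); err != nil {
		fmt.Println("disk record alone:", err)
	}
	// Disk contents plus the KEK: decrypts, which is exactly why this is
	// weaker than E2EE, where the provider never holds the key at all.
	body, err := ReadMessage(kek, stored)
	if err != nil {
		panic(err)
	}
	fmt.Printf("disk record + KEK: %q\n", body)
}
```

The two `ReadMessage` calls in `main` are the whole argument: a copy of the disk yields only ciphertext and a wrapped key, so an attacker has to compromise the secrets service as well, while the operator, who can call the secrets service, reads everything. With E2EE the equivalent of `kek` exists only on the user's devices, so the second call is not available to the provider either.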