On E-mail Providers

Disclaimer
  1. Do not treat this page as a viable source in your own threat modeling.
  2. There will be no full explanation for the used abbreviations.

TL;DR

I decided to use Posteo as an email provider as it:

Intro

The journey of thousand steps starts with a single stair or a single step. If you go up that is.

― somebody, sometime, probably

A few years back, I decided to get better control of my own privacy, security, and anonymity. When the moment came to publicly expose my website as a business card (I guess) and a little thoughts garden, I thought setting up a contacts page would be quite easy for a programmer with almost a decade of experience. And then I spent almost a full-time week comparing several options when it came to email. I also considered running my own instance, probably Mailcow or Stalwart. Unfortunately, I’m not going to describe all the comparisons here, not as of now at least. However, I will gladly share my key takeaways and reasoning for choosing Posteo.de.

Reasons

If in 2025+ some people are still in doubt, I’m about to provide a few reasons why you should choose an email provider iff:

Time

The first reason I even considered email service providers is time itself. If I spent a week just comparing 10+ services and tools, how long would it take to set one up correctly? Would there be any such services at all if it were so easy to support one? In case you are a single individual (or a small team/family), you are better off going with a provider. I mean, most people already do it with Gmail, MS Outlook, Yahoo, Baidu, etc. The only difference is, alas, that they don’t care about PSA.

Complexity

Speaking of “easy”, it’s not. Nor is it simple. There are a number of aspects you need to consider. For example:

On Posteo

I’ve been reading Reddit, PrivacyGuides’ discussions, PrivacyTools, LLMs, marketing slogans, and trusting my own intuition ― and after careful and a bit stressful consideration, I’ve decided to stay on Posteo.

Pros

No Custom Domain?!

The first drawback I noticed (right after paying for the service) was that there is no support for custom domains. It was odd, even considering it’s just 1 euro/month. A few questions came to my mind nearly in an instant.

  1. Why would a commercial company refuse an extra buckeuro?
  2. How will I look in the IT/business community with <username>@posteo.de near my git commits?
  3. How long will it take till I get my money back? Or should I even revoke my account?
  4. Is it a lacking feature, or is it by-design? Why? WHY the Force not?

Long story short, it is problematic to keep the same level of privacy and security for custom domains. If you really need to set up your custom domain, you can still automatically forward. Check out Andy’s post on it!

Towards answering the questions.

  1. It would require extra work and doesn’t add up to Posteo’s goals.
  2. Like a person who made a well-weighted decision despite the “tradition”. Not to mention switching from @gmail.com.
  3. It’s about 180 days, according to Posteo. But I’m not going to revoke my account.
  4. By design. Domains are usually purchased for a real (as in personal data) entity, with names, phones, and IDs. If your email service supports custom domains, it is a link to your physical (vs. virtual) identity. Hence, it could help to compromise you.

DMARC Policy none?!

Another aspect worried me. Their DMARC policy is set to none instead of reject or quarantine. That was until I, firstly, understood it’s unlikely for someone to spoof my username.

  1. I’m not a company, I represent myself. There is no real benefit* of faking my personal-work address.
  2. SPF and DKIM still work, so it’s doubly unlikely to spoof my account.

And, secondly, setting a stricter DMARC policy can cause delivery issues for forwarded, aliased, and received emails alike.

Apparently, it is not a must to set DMARC for all email providers, says dmarc.org.

So, if I’m not going to receive or send any emails on my domain, then I will just set DNS records accordingly.
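What "set DNS records accordingly" can look like for a domain that neither sends nor receives mail, as an added example that is not part of the original post: a null MX (RFC 7505), an SPF record of `v=spf1 -all`, and a DMARC policy of `reject`. The domain example.org, the zone contents, and the function names are constructed for illustration.

```python
# Added example: audit the DNS records of a domain that should never send or
# receive mail. All records below are constructed samples for example.org.

def parse_tags(txt):
    """Split a DMARC-style 'k=v; k=v' TXT record into a lowercase-key dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_policy(txt):
    """Return the requested policy (none/quarantine/reject) or None if invalid."""
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return None
    policy = tags.get("p", "").lower()
    return policy if policy in ("none", "quarantine", "reject") else None

def audit_no_mail_domain(zone, domain):
    """List what is missing for a domain that neither sends nor receives mail."""
    findings = []
    # Null MX (RFC 7505): a single MX with preference 0 and target "."
    if zone.get((domain, "MX")) != ["0 ."]:
        findings.append("MX: no null MX ('0 .'), so senders may still try delivery")
    # SPF: an empty allow-list, so no host may use the domain in MAIL FROM
    spf = [r for r in zone.get((domain, "TXT"), []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1 or spf[0].split() != ["v=spf1", "-all"]:
        findings.append("SPF: expected exactly one record 'v=spf1 -all'")
    # DMARC: ask receivers to reject mail that fails alignment
    dmarc = zone.get(("_dmarc." + domain, "TXT"), [])
    policy = dmarc_policy(dmarc[0]) if len(dmarc) == 1 else None
    if policy != "reject":
        findings.append(f"DMARC: policy is {policy!r}, expected 'reject'")
    return findings

# Constructed zones: one locked down, one with only a monitoring-mode DMARC record
LOCKED = {
    ("example.org", "MX"): ["0 ."],
    ("example.org", "TXT"): ["v=spf1 -all"],
    ("_dmarc.example.org", "TXT"): ["v=DMARC1; p=reject;"],
}
LOOSE = {("_dmarc.example.org", "TXT"): ["v=DMARC1; p=none"]}

if __name__ == "__main__":
    for name, zone in (("locked", LOCKED), ("loose", LOOSE)):
        print(name, audit_no_mail_domain(zone, "example.org") or "ok")
```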

Services List