On E-mail Providers
- Do not treat this page as a viable source in your own threat modeling.
- There will be no full explanation for the used abbreviations.
TL;DR
I decided to use Posteo as an email-provider as it:
- allows to set up OpenPGP and S/MIME
- does most of the hard work for me
- has a neat reputation in PSA world
- costs 1 €/month (and accepts cash)
- somewhat cares about ecology
Intro
The journey of thousand steps starts with a single stair or a single step. If you go up that is.
A few years back, I decided to get better control of my own privacy, security, and anonymity. When the moment came to publicly expose my website as a business card (I guess) and a little thoughts garden, I thought setting up a contacts page would be quite easy for a programmer with almost a decade of experience. And then I spent almost a full-time week comparing several options when it came to email. I also considered running my own instance, probably Mailcow or Stalwart. Unfortunately, I’m not going to describe all the comparisons here, not as of now at least. However, I will gladly share my key takeaways and reasoning for choosing Posteo.de.
Reasons
If in 2025+ some people are still in doubt, I’m here to provide a few reasons why you should choose an email provider, iff:
- your infrastructural scale doesn’t really scream for your own thing
- your threat model allows it
- and your tech savviness allows you to set up all the public-private-certificate shebang
- you are lazy and mortal
Time
The first reason I even considered email service providers is time itself. If I spent a week just comparing 10+ services and tools, how long would it take to set one up correctly? Would there be no such services at all if it were so easy to run one? If you are a single individual (or a small team/family), you are better off going with a provider. I mean, most people already do it with Gmail, MS Outlook, Yahoo, Baidu, etc. The only difference is, alas, that they don’t care about PSA.
Complexity
Speaking of “easy”, it’s not. Nor is it simple. There are a number of aspects you need to consider. For example:
- have reliable hosting [in a data-center] or take care of your own infrastructure with 99.999+% availability
- correctly set up all the policies/methods: SPF, DKIM, DMARC, DANE, etc.
- correctly set up E2EE: [Open]PGP, S/MIME, etc.
- spam filter
  - else you’ll end up in a heap of useless data
  - and lose your storage space to it
- malware filter (or are you going to force users to look at plain text?)
  - ads such as Facebook Pixel, Google Tag Manager, Yandex Counter, etc.
  - phishing links
  - executable attachments
  - LLM jailbreaking
- backups! Remember the 3-2-1 rule:
  - 3 data copies
  - 2 types of storage/media
  - 1 offsite location
On Posteo
I’ve been reading Reddit, PrivacyGuides’ discussions, PrivacyTools, LLMs, marketing slogans, and trusting my own intuition ― and after careful and a bit stressful consideration, I’ve decided to stay on Posteo.
Pros
- it provides the necessary level of privacy and anonymity [for me]
- it utilizes Open Source solutions, including OpenPGP
- it is recommended by FSF, alongside RiseUp and A/I
  Those two will work even w/o JS.
  But they will also raise suspicions with state-funded adversaries if you use them too openly, e.g. for IT work or purchases. It’s a different beast.
  P.S. I do not possess an invitation code for RiseUp.
- it’s ‘all green’ as in no real red flags + ecology-wise
- Internet.NL shows 83% (issues: DMARC policy set to none, and IPv6 unavailable)
- it’s really cheap
No Custom Domain?!
The first drawback I noticed (right after paying for the service) is that there is no support for custom domains. It was odd, even considering it’s just 1 euro/month. A few questions came to my mind almost instantly.
- Why would a commercial company refuse an extra buck (euro)?
- How will I look in the IT/business community with <username>@posteo.de next to my git commits?
- How long will it take till I get my money back? Or should I even revoke my account?
- Is it a lacking feature, or is it by design? Why? WHY the Force not?
Long story short, it is problematic to keep the same level of privacy and security for custom domains. If you really need to set up your custom domain, you can still automatically forward. Check out Andy’s post on it!
Towards answering the questions:
- It would require extra work and doesn’t align with Posteo’s goals.
- Like a person who made a well-weighted decision despite the “tradition”. Not to mention switching away from @gmail.com.
- It’s about 180 days, according to Posteo. But I’m not going to revoke my account.
- By design. Domains are usually purchased by a real (as in personal data) entity, with names, phones, and IDs. If your email service supports custom domains, that is a link to your physical (vs. virtual) identity. Hence, it could help to compromise you.
DMARC Policy none?!
Another aspect worried me. Their DMARC policy is set to none instead of reject or quarantine.
That was until I, firstly, understood it’s unlikely that someone would spoof my username:
- I’m not a company, I represent myself. There is no real benefit* to faking my personal/work address.
- SPF and DKIM still work, so it’s doubly unlikely that anyone could spoof my account.
And, secondly, a stricter DMARC policy can cause delivery issues for forwarded, aliased, and received emails alike.
Apparently, setting DMARC is not a must for all email providers, says dmarc.org.
So, if I’m not going to receive or send any emails on my domain, I will just set the DNS records accordingly.
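To make the DMARC choice and the last sentence concrete, here is an added Python example (mine, not the post’s or Posteo’s): it parses a DMARC TXT record, states what a receiver does for each p= value, and emits the DNS records for a domain that sends and receives no mail at all. The sample records and the example.org domain are constructed, and the no-mail record set is a common recommendation rather than anything the post prescribes.

```python
# Constructed sample TXT records, not copied from any real DNS zone.
SAMPLE_DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"
SAMPLE_DMARC_REJECT = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs.

    Raises ValueError when the text is not a usable DMARC record.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    return tags


def receiver_action(txt: str) -> str:
    """What a DMARC-aware receiver does with mail failing SPF/DKIM alignment."""
    policy = parse_dmarc(txt)["p"].lower()
    actions = {
        # p=none: failures are only reported (rua/ruf), never acted upon.
        "none": "deliver and report only",
        "quarantine": "treat as suspicious (e.g. spam folder)",
        "reject": "refuse the message at SMTP time",
    }
    if policy not in actions:
        raise ValueError(f"unknown DMARC policy {policy!r}")
    return actions[policy]


def no_mail_records(domain: str) -> list:
    """DNS records for a domain that neither sends nor receives mail.

    Null MX (RFC 7505) says the domain accepts no mail, SPF -all authorises
    no sender, and DMARC p=reject asks receivers to drop forgeries outright.
    """
    return [
        (domain, "MX", "0 ."),
        (domain, "TXT", "v=spf1 -all"),
        (f"_dmarc.{domain}", "TXT", "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"),
    ]
```

Publishing these three records on a domain you never mail from is what turns the post’s “set DNS records accordingly” into something a receiver can enforce.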
Services List
- ProtonMail ― a default choice if you don’t really want to get into PSA too much.
  - supports PGP instead of OpenPGP
  - custom domains
  - E2EE email body and attachments ― doesn’t encrypt the Subject line
  - I guess they don’t encrypt meta-data either
- Tuta (ex Tutanota) ― another well-known Germany-based email provider
  - I couldn’t sign up with my browser setup
  - although their encryption covers the Subject line, it’s still impossible to [safely] communicate with other PGP users ― it’s a no go
- CounterMail ― super-paranoid, or rather super-aware: they even store the encrypted data on CDs instead of HDDs (I love it!). Kind of pricey (to me), but I don’t have an invitation code anyway. They still have a bunch of useful tools in the open.
- Mailfence
- Startmail