A while back I started on this journey, and as most people did, I’ve had my ups and downs and went through the learning curve. I’ve now reached the point of so much knowledge that I truly know I don’t know shit. People of Lemmy, I come to you today because idk what to do. I recently made a free account with Proton; their subscription is fairly cheap so idm paying the monthly tier of 15GB so I can have control over ending it whenever I please instead of being locked in for a year. Now, I heard about Tuta but never dived much into it. I know Proton has had its controversies (don’t be shy of reminding me of what they were), but what are my options here truly for a proper FOSS email provider? I can negate the free part for a reasonable price, but truly private AND secure is a must.

Self Hosting isn’t an option yet for personal reasons unless it’s completely free.

  • flo_l@lemmy.ml · ↑ 3 · 7 hours ago

    I’m using Migadu and I’m happy with it. You need your own domain though.

  • 64bithero@lemmy.world · ↑ 2 · 8 hours ago

    While there is no way to completely protect your email, I am a big believer in minimizing vulnerability. It’s somewhat nice to know your email provider at least isn’t reading your direct emails. Most of my correspondence comes from auto reply emails. It’s the same I recommend to people still on Windows or MacOS. Use apps with no telemetry as much as possible. That to me would include email.

  • edel@lemmy.ml · English · ↑ 4 · ↓ 1 · edited · 11 hours ago

    Just a week ago I wrote my impressions of diverse email providers, so I put them here with a few corrections:

    Proton gives me some no-good vibe I cannot explain, but it works really well and they really have the human capital to make it work the best. A big criticism is hosting so many services under one roof… especially VPN, drive and email, but it is very convenient for customers. They also have policies of no refunds that make that bad sentiment grow… Why not refund the unused portion, or even with a penalty? Regarding its founder, Andy, he did make 3 statements that appeared to support Trump, but I think they were misinterpreted; Andy criticized the Democrats’ unrelenting support for the Tech Giants more than he praised the Republican administration. Let’s remember that, at that time, Trump was the only voice that appeared to be going to favor small business over the mega corporations. Of course, that promise from Trump, as with all the others he made, was a complete lie. I don’t recall any other statements from Andy beyond that topic of small business vs big tech. After listening to many of Andy’s interviews, he does not seem to me like a typical Conservative, let alone a MAGA supporter.

    Mailbox has been static for a while, but they do offer a good service and now they are attempting to modernize. No full privacy by default, but that could potentially be achieved with some effort; okay for most people. Still a bit German-centric. I still would recommend them easily.

    Posteo would have been my first choice since 5 years ago, but not being able to use your own domain is, sorry to say, inexcusable. They say it is because your own domain brings some privacy up to light, very true! So advise it: “look, we suggest using our domains for better privacy for you, but if you want the freedom to move to another provider in the future at the cost of a bit of privacy, you are welcome to bring your own domain”. I want to believe the decision was genuine because they think it is for better privacy and not to create a lock-in for its customers.

    Tuta… oh Tuta. I like the people, I believe and trust them the most! Yet, they probably still need to grow a bit so they can have the resources to do better (maintaining an email service is very hard nowadays, even more so a privacy-oriented one). Their Android client does not share data with Google for the push notifications (hello Proton?!) and that should be a fundamental requirement. For just email, it is fantastic and for privacy it is the best, period… if you are OK with the lack of support for the IMAP and POP3 protocols, that is. They should do some bridge like Proton does and I would put it on top among all in an instant.

    Other privacy-oriented providers can be okay since they have a low profile and are less targeted by 3rd actors, but at the same time they are also less prone to keep up with security updates. It is sad, but I would not use them on a daily basis. Same with self-hosting, free or non-free, don’t! As mentioned, it is very complicated, not only from a security concern but also because many emails will get lost in the void by picky providers like Gmail.

    On the concerns about the change of political colors in Germany: first, regarding privacy, you are more at the whims of the people of the provider than of the leader of the time. I don’t really see any country as safe today, not a single one! Now, a right owner is someone like Lavabit’s, who chose to close shop rather than give the SSL keys to the US authorities; that is why trust is so critical. I would rather use a provider based in the US with the right owner than one in Switzerland with one I don’t know much about. Your only protections are the technology and the owner!

    That said, unless you are a highly targeted individual, maybe you should not focus only on privacy; besides, sometimes the best defense is to blend in among the not-so-top-notch-privacy providers. In any case, I trust Tuta the most, but recommend Mailbox for most people and Proton to those a bit concerned about normal privacy. I think there is room for a new player here that covers all the shortcomings, but it is not here yet.

    Self Hosting

    • snowydroopz@lemmy.world (OP) · ↑ 1 · 7 hours ago

      Thank you so much. Based on what I understand, your top 2 would be Posteo and Tuta. Putting the “using your own domain” problem aside, how would you compare them side by side if you had to pick one? Multiple people said Tuta is missing important privacy features like PGP and other stuff

      • edel@lemmy.ml · English · ↑ 1 · 7 hours ago

        From Posteo I cannot say much more since using my own domain is critical.

        Tuta, it is indeed missing PGP and that is a problem if you are trying to communicate with someone that uses PGP. Now, Tuta’s encryption, although not as universal as PGP, you could say is better implemented since the subject is encrypted (unlike with PGP’s). The shortcoming is that Tuta’s encryption only works seamlessly between Tuta accounts, or the recipient is offered a web link where he/she has to enter a password. In real life, a handful know how to work with PGP.

        So in the end it depends on who you intend to send emails to… are part of them PGP users? If yes, get Proton; if not, either Proton or Tuta will be OK, use other criteria to choose between them.
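
The point in the comment above, that PGP encrypts the body but leaves the subject in the clear, shown as an added example that is not part of the thread. The sample messages, addresses and the `provider_view` helper are constructed for illustration; the armored block is a placeholder, not real ciphertext.

```python
"""Report what a mail provider can read from a stored RFC 5322 message."""
from email import message_from_string

ARMOR = "-----BEGIN PGP MESSAGE-----"
METADATA = ("From", "To", "Subject", "Date")

# Constructed sample messages (all values are made up for this example).
_HEAD = (
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: Q3 salary figures\n"
    "Date: Mon, 01 Jan 2024 10:00:00 +0000\n"
    "MIME-Version: 1.0\n"
)
_BLOB = ARMOR + "\n\n(constructed placeholder, not real ciphertext)\n-----END PGP MESSAGE-----\n"

PLAIN = _HEAD + 'Content-Type: text/plain; charset="utf-8"\n\nThe figure is 4200 per month.\n'
PGP_INLINE = _HEAD + 'Content-Type: text/plain; charset="utf-8"\n\n' + _BLOB
# PGP/MIME layout as defined in RFC 3156: a control part plus the encrypted part.
PGP_MIME = (
    _HEAD
    + 'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n\n'
    + "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
    + "--b1\nContent-Type: application/octet-stream\n\n" + _BLOB
    + "\n--b1--\n"
)


def provider_view(raw):
    """Return the scheme in use, the headers left readable, and any readable body."""
    msg = message_from_string(raw)
    # Headers are outside the OpenPGP payload, so they stay readable either way.
    headers = {name: msg[name] for name in METADATA if msg[name] is not None}

    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return {"scheme": "pgp-mime", "visible_headers": headers, "readable_body": ""}

    # Otherwise collect every text part and look for an inline armored block.
    text = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            text += part.get_payload(decode=True).decode("utf-8", "replace")
    if ARMOR in text:
        # Simplification: any cleartext around the armored block is not reported.
        return {"scheme": "pgp-inline", "visible_headers": headers, "readable_body": ""}
    return {"scheme": "none", "visible_headers": headers, "readable_body": text}


if __name__ == "__main__":
    for label, raw in (("plain", PLAIN), ("inline", PGP_INLINE), ("mime", PGP_MIME)):
        view = provider_view(raw)
        print(label, view["scheme"], "| subject:", view["visible_headers"]["Subject"],
              "| body readable:", bool(view["readable_body"]))
```

In all three cases the sender, recipient, subject and date are reported as visible; only the body differs.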

    • tradclasstruggle@lemmygrad.ml · ↑ 1 · 7 hours ago

      I recently switched to Proton, mostly to get out of Gmail and Hotmail.

      I did this firstly to get out of the yankee services, not because I trust Proton: their claims of private mail are mostly bullshit, and they do clearly behave like a CIA honeypot, so I don’t trust them (as I didn’t trust the other two), so I use the free account (also there are increasingly fewer and fewer free options nowadays) just to get emails that I’m more than okay being known, or where my domain emails don’t work.

      Everything else goes to an assortment of addresses on my webstorage with my domain, running on a national server outside of all the cursed 9/14/etc eyes. Even still I expect them to be fully visible under a court order. But I get no one actively profiting off their info, and get no spam there. So I’m very happy with the change.

      • edel@lemmy.ml · English · ↑ 1 · 7 hours ago

        Proton has come out with some, not outright lies, but misleading advertisements. I understand the thin line that privacy companies have to manage between appealing to a larger audience to get economies of scale and not misleading at the same time to achieve that. It is hard for them since we expect the prices of other non-privacy-oriented providers but with far more complex systems that require far more RAM, more storage, more audits, more special expertise, etc. Proton is a success at Privacy but Tuta I respect more.

  • Libb@piefed.social · English · ↑ 8 · edited · 15 hours ago

    but truly private AND secure is a must.

    Remember that email is none of that, unless both people use encryption.

    Tuta and Proton both are encrypted, which is great, but the moment you exchange with someone that is not using encryption (aka, the vast majority of people), they’re not anymore.

    I always considered email like sending a good old postcard: something anyone could read without being invited, just by looking at it.

    so I can have control

    Be it Tuta or Proton, or any other commercial offering, you won’t have real control without owning your actual domain name. Owning it means you can change email provider if/when you want (and if you don’t feel like using your own).

      • Libb@piefed.social · English · ↑ 2 · edited · 10 hours ago

        You purchase it from some registrar.

        I’m from France so it probably won’t be the same as you, it will cost you a small yearly fee. Like, for example I do own the domain ‘thefoolwithapen.com’ (my blog) among a few other domain names. So I can use libb@thefoolwith… with either my own email/hosting or most third-party providers, I don’t have to use their own name/domain. Sorry for the lack of specificity in my explanations, I’m everything but an expert ;)

        Edit: clarifications

        • snowydroopz@lemmy.world (OP) · ↑ 1 · 10 hours ago

          Okay so whenever I buy a domain name, I now can use that domain name on any email regardless of the email provider (google, proton, etc.) Can the domain name be taken away from me somehow?

          • Damage@feddit.it · ↑ 2 · 10 hours ago

            I have a domain and I use email aliases, they’re addresses that redirect everything they receive to another address. That way you could for example redirect all emails from John@Doe.com to John.doe@proton.com

            When you send emails from John.doe@proton.com, if you want to show the alias’ address as the sender, your provider must have support for identities, many do, Gmail does, proton I don’t remember.

            Btw you don’t PURCHASE a domain, you rent it. Usually the basic plans can include limited hosting space for a website, and actual e-mail accounts with storage, but while most also offer webmail portals, they aren’t as good an experience as Gmail.

          • Libb@piefed.social · English · ↑ 1 · 10 hours ago

            1. Depends on the email provider, I’m not sure (quite certain they’re not) all are offering that.
            2. Yes. The moment you stop paying as it will most likely be sold for cheap. One of the oldest domains I owned (from the 90s) and got rid of a few years ago is now used by someone hosting porn… Which is kinda funny. Maybe one can also lose it in a trial? But that would be very specific… Say, you own StarWarsSucksHard.com you won’t probably own it for long the moment Disney’s armies of lawyers focus their attention on you ;)

  • whatiswrongwithyou@lemmy.ml · ↑ 14 · 19 hours ago

    Everyone telling you email isn’t private is right.

    Don’t use it for things you don’t want to be public knowledge.

  • superglue@lemmy.dbzer0.com · English · ↑ 18 · 21 hours ago

    This might be an unpopular opinion in this community, but here it goes.

    Privacy doesn’t really exist with email. Yes, Proton does support encryption, but nobody but Proton uses it. When your bank sends you an email, it’s plain text, and it’s pretty much guaranteed it’s sent from an outlook or gmail server. If they want your data they can get it whether you’ve got proton or not.

    As for me - I actually still use my university’s email. It’s on outlook, but hardly anything is sent to it, it never gets flagged as spam, and it doesn’t cost me anything and will hopefully be there forever.

    • edel@lemmy.ml · English · ↑ 1 · 6 hours ago

      Your opinion is not unpopular here.

      For those that don’t know, yes, when Proton or Tuta sends an email to an unsecured provider, it is in the open… if you want it to be, that is. You have the choice to tick whether you want to send the mail and attachments encrypted or not. If you choose to send it encrypted, they have a link where they have to introduce a password to get in. I use this multiple times with somehow sensitive data. At least their email provider won’t have the data… now, the recipient may then place that data in Google Docs and that is game over; but that is your party’s fault, not your email provider’s.

    • sakuraba@lemmy.ml · ↑ 4 · 20 hours ago

      Came to say the same, the only benefit I see in proton and other providers is not having my email monitored by Google but that’s it

    • BladeFederation@piefed.social · English · ↑ 4 · 21 hours ago

      Nah that’s a pretty common (and correct) take. Never email something you wouldn’t want to see come up in a court case. Secure email can limit exposure somewhat though. Unless it’s the government it may be impossible or at least harder to put things together about you from other email addresses. At the very least every email is not being scanned by Gemini and used to train it. And the more people that use privacy respecting email the more private it is.

    • StumblingWasabi@lemmy.today · ↑ 2 · 19 hours ago

      Yeah, as long as it’s not Google, it works. The real trick is to find a good email aliasing service (I use Addy.io) so when emails are exposed in a data breach you can just turn it off and avoid spam. Also good for when you’re trying different emails out because you just have to update what the aliases send to.

    • snowydroopz@lemmy.world (OP) · ↑ 3 · 21 hours ago

      Never actually thought of it that way, like how no matter what you do, since most of your family uses META, you’re indirectly hit by the crossfire

      • superglue@lemmy.dbzer0.com · English · ↑ 3 · 20 hours ago

        Right ya. Your best bet if you want to achieve privacy is to pretty much stop using email as much as possible. Proton is fine, and it is better than say using outlook or gmail, but barely.

        • SupremeDonut@lemmy.ml · ↑ 1 · 18 hours ago

          Privacy doesn’t really exist in what way? In a sense that the layperson should be concerned or just a person of interest in a diplomatic position?

  • nixFREAK@sopuli.xyz · ↑ 6 · 18 hours ago

    Honestly use whatever you want and use pgp, or gnupg. Encrypt all your messages using ecc.

  • Voxel@feddit.uk · ↑ 7 · ↓ 1 · 21 hours ago

    TL;DR: Stick with Protonmail. There is, based on what you told us, no reason for you to switch to another provider.

    I wouldn’t recommend Tuta at the time of writing, due to the lack of OpenPGP (no, their own EE2E does not act as a solid replacement) and JMAP/IMAP support.

    • thanksforallthefish@literature.cafe · ↑ 1 · 14 hours ago

      Hmmm? Has Proton introduced imap support? I was going to migrate to them a few years ago until I realised that was missing. Not keen on getting locked into their proprietary app.

      • elkien@lemmy.today · ↑ 3 · 13 hours ago

        No it hasn’t, but with the Proton Mail Bridge you can get close, as it creates a local IMAP server that you can use with any email client - it’s far from ideal though and it has plenty of glitches

        • thanksforallthefish@literature.cafe · ↑ 1 · 13 hours ago

          Thanks for the response, yeah that is better than nothing, but if OP hasn’t migrated yet then better to choose a provider that isn’t locking them into an apple-esque walled garden. If they decide to stop supporting the bridge then you’re stuck.

          I like proton but they make a few too many weird decisions. I mean imap has been around for a long time, why not use the open standard.

    • snowydroopz@lemmy.world (OP) · ↑ 1 · edited · 21 hours ago

      Take it easy on me with the big boy terms haha, you mind explaining them? Except E2E, I know what end to end encryption is, tho idk if EE2E is another thing or just a typo by you

      Another user said mailcow, thoughts?

      • sakuraba@lemmy.ml · ↑ 2 · 20 hours ago

        I think they meant E2EE (End-to-end encryption)

        OpenPGP is an encryption standard

        JMAP/IMAP iirc lets you use other clients like Thunderbird (you won’t be able to use 3rd party clients with proton unless you pay for it so take that into account too)

        • snowydroopz@lemmy.world (OP) · ↑ 1 · 20 hours ago

          Isn’t PGP what they say to always encrypt any message you send with prior to sending it? Especially on Dread and DNM Bible, never understood how to actually use it though

          • sakuraba@lemmy.ml · ↑ 2 · 20 hours ago

            yeah it is used for encryption, in this case mails between proton users can be encrypted using OpenPGP

            i recommend to research a bit yourself on these topics and your use case for privacy in this context. email is not private by design.

  • ShutUpWesley@piefed.zip · English · ↑ 3 · 20 hours ago

    The real answer isn’t don’t use email for private communication. It’s like asking what’s the most private way to shout into a crowded room

  • TheMadCodger@piefed.social · English · ↑ 1 · 18 hours ago

    Others have already said similar, but it depends on what you mean by “private” and “secure”. Yes, proton is e2e but that only is true if you’re emailing another proton user. And yeah, Proton can’t read your emails, but as soon as you email someone else outside the ecosystem, it’s as good as public.

    I’m not saying thou shalt not use proton! But I had a subscription and cancelled. One part because the CEO vocally supported Trump and then doubled down when called out. Another part because I got tired of the proton ecosystem being inaccessible outside its own walled garden because of the e2e.

    So I switched to Fastmail and couldn’t be happier. Is it perfect, no, but what is? It works well, it’s reasonably priced, they’ve been around forever, and I can use it with apps/programs outside of what they provide.

    When it comes down to it, your email will never be truly private unless you only communicate with people who are just as concerned about privacy.

      • TheMadCodger@piefed.social · English · ↑ 1 · 2 hours ago

        Pros, it just works the way I’d expect it to. What really makes me happy with it is how they enable you to use it outside their ecosystem if you want to, so like caldav, SMTP, etc. Those either don’t exist or are much harder to do in proton because of the encryption.

        They have a mindset of enabling you to use your data the way you want to: recently they added an api for interfacing with LLMs, which lets you plug one into your email/calendar but only if you want, and then it’s something you have to turn on. If you never want to have AI near your data, that’s the default. In this era of “we made email better by integrating AI into it that you didn’t ask for” Fastmail gives you the option, but doesn’t force you.

        Not unique, but they have a great masked email creation that can be generated from elsewhere. Currently I have them generated in Bitwarden when I create a new login (Bitwarden problems are a different thread).

        Cons, it is hosted in Australia which does have better protections than the US, but is still part of Five Eyes. Your data isn’t encrypted on disk, but is encrypted in transfer as is standard these days. They are transparent about the fact that they could see your data if they wanted, but they state their principle is to have a very good reason to do so, otherwise they say they’ll respect your privacy. They also say their business model depends on not scanning your data and selling it because people would jump ship if they did (true) but all of that is taken on faith.

        Ultimately, unless you self host, you’re going to have to trust someone. And the headaches of Proton’s ecosystem being so locked down just so I could say they couldn’t read my email, but gmail could as soon as I sent it, didn’t add up for me, which is why I switched. I like the convenience and it works well, and the price is reasonable.

      • alibloke@feddit.uk · English · ↑ 1 · edited · 14 hours ago

        I self hosted email for years and it did take a fair bit of maintenance. Since moving to Mailcow all I have to do is keep it updated (subscribe to their telegram channel for updates) and that’s it. It’s never broken or needed maintenance other than that.

          • alibloke@feddit.uk · English · ↑ 1 · 5 hours ago

            Cons:
            - Some knowledge of Docker is required
            - A static IP is helpful but not a requirement
            - If your ISP uses CGNAT then that’s a problem
            - Using a residential IP isn’t great for reputation

            Pros:
            - It’s a very well thought out system
            - Very few bugs
            - Excellent documentation
            - Includes spam protection, webmail and a bunch of other features
            - itjustworks

  • danhab99@programming.dev · ↑ 1 · ↓ 1 · 18 hours ago

    I’ve kind of given up on the concept of email as a whole. Nobody emails anymore. Nobody in my family uses email, I’ve never had a friend who emails me, I’m the weirdo for asking for an email address so I can email you a calendar invite because I’m a weirdo for using the calendar…

    Maybe it’s just been my experience but does anyone actually use email? And if so what about everyone else’s security?