So, slight rant on why I ask. My provider, OpenMailbox, has pissed me off. Their service went down without any warning, and then was replaced by what was clearly a beta, and had reliability problems like one too. What really ticked me off though, was IMAP and SMTP were made paid features. Again, all of this was done without any warning to users. If they had warned, I may have considered paying, but with this bullshit, I’m likely never going to. (I at least backed up the mail after they yoinked IMAP though.)
So, now I ask - what reliable (and perhaps security/privacy oriented?) providers are out there, that I can trust to exist for a while? I’m open to paying as long as its reasonable and works well enough. (Providers like Gmail are out - I have an account on them, but I don’t use it as my primary email. Perhaps I might have to though…)
I am on fastmail for my domain. Works fine, does everything I need.
I am also a happy fastmail.com customer since about 2 years now. I used mailbox.org before, a german email provider, which is quite cheap (1€ per month) and allowed to use custom email domains but their spam filter sucked. Fastmail’s spam filter is also not perfect, in fact Gmail has still by far the best filtering, but their service is great and I can use custom email domain’s too. They also develop JMAP a JSON based IMAP replacement.
I’d say the fact that JMAP is JSON based is only marginally-relevant; it’s got several significant design improvements over IMAP - e.g:
It’s more than IMAP replacement too, possibly better described as an alternative to Exchange ActiveSync.
I’m with mailbox.org myself, with the 2.5EUR/month plan and a private domain. Mostly happy, I don’t have issues with spam. They seem to be quite opinionated on how to handle spam: https://www.heinlein-support.de/vortrag/spam-quarantaene-und-tagging-der-grosse-irrtum. But it seems classical spam tagging has been added recently, though I haven’t tested it: https://mailbox.org/update-des-webportals-bringt-nuetzliche-zusatzfunktionen-fuer-ihr-e-mail-postfach/
I’m not that happy with the web interface though, it seems to be https://en.wikipedia.org/wiki/Open-Xchange.
Is JMAP even supported anywhere? Does anybody use it? Last I checked, not even Fastmail actually used this for anything. Seems like the project started with some energy but is mostly dead now? What a shame, as I’d love to use it somewhere… Please do correct me if I’m wrong.
Hi, I’m some engineering guy at FastMail.
JMAP is currently going through the standardisation process at the IETF to become an RFC. Several companies have built or are building client and server implementations based on those drafts. We’re putting a lot of work into JMAP support in Cyrus.
At FM, we use it internally for some (but not yet all) of our UI-server interactions, and we’re working on converting the UI to use JMAP natively (once the standardisation work has stablised).
Finally, we’re just about to launch a new product that uses JMAP from top to bottom - Cyrus, Ix (a JMAP API generator) and Overture (a UI framework with a JMAP-backed storage layer).
So there’s lots happening on JMAP at FastMail and elsewhere.
That’s really wonderful to hear. Once a year I email FastMail tech support asking them if there’s a JMAP thing, but the answer is always something like “no, and we don’t know when if ever.” And then I’m sad. This here is the first positive confirmation I’ve received, and I’m quite happy to hear it!
Hopefully once you release a fully JMAP designed system, you’ll have auto-exporters from existing tag-based systems like Gmail? Something like this would probably net you a massive user base.
I switched to fastmail last month and I am very happy with it. Before that, I had been self-hosting for 10 years, but I started seeing my emails listed as spam after I switched VPS providers (despite correct SPF etc), and I wasn’t motivated enough to fight for my IP reputation again.
Also Fastmail, moved from Google Apps for domains 2 or 3 years ago. Besides the advantages others mentioned, subdomain addressing is also a cool feature. Some mail providers support plus addressing
me+foobarbaz@mydomain.com
subdomains addressing is a bit nicer. You can make disposable addresses in the form of:
me@foobarbaz.mydomain.com
makes it easier to write rules and to drop mail when the address is sold to some spammer.
Also their support is pretty good. I had a small feature/refinement request twice, in both cases they had the feature implemented in their beta site in a couple of days.
I went to fastmail two years ago when the server on which I’d hosted my own email for about eight years died. I was happy to give a great company about $60 a year to host my family’s email. I was probably spending $60 a month of my own time just to administer the damn thing.
I’m on Fastmail too, with my own domain, for about ten years. The web UI is focused and fast, and the iOS app is just a webview, but a decent one that’s quick. I use Fastmail aliases and inbox rules to send to multiple external addresses, like a basic private listserve. Tons of advanced features for mail users, DFA, and no advertising or shenanigans with your inbox.
They went through a purchase by Opera a while ago, then a few years later Opera sold the business back to the original Fastmail employees – not a single hiccup or business misstep the whole time. They are laser focused. They contribute back to the open source mail server community.
The only issue on my wishlist is that they still don’t support the full CardDAV protocol, which means I cannot fully sync my Fastmail addressbook with iOS, Mac, Windows, or *nix apps, but they’re working on it, and it’s due soon (early 2018?).
I think it’s cheap for what you get, if you’re into that sort of thing.
What exactly is missing from CardDAV support? I’m happily using it to sync contacts to my iOS/Android devices.
Same here. I use fastmail for every new domain that I need email for and it’s pretty great.
Another vote for fastmail. Been a user for several years now. Has by far the best webui out of any provider. Very stable, and quick restoration of backups if you ever need them.
Another +1 for Fastmail. I’ve used them for 3 years and have been pleased with all their services. Their documentation is clear, the system is not hard to use, and they answer questions promptly.
The only thing I’m waiting for is HTTPS support on their web hosting. But if you need serious web hosting, Fastmail probably shouldn’t be yout first choice.
Yep, fastmail here too, it’s superb.
I use ProtonMail. Cheap, easy, takes bitcoin, open source (iirc), basically as good as you can expect wrt privacy and security from an email provider. I’ve been very happy so far.
Another vote for ProtonMail - they also actively improve it, and you can (for a price) use it for your own small business/domain, but the free version is very good on its own.
Run your own server! People are terribly frightened of email, but it is only slightly more complicated than running an HTTPS server with some DNS jambalaya. I use Mail in a Box on a VPS for my low-traffic personal email addresses and it works great. It is an actively maintained project that comes down to a shell script you can read and execute on a clean Ubuntu environment. You get spam filtering and DomainKeys and Let’s Encrypt and webmail and iCal out of the box. You might do it to save money, to learn a little bit about how email works, or both! I use a pretty reliable VPS (Vultr), and although I know VPSes tend to fail at the worst opportune moment I only ever experienced downtime when I ignored the email from Mailinabox (it sends you notifications about the system through email, which I think is clever) about keying Y on the Y/n prompt for the new Let’s Encrypt terms of services.
It gets much more complicated once you setup DKIM, DMARC, POP3 and IMAP, spam filtering, etc.
and then you find your cheep arse vps ip has a dirty reputation and need to work out how to get yourself white listed (did it for hotmail, painful but effective)
mail in a box is magical. setup DKIM, DMARC, POP3 and IMAP, spam filtering in a few mins. highly recommend
i tried to write a playbook for this but gave up, its just to complicated. given a couple weekends can get it up manually but when shit breaks its painful.
If you want some modicum of security go with Tutanota, Protonmail, or StartMail. Or self-host.
Pretty much everything else out there is total crap in terms of security, but be forewarned: even these hosting companies will not provide you with perfect email security. They just do a much better job than the competition.
It’s best to treat email as insecure entirely. That’s what has been done for transport protocols since secure messaging was invented. Wrap the messages in something like GPG sending them over untrusted transports. Attempts to get away from that just resulted in more clever attacks with best providers now, privacy-focused or not, in countries doing mass surveillance of their backbones with teams of hackers firing exploits at popular combos of OS’s, browsers, and apps. Most privacy-focused providers use tech within the subset that the attackers focus on. Doesn’t inspire confidence. Best to assume anything even connecting to the Internet might get owned.
So, that leads us back to the old days of using high-assurance guards or best FOSS equivalent you can build. Untrusted server hardened as possible connects to email service to bring the emails in. They run through a guard that is an embedded computer with literally just enough code to pull files in, maybe integrity check them, and send them to your computer on inside of network. Optionally IOMMU, non-DMA links, or hardware you had source to (FPGA-based solutions do this). Guard only pulls things in when you tell it to via plugging in the actual cords and authenticating with something attached to it (i.e. trusted path). Such a design is called a Mail Guard. They were mandatory for bridging classified and non-classified links in DOD for a long time.
Although it can be just FSM’s on a micro-controller, here’s an example of a high-assurance, mail guard from the past to show some basic considerations:
https://cryptosmith.files.wordpress.com/2014/10/mailguard.pdf
Whereas this SAGE paper shows what a full-fledged guard would do in government or enterprise setting. This kind of complexity is dangerous, though, where you’d want to make the implementation as safe as possible. The TCB itself is small, though.
https://webcache.googleusercontent.com/search?q=cache:oOyYDOu3rfEJ:citeseerx.ist.psu.edu/viewdoc/download%3Fdoi%3D10.1.1.133.4225%26rep%3Drep1%26type%3Dpdf+&cd=1&hl=en&ct=clnk&gl=us
This determination isn’t up to an individual, though. Email is considered a secure fallback for resetting authentication on nearly all websites.
True. However, it is up to the individual which provider they choose and how they connect to them. A lot of the lay people reading Krebs on Security follow his advice of using Puppy Linux LiveCD’s to do their banking and/or email. They try to check for the HTTPS, use good passwords, and so on. Some used security-focused solutions like Hushmail with ProtonMail being popular recently.
So, one can still treat email as insecure with extra protection even when forced to use it. Even lay persons are doing that. The technical folks should be able to do even better.
Yep.
Exploits? To what end?
They can read your emails, forge emails from you, get your contact list, any personal info provider has, and (as pushcx noted) possibly use the account to change or acquire passwords to other services.
If you want free SMTP and IMAP access, as well as unlimited storage and your own domain, take a look at Yandex Mail for Domain. https://domain.yandex.com/
They even have API (e.g., for moving your domains between another provider). In addition to mail, you also get XMPP, too; and they have a bunch of apps in all the app stores.
They’re obviously a yuge and profitable company — https://yandex.com/company/ — so, if you deploy this, it won’t be gone the next day (plus, using your own domain means you could switch in a jiffy). They also have free email support, unlike Google.
Doesn’t Russia have even worse privacy protection than the US? Yandex is based on Moscow, and I can only imagine that any email the government feels like looking at, they probably can.
US certainly has strong free speech rights, but privacy?!
Besides, are you Russian? Do you even have any Russian connexions? If not, then for you the service may as well be as offshore as it gets.
The same applies in every first-world country, at least. Putin is much less likely to give a fuck about you or what you’re doing than your local rulers.
This inspired me to dig up a Swiss e-mail service provider I remembered seeing on Hacker News.
Here it is: https://www.migadu.com/en/index.html
I’m not a customer (nor affiliate), but it seems like it could be a good service.
I set up Migadu for one of my customer and it was worth it.
[Comment from banned user removed]
Seconded, although I disagree about it being hard. The majority of the difficulty is in knowing that you need SPF and DKIM. Setting them up isn’t rocket science.
https://www.bettercloud.com/monitor/spf-dkim-dmarc-email-security/
This is often repeated as truth and rarely challenged, but in my experience running an e-mail server is not hard at all compared to many other system administration task. I’d put it about average. Any competent person should have no problem doing it.
Implementing LDAP+Kerberos in an enterprise setting where it needs to interact with Windows clients is hard. Compared to that, running a mail server is a piece of cake.
I’m interested, If you don’t want to post here, care to send me a private message? Thanks.
[Comment from banned user removed]
Postfix is not the only game in town though.
[Comment from banned user removed]
I don’t think so. All the information is exposed, I don’t think anything is hidden, it’s just exposed in a way that at least some people consider easier to understand. You certainly need to understand how e-mail operates both with Qmail and Postfix, it’s just that with Qmail it’s easier to get a good, safe setup while postfix is confusing. At least to many people it is.
I also heard good things about OpenSMTPD, but I haven’t had a change to actually work with it yet. To be fair, I also heard bad things from someone who migrated to OpenSMTPD from Qmail. We’ll see, I’m certainly interested in giving it a spin.
Another happy fastmail user here, besides all things already mentioned here they have yubico support for 2FA.
I run my own email server for 15+ years using Postfix, Dovecot and lately Rspamd. Additionally some close friends and a few small companies I administrate use my email service. I never had any trouble being blocked or appearing on any DSBLs.
Though the initial setup can be a bit cumbersome, especially for non-sysadmins, it’s certainly doable and highly rewarding once the emails come in. :) I suggest you occasionally check if your IP/domain is blacklisted in the bigger lists. Also periodically check that you’re not an open relay due to some misconfiguration or configuration error because of updates. Add SPF records to your domains. Use valid and up-to-date certificates. Keep an eye on the logs and of course most importantly - generate backups!
Are you looking to host your mail on your own domain? If so, I’ve had pretty good experience with zoho, which has servers both in the US and the EU which I find convenient. Also great is uberspace but it’s more involved — you create an acount, you pay as much as you like (minimum 2€ per month), and you get an SSH login (pubkey based), they have scripts to automatically set up a mail server with your own credentials, IMAP/SMPT, spam filter enabled, and they take care of updates and all that. Great service. Uberspace is hosted in Germany, you can hook up your own domain to both sites, and I think they have like 10GB each of mailbox storage.
Oh, I also use zoho. Mostly because of the catch-all functionality. If anyone could recommend a more privacy-focused host with that thing available I’d be grateful.
I use uberspace as well and really like it! The setup is easy enough and is documented quite well (if you know German…). They use qmail which makes custom rules for retrieving and processing incoming mail quite easy.
The 10 GB storage they offer is for the entire account that is on their server, so it’s shared across all accounts that are served on that server.
They also offer a trial month where you do not have to enter any personal data and the payment model is pay what you want, which I personally really appreciate.
I run my own mail server hosted out of DigitalOcean. I have backups running on a weekly basis in case the VM crashes for whatever reason. The mail server itself wasn’t tremendously difficult to set up and I have full control over my stack, so I’m able to easily make changes if need be. Recently I’ve been meaning to get around to replacing my common email address with aliases per service, e.g. amazon@example.com, lobsters@example.com, etc., which would all redirect to my primary mailbox. This would help to filter out spam, which I get very rarely. (About 1-3 emails a day.)
I use fastmail (on my own domain) and gmail (work uses it on their domain, plus I have a personal gmail account).
(* with proportionally high variability. I’ll get three junk messages in one day and then nothing for a month.)
Fastmail. The webmail is really nice, really nice.
Only downside I ever had was when you create calendar entries with invites, it does not actuall invite anyone as you would expect.
That does work for me just fine. Did you open a support case?
It was about three years ago at
$ORK[-1]when I last used it. Those that cared at the company we just gave them an O365 account and let them slum it there :)I switched to AWS Workmail about a year ago. It’s been great. I use their Exchange support, which works with all my i-devices.
I didn’t expect to be the first to mention Autistici/Inventati.
I have a grandfathered plan on GMail (used to be called “Google Apps for Your Domain”).
I’ve used Pobox for around 10 years, and have friends who have used it for longer. Their reliability is fantastic , their customer service is great, and the features are solid for a good price. They’ve been in business for 22 years, and a couple years ago they became a subsidiary of FastMail, which as you can see is also recommended by the people here. Given the history of both companies, I think that the result of the acquisition will be that both of them just get better — for instance, FastMail had the better webmail interface, but that’s now available to Pobox customers as well.
I use https://soverin.net/ Nice to have an email provider within Europe + one that focuses on privacy and the core feature rather than at a million other things
I’ve used fastmail before and was generally quite happy. These days I run my own mail server. There are lots of resources around on how to setup a mail server on a VPS, if you like to go that path. You should check out Mailu too.
What you’re going to find looking for a reliable, long-term service is you have to go for the market-leader or one of the also-rans that have been around a long time. You’ll have to put up with whatever crap is standard for them since the better ones will come and then poof be gone. That’s for most online services. Fortunately, one of the also-rans, FastMail, gets incredible reviews everywhere I see it. I’d go for that if you want a Gmail alternative. I also saw many successful transitions from Gmail to FastMail in various forums.
For personal stuff, I run my own server (exim etc). The technical side of things is fine there.
These days I have my own company, and one consideration is “how much proof is it, if I have an email record of something and there’s a dispute”. If I ran the mail-server and the logs, there’d be a high bar to prove something is a truthful record. As a one-person shop, I don’t have the staffing for it to be otherwise. By outsourcing my email, to people I presumably can’t influence to fake logs, I gain the ability for third-parties to trust that if I have evidence that it’s a truthful record.
So I’m using Fastmail for my LLC. I’m happy with the service. There was some hinkiness around account types and 2FA because they shoe-horned support into existing auth protocols “strangely”, but they’ve gotten past that. Their public IMAP is excellent, the web-browser works well enough to handle the bulk of stuff conveniently and the iOS app works well enough for my needs. My biggest issue is the number of folks assuming Google Calendar and the more limited interop with sharing calendars between accounts, so I ended up creating a gmail-less Google account and eventually enabling Google Calendar on that too.
Is there a specific procedure for that? My cursory search didn’t bring up anything noteworthy.
I just went to accounts.google.com in an incognito window, saw
More options, clicked that, and the first item in the pop-up isCreate account.You’ll need a working email account elsewhere, and the Google account will be tied to that address. If it’s in a domain which later transitions to Google Apps then there will some reconciliation work needed by the domain admins to handle stuff like Calendar, I don’t know what’s involved these days (and don’t recall what was involved back when I did know).
I use Fastmail too, for ~5years (on Gmail before). It is too cheap and reliable to bother hosting it myself. Emails are so crucial and such a basic need that I cannot afford spending time on it.
I tried switching to ProtonMail for a while but I’m back on Gmail.
What led you to switch back to Gmail?
Ultimately, it was because protonmail take a long time to load while Gmail is nearly instant.
Switched from GMail to protonmail last year, pretty happy so far. Using my own domain so I’m a paying customer.
If you own a domain name, your registrar may provide e-mail too
They are expected by companies to work for automated mail, so it may be reliable enough for personal use.
For my new business account (with custom domains), I’m using ProtonMail. I had used FastMail in the past, and it was fine, but I wanted to support the FOSS aspect of ProtonMail (pretty much the same price for both). I thought about running my own email server on Digital Ocean, but even at $5 a month, that’s more expensive than ProtonMail’s “Plus” plan ($48/year) or FastMail’s $50/year.
The Fastmail folks are the de facto (if not now de jure) maintainers of Cyrus IMAP and have open sourced their work there. They’ve been quietly supporting OSS right for years.
Good to know! I guess ProtonMail’s web site/marketing is oriented more towards techies, e.g., OSS is a “feature” for them. So nice to know that either company is a good option for supporting OSS.
Fastmail :)
Using fastmail and very happy with it, protonmail looks like a nice alternative too.
Another vote for Fastmail, spent a long time on gmail but decided to stop relying on google for almost everything except maps and youtube.
Tried rolling my own email box, but thats way hard
Another happy Fastmail user. It even supports push email on the default iOS mail app, if that’s what you’re using. Junk filtering wasn’t great initially but it quickly caught it to what I had before after a few weeks of using their spam training system.
I’ve been using runbox for over a year now, and it works quite well. The web UI is nothing special, but I primarily interface through IMAP, and I haven’t had any significant problems with them.
I’m in the US, and they’re in Norway, and they’re very conscious of legal issues around privacy, which is a feature I appreciate.