Secure and Private E-mail: A Provider Overview
The current state of e-mail services that provide encryption and privacy.
(2017-06-16) Due to time constraints (kids, work, life, etc), the feature matrix is no longer actively maintained. To get up-to-date information, I suggest you visit one of the many other similar sources on the internet. Good starting points are privacytools.io, prism-break.org, and That One Privacy Site.
It’s been almost two years now since I started to move my online presence away from the big, closed source, tech behemoths to open and more privacy focused companies. I’m now using Firefox (open source) for browsing, DuckDuckGo for anonymous internet searches, I’m syncing all my bookmarks to a private Firefox Sync Server, and I’m using a private OwnCloud server for online storage. You can read about how I did all that in my PRISM Break series of posts.
But I’m still stuck with Gmail. The main reason is that there are few, perhaps no, other companies that can provide the same kind of service Google does for free. But you know the saying: “If you’re not paying for it; you’re the product.” So I’ve realized that I have to pay a few bucks a year for a similar service somewhere else. And I’m fine with that. The upside is that I can start using an e-mail provider that focuses on encryption and privacy, something that might not be Google’s top priorities.
To get an overview of which providers are currently available and what kind of services they provide, I found six e-mail providers that on the surface seemingly can deliver what I’m looking for. All information in the table is provided to the best of my ability and is based on what I could dig up on the various provider’s sites. Pricing has been omitted because the different providers offer very different packages and the table would have grown way too large if I was to include all that information. All information should be correct as of the “last updated” date below, but always consult the latest information from the service provider. Note that some of the features only are available with paid premium accounts.
(2020-04-13) I have removed the feature matrix. It’s now so terribly outdated that keeping it online should be considered misinformation. Instead, use one of the better maintained sources mentioned in the first paragraph above.
Some words on trust
As long as you don’t self host, encrypted and private e-mail is a matter of trust. You basically have to trust that the provider is actually running the service in the manner that they advertise. Do they encrypt like they say? Are they servers indeed located in a country out of reach of overzealous government agencies? If they state that their software is open source, is the code you see really the code running on their servers? All this might sound somewhat paranoid, but if you want true encrypted and private e-mails, and not just the illusion of it, you have to be a bit paranoid and look at the possible scenarios.
The only way to be absolutely sure that your e-mail stay encrypted and private is to self-host, that is to host your own e-mail service on a server that you control physically, and encrypt with keys you control. For most people, that would mean on a server located where they live, but setting up something like that is not for Average Joe. You also have to use an ISP that allows privately hosted mail servers and in a world where most of us only have one or two ISP operating in our area, that might not be possible. If you’re tech savvy enough to set up and maintain an e-mail server, and your ISP allows you to host it on their network, you’re still at the mercy of your internet connection’s uptime and availability. Some times your internet connection will go down, and in my experience, ISPs don’t actually scramble to get it fixed. An e-mail server being offline can be a major inconvenience when you’re trying to check in at the airport and your ticket is in an e-mail on your unavailable e-mail server.
If you want to give self-hosting a try, though, the Mail-in-a-box project might be something you should consider having a look at.
vegard at vegard dot netwith your input. You can also use any of the other points of contact listed on the About page.
I’ve updated the storage encryption feature in the matrix based on the information provided on the mailbox.org page about encrypted mailboxes.
Some inaccuracies regarding mailfence:
- Users can import their existing mail in Mailfence (from .eml or through imap)
- We will be launching 2FA very soon as well as openpgp encryption through the webbrowser
- Storage encryption is in our roadmap
If you get in touch at [e-mail removed] , we’ll be happy to give you more info.
I’ll update the feature matrix based on you comment above, but also mentioning it on your website would probably be of a lot of help to potential users.
You’re right we need to add this information on our site.
Mailbox.org would probably benefit from making this information easily available on your website. Right now, I can’t find it anywhere, not even in the blog post "At last: Comprehensive browser-based PGP encryption for e-mails and files" (https://mailbox.org/en/at-last-comprehensive-browser-based-pgp-encryption-for-e-mails-and-files/), which clearly states that you are open source, but which doesn’t provide a link to the actual code.
2. All data is stored on fully encrypted drives see https://www.fastmail.com/help/technical/architecture.html)
3. We also have servers in Amsterdam as well as the US.
4. We don’t have a warrant canary, as we have yet to see any sound legal basis for these (the main legal advice we’ve had is that using a warrant canary would essentially be violating any law prohibiting disclosure of a court order).
5. We use (and contribute) an awful lot of open-source software (for example we are the major contributors to Cyrus, one of the two big open-source email servers), however we have proprietary software as well.
2. I’ve upgraded the feature matrix accordingly.
3. How can I make sure my e-mails are stored in Amsterdam and not in the US?
4. I’ve added this information as a footnote.
5. I’ve added this information as a footnote.
^ Although many on the list above I had never heard of before
@vegardskjefstad: As a follow-up to my previous post, I would like highlight following updates.
Built-in E2EE: Yes
Transparency report: Yes
Warrant Canary: Yes
Bitcoin payment: Planned
For more details, you can contact us at firstname.lastname@example.org, and we’ll be happy to address any of your further queries.
Thanking you for your time.
- Mailfence Team
Under the same notion - this to inform you that we now support bitcoin payments as well (https://blog.mailfence.com/2016/06/14/mailfence-accepts-bitcoins-for-payment/) and request you for an update.
- Mailfence Team
Kindly change their respective status’s as planned in your feature-matrix.
We want to know if your email provides calendaring which can be shared between team members?
Can one team member see the others calendar or be able to invite them?
Also what do you mean by groups in your offering? What is a group and why does one need multiple groups?
1) Support of OpenPGP/GPG - I know you have a box about not having to have this but actually supporting this is quite crucial. Email providers that do support this allow e2e encryption between two different services. Protonmail for example can only receive and not send, Tutanota doesn’t support this at all whereas users of Mailbox.org and Posteo could do this.
2) Support for symmetric encryption. Protonmail, Startmail, Tutanota and Mailbox.org allow users to send links to a message whereby the recipient inputs a password
3) You have a lot of providers here but possibly KolabNow could be added to?
4) In addition to POP and IMAP, how about adding those that support ActiveSync? For those users that wish to move away from Gmail etc, they may find the lack of push email a disappointment if not supported by some of the above providers.
Will your own list be available online? I’d like to link to it if possible.
(I’m not related to that service)
Please take a look at Fossa Guard provides S/MIME support on top of Gmail supplied with free X.509 certificate. Does it fit your survey?
We try to build a solution with a focus on usability and a minimal possible security compromise for our users.
I found this interview of their founder pretty interesting: https://anonymster.com/mailfence-patrick-de-schutter/
apparently runbox now supports 2fa (https://blog.runbox.com/2017/03/new-account-security-features-launched/)
MsgSafe.io was also listed on this comparison chart which might provide you with more of what you’re looking for: https://thatoneprivacysite.net/email-comparison-chart/
I use their service and they are great.
Sorry to add to the work load but your info seems to be the most detailed and complete of any available .. Could you consider adding u/i … Many many people seem interested to be matching out of big bizz email traps. Your efforts are really commendable!
open source. Tor ready. easy encryption. import certificate option. disposable adresses. Really like it.
mailbox doesn’t have half of the green squares.
digitalenvelopes doesn’t seem to exist.
It looks like you're using Google's Chrome browser, which records everything you do on the internet. Personally identifiable and sensitive information about you is then sold to the highest bidder, making you a part of surveillance capitalism.
The Contra Chrome comic explains why this is bad, and why you should use another browser.