Secure and Private E-mail: A Provider Overview

The current state of e-mail services that provide encryption and privacy.

(2017-06-16) Due to time constraints (kids, work, life, etc.), the feature matrix is no longer actively maintained. To get up-to-date information, I suggest you visit one of the many other similar sources on the internet. Good starting points are privacytools.io, prism-break.org, and That One Privacy Site.

It’s been almost two years now since I started to move my online presence away from the big, closed source, tech behemoths to open and more privacy focused companies. I’m now using Firefox (open source) for browsing, DuckDuckGo for anonymous internet searches, I’m syncing all my bookmarks to a private Firefox Sync Server, and I’m using a private OwnCloud server for online storage. You can read about how I did all that in my PRISM Break series of posts.

But I’m still stuck with Gmail. The main reason is that there are few, perhaps no, other companies that can provide the same kind of service Google does for free. But you know the saying: “If you’re not paying for it, you’re the product.” So I’ve realized that I have to pay a few bucks a year for a similar service somewhere else. And I’m fine with that. The upside is that I can start using an e-mail provider that focuses on encryption and privacy, something that might not be Google’s top priority.

To get an overview of which providers are currently available and what kind of services they provide, I found six e-mail providers that on the surface seemingly can deliver what I’m looking for. All information in the table is provided to the best of my ability and is based on what I could dig up on the various providers’ sites. Pricing has been omitted because the different providers offer very different packages and the table would have grown way too large if I were to include all that information. All information should be correct as of the “last updated” date below, but always consult the latest information from the service provider. Note that some of the features are only available with paid premium accounts.

(2020-04-13) I have removed the feature matrix. It’s now so terribly outdated that keeping it online should be considered misinformation. Instead, use one of the better maintained sources mentioned in the first paragraph above.

Some words on trust

As long as you don’t self-host, encrypted and private e-mail is a matter of trust. You basically have to trust that the provider is actually running the service in the manner that they advertise. Do they encrypt like they say? Are their servers indeed located in a country out of reach of overzealous government agencies? If they state that their software is open source, is the code you see really the code running on their servers? All this might sound somewhat paranoid, but if you want true encrypted and private e-mails, and not just the illusion of it, you have to be a bit paranoid and look at the possible scenarios.

Self-hosting

The only way to be absolutely sure that your e-mail stays encrypted and private is to self-host, that is, to host your own e-mail service on a server that you control physically, and encrypt with keys you control. For most people, that would mean on a server located where they live, but setting up something like that is not for the average Joe. You also have to use an ISP that allows privately hosted mail servers, and in a world where most of us only have one or two ISPs operating in our area, that might not be possible. If you’re tech savvy enough to set up and maintain an e-mail server, and your ISP allows you to host it on their network, you’re still at the mercy of your internet connection’s uptime and availability. Sometimes your internet connection will go down, and in my experience, ISPs don’t actually scramble to get it fixed. An e-mail server being offline can be a major inconvenience when you’re trying to check in at the airport and your ticket is in an e-mail on your unavailable e-mail server.

If you want to give self-hosting a try, though, the Mail-in-a-box project might be something you should consider having a look at.

Other great sources for privacy tools and information about how to opt out of global data surveillance programs are privacytools.io, prism-break.org, and That One Privacy Site.


Feedback

Do you have any thoughts you want to share? A question, maybe? Or is something in this post just plainly wrong? Then please send an e-mail to vegard at vegard dot net with your input. You can also use any of the other points of contact listed on the About page.
