
Ask HN: Secure email provider - drKarl
I was looking for a secure email address. After some research, Protonmail, although it looks good and has an A+ SSL rating, can't be used with POP3/IMAP, only with their proprietary API with their web client or mobile client, and that is a deal breaker for me.

Countermail allows you to upload your public key so that any non-encrypted incoming email is encrypted in the inbox. A few others also looked good for one reason or another, including some in offshore locations for extra privacy/anonymity. Then I tested them on the Qualys SSL tool and some other tools and the rating of most was terrible. Countermail had a C rating, what a disappointment.

PFS = Perfect Forward Secrecy
DANE = DNS-based Authentication of Named Entities

My findings were:

- Germany based posteo.de has an A+ SSL rating, including PFS and DANE, and can encrypt incoming email with your public PGP key; the problem is you can't use your own domain, although they do have many domains you can choose from.
- Germany based mailbox.org has an A+ SSL rating, including PFS and DANE, can encrypt incoming email with your public PGP key and you can use your own domain.
- Belgium based mailfence.com has an A+ SSL rating including PFS, but no DANE. Can encrypt incoming email with your public PGP key and you can use your own domain.

Please note both Germany and Belgium are 14 eyes countries. They have good privacy legislation but if a court warrant was served to give information about a user they would have to comply.

Posteo.de claims they don't provide the possibility of using your own domain so that they don't know anything about you, so they have privacy in mind. In my case it was for a business email so I wanted security and being able to use my domain.

Mailfence donates to the Electronic Frontier Foundation and Digital Rights Foundation but doesn't support DANE for now. Is DANE that important?

Any other service on par with these that you know? What are your thoughts?
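For readers weighing the "Is DANE that important?" question, it helps to see what a DANE TLSA record for an MX host actually commits to. The following is an added example (not code from the original post or from any of the providers mentioned): it parses a TLSA record in zone-file form, extracts the SubjectPublicKeyInfo from a DER certificate with a small hand-written DER walker, and checks whether the certificate matches the record the way a DANE-aware SMTP client would for the end-entity usages. The certificate is a constructed, unsigned toy built inline (placeholder OIDs, no real key), and the `3 1 1` / `3 0 1` records are derived from it, so nothing here is a real provider's record. Only usages 1 and 3 (end-entity) are implemented; the trust-anchor usages need the whole chain and are deliberately left out.

```python
"""DANE TLSA matching against an SMTP server certificate (RFC 6698 / RFC 7672).

Added example; the certificate is CONSTRUCTED inline and is not a real one.
"""
import hashlib
import hmac
from dataclasses import dataclass


# ---- minimal DER helpers: enough to build and walk an X.509-shaped structure ----

def der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV with the given tag byte."""
    return bytes([tag]) + der_len(len(content)) + content


def der_children(buf: bytes) -> list:
    """Return the (tag, value) pairs of the TLVs laid out back to back in buf."""
    out, offset = [], 0
    while offset < len(buf):
        tag, first = buf[offset], buf[offset + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            n = first & 0x7F
            length, hdr = int.from_bytes(buf[offset + 2:offset + 2 + n], "big"), 2 + n
        start = offset + hdr
        out.append((tag, buf[start:start + length]))
        offset = start + length
    return out


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate     ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate  ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                   issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    (_, cert_body), = der_children(cert_der)[:1]
    _, tbs_body = der_children(cert_body)[0]
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:          # explicit [0] version is optional; skip it
        fields = fields[1:]
    spki_tag, spki_body = fields[5]   # serial, sigalg, issuer, validity, subject, SPKI
    return der(spki_tag, spki_body)


# ---- TLSA record handling ----

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the zone-file form, e.g. '3 1 1 <hex digest>' (hex may be split by spaces)."""
    usage, selector, matching, *hexparts = presentation.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex("".join(hexparts)))


def tlsa_association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Compute the 'certificate association data' for a certificate under selector/matching."""
    selected = cert_der if selector == 0 else spki_from_certificate(cert_der)
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {matching}")


def tlsa_presentation(cert_der: bytes, usage: int = 3, selector: int = 1, matching: int = 1) -> str:
    """Generate the TLSA record an operator would publish for this certificate."""
    return f"{usage} {selector} {matching} {tlsa_association_data(cert_der, selector, matching).hex()}"


def tlsa_matches(record: TLSA, cert_der: bytes) -> bool:
    """End-entity match only (usages 1 and 3); usages 0 and 2 need the chain walked."""
    if record.usage not in (1, 3):
        raise NotImplementedError("trust-anchor usages (0, 2) need the full chain")
    computed = tlsa_association_data(cert_der, record.selector, record.matching)
    return hmac.compare_digest(computed, record.data)


# ---- constructed toy certificate (no signature, placeholder algorithm OIDs) ----

def constructed_certificate(pubkey_bits: bytes, serial: int) -> bytes:
    """Build a structurally valid but unsigned DER certificate. CONSTRUCTED for the example."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption, NULL
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey_bits))
    name = der(0x30, b"")                                   # empty Name is enough for a toy
    validity = der(0x30, der(0x17, b"170101000000Z") + der(0x17, b"270101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))   # placeholder signature value
```

Two properties worth noticing when you run it: a `3 1 1` record (DANE-EE, SPKI, SHA-256) keeps matching after the certificate is renewed with the same key, which is why RFC 7672 recommends it for SMTP, while a `3 0 1` record over the whole certificate breaks on every renewal; and neither record matches once the key is rotated, which is the operational failure mode (TLSA not updated in step with the key) that makes DANE deployments fragile. None of this says anything about who controls the DNS zone the TLSA record lives in, which is the separate concern raised elsewhere in this thread.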
======
tptacek
If you care about security in the sense that the EFF does, you should _not_ be
seeking out providers that rely on DANE for security. DANE is a tree-
structured PKI, like the SSL/TLS web PKI, where world governments have de
facto control over the tops of the tree. The overwhelming majority of email
domains we see on HN every day are in DNS zones controlled by Five Eyes
governments.

There is a reason most secure providers don't use DANE.

[https://sockpuppet.org/blog/2015/01/15/against-dnssec/](https://sockpuppet.org/blog/2015/01/15/against-dnssec/)

~~~
drKarl
Very good read, thank you!!

------
rendx
[https://runbox.com/](https://runbox.com/) from Norway has been around for
quite some time. Don't know if they meet your requirements.

------
oblib
Have you looked into building your own mail server?

It's certainly a bit of work but it may be worth your effort.

Check out [https://mailinabox.email](https://mailinabox.email)

~~~
drKarl
I know about self hosted solutions like mailinabox and mailpile, and sure, it
would be fun to set them up to try them out, and they're much easier than
going low level with dovecot or postfix and putting all the pieces together
yourself, but it still requires maintenance: updating the OS and the software,
keeping your server secure from intrusions and so on. I could do it, and I
understand the reasons why someone would do it, but I think it's time
consuming, and I'd probably not do as good a job of keeping the server secure
as a dedicated team.

~~~
oblib
MIAB installs OS updates automatically and the Admin tools alert you when
updates have been installed and prompt you to restart the server. You can
configure it to auto install updates to the MIAB install, or not. I've set
mine up to not install them. This allows me to make a snapshot before
installing them in case they break something.

The biggest downside I've run into with MIAB running on DigitalOcean is being
blacklisted by AOL. Other services like Gmail and Outlook might send emails to
a user's spam folder until they mark them as "Not spam". It took me a bit of
fine tuning on my end to get my "Spam Score" down to less than a point or two
but that was really a good exercise to go through.

There were other benefits I hadn't considered though, like the built-in DNS
server that comes with MIAB. I ended up moving the DNS records for most of my
sites over to it. And it manages SSL certs automatically for domains running
on it, or that use its DNS server.

It was time consuming to get it set up right though. I went through the
process 3 times before I began to understand what was needed.

------
steanne
fastmail blog post on dane from last december:

[https://blog.fastmail.com/2016/12/20/dnssec-dane/](https://blog.fastmail.com/2016/12/20/dnssec-dane/)

~~~
drKarl
I heard good things about fastmail too but it's hosted in a five eyes
country...

~~~
steanne
wasn't suggesting it, just pointing you at an article about dane.
