For me, email is the 'master key' for most of my online accounts (because password resets are done via email so if your email account is compromised an attacker can quickly leverage access to other services) and email security is top priority. I didn't see anything about using two-factor authentication with this service - is it available?
Also, your site only supports obsolete HTTPS protocols, TLS 1.0 and SSLv3. You should drop SSL 3 and enable support for TLS 1.2. Here's a test you can run with feedback and resources to learn more about secure configurations: https://www.ssllabs.com/ssltest/analyze.html?d=migadu.com&s=...
We'll add 2FA in the near future. We were unaware of the great demand for it. :)
Bruteforcing is not realistic with even medium password strength.
If by "rubber hose", you mean physical coercion, what would prevent the attackers from coercing you for your email or your phone as well?
I think that the main reason 2FA has been pushed is for the Facebooks or the Googles to have good reasons to get your valid email and your valid phone number.
Or maybe I am missing something obvious?
Yes. Google and Facebook aren't the only ones.
> I think that the main reason 2FA has been pushed is for the Facebooks or the Googles to have good reasons to get your valid email and your valid phone number.
You don't need a valid phone number to implement 2 factor authentication. There are implementations that require it, sure. But it's not the only way.
Are you referring to AWS Multi-Factor Authentication (MFA)? It's indeed a good implementation, but its usage is very limited and most people are not referring to this when they are talking about 2FA.
- A physical device that you need to plug in
- A physical device that generates a token
- It could also be a token that gets sent to your phone or email and you input (like Facebook, Google, banks)
- An action you need to perform on another device (another bank)
- Google Authenticator (and other authenticator apps)
- I have also seen a message encrypted with your GPG public key that you decrypt and submit.
I have seen all of the above in different circumstances. The only one I have never seen is biometrics, and it's usually because of the cost. Also, you can't change (or chop off) your finger, so it's harder to recall if there are issues, unlike the rest.
> most people are not referring to this when they are talking about 2FA.
I only know what I have seen and have worked with.
I use Authenticator for SSH'ing into servers. My banks send me a code or I need to launch their app (CapitalOne) on my phone. My business account had a physical device that generated a token that I had to input in order to login. I have used software in the past that required a key. GPG I have seen in some questionable sites when crawling them.
AWS is using TOTP (Time-based One-time Password) as specified by RFC 6238. Off the top of my head, the same protocol is supported by Google, Lastpass, Dropbox, Fastmail, Github, Wordpress, Evernote and Outlook.com. So it stands to reason that this is, in fact, one of the schemes most people are referring to when they are talking about 2FA.
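The RFC 6238 scheme the comment above refers to is small enough to show end to end. The following is an added example, not code from Migadu or from anyone in this thread: HOTP (RFC 4226) underneath, TOTP on top of it, and a server-side verification step that tolerates one step of clock drift and refuses to accept a code for a counter that has already been used (the replay check a 2FA implementation must add on top of the RFC's arithmetic). The secret and base32 string are the RFC test vector, used here as constructed demo input.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# Constructed demo value only: a real deployment generates a random secret per user.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP where the counter is floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, now: float, last_accepted: int = -1,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Returns the time-step counter the code matched, or None.

    - Accepts the current step and +/- `window` neighbouring steps (clock drift).
    - Rejects any counter <= last_accepted so a captured code cannot be replayed
      within its validity window; the caller persists the returned counter.
    - Compares in constant time."""
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the secret as base32 (otpauth:// URIs); tolerate
    lowercase, spaces and missing padding, which enrolment UIs commonly strip."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    print("code for the current 30-second step:", totp(DEMO_SECRET, time.time()))
```

The RFC 6238 appendix values (for example T=59 with SHA-1 and 8 digits yields 94287082) serve as a self-check for any implementation; if those do not reproduce, the HMAC input or the truncation is wrong. The `last_accepted` bookkeeping is the part most often left out of hobby implementations, and without it a code that was phished or shoulder-surfed stays usable for the rest of its window.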
An ephemeral TOTP value is almost useless to them in this case.
As for rubber hose: if your 2FA smartcard/token/device isn't carried after you leave the office (for example), attackers getting your password via a mugging on the street is less useful.
TLS 1.2 and Yubikey support are necessities, IMO.
> Until the end of November, you can use the discount code NOVEMBERRAIN to get 50% off any Migadu plan, permanently. Offer is valid only for new upgrades.
$2 per month is pretty good, or it makes the 'standard' plan roughly the same as non-discounted 'mini'.
Not entirely sure yet where you enter this code so I sent them a question.
Very quick response from the team.
You have to upgrade once first, then apply the code via Account > Coupons. So, upgrade to a monthly mini, apply the code, then upgrade to the plan you're after (the initial $5 will be subtracted from a yearly code if you select one). The code should apparently remain active no matter what once it's applied.
Sign up for the monthly version of the mini plan. You will be charged $5. Then enter the coupon code in the coupons tab from the left pane. You can then immediately upgrade to the annual version of the plan. You will be charged $19, bringing the total to $24 for one year (the half off price). It should save the trouble of paying full price for a year and sending an email for the manual refund.
I just noticed that the support email was marked as spam by outlook.com (weird, since I'd already marked the invoice and other emails from Migadu as "Not Spam").
Just upgraded to paid though, hoping it'll sort itself out in time.
Everyone is quick to jump and blame the small guy. :) Our reputation score is actually better than some of the largest email providers because of our low volume and individual verification.
I agree with you, but in the end, if all of those are correct on our side, it simply can be the spam filter on the other side. It is not only the sender who decides the deliverability :)
We do not use any tracking pixels.
Btw. Any suggestion is more than welcome and highly appreciated! Thank you for looking at Migadu!
It's not a case of blaming the small guy, it's a case of being careful who I trust with the deliverability of my email, and if you can't get your own email into my inbox, you're making me ask questions of your capabilities before I've even finished the sign up process. That's not a good start.
I was surprised actually. I do usually see this in some FOSS projects, but never in a commercial project.
It was actually quite refreshing.
> We do not count your domains, mailboxes, gigabytes or teeth.
yet the pricing page says:
> up to 100 outgoing emails per day
Even the most expensive plan says 2000. I'm not saying it's unreasonable, but it's certainly not unlimited in that respect.
We have to deal with spammers, phishing attacks etc. We diversify based on the actual, realistic needs of the organisation. For instance, a startup of 3 would not need to send 500 emails a day, that is a clear red flag. In practice we have yet to have a case of a user reaching those limits. Thanks again!
> For instance, a startup of 3 would not need to send 500 emails a day, that is a clear red flag.
There are many startups that do cold outreach, via cold emailing, that could send roughly 500 emails per day. I am not sure how typical this is, but as someone who has started sending cold emails as a direct sales tool, it seems to me that you just haven't had any customers like that yet.
If you do though, don't assume they are spammers.
For me, the bigger red flag is the response you got - I would expect a reputable mail provider to make it abundantly clear that the behaviour you describe is not welcome on their service.
Either way, the fact of the matter is sending cold emails is actually a powerful way to build sales -- there is a simple reason so many people do it, it works.
Like it or not, many startups do it.
So I was simply pointing this out for the OP's benefit.
We do have sales teams using Migadu. However, they simply estimated how much they would send and signed up for the higher plan. It's straightforward I believe.
I fear you will not be in the email business for long.
Sending sales emails is not the same as spam, at least not in the lines of business using Migadu. We are not judging what people do for a living, but rather try to aid them with worthy advice if there is a better way. Working hand in hand with users pays off and we both enjoy it. We're tired of being nobody to some wise Google(rs)....
If sales stop, the world would stop. Everyone sells something to somebody.
I'm sure your approach works for the customers you have right now, but if you consider the above to be an acceptable use of your service, then I stand by my statement that you won't last long in the email business.
They're charging based on something that actually has an impact. Sending an email incurs a load, as does receiving one back (you probably are getting a response), plus whatever work the emails may incur. The more emails you send, the higher the odds of needing clean IPs in case something happens (a blacklist is the first thing that comes to mind); dealing with blacklists is something that statistically will happen more often the more emails are sent. So they charge you by the impact each sent email has and for the cost of hard drives.
I guess they're charging more on a probability of the time they need to work on it the more emails are sent. There is a cost associated with developing the code, sure, but the more people, the less it is per person and once it's developed, it's only new features and maintaining.
It seems they've set it up to scale and it seems they have a lot automated. I'm assuming this based on this:
> According to our trials, it would take us up to 30 minutes to setup a completely new infrastructure and get all clients back live.
It seems very well structured and organized. I'm testing it out. Paid for a year. If I transfer everything (a couple of domains, but only a handful of accounts. Maybe I will end up setting them via aliases...) I may upgrade just to give back. I had been looking into OVH, Rackspace, FastMail, Google Apps, etc and hadn't switched because they charge for everything...
Can anyone more "in the know" compare this product to Fastmail for a simple personal email solution?
Note I don't care about most features, including custom domains. In fact, I'm not even sure I'll use a custom domain since that just increases the attack vector to my email. I just primarily want simple, reliable, and secure email.
Not that the pricing is likely to ever be an issue (knock on wood), but I'm a planner... of sorts.
- Use my domain provider's 1GB mailbox.
- IMAP on the phone, POP3 on the PC.
- I'm currently not subscribed to any high-volume mailing lists, and won't unless I'm a very active contributor. The only lists I follow are the announce lists from GNU, OpenBSD and FreeBSD. You don't need to subscribe in order to post to many email lists.
- Pop my mail into my computer, use procmail to check for spam & virus (spamassassin, clamav), sort likely spam into spam mailbox, non-spam into inbox, rest to /dev/null (spamassassin score>5 and/or clamav virus check positive). If I'm on any moderate-or-high-volume lists, sort them into different mailboxes (most of the content there is not sent to me, so no need to have them in front of me every time I look at my inbox).
- My inbox receives many updates from services and newsletters I'm subscribed to. I delete most mail from those if I won't have to return to them (e.g. a message about an event next week, I add the event to my agenda if I'm participating, and delete the mail; copy the relevant text to my agenda if necessary).
- Report to spamassassin and delete any message that escaped it and made it to my inbox.
- Check spam every-so-often, report ham and move to inbox, delete the rest.
- Use a combination of mpop, msmtp, procmail, spamassassin, clamav, Rmail, Org-Mode and mairix to get all this going (K9 mail on Android for IMAP there). Sounds complex, but isn't, nowadays I've tuned my setup to be pleasing. The only thing I'd like to do in future is to do POP, SMTP, sorting and search in Emacs instead of through all those programs.
One shortcoming of my setup is that once I pop my mail, I can't view it on mobile anymore. That's something I can fix (maybe there's an app for Android that can read local mail in the SD card), but I haven't had a problem up until now. And no, I'm not a unix-vintage-guy or whatnot, this setup is practical and pleasing to use (at least in my case), and I own all my mail the moment I pop it from my server, and nobody has a copy of it. If it's not on your disks, you don't own it.
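The routing policy described in the setup above (score-based spam sorting, virus check, mailing lists into their own folders, the rest into the inbox) can be expressed as a small local delivery filter. What follows is an added example and not the commenter's actual procmail recipes: it reads the headers that SpamAssassin (`X-Spam-Score` / `X-Spam-Status`) and a clamassassin-style scanner (`X-Virus-Status`) leave on a message and returns the destination folder. The thresholds `DROP_SCORE` and `SUSPECT_SCORE` are assumptions standing in for the commenter's "score > 5" rule and "likely spam" band, and virus hits are quarantined rather than discarded, so a false positive from the scanner can still be recovered. The sample messages are constructed for the demo.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed policy values (not the commenter's): above DROP_SCORE the message is
# not kept; between SUSPECT_SCORE and DROP_SCORE it goes to the spam folder.
DROP_SCORE = 5.0
SUSPECT_SCORE = 3.0


def spam_score(msg: EmailMessage) -> float:
    """SpamAssassin adds X-Spam-Score when configured to; otherwise the score is
    embedded in X-Spam-Status ("Yes, score=7.2 required=5.0 ...")."""
    raw = msg.get("X-Spam-Score")
    if raw is None:
        match = re.search(r"score=(-?\d+(?:\.\d+)?)", msg.get("X-Spam-Status", ""))
        raw = match.group(1) if match else "0"
    try:
        return float(str(raw).strip())
    except ValueError:
        return 0.0  # unparsable header: treat as unscored rather than crash delivery


def is_virus(msg: EmailMessage) -> bool:
    """clamassassin-style marker header written by the scanner stage."""
    return str(msg.get("X-Virus-Status", "")).strip().lower() == "yes"


def list_folder(msg: EmailMessage):
    """Mailing-list traffic is identified by RFC 2919 List-Id, e.g.
    'Announce list <announce.lists.example>'; the folder is derived from the
    identifier, with unsafe characters replaced so it is usable as a path."""
    list_id = msg.get("List-Id")
    if not list_id:
        return None
    match = re.search(r"<([^>]+)>", str(list_id))
    ident = (match.group(1) if match else str(list_id)).strip()
    return "lists/" + re.sub(r"[^A-Za-z0-9._-]", "_", ident)


def route(raw: bytes) -> str:
    """Return the folder a raw RFC 5322 message should be delivered to.
    Order matters: a virus hit wins over everything, then the spam score,
    then list sorting, then the inbox."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if is_virus(msg):
        return "quarantine"
    score = spam_score(msg)
    if score > DROP_SCORE:
        return "discard"
    if score >= SUSPECT_SCORE:
        return "spam"
    return list_folder(msg) or "inbox"


# Constructed sample messages for the demo (not real traffic).
SAMPLES = {
    "scored_high": b"From: a@example.test\nSubject: hi\nX-Spam-Score: 9.1\n\nbody\n",
    "status_only": b"From: b@example.test\nX-Spam-Status: Yes, score=4.2 required=5.0 tests=FOO\n\nbody\n",
    "list_mail": b"From: c@example.test\nList-Id: Announce list <announce.lists.example>\n\nbody\n",
    "virus": b"From: d@example.test\nX-Spam-Score: 9.0\nX-Virus-Status: Yes\n\nbody\n",
    "plain": b"From: e@example.test\nSubject: lunch?\n\nbody\n",
}


def route_all(samples=SAMPLES) -> dict:
    """Route every sample; handy for a quick manual run."""
    return {name: route(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, folder in route_all().items():
        print(f"{name:12s} -> {folder}")
```

The one rule worth stating explicitly is the ordering: the virus check runs before the score check so a malicious attachment with a low spam score does not land in the inbox, and the score check runs before list sorting so a spam message that forges a `List-Id` header still ends up in the spam folder.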
I'm intrigued by the idea of IMAP on the phone though. Are you able to sync sent mail this way? If you send mail from mobile, will the PC client get a copy of it?
Nope, I use phone mostly to browse mail, and send from there if and only if inevitable. And if the sent mail is too important to keep, I BCC myself and sort it out on the PC later. If your mail provider saves sent mail, I guess you could just fetch that; mine doesn't. Also I guess depending on your phone MUA, maybe you could fetch it from its storage. WRT IMAP, I just use it like POP3 w/ keep on, used it b/c was easier to set up. Phones are incredibly inconvenient for typing anything that's not a whatsapp blurb, so I mostly use it that way.
It seems smart to keep the mail on the server for a while, I'd be glad to know how you do that.
As for keeping on the server, it's a setting in the client. In K9, for example, Settings > Account Settings > Fetching Mail > When I delete a message.
K9 only provides "delete" or "don't delete" options. Outlook has "delete after X days", but I assume others must as well.
Have you given a try to mu4e? I've been using that for more than 5 years now and it is really great :).
Edit: I also don't really use tags etc. to classify my mail, and don't have a plethora of email as I delete most of it after reading, so a list of all I have is the best interface for me, which Rmail provides.
This depends on your use-case. For running a single account, yes. For one intended use-case of Migadu (managing multiple accounts across multiple domains), then no.
I just wanted to add the card and then go to another page to sign up for the very small $4 a month plan, but ended up being charged $17 immediately.
Love the service concept, love their FAQ and apparent expertise, but hate that they did that.
Also, thanks for pointing out that GMail also has a daily cap on sending emails out. I've never ever come close to it, but never realised there is a cap on their service.
I used to try and run them all under one email client, but it got messy to try and keep replies separate and coming from the correct domain address (for support and marketing queries etc.). Also, trying to run one inbox on mobile was achievable, but tricky.
I like having each web app domain in a totally separate, sandboxed inbox. Occasionally I delegate the handling of a particular inbox to another team member for a week or two while I am either away or working on a project, so it is nice to be able to attach/detach an Inbox from my conscious management whenever I like.
I can't imagine switching to an email provider that didn't use 2FA for that very reason.
A motivation for Migadu as a service would be the ability to attract more enterprise customers. I know that at my company, MFA is required for all email accounts. Offering MFA would be very attractive to companies wanting to move their email over to Migadu.
Nevertheless, thank you guys for all the suggestions, we will work to get 2FA in ASAP.
It's slowly being adopted by major players, Google, Github and LastPass to name a few.
Having the ability to integrate TOTP or U2F (or both) would make this my go to recommendation for, well, everyone.
Also, when you open up a link in the menu as a new tab (via middle mouse button) the current tab becomes unusable due to the loading icon you overlay. Very annoying!
And finally - it'd be good to have a demo of the web client without having to register. Because that's essentially what most people will be paying for since email plumbing is pretty standard across providers.
The mail going to junk is an unfortunate reality, there are never any guarantees with any mail service, and especially with new services. We've already had the big ones play muscles on us several times.
Thank you for reporting the new tab bug, will be fixed!
The webmail / ui demo is coming up too. Thank you for suggesting it!
> We've already had the big ones play muscles on us several times.
Without calling names, can you elaborate on that?
I typically don't send more than 40 emails a day. But have several domains I would like to have email for... paying $10/address is a bit steep to say the least for that use case.
You are paying for convenience here.
This pretty much breaks the entire usecase, as you cannot build an IP reputation.
To the other point, if you have a problem with spam scores, you are probably sending too much mail for this sort of solution (consider Mailgun 10,000 emails/month for free). For an individual it is fine, not for use as a mailing list. A clean IP address (every IP I've ever tried was clean), DKIM, and SPF will allow you to hit pretty much anybody. It might take a few people pulling you out of spam on gmail before you can send to them, but I think that's true of any new mailserver.
I can't say email limits are ever something I've thought about.
I got Google apps when it launched and was a great free option. Now they've removed free accounts, and even on the grandfathered free accounts, they don't let you add new domains anymore... I really just have 1 important account, and unimportant ones for hobby domains, so this is a great option for me. I considered PO Box for my important account, but for now, I'll just try this for all my domains.
I really like the simplicity. I sent some test emails: Google and my work's exchange correctly get the email. outlook.com flagged it as spam. I only have 2 concerns. 1, they need 2FA ASAP (which they've acknowledged), and 2, how long will these guys be around. How many employees are there, how much investment. It would suck if 12 months from now they shut down. It would be a scramble to move something as important as email. Rather than shutdown, most companies in these types of businesses up the price, remove features from the cheaper plans etc...there's no promise of price lock-in here, but since that's their market, I suspect they're aware of the effect a price increase might have.
Just signed up for the mini plan and if it does in fact give me about 15 somewhat reliable email mailboxes for just $48 a year I'll be a happy customer. With the 50% off it's a steal compared to other services, especially with my number of mailboxes.
And Zoho has too many features I wouldn't use, I really just need a few (hopefully) reliable and (somewhat) secure IMAP capable inboxes which can be accessed by 10 different stationary and mobile devices.
- You have to have a lot of subscribers to make $4/month amount to real money. Also, churn is higher. My SaaS service Cronitor used to offer a $6.99-turned-9.99 plan targeted at individuals and churn rates on that plan are literally 10x higher than our $25 tier.
- If being cheap is your thing, and I'm willing to spend $50/mo for business email, do I feel comfortable going with the people who are competing primarily on price?
As a datapoint, we use Pobox.com for Cronitor.
We used to use Google Apps for multiple domains for our startup projects, ideas etc. Switching between these multiple accounts was becoming ridiculous and complex. Then, they made it $5 per account. We actually had many addresses but only two users. Our total cost of that would be measured in hundreds of $ which definitely would not be worth it.
What I personally dislike regarding other services is that they claim storage as one of the most important selling points but then do not account for the price drop per GB. Since GMail for work launched (2006?), the cost per GB dropped more than sixty fold: http://www.mkomo.com/cost-per-gigabyte-update
Any update in price? Nope.
And then, the prices of Google Apps (Gmail) are global. We have clients in Zimbabwe for instance. $5 per month per account is not the same as it would be in the US. Yet if a company from Zimbabwe uses a @gmail address, it won't be taken seriously.
Migadu has been profitable for a while now, and real money is relative. We're not after exits and TechCrunch, just doing what we like and hacking at it daily. :) Pays the bills. Ironically, we are also in Switzerland, where living expenses are among the highest in the world.
Thanks for the assertions though! :)
And I totally understand you're not trying to "Tech Crunch", I think a SaaS is a great side business -- I've done this myself -- but also the only way to ensure stability of a project over the long term is for it to provide financial rewards in line with effort.
Also, I definitely should've added: Congrats on shipping.
Are you planning to implement that feature?
There should be more independent email providers out there, not just Google, MS, Yahoo, Apple and behemoths alike.
AGPL is pretty viral, even for a web app.
I'm happy with Fastmail, but Migadu's pricing is very appealing...
If you have a domain where those drawbacks aren't showstoppers, you might also look at Yandex hosted email. Can't beat the price (free), it has decent storage (10GB) and the limit for sending is 500/day.
The difference is just that Migadu is honest about it.
I'd classify Migadu in a different category. If you run multiple projects or just need extra addresses fast at no extra costs, you'd probably not go for FastMail. I can clearly see using them both.
Does anyone know if forwarded e-mails count as outgoing e-mails?
Not very comforting.
You must delete all other SPF TXT entries (so if you were previously on Google hosted, delete the Google SPF record).
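The reason the advice above matters is that RFC 7208 allows exactly one `v=spf1` TXT record per name: receivers that find two return permerror, and the domain then gets no SPF protection at all even though "an SPF record" is published. The checker below is an added example, not Migadu's tooling, that takes the TXT strings you would get back from a DNS query (supplied here as constructed lists so it runs offline; the `spf.new-provider.example` include is a placeholder for whatever include the new provider documents) and reports the leftover-record problem, the ten-lookup limit, and an `all` qualifier that makes the record meaningless.

```python
import re

# Mechanisms and the redirect modifier cost a DNS lookup; RFC 7208 section 4.6.4
# caps an evaluation at 10, beyond which receivers return permerror.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10


def spf_records(txt_records):
    """Pick out the SPF records from all TXT strings published at a name."""
    found = []
    for record in txt_records:
        terms = record.strip().split()
        if terms and terms[0].lower() == "v=spf1":
            found.append(record.strip())
    return found


def count_lookups(record: str) -> int:
    """Count DNS-lookup-costing terms in one SPF record (ip4/ip6/all are free)."""
    lookups = 0
    for term in record.split()[1:]:
        modifier = re.match(r"(?i)^(redirect|exp)=", term)
        if modifier:
            if modifier.group(1).lower() == "redirect":
                lookups += 1
            continue
        # strip qualifier (+ - ~ ?), then the ":value" and "/cidr" parts
        mechanism = re.sub(r"^[+\-~?]", "", term).split(":", 1)[0].split("/", 1)[0]
        if mechanism.lower() in LOOKUP_MECHANISMS:
            lookups += 1
    return lookups


def check_spf(txt_records) -> dict:
    """Return {'status': ..., 'problems': [...], 'lookups': n} for a name's TXT set."""
    records = spf_records(txt_records)
    if not records:
        return {"status": "none", "problems": ["no v=spf1 record published"], "lookups": 0}
    if len(records) > 1:
        return {
            "status": "permerror",
            "problems": [f"{len(records)} SPF records found; receivers treat this as "
                         "permerror, so SPF currently gives no protection"],
            "lookups": 0,
        }
    record = records[0]
    problems = []
    lookups = count_lookups(record)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    terms = [t.lower() for t in record.split()[1:]]
    last = terms[-1] if terms else ""
    if last in ("+all", "all", "?all"):
        problems.append(f"record ends in '{last}', which authorises any sender")
    elif not last.endswith("all") and not any(t.startswith("redirect=") for t in terms):
        problems.append("no 'all' mechanism; unlisted senders get an implicit neutral")
    status = "ok" if not problems else "warn"
    return {"status": status, "problems": problems, "lookups": lookups}


# Constructed TXT record sets for the demo (not real DNS answers).
BEFORE_MIGRATION = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:spf.new-provider.example -all",
    "google-site-verification=EXAMPLE-TOKEN",
]
AFTER_MIGRATION = [
    "v=spf1 include:spf.new-provider.example -all",
    "google-site-verification=EXAMPLE-TOKEN",
]
WEAK_RECORD = ["v=spf1 include:spf.new-provider.example +all"]

if __name__ == "__main__":
    for label, txt in (("before", BEFORE_MIGRATION), ("after", AFTER_MIGRATION), ("weak", WEAK_RECORD)):
        print(label, check_spf(txt))
```

To use it against a live zone, feed it the TXT strings returned by your resolver (for example from `dig +short TXT example.com`, one string per list element); the checks are purely syntactic, so they do not follow includes, which is also why the lookup count is a lower bound until each included record is fetched and counted too.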
We do not accept PayPal in the interface, but will accept payments for yearly plans on individual basis. So if you wish to use PayPal, please just get in touch for now.