With the recent thread on privacy in Chrome, I'm thinking of switching off Gmail. What email service is best for privacy? Or if you self-host, what email client do you like best?
FastMail. It's one of the few third party hosts to support push email on iOS with the native Mail app (it's a custom protocol based on APNS), since Mail doesn't implement IMAP IDLE [1].
They are also the main sponsors behind the JMAP protocol [2] and some open source projects such as the Cyrus IMAP server.
One thing to keep in mind about Fastmail is that all their servers are hosted in the US and they have no plan about changing this (I asked). Post-Snowden this means you can be quite sure that all mails will end up being analysed by the US authorities.
First of all when making such a choice, you have to identify who the enemy is.
If you're talking about global enemies, like the NSA, then IMO without end-to-end encryption you're screwed. And if you're targeted directly, you're screwed regardless, given they have the capability to use whatever vulnerabilities they can find in your router, your phone, your OS, your browser, etc. If it's connected to the Internet, especially if you're being targeted, you're screwed.
Also many European countries have signed on joint cooperation agreements with US intelligence agencies. If for example you're using servers in the UK, it's in no way safer, see: https://en.wikipedia.org/wiki/Five_Eyes
So back to who is the enemy?
For me it's not the NSA or our local intelligence agencies. If I'm being wronged, I've got legal ways to fight back and I don't really care about the NSA.
What I care about is being _profiled_ by unscrupulous companies that may end up selling that data to other actors that may harm my well being. For example insurance companies could deny insurance if they discovered you smoked cigarettes 10 years ago. Or banks changing your credit score based on who your friends are. Or supermarket chains discovering that your daughter is pregnant before everybody else does. This shit is already happening!
I think the general discourse doesn't go in the direction that it should go. Organizations like EFF have been historically anti-government, but very pro corporate and private companies. Which is why I don't trust them fully.
Identify that enemy. If you're a European for example, that enemy is probably not the NSA.
I do prefer non-US alternatives btw, whenever I get that choice. I do so out of a desire to encourage competition and to reward EU companies that do well, as a "voting with your wallet" thing.
But choosing to reject non-US companies for the reason that some of their servers are located in the US, that's frankly childish. Servers located in the US are cost effective. Either provide better alternatives, or otherwise these services will not be able to compete on the global market from a price or latency perspective.
>Organizations like EFF have been historically anti-government, but very pro corporate and private companies.
I don't think I'd call EFF either anti-government or pro-corporate. Rather, they have a set of positions around surveillance, the public domain, etc. and side with or against governments or private companies based on those positions.
I donate to them, and in my experience they've been pretty consistent on their positions, but if you've noticed otherwise I'd be curious to know how.
I don't want to attack EFF, I think they are on the right side, but it's just a general feeling I've got.
For example when the Facebook and Cambridge Analytica scandal broke loose, that was the perfect opportunity for them to go out against private surveillance, guns blazing. Their reaction was late and with an article like "here's how to protect against Facebook tracking", advising people to opt out in their Settings and to install Privacy Badger, this happening when everybody else was freaking out and doing #DeleteFacebook pieces.
I donated to EFF modest amounts in the past and probably will do so again, because the fights they are fighting are good for us. Maybe they pick their battles, I don't know. But I'm seeing a general pattern in their attacks, which is that they go very light on companies, compared with how they deal with governments.
Maybe it has to do, as always, with their source of funding. I can imagine that they received significant donations from the philanthropists of Silicon Valley. I don't care much though. My general point being that there's too much emphasis lately on government surveillance and control from privacy organizations and less on Google/Facebook surveillance.
I'm glad that there's now mindfulness about it in this community though.
> For example when the Facebook and Cambridge Analytica scandal broke loose, that was the perfect opportunity for them to go out against private surveillance, guns blazing.
This is a very American thing which I can imagine our European counterparts not like, that is govt (USG) is treated as an enemy because it is the most powerful entity in the world. For Europeans, it would be Govt AND these mega corporations (because the European govts do not have as much power as the US govt).
This is why in the US, corporations are ignored because they are insignificant on the US soil. And this isn't even a new thing, this opposition of the govt is as old as the founding of the nation.
This is why ACLU will not speak out against censorship of right wing media on Facebook and other companies. Keep in mind ACLU would not have any problem defending the latter against the govt, so it isn't about what the latter represents. It's simply, ACLU is a first amendment right based organization and their focus is preventing govt encroaching on our civil liberties (which is defined by what govt can't do, and not what a person is allowed to do in any circumstances).
Similarly NRA wouldn't care if you got kicked out of a movie theater for being concealed carry, but if a local city tries to ban guns in movie theaters, then NRA would step in.
> Similarly NRA wouldn't care if you got kicked out of a movie theater for being concealed carry, but if a local city tries to ban guns in movie theaters, then NRA would step in.
Well, this isn't entirely accurate. They definitely do chafe at even private restrictions on anything gun. While I don't have time to research this right now, a quick search of "concealed carry in businesses" certainly returns some people complaining that businesses shouldn't be allowed to restrict that. And, if you dug a little deeper, I imagine the NRA would be weighing in there somewhere.
They do see government surveillance as a greater threat than private surveillance, particularly if the private surveillance is disclosed. This makes sense as it is much harder to opt-out of your government than a contract with a private company.
I agree that the NSA is not _my_ enemy and I am probably not being targeted. However, as more people start thinking like that, those that _are_ targeted (journalists, lawyers, activists etc.) will have less options to hide among users of more privacy-aware service providers.
In a way, by using these providers you shield those who need their services the most.
People won't speak the truth or do the right thing if the environment makes it hard, or risky to do so.
>I am probably not being targeted. However, as more people start thinking like that, those that _are_ targeted (journalists, lawyers, activists etc.) will have less options to hide among users of more privacy-aware service providers.
If only child porn / drug peddlers, journalists, lawyers... use tor and other privacy tools at minimum, 3 things WILL happen.
1. Tor, fastmail, ipfs, pgp, full disk encryption... WILL become illegal
2. Anyone using encryption / privacy tools will be raided. Arrest first, find crime later
3. Authorities imprisoning lawyers, journalists... who reveal wrong doings will be too easy. "He used privacy tools" would be enough to pacify the public after-all, "Only criminals have something to hide."
Consequently:
We'll lose the right to keep pins/passwords. Because refusal - privacy = admission of guilt.
I'm a teacher and I know how difficult it is for a kid to speak the truth when the entire class is lying. Adults are not much different.
If people have to choose between their freedom, means of livelihood and doing the right thing, telling the truth or exposing wrong things by the government, most won't.
"It is difficult to get a man to understand something, when his salary depends upon his not understanding it!" -Upton Beall Sinclair, Jr.
>"Organizations like EFF have been historically anti-government ..."
Can you provide a citation or examples of this? Being pro-civil liberties does not imply anti-government. Those aren't mutually exclusive.
In the US civil liberties are basic freedoms identified in the Bill of Rights and the Constitution. And the Constitution is what established the government in the first place. How is it possible to be pro-civil liberties and anti-government?
The Bill of Rights are amendments "to" the Constitution, the very document that establishes the legitimacy of the government in the first place. How can you accept the legitimacy of the government and be anti-government at the same time?
Even the Anti-Federalists, the group that advocated for the establishment of a Bill of Rights were not anti-government.
I take "anti-government" to mean that one is opposed to the actions that the government takes, in some situations, rather than being against the idea of the government. One can believe that a government is legitimate, while also believing that the government's power should be limited. One might argue that this idea is one of the core ideas of American government.
>"I take "anti-government" to mean that one is opposed to the actions that the government takes, in some situations, rather than being against the idea of the government."
That's silly, by that definition everyone would be anti-government then. Nobody agrees with the actions the government takes in all situations, not even within the same political party.
I'm not your enemy. I don't even know you. So please send me your passwords to your online accounts. And I'd like to take a look at your home computer. So please install VNC and open your ports on the router so we don't waste too much time setting it up.
While you're absolutely right, details that are sensitive in nature should be encrypted using end-to-end encryption. Otherwise you won't be safe regardless of email provider, as the other correspondents will often be using a US email provider anyway.
If your threat model includes an actual threat from organizations like the NSA, then I'd say you have bigger problems than the choice of email provider.
Interestingly, as a self-hoster your email is much more prone to metadata analysis than anybody who is hosted at one of the big providers and has most of their email transferred to other big providers down TLS-protected port 25 streams.
Absolutely! Everyone has their own usage case, and one has to adapt accordingly -- even me! :)
My point was that simply selecting an email provider outside the US does not make email safe in any way and that end-to-end encryption is the only way to prevent providers from accessing the content.
Absolutely. Our argument (and to be fair, we are a provider) is that if you don't trust your provider then they're basically just a dumb blob transit pipeline. There's not much value add you can do there.
So we have focused on building the best thing we can for people who _do_ trust their provider, and also on having a business model which means that we can be a trustworthy provider because we have no secondary "customer" who is actually paying the bills. We don't have split loyalties.
They're not cleanly separable. You can tell a lot about a person by simply looking at what's written on the outsides of the envelopes in their mail. No need to actually open them up and read the insides.
Quite simple:
If someone were to sniff the encrypted traffic between Hotmail and Gmail then they wouldn't have any idea who was talking to whom.
If someone sniffs the traffic between Hotmail and my server, it's trivial to see that a Hotmail user talked to me or one of the few others using my email server.
Why isn’t it actually possible to just encrypt saved emails on server? So that government does not have access. Couldn’t one use a hash of the password as key for the data and not save that hash to check password but another one. This way (practically), at least if the password is not eavesdropped and saved by the mail provider, it would be much harder to give away emails.
Apart from the "users lose their passwords all the fricking time" problem (seriously, before we implemented https://fastmail.blog/2017/12/06/security-account-recovery/, lost password was always in the top 3 most common support requests of the week report)
Implementing per-message-encryption would turn us into a dumb blob store. The whole point of FastMail is the value add - fast search, ability to deal with a lot of email quickly, etc.
That and people's devices are basically always on these days, and fetch new email immediately on a push when messages arrive. So if your provider gets a subpoena or gets hacked, then a push request will make your device connect with the password, and boom - access granted.
Finally, we don't let people store master passwords on their devices any more, because they get leaked due to hacked devices, so we require people to create app passwords. This would be in direct opposition to many of the other safety things that are done.
(extra finally: phishing protections and antispam solutions are in pretty much direct opposition to the idea of the server not being able to see the content of emails)
Thanks; it's very helpful to know the ins and outs from a practitioner. I am confused by a couple of them:
> if your provider gets a subpoena or gets hacked, then a push request will make your device connect with the password, and boom - access granted
If the message is decrypted only on my device, then that wouldn't matter. I'm guessing endpoint decryption is not what you (or maybe the GP) are talking about, but I don't know what you mean.
> we don't let people store master passwords on their devices any more, because they get leaked due to hacked devices, so we require people to create app passwords. This would be in direct opposition to many of the other safety things that are done
What is an "app password"? If it's just a password stored in an app (and then what is a non-app password? one in a text file?), why wouldn't it be as vulnerable to device hacking?
.....
Also, a couple of genuine questions about what's possible:
> Implementing per-message-encryption would turn us into a dumb blob store. The whole point of FastMail is the value add - fast search, ability to deal with a lot of email quickly, etc.
Email messages arrive in the clear, unavoidably; new messages are always vulnerable. Why not do the processing then - spam filtering, build a search index of hash values, etc.? Then permanently (from the server's perspective) encrypt the old, stored messages, and give endpoint/user the only means of decryption.
> users lose their passwords all the fricking time
> we don't let people store master passwords on their devices any more, because they get leaked due to hacked devices
How do the end-to-end secure messaging applications, such as Signal, handle those issues, if anyone knows?
> If the message is decrypted only on my device, then that wouldn't matter. I'm guessing endpoint decryption is not what you (or maybe the GP) are talking about, but I don't know what you mean.
Oh yeah, sure - if you only decrypt on your device, then that's reasonable. We could encrypt to a public key on delivery. There's services that do that, but FastMail isn't interested in being one of those services. The tradeoffs mean we could do very little. Certainly not a webmail service.
It's a password that's created by the server and used on only one app. So if you lose your device, you can disable that one password only. Also, there's no chance that you'll reuse it across sites, so it can't leak from other services because you won't be using it there.
It's also limited to just the protocols that are used on that device, so can't be used to reset your password or payment details or install forwarding rules, etc.
> Why not do the processing then - spam filtering, build a search index of hash values, etc.? Then permanently (from the server's perspective) encrypt the old, stored messages
If you can search for keywords and find matching message blobs, that's nearly as good as having plaintext access. If it was encrypted to only the endpoint, the usual issues of "you need to download the entire database to search your email" apply, and of course we're doing very little.
> How do the end-to-end secure messaging applications, such as Signal, handle those issues, if anyone knows?
They're not designed to be your long term memory, which simplifies things a lot. You basically lose access to your history. Which might be fine if you don't care about the past, but that's not how I see email. Email is your electronic memory, and encryption+lost password means that nobody can get at your memories, not even you!
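The leakage described in the reply above ("if you can search for keywords and find matching message blobs, that's nearly as good as having plaintext access"), as an added example that is not part of the original thread and not FastMail's code. The mailbox, the key and all function names are constructed for illustration; it compares an unkeyed hash index stored on the server with one keyed by a secret that only the client holds.

```python
import hashlib
import hmac
import re

# Constructed sample mailbox (not real data).
MAILBOX = {
    "msg-1": "Your biopsy results are ready, please call the oncology clinic",
    "msg-2": "Lunch on Friday? The usual place near the office",
    "msg-3": "Reminder: oncology clinic appointment moved to Monday",
}

# Assumption: a secret that never leaves the user's device.
CLIENT_KEY = b"constructed-demo-key-held-only-by-the-client"


def tokenize(text):
    """Lower-cased set of words in a message body."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def sha256_tag(word):
    """Index tag as proposed in the thread: a plain hash of the keyword."""
    return hashlib.sha256(word.encode()).hexdigest()


def hmac_tag(key, word):
    """Keyed index tag: cannot be recomputed without the client's key."""
    return hmac.new(key, word.encode(), hashlib.sha256).hexdigest()


def build_index(mailbox, tag):
    """Map tag(keyword) -> ids of the (otherwise encrypted) messages."""
    index = {}
    for msg_id, body in mailbox.items():
        for word in tokenize(body):
            index.setdefault(tag(word), set()).add(msg_id)
    return index


def search(index, tag, word):
    """Legitimate lookup by whoever can compute the tag."""
    return sorted(index.get(tag(word.lower()), set()))


def probe_without_key(index, candidates):
    """What a party holding only the stored index (provider, subpoena,
    breach) learns by hashing words it is curious about."""
    found = {}
    for word in candidates:
        hits = index.get(sha256_tag(word))
        if hits:
            found[word] = sorted(hits)
    return found


def linked_messages(index):
    """Residual leak of any deterministic index, keyed or not: which
    messages share a keyword, even when the keyword itself is opaque."""
    return sorted(tuple(sorted(ids)) for ids in index.values() if len(ids) > 1)


UNKEYED = build_index(MAILBOX, sha256_tag)
KEYED = build_index(MAILBOX, lambda w: hmac_tag(CLIENT_KEY, w))

if __name__ == "__main__":
    words = ["oncology", "biopsy", "lawyer"]
    print("unkeyed index, no key needed:", probe_without_key(UNKEYED, words))
    print("keyed index, no key:         ", probe_without_key(KEYED, words))
    print("client search with key:      ",
          search(KEYED, lambda w: hmac_tag(CLIENT_KEY, w), "oncology"))
    print("messages linked by a shared tag:", linked_messages(KEYED))
```

The keyed index only helps while the key stays on the client, which means every search term has to be tagged on the device; the server still sees which messages share a tag and which tags are queried.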
I like that, because it at least feels more secure to have a password that can only be used once, combined with the ability to go into the settings and shut off any device if it gets lost.
Yeah, it's by far the best of the options that use standard username/password authentication support. Basically make the password be another server-provided factor rather than user-chosen.
Without saving a hashed password, you can’t authenticate users. End to end encryption like what you really want requires the data to be decrypted by the recipient (using a key or password).
Because the service provider receives the unencrypted email and can choose to save a copy, encrypt it to a different key, etc. This was the scam Lavabit pulled, and the government called them on their bluff and asked for a copy of the key and Lavabit had no legal ability to refuse.
If the threat model does not include a government with the ability to use legal process, it needs to be defined more precisely. In general the US government can use legal process in the US and just straight-up hack into things elsewhere (who's going to raise a diplomatic incident over it? Russia is literally poisoning people, nobody cares, and their military is less powerful than the US's). If your threat model is other governments or just unrelated attackers like advertisers, there are more straightforward approaches.
Calling Lavabit a scam is a bit of a stretch. They, by all appearances, genuinely tried to offer email as secure as it could be, given the limitations of the protocol, and when pressured to give up the keys chose instead to inform their users and fold the business.
They made promises that they should have known were impossible to keep. In my books, that's a scam. Sure, they tried very hard to keep them, but that doesn't change the fact that they could not deliver on their promises and anyone could have told them that.
Also, no, they did not inform their users. They handed over the key and waited for users to notice court documents.
What sad news. I was expecting more servers in EU in a near future and maybe an option to select the location of our primary DC (US or EU). I've been a happy customer since 2013 and for the first time since I joined I'll be considering other options.
Basically the problem was datacentre network reliability, power reliability, and the pointlessness of having one EU datacentre which isn't reliable enough to run production out of. We'd still need to replicate to a second datacentre for multi-site safety.
At that point, why bother? We'd have to run two EU datacentres to have data only in EU, and we'd still be under the same actual legal jurisdiction (Australia) either way, so it would be security theater rather than an actual change in risk. We haven't ever given data to US authorities directly, we point every single request from anyone to the Mutual Assistance Treaty with Australia, and that would be the same regardless of where servers are.
In summary, having servers in the EU is 99% security theater, and the other 1% is pointless unless we had two datacenters who were as reliable as NYI have been for us. We haven't found such partners.
> We haven't ever given data to US authorities directly, we point every single request from anyone to the Mutual Assistance Treaty with Australia, and that would be the same regardless of where servers are.
The EU is outside the jurisdiction of FISA courts, whereas New York is not. I am definitely not an expert or lawyer, but I would think this is not just security theater.
I was always hoping that Fastmail offer hosting that is fully in the EU. To me being affected by the Australian, EU, and US jurisdictions is worse than just the Australian and EU jurisdictions. Of course, I would prefer EU-only.
I am extremely happy with Fastmail. But if there was an EU e-mail provider with feature parity, I would probably switch. Not that I expect that that'll happen anytime soon (subdomain addressing and iPhone push notifications are killer features).
For sure if we had two separate EU datacentres and no US datacentre contained a copy of the emails that would be not security theater. While there's copies in both jurisdictions, having a copy be outside the US really is security theater though.
The financials of running up two full EU-only datacentres don't make sense for us at the moment given the demographic distribution of our customers. And we haven't had any run-ins with the FISA courts in the nearly 20 years we've been operating.
Of course the past isn't a 100% predictor of the future, but US authorities have always been happy (or at least willing) to accept that our data is under Australian jurisdiction.
But Fastmail and the admins are under Australian law. This makes all attempts to do anything an international incident. FISA cannot do anything directly, they need to contact Australia for help. FISA can order NYI to put in a wiretap - but why bother when we already know there are wiretaps in all the major peering points on the internet.
I don't think this is true. I don’t believe there is any evidence that the US government is analysing all emails hosted by all US companies.
Rather, if the US government asks for a particular individual's emails the provider must grant the request provided there is a valid (possibly secret) warrant.
Post Snowden I wouldn't safely assume that the govt/three letter agencies don't do something just because there is no evidence. Snowden was years ago, the NSA surely didn't sit on their hands in the meantime, especially now with SSL being deployed everywhere. "Oh right what we did was evil and wrong, let's stop everyone"
The claim made was that they do. You don’t get to say that without providing evidence. You can say they might be, but that’s a different claim.
Also, capabilities matter. I have no doubt if they could they would. The Snowden revelations mainly revealed partnerships between service providers and gov agencies. Simply existing in the US does not mean your data is automatically available to 3 letter agencies. It could, but there is no evidence to suggest that it is.
> You don’t get to say that without providing evidence
Put a parakeet in a windowless room and close the door. I can reasonably make the statement that the parakeet is perching, looking around, and/or preening its feathers, because that's what parakeets do. I wouldn't need direct observational evidence to make this statement.
Panopticon-level spying is what intelligence agencies do. It's what they've striven to do, as much as possible, without getting caught. The Binney and Snowden leaks corroborate this, and there's no reason to believe they've suddenly stopped trying to. OP doesn't need evidence to make the reasonable claim that intelligence agencies spy on us, and likely do it by hoovering up our data for analysis.
Yes agencies like to spy. Do they have a camera in every house in America?
Again, I’m not saying they wouldn’t or wouldn’t like to. But saying “they do EVERYTHING post-Snowden” isn’t a very good argument, and definitely isn’t a fact.
And if the claim is “spy agencies spy” then the country of origin for your data probably doesn’t matter. Invoking “post-Snowden” usually relates to Prism, which was a partnership with specific providers.
The US government doesn't need a warrant for emails older than 180 days that are still on the server.
Emails older than that are considered abandoned[0] and treated the same as an abandoned storage unit, due to an old law from the time when email was regularly downloaded and purged from the server by local email clients.
IIUC, no judicial order is required for collecting. Only for looking at collected data; but agencies get creative around these processes, so I wouldn't count on legal protection from snooping.
Unless you're sticking to countries that hang their hat on digital privacy, hosts outside the USA are also likely to be snooping with varying levels of competency. "Not USA" isn't a good enough filtering criterion.
Many countries have reciprocal agreements for sharing intelligence. Unless you go to a country that is known for its privacy values at the highest level then you're likely not going to maintain your privacy from the government of your country or most other powerful governments.
How is their security? Maybe people like to forget, but security breaches are a thing, and when they occur you get the privilege of opening up your data to the entire world, not just to the NSA.
Google, for whatever else you want to say about them, have first-class security.
Correct, but since the reason this question popped up is due to privacy concerns regarding Chromium, I think it's even more important for people to know about these things to make an informed choice.
By the way, I really like Fastmail - they are very competent. But mail/calendar is such an important part of online identity and life, I think people should be careful about who to trust.
My problem with FastMail is that if you stop paying for your email address, they recycle it. This means that someone else could potentially buy your old email address (if you migrate away) and use it for nefarious purposes.
I do this and make a new alias for everyone I give an address to (such as hn@domain.com). It can be interesting to see who leaks/sells your email address. You can also shut down aliases that get out of control.
Indeed! This is why I stopped using it. I love Fastmail, but who knows if I feel that way in 5 years. The entire point of Fastmail + own domain is never being locked in again. Using subdomain addressing locks you in once again.
I'm with @rb666; Don't rely on it as most will support plus+ addressing but not the fast mail subdomain addressing as I am now in the process of migrating to Migadu.com and I need to go and unsubscribe and resub using the plus+tag. It's a PITA... lesson learned, stick with best industry practices even if there is an easier method because you'll thank yourself later.
catchalls are great. In addition to allowing the use of arbitrary custom addresses on a whim they make it really easy to identify spam and train spam filters. Anything that arrives on multiple random/unused addresses at your domain is spam.
I do this too but sometimes companies reject my replies because the from address isn't the same address they have on record. Maybe there's a way to make the "reply's from" the same as the "original's to" but idk.
With FastMail, you can select your wildcard as your "from" address on their web app, and just directly edit the `*` to be `<whatever>` and it will work fine :)
FastMail lets you change the from: address on the fly if you’ve set up a catch all.
And if you are not with Fastmail, there are several “multiple identities” add-ons for Thunderbird (and recently a built in one, though it is still buggy) which let you add from addresses on the fly.
Huh, I haven't had that problem in about 7 years of using a custom domain name. Maybe the distinction is that mine is a .com? I feel like enough businesses themselves use custom domain names that dropping unknown .coms would break a ton of legitimate B2B traffic, but perhaps .me less so.
I use a .me domain myself but I haven't had any spam problems. Although I share it very very sparingly and have a catchall on another domain that I use for signing up with any service / sharing with non-trusted contacts. Even there, the spam problem isn't bothersome.
Surprisingly difficult for a personal-professional email if you have a somewhat common name. Nearly everything under the main TLDs was bought up ages ago. The issue can be mitigated with some creative branding work, but that’s arguably not any easier.
I've used .io and other "unusual" TLDs for a while and never had an email bounce or flagged as spam.
As someone else pointed out, make sure you set up SPF, DKIM, and all the other jazz. Some providers will host and set up the DNS for you, but it's always best to use your own DNS provider as the records are relatively easy to set up.
I haven't had any issues with my personal domain in years, ever since I moved it from random web host to GApps, to deal with IP reputation issues, and have SPF+DKIM setup. (but my domain is a .net one)
Agreed 100%. After losing multiple emails addresses in the past due to ISP changes, having an email on your own domain is nice. You can then even switch email providers as you wish and your address will follow.
Well, my Gmail account dates to 2004 but my personal domain dates to December 2000! I've lost domains that I continued to pay for, in fact I'm pretty sure that Zoho was paying for their domains as well.
Huh I haven't even thought about that. That's really bad, especially since I have a popular fastmail.com address where every other month I get an email asking for the account
Switched to Fastmail many years ago when self hosting became too time consuming for me. Never looked back. I had to use their support only very occasionally and even then their reaction time and competence were outstanding.
They do just one thing - email - and do that very, very well.
Yes, I use their calendar web app on Desktop (the one next to Mail). For mobile, I sync individual calendars into my Android Calendar ("CalDAV-Sync").
My biggest issue with the Google Calendar was the syncing rate of 24 hours for iCal feeds. On Fastmail, new events appear quite fast (and I can force the update manually, if I need to).
This seems like a really common use case that ought to work well. I switched to Fastmail a few months ago (I still haven't fully committed to sticking with it.)
Did you contact support?
Did you solve the problem by switching to another calendar provider?
I use their calendar with various apps like Fantastical or Timepage. It's standard CalDAV and should work with any decent calendar app, including defaults like Apple calendar.app.
Does Fastmail provide any kind of "bundling" or "priority inbox" features?
Since using Inbox on Android, I can't imagine going back to being notified about every single email. Automatic bundling of messages and the custom rules that you can then set on those bundles is a killer feature. If nobody comes along with a decent alternative before Inbox is shutdown then I don't know what I'll do!
I don't know if fast mail provides it out of the box but I have started to test out spark: https://sparkmailapp.com/ as a replacement for Inbox. While it is a bit from as good as Inbox it can get the job done, and has bundling.
I simply set it up to archive when swiping (which is what Inbox seems to be doing). However, its notifications are far from as good and you can't archive straight from the notification, which, to me, is a let down.
Furthermore, on iPhone 8 there is an actual loading screen when opening the app. Like, why? Everything is already stored in the phone and it should just look for new mail in the background?
So far from perfect, but what can one do when Google is killing stuff off.
One issue though: you have to be in the Apple ecosystem as they do not support anything but iOS/Mac OS.
This would be my complaint having had a quick look at Fastmail. Their mail client provides only the most basic of email functionality - folders, filters, contacts etc. It seems like you're paying a monthly subscription for privacy when you may as well host your own if you don't need any features beyond what IMAP offers as standard.
I've been using https://www.sanebox.com which does a pretty good job of the bundling, leaving you with just the important stuff in your inbox. It's not as well integrated as Inbox could be, but I find it very usable, and even better in some ways as the 'bundles' don't end up back in your inbox, they are always in other folders by default.
Just to provide some balance to the feedback: I've been using FastMail for 2 years and am mostly "meh" on it. My issues are with the web interface (which is largely why I use them instead of running my own server):
- No delay send/undo send. Allegedly in the works for ages
- Very buggy editor. Randomly slows to a crawl while composing, scrolls up and down erratically
- Cannot handle very long threads very well (since unfortunately the business world uses top replies with HTML email). E.g., undo can pin a core and crash the page.
- Notifications randomly show up twice and then freeze on screen
Thanks for the feedback - I've passed that to the product team. We're busy working on the JMAP replacement web interface, which has a fair bit rewritten.
Our search is built on top of the Xapian search engine. We blogged about the underlying tech a while ago. You can sign up a free trial and have a play pretty easily.
Search works decently, but they index the whole message, including quoted text. So a search term shows up in the original message, as well as all the replies downthread.
Yeah, we're working on identifying whether something is in quoted or non-quoted text. That one is quite tricky to get 100% right, so we err on the side of matching more messages.
I second this. Their service was exceptional for the 3+ years I've been with FastMail. Got many small businesses I've worked with to migrate.
Only thing which annoys me is that their push-enabled iOS app does not support multiple accounts. It has been like that for years, I've heard that a new app was in the making, but nothing came out yet.
+1 for FastMail — I've been using it for the last 2 years and I've got nothing but praise for them.
ProtonMail seems to be another popular alternative, but their E2E encryption claims sound like snake oil to me, but snake oily as it is, it's still a better choice than Gmail.
1. if it's encryption in the browser via a web interface, then it's not secure; the moment a web form asks for a password that can be used to decrypt your data, that's the moment your alarms should go off, because in spite of the claimed E2E encryption, their security might actually be worse than Google's
2. with email you're communicating with the world and the email world is not encrypted; what this effectively means is that ProtonMail keeps your email encrypted only while it is at rest; maybe it's better than what Google does, but they can still see whatever comes in or goes out in plain text and you're still relying on their promise to do no harm
3. ProtonMail needs to use a "bridge" in order to be compatible with email clients; this means that access to ProtonMail is non-standard (e.g. SMTP, IMAP) and therefore you still have the lock-in of Gmail, only it's now worse
4. It creates a false sense of security. If you want real information security, better tools are needed; various chat apps are much better, plus actual GPG ... because the PGP model requires a "chain of trust" that you have to maintain yourself for actual security
> if it's encryption in the browser via a web interface, then it's not secure
Ehh…
The big difference from native apps is that native apps are often signed by the developer. While with web apps, there's normally only a more "temporary" form of signing, that is, the TLS session.
Assuming the app developers are better at securing their offline signing keys than TLS server keys, native apps with signatures are indeed more trustworthy. (But are they actually better at this??)
Also, you might be more likely to get malware browser extensions than OS-level malware. Maybe??
On the upside, the web is more auditable by default (of course you can obfuscate JS and WASM just like you can obfuscate anything, but "view source" is still much easier on the web).
> ProtonMail keeps your email encrypted only while it is at rest
IIRC it's also end-to-end between ProtonMail addresses or something?
The problem is that the web page loads on every request. This means that you, @floatboth, can be targeted with a broken client that leaks your keys next Wednesday between 13:00 and 14:00 and you'll never know it.
A native app is not something that loads every time you open it. And the binary you get is the same binary that everyone else gets and if you suspect something fishy, you still have that binary later for inspection. Compromising an app binary is not impossible mind you, as we could see with fake Apple XCode fooling Chinese developers into submitting infected apps to Apple's store, but it's much, much harder with security conscious users.
Also there's not much difference between highly compiled and obfuscated JS code and binary code. In both cases people start inspecting such apps by sniffing the outputs. Or otherwise it's not such a big jump from JS to assembly for people that do this for a living (e.g. I'm guessing anti-virus companies).
> IIRC it's also end-to-end between ProtonMail addresses or something?
It might be, but encryption that only works between ProtonMail accounts is no longer _email_. It's either a standard, or it's not email and I'm not interested in communicating only with ProtonMail users.
1. ProtonMail implements the OpenPGP standard and is fully interoperable with other OpenPGP email systems.
2. The web app is a single page application so it does not reload on every request.
That said, you are correct that the web app is not appropriate when the threat model includes ProtonMail itself (though you can run the web app locally and thus sidestep the problem). The native clients are better suited in that case.
It's surprisingly responsive for large email accounts too. I had ~100K emails imported and marking all as read would take about 10 seconds. I can't complain with that all things considered.
FastMail is good, but it's very expensive. I'm waiting for more competition in this space. I think, as people turn away from Google (and thus Gmail), more competition will arise and we'll finally see fair prices.
I don't feel like FastMail is that expensive for most people.
Obviously, compared to free, it's expensive. But in real terms, I pay $70 every 2 years for it - works out about £25 a year for me, which is about the price of a meal out. I think that's worth it for secure and powerful email. I've never found it to be expensive.
This is a clear case of a price being judged differently depending on where you live. 25$ is a luxurious, expensive meal out for me, or 5-7 fast food meals.
It's also expensive compared to rolling my own. Using the standard plan, I'd be paying 200$/y for just a single address for each of my family members. Personally, I want at least 2 myself.
Compare that to the ~120$/y I pay for my main VPS which has plenty of spare resources to handle not only my family's email, but also for some clients AND, since I make the rules, I also don't need services like Sendgrid for sending email from my websites.
All well worth the 5-10 afternoons a year spent maintaining it.
That is really great if you don't have any outbound deliverability issues due to IP reputation on a VPS host! Under those circumstances, that sounds like a great arrangement.
I think that is not quite the norm, lots of these hosts (and home internet connections) tend to have rather bad reputations, and chasing down the various RBLs can get really old really fast, especially since the most common response is to silently blackhole so you don't get a bounce.
This might be what you mean, but I believe they charge by inboxes, not by addresses. I have lots of addresses, but a single inbox (which I use rules to file within), and that is relatively cheap.
I used to run my own email server, but found it difficult to get things like push email working reliably, and had a couple of issues with deliverability of emails.
I might be wrong, but I also think it is expensive. When I can have a 5 family plan from office365, including, word, excel, powerpoint, outlook, etc, with 1TB per account, 60 minutes of skype calls per account, etc, for 10 per month, 25 per month (for 5 people) only for email seems too expensive to me. The only thing lacking is custom email address.
The basic is $3 though. I have migrated all my private emails I've ever sent or received (some tens of thousands, starting from 90s) to Fastmail. Still well under the 2GB limit of the basic plan.
FastMail appears to be $50/year if you want your own domain. --Maybe there's a discount for multi-year signups, but I can't find it in their pricing details.
Honestly, at that price point I would go with Exchange Online for $48/year. --Virtually the same price and yet I would get double the storage and native integration to Outlook on the desktop and mobile.
There is competition. It’s just that many people don’t know or haven’t tried them. Here are three providers on par with Fastmail but are way cheaper if you need multiple mailboxes — Posteo (posteo.de), Mailbox (mailbox.org) and Runbox (runbox.com).
But I do believe that even these cheaper ones are expensive for what they provide in terms of storage capacity, number of aliases, etc. Costs are supposed to go down over time, and prices too.
There's also development and maintenance costs? Someone needs to build that web UI, android and iOS apps, kick those servers when they misbehave, answer the phone or reply to your enquiry?
Except for the apps, cloud hosting providers already give you all of that for a better price. I also don't want an app... IMAP is a standard, you know.
It's cool you spend your time and money doing things you like (regardless of whether those RFCs will be implemented by email servers and clients) but don't make your customers pay for it. Set up donations or something.
This 1-XS server costs 2€ every month and it could perfectly handle the email of hundreds of users. They are charging you more only for yourself, and that's not even factoring in the economies of scale.
Well, think about the VPS you're proposing. Two euros a month is 24€ a year. Even if you're only paying yourself 6€ an hour, I'm skeptical that running an email server for 100 people would require less than four hours per year.
Fastmail can get quite expensive when you need more than a few mailboxes (not aliases, but mailboxes). Cheaper options are Posteo, Mailbox.org and Runbox.
But the problem is that Fastmail only offers mail and calendar, while G Suite offers a word processor, spreadsheet, presentations, online forms, and photos...
Fastmail has a photos/files/website feature so it isn't just email. I use G suite now for my side business and I've never used any of the features besides email since I have Office on my machine.
It obviously depends on your use case, your personal situation, etc. But for me it is very hard to justify $5 per user per month (we are 5 so that is $25), when I can pay $10 to Microsoft for Office 365 for 5 users, and get, besides email, chat, and drive, word, excel, powerpoint, and skype with 60 mins of international calls.
FREE PLAN - Up to five users. 5GB/User, 25MB attachment limit.
This is to have all 5 users in one "organization".
ZOHO offers full G-suite replacement, free. They have many more applications too.
I used the free plan for a few years, then started paying $24 per year for more storage. What you get for $24 per year is amazing. What you get with the free plan is amazing. Their business model is to impress you with their products enough for you to move to a paying plan. They do NOT make money harvesting your personal information and selling it to third parties.
I’ve been using Fastmail for my personal email for the past four years, and love it. Really reliable, fast, and allows me to keep a personal email without all of the Google Apps stuff.
Same here. FastMail with a custom domain name. First I was planning to self host. But I think mails are quite touchy and doing it myself may be a risk.
That's fair enough (and I am using gmail precisely because I have no way to pay another service provider -- banking while living in a country that you are not a permanent resident of is tricky). However, the entire thread is about what service should you use if you are worried about privacy.
Although available in Japan where I live, there is literally no way to transfer money out of my bank. You may think it odd, but getting a bank account in a foreign country is actually hard. The bank I use is not my choice, but the choice of my former employer -- that's how I got the account. When I set up my own consulting company, I ended up using the same bank. I'm trying to get out of it. I have an account with an offshore bank, but going through the paperwork to actually deliver my pay cheque into it is rather daunting (even though I own the company that pays me!). It will be dramatically easier when I get permanent residence status (which I probably can get whenever I get around to applying for it -- and I should do it sooner rather than later).
But anyway, there are other people in the same situation, where they literally can't pay for things online. I just wanted to indicate that I understood the situation. But thanks for the pointers. It looks pretty useful if I ever get in the situation where I could use it.
I would somehow have to get money into the account... It's the same problem all over again ;-) I suppose I could put the BTC that I mined heating my house when CPU mining was a thing in there...
I don't understand how I am paying for Gmail. I never noticed any ads there (I know that there are ads, but it's hard to find them unless you're searching for them specifically), actually I'm rarely even using the web interface and Gmail doesn't add any ads to IMAP-served mail. For me Gmail is absolutely free. Maybe it uses mail information to target ads for me, but I'm not even sure that I should consider that as a payment. I prefer targeted ads over untargeted ads anyway.
For the privacy, quality, and features it offers at the reasonable price of $50/year, I would say that it's a fantastic alternative. It'd be hard-pressed to find anything free that is on par.
Privacy wise, you're paying for the service so there's a reasonable expectation that they're not mining your emails to build a profile of you. Unlike Google they have no ads to serve you.
> all your personal emails are stored in [someone else's] servers.
Well, yeah. That's true for everything except for hardware you actually own.
They're saying it's better than storing it on Google's servers, not that it's bulletproof.
There really isn't a way to have impenetrable email. It's all about what type and level of risks you're willing to take.
E.g. are you concerned more about rubber stamps or software exploits? Are you more concerned about usage pattern profiles or someone actually reading the content of your messages?
Different people have different priorities and there is no one single best option.
In my 6+ years of being forced to use Office 365 for one of my accounts - it is a flaming POS. Plagued by poor performance, regular (unexplained!) outages and has serious issues with data consistency and don’t even get me started on its terrible rules system.
Let's not forget that with slightly more money than Fastmail or Protonmail are asking for just one mailbox, MSFT is offering you a whole office suite plus 1TB of storage.
Your criticism regarding functionality might be true, but there is no reason for competitors to charge more.
I'm just a simple email user -- 50 emails per week -- and I don't keep them in my inbox. As soon as I'm done with them, I delete them. A simple 50MB inbox is sufficient for me. I just need an ad-less mail box. For me anything beyond 5$/year is expensive as hell.
I'm using my own domain, so it's $5 per month. Considering that I'm using VPS for less than $1 per month, that price seems absurdly high. I would consider paid mail for $5/year with 25GB storage and fastmail features, otherwise free mail looks much better.
Even $5 is not bad, I’m guessing most HN readers wouldn’t miss $5 a month.
Anyway services like Facebook extract around that amount from you via targeted ads, I’m happy to pay if it allows to me to isolate myself from that a bit.
https://mailcow.email/ - dockerized, works with multiple domains, sogo for groupware. Compared to mailinabox's single disk, it has 6 docker volumes to keep track of.
https://mailu.io/ - dockerized, it has a section on Kubernetes deployments, which I find weird, but I guess could make sense for companies
https://mailinabox.email/ - no docker, no multiple domains, roundcube, nextcloud for groupware. Main disadvantage or advantage, depending on your perspective is that you need a mailinabox server per domain.
And then this is the more hands on version, which I guess would be sovereign as ansible deployment.
This might be obvious and not need to be mentioned, but if you're self-hosting, don't forget the obvious and often most flexible option: A Linux box directly running plain old Exim (or Postfix, etc.), Dovecot (or Courier, etc.), Spamassassin. No containers, no abstractions, no meta-configuration.
I've had this setup for a couple of years now and it's not failed me. Support TLS, SPF, spam checking, DKIM, can support multiple domains and aliases. Basically anything you can imagine. And, despite the FUD you might hear about not using a cloud service, my mails don't get magically lost into people's spam filters. The initial configuration/learning is steep, but I pretty much never have to touch it once it was working.
Mostly online searches and reading the software's documentation. Unfortunately there appears to be no site that walks you through the entire process. You'll find "how to set up exim" tutorials and "how to get dovecot working with exim" but so far I have found no overall soup-to-nuts guide that matches my exact configuration.
1. You need your own domain
2. If you're new to Linux, I'd set up something simpler first, like a web server just to familiarize yourself with your domain tools and your distribution's configuration.
3. A good half-way solution for migrating from Gmail is to set your own server as MX for your domain and forward received E-mail to Gmail. That way you can get familiar with setting up your MTA without worrying about delivery. And, you can start encouraging people to start sending mail to your @domain.com address rather than @gmail.com address. I had this set-up for years before taking the plunge and hosting everything myself.
Be warned, Gmail applies very aggressive filtering to your incoming forwarded mail, even before it reaches your "Spam" folder. This was one of the primary reasons I decided to self-host: I was finally able to compare the list of E-mails I received, through looking at my logs, to the E-mails that ended up making it to Gmail. Gmail's (presumably) spam-filtering was filtering out an unacceptable amount of false positives.
4. Set up your host to deliver locally. You'll be able to verify it's working by using standard unix mail tools running on your host.
5. Set up something nicer for delivery like IMAP, and get your favorite mail client to work. I use Dovecot, but there are plenty of options.
6. Any bells and whistles you want. TLS, SPF, DKIM, Spamassassin, multiple domains. I found at first I was getting a massive amount of spam (thanks for fixing this for me for years, Gmail!) but after a few months of training, Spamassassin is very good and I'm back down to not seeing much anymore.
Hope that helps. To your other question. I spend $5 a month for my VPS, and I can host a lot more than E-mail there.
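The DNS records named in step 6, plus the PTR (reverse DNS) record other commenters tie to deliverability, can be checked before sending real mail. The sketch below is an added example, not part of any comment in the thread; the zone data is constructed (example.org and 192.0.2.0/24 are documentation-reserved), the function names are hypothetical, and it evaluates only the `ip4`, `a`, `mx` and `all` SPF mechanisms.

```python
import ipaddress

# Constructed zone data standing in for live DNS answers. Nothing here is
# taken from the thread; the DKIM key value is a placeholder, not a real key.
ZONE = {
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.25"],
    ("example.org", "TXT"): ["v=spf1 mx ip4:192.0.2.64/28 -all"],
    ("sel1._domainkey.example.org", "TXT"): ["v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="],
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.example.org"],
}


def lookup(zone, name, rtype):
    """Return the record values for (name, rtype), or an empty list."""
    return zone.get((name.lower().rstrip("."), rtype), [])


def spf_result(zone, domain, ip):
    """Evaluate a subset of SPF (ip4, a, mx, all) for a sending IP."""
    records = [t for t in lookup(zone, domain, "TXT")
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is an error
    addr = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(zone, arg or domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(zone, mx, "A")
                          for mx in lookup(zone, arg or domain, "MX"))
        else:
            continue  # include, exists, modifiers: outside this subset
        if matched:
            return qualifiers[qual]
    return "neutral"  # no mechanism matched and no "all" term


def fcrdns_ok(zone, ip):
    """Forward-confirmed reverse DNS: PTR(ip) names a host whose A is ip."""
    rname = ipaddress.ip_address(ip).reverse_pointer
    return any(ip in lookup(zone, host, "A")
               for host in lookup(zone, rname, "PTR"))


def dkim_key_published(zone, domain, selector):
    """True if the selector record carries a non-empty p= (public key) tag."""
    for txt in lookup(zone, f"{selector}._domainkey.{domain}", "TXT"):
        tags = dict(part.strip().split("=", 1)
                    for part in txt.split(";") if "=" in part)
        if tags.get("p"):  # an empty p= marks a revoked key
            return True
    return False


def preflight(zone, domain, sending_ip, selector):
    """Summarise the four checks for one domain and outbound IP."""
    mx_hosts = lookup(zone, domain, "MX")
    return {
        "mx": bool(mx_hosts) and all(lookup(zone, h, "A") for h in mx_hosts),
        "ptr": fcrdns_ok(zone, sending_ip),
        "spf": spf_result(zone, domain, sending_ip),
        "dkim": dkim_key_published(zone, domain, selector),
    }


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.70", "198.51.100.9"):
        print(ip, preflight(ZONE, "example.org", ip, "sel1"))
```

Passing all four checks does not cover IP reputation or RBL listings, which the thread raises as a separate problem.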
> https://mailinabox.email/ - no docker, no multiple domains, roundcube, nextcloud for groupware. Main disadvantage or advantage, depending on your perspective is that you need a mailinabox server per domain.
Are you sure? I am running mailinabox and have multiple domains and accounts with no issue.
> And then this is the more hands on version, which I guess would be sovereign as ansible deployment.
I used to run a Sovereign box.
It served me well for 2-3 years, but it got too cumbersome to maintain: they changed their approach to various configuration things (for the better, I'm sure), and threatened to break my setup in the process.
All told, it felt like it had missed the sweet spot between pre-configuration and flexibility, in the end not quite giving you either.
> IMHO sovereign puts too many attack vectors on a single machine.
I turned off most of the attack vectors (I didn't need all the bells and whistles). But yes, they tried too hard, and over-complicated the setup as a result.
There is also https://cloudron.io/ to self-host, which provides a complete email solution based on dovecot and haraka plus a couple of webmail apps to use, like rainloop and roundcube.
It deploys mail server based on modern software stack on your box and you can customize it to fit your demands using recipes suitable for well-known software.
Most important thing is to buy a domain so you can port your email address from provider to provider. I’ve had the same email address and several hosts over the years.
I’m currently on Fastmail and find the service good.
Fastmail has worked well for me with custom domains. It's nice being able to create custom aliases for when an address is publicly visible e.g. GitHub so I know through what funnel emails are coming from.
Like others have said, the Android app is not worth installing unless you're okay with limited and, in some cases, poor functionality.
I suppose you can set it up with the Gmail or Outlook Android apps? I've never tried, as this defeats the purpose of not having those companies as your email provider :)
- IMAP Idle support: e-mails appear instantly, configurable on a by-folder basis.
- Mature and stable: it's been around forever, updates are infrequent, it just works.
- Free software: apache license
- No fanciness: it is very traditional-email oriented. The only "fancy" feature is a unified inbox (showing mails from all your folders), and it can be turned off.
If your e-mail is "complicated" you'll have to spend a bit of time setting everything up. For instance, my server classifies e-mail as it arrives, and I setup different synchronization schedules and notification preferences for different folders. Best time investment of my life.
I use K-9 Mail too, and while I think it's great (fast and customizable) I think it could use some gestures or more in general a UI revamp to reflect the fact we are not using Ice Cream Sandwich anymore :)
Co-signed on Aquamail - the original author was very receptive to feature requests and fixing bugs (It was nice when he eventually added scheduled outgoing emails). The software has since been acquired but development appears to be continuing.
Other clients that caught my eye also were Bluemail or Nine, depending on the need.
I've been using Aquamail on my tablet for years, it's a nice mail app and they continue to support it. I use it on my tablet for the swipe feature especially.
On my smartphone I'm using MailDroid Pro. Like Aquamail, I'm using it for several years now, steady updates and good support. The reason I use MailDroid on my smartphone is the anti-spam plug-in (they charge extra for that though).
I use AquaMail as well, it's one of the few apps I pay for. I paid so I could attach more inboxes though the limit is quite relaxed. The only fancy feature they've added really is a unified mailbox, other than that it's the only android mail client I've used for the past 4-5 years now. I'm a big fan!
You can funnel mail with Gmail, too using extensions. Although some online forms incorrectly reject this. Looks like this: notmyaddress+github@gmail.com
Another vote for fastmail. They even do a pretty decent job being a DNS host as well. Simple setup to add subdomains if you're already using them as your primary/sec NS.
This is exactly what I did a few years back. And exactly for the same reason — so I can easily migrate to a different provider with a low cost of switching. So far I’ve used Gmail as provider but I’m considering switching now.
Although I like the control and portability of having my own domain, as a less technologically-proficient user on a shoestring budget, I've found it more challenging to set up and configure on shared hosting services. There's a need to get your head around things like DNS records, reverse DNS, DKIM, SPF, SpamAssassin, cPanel etc. to stand a reasonable chance of successful delivery and low-maintenance inboxes. I've been through a few hosts and fortunately seem to have settled with a reliable provider now (Squidix), but it's not always been so easy.
Fastmail allows you to set them as the DNS provider and they take care of all DNS records for you. Just buy a domain, set their nameservers, and you're good to go.
There are so many threads like this and the answers usually boil down to the self hosting group and the other group who believes that paying someone to do the job is the right thing to do. I’m in the latter group and always recommend Fastmail. I migrated all of my family's accounts there with multiple domains and couldn’t be happier. For something I use hours every day it’s well worth paying someone to keep it secure and online.
I think paid email services are a great idea, but $50 a year and 2 GB of storage for Fastmail seems expensive to me. Why not something closer to five or ten bucks a year? Can someone explain to me why this type of pricing makes sense?
Pricing 101: Price has nothing to do with the cost of providing the service, and everything to do with the value the customer puts on what they're buying.
The value you put on email is $10/year, so Fastmail doesn't represent good value. Other people obviously think its worth more. Fastmail are providing their service to those people.
I need to respectfully disagree with you here. In a free market, pricing does have something to do with the cost of providing a service because companies that overcharge would quickly lose market share to competitors, especially in a wildly competitive space like email.
Also, ten bucks a year has nothing to do with how much I'd personally be willing to pay for email. It is just my estimation of the amount you could charge people while still keeping healthy profit margins in this industry, however I don't have much domain knowledge regarding email and that figure could be very wrong. I'd love to hear from an expert.
> ...companies that overcharge would quickly lose market share to competitors
This is only true for companies offering equivalent products, and that is never the case in tech because there are so many intangible factors.
In this case, one of Fastmail's intangible benefits is that they're not Google. Maybe Fastmail's customers think that's worth $50 ... but it has zero impact on Fastmail's costs.
Bzzt. Notice how everyone recommended fastmail and nobody else? It's not a highly competitive free market. It's "hi, can anyone recommend a MacBook cheaper than the one apple make" time.
Free markets reductionism not useful with no serious competitive pressure
Email seems like more of a free market than most things considering the incredibly low barrier to entry. You can even host your own email server, you can't reasonably do that with a lot of the software that you use every day.
Just because a particular provider is good and cheap and has a lot of satisfied customers doesn't make it any less of a free market.
It just feels like a truism. Absent a formal regulation oversight any market is free in these terms. We're not comparing Japanese gold plated apples and trader Joe floor dropping oranges with mould on, we're looking for competition in the sense BMW competes with Mercedes and Lexus. Google is giving away something of huge value, which is highly reliable spam free email. They "charge" your privacy which is beyond price. If you seek equivalent functionality the software cost alone for the one I regard as comparable is 350 dollars which as a purchase amortised out is $10 a month over three years but I have to spend another $10 a month to host it, and I still have a single point of failure. So price wise Fastmail may be enormously good value or expensive depending how you feel: there are not a heap of competent competitive alternates. Maybe five? Sure, that's a competitive market in Herfindahl-Hirschman Index maybe? But in practice it's not far off a duopoly. Google or O365, Fastmail or Proton. It's a pair of competing entities not one market.
As long as you don't want deliverability to Gmail or Outlook addresses. Though you can pay for Outlook deliverability it seems. They're very pernickety about allowing mail through from self-hosted or even low-traffic shared hosting IME [albeit limited].
Unused IP, set PTR (seems important) and MX, SPF and DKIM, although I'm not sure how relevant the last one was.
I can imagine that Gmail will block you if you try to send mail from an IP that was previously used to spam.
Couldn't really work out why Gmail wanted to block me, yes obvs using SPF/DKIM/etc. - long trusted domain (15y), never any spam, whitelisted on client side. MS blocked it according to their third-party system because it was associated with another IP address [ie other IP was once used by same ISP] that had once had spam on it (wasn't currently blacklisted in any SBL).
There's no way to check before you build out the system, so unless you have an easy way to change IP and ISP then I'd be cautious.
Email is a highly competitive market with a low barrier to entry and thousands of companies offering similar services. It is nothing like hardware, so your comparison is bizarre.
By the way, I was asking for the point of view of an expert. If you are not an expert on email services, then I have no interest in hearing you speak condescendingly to me.
So, there are two separate-but-related products here.
The first is e-mail.
The second is an extremely hard-to-validate promise of future work, such that (a) cutting-edge security and privacy protections are maintained; (b) properly designed regular backups and redundant infrastructure ensure your e-mails won't be lost; (c) staff ethics, training and oversight will protect against insider threats; (d) protection against spam and phishing will be effective - but will not block legitimate e-mails; (e) e-mails you send will get delivered and not marked as spam or silently discarded, even when sending to the likes of gmail; (f) no e-mails sent to you will be silently discarded or otherwise lost; (g) if issues do arise, that they will respond promptly and competently; and (h) as webmail technology advances and market conditions change, they will keep up-to-date and stay in business.
There's no way for me to validate most of these things. Instead, we rely on a supplier's "reputation" - an amalgamation of their past performance, their visibility and their marketing.
There are many e-mail providers. There aren't many e-mail providers widely known as reputable.
In other words, Fastmail doesn't face much price competition within the market of "e-mail services recommended by users of Hacker News" even if they do within the market of e-mail services generically.
Once you add the words like Gmail or replace Gmail or instead of Gmail then no, it's not thousands of companies offering similar services. Running a service in Port 457 is the least of the offerings. It has to have spam detection as good as Postini, sieve, IMAP, utf-8 support, tls certificate management, a web portal, DNS and related domain management.
The killer is five nines availability. That's pricey.
I used to run mailsystems and maintain mailsystems code in the 1980s. I don't do it now because it has too many moving parts. I got a grandfathered domain into hosted by Google and it's worth a damn sight more than the apparent market force bottom price.
Hardware or software or service your competitors have to be comparable or at least bearable to apply price pressure. I do not judge fastmail as price competitive because they (like apple) are competing in quality. Not price.
The Fastmail pricing tiers are $3, $5, and $9 per month which is $36, $60, and $108 per year respectively. If you look at their primary competition their prices are on par or slightly better. Here is a sampling...
Google G Suite: $5, $10, and $25 per month per user.
While they are on par for email, with Fastmail being superior in certain ways, you do get a deal more value from the Google G Suite as you get a lot more besides email incorporated in the price, i.e., cloud drive, the applications themselves etc.
Thinking through this for a project I'm working on with a tight budget I concluded for money related reasons I'd probably have to go with Google even though I'd prefer not to.
FastMail is more than just email. They include a drive like feature with the ability to make a basic website.
I use G Suite for my side business and while it seems like a great deal because you get all these other apps, in practice, I have never used them, not once.
Five or ten bucks a year is impossible to attain. The monthly cost of a hosted GB is about a cent. At 25GB, in a service with fast search and, I imagine, regular snapshots and backups, you'll be using up to 200% overhead. Assume that most accounts are not at 100% usage and, in the spirit of a Fermi estimate, set a typical usage of 50GB. You get to a yearly cost of $6.
At $6 cost of hardware per account, now you have to factor in other costs and your profit margin. Support alone will bring you above $10. Marketing will also bring you above $10 on its own. At a decent scale, you can keep the marginal cost of engineering low (as it does not scale linearly), but on a mid-sized operation expect it to bring you above $10 on its own.
All in all, $50/year is high but not stratospheric.
It does seem expensive when you've been exposed to free (or heavily discounted) prices your whole life. This is because the others still charge this much, except the difference in revenue is made up by selling your data and pushing adverts (rather than charging you extra). Suddenly the extra $30-$40 per year doesn't seem so expensive any more.
I have to say: I like to be charged as much as FastMail charges. It gives me some sense that they will not be out of business or quit in a year or two. I like FastMail to still exist in 50 years.
I'd like to switch to Fastmail, but I have a handful of seldom-used secondary accounts (e.g., for family members), and it doesn't make sense to pay $5/mo/each when they're free on G Suite. Their pricing structure is designed for organizations or single users, but somehow my use case falls in between.
It seems a bit off that my household can stream as many movies as we want for $11/mo, or have unlimited access to an enormous music catalog for $15/mo, but e-mail service costs more.
ProtonMail looks about the same, actually more expensive, though they have a more attractive $30/mo plan for 6 users that includes VPN access.
"Have as many email addresses on as many domains you need, anytime. No extra costs. All your projects, ideas, employees, family members and IoT devices are welcome. Pets too.
Migadu is a radically different, independent email hosting from Switzerland. We do not count your domains, mailboxes, gigabytes or teeth."
I've been using migadu for nearly two years now. I've got multiple domains hooked up with no fuss. Their service is reliable, I've only had 1 down-time issue I can remember with their service going down but it only seemed to last 20 minutes and I don't believe I lost any emails during it.
The only downside I've seen is they don't have 2FA for individual mail accounts. They do have it for the top level account management UI though which is the most important thing for me.
The support team is also great, I've not had many issues but when I have I often end up emailing the same few people and they respond very quickly (I am in an EU timezone though).
I'm incredibly happy with their quiet and high quality service.
As an ex-customer (with Migadu for about a year), I have nothing but good things to say. Customer support was always very quick and knowledgeable. It's not a huge team so it has that "I'm a regular" kinda vibe when you chat with them. Obviously I left but it was to try out Fastmail's JMAP (?) format because I had a lot of emails that web UIs struggle to handle. That's maybe the only improvement I could suggest?
I'm just browsing their website and it seems a bit too good to be true... The only drawback I see are daily sending limits (which I'm very happy with).
I've been using them for 2 years now, I'm a big fan of the service. I thought it was a bit too good to be true at first but I was slowly transitioning from a gmail address to my own domain so it wasn't a huge issue if it fell over or something. Turns out to be pretty rock solid and I'm a very happy customer now.
I'd highly recommend it, I've been a customer for about 2 years now I think. As per my comment above, I've found them to be rock solid so far. I also can't speak highly enough of their customer service either.
> and it doesn't make sense to pay $5/mo/each when they're free on G Suite.
It is a matter of perception. Your family members probably pay that $5 for a random coffee at starbucks. If you value your time and privacy, you'll be able to put that $5/month aside.
Maybe https://posteo.de/en (Berlin based) would make sense for you or your family accounts? It's just 1 EUR/mo for basic accounts and they focus on privacy, security and being sustainable.
>Those are the guys that don't let you use special chars in passwords "in order to prevent unintentional wrong password entries".
is that really an issue? using all the special characters (assuming uniform distribution) gives you ~33% more entropy[1] for the same amount of characters, at the expense of increased input time (especially on touch keyboards) and being much harder to remember. why not just make your passwords 33% longer instead?
I would recommend Posteo, like kayoone did. Another alternative that may be even cheaper for you would be Runbox, which has lower prices for secondary accounts.
I'd love to switch away from Gmail, but its security is so compelling that, afaik, nobody else comes close. How many other companies have Tavis Ormandys on staff to do security audits for their users, let alone free users? Is there a single other email provider that gets security right to the extent Google does?
Yeah I completely agree this is something that needs consideration. I do have an email address with my own domain but for security reasons any accounts I create are tied to my gmail address. I've known too many people who have had personal domain email addresses intercepted, particularly through compromised domain/DNS settings. One simple MX record adjustment could mean every single bank account, social media profile, etc. all can be taken over.
> I do have an email address with my own domain but for security reasons any accounts I create are tied to my gmail address. I've known too many people who have had personal domain email addresses intercepted, particularly through compromised domain/DNS settings.
If your Gmail account is lost or compromised, good luck getting any help from Google; while G Suite support is decent, free Gmail account users are basically on their own.
To be fair here, two of these are obvious user error.
In the Ethereum case, he deleted the email and wanted to get it back 2 full years later. The only way he would have recovered from this would have been to take meticulous backups (and test them regularly). I would expect any 3rd party provider to honor my wish to delete data, especially 2 years down the line (and, in fact, they are probably legally required to do so).
In the "lost in the Google void" situation, the user set up 2fa but lost all access to their 2nd factors. I don't see any reasonable recourse to this, as any "solution" Google implements would undermine the entire purpose of 2fa.
The remaining two are obvious issues with Google's service. The "gender pronoun" one is a bit odd because gender pronouns don't seem to have anything to do with the account closure (there's speculation that he was mass-reported to exploit their abuse response systems).
Is it more likely that your DNS host or domain registrar could be compromised or that Google might shut you out of your account? There's risks with either decision, personally I put more trust that my Google account will be there than in my registrar's security.
How does using gmail address compromised DNS? I mean if they compromise your DNS it doesn't matter who is hosting your email, they just point the MX at a different service.
Sorry, you're probably talking about using the @gmail.com domain where you wouldn't have to worry about DNS. I was thinking about custom domains in G-Suite.
DNS as well as registrar, which may be two different entities. You can either change the MX with the DNS host, or you can change the nameserver with the registrar.
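The two takeover paths raised in the comments above (an MX change at the DNS host, a nameserver change at the registrar) can be watched for by comparing what a domain currently answers with a pinned baseline. This is an added example, not something posted in the thread; the domain, host names and sample answers are constructed, and the input is assumed to be `dig`-style answer lines.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "severity rtype detail")


def _norm(host):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return host.strip().rstrip(".").lower()


def parse_answers(text):
    """Parse dig-style answer lines into {'MX': {(pref, host)}, 'NS': {host}}."""
    records = {"MX": set(), "NS": set()}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop dig's ';' comment lines
        # Expected layout: name ttl class type rdata...
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        rtype = fields[3].upper()
        if rtype == "MX" and len(fields) >= 6 and fields[4].isdigit():
            records["MX"].add((int(fields[4]), _norm(fields[5])))
        elif rtype == "NS":
            records["NS"].add(_norm(fields[4]))
    return records


def check_drift(baseline, observed):
    """Compare observed MX/NS sets with the pinned baseline; return Findings."""
    findings = []

    # Path 1: the nameserver set changed. Whoever runs the new nameservers
    # controls every record in the zone, MX included.
    added_ns = observed["NS"] - baseline["NS"]
    removed_ns = baseline["NS"] - observed["NS"]
    if added_ns or removed_ns:
        findings.append(Finding(
            "critical", "NS",
            f"delegation changed: added={sorted(added_ns)} removed={sorted(removed_ns)}"))

    # Path 2: the MX set changed while the nameservers stayed the same.
    known_hosts = {host for _, host in baseline["MX"]}
    seen_hosts = {host for _, host in observed["MX"]}
    best_known = min((pref for pref, _ in baseline["MX"]), default=None)
    for pref, host in sorted(observed["MX"]):
        if host in known_hosts:
            continue  # re-ordering among pinned exchangers is not flagged here
        # The lowest preference value is tried first, so an unknown exchanger
        # at or below the best pinned preference receives mail before the
        # legitimate servers do.
        first_in_line = best_known is None or pref <= best_known
        findings.append(Finding(
            "critical" if first_in_line else "warning", "MX",
            f"unknown exchanger {host} (preference {pref})"))
    for host in sorted(known_hosts - seen_hosts):
        findings.append(Finding("warning", "MX", f"pinned exchanger {host} missing"))
    return findings


# Constructed sample data: pinned baseline and two later observations.
BASELINE_ANSWERS = """\
example.org. 3600 IN NS ns1.dnshost.example.
example.org. 3600 IN NS ns2.dnshost.example.
example.org. 3600 IN MX 10 in1.mailhost.example.
example.org. 3600 IN MX 20 in2.mailhost.example.
"""

OBSERVED_MX_CHANGED = """\
;; ANSWER SECTION (constructed)
example.org. 3600 IN NS ns1.dnshost.example.
example.org. 3600 IN NS ns2.dnshost.example.
example.org. 300  IN MX 5  mx.unknown.example.
example.org. 3600 IN MX 10 in1.mailhost.example.
example.org. 3600 IN MX 20 in2.mailhost.example.
"""

OBSERVED_NS_CHANGED = """\
example.org. 3600 IN NS ns1.other-dns.example.
example.org. 3600 IN NS ns2.other-dns.example.
example.org. 3600 IN MX 10 in1.mailhost.example.
example.org. 3600 IN MX 20 in2.mailhost.example.
"""

if __name__ == "__main__":
    pinned = parse_answers(BASELINE_ANSWERS)
    for label, sample in (("MX changed", OBSERVED_MX_CHANGED),
                          ("NS changed", OBSERVED_NS_CHANGED)):
        for finding in check_drift(pinned, parse_answers(sample)):
            print(label, finding.severity, finding.rtype, finding.detail)
```

To see a registrar-side change, the NS answers fed to it should come from the parent zone's delegation rather than from the zone's own nameservers.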
Their "end-to-end" encryption claims as well as their schtick about being hosted in Switzerland make it abundantly clear that I will never trust their security. I would go so far as to use almost any other major email provider over ProtonMail.
Could you be more specific about these 2 issues you have?
I mean, of course the actual transit of the email from the sender to your inbox is out of their control, but after that client-side decryption is entirely feasible.
And what is wrong with hosting in Switzerland? Switzerland has very strong privacy laws.
Not OP, perhaps one could think they make such a big thing about security to try to attract lucrative accounts, which they then have backdoors into.
As you can't verify their claims, all you can do is trust. If you want end-to-end encryption you should be gpg encrypting every mail, not relying on the unverifiable word of a provider. Any provider worth its salt will know that, thus wouldn't actually advertise an insecure (as verification can't be done) system as a secure one.
You don't have to trust any of their server code - you only have to trust that the JavaScript blob they send you is actually the same as the open source version. This is the same threat model as trusting Signal from the App store instead of side-loading it yourself.
As has been frequently pointed out, they could choose one account and serve that account a different webpage just once, and harvest their password in order to decrypt all their email in perpetuity. This would be a trivial change that would certainly go unnoticed.
I fail to see how this is any worse than any of their competition, which does server side encryption. At least with ProtonMail there is the chance of them being caught serving backdoored client-side pages - with server-side you would never know.
I feel like the hate is a case of people thinking not being perfect is worse than being average or bad.
If protonmail is billed as a pgp replacement, then people will think it is reasonable to use protonmail's encryption instead of 'offline' encryption, when that's not the case at all.
I don't really like them anymore (for similar reasons), but I don't know as I would put all other providers over them. Certainly, I think they're miles better than gmail.
Neither Tavis Ormandy nor Google have a good track record when it comes to pragmatic security. Google's business model is incompatible with proper security. Chances are that you know Tavis from him being arrogant on project zero so everyone who runs old versions of something, like all the millions of insecure android handsets, can get owned by script kiddies. People have been listing alternatives, but the whole point of giving something like gmail away for free is so there won't be any real alternatives. It isn't like it is going to make a difference either way, since Google's position in the market mean most people won't switch.
Zoho Mail is a strong option. Comes with mobile apps, supports all standard protocols (IMAP/POP/ActiveSync), includes Calendar and many other modules. Zero tracking. Zero ads.
Beyond Mail, Zoho offers several apps that can replace most of what Google offers. From Docs to office suite, note-taking to chat and many more.
I know a couple of friends who work there and they frequently mention having access to raw email contents with minimal supervision. That's not how I want my email to be treated by the company hosting my email services.
I am Radha Vembu, the product manager for Zoho Mail and would like to clarify the process we follow:
For troubleshooting issues, we generally refer to email delivery status and activity logs of the user to help us understand the sequence of steps involved for a reported issue.
There are special cases related to spam/abuse for which we request the user to share the email headers/content whichever is applicable to the issue.
There are even rare instances of issues with mail parsing and to debug those cases, we ask our users for the complete original content of the email to simulate the problem.
You can also see our support team asking the users to share the original content of the email for debugging some of the issues, as seen in the links below.
Most email providers have some sort of ability to see raw data. That's the problem with email protocols, not the company. When necessary it's largely used for legal purposes (i.e. think subpoenas or court evidence in general), virus tracking (finding who got the first one or first to open "that email"), technical issues, etc.
I can personally say I know how to sift through probably 5 or 6 different email systems or providers for this kind of data. It may seem "creepy", it did to me at first, but after awhile you realize, in business at least, there's really nothing of interest. Probably only like 99.999% of emails exchanged will have nothing incriminating, embarrassing, or even worth reading. It's kind of like being the key holder for a safe. Someone's gotta be the keyholder and be able to access the data for when necessary. Sometimes there's an inherent level of trust required and usually they just dgaf what's there.
It's kind of like a virtual manifestation of the "IT Closet" that almost all companies have. A bunch of places I've worked there's an office or closet where all the old PCs, laptops, and hard drives get stashed away. All the IT staff get access, and yes they could go rummaging around looking for personal pics, old tax records, etc, most of the time it's just not a valid concern worth anyone's time to steal or protect.
I will add that we use Zoho at work and have issues with emails about weekly. Their web interfaces are not very well designed although they do work OK.
I use their completely free service for all my custom domains and I find the webmail pretty good. The web applications, in general, are pretty actively maintained, with new features every few months. Only had one bigger issue over the years and they resolved it within 24 hours.
They also have a native dark theme on webmail that is pretty decent.
Parent comment just states facts, why even bother suggesting they're affiliated somehow? Meanwhile I'm not affiliated with Zoho in any way, and can confirm their free service is awesome. I've got 2 custom domains on it and couldn't be happier
Does everyone who mentions iPhones work for Apple?
I'm not affiliated with Zoho in any way except being a customer. Yes, the topic of email hosting comes up from time to time and I mention the host I use.
Can anyone explain why G Suite (the paid version of Gmail) is not considered safe for data privacy? From the site it says they are encrypted, regularly audited by 3rd parties and not used for ads.
" This encryption happens as it is written to disk, without the customer having to take any action. Google encrypts data with distinct encryption keys, even if they belong to the same customer. Data is encrypted using 128-bit or stronger Advanced Encryption Standard (AES).
Google encrypts core G Suite data while it is “in transit” as well, whether it is traveling over the Internet between the customer and Google, or moving within Google as it shifts from one data center to another. We encrypt this data between Google and our customers using HTTPS with forward secrecy. "
The truth nobody knows but it seems that they encrypt with their own keys so that means they can open the data and read it.
G Suite isn't private because Google isn't in the privacy or productivity business. It's an advertising company that happens to have a product line which looks like a productivity suite. Charging money for it is just a nifty way to defray the costs of collecting data for advertising purposes.
For one, it's just a bad business decision, opening yourself up to an incredible legal liability for relatively little benefit.
For another, just because they have more funds and a larger legal team doesn't mean they can devote the same quantity of resources to that specific case. Google is huge and might have resources dedicated to legal ~100x more than any other single entity, but if Google is party to ~1000x more cases than the other party, they'll still have a tough time matching resources.
My recommendation is posteo.de. It’s a lot cheaper than Fastmail if you need multiple mailboxes. Browse through the site and read through the company’s values. A bonus is its focus on being better for the environment.
One point to note about Posteo is that it doesn’t allow custom domains (but there are plenty of Posteo domains to choose from). I don’t see this as a disadvantage for my use though.
Other recommendations are Runbox and mailbox.org, both being near the price of Posteo while also allowing custom domains for certain plans.
Posteo, Runbox and Mailbox.org provide IMAP support. So you’re not stuck with the provider if you want to move your mails out (unlike ProtonMail, which has an IMAP bridge only for paid accounts and is a bit more cumbersome to install/use than the alternative of just picking any email client of your preference).
There's no simple answer, because it comes down to your threat model.
What do you want to keep private? Just content? Or also metadata, including your identity and the identities of your correspondents?
And who are your adversaries? Random cybercriminals? Competitors? The email provider? Criminal investigators? Foreign intelligence agencies? Your government's intelligence agencies?
> With the recent thread on privacy in Chrome, I'm thinking of switching off Gmail.
OK, so the email provider is considered an adversary.
If that's the case, the only prudent option is end-to-end encryption, done locally, and not using the provider's services. But that's barely workable. Most correspondents won't cooperate. Configuring clients correctly is nontrivial, to avoid attacks like Efail. Also, there's no forward secrecy, and metadata is not encrypted.
For privacy at that level, you ought to be using something with forward secrecy, like Signal. And if anonymity really matters, you ought to be using something that does P2P via Tor .onion services, such as Briar or Ricochet.
But anyway, you could use email with end-to-end encryption, use pseudonyms, and minimize metadata with some mix of VPN services and Tor. And then use providers with better reputations about privacy and security. Such as Autistici, CounterMail, Posteo, ProtonMail, Riseup, ScryptMail, Tutanota or VFEmail.
However, there's no guarantee that any of them will refuse "lawful" access. For example, Autistici acknowledges that they might "lose control" over their servers, perhaps through seizure by police, or that their servers could "run into accidents that could undermine [their] security".[0] And Riseup redefined their warrant canary policy to exclude investigations of individual users, or groups of users, that don't put Riseup users generally at risk.[1]
Even so, you're arguably OK as long as they can't decrypt messages, don't know who you or your correspondents are, or where y'all are located.
> > With the recent thread on privacy in Chrome, I'm thinking of switching off Gmail.
> OK, so the email provider is considered an adversary.
I don't think Gmail is considered an adversary, it's just that you can now no longer log in to Gmail without also logging in to the same account in Chrome, which is a stupid non-user-friendly feature.
Why is that an issue if you trust Google? Indeed, in that case, they're doing something that is user-friendly. Because stuff arguably works more reliably if you're logged in to both Google and Chrome.
And if you don't trust Google, they're at least effectively an adversary. In the most favorable light, that they're doing something that might compromise your privacy.
I'm not as usually concerned about this as some are, but I appreciate that others are. As much as I enjoy Google products, I want there to be 50 other options out there that work great and have their own advantages. I wish there was more competition, in general, for most things on ye ole information super-highway.
I've found no search service that does a better job than Google. Plus Google Books, Google Scholar, etc. I'm just an anonymous coward when using them ;)
Outlook.com (free) and Office365 (a few $/month/user on your own domain) are both great options. I personally much prefer both the web client and the various app clients to gmail's equivalents.
I personally use hosted Exchange for $4/month¹ and think it's the best option out there. What matters to me is support is good, your email won't get detected as spam, they support push on iOS and they have datacenters in Europe, USA and Asia.
MS built Win10 to spy on you and build a business from data mining. Why would they not do that for email? (Or, more likely, change Outlook's ToS to allow it once you are hooked.)
You could say that of any email provider, but ProtonMail is under GDPR so it makes it a safer alternative.
I still have a hotmail account from like 20 years ago and like it. Good thing is you can convert it to an @outlook.com alias if wanted, as that might look cooler. But I don't mind the hotmail name. Who knows, maybe one day it might be cool again. I pretty much skipped gmail entirely because of the personalized ad business. I also have a protonmail account which is good, but am not using it as much.
I had one of their email accounts but after changing my Skype profile, it somehow released it and had to register @outlook.com address and I had no way of getting back the old address which made a few web accounts inaccessible including Google which asked me to check my email for accessing it from a new device. All previous emails are inaccessible too. Unbelievable.
Does anyone know a (preferably self-hosted, but can be commercial) mail client that is as good as Gmail for power users? I always found it rather straightforward to have a custom domain and even operate my own mail server, but haven't been able to do the same for the client.
The features most important to me are:
- Gmail's speed and accuracy in search, especially on large mailboxes (100k+ emails) - this one is usually the deal breaker
- easy & powerful automatic filter rules
- web client
- calendar integration (optional)
- app for easy access to emails and search on mobile (optional)
I like fastmail personally because aside from being a fast experience, I like their well written guides and articles. It helps me set stuff up without feeling like I'm just following instructions and helps me understand what I'm doing and why I'm doing it.
I can't recommend them because they recycle email addresses when you stop paying for them. Not really something I can take seriously. They should just hold your email hostage until you start paying them again. Instead, they leave money on the table and create an amateur security failure.
We do have plans to stop recycling email addresses quite so quickly. Having said that, if you have your own domain (recommended by most people so you can move providers) you also don't get the namespace reserved forever if you stop paying. Domains get recycled too.
On this matter, Runbox is clear that it will not release/recycle the email address ever. Posteo, which I like and use, has a policy of recycling addresses after six months, which is quite harmful.
Your comment says — essentially — “every email company shares with their host country”. If I take that at face value, I would take the US’s and Australia’s rule of law and due process and concern for my privacy many many times over Russia’s current government’s.
> I would take the US’s [...] rule of law and due process and concern for my privacy many many times over Russia’s current government’s.
I find this somewhat laughable given that we already have solid proof (Snowden) that not only does the US slurp up emails en-masse but it considers non-citizens to have zero privacy rights (this fun EO: https://www.schneier.com/blog/archives/2017/01/new_rules_on_...).
The reason Russia is less of a problem is that even if I give Russia all my email, it has an order of magnitude less data because it doesn't have access to data from Facebook, Google, Twitter and the like like the US does. It also has less power over my life. I have investments in US securities that could theoretically be taken from me if the US government wished. Russia has no power over me.
ProtonMail. Definitely ProtonMail. You can live off it for free as long as you delete old stuff but paying better for I think $5 a month (maybe more or less). Free is perfectly adequate for me personally though, I made the switch a couple months ago and haven't looked back. Might wanna set up auto forwarding though:
https://support.google.com/mail/answer/10957?hl=en
They are based in Germany, are very privacy conscious (anonymous payments and registration) and offer full encryption support. With k9mail as mobile app I've been very happy so far
I'm self-hosting my mail server using mailcow[0] for a little over a year now and everything works fine. It comes with an admin interface to manage accounts and the SoGo webmail client[1].
Getting it up and running was also pretty easy. Create some DNS records as described in the documentation, cloning the repository and starting everything using docker-compose.
What I mean is, what a person would honestly consider a service (such as e-mail, a website, a git server), not a technical definition of a service (a database, dovecot, php).
- dovecot + postfix + opendkim + opendmarc + bogofilter + rainloop if you like tinkering and you have a small/personal setup. Drop in radicale with imap auth for calendar/contacts, and prosody with imap auth for jabber, and you're good for life, unless people want shiny web interfaces, in which case consider nextcloud for contacts/calendar.
- zimbra as an all-in-one solution
- exim + cyrus if you want mail only for a large company and you want it open source
I've been with Zoho Mail for a few months now and have had a great experience with them so far! Great security features, calendar support, as well as DNS management. I've also heard good things about FastMail and Proton mail.
Compare and find out which service best suits your needs/budget.
Same here! I moved my company email from google apps to Zoho a couple of months ago, and I'm not coming back. Reasonable pricing, plenty of features, quick (and human!) responses to support tickets.
If you need strong privacy, then go to ProtonMail.
Otherwise, try https://yandex.com. For personal domains you can use https://connect.yandex.com, which is free (with ads) for unlimited users or $3 per user per month (available in several countries) without ads.
I've been using Yandex Connect for quite long time (free and paid). They are very good.
Yandex Connect goes with Email (fully unlimited), Cloud Storage, Wiki and Simple Messenger. There is also an option to control domain's DNS, but it's optional.
Yandex offers an excellent free email service indeed.
What I really like is their free support for custom domains which you need if you later want to move to another email provider or if you want to create many user email accounts within your domain (say, info@mydomain.com and user@mydomain.com): https://connect.yandex.com/
I tried signing up for yandex a few months ago. I made an account, and I was able to gain access to their email service. However, I couldn't actually receive mail or send mail that went anywhere. From what I can tell, there's no guarantee they will actually activate your account when you sign up.
Let's be honest: Any company must comply with local authorities in any country they work in.
I'm pretty sure that we can find such an article about any major US based service and FBI/NSA/etc, for example. Same for major services from Europe. Because of this I pointed to ProtonMail before going further.
By the way, this article is about "Yandex's online payment service" (this service can be compared to PayPal), which is owned by Yandex only for 25%, other 75% is being owned by the biggest bank in Russia, which is owned by governance (just to clarify: Yandex is not).
Be careful, Russian secret services have an official access to all communication on their servers. If your threat model includes bad actors from Russia — it's a no go.
Regardless of which provider you choose, consider getting your own domain name. Then your email address is not linked to the provider, and you can easily change again in the future.
Threads about email providers seem to be a prime target for astroturfers on HN. There are so many different providers, yet weirdly it's always the same company with the most comments.
This seems pretty easy to prove or disprove based on the comment history of said accounts. The few I've checked out seem perfectly legitimate.
Unless FastMail are paying people to spend all day maintaining perfectly normal HN accounts for the odd occasions that a discussion about email comes up... dons tinfoil hat
This has been going on for over a year now. A lot of astroturfing coupled with misinformation criticizing predominantly US-based incumbents. I think there are a few mods with a political agenda who are pushing this. Often the advertised replacement is an inferior product that doesn't even provide better privacy or security than Google or whatever is being criticized. Interesting time to live in.
I'm not much of a conspiracy theorist but it's true that there are rather weird voting patterns in this thread. I self-host my email so I don't really have a horse in that race but I don't quite understand why all mentions of protonmail are downvoted while everything about Fastmail is at the top. Is there some context I'm missing?
This is not a recommendation but rather an inquiry.
I’m currently using roundcube [1] on my server but have no clue if that’s the right choice for me. It works but I only use it because my hosting company recommended it and I just stuck with it. It seems to be open source so that’s a big plus imo.
If anyone here has some experience with roundcube I’d like to know what you think about the software. Are there any flaws I should be aware of? Anything other projects are doing better?
I value privacy over functionality and am willing to try out something new.
I went with Outlook 365. I've been using it for the last 2 years at my office and really like the rules options. It's been really pleasant and the Office web compatibility is nice.
I use ProtonMail and I am quite satisfied so far. Servers being in Switzerland is a huge plus in my book, compared to Gmail and fastmail which seems to be suggested so often.
Can definitely recommend FastMail - I migrated from Gmail around 4 years ago and haven't looked back
It has a clean, powerful UI with good shortcuts. DNS management and basic site hosting (with automatic Let's Encrypt support), great calendar and contacts support.
Had some problems with some senders getting rate limited a while back, but worked with support to get it fixed up.
Surprised Migadu isn't on here. Cheap, use your own domains, IMAP. I can't recall the security/privacy provisions off hand, but my threat model doesn't include nation states or warrants. As long as I keep my domain and I have offline backups of my email, I'm happy.
Oh, and it works! Never had emails get lost due to bad mail server configs.
Filters for putting emails in folders are pretty common. I use sieve[1] since I run my own server, but many clients and hosted services have their own mechanisms.
I'm on Exchange online (~5$ per user/month) and rather happy. The Outlook Web App online interface is regularly updated, I can use a custom domain, have plenty of storage and adding my wife as well as alternate domains was rather easy. Add to that support for shared calendars and great support for push features (using Exchange Active Sync) on almost all systems.
The main problem is that it is Microsoft and thus rather complicated: I now have a private Microsoft 'work' account for Exchange Online + a private Microsoft 'home' account for Office 365 Home Edition. So when I want to log into the online services (Mail, OneDrive, etc) I always have to think twice about which login to use :-(
My company uses Gandi for email and I don't think I'd recommend them. They often have outages and as ngrilly points out they don't implement all the best practices when it comes to anti-spam. I don't have a lot of experience with competing services (I self-host myself) but surely there are better alternatives out there.
I love Gandi, but their email service is still unable to sign outgoing emails with DKIM, which is almost mandatory nowadays to avoid being flagged as spam.
I saw that too, but they add the following on their FAQ page
`If you use Gandi’s DNS however, you are free to add the TXT zone file record needed to add the necessary “_domainkey” TXT entry for your domain. You would then need to see with your outgoing email provider concerning the configuration of their mail server for the service.`
I administer all my domains on eurodns.com. They offer a decent service for a good price. Bonus: They use open-xchange as their mail backend, so you profit from a great web client.
An account with 10GB for mail plus 10GB for cloud storage with unlimited aliases costs about 3€ per month.
I mainly use their service for family mail. The only downside is that passwords of mail accounts cannot be changed individually in the web client i.e., I -- who has the account at eurodns -- as administrator have to set the passwords.
I'm not affiliated with them. While the solution is not perfect, pricing is OK and domain service provider plus email hosting is done in the EU, which is the most important point for me.
Another happy user here, but I think they deserve much more credit than simply being a cheap offer.
They're big on both security and privacy (you can even sign up anonymously and send them cash through the mail), have some pretty cool PGP features, they strip the IP address from outgoing mail (underrated feature) AND they run a fairly updated XMPP server along with a Tor exit.
For €1 a month you get 2GB of storage, 3 aliases (includes catch-all for custom domains), CalDAV/CardDAV sync, along with 100MB WebDAV storage for their office suite (which I've admittedly never used.)
Good service, great price, pretty cool company. More people should check them out.
Tried that. However, because they refuse to let their spam filter look at mail contents, it’s worthless. Other than that, it’s acceptable and custom domains are possible, too.
Many of my mail addresses have been around for decades and receive substantial amounts of spam. Google correctly deals with that. Mailbox.org does not. In fact, during the week I experimented with it, their filter didn’t clear away a single spam mail.
I'd like to add I've been using Mailbox.org for about two years now and haven't personally had a problem with spam, although I actually didn't know they had a policy to not look at the content of the email.
I switched from Gmail too a few months ago, setting up my own domain as well.
I went with Mailfence, it's slightly cheaper than proton mail (€2.50 per month, but there's also a free tier), and still privacy focused. I think a few things could be improved (no catch all email address available, for example), but for that price I don't think I can complain.
I use both ProtonMail and Zoho Mail.
- If you go for better security, ProtonMail. I use this for my personal email.
- If you need better UI/UX & some other utilities, use Zoho Mail. It's free though.
I've been using mailbox.org with a custom domain for over two years now. Although it's not free, the plans are quite cheap (starting from EUR 1/month). Have not had a single issue with it.
I moved to Runbox from GMail earlier this year after the AMP-in-mail debacle. I wrote up my criteria and a bunch of different suppliers[1] and Runbox was the pick. I’ve been mostly happy with them, although their uptime hasn’t been brilliant recently.
I've been using GMail/Google Inbox for awhile and thinking about switching. Now that Google's announced they'll be shutting down Inbox next year, I want to finally make the switch.
It seems like there's some consensus around FastMail for email. How's the calendar functionality with FastMail? Is there another good non-Google calendar alternative?
I also made heavy use of the task/notification/snooze feature in Inbox. Is there anything like that in FastMail? Is there another good task management app that anyone would recommend?
Since yours is a new account here, I have to ask. Are you part of the team there or are you just a user? How’s the support? Whenever I, as a non-customer, contacted Migadu, it seemed like nobody read the emails.
I also find the pricing logic a bit like it’s too good to be true, and am wary of providers who cannot sustain themselves.
I'm just a user and I'm pretty happy with Migadu as well. I only contacted them once, and got a reply within a few hours. And a real reply, with technical details, written by someone who obviously understood the question very well.
The webmail is really basic though: it's basically Rainloop (https://www.rainloop.net/) without any plugin.
I like the way that you can have regex based email address filters, so for example you could have name.youtube.com@example.com forwarding to name's inbox, this is similar to gmail's "+" feature.
Without evidence, just observation, can someone here explain to me why it seems every top comment and their child comments have sort of a corporate shill objective?
I recently switched from GSuite to MXRoute.com after being recommended the service here on HN.
Unlimited accounts/subdomains and 5GB space for $30/year.
I’m using ProtonMail with the free plan for more than 6 months now, still have some husk from Gmail being auto forwarded to it.
And for work I use gsuite for now.
ProtonMail only did one thing wrong lately. They’ve added a payers' feature, a @pm.me short domain, and are allowing free users to only receive emails with this address. That was irritating and absurd, so I’m still thinking if I want to move completely.
I found that what’s even harder is dealing with commercial entities who can’t propagate the email address change throughout all their systems. So don’t release your existing accounts soon.
Google Inbox - best thing ever to happen to email. Unfortunately they have announced that they plan to shut it down in March. GMail really is a horrible experience in comparison.
Using FastMail on my own domains. One account covers all the domains. Having more domains costs the same as one. They support several different kinds of address aliasing/wildcarding (including Gmail style '+' wildcards and multiple recipient). Their DNS is absolutely great with useful defaults.
Other than supporting the company that is the reason you are leaving gmail (free), what are the thoughts on just paying for gsuite for $5/$10 a month since the privacy statement on gsuite is clearly stated?
I'd like to avoid google, but the email service is pretty damn good (spam filter especially)
Another happy customer of Fastmail here, and these are my opinions why you should give it a try:
1. They often express their opinions on topics like security and privacy. Like how things impact their users, where they stand, and what they plan to do. As a user I am happy to see a company actively talk about hard topics like these.
2. While they are not the most stable software service I have ever used, they always provide timely updates. They also write postmortems to explain what happened technically, what they did, and their future plans. As a developer, I appreciate it when a software company spends extra effort to acknowledge and explain issues with their service.
3. Their business model is simple. I pay money, they provide service.
I use AWS WorkMail and I'm moderately happy with it. It's pretty barebones, but works and hasn't given me any problems. I went with it because I use Route53 for my domains, and host most of my stuff on AWS anyway, so it was one less account/service to manage. The web interface is really basic, but I mostly access it through emacs/gnus or the android email client. My only complaint is that some of the documentation is wrong. It tells you to use an exchange setup for android, but that breaks. The plain IMAP setup works fine though.
I can't really speak to privacy aspects, but I'm assuming that since I'm actually paying for the service, it's a little better than if I were using a free service like gmail.
I'm super happy with mailbox.org, it has a feature that I've never seen in other place which is disposable addresses so that you can make accounts wherever you want without fear of spam! You just deactivate that email when you want or it will expire in 30 days.
I’ve been paying for a Mini account at Runbox for 2 years.
I think they’re hosted in Norway or some other “safe(r)” location. The UI definitely needs some polish, including their marketing pages.
Functionality-wise it’s top notch. I’ve no complaints to log so far. I also use them for CalDAV, CardDAV, and host a domain with a sub-account my wife uses.
I’ve needed their customer support twice, and it was the best possible service in both accounts. This last time it was about 2FA after I locked myself out of my account. Really good service.
That’s that. I’ve used Proton and Tutanota before. A long way back I was a very happy customer of Lavabit. All of these are privacy-conscious.
Read the privacy policies, try to make sense of them. I would avoid Gmail like the plague, but I’m morally opposed to Google.
Which service is best? The one you roll out on your own, in your rack, on your own servers in the basement. Unfortunately, configuring a complete end-to-end e-mail solution in 2018 is an incredibly complex affair. The hardest part is the SPAM filtering.
On the command line, I use pine with the maildir patch; in the browser, I recommend the open source version of "eGroupware", a complete replacement for Microsoft Outlook:
Is there a good turnkey solution for this, and other services? I mean not with my own physical servers, but I'd pay to have an image with mail all set up and other services, like remote storage, etc, all ready to go and plop it on ec2 or something.
I don't like how this question is phrased. It should be
"Good alternativeS to Gmail?"
Yeah. Please be it to multiple choices, for availability reasons and monopoly concerns. Sadly there aren't many good competitors in this arena (anymore), which always makes me nervous.
If you want to get your hands dirty https://mailinabox.email/ - The downside being no iOS push email. As long as you can put up with that, or you jerry-rig something else for push (say a simple Slack bot to say "Hey you got mail from XYZ" and you then open mail.app yourself), or just live with the 15 min pull, you will be fine. Have auto updates enabled and hosted on AWS with an RDNS record and not had any issues with it since.
If you don't want to get your hands dirty or you can't live without iOS push email then FastMail - Downside being $50/year (if you want to use your own domain).
I'm doing the same thing, and I chose FastMail. It was easy to set up with a custom domain, and I've been making heavy use of aliases and plus addressing which I like. At least for my purposes, the web client is every bit as capable as the Gmail interface. I haven't tried to import mail from Gmail yet, but it looks straightforward.
The big drawback I think is that Gmail was the interface for Hangouts/Voice, so I either need to find good alternatives for those things, or keep my Gmail account around for that purpose.
I guess it feels a little weird to be paying for a personal email account, but for a single user it's not awful, and I end up owning the entire address. I think it's worth it.
The most important thing is having your own domain. Then whatever provider you choose, the address is easily portable.
I've no idea what your requirements are, but I've used office 365 small business premium plan for years (£9.40 per month). It comes with a hosted exchange server which gives you loads of flexibility for very little effort. And for my purposes, I really like outlook as a desktop client. Not everyone agrees though. And as I want the desktop office apps anyway, the extra money for the plan with exchange included is minimal.
There is also a cheaper 'essentials' plan which gives you the server stuff without the desktop office apps if you don't need/want/like them.
It is worth noting that these don't support IMAP and Contacts/Calendar like most email services do. (They say that it has to do with how they handle their encryption)
Thanks for noting that. Strictly speaking, email doesn't include contacts and calendaring, but it completely slipped my mind and I had already shortlisted Tutanota.
If you have your own domain, and self-host or have a small reliable provider host for you, client doesn't matter so much. You can pick your mix of clients for various devices. This is how I've done it for over 20 years now.
For your self-hosted email, I recommend Courier MTA with Courier IMAP which is available on Debian GNU/Linux and other VPS/Server solutions: http://courier-mta.org/
It also offers pretty nice, secure webmail SQWebMail system.
I self host using hMailServer (open source) and Thunderbird. It's so user friendly, if you are capable of installing software generally, you'll also manage this with no problems (maybe some reading up if you don't know the difference between IMAP and POP3, but that's about it).
The issue is that HMS is Windows-only, but the ease of use is superb compared to anything I've seen on Linux. And it's open source so I'm moderately happy keeping this legacy system running in a VM until it's ported or a manageable alternative comes along.
+1 hMailServer; Deployed it for a few clients who needed it to work with SQL Server. It was rock solid and hosted hundreds of domains and a ton of email accessed over various devices.
It's not glamorous software as it's pretty basic but if all you need is basic, it will not disappoint you, and usually most of the needs of many folks are pretty simplistic.
Stay on GMail, but don't log-in to the web interface. Instead use Thunderbird. That way you can read your mail without being forced logged-in to search or video.
Google has been making this harder and harder though (now calling Thunderbird insecure, and requiring you to allow insecure apps in the options), but it is a good canary in the coal mine: Once I can't avoid this unified/universal log-in, I'll know Google turned me into an adversary.
With this setup I deem Gmail to be the best service for privacy and security.
I recently migrated to staying on GMail but using offlineimap and a program called notmuch to view and send mail. In this world I have all my mail locally, GMail is just an IMAP endpoint to store my mail.
You can use a standard email client hooked to Gmail to stop Google from getting your browsing data.
You can relay your Gmail to another account with read-only access, replying from a VM with only email use (I do this on my phone). Or, only get/send your email from a VM that does nothing else.
Because it seems like there's two issues here: Google gaining intel from your email itself, and Google gaining intel from your browsing data, gained from your use of Gmail in a browser. What I've suggested addresses browsing data.
However I have recently switched to a self-hosted solution, after years on gmail, because I wanted to be in control of my personal data, and because I can't be a proponent for privacy while being on a service like gmail. Time will tell ;)
If you are willing to run your own, have a look at.
https://poste.io/
I've been evaluating and running this myself for about 2 months now. Really working great so far. The guys respond very quickly to error reports. Everything runs via Docker on a small AWS instance.
I’ve had a very good experience with Fastmail (as others have commented as well I see) for heavy email use, calendaring & contact syncing across 7~ iOS and macOS devices.
It is mentioned but does indeed not show up in the top comments. I use it now for a few weeks and I’m happy with it. It’s not cheap for having 3 custom domains: €90 or so, but I’m okay with paying for privacy.
In EU at least you can switch mobile operators and keep your number; also there is some bank account porting system (not sure if you keep your number). In the same way, e-mail porting should also be required, so I can keep my gmail address. If mobile operators could be forced to give up "their owned" number prefixes and create a (pretty expensive) technical solution, then why can't email domain holders be forced to do the same?
It depends on why you are seeking an alternative service.
Since you mentioned privacy, Proton Mail is, in theory, good for those with privacy concerns. Why in theory? Well, can't really trust anyone these days, can we?
I mean, trusting a convicted perp or an unknown entity? Well, the unknown might be clean still, so it's better than nothing.
But in the end, for privacy, the best is definitely self hosting.
I've been wanting to switch from Gmail for a while, just to try something new.
I like the concept of ProtonMail (that my email is supposedly encrypted at rest and accessible only by me) but honestly the conversation here steers me away from it. Also the interface is fairly slow.
The top recommendation here seems to be FastMail, which I'm doing a trial run of now.
For personal mail, Zoho is hard to beat. Free up to 5GB and $36/year for up to 30GB. They also communicate very well about any downtimes, disruption, which is extremely rare. Also, there is real customer support. I've accidentally deleted spam messages and they recovered it within hours after shooting one email.
I agree. I have been hosting my mail on Zoho for almost 2 years now and it's been pretty solid. The cool thing is you can use your own domain with their free tier if you don't need a lot of space. Also, using exchange active sync protocol, you get push email on iOS.
If you do not need custom domains, I can recommend posteo (https://www.posteo.de/). They charge one €uro per month for a 2GB mailbox, but on the upside, the servers are located in Germany, and they are completely ad-free.
I've just gone the other way. Having recently moved from macOS to Windows, I couldn't find a single mail client that I am willing to use daily. I'm now forwarding my hosted IMAP to a gmail account, simply in order to use the gmail web client. I do admit this is kind of sad.
Never heard of Mailinabox, and I don't want to buy or subscribe to Office (AFAIK the only way to get Outlook). I've tried the others you mention, as well as a bunch of alternatives. Windows software in general is much poorer than that available for macOS, and this seems particularly true of mail clients. The built-in UWP one is particularly hilarious (does Microsoft really think anyone will use it?)
If I switch from gmail and I set up automatic forwarding of my emails to my new service, does Google still read my mail? Is there any easy migration path from gmail to another service that doesn't involve updating my email for every service I've ever used?
I'd like to add https://soverin.net/features here as well. It's similar to Posteo but offers unlimited aliases and more storage. Servers hosted in the Netherlands.
I was a Soverin customer for a year but recently made the switch to Fastmail. I really wanted to like them, but sadly it seems like Soverin is content with their product being in a (barely) beta state. During the year that I used them, there were no improvements to spam filtering (which is abysmal), single sign on (nonexistent), reliability (poor, particularly for caldav) or filtering rules, to name just a few pain points. Their customer service was super responsive, but usually just to tell me that whatever I was asking about (flagging false positives, filtering mail based on an address pattern) wasn't supported.
Soverin, please look at what Fastmail is doing and try to get at least 80% as good. The world needs more fastmails.
1. Reminders together with emails in same inbox.
2. Can change Reminders text.
3. Bundling.
4. Snooze Repeat.
5. Snooze Location (RIP).
6. Google Keep Reminders.
Not sure how I'll manage my life back after March 2019.
I like to extend the question: Which online mail provider has many or just some third party integrations, in particular those offering mail merge and per recipient email tracking.
Gmail is here unfortunately by far the leading product.
As for email clients, the happiest I've ever been was using nmh with some scripts and aliases. Setup was sufficiently not out-of-the-box that I haven't replicated it very often over the years.
Protonmail. It is a free service from a company in Switzerland with end to end encryption. To add your own domain it charges a few bucks a month. I used to self host but have moved to it completely.
I am switching to outlook.com + cock.li (for anonymous emails).
Keeping Gmail only for my Youtube addiction...
There are better alternatives out there, but outlook.com offers what I need for free.
I know it's not a very privacy friendly platform, but with many of my contacts on Gmail, there is no point in going full privacy like with Protonmail IMHO.
I am evaluating Runbox and Migadu right now. My only nitpick with Runbox is their pricing page; they need to clean it up and simplify it. It's information overload. I can always ask/click for more details but present me with the most basic info up front and centre.
Do not just consider Google to release your data like that. The news may be broadcast that third parties will have access to your data now. Google had always been keeping data for long. Switching to another platform may not be the best because those ones too never secure data. Then why should switch, except you have another aim of switching.
None come with $0/annum, spam filtering, deep search, state of the art 2FA, large amounts of storage, large collection of plugins, cross OS native clients, ....
[1]: https://fastmail.blog/2016/12/21/what-we-talk-about-when-we-...
[2]: https://jmap.io