With the recent thread on privacy in Chrome, I'm thinking of switching off Gmail. What email service is best for privacy? Or if you self-host, what email client do you like best?
FastMail. It's one of the few third party hosts to support push email on iOS with the native Mail app (it's a custom protocol based on APNS), since Mail doesn't implement IMAP IDLE [1].
They are also the main sponsors behind the JMAP protocol [2] and some open source projects such as the Cyrus IMAP server.
One thing to keep in mind about Fastmail is that all their servers are hosted in the US and they have no plan about changing this (I asked). Post-Snowden this means you can be quite sure that all mails will end up being analysed by the US authorities
First of all when making such a choice, you have to identify who the enemy is.
If you're talking about global enemies, like the NSA, then IMO without end-to-end encryption you're screwed. And if you're targeted directly, you're screwed regardless, given they have the capability to use whatever vulnerabilities they can find in your router, your phone, your OS, your browser, etc. If it's connected to the Internet, especially if you're being targeted, you're screwed.
Also many European countries have signed on joint cooperation agreements with US intelligence agencies. If for example you're using servers in the UK, it's in no way safer, see: https://en.wikipedia.org/wiki/Five_Eyes
So back to who is the enemy?
For me it's not the NSA or our local intelligence agencies. If I'm being wronged, I've got legal ways to fight back and I don't really care about the NSA.
What I care about is being _profiled_ by unscrupulous companies that may end up selling that data to other actors that may harm my well being. For example insurance companies could deny insurance if they discovered you smoked cigarettes 10 years ago. Or banks changing your credit score based on who your friends are. Or supermarket chains discovering that your daughter is pregnant before everybody else does. This shit is already happening!
I think the general discourse doesn't go in the direction that it should go. Organizations like EFF have been historically anti-government, but very pro corporate and private companies. Which is why I don't trust them fully.
Identify that enemy. If you're an European for example, that enemy is probably not the NSA.
I do prefer non-US alternatives btw, whenever I get that choice. I do so out of a desire to encourage competition and to reward EU companies that do well, as a "voting with your wallet" thing.
But choosing to reject non-US companies for the reason that some of their servers are located in the US, that's frankly childish. Servers located in the US are cost effective. Either provide better alternatives, or otherwise these services will not be able to compete on the global market from a price or latency perspective.
>Organizations like EFF have been historically anti-government, but very pro corporate and private companies.
I don't think I'd call EFF either anti-government or pro-corporate. Rather, they have a set of positions around surveillance, the public domain, etc. and side with or against governments or private companies based on those positions.
I donate to them, and in my experience they've been pretty consistent on their positions, but if you've noticed otherwise I'd be curious to know how.
I don't want to attack EFF, I think they are on the right side, but it's just a general feeling I've got.
For example when the Facebook and Cambridge Analytica scandal broke loose, that was the perfect opportunity for them to go out against private surveillance, guns blazing. Their reaction was late and with an article like "here's how to protect against Facebook tracking", advising people to opt out in their Settings and to install Privacy Badger, this happening when everybody else was freaking out and doing #DeleteFacebook pieces.
I donated to EFF modest amounts in the past and probably will do so again, because the fights they are fighting are good for us. Maybe they pick their battles, I don't know. But I'm seeing a general pattern in their attacks, which is that they go very light on companies, compared with how they deal with governments.
Maybe it has to do, as always, with their source of funding. I can imagine that they received significant donations from the philanthropists of Silicon Valley. I don't care much though. My general point being that there's too much emphasis lately on government surveillance and control from privacy organizations and less on Google/Facebook surveillance.
I'm glad that there's now mindfulness about it in this community though.
> For example when the Facebook and Cambridge Analytica scandal broke loose, that was the perfect opportunity for them to go out against private surveillance, guns blazing.
This is a very American thing which I can imagine our European counterparts not like, that is govt (USG) is treated as an enemy because it is the most powerful entity in the world. For Europeans, it would Govt AND these mega corporations (because the European govts do not have as much power as the US govt).
This is why in the US, corporations are ignored because they are insignificant on the US soil. And this isn't even a new thing, this opposition of the govt is as old as the founding of the nation.
This is why ACLU will not speak out against censorship of right wing media on Facebook and other companies. Keep in mind ACLU would not have any problem defending the latter against the govt, so it isn't about what the latter represents. It's simply, ACLU is a first amendment right based organization and their focus is preventing govt encroaching on our civil liberties (which is defined by what govt can't do, and not what a person is allowed to do in any circumstances).
Similarly NRA wouldn't care if you got kicked out of a movie theater for being concealed carry, but if a local city tries to ban guns in movie theaters, then NRA would step in.
> Similarly NRA wouldn't care if you got kicked out of a movie theater for being concealed carry, but if a local city tries to ban guns in movie theaters, then NRA would step in.
Well, this isn't entirely accurate. They definitely do chafe at even private restrictions on anything gun. While I don't have time to research this right now, a quick search of "concealed carry in businesses" certainly returns some people complaining that businesses shouldn't be allowed to restrict that. And, if you dug a little deeper, I imagine the NRA would be weighing in there somewhere.
They do see government surveillance as a greater threat than private surveillance, particularly if the private surveillance is disclosed. This makes sense as it is much harder to opt-out of your government than a contract with a private company.
I agree that the NSA is not _my_ enemy and I am probably not being targeted. However, as more people start thinking like that, those that _are_ targeted (journalists, lawyers, activists etc.) will have less options to hide among users of more privacy-aware service providers.
In a way, by using these providers you shield those who need their services the most
People won't speak the truth or do the right thing if the environment makes it hard, or risky to do so.
>I am probably not being targeted. However, as more people start thinking like that, those that _are_ targeted (journalists, lawyers, activists etc.) will have less options to hide among users of more privacy-aware service providers.
If only child porn / drug peddlers, journalists, lawyers... use tor and other privacy tools at minimum, 3 things WILL happen.
1. Tor, fastmail, ipfs, pgp, full disk encryption... WILL become illegal
2. Anyone using encryption / privacy tools will be raided. Arrest first, find crime later
3. Authorities imprisoning lawyers, journalists... who reveal wrong doings will be too easy. "He used privacy tools" would be enough to pacify the public after-all, "Only criminals have something to hide."
Consequently:
We'll lose the right to keep pins/passwords. Because refusal - privacy = admission of guilt.
I'm a teacher and I know how difficult it is for a kid to speak the truth when the entire class is lying. Adults are not much different.
If people have to choose between their freedom, means of livelihood and doing the right thing, telling the truth or exposing wrong things by the government most wont.
"It is difficult to get a man to understand something, when his salary depends upon his not understanding it!" -Upton Beall Sinclair, Jr.
>"Organizations like EFF have been historically anti-government ..."
Can you provide a citation or examples of this? Being pro-civil liberties does not imply anti-government. Those aren't mutually exclusive.
In the US civil liberties are basic freedoms identified in the Bill or Rights and the Constitution. And the Constitution is what established the government in the first place. How is it possible to be pro-civil liberties and anti-government?
The Bill Rights are amendments "to" the Constitution, the very document that establishes the legitimacy of the government in the first place. How can you accept the legitimacy of the government and be anti-government at the same time?
Even the Anti-Federalists, the group that advocated for the establishment of a Bill of Rights were not anti-government.
I take "anti-government" to mean that one is opposed to the actions that the government takes, in some situations, rather than being against the idea of the government. One can believe that a government is legitimate, while also believing that the government's power should be limited. One might argue that this idea is one of the core ideas of American government.
>"I take "anti-government" to mean that one is opposed to the actions that the government takes, in some situations, rather than being against the idea of the government."
That's silly, by that definition everyone would be anti-government then. Nobody agrees with the actions the government takes in all situations, not even within the same political party.
I'm not your enemy. I don't even know you. So please send me your passwords to your online accounts. And I'd like to take a look at your home computer. So please install VNC and open your ports on the router so we don't waste too much time setting it up.
While you're absolutely right, details that are sensitive in nature should be encrypted using end-to-end encryption. Otherwise you won't be safe regardless of email provider, as the other correspondents will often be using a US email provider anyway.
If your threat model includes an actual threat from organizations like the NSA, then I'd say you have bigger problems than the choice of email provider.
Interestingly, as a self-hoster your email is much more prone to metadata analysis than anybody who is hosted at one of the big providers and has most of their email transferred to other big providers down TLS-protected port 25 streams.
Absolutely! Everyone has their own usage case, and one has to adapt accordingly -- even me! :)
My point was that simply selecting an email provider outside the US does not make email safe in any way and that end-to-end encryption is the only way to prevent providers from accessing the content.
Absolutely. Our argument (and to be fair, we are a provider) is that if you don't trust your provider then they're basically just a dumb blob transit pipeline. There's not much value add you can do there.
So we have focused on building the best thing we can for people who _do_ trust their provider, and also on having a business model which means that we can be a trustworthy provider because we have no secondary "customer" who is actually paying the bills. We don't have split loyalties.
They're not cleanly separable. You can tell a lot about a person by simply looking at what's written on the outsides of the envelopes in their mail. No need to actually open them up and read the insides.
Quite simple:
If someone were to sniff the encrypted traffic between Hotmail and Gmail then they wouldn't have any idea who was talking to whom.
If someone sniffs the traffic between Hotmail and my server, it's trivial to see that a Hotmail user talked to me or one of the few others using my email server.
Why isn’t it actually possible to just encrypt saved emails on server? So that government does not have access. Couldn’t one use a hash of the password as key for the data for the data and not save that hash to check password but another one. This way (practically), at least if the password is not eavesdropped and saved by the mail provider, it would be much harder to give away emails.
Apart from the "users lose their passwords all the fricking time" problem (seriously, before we implemented https://fastmail.blog/2017/12/06/security-account-recovery/, lost password was always in the top 3 most common support requests of the week report)
Impementing per-message-encryption would turn us into a dumb blob store. The whole point of FastMail is the value add - fast search, ability to deal with a lot of email quickly, etc.
That and people's devices are basically always on these days, and fetch new email immediately on a push when messages arrive. So if your provider get a subpoena or gets hacked, then a push request will make your device connect with the password, and boom - access granted.
Finally, we don't let people store master passwords on their devices any more, because they get leaked due to hacked devices, so we require people to create app passwords. This would be in direct opposition to many of the other safety things that are done.
(extra finally: phishing protections and antispam solutions are in pretty much direct opposition to the idea of the server not being able to see the content of emails)
Thanks; it's very helpful to know the ins and outs from a practitioner. I am confused by a couple of them:
> if your provider get a subpoena or gets hacked, then a push request will make your device connect with the password, and boom - access granted
If the message is decrypted only on my device, then that wouldn't matter. I'm guessing endpoint decryption is not what you (or maybe the GP) are talking about, but I don't know what you mean.
> we don't let people store master passwords on their devices any more, because they get leaked due to hacked devices, so we require people to create app passwords. This would be in direct opposition to many of the other safety things that are done
What is an "app password"? If it's just a password stored in an app (and then what is a non-app password? one in a text file?), why wouldn't it be as vulnerable to device hacking?
.....
Also, a couple of genuine questions about what's possible:
> Impementing per-message-encryption would turn us into a dumb blob store. The whole point of FastMail is the value add - fast search, ability to deal with a lot of email quickly, etc.
Email messages arrive in the clear, unavoidably; new messages are always vulnerable. Why not do the processing then - spam filtering, build a search index of hash values, etc.? Then permanently (from the server's perspective) encrypt the old, stored messages, and give endpoint/user the only means of decryption.
> users lose their passwords all the fricking time
> we don't let people store master passwords on their devices any more, because they get leaked due to hacked devices
How do the end-to-end secure messaging applications, such as Signal, handle those issues, if anyone knows?
> If the message is decrypted only on my device, then that wouldn't matter. I'm guessing endpoint decryption is not what you (or maybe the GP) are talking about, but I don't know what you mean.
Oh yeah, sure - if you only decrypt on your device, then that's reasonable. We could encrypt to a public key on delivery. There's services that do that, but FastMail isn't interested in being one of those services. The tradeoffs mean we could do very little. Certainly not a webmail service.
It's a password that's created by the server and used on only one app. So if you lose your device, you can disable that one password only. Also, there's no chance that you'll reuse it across sites, so it can't leak from other services because you won't be using it there.
It's also limited to just the protocols that are used on that device, so can't be used to reset your password or payment details or install forwarding rules, etc.
> Why not do the processing then - spam filtering, build a search index of hash values, etc.? Then permanently (from the server's perspective) encrypt the old, stored messages
If you can search for keywords and find maching message blobs, that's nearly as good as having plaintext access. If was encrypted to only the endpoint, the usual issues of "you need to download the entire database to search your email" apply, and of course we're doing very little.
> How do the end-to-end secure messaging applications, such as Signal, handle those issues, if anyone knows?
They're not designed to be your long term memory, which simplifies things a lot. You basically lose access to your history. Which might be find if you don't care about the past, but that's not how I see email. Email is your electronic memory, and encryption+lost password means that nobody can get at your memories, not even you!
I like that, because it at least feels more secure to have a password that can only be used once, combined with the ability to go into the settings and shut off any device if it gets lost.
Yeah, it's by far the best of the options that use standard username/password authentication support. Basically make the password be another server-provided factor rather than user-chosen.
Without saving a hashed password, you can’t authenticate users. End to end encryption like what you really want requires the data to be decrypted by the recipient (using a key or password).
Because the service provider receives the unencrypted email and can choose to save a copy, encrypt it to a different key, etc. This was the scam Lavabit pulled, and the government called them on their bluff and asked for a copy of the key and Lavabit had no legal ability to refuse.
If the threat model does not include a government with the ability to use legal process, it needs to be defined more precisely. In general the US government can use legal process in the US and just straight-up hack into things elsewhere (who's going to raise a diplomatic incident over it? Russia is literally poisoning people, nobody cares, and their military is less powerful than the US's). If your threat model is other governments or just unrelated attackers like advertisers, there are more straightforward approaches.
Calling Lavabit a scam is a bit of a stretch. They, by all appearances, genuinely tried to offer email as secure as it could be, given the limitations of the protocol, and when pressured to give up the keys chose instead to inform their users and fold the business.
They made promises that they should have known were impossible to keep. In my books, that's a scam. Sure, they tried very hard to keep them, but that doesn't change the fact that they could not deliver on their promises and anyone could have told them that.
Also, no, they did not inform their users. They handed over the key and waited for users to notice court documents.
What a sad news. I was expecting more servers in EU in a near future and maybe an option to select the location of our primary DC (US or EU). I've been a happy customer since 2013 and for the first time since I joined I'll be considering other options.
Basically the problem was datacentre network reliability, power reliability, and the pointlessness of having one EU datacentre which isn't reliable enough to run production out of. We'd still need to replicate to a second datacentre for multi-site safety.
At that point, why bother? We'd have to run two EU datacentres to have data only in EU, and we'd still be under the same actual legal jurisdiction (Australia) either way, so it would be security theater rather than an actual change in risk. We haven't ever given data to US authorities directly, we point every single request from anyone to the Mutual Assistance Treaty with Australia, and that would be the same regardless of where servers are.
In summary, having servers in the EU is 99% security theater, and the other 1% is pointless unless we had two datacenters who were as reliable as NYI have been for us. We haven't found such partners.
We haven't ever given data to US authorities directly, we point every single request from anyone to the Mutual Assistance Treaty with Australia, and that would be the same regardless of where servers are.
The EU is outside the jurisdiction of FISA courts, whereas New York is not. I am definitely not an expert or lawyer, but I would think this is not just security theater.
I was always hoping that Fastmail offer hosting that is fully in the EU. To me being affected by the Australian, EU, and US jurisdictions is worse than just the Australian and EU jurisdictions. Of course, I would prefer EU-only.
I am extremely happy with Fastmail. But if there was an EU e-mail provider with feature parity, I would probably switch. Not that I expect that that'll happen anytime soon (subdomain addressing and iPhone push notifications are killer features).
For sure if we had two separate EU datacentres and no US datacentre contained a copy of the emails that would be not security theater. While there's copies in both jurisdictions, having a copy be outside the US really is security theater though.
The financials of running up two full EU-only datacentres don't make sense for us at the moment given the demographic distribution of our customers. And we haven't had any run-ins with the FISA courts in the nearly 20 years we've been operating.
Of course the past isn't a 100% predictor of the future, but US authorities have always been happy (or at least willing) to accept that our data is under Australian jurisdiction.
But fastmail and the admins are under Australia law. This makes all attempts to do anything an international incident. FISA cannot do anything directly, they need to contact Australia for help. FISA can order NYI to put in a wiretap - but why bother when we already know there are wiretaps in all the major peering points on the internet.
I dont think this is true. I don’t believe there is any evidence that the US government is analysing all emails hosted by all US companies.
Rather, if the US government asks for a particular individuals emails the provider must grant the request provided there is a valid (possibly secret) warrant.
Post Snowden I wouldn't safely assume that the govt/three letter agencies don't do something just because there is no evidence. Snowden was years ago, the NSA surely didn't sit on their hands in the meantime, especially now with SSL being deployed everywhere. "Oh right what we did was evil and wrong, let's stop everyone"
The claim made was that they do. You don’t get to say that without providing evidence. You can say they might be, but that’s a different claim.
Also, capabilities matter. I have no doubt if they could they would. The Snowden revelations mainly revealed partnerships between service providers and gov agencies. Simply existing in the US does not mean your data is automatically available to 3 letter agencies. It could, but there is no evidence to suggest that it is.
> You don’t get to say that without providing evidence
Put a parakeet in a windowless room and close the door. I can reasonably make the statement that the parakeet is perching, looking around, and/or preening its feathers, because that's what parakeets do. I wouldn't need direct observational evidence to make this statement.
Panopticon-level spying is what intelligence agencies do. It's what they've striven to do, as much as possible, without getting caught. The Binney and Snowden leaks corroborate this, and there's no reason to believe they've suddenly stopped trying to. OP doesn't need evidence to make the reasonable claim that intelligence agencies spy on us, and likely do it by hoovering up our data for analysis.
Yes agencies like to spy. Do they have a camera in every house in America?
Again, I’m not saying they wouldn’t or wouldn’t like to. But saying “they do EVERYTHING post-Snowden” isn’t a very good argument, and definitely isn’t a fact.
And if the claim is “spy agencies spy” then the country of origin for your data probably doesn’t matter. Invoking “post-Snowden” usually relates to Prism, which was a partnership with specific providers.
The US government doesn't need a warrant for emails older than 180 days that are still on the server.
Emails older than that are considered abandoned[0] and treated the same as an abandoned storage unit, due to an old law from the time when email was regularly downloaded and purged from the server by local email clients.
IIUC, no judicial order is required for collecting. Only for looking at collected data; but agencies get creative around these processes, so I wouldn't count on legal protection from snooping.
Unless you're sticking to countries that hang their hat on digital privacy, hosts outside the USA are also likely to be snooping with varying levels of competency. "Not USA" isn't a good enough filtering criterion.
Many countries have reciprocal agreements for sharing intelligence. Unless you go to a country that is known for its privacy values at the highest level then you're likely not going to maintain you privacy from the government of your country or most other powerful governments.
How is their security? Maybe people like to forget, but security breaches are a thing, and when they occur you get the privilege of opening up your data to the entire world, not just to the NSA.
Google, for whatever else you want to say about them, have first-class security.
Correct, but since the reason this question popped up is due to privacy concerns regarding Chromium, I think it's even more important for people to know about these things to make an informed choice.
By the way, I really like Fastmail - they are very competent. But mail/calender is such an important part of online identity and life, I think people should be careful about who to trust
My problem with FastMail is that if you stop paying for your email address, they recycle it. This means that someone else could potentially buy your old email address (if you migrate away) and use it for nefarious purposes.
I do this and make a new alias for everyone I give an address to (such as hn@domain.com). It can be interesting to see who leaks/sell your email address. You can also shut down alias that get out of control.
Indeed! This is why I stopped using it. I love Fastmail, but who knows if I feel that way in 5 years. The entire point of Fastmail + own domain is never being locked in again. Using subdomain addressing locks you in once again.
I'm with @rb666; Don't rely on it as most will support plus+ addressing but not the the fast mail subdomain addressing as I am now in the process of migrating to Migadu.com and I need to go and unsubscribe and resub using the plus+tag. It's a PITA... lesson learned, stick with best industry practices even if there is an easier method because you'll thank yourself later.
catchalls are great. In addition to allowing the use of arbitrary custom addresses on a whim they make it really easy to identify spam and train spam filters. Anything that arrives on multiple random/unused addresses at your domain is spam.
I do this too but sometimes companies reject my replies because the from address isn't the same address they have on record. Maybe there's a way to make the "reply's from" the same as the "original's to" but idk.
With FastMail, you can select your wildcard as your "from" address on their web app, and just directly edit the `*` to be `<whatever>` and it will work fine :)
FastMail lets you change the from: address on the fly if you’ve set up a catch all.
And if you are not with fadtmail, there’s are several “multiple identities” add-ons for thunderbird (and recently a built in one, though it is still buggy) which let you add from addresses on the fly.
Huh, I haven't had that problem in about 7 years of using a custom domain name. Maybe the distinction is that mine is a .com? I feel like enough businesses themselves use custom domain names that dropping unknown .coms would break a ton of legitimate B2B traffic, but perhaps .me less so.
I use a .me domain myself but I haven't had any spam problems. Although I share it very very sparingly and have a catchall on another domain that I use for signing up with any service / sharing with non-trusted contacts. Even there, the spam problem isn't bothersome.
Surprisingly difficult for a personal-professional email if you have a somewhat common name. Nearly everything under the main TLDs was bought up ages ago. The issue can be mitigated with some creative branding work, but that’s arguably not any easier.
I've used .io and other "unusual" TLDs for a while and never had an email bounce or flagged as spam.
As someone else pointed out, make sure you setup spf, dkim, and all the other jazz. Some providers will host and setup the dns for you but its always best to use your own dns provider as the records are relatively easy to setup.
I haven't had any issues with my personal domain in years, ever since I moved it from random web host to GApps, to deal with IP reputation issues, and have SPF+DKIM setup. (but my domain is a .net one)
Agreed 100%. After losing multiple emails addresses in the past due to ISP changes, having an email on your own domain is nice. You can then even switch email providers as you wish and your address will follow.
Well, my Gmail account dates to 2004 but my personal domain dates to December 2000! I've lost domains that I continued to pay for, in fact I'm pretty sure that Zoho was paying for their domains as well.
Huh I haven't even thought about that. That's really bad, especially since I have a popular fastmail.com address where every other month I get an email asking for the account
Switched to Fastmail many years ago when self hosting became too time consuming for me. Never looked back. I had to use their support only very occasionally and even then their reaction time and competence were outstanding.
They do just one thing - email - and do that very, very well.
Yes, I use their calendar web app on Desktop (the one next to Mail). For mobile, I sync individual calendars into my Android Calendar ("CalDAV-Sync").
My biggest issue with the Google Calendar was the syncing rate of 24 hours for iCal feeds. On Fastmail, new events appear quite fast (and I can force the update manually, if I need to).
This seems like a really common use case that ought to work well. I switched to Fastmail a few months ago (I still haven't fully committed to sticking with it.)
Did you contact support?
Did you solve the problem by switching to another calendar provider?
I use their calendar with various apps like Fantastical or Timepage. It's standard CalDAV and should work with any decent calendar app, including defaults like Apple calendar.app.
Does Fastmail provide any kind of "bundling" or "priority inbox" features?
Since using Inbox on Android, I can't imagine going back to being notified about every single email. Automatic bundling of messages and the custom rules that you can then set on those bundles is a killer feature. If nobody comes along with a decent alternative before Inbox is shutdown then I don't know what I'll do!
I don't know if fast mail provides it out of the box but I have started to test out spark: https://sparkmailapp.com/ as a replacement for Inbox. While it is a bit from as good as Inbox it can get the job done, and has bundling.
I simply set it up to archive when swiping (which is what Inbox seems to be doing). However, it's notifications are far from as good and you can't archive straight from the notification, which, to me, is a let down.
Furthermore, on iPhone 8 there is an actual loading screen when opening the app. Like, why? Everything is already stored in the phone and it should just look for new mail in the background?
So far from perfect, but what can one do when Google is killing stuff off.
One issue though: you have to be in the apple ecosystem as they do not support, anything but iOS/Mac OS.
This would be my complaint having had a quick look at Fastmail. Their mail client provides only the most basic of email functionality - folders, filters, contacts etc. It seems like you're paying a monthly subscription for privacy when you may as well host your own if you don't need any features beyond what IMAP offers as standard.
I've been using https://www.sanebox.com which does a pretty good job of the bundling, leaving you with just the important stuff in your inbox. It's not as well integrated as Inbox could be, but I find it very usable, and even better in some ways as the 'bundles' don't end up back in your inbox, they are always in other folders by default.
Just to provide some balance to the feedback: I've been using FastMail for 2 years and am mostly "meh" on it. My issues are with the web interface (which is largely why I use them instead of running my own server):
- No delay send/undo send. Allegedly in the works for ages
- Very buggy editor. Randomly slows to a crawl while composing, scrolls up and down erratically
- Cannot handle very long threads very well. (since unfortunately the business world uses top replies with Html email) E.g., undo can pin a core and crash the page.
- Notifications randomly show up twice and then freeze on screen
Thanks for the feedback - I've passed that to the product team. We're busy working on the JMAP replacement web interface, which has a fair bit rewritten.
Our search is built on top of the Xapian search engine. We blogged about the underlying tech a while ago. You can sign up a free trial and have a play pretty easily.
Search works decently, but they index the whole message, including quoted text. So a search term shows up in the original message, as well as all the replies downthread.
Yeah, we're working on identifying whether something is in quoted or non-quoted text. That one is quite tricky to get 100% right, so we err on the side of matching more messages.
I second this. Their service was exceptional for 3+ years I've been with FastMail. Got many small businesses I've worked with to migrate.
Only thing which annoys me is that their push-enabled iOS app does not support multiple accounts. It has been like that for years, I've heard that a new app was in the making, but nothing came out yet.
+1 for FastMail — I've been using it for the last 2 years and I've got nothing but praise for them.
ProtonMail seems to be another popular alternative, but their E2E encryption claims sound like snake oil to me, but snake oily as it is, it's still a better choice than Gmail.
1. if it's encryption in the browser via a web interface, then it's not secure; the moment a web form asks for a password that can be used to decrypt your data, that's the moment your alarms should go off, because in spite of the claimed E2E encryption, their security might actually be worse than Google's
2. with email you're communicating with the world and the email world is not encrypted; what this effectively means is that ProtonMail keeps your email encrypted only while it is at rest; maybe it's better than what Google does, but they can still see whatever comes in or goes out in plain text and you're still relying on their promise to do no harm
3. ProtonMail needs to use a "bridge" in order to be compatible with email clients; this means that access to ProtonMail is non-standard (e.g. SMTP, IMAP) and therefore you still have the lock-in of Gmail, only it's now worse
4. It creates a false sense of security. If you want real information security, better tools are needed; various chat apps are much better, plus actual GPG ... because the PGP model requires a "chain of trust" that you have to maintain yourself for actual security
> if it's encryption in the browser via a web interface, then it's not secure
Ehh…
The big difference from native apps is that native apps are often signed by the developer. While with web apps, there's normally only a more "temporary" form of signing, that is, the TLS session.
Assuming the app developers are better at securing their offline signing keys than TLS server keys, native apps with signatures are indeed more trustworthy. (But are they actually better at this??)
Also, you might be more likely to get malware browser extensions than OS-level malware. Maybe??
On the upside, the web is more auditable by default (of course you can obfuscate JS and WASM just like you can obfuscate anything, but "view source" is still much easier on the web).
> ProtonMail keeps your email encrypted only while it is at rest
IIRC it's also end-to-end between ProtonMail addresses or something?
The problem is that the web page loads on every request. This means that you, @floatboth, can be targeted with a broken client that leaks your keys next Wednesday between 13:00 and 14:00 and you'll never know it.
A native app is not something that loads every time you open it. And the binary you get is the same binary that everyone else gets and if you suspect something fishy, you still have that binary later for inspection. Compromising an app binary is not impossible mind you, as we could see with fake Apple XCode fooling Chinese developers into submitting infected apps to Apple's store, but it's much, much harder with security conscious users.
Also there's not much difference between highly compiled and obfuscated JS code and binary code. In both cases people start inspecting such apps by sniffing the outputs. Or otherwise it's not such a big jump from JS to assembly for people that do this for a living (e.g. I'm guessing anti-virus companies).
> IIRC it's also end-to-end between ProtonMail addresses or something?
It might be, but encryption that only works between ProtonMail accounts is no longer _email_. It's either a standard, or it's not email and I'm not interested in communicating only with ProtonMail users.
1. ProtonMail implements the OpenPGP standard and is fully interoperable with other OpenPGP email systems.
2. The web app is a single page application so it does not reload on every request.
That said, you are correct that the web app is not appropriate when the threat model includes ProtonMail itself (though you can run the web app locally and thus sidestep the problem). The native clients are better suited in that case.
It's surprisingly responsive for large email accounts too. I had ~100K emails imported and marking all as read would take about 10 seconds. I can't complain with that all things considered.
FastMail is good, but it's very expensive. I'm waiting for more competition in this space. I think, as people turn away from Google (and thus Gmail), more competition will arise and we'll finally see fair prices.
I don't feel like FastMail is that expensive for most people.
Obviously, compared to free, it's expensive. But in real terms, I pay $70 every 2 years for it - works out about £25 a year for me, which is about the price of a meal out. I think that's worth it for secure and powerful email. I've never found it to be expensive.
This is a clear case of a price being judged differently depending on where you live. 25$ is luxurious expensive meal out for me or 5-7 fast food meals.
It's also expensive compared to rolling my own. Using the standard plan, I'd be paying 200$/y for just a single address for each of my family members. Personally, I want at least 2 myself.
Compare that to the ~120$/y I pay for my main VPS which has plenty of spare resources to handle not only my family's email, but also for some clients AND, since I make the rules, I also don't need services like Sendgrid for sending email from my websites.
All well worth the 5-10 afternoons a year spent maintaining it.
That is really great if you don't have any outbound deliverability issues due to IP reputation on a VPS host! Under those circumstances, that sounds like a great arrangement.
I think that is not quite the norm, lots of these hosts (and home internet connections) tend to have rather bad reputations, and chasing down the various RBLs can get really old really fast, especially since the most common response is to silently blackhole so you don't get a bounce.
This might be what you mean, but I believe they charge by inboxes, not by addresses. I have lots of addresses, but a single inbox (which I use rules to file within), and that is relatively cheap.
I used to run my own email server, but found it difficult to get things like push email working reliably, and had a couple of issues with deliverability of emails.
I might be wrong, but I also think it is expensive. When I can have a 5 family plan from office365, including, word, excel, powerpoint, outlook, etc, with 1TB per account, 60 minutes of skype calls per account, etc, for 10 per month, 25 per month (for 5 people) only for email seems too expensive to me. The only thing lacking is custom email address.
The basic is $3 though. I have migrated all my private emails I've ever sent or received (some tens of thousands, starting from 90s) to Fastmail. Still well under the 2GB limit of the basic plan.
FastMail appears to be $50/year if you want your own domain. --Maybe there's a discount for multi-year signups, but I can't find it in their pricing details.
Honestly, at that price point I would go with Exchange Online for $48/year. --Virtually the same price and yet I would get double the storage and native integration to Outlook on the desktop and mobile.
There is competition. It’s just that many people don’t know or haven’t tried them. Here are three providers on par with Fastmail but are way cheaper if you need multiple mailboxes — Posteo (posteo.de), Mailbox (mailbox.org) and Runbox (runbox.com).
But I do believe that even these cheaper ones are expensive for what they provide in terms of storage capacity, number of aliases, etc. Costs are supposed to go down over time, and prices too.
There's also development and maintenance costs? Someone needs to build that web UI, android and iOS apps, kick those servers when they misbehave, answer the phone or reply to your enquiry?
Except for the apps, cloud hosting providers already give you all of that for a better price. I also don't want an app... IMAP is a standard, you know.
It's cool you spend your time and money doing things you like (regardless of whether those RFCs will be implemented by email servers and clients) but don't make your customers pay for it. Set up donations or something.
This 1-XS server costs 2€ every month and it could perfectly handle the email of hundreds of users. They are charging you more only for yourself, and that's not even factoring in the economies of scale.
Well, think about the VPS you're proposing. Two euros a month is 24€ a year. Even if you're only paying yourself 6€ an hour, I'm skeptical that running an email server for 100 people would require less than four hours per year.
Fastmail can get quite expensive when you need more than a few mailboxes (not aliases, but mailboxes). Cheaper options are Posteo, Mailbox.org and Runbox.
but the problem is that fastmail only offers mail and calendar, while gsuite offers, word processor, spreadsheet, presentations, online forms, and photos...
Fastmail has a photos/files/website feature so it isn't just email. I use G suite now for my side business and I've never used any of the features besides email since I have Office on my machine.
It obviously depends on your use case, your personal situation, etc. But for me it is very hard to justify $5 per user per month (we are 5 so that is $25), when I can pay $10 to Microsoft for Office 365 for 5 users, and get, besides email, chat, and drive, word, excel, powerpoint, and skype with 60 mins of international calls.
FREE PLAN - Up to five users. 5GB/User, 25MB attachment limit.
This is to have all 5 users in one "organization".
ZOHO offers full G-suite replacement, free. They have many more applications too.
I used the free plan for a few years, then started paying $24 per year for more storage. What you get for $24 per year is amazing. What you get with the free plan is amazing. Their business model is to impress you with their products enough for you move to a paying plan. They do NOT make money harvesting your personal information and selling it third-parties.
I’ve been using Fastmail for my personal email for the past four years, and love it. Really reliable, fast, and allows me to keep a personal email without all of the Google Apps stuff.
Same here. FastMail with a custom domain name. First I was planning to self host. But I thing mails are quite touchy and doing it myself may be a risk.
That's fair enough (and I am using gmail precisely because I have no way to pay another service provider -- banking while living in a country that you are not a permanent resident of is tricky). However, the entire thread is about what service should you use if you are worried about privacy.
Although available in Japan where I live, there is literally no way to transfer money out of my bank. You may think it odd, but getting a bank account in a foreign country is actually hard. The bank I use is not my choice, but the choice of my former employer -- that's how I got the account. When I set up my own consulting company, I ended up using the same bank. I'm trying get out of it. I have an account with an offshore bank, but going through the paperwork to actually deliver my pay cheque into it is rather daunting (even though I own the company that pays me!). It will be dramatically easier when I get permanent residence status (which I probably can get whenever I get around to applying for it -- and I should do it sooner rather than later).
But anyway, there are other people in the same situation, where they literally can't pay for things online. I just wanted to indicate that I understood the situation. But thanks for the pointers. It looks pretty useful if I ever get in the situation where I could use it.
I would somehow have to get money into the account... It's the same problem all over again ;-) I suppose I could put the BTC that I mined heating my house when CPU mining was a thing in there...
I don't understand how am I paying for Gmail. I never noticed any ads there (I know that there are ads, but it's hard to find them unless you're searching for them specifically), actually I'm rarely even using web interface and Gmail doesn't add any ads to IMAP-served mail. For me Gmail is absolutely free. May be it uses mail information to target ads for me, but I'm not even sure that I should consider that as a payment. I prefer targeted ads over untargeted ads anyway.
For the privacy, quality, and features it offers at the reasonable price of $50/year, I would say that it's a fantastic alternative. It'd be hard-pressed to find anything free that is on par.
Privacy wise, you're paying for the service so there's a reasonable expectation that they're not mining your emails to build a profile of you. Unlike Google they have no ads to serve you.
> all your personal emails are stored in [someone else's] servers.
Well, yeah. That's true for everything except for hardware you actually own.
They're saying it's better than storing it on Google's servers, not that it's bulletproof.
There really isn't a way to have impenetrable email. It's all about what type and level of risks you're willing to take.
E.g. are you concerned more about rubber stamps or software exploits? Are you more concerned about usage pattern profiles or someone actually reading the content of your messages?
Different people have different priorities and there is no one single best option.
In my 6+ years of being forced to use Office 365 for one of my accounts - it is a flaming POS. Plagued by poor performance, regular (unexplained!) outages and has series issues with data consistency and don’t even get me started on it’s terrible rules system.
Let's not forget that with slightly more money that Fastmail or Protonmail are asking for just one mailbox, MSFT is offering you a whole office suit plus 1TB of storage.
Your criticism regarding functionality might be true, but there is no reason for competitors to charge more.
I'm just a simple email user -- 50 emails per week -- and I don't keep them in my inbox. As soon as I'm done with them, I delete them. A simple 50MB inbox is sufficient for me. I just need an ad-less mail box. For me anything beyond 5$/year is expensive as hell.
I'm using my own domain, so it's $5 per month. Considering that I'm using VPS for less than $1 per month, that price seems absurdly high. I would consider paid mail for $5/year with 25GB storage and fastmail features, otherwise free mail looks much better.
Even $5 is not bad, I’m guessing most HN readers wouldn’t miss $5 a month.
Anyway services like Facebook extract around that amount from you via targeted ads, I’m happy to pay if it allows to me to isolate myself from that a bit.
https://mailcow.email/ - dockerized, works with multiple domains, sogo for groupware. Compared to mailinabox's single disk, it has 6 docker volumes to keep track of.
https://mailu.io/ - dockerized, it has a section on kubernetes deployments, which i find weird, but I guess could make sense for companies
https://mailinabox.email/ - no docker, no multiple domains, roundcube, nextcloud for groupware. Main disadvantage or advantage, depending on your perspective is that you need a mailinabox server per domain.
And then this is the more hands on version, which I guess would be sovereign as ansible deployment.
This might be obvious and not need to be mentioned, but if you're self-hosting, don't forget the obvious and often most flexible option: A Linux box directly running plain old Exim (or Postfix, etc.), Dovecot (or Courier, etc.), Spamassassin. No containers, no abstractions, no meta-configuration.
I've had this setup for a couple of years now and it's not failed me. Support TLS, SPF, spam checking, DKIM, can support multiple domains and aliases. Basically anything you can imagine. And, despite the FUD you might hear about not using a cloud service, my mails don't get magically lost into people's spam filters. The initial configuration/learning is steep, but I pretty much never have to touch it once it was working.
Mostly online searches and reading the software's documentation. Unfortunately there appears to be no site that walks you through the entire process. You'll find "how to set up exim" tutorials and "how to get dovecot working with exim" but so far I have found no overall soup-to-nuts guide that matches my exact configuration.
1. You need your own domain
2. If you're new to Linux, I'd set up something simpler first, like a web server just to familiarize yourself with your domain tools and your distribution's configuration.
3. A good half-way solution for migrating from Gmail is to set your own server as MX for your domain and forward received E-mail to Gmail. That way you can get familiar with setting up your MTA without worrying about delivery. And, you can start encouraging people to start sending mail to your @domain.com address rather than @gmail.com address. I had this set-up for years before taking the plunge and hosting everything myself.
Be warned, Gmail applies very aggressive filtering to your incoming forwarded mail, even before it reaches your "Spam" folder. This was one of the primary reasons I decided to self-host: I was finally able to compare the list of E-mails I received, through looking at my logs, to the E-mails that ended up making it to Gmail. Gmail's (presumably) spam-filtering was filtering out an unacceptable amount of false positives.
4. Set up your host to deliver locally. You'll be able to verify it's working by using standard unix mail tools running on your host.
5. Set up something nicer for delivery like IMAP, and get your favorite mail client to work. I use Dovecot, but there are plenty of options.
6. Any bells and whistles you want. TLS, SPF, DKIM, Spamassassin, multiple domains. I found at first I was getting a massive amount of spam (thanks for fixing this for me for years, Gmail!) but after a few months of training, Spamassassin is very good and I'm back down to not seeing much anymore.
Hope that helps. To your other question. I spend $5 a month for my VPS, and I can host a lot more than E-mail there.
> https://mailinabox.email/ - no docker, no multiple domains, roundcube, nextcloud for groupware. Main disadvantage or advantage, depending on your perspective is that you need a mailinabox server per domain.
Are you sure? I am running mailinabox and have multiple domains and accounts with no issue.
> And then this is the more hands on version, which I guess would be sovereign as ansible deployment.
I used to run a Sovereign box.
It served me well for 2-3 years, but it got too cumbersome to maintain: they changed their approach to various configuation things (for the better, I'm sure), and threatened to break my setup in the process.
All told, it felt like it had missed the sweet spot between pre-configuration and flexibility, in the end not quite giving you either.
> IMHO sovereign puts too many attack vectors on a single machine.
I turned off most of the attack vectors (I didn't need all the bells and whistles). But yes, they tried too hard, and over-complicated the setup as a result.
There is also https://cloudron.io/ to self-host, which provides a complete email solution based on dovecot and haraka plus a couple of webmail apps to use, like rainloop and roundcube.
It deploys mail server based on modern software stack on your box and you can customize it to fit your demands using recipes suitable for well-known software.
Most important thing is to buy a domain so you can port your email address from provider to provider. I’ve had the same email address and several hosts over the years.
I’m currently on Fastmail and find the service good.
Fastmail has worked well for me with custom domains. It's nice being able to create custom aliases for when an address is publicly visible e.g. GitHub so I know through what funnel emails are coming from.
Like others have said, the Android app is not worth installing unless you're okay with limited and, in some cases, poor functionality.
I suppose you can set it up with the Gmail or Outlook Android apps? I've never tried, as this defeats the purpose of not having those companies as your email provider :)
- IMAP Idle support: e-mails appear instantly, configurable on a by-folder basis.
- Mature and stable: it's been around forever, updates are infrequent, it just works.
- Free software: apache license
- No fanciness: it is very traditional-email oriented. The only "fancy" feature is a unified inbox (showing mails from all your folders), and it can be turned off.
If your e-mail is "complicated" you'll have to spend a bit of time setting everything up. For instance, my server classifies e-mail as it arrives, and I setup different synchronization schedules and notification preferences for different folders. Best time investment of my life.
I use K-9 Mail too, and while I think it's great (fast and customizable) I think it could use some gestures or more in general a UI revamp to reflect the fact we are not using Ice Cream Sandwich anymore :)
Co signed on Aquamail - the original author was very receptive to feature requests and fixing bugs (It was nice when he eventually added scheduled outgoing emails). The software has since been acquired but developement appears to be continuing.
Other clients that caught my eye also were Bluemail or Nine, depending on the need.
I've been using Aquamail on my tablet for years, it's a nice mail app and they continue to support is. I use it on my tablet for the swipe feature especially.
On my smartphone I'm using MailDroid Pro. Like Aquamail, I'm using it for several years now, steady updates and good support. The reason I use MailDroid on my smartphone is the anti-spam plug-in (they charge extra for that though).
I use AquaMail as well, it's one of the few apps I pay for. I paid so I could attach more inboxes though the limit is quite relaxed. The only fancy feature they've added really is a unified mailbox, other than that it's the only android mail client I've used for the past 4-5 years now. I'm a big fan!
You can funnel mail with Gmail, too using extensions. Although some online forms incorrectly reject this. Looks like this: notmyaddress+github@gmail.com
Another vote for fastmail. They even do a pretty decent job being a DNS host as well. Simple setup to add subdomains if you're already using them as your primary/sec NS.
This is exactly what I did a few years back. And exactly for the same reason — so I can easily migrate to different provider with low cost of swiching. So far I’ve used gmail as provider but I’m considering switching now.
Although I like the control and portability of having my own domain, as a less technologically-proficient user on a shoestring budget, I've found it more challenging to set up and configure on shared hosting services. There's a need to get your head around things like DNS records, reverse DNS, DKIM, SPF, SpamAssassin, cPanel etc. to stand a reasonable chance of successful delivery and low-maintenance inboxes. I've been through a few hosts and fortunately seem to have settled with a reliable provider now (Squidix), but it's not always been so easy.
Fastmail allows you to set them as the DNS provider and they take care of all DNS records for you. Just buy a domain, set their nameservers, and you're good to go.
There are so many threads like this and the answers usually boil down to the self hosting group and the other group who believes that paying someone to do the job is the right thing to do. I’m in the latter group and always recommend Fastmail. I migrated all of my families accounts there with multiple domains and couldn’t be happier. For something I use hours every day it’s well worth paying someone to keep it secure and online.
I think paid email services are a great idea, but $50 a year and 2 GB of storage for Fastmail seems expensive to me. Why not something closer to five or ten bucks a year? Can someone explain to me why this type of pricing makes sense?
Pricing 101: Price has nothing to do with the cost of providing the service, and everything to do with the value the customer puts on what they're buying.
The value you put on email is $10/year, so Fastmail doesn't represent good value. Other people obviously think its worth more. Fastmail are providing their service to those people.
I need to respectfully disagree with you here. In a free market, pricing does have something to do with the cost of providing a service because companies that overcharge would quickly lose market share to competitors, especially in a wildly competitive space like email.
Also, ten bucks a year has nothing to do with how much I'd personally be willing to pay for email. It is just my estimation of the amount you could charge people while still keeping healthy profit margins in this industry, however I don't have much domain knowledge regarding email and that figure could be very wrong. I'd love to hear from an expert.
...companies that overcharge would quickly lose market share to competitors
This is only true for companies offering equivalent products, and that is never the case in tech because there are so many intangible factors.
In this case, one of Fastmail's intangible benefits is that they're not Google. Maybe Fastmail's customers think that's worth $50 ... but it has zero impact on Fastmail's costs.
Bzzt. Notice how everyone recommended fastmail and nobody else? It's not a highly competitive free market. It's "hi, can anyone recommend a MacBook cheaper than the one apple make" time.
Free markets reductionism not useful with no serious competitive pressure
Email seems like more of a free market than most things considering the incredibly low barrier to entry. You can even host your own email server, you can't reasonably do that with a lot of the software that you use every day.
Just because a particular provider is good and cheap and has a lot of satisfied customers doesn't make it any less of a free market.
It just feels like a truism. Absent a formal regulation oversight any market is free in these terms. Were not comparing Japanese gold plated apples and trader Joe floor dropping oranges with mould on, were looking for competition in the sense BMW competes with Mercedes and Lexus. Google is giving away some thing of huge value, which is highly reliable spam free email. They "charge" your privacy which is beyond price. If you seek equivalent functionality the software cost alone for the one I regard as comparable is 350 dollars which as a purchase amortised out is $10 a month over three years but I have to spend another $10 a month to host it, and I still have a single point of failure. So price wise fastmail may be enormously good value or expensive depending how you feel: there are not a heap of competent competitive alternates. Maybe five? Sure, that's a competitive market in Herfindahl Hirschman Index maybe? But in practice it's not far off a duopoly. Google or o365, fastmail or proton. It's a pair of competing entities not one market.
As long as you don't want deliverability to Gmail or Outlook addresses. Though you can pay for Outlook deliverability it seems. They're very pinickety about allowing mail through from self-hosted or even low-traffic shared hosting IME [albeit limited].
Unused IP, set PTR (seems important) and MX, SPF and DKIM, although I'm not sure how relevant the last one was.
I can imagine that Gmail will block you if you try to send mail from an IP that was previusly used to spam.
Couldn't really work out why Gmail wanted to block me, yes obvs using SPF/DKIM/etc. - long trusted domain (15y), never any spam, whitelisted on client side. MS blocked it according to their third-party system because it was associated with another IP address [ie other IP was once used by same ISP] that had once had spam on it (wasn't currently blacklisted in any SBL).
There's no way to check before you build out the system, so unless you have an easy way to change IP and ISP then I'd be cautious.
Email is a highly competitive market with a low barrier to entry and thousands of companies offering similar services. It is nothing like hardware, so your comparison is bizarre.
By the way, I was asking for the point of view of an expert. If you are not an expert on email services, then I have no interest in hearing you speak condescendingly to me.
So, there are two separate-but-related products here.
The first is e-mail.
The second is an extremely hard-to-validate promise of future work, such that (a) cutting-edge security and privacy protections are maintained; (b) properly designed regular backups and redundant infrastructure ensure your e-mails won't be lost; (c) staff ethics, training and oversight will protect against insider threats; (d) protection against spam and phishing will be effective - but will not block legitimate e-mails; (e) e-mails you send will get delivered and not marked as spam or silently discarded, even when sending to the likes of gmail; (f) no e-mails sent to you will be silently discarded or otherwise lost; (g) if issues do arise, that they will respond promptly and competently; and (h) as webmail technology advances and market conditions change, they will keep up-to-date and stay in business.
There's no way for me to validate most of these things. Instead, we rely on a supplier's "reputation" - an amalgamation of their past performance, their visibility and their marketing.
There are many e-mail providers. There aren't many e-mail providers widely known as reputable.
In other words, Fastmail doesn't face much price competition within the market of "e-mail services recommended by users of Hacker News" even if they do within the market of e-mail services generically.
Once you add the words like Gmail or replace Gmail or instead of Gmail then no, it's not thousands of companies offering similar services. Running a service in Port 457 is the least of the offerings. It has to have spam detection as good as Postini, sieve, IMAP, utf-8 support, tls certificate management, a web portal, DNS and related domain management.
The killer is five nines availability. That's pricey.
I used to run mailsystems and maintain mailsystems code in the 1980s. I don't do it now because it has too many moving parts. I got a grandfathered domain into hosted by Google and it's worth a damn sight more than the apparent market force bottom price.
Hardware or software or service your competitors have to be comparable or at least bearable to apply price pressure. I do not judge fastmail as price competitive because they (like apple) are competing in quality. Not price.
The Fastmail pricing tiers are $3, $5, and $9 per month which is $36, $60, and $108 per year respectively. If you look at their primary competition their prices are on par or slightly better. Here is a sampling...
Google G Suite: $5, $10, and $25 per month per user.
While they are on par for email, with Fastmail being superior in certain ways, you do get a deal more value from the Google G Suite as you get a lot more besides email incorporated in the price, i.e, cloud drive, the applications themselves etc.
Thinking though this for a project I'm working on with a tight budget I concluded for money related reasons I'd probably have to go with Google even though I'd prefer not to.
FastMail is more than just email. They include a drive like feature with the ability to make a basic website.
I use G Suite for my side business and while it seems like a great deal because you get all these other apps, in practice, I have never used them, not once.
Five or ten bucks a year is impossible to attain. The monthly cost of a hosted GB is about a cent. At 25GB, in a service with fast search and, I imagine, regular snapshots and backups, you'll be using up to 200% overhead. Assume that most accounts are not at 100% usage and, in the spirit of a Fermi estimate, set a typical usage of 50GB. You get to an yearly cost of $6.
At $6 cost of hardware per account, now you have to factor in other costs and your profit margin. Support alone will bring you above $10. Marketing will also bring you above $10 on its own. At a decent scale, you can keep the marginal cost of engineering low (as it does not scale linearly), but on a mid-sized operation expect it to bring you above $10 on its own.
All in all, $50/year is high but not stratospheric.
It does seem expensive when you've been exposed to free (or heavily discounted) prices your whole life. This is because the others still charge this much, except the difference in revenue is made up by selling your data and pushing adverts (rather than charging you extra). Suddenly the extra $30-$40 per year doesn't seem so expensive any more.
I have to say: I like to be charged as much as FastMail charges. It gives me some sense that they will not be out of business or quit in a year or two. I like FastMail to still exist in 50 years.
They are also the main sponsors behind the JMAP protocol [2] and some open source projects such as the Cyrus IMAP server.
[1]: https://fastmail.blog/2016/12/21/what-we-talk-about-when-we-... [2]: https://jmap.io