Free secure email with unlimited space (xfsmail.com)
7 points by TuxLyn on Jan 27, 2014 | 15 comments



Meh - no TLS on outbound email, no DKIM, no SPF.

Received: from mail.xfsmail.com (MAIL.XFSMAIL.com [46.32.252.200]) by mx1.messagingengine.com (Postfix) with ESMTP id 68701F20E80

X-Spam-hits: BAYES_80 2, HTML_MESSAGE 0.001, RP_MATCHES_RCVD -0.473, LANGUAGES unknown, BAYES_USED user, SA_VERSION 3.3.2

At least it used TLS on the return email:

Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.xfsmail.com (Postfix) with ESMTPS id 348821446D7

And noticed the DKIM and SPF on my email:

X-Spam-Status: No, score=-2 tagged_above=-999 required=6.31 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham

----

It didn't send me an SMS after signup, or appear to have any method to stop a botnet signing up a few thousand accounts and going on a spamming run. It happens to us all.

I do wonder how they are planning to fund their hobby if it gets popular.

(disclaimer, I've worked for FastMail for nearly 10 years - I have a decent idea what goes into running an email service)
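An added example, not part of the thread or any poster's code: a small audit of the header lines quoted in the comment above, reporting whether each hop was recorded as using TLS, which protocol and cipher were negotiated, and which sender-authentication tests fired. The sample strings are constructed from the quoted headers; the function names and finding labels are assumptions made for this example.

```python
import re

# Constructed sample input: the header values quoted in the comment above.
OUTBOUND = ("from mail.xfsmail.com (MAIL.XFSMAIL.com [46.32.252.200]) "
            "by mx1.messagingengine.com (Postfix) with ESMTP id 68701F20E80")
RETURN = ("from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com "
          "[66.111.4.28]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) "
          "(No client certificate requested) by mail.xfsmail.com (Postfix) "
          "with ESMTPS id 348821446D7")
SPAM_STATUS = ("No, score=-2 tagged_above=-999 required=6.31 tests=[BAYES_00=-1.9, "
               "DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, "
               "FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham")

# RFC 3848 "with" keywords: a trailing S means STARTTLS was used, A means SMTP AUTH.
WITH_RE = re.compile(r"\bwith (?:E?SMTP|LMTP)(?P<tls>S)?A? id\b")
# Postfix-style TLS clause: "(using <protocol> with cipher <suite> (<bits>/<bits> bits))".
TLS_RE = re.compile(r"\(using (?P<proto>\S+) with cipher (?P<cipher>\S+) \(\d+/\d+ bits\)\)")
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 deprecated by RFC 8996
ANON_PREFIXES = ("ADH-", "AECDH-")  # OpenSSL names for anonymous (unauthenticated) DH

def audit_hop(received):
    """Return a sorted list of findings for one Received header value."""
    findings = set()
    with_m = WITH_RE.search(received)
    tls_m = TLS_RE.search(received)
    if not tls_m and not (with_m and with_m.group("tls")):
        return ["no-tls"]  # the hop was recorded as plaintext SMTP
    if tls_m:
        if tls_m.group("proto") in LEGACY:
            findings.add("legacy-protocol:" + tls_m.group("proto"))
        if tls_m.group("cipher").startswith(ANON_PREFIXES):
            # Encrypted against passive sniffing, but the server was never authenticated.
            findings.add("anonymous-cipher:" + tls_m.group("cipher"))
    return sorted(findings)

def sender_auth(spam_status):
    """Report which sender-authentication tests appear in an X-Spam-Status value."""
    m = re.search(r"tests=\[([^\]]*)\]", spam_status)
    tests = {t.split("=")[0].strip() for t in m.group(1).split(",")} if m else set()
    return {"dkim": "DKIM_VALID" in tests, "spf": "SPF_PASS" in tests}

if __name__ == "__main__":
    for name, hdr in (("outbound", OUTBOUND), ("return", RETURN)):
        print(name, audit_hop(hdr))
    print(sender_auth(SPAM_STATUS))
```

Only Received headers added by your own mail server are trustworthy for this kind of check, since earlier hops can write anything into the headers they add.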


Thank you for doing this test. I've contacted XFSmail about this. Hopefully they can fix these issues.


At this point, I'm not really sure I can trust the "free" services, as there's always a "catch" or changes in TOS down the road when they want/need to make money.

I'm moving my main email to fastmail [1]. It's worth $10/year to not get ads shoved in my face or wonder who owns my data.

[1] http://fastmail.fm


[deleted]


Because, to use an oft-quoted phrase on HN: "If you're not the customer, you're the product."

If I'm not giving them money, what am I giving them? Eyeballs? Data in my emails to mine?


It's all about trust. Do you trust Google, Apple, Fastmail, the NSA? Do you trust them to not mine and market your data or metadata? Do you trust them to act responsibly in case of a catastrophic data leak? Do you trust them to not change their minds down the road?

Personally, I too have more faith in paid-for services than free ones. At least, they have some motivation to do the right thing.


An email address is for most people their single point of recovery for almost all of their online accounts, including services like Paypal. If you choose to trust an email provider, you are trusting them with access to your entire digital life, including finances. If you can't trust a service to responsibly manage your payment information (in the case of fastmail) how can they be trusted as an email provider? Someone could do far more damage to me with control over my email address than they could with access to my credit card details.


This is why you never use a single email for everything; this could end in chain-hacking. Also, you should separate your accounts as much as possible: one email for banking/paypal, another for shopping, etc. But you can use email such as ZoHo for this if you don't trust XFSmail.


Physical address points at a virtual office company. No About page, want personal details, offer a free deal that's too good... Sold!


Question is - who do you trust?

How many national spy agencies are currently planning to roll out "free" email services sold on being secure?

Much safer to assume that every such service has been compromised and keep your private messages private. I suppose the "bad guys" have plans of their own but historical events have shown that they do not in fact have to be all that careful as there is so much "noise" out there.


They use 256-bit with TLS 1.0 and support IMAPS, POP3S and SMTP, which you can use with Thunderbird and also RoundCube web mail. Tested it myself, works very well ^_^ In fact I found it working better for me than some premium services like HushMail.com or free services like Safe-Mail.net. I'm very happy to find something that finally just works without too many registration questions or phone activation.


I'm being pedantic but encrypted != secure, of course.


Of course it doesn't. This email service doesn't do anything that other email services don't offer.


They are virus-scanning and spam-filtering my email. So they at least have the ability to read all my email. Doesn't sound secure to me.


Every server passing email to the next server in the hop has the same problem.

The security is what controls exist not only in the servers between you and your email provider but also what controls are in place with the email provider.


True. That's why you should use end-to-end encryption for your mail.

There's a reason I'm sceptical about these things: over here in Germany, the government is trying to establish a nation-wide email service (DE-mail) that is supposed to be so secure that you can even use it for government interaction such as filing your taxes. They even argue that they are using encryption to protect your mail. However, they explicitly say that encryption of course only happens between servers and that your email can of course be read on the servers, making all security useless.

This might not be the same as xfsmail, but it doesn't feel secure to me. In general I'm less worried about some random attacker trying to hack into the providers' servers than into provider employees reading my email.



