Good morning, I'm curious what users of this forum use to send and receive email in daily life. A few months ago, I finalized my termination of my Google account and all related services, if not for the sake of my privacy and liberty, then for the sake of my sanity; I now use Proton as my only email provider. Unfortunately, I have learned that every single one of my sent emails has ended up in the recipients' spam filters or is silently blackholed outright. I send ordinary messages from an ordinary address, however according to my cursory review of user anecdotes, Proton's domains are widely blacklisted, allegedly due to large volumes of abuse, and apparently an association with "radical conspiracy theorists."
Clearly, I must switch providers again, but what are the options? My threat model is very permissive - I am not some sort of black hat hacker who only logs in via Tails, I am an ordinary student with ordinary needs - all I truly require is that I am not so brazenly spied on and interfered with as I was by Gmail and Outlook. Essentially, I am looking for an email solution which does not do anything to me that ought to be illegal, while of course ensuring that my messages are not universally marked as spam. (n.b. I do not currently have the resources to host my own private email server, but I would like to learn about this route nonetheless.)
Thank you for reading, and thank you in advance for sharing your experience.
I use a gmail account for receiving email. Thunderbird or the gmail website can be used for both sending and receiving email.
For programmatic email sending I use s-nail mailx with msmtp as the client interface to gmail. As a single user linux I can configure msmtp access to smtp.gmail.com in /etc/msmtprc. The arch wiki has good info on s-nail and msmtp.
I seem to recall having to allow a specific APP to access gmail.
For security there's always protonmail.com which can be used similarly.
Self hosting is the only way to go if you want control of your email.
opensmtpd + Dovecot is what I use on a little minipc. It doesn't require much in the way of resources computer wise. You could pick up something on ebay for around £30.
Unfortunately dynamic residential IPs get blacklisted entirely these days so I relay all outgoing smtp through a minuscule vps which costs $19 a year.
To reduce being marked as spam requires DKIM, SPF and DMARC set up correctly and time.
Time because until your sending IP gains reputation you'll experience messages marked as spam and more so delays in the recipient getting your emails. (Many servers will deliberately TEMPFAIL your emails on the basis that many spam bots won't try again. A proper SMTP server will keep trying to send the email. It gets through in the end and your IP gets whitelisted in the end.)
Well done ditching the Google accounts. I did the same a few years ago.
I'd be lying if I said self hosting email wasn't complex at all but it's not as complex as many people think. Certainly not 'next to impossible' as I often see stated.
I would never use Proton. Maybe they've fixed a few things, but back when I tried them out, "full" features were available only after 1) installing their phone client, and 2) uploading your address book. They didn't mention this in their promotional material. Also, IIRC, they don't fully support POP3/SMTP using a local MUA.
I used COTSE (https://cotse.net/) for years (Church of the Swimming Elephant). They were better back in the old days, and their website has gone from being very informative to a pile of suck. But, they're very privacy focused, and have features such as VPN and proxy. They also offer web hosting. I had trouble with them failing to promptly renew their certificates nearly every year, and with billing - they stopped billing me, but didn't let me know, and I didn't notice it, then suddenly I got a notice of termination with just 1-day of advance warning. That said, there are good features. You get your own sub-domain, so on-the-fly aliases and filtering based on those is very easy. Their anti-spam and mail filtering are very good.
However, I ended up switching to Mailfence (https://mailfence.com/). Price is decent (appx $44/yr) with sufficient support for aliases, including +mode addressing. I chose them after surveying several pages on the web for "private e-mail service". They're in Germany, IIRC. So far, AFAIK, the only mail service which won't accept mail from them is CenturyLink. Why? I don't know. It's nearly impossible to contact them in a useful manner, even when I have DSL from them. Mailfence supports POP3/IMAP/SMTP just fine.
FWIW, I use Claws-Mail as my MUA. Very good program.
I like free proton, but I just use it as web email. you can set up container tabs and have all your aliases logged in, secure and for free.
and a couple moz accounts to use the relay masks.
Some good free options could include Mail.ru (but you might need to know a bit of Russian to navigate the site), Yandex, which is also Russian in origin but is now based in Europe last I heard, and has a wholly English (and other languages) interface, and GMX, a German provider, as good general purpose options. I've gained the impression that Yahoo has weak spam filters, it seems to receive more than others.
There's a table here:
https://en.wikipedia.org/wiki/Comparison_of_webmail_providers
But some of the info on there is wrong or incomplete, like it fails to mention Yandex offers a free account, and I think you can have more than 2 alias addresses on free GMX.
@gripped Hi again, thank you. This information is useful to me, especially about TEMPFAIL. I'm not sure I understand the purpose of the mini PC if everything is routed through the VPS (does the $19/yr plan not afford enough power to run a mail server?). I can't afford a domain and a host at this time, so I'm tempted to (extremely reluctantly) go back to using Gmail for now.
I feel just a little bit discouraged from taking email privacy seriously, because any email I send that isn't a support request will be going to a Gmail address, where Google's webmail client AI can scan and profile whatever I send, can't it?
@just_jed Hello and thanks. I think everything you mentioned about Proton has changed, except that they do give you an un-dismissable prompt to complete a list of chores, with the reward being a doubling of the "500.00 MB" of storage afforded to free users. One of the chores is to set up forwarding with Gmail (specifically Gmail), which I find perplexing for a company to do when a large part of their de facto business model is to give one the freedom to terminate their Google. (Ironically, about a decade ago, Google offered me an extra 2 GB of storage for submitting to a security procedure.) One of the other chores is to install the (almost unusable, another thing that hasn't changed) mobile application, another requirement I find perplexing to come from a company that claims to sell privacy.
Mailfence's fees... wouldn't the monthly cost of self-hosting an email address be about as much? I assume that using the custom domains from the "Entry" personal plan is necessary to prevent emails from being sent to spam by Google et al.
Hi, how are you getting aliases on a free plan? I am prompted to buy a Mail Plus subscription when attempting to add an alias.
@####### Hello, thank you. I like Yandex Image Search but I don't know how trustworthy they are as a company. It's worth noting that people who live in the USA, such as myself, may face real-life discrimination for openly using Russia-affiliated internet services, whether or not this affiliation is factual or current. It's starting to feel like it's the 1950s all over again. In America, even applications to renew passports now require a valid and reachable email address (not a telephone number, though ???)!
Hi, how are you getting aliases on a free plan? I am prompted to buy a Mail Plus subscription when attempting to add an alias.
Perhaps aliases means something different to you? I mean you can be logged in to several accounts at once, one per container tab.
And Mozilla has a free relay for 5 addresses per account.
I have Betterbird (https://www.betterbird.eu/index.html). It's a fine-tuned version of Mozilla Thunderbird, Thunderbird on steroids. I have 4 email accounts logged onto it using IMAP, and I have had no issues with it so far.
The vps could manage it except for the storage side. I have a lot of old emails! The vps has 20gb. Not quite enough.
I prefer to have the main server in my home. The vps, in this instance, is really just providing me with a static, non-residential, IP address.
The minipc also has webserver and a nextcloud server on it.
Yandex had an office in California at one time but closed it in recent years. Yandex.ru is based in Russia while Yandex.com moved to a European HQ as a separate company to be able to continue providing services as normal to avoid sanctions a couple of years ago. I've not had any problems in the UK although not many other people seem to use it here. It's probably one of the best free accounts, although in recent years the option to choose slide show themes showing photos of Russian landscapes in the background was removed, and it now has only more normal static graphic themes. The current political situation is temporary and calming down at present. Perhaps due to the history of Communist ideals, Russian society and government is often kinder and more generous to others, valuing the idea of helping each other for the common good, so more trustworthy and inclined to give better free deals than money and power grabbing big tech? And you did say you were trying to get away from Google!
GMX is also good and is quite like Gmail, if you were looking for something similar, but has no inbuilt "disk" feature which can be useful for transferring large files, you'd need to find some other website to do that separately.
Yandex has a disk but no alias addresses, Mail.ru only allows these if you provide a mobile number for verification, while free GMX gives you up to 10 and you can delete them and create new ones. You can also link email accounts together so the mail from one is forwarded to another. I've found that although you can get some idea what to expect from research, online info can be outdated and incomplete, the best thing is to create an account and take a detailed look at promising candidates.
Tutanota is another free account, but apart from the unusual ability to send securely encrypted emails to other Tutanota users, it's pretty basic with minimal features.
Which is part of the point. They talk a big game, but then try to get you to do things that suck.
Nope, no need to do a custom domain. In fact, self-hosting your own e-mail comes with the need to do things to avoid being treated as a spammer, such as SPF and DKMS, and making sure you have proper reverse DNS.
I could self-host e-mail. Spin up a cloud host somewhere, do all the work, but why? I've played at being a sysadmin, even worked at being a sysadmin a bit. I don't need the extra chore, when it's under $5/mo to let someone else deal with all the tasks.
I have correspondents who use Google, and no troubles with mail coming from mailfence.com to them. Same with Outlook users.
I don't know what terminology they use for alternate accounts, but "alias" to mean alternate addresses/identities under the same account is standard in Proton's documentation (https://proton.me/support/creating-aliases), as well as that of all other webmails I've used.
I'll try it myself too, but would you say that it's extensible enough to easily configure use with a keyboard only?
Thanks again, it sounds good and educational and I might go down this path, but I don't know enough about email to know what to do when things go terribly awry (which they always do on my computer ;)). For example, if the email server has downtime, will incoming emails be lost to the void? I don't know the answers to these types of questions or how to find them myself, and while I don't like to be ignorant and do think it's worth knowing, there are things much more important and interesting to me to learn right now. The media server I could barely manage to set up for my family's TV is rather lousy, so I can't imagine what it would be like to run a mail server. Do you think someone like me could self-host email despite this?
P.S.: Asking sincerely and non-judgementally, what is the purpose of storing over 20 GB of old emails? I discard most of what I receive (besides personal correspondences, which get archived), and I always wonder if there's a better way to do what I'm doing.
Yandex holds nearly 74% of the search marketshare and over a quarter of the browser marketshare in Russia. Their annual revenue is in the hundreds of billions of rubles and rapidly growing. If Yandex isn't big tech, what is it?
I have no personal experience representative of Russia or its people, nor any formal education in their politics and economy, so I don't know if what you've said is true, and I couldn't use it to judge the integrity of their corporations anyway. At least concerning the internet, the professed values of the average American could not be more different from the demonstrated values of Silicon Valley, could they?
I do want to get away from Google, but I can't deny the realities of where I live, nor neglect my compatibility with the status quo, as I do need to make a living :( Americans trend superficial with regard to strangers, so I can't wager my employability on whenever the cyber-McCarthyism (present nationwide since c. 2015) will expire.
OK, I'm almost sold, thank you for this. Familiarity in technology is not important to me, so things need not be similar to Gmail, as long as my dentist's receptionist doesn't shoot me a weird look when I list it as contact information :P I will register and give it a good look if I can determine their integrity.
I've used Tutanota as a disposable email for mandatory signups before, and my impression was that that's all it's good for. I don't know if things have changed or if I was ever right in the first place, but I can see that Tutanota users still have issues with their emails being filtered or blackholed by official institutions (and apparently all of Outlook).
Unfortunate, since they seem to have a cultural near-monopoly on privacy-oriented webmail in the USA.
Thanks, good to know.
I will register with GMX and Mailfence and compare them for now, and perhaps one day I will switch to self-hosting if it seems right to do so.
Thank you all for reading and replying. I'm learning loads.
EDIT: Um... they are both suspicious. gmx.com mandates for more information on signup than Gmail did back when I first registered. Why would my details such as my gender be important to a webmail provider for anything but targeted marketing and data brokerage? Why do they bill themselves as having "state-of-the-art security" when their minimum password length is 8 characters?
And Mailfence will not let me proceed without a non-Mailfence recovery email address. Doesn't this defeat the purpose? They aren't the only mail I've known which mandate a recovery address, or at least endlessly pester you to add one after you register. It seems as though nearly every email, privacy-oriented or otherwise, not only accepts that everyone will cling on to their old Gmail for one little thing, but actively enables the fact. Even Proton asked me for a non-Proton verification email address when I tried to log in from a different IP address and user-agent.
That depends on the settings of the sending SMTP server but proper ones keep trying to send it to you for 4-5 days.
Maybe. But you'd have quite a bit to learn. There are solutions which set it all up for you. iRedMail (https://www.iredmail.org/) is one example but this uses postfix+mysql (or did) not opensmtpd and is far more complex than my setup which is worse if things go wrong
I'm too lazy to sort and delete them and access to a years old email has saved the day more than once. When I deleted my google accounts I did a google takeout on the emails and keep them as well. Call me Mr Email Hoarder ;)
I'm not necessarily saying you SHOULD self host your email.
Only that this is the only way to have full control over them. imho.
I don't trust the providers of email services in many senses so prefer to host my own.
GMX can't be suspicious, it's German! Dependable or well engineered would be more appropriate. Germans are also reputed to be methodical, presumably why they want to know these details. Think BMW, Mercedes, or Artoo - Artix has a significant German input. The requirements for opening email accounts do seem to increase as time goes by.
Mail.ru is the only email provider I've come across that sends me a birthday email, by the way, so how thoughtful and kind is that, given that most want to know my date of birth, but then never do anything about it? ;D
That depends on your purpose. I'm certainly privacy-oriented, but this specific thing doesn't bug me. I mean, what are they going to do, post a cross-reference on their website?
In my case, I have another e-mail I use for keeping certain correspondence off in its own sort-of container, which is just one part of my overall privacy strategy. So I used that one. Hasn't caused me any trouble.
Sincerely, I don't want to force the issue, but I think it's important I make a point for future readers of this forum. My personal experience has brought me to expect only the best from German technology, both tangible and intangible, but that is no reason for me to give any web company (German or otherwise) the benefit of the doubt, or spin it in a positive light of being meticulous, when they mandate submission of more data than they legally or operationally require. And I don't think that GMX deserves to take credit for the merits of Artix just because their people were born within the same borders.
A chain is only as strong as its weakest link, and their policies don't reflect well on how seriously they take their customers' wellbeing. I measured the zxcvbn entropy of an 8-character ASCII password (completely random, to be generous) to be 53 bits at the very most, with some having as low as 30 bits of entropy. It doesn't matter how dependable or well-engineered the rest of the service is if a cracker only needs the power of ordinary desktop hardware to break in.
Oh, Gmail might've wished me a happy birthday a long time ago, I don't remember, but such a minute automated gesture from a technology company is not particularly meaningful to me with regard to kindness. For instance, Facebook and Twitter/X celebrate user birthdays, but have publicly admitted to engineering their algorithms to make people miserable and angry and to sow discord, and they infamously abuse their power to skirt accountability for the very real tortures and deaths this causes in less stable and more authoritarian parts of the world.
My fault, I was unclear. It's not exactly an issue of privacy, but of tidiness and security. Mailfence's website makes it clear that their target market is users with security in mind, so why then force them to use the presumably inferior security (and privacy) of another email provider as the recovery method of all things? Not to mention the inconvenience of choosing, registering with, and maintaining access to an entire other provider - I'm already forced by civilization to have a telephone number, so why can't they use that instead like almost everyone else?
I know that I am nit-picking, and that I am overthinking this, and that things requiring this much privacy and security shouldn't be sent over email anyway, but the apathetic insistences of school, work, housing, medicine, insurance, government, etc. are not up to me, and if I am going to get wet (by rejecting Google) then I might as well swim, I think.
I think I have completely run out of other options :P Does it matter what kind of mini-PC I set up for this, or will any old thing off eBay work? (And what do I need to consider besides price when choosing a domain registrar and VPS provider? What do you use, and can you recommend them?)
I've been self-hosting my own emails for >5 years now with opensmtpd+dovecot stack.
For the hardware part, I've been using OpenWRT-capable routers in the past, then jumped to thin clients. They are power-efficient and provide crazy amount of computing power for hosting needs. Most of them are cooled passively, so completely silent. Used ones are dirt-cheap. One of my tiny servers was running on an Igel M340C (https://www.parkytowers.me.uk/thin/Igel/ud/ud3/M340C/). You can even put a SATA SSD inside after disassembling its external casing and make it function as a NAS.
As for the software stack - opensmtpd+dovecot do work quite well, but management may come as somewhat clunky. You can try the upcoming stalwart-mail. It combines all the functionality of an SMTP, IMAP, JMAP and POP3 server, has a civilised, browser-accessed configuration GUI and if configured for a specified domain name, it will even spit out all DNS records that you need to put into your zone to make it work.
For the domain registrar - personally I went with the one that had a track record of the cheapest renewal (not purchase) fees out there. My email has been working fine without reverse DNS, though DKIM, SPF and DMARC had to be set up properly, or otherwise Google servers would blackhole everything coming from my side.
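The DKIM, SPF and DMARC setup that this post and the earlier self-hosting reply both call necessary can be checked before any mail is sent. The following is an added example (not code from any poster in this thread) that audits the three TXT records offline; the example.org zone contents, the `mail` DKIM selector and the 192.0.2.10 address are constructed assumptions.

```python
# Added example: offline audit of SPF, DKIM and DMARC TXT records.
# All zone data is constructed; "mail" is an assumed DKIM selector and
# 192.0.2.10 stands in for the static IP of the host that delivers the mail.

def parse_tags(record):
    """Split a 'k=v; k=v' tag list (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(txts):
    spf = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no v=spf1 record"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record, which is a permanent error"]
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated to another domain's record
        return ["SPF: no 'all' mechanism, unlisted senders get a neutral result"]
    if all_terms[0] in ("all", "+all"):
        return ["SPF: +all authorises every host on the internet"]
    if all_terms[0] == "?all":
        return ["SPF: ?all is neutral, so forged mail is not rejected"]
    return []  # -all (fail) or ~all (softfail)

def audit_dkim(txts):
    if not txts:
        return ["DKIM: no key record at the selector"]
    tags = parse_tags(txts[0])
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["DKIM: v= tag is present but is not DKIM1"]
    if "p" not in tags:
        return ["DKIM: record has no p= public key tag"]
    if tags["p"] == "":
        return ["DKIM: empty p= means the key is revoked, signatures will fail"]
    return []

def audit_dmarc(txts):
    recs = [t for t in txts if t.lower().replace(" ", "").startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no v=DMARC1 record"]
    if len(recs) > 1:
        return ["DMARC: more than one v=DMARC1 record, receivers ignore them all"]
    policy = parse_tags(recs[0]).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["DMARC: missing or invalid p= tag"]
    if policy == "none":
        return ["DMARC: p=none only requests reports, failing mail is not acted on"]
    return []

def audit_domain(zone, domain, selector="mail"):
    findings = audit_spf(zone.get(domain, []))
    findings += audit_dkim(zone.get(f"{selector}._domainkey.{domain}", []))
    findings += audit_dmarc(zone.get(f"_dmarc.{domain}", []))
    return findings

# Constructed zones: one set up correctly, one with a weakness in each record.
GOOD = {
    "example.org": ["v=spf1 ip4:192.0.2.10 -all"],
    "mail._domainkey.example.org": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],
    "_dmarc.example.org": ["v=DMARC1; p=quarantine; rua=mailto:postmaster@example.org"],
}
WEAK = {
    "example.org": ["v=spf1 a mx +all"],
    "mail._domainkey.example.org": ["v=DKIM1; k=rsa; p="],
}

if __name__ == "__main__":
    for name, zone in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_domain(zone, "example.org") or "no findings")
```

To run it against a live domain, replace the dictionaries with the TXT answers returned by a DNS lookup for the same three names.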
There's little point me telling you the vps providers I use as it's highly unlikely you'll find the offers on their webpages at this time.
If you go to https://lowendbox.com/ you can find providers offering short-lived deals you will only find there (or on similar such sites?)
That's how I found mine, but it's been a while now so I can't promise this hasn't changed?
As it's bargain basement I have sort of expected them to disappear overnight at some point. I take nightly incremental backups of them all. But I've been lucky and never had one fold on me.
Another thing I'll add is that for Webmail access to the email servers I use Roundcube.
Password security is only a practical issue when you can have multiple tries or access the hashed password, if you only get a limited number of attempts before the account is locked it's not a problem. And that's a minimum number, if you want more characters you can have them. Perhaps it's rather that they have implemented their security policy in a way such that they take care of it and make it unobtrusive and simple for users, rather than placing the responsibility on you, knowing that vast numbers of their non-technical users are going to put "mypassword123" on all their internet accounts or something equally silly. They could monitor IP address locations and machine ID for suspicious activity. Asking extra questions helps to ensure you are who you say you are, and even if it's used for targeted ads, you'll never see any with an ad blocker.
GMX Privacy policy:
https://www.gmx.co.uk/company/privacypolicy/
Content data - in the context of user surveys, for example, socio-demographic information such as age and gender is requested, but this information is evaluated in pseudonymized form
Total security and privacy is a lost cause, when serious criminals or terrorists are caught they can recall and view their entire internet history, news reports will describe how they tried to conceal their activities using encrypted methods. Those same encryption algorithms were 'donated' for web use by Government secret service agents, and all your internet data is routed through someone else's servers, even if you host it yourself, although you would avoid sharing it with the email providers themselves, but not the authorities and your ISP. There are numerous semi-secret facilities devoted to monitoring the internet and other communications, most countries have places like this:
https://www.gchq.gov.uk/section/mission/overview
They have bases which intercept the undersea data cables where they arrive, it really doesn't seem worthwhile to try and argue with that level of technological superiority to me.
GMX has been around since 1997 and is one of the most popular and trusted providers in Germany, there's nothing to worry about and I think they offer one of the best free email services, but if you want to do something else, that's fine by me, I applaud your choice whatever it is, as it's for your use and no-one else, go for it!
I want to follow up on this topic with what is currently working for me: I ended up using Migadu with a domain I purchased for my personal mail server. I tried to self-host, but the VPS provider sent what appeared to be bots to refuse the opening of my SMTP ports. I'll try again once I have a better grasp of cyberspace and a need for a website, but so far I like Migadu; it's been fast, reliable, and unblocked+unfiltered by Gmail, and I've had a rather generous free trial to validate all this before committing to payment. However, the restrictions on the cheaper tiers are a bit snug. They're nothing that would get in the way of my ordinary activities, but perhaps a little too tight for comfort.