Email provider recommendations? (Privacy-focused, paid-for)
I have self-hosted my email for many years, but am finally encountering some straws that may be breaking the camel's back. A few email providers are now rejecting my server's mail, Microsoft in particular (@hotmail, @outlook). (In case you're wondering, I already set up SPF, DKIM, DMARC, etc. and none of that is the issue.) Self-hosting was fine, and the technical admin work was never really an issue. I'm just tired of the external factors that are beyond my control, like belonging to an IP range that is scored badly by some random blocklist company.
So, I'm now shopping for a good email provider. Privacy and security are important to me, and I am more than willing to pay for email, so all the usual "free" email providers are out of the question. (Update) Also, client access (IMAP, SMTP) is a must.
For now, I am eyeing
Proton is looking to be my choice among those two, as I like the replyable email aliases feature. 16 times the storage doesn't hurt, either.
Any other recommendations in the same vein as these two, and in the same price range?
I prefer Proton's all-in-one approach, but pretty sure they offer each service a la carte still...?
I want a VPN from a trusted source, and they've given me an additional 1 GB of cloud storage each year: https://proton.me/support/storage-bonus
Once they have their desktop apps fleshed out I'm hoping to move away from Dropbox
Throwing my weight behind Proton as well.
Their password and vpn absolutely blow Nord and Co out of the water for sheer ease of use. The email and Calendar apps are simple, quick and easy to use and Drive just does its thing.
And you know what? Having it sit behind a login pass, decryption pass and 2FA means it feels absolutely bomb proof.
Hmm. You know, I've never looked at the desktop app side of Protonmail, so it's interesting to hear a bad review based on that. I've never considered I need the emails locally if I'm perfectly honest! Viewing on browser just gives me good feelings about where they're kept and encrypted.
But to each their own!
They do yes. I'm currently only paying for their pro email plan, which, if you pay 2 years ahead, costs 3,50 EUR/month.
@Pistos another similar recommendation that is cheaper than both (but offers literally just email) is https://purelymail.com/
I recently switched from Proton to Migadu. I got sick of Proton after 1) they left this bug unfixed for 2 years after calling it "critical"[1] and 2) seeing one too many bug reports with them rewriting people's email[2] for no good reason, most of them didn't directly affect me but they made me generally uncomfortable with the company.
Ended up deciding between Migadu and MXRoute, which both only charge for storage (i.e., not for aliases/mailboxes) and don't have external investors. Ended up going with Migadu, mostly because they're in Europe (also they seem more friendly, which isn't a hard requirement but I'm happy to pay a little extra for it)
[1]: also they never warned Bridge users of potential data loss even though they knew the issue existed
[2]: stripping the plaintext half of emails with both html+plaintext, deleting or rewriting headers, stripping the signature of externally signed email, removing trailing whitespace on plaintext emails
I'm on migadu for a while now. can only recommend. top price/service ratio. friendly and very fast support even on their cheapest option (which is very cheap)
That is/was a really serious bug. I read through a number of the thread's comments, as well as clicked through to some related bugs. I share your concern about the speed and frequency of the company responding at times, but it does look like they eventually made progress with it. Overall, though, it makes me quite wary of the proton-bridge server app if there's risk of write operations being done on the completely wrong emails.
That said, I might consider just using their web interface.
Yeah my worry with them is that they're happy to provide Bridge to gain a few users, but they barely consider it a supported usecase (they often say things like "why would you want to do that?" with Bridge-related bugs/feature requests). I've also been making an effort recently to go with companies that don't want or need to scale/advertise, so the shift to Migadu was definitely part of that too.
I only found myself seriously wanting to leave Proton when I needed to use plaintext email with a client, their webmail is fantastic and I never had any trouble. I think they're absolutely worth the money (especially considering Drive+VPN+calendar) if you're looking at a Gmail replacement, just ended up a bad fit for me.
Fastmail, while I am not with them anymore, was by far the best managed mail service I've ever had the privilege of using. Great price, singular focus, great features.
One I would be extremely cautious about is Tuta (Tutanota): there have been some ramblings that they are not as secure as they seem (potentially a "honeypot" or storefront for The Five Eyes), and they don't support IMAP/POP/SMTP access. You can only access them through their applications. Proton handled that by supplying a connector app for external applications, but Tuta does not.
Agreed on Fastmail. Been using them forever and it’s truly set and forget once it’s set up.
They also have an excellent feature for 1Password users where you can link your accounts and create a throwaway email right from the signup page on 1Password.
My favorite feature imo, is the unlimited(?) domain setup. I have a lot of domains, so that was nice + with a catch all. Most other services either cap you at one or two, or force you to pay more for no other reason than they can.
Wow, I somehow didn't hear about that! I use tutanota.
I won't stop using it just yet. The encryption part is open source, so not clear what use tuta would have as a storefront. And the dude saying it's a storefront doesn't sound completely coherent, maybe he just doesn't understand what he said.
Also, what would a gov agency do if it couldn't infiltrate a mail provider ? --> discredit it!
So either tutanota is a storefront for the secret service (in which case the damage is acceptable as I mostly want to escape Google), or tutanota is so good that the agencies try to drive us away from it...
Wait and see I guess
I’m a loyal user of https://mailbox.org/en/
Been using them for 5 years without issues.
Happy mailbox.org customer here too. European, privacy focused and cheap were the main factors for me to subscribe, but now that I am using it for a while I must say I also like that they provide a complete suite of applications and services, like an online office and cloud storage that play nice with standards as webdav, caldav, etc.
It is really handy for that one time you want to send someone a big file and you don't have Dropbox or similar. Just upload it to mailbox.org, add a password and send a link, for instance.
As downsides I must mention:
I also managed my own self-hosted email server for many years until it just wore me down so I understand where you're coming from. For the past several years, I've been happy with Zoho's premium email service at USD $4/mo.
Zoho also offers a full online office suite but I'm not interested in that. Still, the email service does include calendar and contacts. It also allows for domain mapping, extensive filtering, and S/MIME.
I personally use Fastmail and am very happy with it. I prefer it over Proton (which I’ve used in the past) since it works better with standard email clients and doesn’t limit domains or aliases as aggressively (mostly because I have an irresponsible number of domains). I have a wildcard set up for every domain and make up an email address whenever I’m signing up for a site I’m not confident in protecting my email address or respecting my unsubscribe requests - if they don’t, I can easily bounce messages sent to that name by creating an alias for it. You can even integrate it into 1Password and have it auto generate masked email addresses when signing up for accounts.
I pay every 3 years, so it works out to only $3.89/mo.
I use Purelymail and wholeheartedly recommend it.
You can mitigate the bus factor somewhat by using your own domain. I also archive all my mail locally.
This is insanely cool, and a great price. And while they are 'purely mail' they also feature calendar and contact sync.
Me too, no idea about privacy but it works and is super cheap.
I've been using purelymail as the MX server for my personal domain for around 2 years maybe? It's a great service and perfect for my needs. It's incredible value, especially with multiple addresses.
I've been extremely happy with the full Proton suite which comes out to $8/month buying it two years at a time.
I also use and love the included services: ProtonVPN (pretty much the best available VPN right now for a lot of reasons I could ramble about), SimpleLogin (I'll never go back to exposing my real email addresses), and ProtonDrive (true E2EE cloud storage is awesome, I still miss being able to edit sheets and documents without downloading them though).
There's a calendar and a password manager on top of that that I don't use but it's a phenomenal value to get all of that for $8 and it made degoogling so much easier.
The bridge application might get cumbersome depending on your SMTP/IMAP needs and will likely still require some light selfhosting if you need that for any sort of automation.
Be aware that they do not support auto forwarding emails from ProtonMail so that would also have to be selfhosted through a client under the bridge.
Edit from the future: Forwarding has been added.
Otherwise the only comparable service for high threat-model privacy with E2EE that I know of is Tutanota but I've never used it.
What advantages does ProtonVPN have over Mullvad?
I really like Mullvad too, choosing between them really depends on specific circumstances and Mullvad is actually why I added the qualifier "pretty much".
Proton has some more features like limited port-forwarding, connection methods to bypass blocks or hide the fact that you're using a VPN on a managed network (stealth protocol), multi-thread support for all protocols for a sizeable day-to-day speed boost (vpn accelerator), and a couple other small things with their company structure that make me like them a lot.
That being said, Mullvad works well and not everyone cares about that stuff as it's not always critical to a VPN's core purpose. It's my usual recommendation for people who want a standalone VPN as ProtonVPN is lacking if you don't pay for the pricier "Unlimited" plan, but if you can bundle it and you're going to use the Proton suite any way I personally prefer it and it's a great value.
You reminded me I wanted to share this. For Proton users looking to setup their server with VPN port forwarding without a GUI, here's the script I ended up with to keep the port forward alive, and update Transmission when the port changes. The secret sauce is natpmpc, wireguard config, and figuring out ProtonVPN doesn't let you change the 60s timeout. The next evolution of this would probably be to have fallback wireguard configs.
VPN-keepalive.sh
I use mxroute.com -- it's basically one guy in Texas who is an old school, no-nonsense sysadmin. They focus on deliverability and aggressively manage their servers with respect to blacklists. I've never had a message not get through. They also have support for unlimited accounts and domains (you just pay for space). 50gb of space is $69/year.
The expectation is that you know how to set your services up -- there's very little handholding, but if you have a problem they are responsive on Discord.
Also, it sounds like you have given up on self-host, but if IP reputation is the issue, you could try proxying your outbound email through Amazon SES before abandoning it entirely. It was a few years ago, but I set this up at a startup where we had to self-host email to meet regulatory requirements, and we never had a problem with deliverability.
I can also recommend mxroute for anyone who is willing to spend the tiny bit of effort required to set everything up. After that it takes care of itself. Great spam filtering and IP reputation just to name a few neat things. I am also a huge fan of jarland's work and approach so buying the lifetime 10GB plan for $100 last year was a no brainer. I am expecting to get more than my money's worth out of it.
MXroute's black Friday deals if someone has been waiting for them: https://mxroute.blackfriday
In our case, we had to comply with ITAR regulations, so we were using the AWS Govcloud to self-host email, JIRA, Gitlab, and other applications. We relied on the fact that the AWS Govcloud met the ITAR requirements to meet the requirements as a small startup.
Now there are many other offerings like Microsoft GCC high and Zoom's Zoomgov that also meet these requirements. There has been a lot of work done in the last few years in this area. That is all for the US of course.
To answer your original question, the easiest thing for a small business to do is to find a service that meets the regulatory requirements that they are subject to wherever they operate. Since you're not in the US, I have no idea what those would be, but whatever they are, you can probably find a service that meets them, because you're surely not the only business subject to the requirement. If you don't find one, then you have to do what we did and look for a lower-level service like AWS that meets the requirements that you can build on by deploying things in that environment. The very hardest thing would be to meet the requirements for yourself with your own hardware and your own restricted environments which is usually not something a small business can do.
Fortunately with all the cloud stuff these days that's pretty rare. When you get bigger you may find that you can more cost effectively run the services yourself than pay for a service but that's almost never the case for a small business, especially if you're talking about security around web services.
Edited to add: in addition to regulation, you should also think about business risk. Even if you are not subject to any particular regulation, having your servers get hacked may damage the reputation of your business. So it may be worth paying for a service that can secure your servers better than you can secure them for yourself.
The tough thing about that is that you never really know how secure someone's practices are, just how secure they claim to be. And since you're going to them because you're not an expert, you may not know the right questions to ask. Even compliance with standards may not mean that much, unless they are audited for compliance by an independent third party, which probably means they are very expensive.
I'm pretty happy with Proton, can't say anything about security because, honestly, how can I, myself, verify it, but at least I'm quite sure that my account will not be blocked without reason and without possibility to appeal.
I'm really enjoying Proton (I'm using the bundle which includes all their services). Loving the feature which lets me create email aliases which I use for sites/apps that require registration. Proton currently has Black Friday discounts.
Not a user, but Tuta might interest you: https://tuta.com/pricing
Skiff has 15GB (shared between cloud storage, like proton) with 10 addresses and 1 custom domain for $3/month. There's a couple higher pricing plans if you need more domains, storage or addresses.
I still self-host but proxy out via Amazon SES. Now it is on an AWS account that is sending out mails for another domain (in the thousands) but I think the most I've spent is $0.50 per month on my personal email being routed out.
Looks like the price probably scales depending on how much you're using it. Looking at their website they're targeting big companies that are sending out a bunch of emails... verification emails as an example.
Also they're still using their own personal email server and just routing it through AWS
Yup
Have both Fastmail and Proton (almost no downtime in last few years been with them). Spam filters work mostly.
I'm curious why you have both. Could you expand on that?
Fastmail is paid, it's been my primary email for both personal and work. Was able to get the name I wanted as well. Gmail accounts for mailing lists and use as email for promos or login to various shopping, entertainment sites which aren't important.
Definitely respect your decision to move away from self hosting, and you're probably just done thinking about this and debugging it, haha. That said, I host my own e-mail so I'm curious what's going on! In my experience outlook is really picky about rDNS, which is one thing you didn't explicitly mention. Also curious if you had signed up for SNDS, I'm signed up for it myself and I've heard it can make a difference, but don't have any real world stats on that. Anyway, don't feel like you need to do a deep dive or anything on my behalf, I'm just personally curious how bad the outlook problem really is.
Many people cite outlook as the reason self-hosting e-mail isn't viable, and it's really hard to get a good sense of whether or not the self-hoster can do anything about it. Because e-mail is so fiddly it's hard to tell how much of the problems people have experienced are due to Microsoft just blacklisting IP ranges, and how much are due to server misconfigurations, and how much are due to outlook being a little pickier about certain things like rDNS that other providers like gmail don't care about quite as much.
You sound like you know what you're doing, so I'm not accusing you of this, but I've seen people complain about this with no SPF / DKIM / whatever, and others complaining who have had broken DKIM signing (usually due to a large key that didn't fit in their TXT records in DNS). It's rare that I get the chance to look, but when I have I've always found configuration issues that Outlook doesn't like. I'd really love to actually know the proportion of issues caused by Outlook banning an ip block, because I think it makes a big difference for the viability of self-hosting e-mail.
You mention you want IMAP / SMTP for your e-mail, you should know that Protonmail does not really support either protocol. Protonmail provides a bridge application that speaks their protocol and provides IMAP / SMTP locally so you can use your mail client of choice, but you should be aware that it's a slight barrier and AFAIK you're stuck with the Protonmail app on mobile devices.
(Okay, if you really wanna try and help ;) )
You're right, I didn't mention it, but I do have reverse DNS set up for the IP and domain. I have also done the dance with outlook/hotmail support for their error code, etc., more than once (different incidents). It's worked in the past, but this most recent issue was not resolved that way. I have also done the SNDS lookup stuff.
The current issue is:
S3140 basically means my IP is part of an IP block with a bad reputation, particularly on the UCEPROTECTL block list. (You can do a websearch for S3140 to learn more.) Lots of people have complained about this problem (e.g. at linode.com, at microsoft.com), with no reliable, long-lasting solution.
The point is, though, that the world has changed somewhat in the last 15+ years, and your own technical knowhow and tenacity is not enough to get you reliable self-hosted email. There are factors which are totally beyond your control (e.g. Microsoft relying on UCEPROTECT) which can make your email break, even if just partially.
(Minor update: Today, I noticed I was off the blocklist, and so I contacted MS Sender Support, and they lifted the block on their side. However, I will still go ahead and sign up with a provider, because I don't have any confidence that the same kind of problem won't happen again in a few months.)
Yes, and for this reason, I am actually about to pull the trigger on Fastmail. If Protonmail had a reliable (i.e. normal) IMAP+SMTP offering, I'd probably have gone with them. I have enough technical chops and daring to run a daemon like proton-bridge, but I don't see how anyone can live with uncertainty about whether write operations are going to do the right thing.
Ah, bummer :(. I've heard people have particularly bad luck with linode for some reason. As far as I know I haven't had problems with my mail servers yet, but who knows if my days are numbered! I thought Microsoft just silently dropped e-mails (which is what most people who complain say), I wasn't aware they would spew an error message at you over SMTP. That seems helpful, at least... The worst thing about e-mail is that figuring out why you have delivery issues can be painful, so I guess it's nice that you have something conclusive, at least...
I'm still going to tough it out, but I totally get not wanting to put up with it anymore. I recently heard of somebody who still self hosts their e-mails but uses a relay service just for outlook, lol. I thought it was amusingly spiteful.
I'm very curious how e-mail is going to evolve in the coming years. SPF / DKIM have been a big change, and there's still a number of security and privacy issues with e-mail that need to be fully resolved (like the STARTTLS issues that mta-sts and DANE try to resolve). I feel somewhat optimistic that things can get better :). I probably shouldn't, but despite its (many) flaws I really like e-mail and what it represents. I feel like it's one of the last bastions of the older internet and I really appreciate the openness of it... There's something really nice about it that I hope we can preserve going forward!
I’ve used HEY for a few years now. It’s $100 a year and is privacy focused while providing a unique take on an inbox where the only stuff that ends up in it are things that you probably need to see.