Posteo.de or Mailbox.org - Struggling to find an alternative to Proton
Hello everyone! I have been currently debating switching email providers. I have been with Proton for a few years now (free user), but I have become increasingly disappointed. Firstly, I am not exactly a fan of the “we have apps for everything” model, particularly the integration of a password manager is just strange and the crypto wallet feels a bit nauseating, as I have my reservations about cryptocurrency. Consolidating all of my services in a company such as Proton feels misguided if the goal is to avoid walled gardens from the tech giants. There are also some other more recent things that have come up in relation to Proton that just make me question the legitimacy of Proton's “guiding moral imperative” as a privacy focussed company.
Moving on from that, I have mostly settled on two options due to their
- low cost
- generally adequate security (I understand email's limitations on this front, I just want something to be secure enough)
- transparency reports
- location of operation
The main thing I am struggling with here are the pros and cons between the two platforms.
Posteo seems to be less ideal of an email provider because they do not support ARC and lack a good DMARC policy. BUT they claim to support encryption with their calendars, but does this even matter if you are accessing the calendars with CalDAV (which I do not believe is an E2EE connection)?
I think I trust Mailbox.org more when it comes to security, but I think their contacts / calendar situation is somewhat worse, and their French translation seems … lacking in spots (not that it matters to me much, but still is somewhat jarring for me).
I could just ignore the contacts/calendar problem, and use something like EteSync, but that would become just another thing to pay for, and another app to operate (if I need to use the WebDav bridge).
Any feedback on this would be greatly appreciated, I am really hoping this inspires some interesting conversations! And of course, feel free to tell me about better options if I have overlooked something. Have a lovely day :)
Commenting to recommend Fastmail. An incredibly mature and feature-rich platform that doesn't seem to be run by assholes. You own your data and are fully in control of your experience.
I have been using them for probably close to a decade now since I switched away from Google apps.
Edit: FWIW I am using around ~10 custom domains with Fastmail and I use both their IMAP/*DAV servers as well as their web suite.
They are significantly more expensive than Posteo and Mailbox.org though
Are they? I pay $6/month for Fastmail, I think Proton is actually more expensive?
Proton isn't Posteo nor Mailbox.org though ;)
Mailbox has a plan starting at €1 per month and if you want to use custom domains you are looking at €3. Fastmail starts at €5 per month (if you go for annual, otherwise it is €6)
So yeah, Mailbox.org is cheaper. Though fastmail does offer more storage in their plans, but that might not be relevant for everyone.
Even better, SimplyMail is $10 per year, or Migadu is $20 per year, though both are bring-your-own-domain solutions.
I suppose, I am not that familiar with either of those but they don't seem specifically privacy focussed. One thing that also drew me to mailbox.org is that it is a German company that has been around for a while with a clean track record.
If all someone is after is the cheapest option then yeah, those you suggest might make sense.
Both are as privacy focused as mailbox.org is, which is to say, as privacy focused as the fundamentally flawed set of protocols behind email allows. Both say they don't analyze or track your emails, which is the same thing mailbox.org says. The reason they are cheaper is they are only email, nothing else.
https://purelymail.com/docs/security
https://www.migadu.com/privacy/#introduction
As I was curious:
Purelymail is based in the US.
Migadu is based in Switzerland.
Not that I think it makes too much of a difference (Swiss vs EU privacy laws are not my forte at all so I am possibly wrong) but Migadu's mail servers are located in France
Posteo and mailbox.org start at €1/month.
What seems particularly of interest to me is their support of the JMAP protocol, a seemingly good new option (at least in terms of how fast email protocols change). Notably better support for push notifications on mobile clients, and an alternative to existing solutions for contacts / and soon to be calendar sync. Given the state of clients right now, I doubt I would use it as of now, but it is nice to see them working towards better open protocols for the future.
Thank you very much for the suggestion :)
Just to point it out: Fastmail does not provide zero-knowledge encryption, while Proton and Mailbox.org (and Tuta) do. Nor is Fastmail end-to-end encrypted. That may or may not matter for you, but good to at least know before deciding.
The lack of zero-knowledge encryption is a little disappointing and definitely renders them a worse option, the lack of E2EE however is not a big deal to me as I can just use PGP in my email clients and not have to depend on a server implementation. At the end of the day however, email is quite flawed, and I don't use it really as a primary or essential means of E2EE communication. I would much rather use an app built from the ground up for encrypted communication (e.g. Signal among others) or an app built from the ground up for encrypted file sharing (to replace email attachments)
FastMail is based in Australia which means they are required by law to comply with Australian police requests (they list annual results of police requests on their website) but interestingly, they’re also required by law to not comply with international requests.
If you’re worried about the Australian government raising requests then they won’t do much to protect you, but if you’re worried about any other government, then ironically they’re a much stronger defender than many US tech giants which have a reputation of handing details over to all sorts of organisations without so much as a warrant.
Also, while they currently don’t use your data for harvesting and profiting on the side, they’re also bound by Australia’s Privacy Principles and therefore will have a much more difficult time in future switching to that kind of model if they decide to in future. Still not encrypted, but these other points are what swayed me in their favour recently.
Fastmail are the people who created the JMAP protocol. Their official client is pretty good and uses it. There are also a few nice third party JMAP clients for Android if you only need basic features.
I myself switched over from Proton to Mailbox.org on my two main email accounts. I really enjoy how to the point and convenient Mailbox.org is. I have a custom domain which is what ultimately led to me choosing them over Posteo.
I have always wondered if it is worth getting a custom domain, but I just don't know what I would use as a name on my more "professional" things (resumes, banking, etc.). I don't have a small business, so I can't just use the business name, and ideally I would want something that works in English and French, which further complicates things.
Given your experiences with them, do you have any thoughts on what I could use instead of just cycling_mammoth(at)business-name.com?
I have something not exactly like, but similar to:
- firstname@lastname.tld for the “normal” address to give out to friends & family
- fl@lastname.tld (or e.g. f.lastname@whatevercustom.tld) for job applications and bank accounts/insurances/other important stuff
- newsletter@lastname.tld for the obvious
- or accounts@ for any non-critical logins (think Spotify, Anki, Obsidian, etc.), you could even do socials@ for Big (& small) Tech logins, one for orders/purchase receipts on- and offline, and so on.
Back when I set this up, I got a deal for 25 mailboxes (and addresses) for basically the same price as like… 2? or 5 or something, so I took it for being able to offer addresses to my family alone, the pre-sorting by address is just a rather nice bonus. :P
Of course, if you don’t plan on sharing the domain with other users, you can always do info@firstlast.<any tld of your preference>, since the likelihood of that still being available is usually higher.
Also still, you could set up a generic catch-all to hand out to potential spammers/untrustworthy sources à la hello@firstlast.tld (although spam within the EU has gotten better compared to 10-20 years ago due to regulation, I’ve been told). Or you set up firstname@firstlast.tld. Or firstname@pseudonym.tld. The possibilities are endless. :D
info@cyclingmammoth.com maybe? I got my firstnamelastname.com TLD and I use it often. I have a catch all mail, so depending on the use case I put something else before the @
So I name all of my networks, devices, and domains off of Greek Gods. Maybe you could use something similar or something like cycling(at)mountmammoth.com and such.
The real reason to get a custom domain is that you don't have to change your email address when switching providers. I wrote more about this and the names I use here in this post.
For catchall, you'll get a lot of spam because people will just spam (anything)@example.com, so I recommend setting up a subdomain, like biz.example.com. Then use a different name@ for each account, amazon@biz.example.com, hilton@biz.example.com, etc.
I run the catchall rule into a separate real mailbox (ads@example.com) that I never send email from. That mailbox has all spam filtering turned off. If I start getting spam from one of the name@biz, I just block that one address.
The provider I use probably doesn't meet your needs, but it's mxroute.com. The operator is based in Texas but I believe the servers are all Hetzner in the EU. Email only, no frills, you are expected to know how to configure your mail. Support is very good for reasonable requests, but he is ruthless about locking down any spam-related activity to protect server IPs. I never have a problem with email delivery, which is my number one requirement as the big providers (gmail, outlook, etc) get more and more strict about their spam/reputation rules.
Personally I use my self-hosted radicale server for calendars and contacts, and will be setting up either purelymail or migadu for email on my own domain.
I use purelymail. It is incredibly convenient and very low cost. I am spending about 12CAD per year.
What about Tuta or Zoho?
Tuta at this point is a tertiary option for me if I decide against these two, but still desire to move away from Proton. My main qualms with Tuta would be
However, I do appreciate that it would allow me to keep encrypted calendar / contacts which I have with Proton. It would definitely be more of a "drop-in replacement" in those regards.
I will have to get back to you on Zoho, as I have not heard of it (and I need to get back to some work right now), but I really appreciate you suggesting a service I have not come across before.
No problem! Here's two more: Purelymail and MXroute. Please let us know what you decide!
We used Zoho for the business I used to work for and their email was very, very good. I think their web client is actually better than gmail these days, too. They've got really nice features built into it if you think you'll need it.
But that being said, I don't know if I could vouch for things like their security models and ethics except to say it was good enough for medium sized business. For what it was worth, it was extremely reliable; of all the Zoho apps we used it was the one we never had issues with.
I used Tuta, but always having to use their slow app with their slow search was too much for me. I then changed to mailbox for 1€ a month with a custom domain. They then increased the price to 3€ a month - so I cancelled that and went for iCloud mail which I am paying for anyways
+1 for Fastmail. Awesome service. It supports CalDAV and CardDAV for contacts and calendars (I also sync my to-do lists with it through CalDAV, but they're not displayed in the Fastmail UI) and also has built in WebDAV cloud storage, though I haven't used that.
I also highly recommend using an email aliasing service, like SimpleLogin. Alternatively you can use the aliasing service built into the email provider, but that would mean that you can't easily switch providers and will be locked into a specific one.
I mean, unless you need to reply with the alias you can often simply set up a catch-all and have an unlimited amount of aliases. It's how I use mailbox.org and whenever I do end up needing to reply with a specific alias I just create it at that moment.
But for logins that really isn't needed 99% of the time
In that case your addresses won't be anonymous though, since they'll all be tied to a single domain.
It's also harder to block/disable specific aliases when using a catchall.
Logins are actually where I use aliases the most, since I create a new alias for every single website I sign up to, like
tildes.y32j1@slmail.me
This is the first time I have seen forward mail addresses being referred to as aliases. Anyway, I want them to be tied to my domain as I don't want to be beholden to yet another service to be able to request password resets, etc. It is the whole reason why I moved away from gmail in the first place. Using SimpleLogin does kind of defeat that purpose.
Yeah, that makes sense. That's why the alias I use for Bitwarden is on my domain, and the rest isn't
Don't have much to add to the comments already posted but since you specifically mentioned location of operation and talk about posteo and mailbox I'm assuming you want EU based services. There is an EU page with EU hosted email providers that might interest you, if you haven't seen it already.
Can you elaborate? I don't really follow them but they seem to be a big player in the privacy space so I am interested.
I don't know much myself, but here's the Tildes discussion about the Proton CEO randomly tweeting support for Donald Trump. Which is... Um... yeah.
Except he was applauding Trump's pick for the position, nothing else. He's far from a Trump supporter. If you want details, read this: https://medium.com/@ovenplayer/does-proton-really-support-trump-a-deeper-analysis-and-surprising-findings-aed4fee4305e
If that's all that was happening there's no need to tag Trump and continue to claim it wasn't "political" when it explicitly showed support for one party.
I'm going to trust the mountain of evidence in the article I shared rather than a single tweet based on Trump being tagged. I suggest you read it yourself as well.
I use a VPS hosted NextCloud instance for all my calendar, photo and storage needs, and my email is hosted with Runbox.
I couldn't put up with anything that required a custom app and didn't just allow me to use imap.
I have been a happy user of mailbox.org for a few years now and have no complaints. Though I don't really use the calendar function myself so I can't comment on that. But as far as service stability goes I never experienced any issues with outages, mail sending or receiving.
I used to use Migadu but switched over to purelymail at the end of last year. Both are very good but purelymail worked out cheaper for me even when using the advanced pricing model, otherwise it's $10 a year normally. I also have another domain through mxroute which I have because I got a good deal for it.
I'm trying to decide between Migadu and PurelyMail, my main concern with PurelyMail is that it has a bus factor of 1.
I'm also a happy customer of Purelymail (switch from Migadu too). To @Toric's point there is a bus factor but if and when the time comes that Purelymail shuts down, it's easy enough to switch providers. Worst case scenario is self-hosting.
Another one to consider: https://privateemail.com/ via Namecheap. It's what I use. Not sure if it meets all your requirements.
Namecheap went hard into promoting cryptocurrency and Web3 in years past. Any of that come up while using their email service? I didn't even know that was something they offered. I use Porkbun and I guess they offer it too now that I'm checking. I think I just subliminally ignored it as another upsell attempt
Oh I did not know that at all. I just registered my domains and set up email. Never saw anything about crypto or anything. Honestly that would have made me stop doing business with them.
About Posteo's DMARC policy, I wrote to them and they pointed to this page.
I'm personally using Mailbox and I've been overall pretty happy with it. It's easy to add new aliases with my custom domain and I had no trouble configuring K-9 Mail as a mobile client for my email.