Hey all, I’ve been taking my digital privacy and security much more seriously this year, but the one thing I’ve been stuck on and feels overwhelming to me is email. So I wanted to know what do you guys use or what practices do you follow? Do you keep a separate email or alias for every single account, or just compartmentalize, like one email address for online shopping, one for business, one personal correspondence, and etc.
What services do you use? Right now I have a free Tutanota and ProtonMail account but haven’t decided which one to pay for, if either. ProtonMail makes me iffy with the amount of controversy and debate that has come out of them in recent years even though it comes with a lot of other nice stuff like cloud storage and a vpn. Tutanota I just dislike the fact I can’t add it to third party mail apps like Thunderbird, but this might not be a deal breaker. I know there are others, so what do you guys use? I don’t need something to protect my emails from the NSA or organizations like that but definitely something more private and secure than gmail. Thanks.
I’m not aware of the controversies regarding ProtonMail, yet they’re my main email provider. I have one main email for everything, and an alias for public-facing email. ProtonMail has a free service called SimpleLogin that allows you to create on-the-spot email for a specific service (even comes with a browser extension). I don’t have anything else regarding emails, those two services really cover all my bases.
I’d be interested to know which controversies you’re referring to though?
Probably referring to these reports:
I think OP is going to have a tough time finding an email provider which won’t comply with court orders
There is always the option of setting up your own e-mail server. Have been using “docker mail server” for testing purposes and it’s relatively easy to setup locally.
Haven’t deployed it to a server yet though.
I set up my own email server and it’s hard, postfix was born in hell, fortunately there are guides to help.
Since email is federated, you need to comply with the biggest players to be accepted, but the requirements aren’t that bad. Sometimes hard to find every specific though, like having a domain older than 2 weeks.
I’m dating myself but I used to run qmail on FreeBSD and loved it. When I switched to Linux postfix config and documentation confused me forever and I gave up. FreeBSD docs were so much better at the time. 😬
Receiving mail doesn’t usually seem to be that difficult, sending mail tends to be the challenge. So if you only care about receiving mail it may be easier.
I tried it a few years ago and it was fine until some asshole impersonated my domain and a major spamlist decided to hate my guts. I’m not a professional email admin so updating to the latest and greatest standards wasn’t easy. At least at the time. If you’re okay with bounces and silently undelivered mail it’s probably fine. It’s probably also a lot easier nowadays with scripts and easy how-to guides about how to setup the domain authorization. But my experience really turned me off of the “hey it’s fun to run a mail server” thing. Particularly after Google and others came out with the ability to just use Gmail with your own domain.
I tried it a few years ago and it was fine until some asshole impersonated my domain and a major spamlist decided to hate my guts.
Ah, that sucks. Have been wanting to try hosting my own email at some point but this has got me scared. Will have to do my research beforehand for sure
That’s all fine and dandy until your IP address and/or email address gets blacklisted. Hosting the server is the easy part. Properly dealing with anti-spam measures so you don’t get flagged as a spammer or scammer is the hard part. And before you think that’s unlikely, one of the ways of getting flagged is to run an email service on a consumer ISP network (e.g. comcast).
Most if not all ISPs block the common ports for this reason. So it’s a given to host on bare metal servee with dedicated IP.
But if you are only sending and receiving for yourself, does it really matter? Might matter if you send bulk emails or manage an email dist. But for personal usage, I don’t think deliverability would be an issue
Fine, don’t believe someone that’s done it before. Google “why you shouldn’t host your own email server” and research before you say anything else.
Cool, have been wanting to setup an email server with docker, but mainly for fun/learning and not really to use as a serious email provider. I’ve heard in most cases it’s more trouble than it’s worth and most of the time your emails won’t even be received by the major providers.
Helm used to be one such service. They hosted the IP address and smtp gateway, but you hosted the actual email server. They had no data to hand over; it was in your home. Unfortunately, their service went offline last year.
I’d be interested to know which controversies you’re referring to though?
Mainly the reports @malloc was referring and other things about them misrepresenting how anonymous their email service actually is. Not that I need a totally anonymous email service or need to hide from the government, it just has given me second thoughts about going for them.
Are you satisfied with ProtonMail, do you use their other stuff like cloud storage and the VPN? Do you think it’s worth the extra cost? The VPN has also drawn me to them because I need a VPN that supports port forwarding. Thanks.
deleted by creator
I have one generic company-sounding domain, and use catch-all email address for it, so I can set up randomized name.surename@<randomcorp>.com combinations for every service I need an account for. While it probably doesn’t even make a difference with all the advanced fingerprinting methods that are around nowadays, it feels a little bit smoother than generating a random obviously throwaway email address with some of the disposable email services that are around, and for a fraction of a cost.
Then I have my work emails and one official domain with my name that I use whenever is something important enough that I want to use my real info for. And I also have an email for cases where I need to say my email out loud, which is just spam@<myname>.email. Efficient, and people usually get it right at first try. (But I did encountered a few cases where .email was not a valid TLD, since the filter was set up based on character count -.-)
I’ve been using ProtonMail, and I’m pretty happy with them. I have not heard about the controversies up until now, but I think that it’s understandable that they have to comply with court orders, and unless I’m mistaken they can’t hand over your actual emails, since they are encrypted at rest by your password, right? Since I’m not really worried about having to do anything with police, it’s not a threat model I need to take in consideration. But thanks for the info, I’ll probably find a different provider if something happens with our local political situation. For now, what’s the most important for me is that my emails and data are not used to teach any kind of ML bullshit about how to manipulate or impersonate people, and I think that’s what the ProtonMail encryption provides sufficiently.
Cool, thank you. Yeah I need to buy a domain for email at some point
unless I’m mistaken they can’t hand over your actual emails, since they are encrypted at rest by your password, right?
That is true I believe, they can use the address to identify you but if the email content is encrypted they can’t get the contents. The subject line though is not encrypted.
Same though, I’m not necessarily trying to avoid the police or government but mainly advertising/AI bullshit/ less reliance on google. Do you use proton’s other services, like the cloud storage and VPN?
I have my own NAS where I store most of my files that’s open to internet through a geoblocked Cloudflare Tunnel, and if I need to share something I just use the Synology Drive. I tried setting up Nextcloud, but my NAS is too weak for it and didn’t support it by default, and manual instalation didn’t really work properly so I gave up.
VPN I’ve never found the need for. I was thinking about Mullvad Browser+VPN, since I really like the idea they are going for, but I was too lazy to setup yet another browser. I don’t know how verified Mullvad is, since I haven’t heard much people talking about it and only found it on the new version of privacytools.io - I think it was something like https://www.privacyguides.org/en/. I don’t really know what happened between them and privacytools, or which one is more trustworthy - especially since they have mostly different recommandations.
But the main idea of Mullvad is that it’s I think a fork of Tor Browser for internet, that’s set up to work without needing any extensions and has the same fingerprint for every user, which stays the same since you don’t need a stack of privacy extensions. And it works in tandem with Mullvad VPN, which means that it’s really hard to fingeprint you based on your browser+VPN provider combination, because while you may have be one of the few users of i.e. ProtonVPN that uses Firefox with uBlock, Decentralyes and CookieAutoDelete, so you can still be eventually identified, all the users of Mullvad use the same browser with same origin IP and same fingerprint. And that idea actually makes a lot of sense on paper.
I’m actually a current Mullvad VPN customer, I know of their browser but I haven’t tried it. They’re very privacy friendly, no email required for sign up, and you can even mail them cash to pay. While I like what stand for and think they’re awesome, recently they decided to stop offering port forwarding for their VPN, so I need to find an alternative. My main use case for VPNs is torrenting, so port forwarding helps with that a lot. Proton VPN offers port forwarding which was why I was considering just using them for both email and VPN.
Their browser sounds interesting though, from what I’ve heard it’s basically Tor browser but without the Tor network. The fingerprinting protection sounds awesome, I think one issue with my current browser setup is that I’m probably very unique and easy to fingerprint. So will look into that.
I’ve been on a very slow-burn transition from using gmail (and other google services). Email is hard, since that’s an address others contact you by, so you can’t easily switch providers on a whim. I kinda broke the problem down into steps:
First, buy my own domain, and have the registrar forward all email sent to it, to my gmail account. At this point, I could continue using gmail as the interface, and host, but I no longer had to use it as an address I hand to people/services, I would give them [servicename]@[mydomain.whatever].
Second, I purchased email hosting from the registrar. I continued with the setup, of having everything forwarded to gmail, using it as a host and interface, but used the alias feature to send replied back from any @[mydomain.whatever] address.
Third, I started investigating alternate email clients: thunderbird and fairemail are where I’m currently at, so that I’m only gmail as the email host, but no longer rely on it’s interface.
I haven’t taken the final step, of switching to a different provider (cause I’m a big wuss)… I might wind up doing something self-hosted, but at this point it’s easy enough for me to switch by re-pointing my forwards. Most email comes in/out of an address at my domain, and I don’t depend on gmail to be my email ‘client’.
So all that to say, not that I have an answer for you, but I have a recommendation, to buy your own domain, and give yourself the flexibility to switch around different providers.
I run my own email server(s), one address for personal emails and one business address.
I have a free Protonmail account i seldom use but like because they have a Tor address.
I have a paid Tutanota account to which i’m trying to migrate all my mail, from the free GoogleApps-based university account i used for years. I also have an alias i use as a throw-away-ish address.
I have a free GMX account i briefly used, also with a throw-away-is alias, i might just drop it since i’m on Tutanota now anyway.
I’d love to host my own mail server on a VPS with a domain i own, but it’s increasingly difficult. The big players came up with DKIM, DMARC, SPF and all these funky acronyms for the sake of fighting spam, but they’re also easy ways to make it harder for you to run your own server 'cos they’ll just flag you as undesirable. A form of embrace-extend-extinguish i guess.
And then there’s spam and actually avoiding it.
Still on my ever increasing TODO list, if nothing else for learning purposes.
It really depends on who you “fear”. I mostly use Forefox Relay and have chosen Google (Gmail, Android, etc) as the “devil I know”. If I end up in a state actor’s cross hairs (TLA, etc) I assume I’m a meat popsicle. Mostly I’m trying to thwart internet randos/vigilante and marketing firms that want to violate my privacy and I think Firefox Relay is enough to trip them up.
I don’t view Google as escapable and I think they are under a lot of scrutiny. My view of Google is they want to collect and keep data and sell access as a service without losing their own control of the data. I don’t see them having much incentive to sell raw data to others.
I have a custom domain name I now use for work-related contacts and societies. Currently it runs Google Apps since I don’t want to deal with spamlists etc. But I can easily move it elsewhere with minimal interruption. I almost did during the recent Google Apps drama. I recently changed jobs after being at my previous employer for about 8 years and learned it’s a real pain/time sink to chase down contacts otherwise when you move employers. And my new employer has draconian BOFH email retention policies that maybe make sense for employee email but are just hell for my professional but not employer-tied identity/activities. I don’t use it for work that belongs to [current employer], it’s for work networking things like society memberships, certification agencies, working groups, society committees, etc. Basically work that would apply at any of my employers and would move with me elsewhere.
I hate to admit it but I’m all-in on google, for mail, drive, calendar, meet/chat, Android, oauth. It’s all too convenient.
I have one personal account, one per long-term client/employer (w/their service), and one garbage (for sign-ups and low-priority web accounts). I often use the user+purpose@gmail.com pattern for creating special-purpose temporary addresses. We use sendgrid for sending user emails.
