Ask HN: Secure email provider
Countermail allows to upload your public key so that any non-encrypted incoming email es encrypted in the inbox. A few others also looked good for one or another reason including some in offshore locations for extra privacy/anonimity. Then I tested them on Qualys SSL tool and some other tools and the rating of most was terrible. Countermail had a C rating, what a dissappointment.
PFS = Perfect Forward Secrecy DANE = DNS-based Authentication of Named Entities
My findings where: - Germany based posteo.de has an A+ SSL rating, incuding PFS and DANE, can encrypt incoming email with your public PGP key, problem is you can't use your own domain, although they do have many domains you can choose from. - Germany based mailbox.org has an A+ SSL rating, including PFS and DANE, can encrypt incoming email with your public PGP key and you can use your own domain. - Belgium based mailfence.com has an A+ SSL rating including PFS, but no DANE. Can encrypt incoming email with your public PGP key and you can use your own domain.
Please note both Germany and Belgium are 14 eyes countries. They have good privacy legislation but if a court warrant was served to give information about a user they would have to comply.
Posteo.de claims that they don't provide possibility of using your own domain so that they don't know anything about you, so they have privacy in mind. In my case it was for a business email so I wanted security and being able to use my domain.
Mailfence donates to Electronic Frontier Foundation and Digital Rights Foundation but doesn't support DANE for now. Is DANE that important?
Any other service on par with these that you know? What are your thoughts?
9 comments
[ 3.1 ms ] story [ 32.3 ms ] threadhttps://blog.fastmail.com/2016/12/20/dnssec-dane/
It's certainly a bit of work but it may be worth your effort.
Check out https://mailinabox.email
The biggest downside I've run into with MIAB running on DigitalOcean is being being blacklisted by AOL. Other services like Gmail and Outlook might send emails to a users spam folder until they mark them as "Not spam". It took me a bit of fine tuning on my end to get my "Spam Score" down to less than a point or two but that was really a good exercise to go though.
There were other benefits I hadn't considered though, like the built-in DNS server that comes with MIAB. I ended up moving the DNS records for most of my sites over to it. And it manages SSL certs automatically for domains running on it, or that use its DNS server.
It was time consuming to get it set up right though. I went through the process 3 times before I began to understand what was needed.
There is a reason most secure providers don't use DANE.
https://sockpuppet.org/blog/2015/01/15/against-dnssec/