116 comments

[ 3.1 ms ] story [ 200 ms ] thread
Services like Proton do a good job of keeping the body of the email private, but is there anything they can do about protecting the header information?

Metadata can reveal a great deal.

There's a lot they can do, but then it makes it impossible to search your inbox for old emails by subject, from, to etc fields.

You can reduce what an adversary sees by not including anything useful in the subject line and the only thing you can't protect is who you're speaking to and when.

Security / convenience tradeoff.

Not being able to access the email body already makes full text search impossible, among other things. It is one tradeoff for using Protonmail instead of, say, Gmail.

Encrypting header data would make most operations impossible unless you download your entire inbox first.

STARTLS usage is over 90% these days. So the email server(s) get your metadata but passive network observers do not.

So the providers can work to get that to 100% and mandatory to foil active attacks.

Unfortunately it's rather hard to open an account on Proton Mail, probably for reasons of fighting spam, but it still doesn't help. They e.g. require already existing email, which defeats part of the purpose.
>They e.g. require already existing email, which defeats part of the purpose.

That's optional.

It is optional now, but used to not be until very recently.
Only if you are using their vpn or other free ones. If not, you can create an account with captcha option. Seems fair to me.
>They e.g. require already existing email, which defeats part of the purpose.

purpose of what? being fully anonymous? If all you want is a mail provider that doesn't scan your emails for marketing purposes, it shouldn't make a difference. If you really want to be anonymous, you can always use a burner email (no, not the disposable kind) to sign up.

Gmail stopped scanning emails for ads personalization in 2017. https://blog.google/products/gmail/g-suite-gains-traction-in...
There's no reason to trust Google. Plus even if they don't scan e-mail content, using Gmail still requires a Google account which means 1) you give them your personal information when registering for an account and 2) you are likely to remain logged in while browsing other sites and that is data that they can indeed collect for advertising purposes.
I don't trust Proton Mail.

There's nothing stopping them from sending your browser Javascript that completely compromises your keys.

They've admitted as much when I asked them about this years ago.

I use proton mail just for the privacy guarantees enforced by social pressure on their brand. They hold your PGP keys (you can't give them a subkey of your own private master key) so there's no reasonable security there. In general, I don't think PGP encrypted emails provide much security anyway. If I need to send a message securely, something like Signal provides better cryptographic properties like forward secrecy.

All I know is, I would hear about it very quickly as soon as Proton Mail is discovered to violate my privacy, and that's all I can expect of email. To be honest, the fact that their API is not open sourced and I have to use their web client or mediocre IMAP bridge would make me seek alternatives if I were to reconsider email providers. It would have to be one that has as strong of a privacy-conscious brand, or self-hosting.

>... something like Signal provides better cryptographic properties like forward secrecy.

Forward secrecy only works up to the point your end point gets compromised and only for messages you have not kept. So for the vast majority of people it provides very little value.

It provides no protection against someone who breaks your encryption and something like the Signal Protocol's much greater complexity provides more opportunities to do that.

PGP isn't any better on the first point and on the second point, I would bet the money in my pocket that GPG (being the most dominant implementation of PGP) is far more complex and bug-ridden than Signal's cryptography or implementation are unsound.
GPG is an implementation of the OpenPGP standard. Signal Messenger is an implementation of the Signal Protocol quasi-standard. Comparing like to like, OpenPGP is much less complex than the Signal Protocol. GPG is much less complex than the Signal Messenger.
Depends on where you live and who is your potential adversary.

For someone from Belarus and opposing Lukashenko, ProtonMail is fairly secure service. For Edward Snowden, probably less so.

I avoid ProtonMail, and encourage others to do the same, because of the reasons you stated. They have all the keys. It's security theater, just like pre-2013 Lavabit used to be. Unlike pre-2013 Lavabit, the fact that they have the keys doesn't even result in usability benefits like, you know, being able to use plain old IMAP with my favorite email client.

ProtonMail has been dragging their feet for so long in the interoperability department, it almost feels like they're aiming for vendor lock-in. If they truly were serious about interoperability, they've had plenty of time to create an open standard around their protocol (like FastMail and post-2017 Lavabit has done), or release patches to make their protocol available in widely used open-source email clients like Thunderbird. Instead they've got that mediocre IMAP bridge you mentioned. No thanks. When I choose an email service I want to retain the ability to export all my data and leave on short notice, without having to depend on non-standard tools.

"I use proton mail just for the privacy guarantees enforced by social pressure on their brand."

There are no such guarantees. Social pressure on their brand did not stop Enron or Madoff from committing fraud. Nor did it stop millions of others from committing various crimes, atrocities, and other unethical acts throughout history.

In the realm of email providers, the case of Hushmail[1] serves as an instructive example.

Hushmail is an email provider that provides a service similar to ProtonMail, but:

"Developments in November 2007 led to doubts, amongst security-conscious users, about Hushmail's security, specifically, concern over a backdoor. The issue originated with the non-Java version of the Hush system. It performed the encrypt/decrypt steps on Hush's servers, and then used SSL to transmit the data to the user. The data is available as cleartext during this small window of time; the passphrase can be captured at this point, facilitating the decryption of all stored messages and future messages using this passphrase. Hushmail stated that the Java version is also vulnerable, in that they may be compelled to deliver a compromised java applet to a user."

and

"Hushmail supplied cleartext copies of private email messages associated with several addresses at the request of law enforcement agencies under a Mutual Legal Assistance Treaty with the United States.; e.g. in the case of United States v. Stumbo. In addition, the contents of emails between Hushmail addresses were analyzed, and 12 CDs were supplied to U.S. authorities."

Incidentally, despite all this, and what you'd expect to be "damage to their brand", Hushmail is still around, and I'd expect many of their users have never even heard of any of this.

[1] - https://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_...

To be clear, I am connected enough to security-conscious social media that I think I would hear about it if someone found it out. I agree with you that someone who isn't at least a little bit diligent would miss news like this.

Let me also reemphasize that I don't consider email to be a secure or confidential medium of communication at all, even with PGP. I only want that my inbox is not sold to advertisers and the security practices of my provider aren't utter garbage. Maybe the fact that they're in Switzerland helps me in some ways, but if I had a state adversary I wouldn't bet on it.

The problem is that ProtonMail could violate your privacy by sending you Javascript that gave them your keys and you'd never know about it.

Relying on hearing about compromises in the news only sort-of works when:

1 - such compromises are revealed

2 - they're big enough to make news in the first place

3 - your own data hasn't yet been stolen, so you have time to change services after you hear about the compromise

None of these is guaranteed to happen ever.

And even if you did hear about some compromise in the news, it could be far too late for you, as your data (the data ProtonMail is supposed to protect) could already be in somebody else's hands.

> The problem is that ProtonMail could violate your privacy by sending you Javascript that gave them your keys and you'd never know about it.

I think we don't agree on how proton mail works. As I understand it, they already have my keys. You can't even give them just a subkey, it only works if you upload a set of PGP keys including the master secret key. What is your understanding of how it works?

As for your other concerns, unless I am conversing only with myself, the attack vector for my data is the entire e-mail ecosystem. Even if I only talk to people who use encrypted email, they are also part of my threat model, even if I don't trust a provider with my keypair. e-mail is simply not secure. It wasn't meant to be secure; security cannot be bolted on top.

What is your threat model and how do other providers or self hosting achieve your desired level of security?

"As I understand it, they already have my keys."

From: https://protonmail.com/security-details

"ProtonMail's zero access architecture means that your data is encrypted in a way that makes it inaccessible to us. Data is encrypted on the client side using an encryption key that we do not have access to."

That is a very interesting claim on their part considering that they hold the private PGP keys used by their service. I'll have to figure out what they mean by this.

Edit: Ok I see. They store the PGP keys encrypted with your password. Like you said, they could just as well inject javascript to phish your password from your session.

But this does seem to mean that if one uses their API directly it would be possible to securely use their service. Thanks for the heads up. There is a third party open source bridge that reverse engineers their API. I think I will look into it to see how authentication is done.

https://github.com/emersion/hydroxide

I'm a happy Protonmail user, but The lack of quality of their bridge and import/export tools will cost them quite a lot on the long term. It's a bit sad to see. The UX work is really lacking there. On the other hand their current web interface is quite fast and straightforward.
That's doesn't sound like a reason not to trust PM specifically, but an indication that you want a zero-trust solution. Trust is an orthogonal concept to risk. Trust mitigates risk, it isn't a term for the absence of risk.
Who do you trust? Are you rolling your own secure email? Do you trust them more or less than Gmail?
I trust them less because their privacy claim around email (and really their entire service) is dumb.

It’s good to use your own domain, it’s good to use a non ad-driven business model like fastmail (though even this is mostly for the user experience and not security)

Beyond that “secure” email when you’re largely communicating with other @gmail users, isn’t a thing.

Google has some of the best security researchers in the world, I’d trust their employees to do a better job than proton at securing the service itself.

Email should be treated as largely public (for personal use) and not used for sensitive communication. It’s a little different in a corporate setting, but then you’re not using proton mail anyway.

Got it, I agree with this assessment. I know you're not the OP, but I was kind of looking for what they meant by "trust" and who gets included under that umbrella.
Always the same question: what's your threat model?
> The number of Google searches in all languages for privacy-focused Gmail alternatives

The irony here. I wonder if the number of people searching for Google search alternatives on Google is up as well?

Yes and even if Linux was a true alternative on phones you would still leak a lot to your ISP (they can triangulate your position using cell towers and unless you use a VPN they know every websites you connect to).
Reminds me of what I considered to be the only use of Internet Explorer on Windows 95 was to download Netscape!
At the core, google and other companies sell your data for advertisements, at best, at worst they're sending it all the NSA or some other black box.

I recommend everyone BUY A DOMAIN. Then switch providers. you can always switch with your own domain.

The select a provider based on thier offering be it protonmail, fastmail (shameless plug), or others

>At the core, google and other companies sell your data for advertisements, at best, at worst they're sending it all the NSA or some other black box.

Post Cambridge Analytica I'm not sure which is worse.

No worries, the NSA will see it all anyways :) There's no privacy on the internet.

That said: I'd love to run my own e-mail servers, but Yahoo does a pretty good job keeping spam away from me and offers enough convenience that I just stuck with it.

Happy to consider alternatives I can run on a cheap instance somewhere.

Yahoo, really? I get a lot of false positives w/ them.
> I recommend everyone BUY A DOMAIN.

you will end up having most of your conversations with gmail or outlook users so that would not change anything

This is the only correct response to this problem, and it needs to be seen more prominently.

E-mail in 2020 is not secure against a motivated attacker. It doesn't matter how secure and woke your provider is, when:

1. Everyone you talk on an e-mail thread gets a copy of the entire e-mail thread, to do whatever they want with.

2. You can't control the present and future security of other people's providers, or the present and future security of the computing devices they use to read the e-mail you send them.

Now, if you want to LARP, you can try setting up a mailing list for your friends who only use secure providers (For whatever definition of secure you want to use), and only limit your use of a single e-mail address to that mailing list. Great. Go for it. Write a blog post about it, even. But that's not going to solve the fundamental problems of #1 and #2 for the rest of the world.

Now, if you actually want security (as opposed to 'I want to LARP at security'), take a page from conspiracies in the financial sector, and don't use e-mail for any conversations that you'd like to remain secure.

Securing e-mail is a waste of time. It can't be secured, because of 50 years of social expectations about how e-mail should behave. (Other people retain copies of your e-mails, and other people can choose which provider services their address.) You can spend that effort on trying to secure a different communication protocol, which does not have those 50 years of social expectations, and that will probably lose to e-mail (Because those two security holes provide users with value, and when it comes to value versus security, security will lose every time.)

The link may say that more people are looking for a private email inbox, but I don’t think most people are willing to pay the price of a domain and an external service. The latter is practically an oligopoly currently because of the lack of options; in terms of price, email services are a complete rip-off.
They're not willing to pay because they don't know that you can buy domains in the first place. Most of the time when I tell someone my first@lastname.com they're like ...and that'd be @gmail.com?
Or they don't want the hassle and find it too difficult and/or daunting.
Anecdotally confirmed by the number of times people react with some level of amazement when I tell them my email address is myname@myname.com. "How did you get that?", etc.

EDIT-after-parent-edit: That, too, regarding "and that'd be @gmail.com?".

I run a service that lets you hand out burner addresses that you can make up on the fly.

It does raise an eyebrow or two when I tell someone my email is theirname@myname.domain

Yes, and it's even worse when you're using a "new" TLD like .family. Almost nobody (based on personal anecdotal evidence) outside of tech is even aware those are now valid domains.
When even a .co is considered a typo, I think we've a long way to go with this...
Nah. I use gTLD's for my email. '.co' is just bad because it indeed looks like a missing character.

Things like '.family', '.wtf', etc. are less of a problem. At most people ask "what, no .com?", and that will be it.

I personally love mine. firstname@pobox.com. it's really easy to say "P O box" over the phone and everyone just gets it.
I have a service with one customer (me) that lets people email me via my phone number. For example: 732-757-2923@telephonemail.com (this isn’t the actual domain I use).
Since SMTP transfers things unencrypted, you kind of have to assume that a bad actor with reach as wide as the NSA's is intercepting all your email regardless of who your provider is. There's really no solution there, since the company from which you order your suppositories isn't using end-to-end encryption to send you their order confirmations.

That said, I still 100% support getting off of the free email providers in order to wave a middle finger at surveillance capitalism.

>Since SMTP transfers things unencrypted

But that's false. They're encrypted with TLS. It's just not end to end encrypted.

Doesn't most server support STARTTLS by now?
This is basically it. If you trust an entity, great, if not, move and update your DNS maybe even host your own if you're up to the challenge.
I have my own domain for blog, e-shop and e-mail.

Not everyone is even contactable from my own domain. The IP address used to belong to some spammers several years ago and some blacklists are still there.

Also, my newsletter, even though it uses double opt-in, triggered some automatic mechanisms of Spamhaus. I ended up on a blacklist several times. Fortunately, I was able to argue my way out and after the last incident, they must have updated their lists.

But those were bad times, no one could literally post a link to my blog onto Twitter etc.

Have you considered registering a brand new related email that doesn't have the negative association with it?

My company name was too long, so we registered a domain for our email that was just our initials and it was nicer to type, and really easy to set up.

The problem is that my blog already has some recognition. Surname dot net.
Or get a custom domain to use with gmail, best of both worlds!
Or you could just ditch Gmail and all of Google's shady practices.

There is clearly some merit to Proton Mail's privacy claims. Even Google goes out of their way to try to scrape data from ProtonMail: https://old.reddit.com/r/ProtonMail/comments/9yl94k/never_co...

Auto translate pages was quite a handy feature, you are probably complaining about it being enabled by default.

Until some time ago there used to be a prompt indicating that the page was translated. But haven't used chrome in a long time.

But what happens when half or more than your emails go to Gmail accounts? Google still see them.

I have my own domains, POP mailboxes hosted by my domain providers which also provide SMTP servers (I don't feel like self hosting) but I know Google know most of what I write.

The trouble is that opens another attack vector. This story[1] (previously discussed on HN[2]) comes to the opposite conclusion.

Who is right? Is there a consensus in the security community?

[1] https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...

[2] https://news.ycombinator.com/item?id=20927465

Unfortunately we rely on registrars for too many things nowadays, which is probably as bad as our enormous trust on commercial certificate authorities.
> The trouble is that opens another attack vector. This story[1] (previously discussed on HN[2]) comes to the opposite conclusion.

> Who is right? Is there a consensus in the security community?

There might not be one best answer. There have been many other stories on HN of people loosing access to their Gmail accounts, and having no recourse with Google to regain access.

My gut feel is the best any of us can do is to set up our digital lives so that our accounts are "misaligned" to make it more difficult to use social engineering to pivot between them. For instance, in the story you linked, they key to an actual attack was a shared credit card number between Paypal and Godaddy that was used for verification. Ignoring the fact of how stupid it is to use just 4 digits for such a task, it would have made that path more difficult for the attacker if he'd used a dedicated card for Godaddy (given his domains were valuable enough to him that they could be used to extort a $50k twitter handle from him). Having different, secret, email addresses/domains attached to important accounts could also provide a stumbling block.

But it's also worth noting that much of the attacker's planned attack failed, and he only succeeded in the end through extortion.

The only thing preventing me from leaving Gmail is that they have awesome clients (web, android, iphone). And all of them sync well. Does anyone else have this?
I don't know about Proton, but right now I cannot think of anything missing from FastMail that exist in Gmail -- they even support label now. The clients are better than Gmail, IMO.
They lack automatic translation of emails. Not a big deal, but in gmail it's one click away and with fastmail you have to copy-paste.
If you depend on Google suite, you might miss out on features provided by the online office tooling.
All email clients (non-web) do the same thing (including sync). And you can plug imap/smtp into almost every email client.

As for the gmail web client, various services are providing similar interfaces on their email service.

Awesome clients? For android try ninemail (if you are calling android default email client awsome you wont come to your breath for next 2 weeks ;). For web you have gazillion of them, from roundcube to horde and nextcloud plugin (anyway, its just a user interface, protocols are standardised (mostly IMAP beeing used for accessing mail and any client supporting it can read emails). But yep. It is for self hosted people. And I think that everyone in 2020 should be self hosted (I thought that in 2000 too but it is just getting worse, everyone locking himself into some vendor jail, one way or another).
Or K9 if you want an open source client to inspect the source code if you feel like it's necessary to ensure that the app works as intended.
If you are focused on privacy, you probably aren't using a client app. Browsers are the way to go, particularly on mobile devices. They allow you to more easily prevent data being stored on the device. The simple presence of an app evidences that you have an account with that service whereas a browser, absent bookmarks, reveals nothing. I don't hesitate to unlock my phone for airport checks. They aren't going to find anything, nor be able to say I have an account anywhere.

(A great thing about HN is that you don't need to have an account in order to read articles. So I can bookmark it on my phone without worry.)

Since the browsers are a spyware on their own, especially chrome, this is not really true. And fingerprinting, cdns, etc. doesnt really provide you privacy. And local storage, history, cookies, syncing bookmarks to google etc. doesnt help either. We could argue about ssh / rdp access but browser is surely not a way to go.
But if you use an open browser you have at least a hope of addressing those issues. The app is a black box you just have to trust.
Not really (I am quite proficient at reversing, but this is a special case ;) ).

Browser is a huge, unreviewable (well not true but there is not just simple to reverse java code but also arm dissasembly to be done and that part can take forever), black box that you have to trust and as you dont use it for one single task (as for instance mail client - there is exactly one ip address where it needs to connect to in my case - to my mail server - and my mail client is allowed to connect exactly there and nowhere else) you cant "jail" (pun, not as bsd jail) it. And I dont use any google spyware on my android phone, like GMS.

This might be of help to you, I have reviewed the code and if you pay a donation directly, it wont do anything fishy (and I am building my own version and diffing every version with my baseline - for 2.266 I can guarantee it is safe): https://github.com/M66B/NetGuard

It's possible to value (incremental gains in) privacy without taking it to such extremes. I definitely wouldn't want to go to such lengths, and I'm probably somewhat more privacy-conscious than many.
>Does anyone else have this?

Everyone has this. It's called IMAP.

IMAP is not a cross-platform client. It's a protocol.
Yes. That's why everyone has it.
Is it possible to configure Fastmail's web client to connect to an arbitrary CardDAV and CalDAV server?

Partner is a die-hard webmail user who detests native desktop clients. I'd like them to be able to use Fastmail webmail with my self-hosted calendar and contacts.

What Gmail data do you believe is used for advertising? What would convince you that it was not?
I've been incredibly happy with mailbox.org.
On a related note, DuckDuckGo's growth trajectory is amazing:

https://duckduckgo.com/traffic

Maybe a desire for privacy is driving this. Or maybe Google's increasing bias, or ad saturation, or AMP, or something else...

I use DDG on my mobile device now. I switched when Google started showing images in the omnibox as I typed in search terms. I found it useless and distracting but (of course) Google knew better and didn't offer any way to disable it.

Generally I'm pretty happy with DDG results and don't feel the need to switch back to Google. I have seen a lot of scam ads on DDG which I've reported but never received a response to. The new Apple map integration seems to work pretty well even though I'm on Android.

I'd wish DDG would either provide their own email service or create a front-end for your choice of mail providers (i.e. iCloud, Protonmail, etc).

I'd love to move away from everything Google (further support a company who is pro-consumer) to a company in which i trust and whose business model/ethos is privacy.

I just want Duckduckgo browser on desktop. Obviously its just chromium with a "delete history" shortcut built in, but the way their mobile browser inverts the way you think about privacy really helps. It inverts your browsing experience from "We will save all your cookies, history and data unless you clear it" to "We will delete your cookies and history constantly all the time unless you specify the websites you want to have your stuff saved on."
What is the real appetite for privacy? It's talked about a lot and I believe in it personally. Everyone I talk to says it is important to them but are totally uninterested even in modifying settings with existing providers let alone changing. There is a very strong disconnect between what people say and do on privacy.
I think most people simply don't care, regardless of what they say. Convenience really rules the world.
anyone in a FVEYs, or 14EYs, or 22EYs country should use Yandex mail. hosted in Moscow.

FBI cant issue an NSL to read every email you sent or received to construct your patterns of life to more easily parellel construct you or blackmail/coerce you into compliance.

even NSA has to tread lightly, and cant just casually feed your emails into XKEYSCORE, because if they get caught, then Yandex with the assistance of FSB will kick out NSA and/or hack back or retaliate with active measures. so NSA would only risk blowing their Yandex collection for very high National Priority targets. not you.

in a sense, the smartest surveillance evasion tactic is to hide in the fog of cyber war between the Nation States. if you're not Baghdadi or Carter Page, you wont have to worry as much.

plus, Yandex mail is better than gmail. Yandex is what gmail was 10 years ago--simple UI, no bloat, no ads, no spam, no BS. Yandex has a mobile email app too. better, you can host your private DNS on Yandex, then use Yandex for your private domain's emails.

and unlike Google, who is probably selling your info about you from your emails to an ecosystems of ad spammers and "database of ruin" analytics spy companies, Yandex is not. thanks to US sanctions on Russia, your data is effectively siloed off from the US market.

finally, consider the Shadowbroker hacker used Yandex to leak the stolen NSA EQGRP files. has the Shadowbroker been caught? nope. Yandex security looks better than anyone else's.

we live in interesting times, when Russia is now a safer place to store your data than the US. the world has gone mad.

Do you know if Yandex mail has a friendly API? One of the things that keeps me on Gmail is that they have an API with many language bindings that I have used on occasion.

Also, I see that they have their own browser?? https://browser.yandex.com/ I assume it's just a rebrand.

i highly recommend Yandex browser. it is a Chrome fork, but it appear to be heavily modified with extra security features added. Such as DNSSEC pointing to Yandex's own DNS servers. I presume everything that phones home to Google has been ripped out of Yandex browser, much like Ungoogled Chromium. I like Yandex browser mainly because it puts the URL bar at the bottom. Google removed that feature years ago. Yandex browser also integrates with all of Yandex's services, like Mail and Disk.

and yes, Yandex has an API for everything. You don't need language bindings as long as your language speaks HTTPS.

even if you use protonmail and your correspondence use google the “privacy” claim is pointless...
Unfortunately with encrypted mail like ProtonMail you can't setup email filters that act on the contents of the email; only the headers. This makes it harder to keep organised and fight unwanted mail so I've gone with fastmail
There is one rather ugly privacy threat that I seldom see discussed even on HN.

The spam fighting services. First of all, I'm not sure whether they are being run locally on the mail servers or maybe the mail servers forward our emails body to a third party anti-spam service to get a "spam score".

And secondly, after being assigned a "spam score" a part of your email may end up in the headers as "X-something" where the anti-spam service describes why it didn't like your email. And we know that many 3-letter agencies collect as much email metadata (e.g. headers) as they can sniff out. So, you should know that the first X bytes of your unencrypted emails are less private than the remaining part, because they can be part of the metadata.

Spam detection is run locally on the receiving mail server, and adds the result information to the email as the "X-something" header fields you are referring to as part of the receive pipeline. See e.g. rspamd.

Should you forward the email with these header fields intact, then all it does is reveal a bit about your mail providers' infrastructure, which is already entirely public information.

I've seen small parts of my email body in the "X-something" headers inserted there by the anti-spam service. I can try to find an example later when I get to my desktop.
I don't have memory of such behavior, but even then, this is in your receive pipeline, reading plain-text, publicly readable email meant for you and appending something to its plain-text, publicly readable header meant for you, all in order for the server to present this information to you/your mail agent.

I don't see why any of this would lead to any amount of concern, but feel free to present the header field you refer to.

I am looking for a world where email does not exist.
I see people discussing different alternatives, but for me there are very few viable solutions that would be nearly as good as gmail. And actually I don't like it this way. I hate to use the m word here, but it's kind of monopolistic for me.

And seriously, this is an email period it was invented how many decades ago? It should be easy to have something that works very well with offerings from multiple providers.

As you dig deeper, there are a lot of little details that give Google the advantage. I'm not expert enough to describe all of them in detail, but certainly part of it is we have big players who are dominant on Android and Apple making it difficult for small players to catch up. We also have, as one person pointed out, blacklists and not being easy to get around that with other providers because Google is so dominant in this space too.

This is really just an ad for Proton Mail.
My problem with ProtonMail is their requirement to use their bridge software for 3rd party mail apps and their requirement to use only their mobile application.

I get the limitation because of the encryption, but I wish I can just turn off the encryption for specific apps. I don’t need my mail encrypted in flight, I just don’t want it sitting on Google servers. For that ProtonMail is overkill.

Is someone at Firefox listening? This is a service you can monetize right now.
I wasted a good bit of time looking through their page to see if ProtonMail bridge would work with arbitrary tools like offlineimap and found it nowhere there so for anyone else with the same question. It appears it does.

https://spaceandtim.es/code/protonmail_mutt/

I barely use email anymore, and I don't really use any chat apps.

I think about moving off Gmail, but 99% of my emails are from retailers I shop with.

Newsletters are now RSS, email with humans.. doesn't happen much, etc etc.

Business emails are not very interesting -- we use secure methods to share info when needed.

Email is.. to me personally, not very important anymore.

(I show up to my accountant's office to sign things.. I keep looking for something that I need to secure.)

Perhaps a bit off topic, but I created a service that at least hides your real email address when signing up to services.

Its not a new idea, but I wanted to build something mostly for myself. So it is rudimental, but works.

https://mailphantom.com/

Mine has been working out well for the past, I don't know, close to 10 years: exim4 + dovecot running on Debian. I'm the only one with access to the OS, software, and data, and TLS works, so I'm pretty confident that it's at least as or more private than any hosted solution. It feels weird that self-hosting is seen as such an outlier case these days, but it's not difficult to set up and maintain.