Private & secure email?

Better not spill those government secrets then? :sunglasses:

Posteo gets my vote, it’s cheap and 2GB of email space for 1€ lasts you a long time until it’s all cluttered up.

1 Like

I’d like to make a quick note to dissuade people from using the terms private and secure in one sentence when talking about email. Email cannot be private since it relies on public MX records and well known domain names. Although you can obscure your identity by using foobar mail addresses, it’s kind of pointless for the use case, which is to be able to be found and communicated with.

If you do want control over your email (i.e. privacy and security), run your own. And, yes, you can communicate with all big services if you do your best to at least do SPF + DKIM and strict TLS on the transport level.

My mail servers only communicate (via SMTP and IMAP) via SSL. They also refuse to use older TLS (1.2 is the minimum). So the transport is relatively secure. I run a gpg encrypting remailer (well, two, one called schleuder and one called gpg-remailer). The fact is, only recently has it been possible to get people to use tools like gpg. And, sadly, I don’t see that changing (Thunderbird notwithstanding).

Now, anyone who looks closely will see that I’m NOT using DNSSEC. Though I do use the other bits of DANE. So I’m not even doing ‘all’ that I can where security is concerned. Why? Well, my emphasis is neither on privacy, nor security. I just want CONTROL over my email. Just like I have the keys to my physical mail box. Thank you. Very much. keys.openpgp.org

5 Likes

I disagree with such a simplistic statement: While it is true to a certain extent for metadata (i.e. “who communicates when with whom”, unfortunately including the “Subject:” line), it is not true for the email proper (i.e. the “email body”), when using end-to-end encryption (by OpenPGP, specified by RFC 4880, or S/MIME). The tools have been there for a long time: Thunderbird (OpenPGP and S/MIME), Microsoft Outlook (S/MIME is built-in, OpenPGP with Gpg4win’s plug-in GpgOL, which can also replace Microsoft’s clumsy S/MIME implementation), built into KDE’s KMail / Kontact (OpenPGP and S/MIME) and Gnome’s Evolution, K-9 Mail with OpenKeychain (only OpenPGP) on Android or AAS / AlienDalvik, etc.
It is up to the people to utilise these tools or to continue to write emails open as postcards.

Also, great progress has been made in the past decade to raise the security bar for email metadata and unencrypted email bodies on the transport layer: Most email hosters do use SPF + DKIM and strict TLS nowadays (inform yourself whether yours does), hence even unencrypted emails (“postcard-style”) can only be inspected by the MTAs which handle them, but not by any internet exchange. It is also up to the users to check that their email clients strictly use SMTP and IMAP (or POP) over TLS (≥ 1.1) with STARTTLS.

But I fully agree with the core point @poetaster implicitly made: For email you will by design always have to fully trust your email hoster WRT all email metadata and all unencrypted email bodies; if you are using a web browser to access email and hence let the email hoster handle your private keys (“bad idea™”), also encrypted email bodies. Thus, if you do not want to trust a third party to host your email accounts safely, run your own email server (as @poetaster already pointed out), which does require some know-how and continuous effort.
Naturally your correspondents’ email servers also have access to all this information.
TL;DR: Use K-9 Mail with OpenKeychain (supports only OpenPGP) on Android or AAS / AlienDalvik for SailfishOS to encrypt your e-mails, and choose your email hoster well, if you want “private & secure” email on mobile devices.

3 Likes
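The post above says to check whether your email hoster publishes SPF and enforces strict TLS. Here is an added example (not code from any poster in this thread) that lints a domain's SPF, DMARC and MTA-STS TXT records for the weak settings a receiver would notice; the records and the domain `example.org` are constructed samples, and live records would be fetched with `dig +short TXT <name>`. DKIM is left out because checking it requires knowing the sender's selector.

```python
"""Lint mail-authentication DNS records: SPF, DMARC, MTA-STS (strict inbound TLS)."""

# Constructed sample TXT records for a hypothetical domain; not real DNS data.
SAMPLE_RECORDS = {
    "example.org": ["v=spf1 mx ip4:192.0.2.25 -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"],
    "_mta-sts.example.org": ["v=STSv1; id=20240101"],
}


def parse_spf(txt_records):
    """Return the mechanisms of the single v=spf1 record, or None if absent/duplicated."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208: zero or several records is a permanent error
        return None
    return spf[0].split()[1:]


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and MTA-STS records."""
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)


def lint_domain(domain, records):
    """Return a list of findings (empty means all three controls look sane)."""
    findings = []
    spf = parse_spf(records.get(domain, []))
    if spf is None:
        findings.append("SPF: missing or ambiguous (need exactly one v=spf1 record)")
    else:
        last = spf[-1] if spf else ""
        if last in ("+all", "all"):
            findings.append("SPF: '+all' lets anyone send as the domain")
        elif last == "?all":
            findings.append("SPF: '?all' is neutral and gives receivers no signal")
        elif last not in ("-all", "~all") and not last.startswith("redirect="):
            findings.append("SPF: no terminal 'all' mechanism")
    dmarc = [r for r in records.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no policy published")
    elif parse_tags(dmarc[0]).get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors, it does not protect")
    # MTA-STS tells sending MTAs that TLS to this domain is mandatory, not opportunistic.
    if not any(r.startswith("v=STSv1") for r in records.get("_mta-sts." + domain, [])):
        findings.append("MTA-STS: not published; inbound TLS stays opportunistic")
    return findings


if __name__ == "__main__":
    print(lint_domain("example.org", SAMPLE_RECORDS) or "no findings")
```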

To @olf’s excellent advice I wanted to add that the key server infrastructure has improved in the past 10 years so as to be usable :wink: keys.openpgp.org. On said server you can also find some nice terse how-tos to help you disseminate and manage keys.

2 Likes

I’m using Startmail, works great with all the inboxes