Did you know that Gmail, Outlook, and many other big email services think they can read your emails and sell them?

That's why we're here to help find some safe alternatives!

1. Runbox

2. Migadu
Credits to @sir for helping me on this one!

Hope you enjoyed, and stay safe!

@thsprsntdrknss @Tommy Tommy originally included these and I explained to him why they were wrong. Thread here:

@sir @Tommy I respect your argument but I have to disagree. Proton supports PGP and has a track record of not having anything to turn over to authorities. I do agree that it is a risk to put your security in someone else’s hands but I think for 90% of people these services are just fine and will suffice. But I respect your points and arguments.

@thsprsntdrknss @Tommy privacy is built on math, not trust. Anyone who asks you to trust them on matters of privacy is not deserving of your trust.

You're being this person right now:

@sir @Tommy you’re asking me to trust you right now. I’m not doubling down on being wrong, but I think you’re gonna have a hard time getting the average person to self-host their own email server. You have to accept that privacy is a sliding scale and, additionally, that no digital medium is perfect anyways. You’re being this person right now:

@thsprsntdrknss @sir @Tommy that's odd, I didn't see anyone recommending that anyone should self-host mail infrastructure in this thread.
It seems the target of that comment was made of straw.

@thsprsntdrknss @Tommy I don't recommend self-hosting. I recommend choosing service providers who are honest about the privacy guarantees that they can and cannot make, and don't choose convenient answers which allow them to foster an environment of vendor lock-in. Wake up, sheeple!

@sir @Tommy so genuinely asking: what makes these services more desirable than Proton or Tutanota if it’s not self hosting?

@sir @thsprsntdrknss @Tommy does proton make untrue claims about privacy? Or is it that components are not open sourced?

@sir @Luke @Tommy I'm not calling you a liar because you probably know way more about software than I do, but do you have any hard evidence of your claims? I like evidence when making my decisions.

@thsprsntdrknss @Luke @Tommy these are mathematical truths. I've explained it a dozen times to a dozen different people on Mastodon.

@Luke @sir @Tommy To my knowledge, it says that its apps are open source, that it does not have access to your keys, and that it does not store any metadata except login IP which can be disabled. I could be wrong, but that was the impression I was under.

@thsprsntdrknss @sir @Tommy even if a mail hosting co. open sources the server, you can’t know they are running that specific code anyway, no?

@thsprsntdrknss @Luke @Tommy
1 -> its clients are open source, but the server is not, and you have to pay to access your data (YOUR data, which YOU own) via standard protocols like IMAP & SMTP

2 -> they may not have access to your keys today, but web applications are inherently unsuitable for keeping secrets from service providers and if you log into the webmail tomorrow they could trivially exfiltrate your keys - this is only the illusion of privacy

3 -> what they tell you they log and what they actually log can be entirely different and you would never be any wiser to it.

4 -> you didn't mention this, but they claim to encrypt incoming emails transparently, but there's nothing to stop them from siphoning off the plaintext and, again, you would never notice. This gives you a false sense of security and de-emphasises end-to-end solutions like PGP which actually work.

@sir @Luke @Tommy Those are all completely fair points, but if I may play devil's advocate:
1) But I can still access my data via their website? Just because I can't download my data doesn't mean they aren't showing me all my data? I don't get the connection there.
2-4) Isn't that true of any non-self-hosted service?

@thsprsntdrknss @Luke @Tommy
1) Vendor lock-in is a problem no matter how you slice it. They conveniently lack these standardized features for the express purpose of hoarding your data away from you, and then lie to you about made-up privacy reasons for doing so.

2-4) not necessarily. Services can be designed to avoid the (2)nd problem by not handling your secret data in a context which they can secretly update. (3) can be minimized by reducing the amount of data which is transmitted to them in the first place. (4) can't be avoided, but they should be upfront with the limitations of their approach and not sell it as a perfect solution. If they wanted to improve (4) they should be working to improve and standardize end-to-end approaches like PGP, or something new if they can't stomach PGP.

@sir @Luke @Tommy Also, afterthought related to #4 specifically: PGP doesn't encrypt metadata, so with any service - Proton, Mailbox, Gmail - what's to stop any service from logging your metadata? PGP isn't a foolproof option either.

Correct me if I'm wrong. Again, I do not claim to be a tech expert. I'm a fucking bass player.
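As an added illustration of the metadata point raised above (a constructed example, not code from anyone in this thread): a PGP/MIME message laid out per RFC 3156, with a placeholder instead of real OpenPGP ciphertext and example.org/example.net addresses, plus a function that returns what a hosting or relaying provider can still read from it even though the body is end-to-end encrypted.

```python
"""Which parts of a PGP/MIME (RFC 3156) message stay readable to the provider."""
from email import message_from_string, policy

# Constructed sample message. The "ciphertext" is a placeholder, not real OpenPGP data.
SAMPLE = """\
From: alice@example.org
To: bob@example.net
Subject: Q3 budget (still readable!)
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <constructed-id-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

PLACEHOLDER-CIPHERTEXT-NOT-REAL-OPENPGP-DATA
-----END PGP MESSAGE-----

--b1--
"""

# Header fields a mail server needs (or routinely keeps) to route and store the message.
ENVELOPE_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")


def provider_view(raw):
    """Return (visible_headers, opaque_part_types, is_pgp_mime) for a raw RFC 822 message.

    visible_headers holds every envelope header present in plaintext; opaque_part_types
    lists the MIME parts whose content the provider cannot read without the recipient's key.
    """
    msg = message_from_string(raw, policy=policy.default)
    visible = {h: msg[h] for h in ENVELOPE_HEADERS if msg[h] is not None}
    is_pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                   and msg.get_param("protocol") == "application/pgp-encrypted")
    # In PGP/MIME only the application/octet-stream part carries the actual ciphertext.
    opaque = [p.get_content_type() for p in msg.iter_parts()
              if p.get_content_type() == "application/octet-stream"] if is_pgp_mime else []
    return visible, opaque, is_pgp_mime
```

Running `provider_view(SAMPLE)` shows the sender, recipient, subject line, date and message ID all in the clear; only the octet-stream part is opaque, which is exactly the metadata the thread says PGP leaves exposed.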

@thsprsntdrknss @Luke @Tommy see my other reply - if they take issue with limitations in PGP, they should work on new or improved standards which *can* make the same or better privacy guarantees, rather than *reducing* the privacy guarantees and pretending it's better.

@abloo @sir @Luke @Tommy In response to 4, isn't Proton based on PGP? Don't they basically just streamline the PGP process? I agree they could do more but it's not like they build their own encryption like Telegram or Tutanota. And in response to 2 and 3, how do the services you recommend conform to them? Again, seriously asking. I want to learn. I want to improve.

@thsprsntdrknss @abloo @Luke @Tommy protonmail has limited PGP support but it's not what their solution is based on. Even if it were: it's not a valid excuse for IMAP/SMTP, that's just a convenient way to secure vendor lock-in for them.

I have made my email provider recommendations available here:

@sir @thsprsntdrknss @abloo @Luke @Tommy hey could you explain briefly how the providers you listed solve the problems you listed? Namely:

1. requiring payment for imap/smtp access
2. them having plaintext access to incoming mail
3. running untrusted code on their servers

I'm not quite interested in a self-hosted mail setup yet since I'm concerned about the network reliability of the place I would be hosting from.

@sir @thsprsntdrknss @Tommy maybe I missed it but how does it matter if their server is open source. You have to trust that it’s what they’re running right?

@Luke @Tommy @thsprsntdrknss yes, but if they lose that trust, you can run it on your own server, or someone else can set it up and take their business. It helps to hold them accountable, and there are other benefits besides.

@thsprsntdrknss @Tommy Or to phrase it differently, there's the vendor lock-in factor of free software and there's the security factor of free software.

@Luke You're talking about the security factor and then it's true that you can't prove what software they're running, so it doesn't matter if you have the source code to some software they claim to be running. But @sir was referring to the vendor lock-in factor.

When it comes to the practical ability to get your data and re-host it, people can verify this and hold them accountable.

@clacke @sir @Luke @Tommy I mean, I use ProtonMail with a domain name hosted elsewhere. I can always change email providers and redirect that domain name. I know it’s not the same as what you’re saying but that’s a type of accountability isn’t it? You fuck me over, I take my business elsewhere?

@clacke @sir @thsprsntdrknss @Tommy open source server code does not mean they provide a way to get your data out or even run said code.

@Luke @sir @thsprsntdrknss @Tommy No it doesn't, the theoretical ability to rehost and be able to self-host is only step zero.

@clacke @Tommy @sir @thsprsntdrknss controlling the domain is a prerequisite for re-hosting a mail server. The open source status of the server code is not.

@Tommy @sir that's a fine list. I can get behind this.
Any of those would be a nice option for those who don't take pleasure in running mail infrastructure.

@mdkcore @Tommy @sir Same here. I really enjoy how open they are about the stuff they run on their side and how they expose their services with standard protocols: CalDAV, CardDAV, FTP, the regular mail stuff. No proprietary "alternatives" like at Google Drive or Protonmail.

@Tommy @sir or just install @cloudron on a VPS somewhere and get your own self hosted email server out of the box! 🙂 Here's my Cloudron referral code for a free month: 5adcafc820c53c3d

Yes! How could I have forgotten!
Riseup is very trustworthy and unbiased.

Thank you for asking!

@Tommy @sir These aren't the best first impressions.
Web without JavaScript, fun.
