Earlier this month I wrote an article with the title Encryption in Email Practice. My point of view is pretty straightforward, “encryption not complete means no encryption at all”, and people should stop relying on email for any secret or privacy. Nevertheless, people would not just stop because I (and many others) said don’t, as the inertia of communication is hard to revert.

The most interesting article I have read as an email enthusiast has to be E-mail providers - which one to choose?, as the author appears to be super paranoid and the ultimate seeker of privacy. The inspection method they used is not technical: they basically went through the privacy policy page of each provider and tried to sign up through Tor. Their criteria are extreme and trivial at best, if not hilarious:

  • If they said they would log your IP address, that’s too bad!
  • If they said they use analytic tools on their website (even the ones like self-hosted Matomo, and not Google Analytics), that’s too bad!
  • If they use a CDN, that’s too bad! If the CDN provider happens to be Cloudflare, that’s the worst garbage!
  • If you can’t sign up with Tor, that’s too bad!
  • If they charge you more than 2 bucks per month, that’s robbery!
  • If you need to pay for a custom domain name at a registrar, that’s robbery!
  • If they share your information with a third party, that’s the worst garbage!
  • If you need to do a Captcha (even Friendly Captcha, not Google reCaptcha) or you have to sign up with a phone number, that’s the worst garbage!
  • If the webpage doesn’t work without JavaScript, that’s the worst garbage!

Well, I partially agree with the last one, and they have one nice criterion that I fully agree with:

  • If you can’t use email clients with IMAP/SMTP protocols, that’s too bad!

You might ask: what’s wrong with the listed criteria if the author just wants maximum privacy?

Apparently, they have conflated two concepts, privacy and anonymity, and I don’t know if they did that deliberately, since they seem “technical” enough to distinguish these terms by definition.

Privacy is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively. Anonymity describes situations where the acting person’s identity is unknown.

VPN and Tor are the favorite anonymizers when it comes to signing up with an email provider. Captchas and phone number verification help providers stop malicious automated requests. I’m not trying to speak in favor of any email hosting provider, but that’s the truth, especially for those that introduce a freemium pricing model. Proton and Tuta have become extraordinarily prevalent in recent years because they have a free tier. Of course marketing counts, but offering something for free speaks louder than any marketing approach, and this is reflected in the user count. Proton claims to have 100 million users currently; Tuta had reached 10 million users in 2023, when Fastmail, with 30 years of history, only had less than half a million. Tuta has deprecated their 12 EUR/year paid plan because it’s not sustainable. While Posteo manages to keep a minimum-price plan of 12 EUR/year for over 15 years, Proton and Tuta’s paid customers always donate a part of their money to the charity of those greedy free customers. To make sure that such charity actually makes sense (in order to turn these potential paid customers into real ones that provide profit) instead of going nowhere, they have to establish a rule preventing multiple free accounts, adopt an approach to discriminate humans from bots, and use identifiers to prevent the creation of multiple free accounts. The only way is to forbid anonymity, because the usage of Tor prevents counting the free accounts of a single user, and while the user’s ultimate goal is to emerge from nowhere and disappear into nowhere (plus, you can’t suspend my account if I disappear, that’s too bad!), the conflict between covering expenses and providing an absolutely free service, free as in beer and as in freedom, would be harsh. I don’t know why the author just pretends they don’t know that, as the free services they speak highly of, like Disroot and RiseUp, live on users’ donations and their communities are small enough for such a model.
If RiseUp is no longer invite-only, or Disroot disables manual registration approval, or they start to market themselves as private email providers who want to make a profit from that, they will eventually become Proton or Tuta. Anonymous Tor users would flood in, the servers would not be able to keep up, and malicious traffic and automated spam would harm the mail server’s reputation.

Enough about anonymity, let’s get down to privacy. Thanks to this digdeeper guy, I have never read so many companies’ privacy policies with comments all at once. Still, the digdeeper guy admits that a company can just hide their invasive activities from the terms and pretend it hasn’t happened or will not happen in the future, and sometimes they have to state in the terms that they must obey the law and cooperate with governments, because it would be unlawful otherwise! So what’s the point of picking at the words and amusing yourself with your “masturbatory” opinions (I return the word to the author)? Most of the email services, as far as I could see in the article, have not been tested by them at all, for stupid reasons like JavaScript, Captcha, pricing, banning Tor, or a privacy policy that doesn’t read like something a drug dealer might fancy. The real privacy implementation is encryption that keeps message content zero-knowledge to the mail servers, and you can do that with OpenPGP. I know, someone would yell at this: but if you use Gmail, Google would log your IP address and other data like client type, time zone and blah blah… Well, this is NOT IN THE REALM of email privacy! These kinds of evil that Google does to you don’t have anything to do with email itself. Unless the provider explicitly prohibits the usage of third-party clients or puts a restriction on the client type, I don’t think this should be considered any further.

Some people also mistake security for privacy. A thread on the Privacy Guides forum shows how an average user tries to care about everything before they know what it really means. Posteo is not recommended among email providers on PrivacyGuides.org because their DMARC policy is set to “none”, instead of “reject” or “quarantine”. I do appreciate the standard, but rookies would say: “your DMARC policy is none, that’s too bad! Anyone can just spoof you!”

Well, yes, this is a security issue, and security by definition means you believe the entity is indeed who they claim to be. example.org’s DMARC policy indicates the receiving mail server’s recommended action when someone claims to send an email from user@example.org. “None” means just let it reach wherever it was going, “quarantine” means drop it into the junk folder and “reject” means reject it.

Because the email protocol itself lacks a method to check whether you are authorized to send email from user@example.org, you can send email from any server with port 25 open, claiming to be user@example.org. But if example.org does not list your IP address in their SPF record, or your DKIM signature is invalid, then the receiver would probably refer to example.org’s DMARC record for further action. So, a DMARC record is domain-wide, and should only be decided by the domain owner. If they think “well, it’s fine to just let people spoof me, since the reply will arrive at my mailbox anyway”, they set it to “none”. It’s very interesting that Gmail.com has its DMARC policy set to “none” and Outlook.com has its DMARC policy set to “none” with the subdomain policy set to “quarantine”. They don’t really care about anyone on that domain being spoofed, right? (I’m just pointing out a fact; I will never suggest that anyone who uses a domain for their personal email set the DMARC policy to “none”, that’s not secure. Meanwhile many other email providers like Proton, Tuta, Zoho and iCloud have the policy “quarantine” or “reject”.)

Here comes the problem: you tell the receiver to drop incoming mails that fail SPF or DKIM by setting up a “reject” policy, but… is your wish their command? You would be surprised that many private email providers themselves do not respect DMARC policy, even though they themselves publish a strict one. That’s because they are so afraid of missing important incoming mails that were carelessly or improperly authenticated that they are unlikely to do what they’ve been told, and the maximum respect they will give to a “reject” DMARC policy is quarantine, that is to say, putting it in the Junk folder so that it won’t just go nowhere. And some of them don’t even rely on the DMARC policy at all: they verify the DKIM signature and put all the failures into the junk folder regardless of a “none” policy. But there are some respectful ones that really listen to instructions: Gmail (yeah…), Purelymail (you decide whether to respect DMARC or not, they have a toggle in their web panel), MXRoute. These providers aren’t for privacy seekers that much, but they do take security protocols seriously.
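To make the policy logic from the two paragraphs above concrete, here is an added example (my own code, not from any provider or from the original article) that parses a DMARC TXT record, picks the p= or sp= policy depending on whether the sender is the organizational domain or a subdomain, and applies a receiver-side cap that models a provider downgrading “reject” to “quarantine”. The records used are constructed samples, not real DNS data; the alignment results are passed in as booleans rather than computed from SPF/DKIM checks.

```python
# Added example: DMARC record parsing and disposition, with a receiver cap.
# Records below are constructed samples, not real DNS lookups.

RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt: str):
    """Split a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def effective_policy(tags: dict, from_domain: str, org_domain: str) -> str:
    """p= applies to the org domain; sp= (if present) applies to subdomains."""
    if from_domain != org_domain and "sp" in tags:
        policy = tags["sp"].lower()
    else:
        policy = tags["p"].lower()
    # Unknown policy values are treated as "none" rather than guessed.
    return policy if policy in RANK else "none"


def dmarc_disposition(tags: dict, from_domain: str, org_domain: str,
                      spf_aligned: bool, dkim_aligned: bool,
                      receiver_max: str = "reject") -> str:
    """Return pass/none/quarantine/reject for one message.

    DMARC passes if either aligned SPF or aligned DKIM passes. On failure
    the domain owner's policy applies, but a receiver may cap it (e.g. a
    provider that never rejects, only quarantines): receiver_max models that.
    """
    if spf_aligned or dkim_aligned:
        return "pass"
    wanted = effective_policy(tags, from_domain, org_domain)
    capped = min(RANK[wanted], RANK[receiver_max])
    return next(name for name, r in RANK.items() if r == capped)


if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc@example.org")
    print(dmarc_disposition(rec, "example.org", "example.org", False, False))       # none
    print(dmarc_disposition(rec, "mail.example.org", "example.org", False, False))  # quarantine
    strict = parse_dmarc("v=DMARC1; p=reject")
    print(dmarc_disposition(strict, "example.org", "example.org", False, False,
                            receiver_max="quarantine"))                              # quarantine
```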

Ask yourself what you really want from email before seeking private email providers, and don’t confuse one thing with another. Otherwise, you won’t be able to protect yourself from threats.