Posts for: #Tech

Using GnuPG to Verify Yourself on Keyoxide

Disclaimer: this post is a machine translation of the original Chinese version. Please refer to the original content for accurate information.

Preface

Keyoxide is similar to Keybase.io: it is used to verify that a set of online accounts consistently belong to the same identity.

For example, search for contact@forgejo.org on Keyoxide.org, and you’ll see that Forgejo owns a Mastodon instance account @forgejo@floss.social, the domain forgejo.org, and a Forgejo instance account @forgejo@codeberg.org.

You can also search using OpenPGP public key fingerprints. For instance, search for my fingerprint (which can be found on the “Contact” page) on Keyoxide.org, and you’ll see that Yuki claims ownership of accounts such as ActivityPub, Matrix, Forgejo, as well as the domain obsp.de.

[Read more]

In Seek of Private Email Solution

Earlier this month I wrote an article with the title Encryption in Email Practice. My point of view is pretty straightforward: “encryption not complete means no encryption at all”, and people should stop relying on email for any secret or privacy. Nevertheless, people would not just stop because I (and many others) said not to, as the inertia of communication is hard to reverse.

The most interesting article I have read as an email enthusiast should be E-mail providers - which one to choose?, as the author themself appears to be super paranoid and the ultimate seeker of privacy. The inspection method they used is not technical, as they basically went through the privacy policy page of each provider and tried to sign up through Tor. Their criteria are at least extreme and trivial, if not hilarious:

[Read more]

Use Your Custom Domain or Not for Email

The short answer is yes; the long answer is not always.

The benefits of using your own custom domain, and the drawbacks of not using it, are listed below:

  • Email providers may shut down, and if one does, all you have to do is change the MX records.
  • You don’t always need to pay for extra addresses. A simple catch-all would solve the problem, and you can reduce spam by setting up rules for each recipient address.
  • More solutions are available. Some email hosting providers are exclusive to custom domain users, and you can use different providers for your inbound and outbound mail to get the best solution for each. For example, I self-host my inbound email with mail-in-a-box and have full control over the spam filter, but I’m concerned with IP reputation and deliverability, so for the SMTP service I simply choose Amazon SES at a low price.

The points above sound pretty valid, but people have raised some concerns:

[Read more]

Encryption in Email Practice

Modern demands on email privacy exceed its original design and are still growing. This is morbid.

Let’s take a look at a specific use case: Alice created a banking/finance account (something similar to Revolut/Paypal), and her login credentials are listed below:

username: alice@example.org
password: You1-Should9-Use0-A7-Password4-Manager2!

Alice was careless: she didn’t follow the best practice of keeping backups and lost her KeePass database (or her Vaultwarden database, or she forgot the master password, or lost the paper that she wrote passwords on). Unfortunately, this was the only copy of the above username/password combination, and there’s no way to retrieve it.

[Read more]
