I am currently thinking about whether or not to sign up to Proton Mail. I am no stranger to paid “private” email services (having tried 3 different ones so far).
The problem is that email is only secure if you send emails within the same provider. In addition, most “secure” email providers do use PGP to encrypt your mailbox; however, they always hold the private key on their servers, which means that they could technically decrypt your messages if forced.
SOLUTION: Using SimpleLogin or Addy.io (previously AnonAddy) as my main email provider and enabling PGP encryption.
Why?
- Allows the addition of public keys to encrypt all forwarded emails
- Does not keep private keys on their servers
- Changes the title of every email to a default sentence, so the subject of the message is hidden
- The email provider cannot read any message, since it would be encrypted
- Create almost unlimited emails, and not be limited to 15 addresses as on ProtonMail
- Cheaper than almost all “private and secure” email providers
- Be able to keep email hosted on a free email provider
DISCLAIMER:
Since everything is encrypted you cannot use webmail. You just have to use an offline email client with the private key to decrypt all emails.
What do you think of this approach?
What issues would I find?
Any suggestions?
In my mind it sounds great but maybe I am overlooking something.
I am aware that the most important data of our communication is metadata; however, there would be no subject, and all emails received from an email alias provider are not the official ones from the company, thus it would be harder to analyze the relationships.
Extra:
I was maybe considering Proton Mail due to its calendar features, but it does not allow external people to edit, so in a way it is as closed as Google Calendar. In my opinion they should at least allow people with a SimpleLogin email, as they now own the company.
The main reason I don’t want to use ProtonMail is that I can’t trust anyone who holds my private key.
Email alias services are fine for regular use and you can combine them with any email provider, but you need a custom domain. Why? Because you don’t know what would happen to the service in the future. With a custom domain you can move all of your aliases to another service in case something bad happens, because you have full control of the domain.
Another problem with a custom domain is that you are using your real ID at the domain registrar. The public doesn’t know who you are, since most domain registrars today offer domain privacy protection for free so your real ID won’t show up when someone uses whois tools, but the domain registrar knows who you are.
The solution is to buy a domain on njal.la and pay with Monero.
I don’t want to talk about anonymity over privacy, but in this case the two things are related (IMO).
Bear in mind that if you go this route, SimpleLogin can still technically read all your emails, as it is they who convert them to PGP emails before forwarding them on to your email provider.
I have been with them for a while (before the Proton takeover) and use a different address for every service.
If they go out of business, it will take me a very long time to go through all accounts and change them, so as said, a custom domain may have been a better start for me, but 530 aliases in, I’m not changing it back now lol.
Unfortunately, you overlook a very important issue. Some companies and banks block SimpleLogin. I mean they don’t only block the email, but they also suspend your account with no reason and no right to appeal.
This was discussed a few months ago on the forum. You can see some company names.
Tbh, not all emails are sensitive.
Most companies use Google or Microsoft infrastructure, and AFAIK the sender and subject lines are not E2EE with PGP. So, even though you will self-host your email, the other side not using PM will reveal your emails anyway.
Is it worth the hassle? That’s up to you.
I also use SL, and as a backup I use iCloud’s Hide My Email alias service if SL is blocked, and 15 PM aliases for banking and important websites. That’s my solution for now.
I understand that, but I also think that most companies get an alert if your domain is pointing to a Proton Mail server.
My current solution is that I have an email from a big email provider (e.g. Google, Microsoft, Apple) and check it every month. I never have to send emails to my bank or any national service, since most legal documents are now always sent via a web portal on their official website. Alternatively you could forward all emails to a SimpleLogin alias.
Also, to ensure it is quite private and anonymous, I have never sent emails using these addresses, and each bank/institution has a different ‘alias’, so in case it gets leaked I know where the hole was made. This alias is really simple: just adding a dot “.” in a different place in the email address.
For instance, my email is fakeemail@(BigEmailProvider),
and for bank A is fake.email@(BigEmailProvider)
while for bank B is f.akeemail@(BigEmailProvider).
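As an added example (not code from the original post), this is how the dot-alias scheme above can be turned into leak attribution on the receiving side: fold the recipient address the way a dot-insensitive provider does to confirm the mail really landed in our mailbox, then look up the exact dot placement to see which institution that alias was given to. It assumes the provider ignores dots in the local part (as Gmail does; providers that treat them as distinct addresses deliver elsewhere), and the mailbox, registry and sample message are all constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed example data: one real mailbox at a provider that ignores dots in
# the local part, and the dot placement handed to each institution.
MAILBOX = "fakeemail@example.com"           # placeholder, not a real address
ALIAS_REGISTRY = {                           # constructed alias -> institution
    "fakeemail@example.com": "personal",
    "fake.email@example.com": "Bank A",
    "f.akeemail@example.com": "Bank B",
}

def canonical(addr):
    """Fold an address the way a dot-insensitive provider does: lowercase it and
    drop dots from the local part, so fake.email and f.akeemail compare equal."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local.replace(".", "") + "@" + domain

def recipients(raw_message):
    """Return every recipient address found in the To, Cc and Delivered-To headers."""
    msg = message_from_string(raw_message)
    fields = []
    for name in ("To", "Cc", "Delivered-To"):
        fields += msg.get_all(name, [])
    return [addr for _, addr in getaddresses(fields) if addr]

def attribute_leak(raw_message):
    """Name the institution whose alias an inbound message was addressed to.

    Returns 'unknown alias' when the address folds to our mailbox but matches no
    spelling we ever handed out (the sender normalised or guessed it), and None
    when the message was not addressed to our mailbox at all."""
    ours = canonical(MAILBOX)
    for addr in recipients(raw_message):
        if canonical(addr) == ours:
            return ALIAS_REGISTRY.get(addr.strip().lower(), "unknown alias")
    return None

# Constructed sample: an unsolicited mail arriving on Bank B's dot placement.
SAMPLE = """\
From: "Special Offers" <promo@spammer.invalid>
To: Jane <F.akeemail@example.com>
Subject: You have won

Click here.
"""

if __name__ == "__main__":
    print(attribute_leak(SAMPLE))   # Bank B: that alias was shared or leaked
```

The "unknown alias" result is the interesting one in practice: it means someone reached the mailbox with a dot placement that was never handed out, which the scheme on its own cannot attribute.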