
What to Look for in a Private and Secure Email Service Provider

Posted on May 4th, 2017 by


More and more people are becoming security conscious these days. A trend we certainly like to see! I frequently get asked which secure messenger is recommended, if anti-virus software is a good idea, if a firewall and encryption are needed, and also which email service provider should be used if one wants private and secure email exchange. The latter is a great question, and one which we'll answer today.

This article focuses on email providers that offer privacy and, specifically, security. There are quite a few email providers out there, so rather than just proclaim one as the best, we'll explain what to look for in a secure and private email provider. In this way, you'll be armed with all the information needed to make the best choice for you.

How secure is your email?

Having a password on your email account means only you can log in and read its contents, right? Unfortunately, this is not the case. Email was not designed with privacy and security in mind, and what little security is available today is a bolt-on solution. Email itself is as insecure as it was decades ago. What has improved is everything around it: stronger authentication methods for getting to the stored email, and encryption for the emails themselves and for server connections. These may keep email around a bit longer yet. For a great article on why email is not secure, have a look here.

Sadly, email providers often have access to your stored emails; some providers even read your email, so they can send you more targeted advertising. Government and ISP snooping can be a risk as well, and of course, email providers can get hacked just like any other business. Then there is the intercepting of emails while they are in transit. And the list goes on. So, what can you do to protect and secure your email? Use a secure email provider, of course!

Following is a 7-point checklist of what to look for in a secure email provider.

1. Cost and payment methods

Being an email provider means operating servers, performing maintenance, supporting customers, and more. These things cost money, so a good email service will likely charge for an account. How much is cheap and how much is outrageous is completely up to you. It all depends on how much you want or need that service.

I asked a good friend what he would consider a reasonable cost for a private email service, and he suggested that $20 a month seems like a good price if it meant his email was private and secure. Personally, however, I would consider paying $20 for the year tops. It really just depends on the person and their needs.

Payment methods can be a deciding factor as well. Does a provider accept VISA or PayPal? What if the account and its creation must be completely anonymous? Does a provider accept bitcoin? These are all factors you should consider when looking for a secure email provider.

2. Free accounts

Some email providers offer their service completely free, and some offer a free basic account but charge for more storage space and features. If you don't pay for the product, you are the product. After all, email providers still have to pay the bills, so if their users are not paying, can you guess where that money comes from? You got it: Advertising.

In the case of providers that charge for accounts but offer a free tier, "free" might actually be free. While they want you to be happy with a free account, they hope you will spend money to upgrade. If the provider only offers free full-featured accounts, it's worth investigating how they pay their bills. Your email may be scanned for content to target you for advertising, or your information may be sold to data brokers. (Open source projects can be the exception.) Your best option? Don't become the product. Instead, do the research and find a more secure provider that values your privacy.

3. History and reputation

An email provider that has been around for two decades is not necessarily better or more secure than a provider that started in 2014. Time in service doesn't necessarily mean they have more experience or are the best option; after all, a provider that started in 2014 may have hired staff who did work for many years at other providers and bring their experience to the table. Therefore, it's best not to let the age of a provider be a deciding factor. However, reputation is important.

Do some searches online for things like, "[insert provider name] hacked" or "[insert provider name] security flaw" and see what pops up. Of course, you'll have to investigate the claims yourself to see if they are all true, how severe their potential issues were, and how those issues were mitigated.

Search for some things you find most important, for example, "[insert provider name] DDoS," if you want to know if the provider has ever been under attack and how they dealt with it. How about their product support? Is it trustworthy? Helpful? Do a search for "[insert provider name] Support" and the results might show you stories about how horrible their support and response times are or if their support is simply amazing. These are all things that can help you in your quest to find the right email provider for you.

4. Encryption

There would be no security and privacy if encryption was not involved in some way. Most email providers know that these kinds of details are very important to their potential customers, so they will typically tell you all about it on their website. Are server connections encrypted? Is data at rest encrypted? Does an SSL test show any issues? Make sure you take your time and read all the details.

5. Logs

A secure and private email provider that logs everything will likely not be in business long. Logs must be kept for various reasons, such as DDoS protection, but the amount of data that is logged and how long those logs are kept should factor into your decision. Less data logged and short log retention is what you're after.

6. IP Stripping

You want your IP address stripped out of the email headers, so that the recipient cannot find out who your Internet provider is or your location. The same goes for the server logs: make sure your IP is masked, anonymized or completely removed (these details will likely be found in the provider's logging policies).
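One way to check a provider's IP stripping yourself: send a message from the account to another mailbox you control, save the raw source of the received message, and look for your own address in its headers. The script below is an added example, not part of the original article; the sample messages, host names and addresses are constructed (documentation ranges), and `client_ip` stands for the address you sent from.

```python
import ipaddress
import re
from email import message_from_string

# Loose candidate pattern; every token is validated with ipaddress below.
_TOKEN = re.compile(r"(?<![\w.])[0-9A-Fa-f:.]{3,45}(?!\w)")

def header_ips(raw_message):
    """Return (header_name, ip) for each IPv4/IPv6 literal in the headers."""
    found = []
    for name, value in message_from_string(raw_message).items():
        for token in _TOKEN.findall(str(value)):
            try:
                found.append((name, str(ipaddress.ip_address(token.rstrip(".")))))
            except ValueError:
                pass  # timestamps, years, hex-looking words
    return found

def exposure_report(raw_message, client_ip):
    """Names of headers that reveal client_ip (the sender's own address)."""
    target = ipaddress.ip_address(client_ip)
    return sorted({name for name, ip in header_ips(raw_message)
                   if ipaddress.ip_address(ip) == target})

# Constructed samples (documentation address ranges, hypothetical hosts).
LEAKY = """\
Received: from smtp.provider.example (smtp.provider.example [198.51.100.7])
 by mx.recipient.example; Thu, 4 May 2017 10:00:03 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
 by smtp.provider.example with ESMTPSA; Thu, 4 May 2017 10:00:01 +0000
X-Originating-IP: [203.0.113.45]
From: alice@provider.example
To: bob@recipient.example
Subject: header test

test body
"""

# Same message as a stripping provider would emit it: the submission hop is
# recorded as localhost and the X-Originating-IP header is absent.
STRIPPED = LEAKY.replace("[203.0.113.45] (unknown [203.0.113.45])",
                         "localhost (localhost [127.0.0.1])")
STRIPPED = STRIPPED.replace("X-Originating-IP: [203.0.113.45]\n", "")

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("stripped", STRIPPED)):
        print(label, exposure_report(raw, "203.0.113.45") or "no exposure")
```

An empty report for your own address means the recipient sees only the provider's servers; any header name in the report is a place where your location and Internet provider can be looked up.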

7. Privacy policy and terms

The privacy policy and terms & conditions should always be read. Not just for a secure email provider but for every service that has them. It typically gives you a good sense of how your data is collected, stored and/or used. If and how the provider will handle government requests for data is another piece of information most will find important.

These 7 key factors are the big ones to look out for. But that doesn't mean these are the only things to look for. There can be many other deciding factors for you, such as the ability to use your own domain, aliases, location, mail client compatibility, webmail access, Tor address, mobile app, and more.

Now that you've been armed with the right details to look out for in a secure email provider, let's get to some options to start your search!

Secure Email Service Providers

Below is a list of some recommended secure and private email providers to check out.

ProtonMail

Quoted as "Being the Only Email System The NSA Can't Access," ProtonMail is certainly a favorite. ProtonMail's main selling points are end-to-end encryption, zero access to user data, a location in Switzerland, encrypted data at rest, and no tracking or logging of personally identifiable information. For all the nitty-gritty details, have a look at their website here. Interestingly enough, they also have a Tor-accessible site, which can be found here.

Startmail

Based in Europe, Startmail is a fairly new player when it comes to providing secure and private email, but one of the oldest when it comes to offering privacy online. Startmail offers one-click PGP encryption, PFS and SSL encryption, disposable email addresses and the ability to send encrypted email to anyone regardless of the provider the recipient uses. More information can be found here.

Posteo.de

Posteo.de is a pretty well-known email provider that offers anonymous signup, IP stripping, anonymous payment, encryption in all the right places, two-factor authentication, and more. Located in Germany and priced very reasonably, this is definitely a provider to consider. More info here.

Tutanota

Tutanota is completely open source, which enables security experts to verify the code that protects your emails. Their servers are located in Germany, and some of the features you get with an account are 1 GB of space, aliases, and the ability to send encrypted email to anyone regardless of the provider the recipient uses. Android and iOS apps are available, too. While Tutanota is fairly basic, it gets the job done and best of all it's free! (A premium account is available for a price that's very hard to beat.) More information can be found here.

CounterMail

With selling points such as diskless servers, CounterMail is the only email service provider that offers protection against man-in-the-middle attacks (as far as they know) and a USB key option that prevents account access unless plugged in. It's hard not to give them a try right away. Of course, with features such as end-to-end encryption, IP stripping, use of own domains and a password manager, it offers things you'd expect from the best secure email provider.

Running diskless servers (the servers run off CDs) so that sensitive information cannot be easily retrieved if stored is a neat thing to mention, but CounterMail does limit mailbox sizes significantly. Their largest mailbox size offering is 500 MB and will run $59 for the year. Additional storage can cost as much as $109 (a one-time fee) for a little over 2 GB of storage total. Higher pricing is explained on their website, saying, "Our server have full disk encryption, which uses extra CPU and hard drive resources." (Wait, hard drives? I thought there weren't any!) For clarification on that, you can contact CounterMail, but all that said, they are a good option for secure and private email. More information can be found here.

Lavabit

Lavabit is a secure email provider that chose to shut down their service a few years ago to prevent government access to all user accounts. Nonetheless, they deserve a special mention here. They have restarted the service, and it's new and improved. While new accounts cannot be created yet, if you had an account with them at the time they shut down, you can log back in now. For new accounts, you can pre-register. More information can be found here.

Some other email providers you can check out:

This should be enough to help you find and make an informed decision on a secure and private email provider.

Are you using a secure and private email provider? Share your thoughts and experiences in the comments below!

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread.
  • johndoe

    Even Protonmail says they’re not good enough if you’re the next Snowden. (blog/protonmail-threat-model/) and doesn’t support PGP. Countermail says diskless WEB servers, encrypted MAIL servers. Would be nice if a tech writer knew the difference.

  • Allison Kilback

    What about msgsafe.io? I think that they’re one of the easiest to use because each new email address that you create is automatically generated a GPG key and S/MIME certificate. They also strip out all the junk (meta-data) in the headers of email you receive, and you have the option of choosing a custom location of where you want your mail to appear to be coming from.
    In addition, you don’t have to use their webmail interface – you can set it up to have all your mail forwarded with encryption to another email address you own. You can also block mail from specific email addresses, or choose to receive mail from only your contacts. It’s a great way to feed out the spam while keeping your email super secure.
