Brief Notes on Email
If you don’t pay for the product… you are the product.
Self-hosting email is one of the most painful things I’ve attempted in my journey for privacy and security online. IP reputation is simply something that I’m not willing to pay for, in terms of time or money.
Of the cloud-hosted options, there are few good choices.
Gmail, Outlook, and Yahoo have excellent IP reputation and a full suite of features, but are products I avoid because of advertising and data collection.
I only consider services which:
- express that privacy is a major concern
- take measures to reduce provider access to content (such as client-side encryption)
- have a reasonably secure reputation for reliability and customer service
- can accept mail at my domain for at least 5 users (my immediate family)
I arrived at Swiss-based ProtonMail in 2016, and now use it for my family as well. There are other fine options as well, but I cannot recommend any (which are still in business) because I have not used them.
Features which I appreciate are:
- excellent IP reputation
- client-side encryption of mail contents
- key autodiscovery, supporting the very few other users who also encrypt mail
- local writing assistant (AI in the browser)
- an adequate (though not unlimited) limit for domains and aliases
It’s not free (for my needs). I have a Visionary account, though I could make do (uncomfortably) with the Family account as well. The key differentiator for me is the number of domains, as the domain must be bound to the account to send mail from it. My use case is unusual though, and most people will be perfectly comfortable with the free plan as long as they periodically delete old mail.
Generally, I appreciate what email once was, and despise what it has become. Convenient as it is, email should not be one’s username. I also get vastly more unwanted email than I do legitimate. Even amongst the legitimate email, almost all of it is automated. Correspondence from humans, or even relevant (and appreciated) automated notifications, make up a fraction of 1% of all my email.
I am forced to keep up with my email inbox (the same way I keep up with my physical mailbox), for fear of missing some renewal notice. However, I will never send anything of importance over either - as there is no expectation of privacy in the mail (electronic or otherwise). Almost all mail passes unencrypted from server to server.
Even though I cannot have the level of privacy I want, I will continue to use privacy-focused services like ProtonMail for as long as I can afford to do so. I’m not a shady guy, but I still want privacy.
Furthermore, consider this. The means to have completely private email has existed for over 30 years, and the understanding of how to make it ubiquitous and easy for consumers has existed for almost as long. The overhead required to implement these features has been greatly reduced, and even the smallest client devices have been capable of bearing the compute burden of encryption for more than 15 years. The reason we don’t have email privacy is because email providers don’t want it. For most of us, even the secure and respectable providers will (or at least up until very recently did) use your emails to better target ads. Regulations help, but they are not a complete solution and they are not applied equally to all.
For long-term sustainability, it’s important to rely on providers who, even if they aren’t perfect, have values that align with your own.