this post was submitted on 28 Jun 2023
11 points (100.0% liked)

Privacy


Hey all, I've been taking my digital privacy and security much more seriously this year, but the one thing I've been stuck on and feels overwhelming to me is email. So I wanted to know what do you guys use or what practices do you follow? Do you keep a separate email or alias for every single account, or just compartmentalize, like one email address for online shopping, one for business, one for personal correspondence, etc.?

What services do you use? Right now I have a free Tutanota and ProtonMail account but haven't decided which one to pay for, if either. ProtonMail makes me iffy with the amount of controversy and debate that has come out of them in recent years even though it comes with a lot of other nice stuff like cloud storage and a vpn. Tutanota I just dislike the fact I can't add it to third party mail apps like Thunderbird, but this might not be a deal breaker. I know there are others, so what do you guys use? I don't need something to protect my emails from the NSA or organizations like that but definitely something more private and secure than gmail. Thanks.

[–] cmeerw 1 points 1 year ago (1 children)

I run my own email server(s), one address for personal emails and one business address.

[–] sro2112 1 points 1 year ago

I've been really into self-hosting this year and self-hosting an email server has definitely been on my todo list, but mainly for fun/learning rather than serious usage as my primary email. Mainly because I've heard it's difficult and time-consuming to configure properly so you don't end up on spamlists of the major providers. What's your experience been like, was it difficult to configure, any trouble with people not receiving your emails?

[–] Mikina 1 points 1 year ago* (last edited 1 year ago) (1 children)

I have one generic company-sounding domain, and use a catch-all email address for it, so I can set up randomized name.surname@.com combinations for every service I need an account for. While it probably doesn't even make a difference with all the advanced fingerprinting methods that are around nowadays, it feels a little bit smoother than generating a random, obviously throwaway email address with some of the disposable email services that are around, and for a fraction of the cost.

Then I have my work emails and one official domain with my name that I use whenever something is important enough that I want to use my real info for it. And I also have an email for cases where I need to say my email out loud, which is just spam@.email. Efficient, and people usually get it right on the first try. (But I did encounter a few cases where .email was not a valid TLD, since the filter was set up based on character count -.-)

I've been using ProtonMail, and I'm pretty happy with them. I have not heard about the controversies up until now, but I think that it's understandable that they have to comply with court orders, and unless I'm mistaken they can't hand over your actual emails, since they are encrypted at rest by your password, right? Since I'm not really worried about having to do anything with police, it's not a threat model I need to take into consideration. But thanks for the info, I'll probably find a different provider if something happens with our local political situation. For now, what's the most important for me is that my emails and data are not used to teach any kind of ML bullshit about how to manipulate or impersonate people, and I think that's what the ProtonMail encryption provides sufficiently.
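An added example, not part of the original comment: one way to produce the per-service name.surname aliases described above for a catch-all domain. It goes a step beyond the comment by deriving each alias from a private secret with HMAC instead of picking it at random, so no lookup table is needed and mail arriving at an alias can be traced back to the service it was given to. The word lists, the domain `alias.example` and the function names are assumptions made for this sketch.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed word lists (assumption); longer lists give more distinct aliases.
FIRST = ["anna", "boris", "clara", "david", "elena", "frank", "greta", "henry"]
LAST = ["novak", "keller", "meyer", "berg", "lang", "hoffman", "weiss", "maler"]


def alias_for(service: str, secret: bytes, domain: str) -> str:
    """Derive a stable name.surname alias for one service from a private secret."""
    key = service.strip().lower().encode()
    digest = hmac.new(secret, key, hashlib.sha256).digest()
    first = FIRST[digest[0] % len(FIRST)]
    last = LAST[digest[1] % len(LAST)]
    # Two digits taken from the digest make collisions between services less likely.
    suffix = int.from_bytes(digest[2:4], "big") % 100
    return f"{first}.{last}{suffix:02d}@{domain}"


def attribute(recipient: str, services: list[str], secret: bytes, domain: str) -> str | None:
    """Return the service whose alias equals the recipient of an incoming mail."""
    wanted = recipient.strip().lower()
    for service in services:
        if alias_for(service, secret, domain) == wanted:
            return service
    return None  # not one of our aliases: a guessed or mistyped address


if __name__ == "__main__":
    secret = b"constructed-secret-keep-offline"  # constructed sample value
    known = ["shop.example", "forum.example"]    # constructed service names
    address = alias_for("shop.example", secret, "alias.example")
    print(address, "->", attribute(address, known, secret, "alias.example"))
```

Without the secret, an alias reveals neither the service name nor the owner's other aliases.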

[–] sro2112 1 points 1 year ago (1 children)

Cool, thank you. Yeah I need to buy a domain for email at some point

> unless I’m mistaken they can’t hand over your actual emails, since they are encrypted at rest by your password, right?

That is true I believe, they can use the address to identify you but if the email content is encrypted they can't get the contents. The subject line though is not encrypted.

Same though, I'm not necessarily trying to avoid the police or government but mainly advertising/AI bullshit/ less reliance on google. Do you use proton's other services, like the cloud storage and VPN?

[–] Mikina 1 points 1 year ago (1 children)

I have my own NAS where I store most of my files that's open to internet through a geoblocked Cloudflare Tunnel, and if I need to share something I just use the Synology Drive. I tried setting up Nextcloud, but my NAS is too weak for it and didn't support it by default, and manual installation didn't really work properly so I gave up.

VPN I've never found the need for. I was thinking about Mullvad Browser+VPN, since I really like the idea they are going for, but I was too lazy to set up yet another browser. I don't know how verified Mullvad is, since I haven't heard many people talking about it and only found it on the new version of privacytools.io - I think it was something like https://www.privacyguides.org/en/. I don't really know what happened between them and privacytools, or which one is more trustworthy - especially since they have mostly different recommendations.

But the main idea of Mullvad is that it's I think a fork of Tor Browser for internet, that's set up to work without needing any extensions and has the same fingerprint for every user, which stays the same since you don't need a stack of privacy extensions. And it works in tandem with Mullvad VPN, which means that it's really hard to fingerprint you based on your browser+VPN provider combination, because while you may be one of the few users of i.e. ProtonVPN that uses Firefox with uBlock, Decentraleyes and CookieAutoDelete, so you can still be eventually identified, all the users of Mullvad use the same browser with same origin IP and same fingerprint. And that idea actually makes a lot of sense on paper.

[–] sro2112 1 points 1 year ago

I'm actually a current Mullvad VPN customer, I know of their browser but I haven't tried it. They're very privacy friendly, no email required for sign up, and you can even mail them cash to pay. While I like what they stand for and think they're awesome, recently they decided to stop offering port forwarding for their VPN, so I need to find an alternative. My main use case for VPNs is torrenting, so port forwarding helps with that a lot. Proton VPN offers port forwarding which was why I was considering just using them for both email and VPN.

Their browser sounds interesting though, from what I've heard it's basically Tor browser but without the Tor network. The fingerprinting protection sounds awesome, I think one issue with my current browser setup is that I'm probably very unique and easy to fingerprint. So will look into that.

[–] pixelpop3 1 points 1 year ago* (last edited 1 year ago)

It really depends on who you "fear". I mostly use Firefox Relay and have chosen Google (Gmail, Android, etc) as the "devil I know". If I end up in a state actor's cross hairs (TLA, etc) I assume I'm a meat popsicle. Mostly I'm trying to thwart internet randos/vigilantes and marketing firms that want to violate my privacy and I think Firefox Relay is enough to trip them up.

I don't view Google as escapable and I think they are under a lot of scrutiny. My view of Google is they want to collect and keep data and sell access as a service without losing their own control of the data. I don't see them having much incentive to sell raw data to others.

I have a custom domain name I now use for work-related contacts and societies. Currently it runs Google Apps since I don't want to deal with spamlists etc. But I can easily move it elsewhere with minimal interruption. I almost did during the recent Google Apps drama. I recently changed jobs after being at my previous employer for about 8 years and learned it's a real pain/time sink to chase down contacts otherwise when you move employers. And my new employer has draconian BOFH email retention policies that maybe make sense for employee email but are just hell for my professional but not employer-tied identity/activities. I don't use it for work that belongs to [current employer], it's for work networking things like society memberships, certification agencies, working groups, society committees, etc. Basically work that would apply at any of my employers and would move with me elsewhere.

[–] vvv 1 points 1 year ago (1 children)

I've been on a very slow-burn transition from using gmail (and other google services). Email is hard, since that's an address others contact you by, so you can't easily switch providers on a whim. I kinda broke the problem down into steps:

First, buy my own domain, and have the registrar forward all email sent to it, to my gmail account. At this point, I could continue using gmail as the interface, and host, but I no longer had to use it as an address I hand to people/services, I would give them [servicename]@[mydomain.whatever].

Second, I purchased email hosting from the registrar. I continued with the setup, of having everything forwarded to gmail, using it as a host and interface, but used the alias feature to send replies back from any @[mydomain.whatever] address.

Third, I started investigating alternate email clients: thunderbird and fairemail are where I'm currently at, so that I'm only using gmail as the email host, but no longer rely on its interface.

I haven't taken the final step, of switching to a different provider (cause I'm a big wuss)... I might wind up doing something self-hosted, but at this point it's easy enough for me to switch by re-pointing my forwards. Most email comes in/out of an address at my domain, and I don't depend on gmail to be my email 'client'.

So all that to say, not that I have an answer for you, but I have a recommendation, to buy your own domain, and give yourself the flexibility to switch around different providers.

[–] sro2112 1 points 1 year ago

> So all that to say, not that I have an answer for you, but I have a recommendation, to buy your own domain, and give yourself the flexibility to switch around different providers.

Yeah, I've been looking into buying a domain for that exact reason, flexibility if I do switch providers so I don't have to change my email on a bunch of accounts or give people out a new email address.

Self-hosting interests me too but have heard it's very hard to get right so people actually receive your emails. I haven't looked super deep into it though, it's just been on my todo list to try.

Thank you!

[–] 0x0 1 points 1 year ago

I have a free Protonmail account i seldom use but like because they have a Tor address.

I have a paid Tutanota account to which i'm trying to migrate all my mail, from the free GoogleApps-based university account i used for years. I also have an alias i use as a throw-away-ish address.

I have a free GMX account i briefly used, also with a throw-away-ish alias, i might just drop it since i'm on Tutanota now anyway.

I'd love to host my own mail server on a VPS with a domain i own, but it's increasingly difficult. The big players came up with DKIM, DMARC, SPF and all these funky acronyms for the sake of fighting spam, but they're also easy ways to make it harder for you to run your own server 'cos they'll just flag you as undesirable. A form of embrace-extend-extinguish i guess.

And then there's spam and actually avoiding it.

Still on my ever increasing TODO list, if nothing else for learning purposes.
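An added example, not part of the original comment: a small offline check of the SPF and DMARC TXT records a self-hosted domain would publish, flagging the mistakes that most often get mail from a new server rejected or ignored. The sample records and the domain `mail.example` are constructed; DKIM is not covered, and fetching the records from DNS is left out so the sketch runs without network access.

```python
import re

# RFC 7208: these terms each cost one DNS lookup; more than 10 is a permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lint_spf(txt_records):
    """Return problems in the SPF policy found among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["no SPF record" if not spf else "multiple SPF records (permerror)"]
    problems, lookups, terminated = [], 0, False
    for term in spf[0].lower().split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default is "+"
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("all", "redirect"):
            terminated = True
        if name == "all" and qualifier == "+":
            problems.append("+all authorises every host to send as the domain")
        elif name == "all" and qualifier == "?":
            problems.append("?all gives receivers no verdict on unlisted hosts")
    if not terminated:
        problems.append("no 'all' mechanism or redirect")
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceeds the limit of 10")
    return problems


def lint_dmarc(record):
    """Return problems in the TXT record published at _dmarc.<domain>."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy")
    elif policy == "none":
        problems.append("p=none asks receivers to take no action on failing mail")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports arrive")
    return problems


# Constructed records for the placeholder domain mail.example.
SAMPLE_TXT = ["v=spf1 mx ip4:192.0.2.25 +all", "site-verification=constructed"]
SAMPLE_DMARC = "v=DMARC1; p=none"
```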

[–] funbike 0 points 1 year ago

I hate to admit it but I'm all-in on google, for mail, drive, calendar, meet/chat, Android, oauth. It's all too convenient.

I have one personal account, one per long-term client/employer (w/their service), and one garbage (for sign-ups and low-priority web accounts). I often use the [email protected] pattern for creating special-purpose temporary addresses. We use sendgrid for sending user emails.