Shadow Wiki


Prologue

Introduction

There are many email providers & clients, in fact too many to reasonably decide upon without prior knowledge. They are fraught with misleading advertising gimmicks, security concerns, privacy violations, legal intrusion, political opinion & many other things.

Because of this extensive complication, I have tried to simplify the process of choosing on this page, by comparing the specs & attributes of providers & clients.

Ideally, all email providers should follow these design principles (but of course they don't):
  1. Nanonymous access (Tor/I2P/LokiNet/NameCoin/AnoNet access/address, etc) & the latest TLS w/ valid certificate or otherwise encryption (where applicable)
  2. No webmail interface AT ALL, unless it's SquirrelMail/totally devoid of JavaScript
  3. No JavaScript AT ALL
  4. No Google reCaptcha, a regular captcha may be used however (must be in accordance with rule #3)
  5. No Cloudflare or MITM-style DDOS protection AT ALL, DDOS protection may be used however (must be in accordance with rules #1, #3, & #4)
  6. A Terms of Service, that's clear, concise, & does not discriminate based on political ideology, basically saying "don't do illegal stuff"
  7. Logical site design (not like SAFe-MAIL or many US Government Websites etc)
  8. Nanonymous Privacy Policy that says something like "We encrypt everything & don't read it" & "Nothing is logged except during technical issues or maintenance, in which case it is purged after 24h"
  9. No Google Analytics, Matomo, or anything of the sort, AT ALL
  10. Must follow the minimalist Unix philosophy (do one thing & do it well), & KISS (Keep It Simple, Stupid)

There is also TLS support to consider, both from client to server and from server to server. TLS is what encrypts your data, messages & login info over the wire; if it is not encrypted, it is bare & ripe for sniffing. Clients should enforce TLS or STARTTLS. Servers should as well but, as the table shows, don't, usually to keep supporting legacy clients. STARTTLS upgrades a plaintext connection on the service's normal port to an encrypted one. As the RFC notes (linked here), STARTTLS opens the door to a MITM (Man-in-the-Middle) attack: an attacker who strips the STARTTLS offer from the server's response makes the client think the server does not support an encrypted connection. This, combined with the sniffing issue, is why it is important to check the STARTTLS/TLS settings in your client and make sure they are set to enforce encryption, not "connect anyway".

Alas, this is not so easy for server-to-server communication. The only way to ensure a TLS connection between providers is to run the server yourself and set it to enforce TLS. You can usually tell whether an email was delivered over TLS by looking at its headers (the Received: lines), where the receiving server will mention TLS. If it does not mention TLS, the mail was either sent without TLS or the server is not reporting it in the header, which is also cause for concern.
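As an added check for the header advice above (example code written for this page, not part of the original or of any provider's software), this Python script classifies each Received: hop of a message by whether the receiving server recorded TLS. The sample message, host names and addresses are constructed; the hop verdict relies on the RFC 3848 "with ESMTPS/ESMTPA" keywords and the TLS version clause Postfix and Exim write.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture). The newest hop is listed
# first, as in a real message: mail.example.org accepted it over TLS 1.3 from
# mx-in.example.net, which had earlier accepted it from the sending client
# over plain ESMTP.
SAMPLE_MESSAGE = """\
Received: from mx-in.example.net (mx-in.example.net [192.0.2.10])
    by mail.example.org (Postfix) with ESMTPS id 4F2C1A0B
    (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256)
    for <bob@example.org>; Tue, 04 May 2021 10:00:01 +0000
Received: from client.example.net (client.example.net [198.51.100.7])
    by mx-in.example.net (Postfix) with ESMTP id 7A9B2C
    for <bob@example.org>; Tue, 04 May 2021 09:59:58 +0000
From: alice@example.net
To: bob@example.org
Subject: test

hello
"""

# RFC 3848 "with" keywords: ESMTPS/ESMTPSA mean the hop was received over TLS,
# ESMTP/ESMTPA mean it was not. Postfix and Exim additionally write a
# "(version=TLSv1.2 cipher=...)" or "(TLS1.2)" clause, which the second and
# third patterns catch when the keyword alone is missing.
TLS_PATTERNS = [
    re.compile(r"\bwith\s+(?:e?smtpsa?|utf8smtpsa?)\b", re.I),
    re.compile(r"\bTLS\s*v?1[._]\d\b", re.I),
    re.compile(r"\bcipher=", re.I),
]
PLAINTEXT_PATTERN = re.compile(r"\bwith\s+(?:e?smtpa?|utf8smtpa?)\b", re.I)
BY_PATTERN = re.compile(r"\bby\s+([^\s(;]+)", re.I)


def received_hops(raw_message):
    """Return the Received: header values, newest hop first, unfolded."""
    msg = message_from_string(raw_message)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def classify_hop(hop):
    """'tls' if the receiving server recorded TLS, 'plaintext' if it recorded
    a clear-text SMTP transport, 'unknown' if it says nothing either way."""
    if any(p.search(hop) for p in TLS_PATTERNS):
        return "tls"
    if PLAINTEXT_PATTERN.search(hop):
        return "plaintext"
    return "unknown"


def tls_report(raw_message):
    """List (receiving host, verdict) for every hop, newest first."""
    report = []
    for hop in received_hops(raw_message):
        match = BY_PATTERN.search(hop)
        host = match.group(1) if match else "?"
        report.append((host, classify_hop(hop)))
    return report


def all_hops_encrypted(raw_message):
    """True only if every hop explicitly recorded TLS. An 'unknown' hop counts
    as a failure: a server that does not report TLS is itself cause for
    concern. Each Received: line is written by the server that accepted the
    message, so an earlier hop could have forged the lines below its own;
    only the hops added by servers you trust are reliable evidence."""
    report = tls_report(raw_message)
    return bool(report) and all(verdict == "tls" for _, verdict in report)


if __name__ == "__main__":
    for host, verdict in tls_report(SAMPLE_MESSAGE):
        print(f"{host:20} {verdict}")
    print("all hops encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```

Feed it the raw source of a message you received (most clients offer "view source" or "show original") and read the verdicts from your own provider's hop downward.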

Another way to ensure encryption, which ideally you should use all the time regardless of other variables, is PGP (Pretty Good Privacy). You create a public key, used for encrypting messages that can only be decrypted with your private key. You exchange public keys with the person you are emailing, set up your client appropriately, and the body (including attachments) of your email will be encrypted (the destination & subject, however, are not).

GPG CLI Basics

This assumes you have GPG (GnuPG) already installed & working. GnuPG is a "Complete and free implementation of the OpenPGP standard".

Generate your own public and private keys:
gpg --full-generate-key
Press enter (for the default).
When you get the prompt "What keysize do you want? (2048)", type 4096 and press enter. Follow the rest of the prompts accordingly. The "Real name:" can be a username. Leave the "Comment:" blank (by just pressing enter).
Listing keys:
gpg --list-keys
Deleting a private key:
gpg --delete-secret-keys [key id]
Deleting a public key:
gpg --delete-key [key id]
Importing a key:
gpg --import [name].asc
Exporting a key (--armor writes the ASCII-armored .asc format instead of binary):
gpg --armor --output [name you want the file to have].asc --export [ID or email associated with the key]

Chapter 1: Email Providers

How to use the table of Email Providers

Green is the best, red is the worst. Orange is closer to bad/red, yellow is closer to good/green.

You can click on the name of a provider in the table to go to the notes. The title of the email provider above the notes will take you to the website.

Table of Email Providers

Name | Rating | Perceived Connotation | Allows client | Tor access | i2p access | Website TLS | TLS From | Mandatory TLS From | TLS To | Mandatory TLS To | JS Intensive | Google reCaptcha | Cloudflare | Price
AOL | Do Not Use | Boomer/Surveillance | Yes | No | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | ? | No | Free/Ads/Tracking
AT&T | Do Not Use | Cattle/Surveillance | Yes | No | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | ? | No | Free/Ads/Tracking
Autistici | Do Not Use | Antifa/Pronouns/Far-leftism | Yes | No | No | 1.2 | ? | ? | 1.2 | FAIL | No | No | No | Ideologically Audited Request of Service
BeingLibertarian | Sign-up disabled.
Bluelight/NetZero | Do Not Use | the 90's called, they want their website/botnet back | Yes | ? | No | 1.2 | ? | ? | FAIL | FAIL | Yes | ? | No | Paid (ISP subscription)/Lots of info
Cockli | Not Bad | Imageboard user | Yes | Yes | No | 1.2 | ? | ? | 1.3 | FAIL | Sorta | No | No | Free/Registration closed, to be invite only
Comcast/Xfinity | Do Not Use | Cattle/Surveillance | Yes | ? | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | ? | No | Paid (ISP subscription)
CounterMail | Good | Contrarian/Cattle/Security Buff | Yes | Yes | No | 1.2 | ? | ? | 1.2 | FAIL | ? | ? | No | Paid
Criptext | Do Not Use | Security Buff/Surveillance | No | ? | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | ? | No | Free/Tracking
CTemplar | Do Not Use | Security Buff/poor choice | No | No | No | 1.2 | ? | ? | 1.3 | FAIL | Yes | No | Yes | Paid/w/ "Free" Tier
Danwin1210 | Not bad | Hobby | Yes | Yes | No | 1.3 | ? | ? | 1.3 | OK | No | No | No | Free/Some Logging
Dismail | Not Bad | Security Buff/German | Yes | Yes | No | 1.2 | ? | ? | 1.2 | FAIL | Sorta | No | No | Free
Dismail (Yadim) | Throwaway/Temporary accounts only.
Disroot | Do Not Use | Antifa/Far-leftism | Yes | Sorta | No | 1.2 | OK | FAIL | 1.2 | FAIL | Yes | No | No | Free/Non-Commercial Use
Dispostable | Throwaway/Temporary accounts only.
Elude.in | In a Pinch | Questionable Ads | Yes | Yes | No | 1.2 | ? | ? | 1.2 | FAIL | No | No | No | Paid w/ "Free tier"/Ads
Excite | Do Not Use | Old/Obscure/Cattle/Surveillance | ? | ? | ? | N/A | ? | ? | 1.0 | FAIL | ? | ? | No | Free/Lots of info/Tracking
Fastmail | Do Not Use | Cattle/Surveillance | Yes | ? | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | ? | No | Paid/Lots of info/Tracking
FakeMail | Throwaway/Temporary accounts only.
FlashBox | Throwaway/Temporary accounts only.
Freeshell.de | In a Pinch | Retro | Yes | Yes | No | 1.2 | ? | ? | 1.2 | FAIL | ? | ? | No | Free/Request Invite
GetNada | Throwaway/Temporary accounts only.
GuerillaMail | Throwaway/Temporary accounts only.
Google GMail | Do Not Use | Cattle/Surveillance | Yes | No | No | 1.3 | ? | ? | 1.3 | FAIL | Yes | Yes | No | Free/Tracking
GMX | Do Not Use | Cattle/Surveillance | Yes | No | No | 1.2 | ? | ? | 1.3 | FAIL | Yes | Yes | No | Free/Ads/Tracking/Lots of info
Harakiri | Throwaway/Temporary accounts only.
Hushmail | Do Not Use | Privacy Buff/Probable Surveillance | Yes | ? | No | 1.2 | ? | ? | 1.2 | FAIL | ? | ? | No | Paid/Lots of info
iCloud | Do Not Use | Cattle/Surveillance | ? | No | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | ? | No | Dependent on Expensive Proprietary Hardware/Tracking
InstallGentoo | Appears to be broken or dead.
Kolabnow | Do Not Use | Cattle/Potential Surveillance | Yes | ? | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | ? | No | Paid
La Poste | Non-functional site, possibly blocking Tor.
Lavabit | Do Not Use | Security Buff/Too much Logging | ? | ? | No | 1.2 | ? | ? | 1.2 | FAIL | ? | ? | No | Paid
Luxsci | Do Not Use | Security Buff/Too much logging | Yes | Yes | No | 1.3 | ? | ? | 1.2 | FAIL | ? | ? | No | Paid/Logging
Lycos | Do Not Use | Cattle/Surveillance | Yes | ? | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | Yes | No | Free w/ Premium Tier/Logging
Mailbox.org | Do Not Use | Security buff/Surveillance | Yes | Yes | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | Yes | No | Paid
Mailfence | Do Not Use | Cattle/Potential Surveillance | Yes | ? | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | ? | No | Paid w/ "Free" tier/Logging
MailForSpam | Throwaway/Temporary accounts only.
MailGutter | Throwaway/Temporary accounts only, blocks Tor.
Mailinator | Throwaway/Temporary accounts only, blocks Tor.
MailSac | Throwaway/Temporary accounts only.
Mail.com | Do Not Use | Cattle/Surveillance | Yes | No | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | ? | No | Free/Lots of info
Mail.ru | Do Not Use | Russian/Surveillance | Yes | ? | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | ? | No | Free/Tracking/Lots of info
Moakt | Throwaway/Temporary accounts only.
MyTemp | Throwaway/Temporary accounts only.
NixNet | ? | ? | Yes | Yes | No | 1.3 | ? | ? | 1.3 | FAIL | ? | ? | No | Free/Request Invite
NeoMailbox | Do Not Use | Cattle/Potential botnet | Yes | ? | No | 1.2 | ? | ? | 1.2 | FAIL | ? | ? | No | Paid/Logged
Novo Ordo | Do Not Use | Security Buff/Unusual | Yes | ? | No | 1.3 | ? | ? | 1.3 | FAIL | ? | ? | No | Paid
OnionMail | In a pinch | l33t hax0r/anonymous | Yes | Yes | No | No | OK | FAIL | 1.2 | FAIL | No | No | No | Free
OpenMailBox | Discontinued.
Outlook | Do Not Use | Cattle/Surveillance | Yes | No | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | ? | No | Free w/ Premium Tier/Tracking
Paranoid | In a pinch | Potential botnet | Yes | Sorta | No | 1.2 | FAIL | N/A + No Response | 1.2 | FAIL | No | No | No | Free/Request Invite
Posteo | Good | Security buff | Yes | Yes | No | 1.3 | OK | FAIL | 1.2 | FAIL | Yes | No | No | Paid
Postman | In a pinch | l33t hax0r/friendly neighborhood postman | Yes | No | Yes | N/A | OK | FAIL | 1.3 | FAIL | No | No | No | Free/Non-Commercial Use
ProtonMail | In a pinch | Security buff/Potential botnet | Sorta | Yes | No | 1.3 | ? | ? | 1.2 | FAIL | Yes | No | No | Paid w/ Free tier
Rackspace | Do Not Use | Business/Cattle/Surveillance | Yes | ? | No | 1.2 | ? | ? | ? | ? | Yes | ? | No | Paid/Tracking
RainMail | Throwaway/Temporary accounts only.
Rediff | Do Not Use | Indian/Surveillance | ? | ? | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | ? | No | Free w/ Premium Tier/Lots of info/Tracking
RiseUp | Not bad | Far-leftism | Yes | Yes | No | 1.2 | OK | FAIL | 1.2 | FAIL | ? | No | No | Free/Invite Only/Non-Commercial Use
Runbox | Do Not Use | Cattle/Potential Surveillance | Yes | ? | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | ? | No | Paid/Lots of Info/Logging
SAFemail | Do Not Use | Insanity/Cattle/Potential Surveillance | Yes | ? | No | 1.2 | ? | ? | 1.2 | FAIL | ? | No | No | ?
Safe-Mail | Sign-up disabled.
SCRYPTmail | Discontinued.
Self Hosting | You decide!
SDF | In a pinch | Retro | Yes | ? | No | 1.2 | ? | ? | 1.3 | FAIL | No | No | No | Paid
secMail | Do Not Use | Shady | No | Yes | No | No | ? | ? | N/A | N/A | No | No | No | Free
SharkLasers | Throwaway/Temporary accounts only.
Snopyta | Good | Snek | Yes | Yes | ? | 1.3 | OK | FAIL | 1.3 | FAIL | Yes | No | No | Free/Request Access/Non-Commercial Use
Soverin | Do Not Use | Cattle/Privacy buff/Probable botnet | Yes | ? | No | 1.2 | ? | ? | 1.3 | FAIL | Yes | ? | No | Paid/Lots of info
StartMail | Do Not Use | Cattle/Potential Surveillance | Yes | Yes | No | 1.2 | OK | FAIL | 1.2 | FAIL | Yes | No | No | Paid w/ "Free" tier & tracking
Systemli | Do Not Use | Antifa/Far-Leftism | Yes | Yes | No | 1.2 | ? | ? | 1.2 | FAIL | ? | ? | No | Free/Invite Only/Non-Commercial Use
Teknik | Do Not Use | Cattle/Probable Surveillance | Yes | ? | No | 1.2 | ? | ? | 1.2 | FAIL | ? | ? | Yes | Free/Logging
TempInBox | Throwaway/Temporary accounts only, no HTTPS.
TempMail | Throwaway/Temporary accounts only.
Temp-Mail.ooo | Discontinued. Throwaway/Temporary accounts only.
Temp-Mails | Throwaway/Temporary accounts only.
Tempr | Throwaway/Temporary accounts only, blocks Tor.
Tutanota | Do Not Use | Cattle/Surveillance | No | No | No | 1.2 | ? | ? | 1.2 | FAIL | ? | ? | No | Paid w/ "Free" tier/Logging
Thexyz | Do Not Use | Business/Surveillance | Yes | ? | No | 1.3 | ? | ? | 1.2 | FAIL | Yes | ? | No | Paid/Tracking
VFEmail | Do Not Use | Security Buff/Surveillance | Yes | ? | No | No | ? | ? | 1.2 | FAIL | ? | No | Yes | Paid w/ "Free" tier/Logging
Yahoo! Mail | Do Not Use | Cattle/Surveillance | Yes | No | No | 1.2 | ? | ? | 1.2 | FAIL | Yes | ? | No | Free/Ads/Tracking
Yandex | In a pinch | Russian/Surveillance | Yes | Sorta | No | 1.2 | ? | ? | 1.3 | FAIL | Yes | No | No | Free/Tracking
Zoho | Do Not Use | Business/Surveillance | Yes | ? | No | 1.3 | ? | ? | 1.2 | FAIL | Yes | No | No | Paid/Logging

Email Provider Notes

Autistici

Another far-left organization with what appears to be a good privacy stance; however, they do not have a "Privacy Policy", instead calling it "Your Data" [archive]. They also repeat themselves a lot & have different sections saying similar things.

If you are greatly interested in the Privacy Policy (I am not because I am too off-put by their political stance), you may wish to dig deeper.

Here's a quote from the "Request a Service" page: "Autistici/Inventati is a collective that recognizes & promotes anticapitalism, antiracism, antifascism, antisexism, antimilitarism, & the refusal of authoritarianism & hierarchies".
Probable translation: "Don't use for commercial purposes (Capitalism), respect my pronoun concerned identity politics, & make sure you support (violent suppression mob) antifa!"

Sounds a lot like Disroot & RiseUp (RiseUp is definitely the least bad/best of these three though).

Here's another quote: "don’t tell us that you want privacy &/or anonymity - we already know this, otherwise you wouldn’t have landed here. Tell us, instead, the reasons why you share these principles & what kind of person you are. You don’t have to detail your private life - we just need to get an idea of why we should offer a service to you". Oh boy, so I get audited too, to make sure I believe in these things!

Still don't believe me? Here's a quote from their Policy page: "To be hosted on our servers you have to share our principles of anti-fascism, anti-racism, anti-sexism, anti-homophobia, anti-transphobia, & anti-militarism". This would be funny, except they appear to be serious. But like they say, don't use it if you don't fully agree with these things. I could probably write an article on why each of those things is not what they seem to sound like on the surface, but you probably either already know that &/or agree with them.

"It says explicitly that all of its privacy protections are only guaranteed if you follow their ideology - this is kind of an inherently precarious situation unless you adhere to the complete ideology with the same interpretations as the people who run the service."
- The original manager/owner of the Online Spyware Watchdog, pretty much summing things up

So apparently, some time after I wrote this, they added a Privacy Policy [archive].

Here's some quotes: "We store logs of user activity for a period up to 15 days (unless specified otherwise per service).",
"our servers will provide us with some non-personal data, including, without limitation, data relating to the browser you are using (browser type, whether it is a mobile/desktop device, OS version, preferred language), the date and time of your visit and the referring website, but not your IP address. None of the non-personal (meta)data allows the identification of the individual user, as it is not associated with or linked to your personal information.",
"It is not necessary to provide personal information in order to create an account. All data provided in the request is deleted from our systems 15 days after the request has been successfully granted."
"we keep track of email metadata related to sender and recipient. We store logs of the “from” or “to” information for every message relayed and these logs are purged after 12 months." (PGP does not protect against this)!
"We keep record of your last successful authentication, so that it is possible for us to disable and delete unused or abandoned accounts."
"We keep track of the users’ activity on our Services, but the logs we store never contain any personally identifying information, and do not include information related to activities outside of our platform."
"In the case of suspicion of behavior non-compliant to our policies, we might kindly ask the user to comply or decide to erase an account permanently and without notice: again, users are admitted conditionally to their compliance to our policy and what we judge is their affinity to our Manifesto."
"Anonymous, aggregated information that cannot be linked back to an individual user may be made available to experienced researchers for the sole purpose of developing better systems for anonymous and secure communication. For example, we may aggregate information on how many messages on average a group of anonymous users send and receive, and with what frequency.", "We do not directly use these tools and analytics, but this service is available to all the users that choose to use them."
They will comply with requests coming from Italian authorities or "other compelling judicial authority" or if there is "public interest in doing so".
After account "deletion" mailbox content "will be automatically erased within 3 days".
"A/I will in no case store any data or log longer than 2 years after the last use of the Services.", so they may store certain data or logs up to 2 years? Unclear.

In summary: They log meta-data at the very least, are far-left, and require you to be far-left. Not a good combination.

BeingLibertarian

The email provider used by BeingLibertarian, a right-leaning libertarian online publication type site. The opinion/news site (beinglibertarian.com) is Cloudflared, but the email site (beinglibertarian.email) is not.

Does not have a Privacy Policy but instead a Manifesto [archive], let's go through the interesting bits!

"If a request from government authorities has been made for data that is supervised by me. I will do my best to make sure all requests fall in line with the 4th amendment of the United States Constitution. I will also make sure the effected parties are notified if such a situation arises.", sounds pretty good! Better than even RiseUp so far.
"My email server is more secure than Hillary Clinton's Microsoft Exchange 2010 Email server", amusing, but also not saying much, & a further injection of politics.
"I take privacy very seriously, & along with that means taking encryption very seriously", well, TLS isn't mandatory, but maybe this means the mailbox is encrypted?
"I do not deal with Anti-Semites as I am Jewish. However while I may disagree with what you say, I will defend your right to say it", way above & beyond what any of the 3 far-leftist servers would allow (Autistici, Disroot & RiseUp). Very nice!

But wait, there was no mention of whether they log anything, for how long, whether they read your mail, or whether it's stored as plain text or not!

Here's an aside from the description on the main page: "helping our readers, contributors, & correspondents feel comfortable in knowing their communications will be kept private". "Feel comfortable", what does that mean? Private from whom?

Another aside from the main page: "This server is not for sending spam, or marketing information. If those are required a separate server called a "list server" will be created", pretty accommodating if you ask me, as many servers disallow "commercial use".

No obvious way to sign up. I assume you have to write this "Geek in Chief" guy an email & request an account, Snopyta-style. They do provide a GPG key.

I sent an email, but have not received a response after several weeks.

Initially I had them on the table with info in each column, but since they appear to not be accepting registrations, I will put that info here, and list it as "registration disabled".

Name | Rating | Perceived Connotation | Allows client | Tor access | i2p access | Website TLS | TLS From | Mandatory TLS From | TLS To | Mandatory TLS To | JS Intensive | Google reCaptcha | Cloudflare | Price
BeingLibertarian | N/A | Libertarian/Not for use | ? | ? | No | 1.2 | ? | ? | 1.3 | FAIL | ? | ? | No | N/A

Bluelight

They want your phone number & all sorts of strange information. Unclear if you actually have to pay them to get the email, as they seem to be selling dial-up internet.

But don't worry, they support Windows 95.

Cockli

The first most obvious problem is the name, they are obsessed with obscene names. This carries over to most of their domain options, but a couple are not terrible, such as "airmail.cc".

I believe you can sign up without having JavaScript enabled, but their web client does require JavaScript. However, you could sign up over Tor, without JS, & then use a client.

Now onto the privacy side. They comply "with every legal order for user information under the jurisdictions which are applicable". Many would do the same thing, even RiseUp has.

It should also be noted that their data drives were seized twice before they moved their servers out of Germany to Romania.

Mail server mx2.cock.li failed to connect.

Update May 2021:
Cockli has switched off invites, saying that when they are brought back they will be invite-only. [archive]

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#Cock

Comcast

I believe this one requires a paid ISP subscription. It's unclear if you can log in over Tor: I got one sign-in page to load, whereas another gave "Access Denied".

A quote from the sign in page that did load: "Comcast reserves the right at any time to monitor usage of this system to ensure compliance with the Comcast Access Control & Acceptable Use Policies".

I get the feeling they don't want me to use them. I've heard they do at least accept clients. I'll take a pass on this one.

Countermail

They seem okay, but are much more costly than Posteo. Base package is $29 for 6 months. Takes BTC.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#CounterMail

Criptext

Site will not load without JS.

Well, here we go again. Lots of "privacy" talk, but no walking in the Privacy Policy [archive]. They track you.

Here's some quotes:
Under "Analytics & Performance Cookies", "These cookies are used to collect information about our Services’ traffic & how users use our Services".

They use Matomo. They use "Social Media Cookies" as well as "Targeted & advertising cookies". They "do not respond to “Do Not Track” signals".

Under "How We Share Your Personal Information" it says "We may disclose your personal information to our subsidiaries & corporate affiliates for purposes consistent with this Privacy Policy"!

It seems you must download their JavaScript & Electron based client to sign up & use the service.

Sounds pretty bad for the so-called "most private email service ever".

Ctemplar

Has Cloudflare & an Onion address, but the .onion address redirects to the clearnet page rendering it totally pointless, & most certainly does not count as Tor support.

Requires JabbaScript to even load the page, but says the JavaScript from the CDN can't be messed with in a harmful way to you, because of "checksums". They also say the CDN can be bypassed by using the Onion address, but as noted above, this is not the case.

Alas, these files that you would want to checksum do not exist on their GitHub, & are not seen even after building (ng build, ng serve).

Privacy policy is decent, but is overshadowed by the other issues.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#CTemplar

Danwin1210

Starting off the Privacy Policy [archive]: "Data protection is of a particularly high priority", however several things are tracked/recorded.

Here's an excerpt: "This general data and information is stored in the server log files. Collected may be (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches my website (so-called referrers), (4) the sub-websites, (5) the date and time of access to the Internet site / email transmission, (6) sender and recipient of an email, and (7) any other similar data and information that may be used in the event of attacks on my information technology systems".

One of the reasons given is to "(2) optimize my services", a common excuse; however, they say they do not "draw any conclusions about the data subject".

The tracking data is kept separately for 48 hours, "The anonymous data of the server log files are stored separately from all personal data provided by a data subject for up to 48 hours", and then presumably (?) deleted. This is only some of the data.

They do not use tracker cookies, "This site makes only use of technically necessary session cookies and does not use any form of tracking cookies".

It seems the point they are attempting to make is that much of the data collection is necessary for basic technical operation. It ultimately depends on whether you believe them.

Dismail

They do not have a Privacy Policy. They have a "Datenschutz" which apparently translates to "Data protection declaration according to GDPR".

If you take this as the Privacy Policy, it seems okay. However, I did have to translate it from German [archive] to English using itools/Google Translate, & over a VPN because it captcha'd me on Tor. But at least I didn't have to use any JabbaScript.

They are also hosted in Germany (in part by the same hosting provider no less, Hetzner), the same place that randomly seized some of Cockli's data drives, on two occasions.

Signup requires you to first get one of their XMPP accounts, then send an XMPP message to activate the email account. This does not require JavaScript, only the optional web interface does (you can use a client).

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#Dismail

Disroot

They sound pretty cool, being pro-privacy & all.

Except, they act like antifa, the hypocritical violent mob who silences those whom they disagree with. Staying away from them is my recommendation, unless you are an actual far-leftist like them.

Let's take a look at their terms of service [archive]: "You may not engage in the following activities through the services provided by disroot.org:" [...] "Contributing to the discrimination, harassment or harm against any individual or group. That includes the spread of hate & bigotry through racism, ethnophobia, antisemitism, sexism, homophobia & other forms of discriminatory behavior".

Those are pretty broad things to not be allowed to do. Anything can get called "racist", & not referring to someone by their decided "pronouns" can be seen as "hateful". Unless someone reports you, how would they know you are doing these things? Is it just for plausible deniability, or do they have some other mechanism?

Here's another thing you can't do, according to the TOS: "Using Disroot services for financial gain, including but not limited to trading or managing sales, is not tolerated. Accounts created for the purpose of generating profits will be subject to termination upon inquiry".

"disroot.org may terminate your service at any time under the following conditions:" [if] "The account has engaged in one or more of the banned activities listed above".

"TLS From" information provided by digdeeper.

There is also evidence to suggest that they may not use TLS by default when sending to TLS-equipped servers; if they do, they do not report it in the email header.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#Disroot

Elude.in

Definitely has the best Privacy Policy so far. Some ads are rather questionable/shady, such as random Tor sites. Has optional SquirrelMail (web) client, which does not require JS, along with Rainloop that does. Can be seen here.

To use a mail client you have to pay, but they accept (only) BTC & XMR.

All of elude.in's certs failed.

Excite

First off, this provider uses TLS 1.0 with an expired cert.

Secondly, they want you to give them both a phone number & your address for registration!

Thirdly, I will torture myself by reading the Privacy Policy [archive]. Excerpts:

Under "Information You Provide To Us", it says they collect many things, outside of the already gargantuan amount of info they want for signup, including "Records of products or services obtained, or considered, or other consuming histories or tendencies", "Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement", "Physical location or movements which may be inferred from your IP address".

Under "Third-Parties and Behavioral Advertising", "We may receive information from third-parties, including our authorized service providers, IAC affiliates, advertising companies, and ad networks", "We work with various companies (such as advertisers, ad networks and data management platforms) to tailor online ads that you see elsewhere on the internet, including through behavioral advertising designed to target users' interests and deliver more relevant advertising".

Under "We or these third parties may collect the following information (and similar information):", "Demographic data collected on Ask Apps Services (e.g., age, zip or postal code, gender) and geographic location derived from your IP address on your visits to the Ask Apps Services and non-affiliated websites and applications", "We may disclose any or all of the collected information to third parties".

You can't make this up. I'm stopping here: this provider not only fails somewhat in the security department, privacy & anonymity are foreign concepts to it!! I was also not able to find any information on whether they allow email clients or not.

Fastmail

Requires you to send in a Postcard (obviously to Germany) to gain access to service, which is then put up in a gallery for all to see. An interesting novel idea, but perhaps not the most anonymous. Also requires an existing email address.

The Privacy Policy [archive] is in PDF form. It starts off okay by saying "Your personal data, to the extent necessary for the establishment, content or change of status (inventory data) are exclusively used for the processing of contracts made between you and us." (length of time not mentioned), and "Under no circumstances will the data collected be used beyond of the contractual purpose, or otherwise sold to third parties - if it is not essential for the performance of the contract - provided." Except we see this isn't exactly true a little bit later.

Next it says "The following data is stored, but seperated from other data that you transmit", "Date and time of access", "Browser type / version", "Operating system", "URL of the previously visited site", "IP address". They say "It is not allowed for our partner companies to collect, process or use personal data, via our website".
But wait, Facebook is a 3rd party! Under "Using Facebook / social plugins", "Our site uses so-called social plugins ("Plugins") from the social network Facebook", "When you visit a page of our website that contains a social plugin, your browser establishes a direct connection with the Facebook servers. The content of the plugin is transmitted from Facebook directly to your browser and is integrated into the website.", "By integrating the plugin, Facebook receives the information that your browser has accessed the relevant page of our website, even if you do not have a Facebook account or are not currently logged in to Facebook. This information (including your IP address) is transmitted from your browser and immediately to a Facebook server in the US and stored there.". Sounds like a "3rd party" to me. It doesn't say what pages have the Facebook plugin.

They do say you can withdraw consent by emailing them, which ends the service. They also recommend using Tor. The Terms of Use [archive] do not seem especially notable, though they do say the language of the contract is German, despite it obviously being in English. They also "reserve the right to prosecute you at your current residence", whatever that means.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#FastMail

GMail

From the Privacy Policy [archive]: "We collect information to provide better services to all our users — from figuring out basic stuff like which language you speak, to more complex things like which ads you’ll find most useful, the people who matter most to you online,"

"When you’re not signed in to a Google Account, we store the information we collect with unique identifiers tied to the browser, application, or device you’re using."

They track you a lot, they say this "depends on how you use our services & how you manage your privacy controls", & they treat it as "personal information". Whatever that means.

They do a decent job of making it sound "not evil", but they don't really say "you can turn all of this off & we'll stop tracking you".

They also used to scan your emails to target ads, and supposedly stopped, but may still scan them for other purposes. Whatever, next.

Google is part of PRISM.

https://spyware.neocities.org/articles/google_search.html

GMX

According to Wikipedia [archive] they are an ad-supported provider (big red flag, as this usually includes tracking), and are the owners of Mail.com.

They also want your phone number, just like mail.com.

According to their Privacy Policy [archive], they track your data "pseudo-anonymously". They admit to using Google Ads. They have added a lot of GDPR boilerplate; there is plenty of repetition, and it was not written to be easily understood.

Hushmail

This provider is basically Yahoo! (nanonymity-wise), but you have to pay for it.

Let's go straight to the Privacy Policy [archive].

"We keep records of the activity that takes place on our website, including a record of IP addresses used by website visitors and account holders. We use this information to analyze market trends, gather broad demographic information, and to prevent abuse of our services".

"As part of the account creation process your IP address will be recorded. We may request that you provide other information, such as a phone number, as well. We use this information to analyze market trends, gather broad demographic information, and to prevent abuse of our services. We will not share this information with third-parties".

"When you sign into your account, either by using a web browser or using other software, we will record certain information about your activity. When you perform actions such as reading or moving an email, we will also record these actions".

"Information we record may include your IP address, your browser type, browser language, date and time of the action, account usernames, sender and recipient email addresses, file names of attachments, subjects of emails, URLs in the bodies of unencrypted email, and any other information that we deem necessary to record for the purposes of maintaining the system and preventing abuse".

"When you communicate with us, you may provide us with personal information about yourself. Your communication with us may be retained in our system".

"If you have an unencrypted email in your account, it will be stored on the Hush servers unencrypted".

"We do not and will never share your personal information with any third-party except as specified in this policy. We will never sell your personal information under any circumstances".

"If you send an email using Hushmail, your IP address will not appear in the headers of the email", something Lavabit fails to do.

"The information we use to display this is gathered from our records; we do not track your actual location", what?

"We store sales, marketing, and customer care information with third-parties that".

"We may temporarily share information that is not personally identifiable with third-party services for the limited purpose of supporting our advertising, sales and marketing activities. Those third parties are not permitted to use the information for any other purpose".

Under "How long do we retain your personal information?" it says the account will be deleted immediately but "The records we keep of your activities are permanently deleted after approximately 18 months. Records that are stored for statistical purposes may be kept indefinitely".

"Free accounts are deactivated if unused for a period of three weeks", so not especially practical unless you email constantly.

They want your phone number. Base price is $50 (a year). Supposedly it supports email clients; I don't know whether this is available on the free tier.

Seems like a case of talking the talk, but not walking the walk.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#Hushmail

InstallGentoo

From the makers of the InstallGentoo Wiki. Appears to be broken or dead. Says it has SquirrelMail, but the link won't load. No button for signup. The Privacy Policy and TOS are nice and simple.

iCloud

iCloud is a walled garden / information silo service that apparently (?) requires a Crapple device to gain email access. I might have tested this, but the JabbaScript-requiring icloud.com only gave me a "Connection Error" when I visited it over Tor.

Privacy Policy [archive] time:
"You may be asked to provide your personal information anytime you are in contact with Apple or an Apple affiliated company", well that's just a great start, isn't it? No honest provider needs your personal information!
"Apple and its affiliates may share this personal information with each other and use it consistent with this Privacy Policy", at least I can give them credit for saying this at the start of the privacy policy.
"They may also combine it with other information to provide and improve our products, services, content, and advertising".
"You are not required to provide the personal information that we have requested, but, if you chose not to do so, in many cases we will not be able to provide you with our products or services or respond to any queries you may have". Translation: "You don't have to give your personal info, but you do if you want service"!

Did I say that's only the first paragraph, after their baloney at the top? Did I also mention that I had to delete elements in the browser's dev tools, on their non-loading site that was showing a "Connection Error", just so I could click the privacy button, which then redirected me to a marketing page rather than the Privacy Policy?

Here's a good one: "When you share your content with family and friends using Apple products," [...] "Apple may collect the information you provide about those people such as name, mailing address, email address, and phone number. Apple will use such information to fulfill your requests, provide the relevant product or service, or for anti-fraud purposes". Oh, just wonderful! So not only will they not give you any privacy or anonymity, they will abuse the privacy and anonymity of anyone else you contact through their services!

Apple (of which iCloud is a service) is part of PRISM.

I'm done with this one, I've seen enough.

Kolabnow

No obvious Privacy Policy. Instead, there is only a mention of data handling in their TOS [archive], under "DATA PRIVACY AND SECURITY", saying "We will only keep the minimum of logs and debug information necessary to ensure that we can improve the service and resolve issues that may have occurred". How long those logs are kept is not specified.

They do at least say, just above that, that "there will be no access to your data by third parties without a duly authorized warrant issued by a Swiss judge".

Site requires JS to properly navigate.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#KolabNow

Lavabit

This one has a storied history as it relates to whistleblower Edward Snowden. I suggest reading the Wikipedia article on it.

Now onto the Privacy Policy, which they call a "Privacy Pledge". It's not the best, but it's better than most, I guess.

They log your IP with extra steps: "Lavabit e-mail servers do record the IP address used to send an outgoing message in the header of an outgoing e-mail".

"We do not keep a record of the IP addresses used to access our services (except in the web server logs), and we do not keep a record of what information was accessed during a particular session". Key part: "except in the web server logs".
"We record this information in the message header so that law enforcement officials in possession of a message that violates the law can identify the original sender". "Lavabit does not retain this information" (for how long, though?).

So basically, use it over a VPN or Tor, if at all, so that the IP stamped into your outgoing headers is not your own.
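
Lavabit's header stamping & Hushmail's opposite claim are both easy to verify yourself: send a message through the provider to an address you control, save it raw, & look for your own IP in the trace headers. The Python script below is an added example written for this page (not Lavabit's, Hushmail's or anyone else's code); the messages, hostnames & addresses in it are constructed, & the header names it inspects are the ones that commonly carry a client address.

```python
"""Does an outgoing message expose the sender's IP in its headers?

Added example for this page, not code from Hushmail, Lavabit or any other
provider. The messages and addresses below are constructed.
"""
import ipaddress
import re
from email import message_from_bytes

# Headers that commonly carry a submitting client's address: the Received
# trace lines and the non-standard X-Originating-IP / X-Sender-IP fields.
TRACE_HEADERS = ("Received", "X-Originating-IP", "X-Sender-IP")

# Constructed: what a recipient sees when the provider stamps the client IP.
SAMPLE_LEAKY = b"""\
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby relay.example.net with ESMTPS id abc123
Received: from [198.51.100.23] (helo=laptop.lan)
\tby mx.example.org with ESMTPSA id def456
X-Originating-IP: [198.51.100.23]
From: alice@example.org
To: bob@example.net
Subject: test
Message-ID: <1@example.org>

hello
"""

# Constructed: only server-to-server hops, no client address anywhere.
SAMPLE_CLEAN = b"""\
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby relay.example.net with ESMTPS id ghi789
Received: by mx.example.org with ESMTPSA id jkl012
From: alice@example.org
To: bob@example.net
Subject: test
Message-ID: <2@example.org>

hello
"""

# Constructed: an IPv6 literal in the bracketed form Received lines use.
SAMPLE_V6 = b"Received: from [IPv6:2001:db8::1] by mx.example.org\n\nhello\n"

# Delimiters that separate tokens inside a trace header.
_SPLIT = re.compile(r"[\s\[\]();,]+")


def header_ips(raw: bytes) -> list[tuple[str, str]]:
    """(header name, address) for every IP literal in the trace headers,
    in header order. Tokens that are not valid addresses are ignored."""
    msg = message_from_bytes(raw)
    found = []
    for name in TRACE_HEADERS:
        for value in msg.get_all(name, []):
            for token in _SPLIT.split(str(value)):
                token = token.removeprefix("IPv6:")
                try:
                    found.append((name, str(ipaddress.ip_address(token))))
                except ValueError:
                    continue          # hostname, keyword, id, empty token...
    return found


def leaks_client_ip(raw: bytes, client_ip: str) -> list[str]:
    """Names of the headers in which the sender's own address appears.
    An empty list means this message does not reveal that address."""
    target = ipaddress.ip_address(client_ip)
    return sorted({name for name, ip in header_ips(raw)
                   if ipaddress.ip_address(ip) == target})


if __name__ == "__main__":
    # Usage: send yourself a message through the provider under test, save it
    # raw, then run: python3 leakcheck.py saved.eml <your public IP>
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            print(leaks_client_ip(fh.read(), sys.argv[2]))
    else:
        print("leaky:", leaks_client_ip(SAMPLE_LEAKY, "198.51.100.23"))
        print("clean:", leaks_client_ip(SAMPLE_CLEAN, "198.51.100.23"))
```

Run it against the raw copy of a message you sent to yourself: an empty list for your own public IP is what a provider like Hushmail promises; a hit in Received is what Lavabit's pledge describes. Remember that the first Received line is added by the receiving side, so a message you send to a mailbox on another provider will also carry that provider's hops.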

I would test it, except base price is $30, so I won't.

Luxsci

I judged their support for Tor & clients by their having blog posts on Tor, SMTP, POP & IMAP. Their site is a little bit complicated, but nothing on the order of SAFemail.

Issues begin to arise once you take a look at their Privacy Policy [archive]:
"While visiting the LuxSci web site, information is collected" [...] "This information includes Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp, & click-stream data".
"web site forms may request: names, addresses, phone numbers, company demographics, as well as record current IP addresses & web browser user agents". "Company Demographics" though?! What?
"For owners of a LuxSci Free Trial Account" [...] "Personal information about the account (e.g., billing history, support history, order history, & contact information) may be kept indefinitely".

They might have decent security, but they lack proper privacy & anonymity.

Lycos

The certificate fails for their one mail server. They require you to pay [archive] if you want client access.

Some excerpts from the Privacy Policy [archive]:
"Lycos collects anonymous data and shares it with third-party advertisers in an aggregate form". "We do not sell your personal information to third parties".

"Lycos may place [web beacons] on Web pages and within Web-based email newsletters that we send. Working in conjunction with cookies, Web beacons allow Lycos to accurately count the number of unique users who have visited a specific page" [...] "This information is only collected in aggregate form and will not be linked to your personally identifiable information".

"Lycos may disclose information about individual users to third parties who agree to provide services to Lycos and who agree to maintain the confidentiality of such information in accordance with this Privacy Policy".

"We use third-party advertising companies to serve ads and collect information when you visit the Lycos Network. These companies may use information (not including your name, address email address or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. Third party advertisers' use of cookies is subject to their own privacy policies", they are really committed to logging you.

Nowhere does it say how long all this information about you is kept, and even if it did, the data also passes through an advertising service's systems, subject to a different Privacy Policy. This is a deal breaker, even if the use of Google reCaptcha weren't already one, which it is.

Mailbox.org

Uses Google reCaptcha according to their own Privacy Policy, I stopped reading there.

Claims to support Tor & clients, but does not mention an .onion address.

Server mx-n.mailbox.org failed to connect when using CheckTLS.
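
The CheckTLS results quoted throughout this page can be reproduced without a third-party site. The script below is an added example for this page (not the provider's code & not CheckTLS itself): it refuses to fall back to plaintext, treats a missing STARTTLS line as a failure (which is exactly what a stripping MITM produces), & verifies the certificate chain & hostname before reporting success. The EHLO replies & hostnames in it are constructed placeholders; run it against a real MX to get a live result.

```python
"""Check whether an MX advertises STARTTLS and presents a verifiable certificate.

Added example for this page, not code from any provider discussed here and
not the CheckTLS service. The EHLO replies below are constructed; the
hostnames are placeholders.
"""
import smtplib
import ssl
import sys

# Constructed EHLO replies. The second is what a client sees when an on-path
# attacker deletes the "250-STARTTLS" line (the stripping attack that the
# STARTTLS RFC's security considerations warn about).
EHLO_WITH_TLS = (b"250-mx.example.net Hello\r\n"
                 b"250-SIZE 10240000\r\n"
                 b"250-STARTTLS\r\n"
                 b"250 8BITMIME\r\n")
EHLO_STRIPPED = (b"250-mx.example.net Hello\r\n"
                 b"250-SIZE 10240000\r\n"
                 b"250 8BITMIME\r\n")


def advertised_extensions(ehlo_reply: bytes) -> set[str]:
    """Extension keywords in a raw multi-line EHLO reply (line 1 is the greeting)."""
    exts = set()
    for line in ehlo_reply.decode("ascii", "replace").splitlines()[1:]:
        body = line[4:].strip()           # drop the "250-" / "250 " prefix
        if body:
            exts.add(body.split()[0].upper())
    return exts


def offers_starttls(ehlo_reply: bytes) -> bool:
    """True only if the server actually advertised STARTTLS in this reply."""
    return "STARTTLS" in advertised_extensions(ehlo_reply)


def check_mx_tls(host: str, port: int = 25, timeout: float = 15.0) -> dict:
    """Live check (needs network): EHLO, require STARTTLS, upgrade with a
    verifying context and report the negotiated protocol. Never falls back
    to plaintext: a missing STARTTLS or a bad certificate is a failure."""
    result = {"host": host, "starttls_advertised": False,
              "tls_ok": False, "tls_version": None, "error": None}
    ctx = ssl.create_default_context()             # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls_advertised"] = smtp.has_extn("starttls")
            if not result["starttls_advertised"]:
                result["error"] = "STARTTLS not advertised (unsupported or stripped)"
                return result
            smtp.starttls(context=ctx)             # raises on an unverifiable cert
            smtp.ehlo()                            # re-EHLO after the upgrade
            result["tls_ok"] = True
            result["tls_version"] = smtp.sock.version()
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"certificate verification failed: {exc.verify_message}"
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    print("constructed reply offers STARTTLS:", offers_starttls(EHLO_WITH_TLS))
    print("stripped reply offers STARTTLS:  ", offers_starttls(EHLO_STRIPPED))
    for mx in sys.argv[1:]:                        # e.g. python3 mxcheck.py mx.example.net
        print(check_mx_tls(mx))
```

The offline part shows the two shapes of EHLO reply; the live part is the check you would run against each MX listed for a provider (pass several hostnames to test them all). A result with `starttls_advertised` false or `tls_ok` false is the equivalent of the "cert fails" / "failed to connect" notes on this page, and the same settings (verify the chain, never "connect anyway") are what your mail client should enforce.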

Mailfence

Too much unnecessary data retention (45 days) & analytics (see digdeeper). You have to pay (they do accept BTC) for client access.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#Mailfence

Mail.com

HAHAHAHAHA

From the Privacy Policy [archive] under: "Information We Collect"
  • Your name
  • Gender
  • Date of Birth
  • Postal address
  • E-mail address
  • Telephone & telefax numbers
  • Credit card information
  • Other billing information

Mail.ru

I am judging by the presence of this page that it has client support.

Another botnet. Let's look at the Privacy Policy [archive], which I believe is best summarized by these chat messages from when we discussed it in the group chat:

me: "https://web.archive.org/web/20200303061042/https://help.mail.ru/engmail-help/privacy"
me: "this is a dense one"
me: "For the purpose of performance of the agreement with the User for provision of the Service selected by the User and for granting access to the User to the functionality of the Service selected by him/her, the Company develops, improves, optimizes and implements new functionality of the Services (including services and products of informational, communication, advertising, educational, entertainment and other nature), including with the participation of affiliates and/or partners. In order to ensure achievement of the specified purposes the User agrees and instructs the Company to carry out, in compliance with the applicable legislation, processing (including collection, recording, systematization, accumulation, storage, refinement (updating, modification), comparison, retrieval, use, depersonalization, blocking, deletion and destruction) of the Users' Account data and Other data, including results of automated processing of such data, and specifically in the form of whole-number and/or text values and identifiers, transfer of the above data to the affiliates and/or partners in pursuance of such instruction for processing, as well as to collect (receive) the Users' Account data and Other data from the affiliates and/or partners."
me: "bruh"
digdeeper: "the final boss of botnet"
digdeeper: "including collection, recording, systematization, accumulation, storage, refinement (updating, modification), comparison, retrieval, use, depersonalization, blocking, deletion and destruction) of the Users' Account data and Other data"
digdeeper: "has all the attacks"
digdeeper: "lol"
digdeeper: "transfer of the above data to the affiliates and/or partners"
digdeeper: "and summons minions"

They also allow you to log in with other botnet services (many of which are part of PRISM). As with Yandex, entering a phone number is optional, but they do want your date of birth & gender.

NixNet

Apparently has an Onion address, but the link to the email portion of the site goes to clearnet.

Let's jump right into the Privacy Policy [archive]. Under "IP Address", it says "Some applications (Gitea, Mumble, XMPP, and NixNet Mail) collect your IP when you register. At the moment, that information is kept indefinitely. However, I’m working on either completely disabling it or setting something up that will periodically delete stored IP addresses. When I do, this document will be updated accordingly." Not a good start. What's next? "If you don’t want me to have that information to begin with, just use Tor Browser.", okay, not bad.

Under "Browser Fingerprint" it says "As far as I know, nothing collects or uses any of that information.", which is somewhat reassuring. After "Usage and storage of collected information" it says "Whatever data is collected is stored on servers I have sole control over and it won’t be shared with any third parties whatsoever.".

Under "Exceptions" it says "I do live in the US; I have three servers here, three in Germany, and another in Luxembourg. If, for whatever reason, I’m compelled by law enforcement to give up your email, IP address, or any other information, I will even though I don’t want to. As such, I do whatever I can to make sure I don’t have that information. If I don’t have it, I can’t share it."

All in all, it seems pretty decent; I have, however, yet to actually try the service.

NeoMailbox

Has no Privacy Policy. $50 a year for base package. Keeps logs for 6 months.

TLS fails on one of its servers, mail2.neomailbox.com, but works on the other one, mail1.neomailbox.com.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#Neomailbox

NovoOrdo

Has an onion address, but it is only provided over HTTPS, so you will get a security error for its self-signed certificate, and it's just a redirect to the clearnet page anyway, much like CTemplar.
They claim to have an onion address for SMTP, IMAP & POP, but I have not tested if they work or not.

Allows payment with BTC, but this requires JavaScript. Cost is $34 for 1 year, $13 for 3 months, or $80 for 3 years.

While the domain is "novo-ordo.com", they call the service "Sub Rosa". I'm not sure why they don't just call the entire website that. Maybe it's because they also run a remailer service or something.

The Privacy Policy [archive] is questionable. Let's go through it:
"Our server is located in Switzerland where privacy is protected by law", debatable (see what digdeeper has to say about countries' privacy laws), but okay.
"We avoid the collection of personal information whenever possible", kinda vague, and virtually meaningless unless you put some sort of belief or trust in them.
"No information on the legal use of this service by any user is sold, forwarded, traded, or intentionally released in any way", so illegal use can be "sold, forwarded, traded, or intentionally released in any way", ha!
"Your email is not read by humans or machines", so then animals or ayys can still read it.
"All email stored on our server is encrypted. The keys are stored in a different jurisdiction than the server", some providers could learn from this.
"Email is not backed-up unless special arrangements are made. There are no copies of your email. It is recommended that you keep your own copies of important emails", this is both good and bad. For privacy it's good, but, if something happens & you missed an important email and/or weren't using POP, you are screwed.
"We will only keep the minimum of logs and debug information necessary to ensure that we can improve the service and resolve issues that may have occurred", uh oh. What does "minimum" mean?! "These logs are typically kept for less than one week", logs of what?
"We employ a state-of-the art security-centric design based on open source software which we make use of to provide the Service", totally meaningless statement.

The log keeping and the onion address are the biggest issues here; I cannot recommend this in good faith.

OnionMail

Arriving at the site for the software, it seems to be primarily in Italian, & the English has some typos in it. OnionMail is not one server, but a collection of servers all using the same software. It can send messages to clearnet through the use of exit servers. The directory of servers & exit servers is here, as well as on every OnionMail server.

TLS on the OnionMail website does not have valid certificates, nor, sadly, does the only functioning exit server, onionmail.info (exit servers are what allow you to send email to the clearnet). The exit server mxtor.xyz does not work at all. They do at least give you the server's certificate on signup, so you can verify that it is their server you are logging into with your mail client.

For the purposes of this review I used the "hiddenmail" OnionMail server, located at 7w65g63fgumvpuvd.onion. It is possible there is some deviation between this one & the others, but not by much. They all apparently use the same exit servers & "Rulez". Emails seem to be sent out with TLS 1.2 by default.

There is no "Privacy Policy" on the servers, but instead "Rulez" (with a "z") that claim everything is encrypted & deleted after a short time. Due to it only being accessible over Tor (.onion addresses), they won't be getting your IP, so that's good.

Signup is unusual in that they give you your passwords, which are different for each protocol (SMTP, POP, IMAP).

There is no webmail, which is a good thing actually, unless it's SquirrelMail.

This is an otherwise good idea, but it fails with the lack of a direct, obvious, Privacy Policy, as well as the certs totally failing for the clearnet exit server (Let's Encrypt exists!).

Outlook

Formerly known as Hotmail.

HAHAHHAHAHAHAHHAHAHA

An excerpt from their Privacy Policy [archive]: "Microsoft collects data from you, through our interactions with you and through our products. You provide some of this data directly, and we get some of it by collecting data about your interactions, use, and experiences with our products. The data we collect depends on the context of your interactions with Microsoft and the choices you make, including your privacy settings and the products and features you use. We also obtain data about you from third parties."

HAHAHAHAHHAHAHA

Microsoft (of which Outlook is a service) is part of PRISM.

Paranoid

If only they were better, for they say all the right things! But alas, they have no Privacy Policy.

The project appears to be dormant or dead, as their Twitter's last tweet is from 2015.

They have an .onion address (paranoidlcx3y23p.onion), but it appears to only be for the mail server itself, not the website.

To activate each address (there are 5 of them), you will need a PGP key. They claim to bounce unencrypted emails sent to their @2048.email & @4096.email addresses (we tested both), but they do not (the test email was sent unencrypted and was delivered anyway). It is still encrypted by Paranoid once it arrives.

All incoming emails are encrypted using your uploaded PGP key, even if they arrived unencrypted. But this is almost totally pointless against the provider itself, as they can still read the emails before they encrypt them. Where it could be useful, I suppose, is as another layer of protection against a third party viewing your stored inbox.
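
Whether a provider that promises to encrypt everything on arrival actually did so is something you can check on the stored message itself, rather than take on faith. The Python below is an added example for this page (not Paranoid's code): it distinguishes proper PGP/MIME (RFC 3156), inline armor in a text body, & plain text. All three sample messages are constructed & the armored blob is a placeholder, not real ciphertext.

```python
"""Is a stored message actually PGP-encrypted, or only claimed to be?

Added example for this page, not code from Paranoid or any other provider.
The three messages below are constructed; the armored blob is a placeholder,
not real ciphertext.
"""
from email import message_from_bytes, policy

ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"

# Constructed PGP/MIME message (RFC 3156): multipart/encrypted carrying a
# version part followed by the ciphertext as application/octet-stream.
SAMPLE_PGP_MIME = b"""\
From: alice@example.org
To: bob@example.net
Subject: test
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA3BsYWNlaG9sZGVyIG9ubHk=
-----END PGP MESSAGE-----

--b1--
"""

# Constructed: inline ("old style") armor inside a text/plain body.
SAMPLE_INLINE = b"""\
From: alice@example.org
To: bob@example.net
Subject: test
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----

hQEMA3BsYWNlaG9sZGVyIG9ubHk=
-----END PGP MESSAGE-----
"""

# Constructed: what lands in the mailbox if the provider's promise is not kept.
SAMPLE_PLAIN = b"""\
From: alice@example.org
To: bob@example.net
Subject: test
Content-Type: text/plain; charset="us-ascii"

meet at the usual place
"""


def encryption_status(raw: bytes) -> str:
    """Return 'pgp-mime', 'malformed-pgp-mime', 'inline-pgp' or 'plaintext'."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/encrypted":
        parts = list(msg.iter_parts())
        well_formed = (
            msg.get_param("protocol") == "application/pgp-encrypted"
            and len(parts) == 2
            and parts[0].get_content_type() == "application/pgp-encrypted"
            and parts[1].get_content_type() == "application/octet-stream"
        )
        return "pgp-mime" if well_formed else "malformed-pgp-mime"
    # Not PGP/MIME: look for inline armor in any text part. Inline armor still
    # leaves Subject and the other headers readable by whoever holds the mailbox.
    for part in msg.walk():
        if part.get_content_maintype() == "text" and ARMOR_HEADER in part.get_content():
            return "inline-pgp"
    return "plaintext"


if __name__ == "__main__":
    for label, sample in (("pgp/mime", SAMPLE_PGP_MIME),
                          ("inline", SAMPLE_INLINE),
                          ("plain", SAMPLE_PLAIN)):
        print(f"{label:9} -> {encryption_status(sample)}")
```

Fetch a message you sent yourself in plain text over POP or IMAP (not through a webmail that may decrypt for you), feed the raw bytes to `encryption_status`, and you will see which of the three forms the provider actually stored. Even a "pgp-mime" result only proves the copy at rest is encrypted; it says nothing about what the server saw before encrypting, which is the point made above.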

You may experience sign up issues depending on what email provider you use when asking for an invite. I used elude.in & had no issues. According to digdeeper, there are issues with RiseUp & Disroot being rejected, & no response is received when using Autistici.

Along with the domains paranoid.email, 2048.email & 4096.email, it also includes mime.email & paranoid.is. All of these were TLS tested, & all resolved to the same servers, thus giving the same results.

None of Paranoid's mail server certificates verify.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#Paranoid

Posteo

They sound pretty good, but are paid (1 EUR a month).

They are hosted in Germany, the same place that randomly seized some of Cockli's data drives, on two occasions.

They allow signing in over Tor, but do not have an .onion address, according to baobab. It is unknown if signing up over Tor is allowed. It requires JavaScript to sign-up. Their JavaScript is open source.

A German court had ruled that they must log IP addresses [archive], but this no longer has any legal basis, as the law was changed [archive].

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#Posteo

Postman

Only available through I2P, however it can send messages to clearnet servers.

Sometimes called "I2P-Mail". Not to be confused with I2P-bote, which cannot send messages to clearnet servers, & is something else entirely.

Has no Privacy Policy. Instead it has a set of "rules" above the sign-up, which I will list here (because I know of no service that lets you archive I2P sites):
  • "Use at your own risk!"
  • "Do not use your account for criminal or illegal activity, like phishing, stalking, illegal substance trade etc etc. Abusers will be disabled immediately!"
  • "Don’t use this service to spam / harass / threat other users or internet addresses."
  • "Don’t abuse this service by sending large number of mails to a big number or recipients"
  • "Don’t use small poll intervals for the POP3 service."
  • "Do not store your mail forever. Fetch & delete your mails as soon as possible!"
  • "Delete your account, when you're done testing or finished playing around."
  • "Please report any problems to postman on IRC ( irc2p )"
  • "Don’t send mails to your normal internet mailaccount ( this weakens your anonymity)"
  • "Commercial use of this service is not allowed."

They won't be storing your IP, because you can only connect over I2P. No statement on whether email is stored encrypted, or whether they might read your email. A lot like Paranoid in this respect.

They tell you to use the odd "SusiMail" web interface (locally hosted, though) instead of a client (which they do support), because it is preconfigured for anonymity.

It took a very long time (several days) to get a "TLS From" response when testing with Postman; I suspect it was greylisted or something. Most of the clearnet mail servers seem to be non-functioning, or they have blocked CheckTLS. On the one that does work, the certs fail.

ProtonMail

You have to pay if you want to use a client. Lots of JavaScript.

Tor support could be better: the Tor link only works for the sign-in page & once you are signed in, not for signing up (that is to say, if you click "sign up" you are redirected to the clearnet site).

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#ProtonMail

Rackspace

I was unable to test TLS, because I did not purchase it and all domains are custom.

The main page says "We will never read, sell or scan your email content for advertising purposes", which is interesting, because advertising cookies are on by default and you have to turn them off in their little JS-requiring cookie-consent box.

They want your name, phone number, current email address & business name to sign up. They say the price is $2.99, but the "estimated monthly total" is $10. They do not appear to accept crypto-currency.

Has no Privacy Policy, but instead a Privacy Center [archive], & a Privacy Notice.

On the Privacy Center they admit that they track you, together with third parties: "Rackspace and our service providers or third party advertisers may use cookies, web beacons, or other similar technologies when you visit or interact with us online.".

In the Privacy Notice, they say they collect a bunch of stuff, including GeoIP Location, but not for how long, and that it might get shared with a third party.

How secure are they? Unclear. Are they private and anonymous? Definitely not.

Rediff

Their certificate fails when testing with CheckTLS. Also requires phone verification.

The Privacy Policy [archive] is ambiguous; at a bare minimum, they track you everywhere without deleting the logs.

Riseup

Far-left politics galore. Allows Tor access, has onion addresses. Requires an invite from an existing member. You are allowed to give invites after a set amount of time. On the plus side, you also get access to a VPN & XMPP account. Also has infinite free email "aliases", if that's something you are into.

According to their social contract [archive] they "ask that you do not use riseup.net services to advocate any of the following" including "Support for capitalism, domination, or hierarchy". How, or if, this is enforced, I am not sure.

They will also comply with law enforcement where they see fit [source, archive].

They do not like it [archive] if you hand out invites indiscriminately.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#RiseUp

Runbox

Questionable Privacy Policy. Site looks all messed up without JavaScript.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#Runbox

SAFemail

Most evasive site design possible. They could hide anything in this maze of documents & similar sounding names.

See digdeeper on this one if you actually care about the finer points of how they log you.

All of SAFe-Mail's certs fail.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#SAFe-mail

Safe-Mail

Requires JavaScript to browse their FAQ. Does not allow joining.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#SafemailNL

SDF

SDF, or "Super Dimension Fortress Public Access Unix System", has been around since 1987. You may wish to read the Wikipedia article, as there is some backstory to them.

They require an existing email address to sign up, and then $5 over PayPal or $1 in cash, by mail. There is also a premium "arpa" plan. An image can be seen here; they do not mention a crypto option.

Their other main flaw is that they have no Privacy Policy, so it's unknown whether they store logs, or whether email is stored encrypted.

There is webmail in the form of SquirrelMail, so there is no JavaScript required unless you choose to use PayPal.

secMail

Takes questionable ads to a whole new level. The written text appears to have been produced either by a translation program or by someone not especially adept at English. Lacks TLS; see geneticabhorrence's report.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#secmail https://geneticabhorrence.neocities.org/secmail.html

Self Hosting

This is the best option because it allows you to have near total control over your data.

There's lots of server software to choose from, OpenSMTPD among others. Either install Linux or BSD on your own box, or pay somebody (anonymously if need be) to host it for you.

Snopyta

Requires an email to signup. Then you have to request activation. The .onion addresses do not work for signing up. Signup requires JavaScript, as does the webmail client.

Now onto the TOS [archive]. The only notable thing is this, under "6. Using services for commercial activities":
"Using Snopyta services for commercial purposes is not allowed & will be treated as abuse of the service. Trading a service with third party is prohibited. Accounts created for the purpose of generating profits will be subject to termination upon inquiry. The use for any other commercial activity will be examined on a case-by-case basis & the decision to terminate such accounts will be taken on the basis of communication with the account holder & the nature of the activities concerned. If you are unsure, feel free to ask. Depending on the type of commercial activity we may allow the usage".
The aside of "If you are unsure, feel free to ask. Depending on the type of commercial activity we may allow the usage" is interesting though.

But what of the Privacy Policy [archive]? Well, they might log your IP address for 24 hours:
"To fix problems or stop attacks, it may be necessary to temporarily store access or error logs. If this is the case we store data such as but not limited to a timestamp, your IP, your useragent & the URL you access. The data collected is kept for as long as is necessary to resolve the problem, but for a maximum of 24 hours".

Mail is stored unencrypted (unless GPG encrypted): "E-Mails are stored in plaintext on the server unless encrypted by the user (GPG). The disk of the server itself is encrypted. IP addresses of logged in users are stored per device on the server as long as logged in". Also: "The maillog is kept for 24 hours".

They are also hosted partly in Germany (by the same hosting provider no less, Hetzner), the same place that randomly seized some of Cockli's data drives, on two occasions.

Could be way, way worse. Unlike RiseUp, Disroot & Autistici, they have a decent Privacy Policy without getting all political about it.

It has come to my attention that Snopyta engages in a degree of censorship, at least on their Mastodon instance(s). How this could affect the email side of things is unclear. See here: https://social.snopyta.org/@noctilucent/105331944765998730

Soverin

This is another one that makes a big deal about "privacy", but the actual Privacy Policy [archive] (which, by the way, requires JavaScript even with the archived version, AND you have to click on it! They do however have a PDF version [archive].) erodes the meaning of what they say.

Under "2. What do we use your data for?" it says "Verifying your Account through your mobile phone", "Should you lose your password, a verification code will be sent". Well, that pretty much blows all their posturing out the window. You can't be for privacy & require a "mobile" phone number; this is an oxymoron! Sure, there are probably ways around this, but you shouldn't have to resort to them, ESPECIALLY if they claim to be pro-privacy.

But wait, there's more! At the very bottom of their "Data Processing Addendum" (the PDF version 404s, so you will have to go to the same place or archive as the Privacy Policy & TOS, & click "Data Processing Addendum"), they say this under "Types of Personal Data" (meaning taken/processed): "phone number", "address" & "name (optional)". Apparently requiring your phone number is not enough; they also require your address, whilst redacting theirs from the "whois"! I suspect this is for payment, but it could be easily avoided by taking crypto-currency (such as Monero), which they appear to do (Bitcoin), through their third-party payment processor, yet they still don't say that the address is optional.

StartMail

Tor is allowed, as are clients, but you have to "create a device" in the settings & use the password they give you. With the trial, the webmail (which requires JS to log in) will tell you that you can't send messages except to support; this is not true, as you can with a client.

They do track you, but in a supposedly anonymous way, & say they don't give info to third parties.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#StartMail

Systemli

Just when I thought an email provider couldn't get any more blatantly political, I find Systemli.

Let us quote from their Terms of Service [archive]:
"The usage of our services depends on the compatibility with our self-conception", "We will prevent usage that contradicts our understanding. We reserve the right to delete the relevant accounts and related content in such cases"! Yikes!

But what is it you must agree with?

According to their "About Us" [archive] page, they see themselves as emancipatory, anti-fascist (almost always meaning the antifa mob, who are what they claim to oppose), anti-racist (this can have so many meanings), anti-nationalist (no country-based pride for you boy-o, burn that flag!), anti-capitalist (meaning no commercial use I assume), feminist (no comment).

There is no Privacy Policy detailing what they do and don't keep in terms of data, they only say on the homepage that they are a "Non-commercial provider of privacy friendly communication", "Without surveillance".

To each their own I guess, I will be staying far away from this one though.

Teknik

Logs dates & other things. The "Privacy" page [archive] leaves some things unanswered.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#Teknik

Throwaways

On the surface they seem like a good idea: You don't have to signup for an account, email is mostly for signing up to other accounts.

Look at it a tiny bit deeper, however, and this begins to not make sense. First off, there is no telling that it will actually work, because many services block not only temporary email, but even non-mainstream providers like Autistici. Temporary email is also usually for receiving email only. Since the account disappears, good luck getting a password reset.
Even if you managed to find one that wasn't blocked yet, it could end up being blocked tomorrow, which would render my rating useless.

All disposable email providers use webmail too, which is a major red-flag. You should not be using any of these!


If, however, you are still so inclined to use such a service, here is a small list of them (I vouch for none):

If you are still interested, I recommend checking out the /r/EmailPrivacy Wiki. Credit to them, as the place where I found out about many of the providers in this table.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#temp

thexyz

According to their front page they offer "Ad-free & private email for business". Where else have we seen the "for business" shtick? A bit farther down it says that they "deliver the highest standards of security, privacy". This totally falls apart when you read the Privacy Policy [archive], which requires JavaScript to be enabled, otherwise you can't view their silly spoilers. They also use "third-parties" for almost everything possible, including newsletters, helpdesk, and security.

Starting right off the Privacy Policy, without even having to "reveal" any unnecessarily JavaScript-dependent spoilers, they say "When someone visits the Thexyz website, we use third-party services, such as Google Analytics, to collect standard internet log information and details of visitor behavior patterns." So much for "Private", huh?

It does say "Visitors can opt out of Google's tracking cookie or install a browser plugin to opt out of all Google Analytics tracking software.", however the "opt out of Google's tracking cookie " link takes you to a Google page! Also, the concept of requiring a browser plugin to disable tracking, on a supposedly "private" site, is ludicrous. They recommend the "Google Analytics Opt-out Browser Add-on", I don't know if this contains spyware or not, but I would advise using uMatrix (for Firefox or Chromium & derivatives) or eMatrix (for Palemoon & derivatives) instead. For more on browser addons, see digdeeper's article on the subject.

Under "People who contact us via social media" it says that "Our website includes social media features (such as the Facebook “Like” button)", "These features may collect your IP address and which page you are visiting on our website".

How about "Disclosure of Personal Information"? Well this is comforting: "In most circumstances, we will not disclose personal data without consent.", "However, when we investigate a complaint, for example, we will need to share personal information with the organization concerned and with other relevant bodies.", which is at least a potential issue considering their significant usage of third-parties.

In case you needed them to spell it out for you, under "Collection of Information" it says "When you sign in to our services, you are not anonymous to us."

Under "Privacy of your Account" they gaslight and say "Our ad-free webmail does not have any tracking built into it"!

What utter baloney, for which they charge a minimum (just "Premium Email") of $2.95 a month (which would be $35.40 a year), plus whatever tax.

Tutanota

They talk the talk, claiming to be the most secure in the world. But do they walk the walk?

Starting off the "Privacy" page [archive]: "in case of a dispute or discrepancy between the German Data Privacy Statement and the English translation, the German version shall prevail". Oh boy! So going through it may be totally pointless!

But I did anyway, & basically, they log stuff. The logs are potentially kept for a further 30 days even after you request account deletion.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#Tutanota

VFEmail

Their Privacy Policy/TOS [archive] sucks.

According to digdeeper, the registration is broken. Making this not only a terrible choice, but totally useless.

If that wasn't bad enough, this is included in every email you send (info from digdeeper):
"This free account was provided by VFEmail.net - report spam to abuse@vfemail.net
*AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial & Bulk Mail Options!"

All of VFEmail's TLS certificates fail validation, so a client that enforces TLS (as it should) will not connect cleanly.

http://digdeep4orxw6psc33yxa2dgmuycj74zi6334xhxjlgppw6odvkzkiad.onion/ghost/email.html#VFEmail

Yahoo

Both Yahoo! & AOL are owned by Verizon Media. AT&T email redirects to the Yahoo! login &/or is merged with Yahoo! Mail. The AT&T one manages to be slightly worse, however, since you can't even load the page in Tor Browser without getting redirected to "Access Denied"!

Another laugher. First off it requires a phone number to sign up. A huge, absolutely massive, red flag. Whilst it might work with something like TextFree or another non-your-actual-personal-phone-SMS, what's the point?

Now, how about some excerpts from their Privacy Policy [archive]: "we may recognize you or your devices even if you are not signed in to our Services" [...] "Verizon Media analyzes & stores all communications content, including email content from incoming & outgoing mail. This allows us to deliver, personalize & develop relevant features, content, advertising & Services".

I think I'll stop reading & pass on these three.

Both Yahoo! & AOL are part of PRISM.

Yandex

A weird one in that it seems not to care if you use Tor (perhaps because Russian law already obliges domestic providers to retain users' communications and give the security services access to them, so where you connect from makes little difference to them).

It asks for a phone number on sign up, but has a "I don't have a phone" option which is nice, instead asking you to solve a captcha (not a Google reCaptcha, just a normal captcha which is fine) & add a security question.

Will track you. Here's an excerpt from the Privacy Policy [archive]: "collect, process and present statistical data or big data, or perform other research and/or analysis of Personal information". This is under "What are the legal basis for processing your Personal information & the purposes of it". So basically anything.

Maybe could be used as a PGP over Tor only thing, but still, what a joke.

Zoho

By their own description they are a "Unique and powerful suite of software to run your entire business", and this suite includes email.

This provider is listed on many of the lists that come up when you search for "what are the best email providers". This is not really a compliment, as those very same lists put providers such as GMail & Outlook at the top.

I was planning on looking at this provider anyway, but then I saw an advertisement on CNN about it. So here goes, starting right off with the Privacy Policy [archive]:
"we automatically log some basic information like how you got to the site, where you navigated within it, & what features & settings you use". Wew boy! Already off to a strong start I see!
What else we got? "We use this information to improve our websites & services & to drive new product development", the common excuse rears its ugly head once again.
"If you engage with our brand on social media" [...] "we'll have access to your interactions & profile information. We'll still have that information even if you later remove it from the social media site", ah great.
"We retain your personal information for as long as it is required for the purposes stated in this Privacy Policy", indefinite storage of logs/data. Deleting your account does no good!

I think it's obvious this provider does not care about your privacy or anonymity.

Also requires phone verification, even to close the account.



           Chapter 2: Email Clients           



      How to use the table of Email Clients      

TODO

      Table of Email Clients      

Name           Targeting
Claws          Desktop/GUI
Fairemail      Android
Koushin        Web (installed on server)
K-9 Mail       Android
SquirrelMail   Web (installed on server)
Mutt           Terminal/TUI

      Email Client Notes      

Claws

Not very good at rendering HTML, though HTML mail is itself an attack surface (more on this in the future), so that is not entirely a loss. It has three plugins for viewing HTML email, only one of which works in my experience (Lite HTML Viewer). One of the HTML plugins, Fancy, has apparently not worked since 2017.

Fairemail

Is on F-Droid.

K-9 Mail

Is on F-Droid.

Koushin

Apparently does not require JavaScript, being in pure HTML, according to nixnet.email. Written in Go.

SquirrelMail

No JavaScript required.

Mutt

Make sure to set ssl_force_tls (i.e. put "set ssl_force_tls = yes" in your muttrc), so that Mutt refuses to talk to a server over an unencrypted connection instead of silently falling back to plaintext when STARTTLS is not offered.
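The Mutt setting above and the STARTTLS warning in the introduction come down to one client-side rule: if the server does not offer an encrypted upgrade, refuse, rather than "connect anyway". The following is an added example of my own (not code from this page, from Mutt or from any provider listed) showing what that rule looks like in Python: it parses an SMTP EHLO reply, refuses to proceed when STARTTLS is absent, and builds a TLS context that treats a bad or mismatched certificate as a hard failure. The EHLO replies, the hostname mail.example.net and the address 203.0.113.7 are constructed for the example; nothing connects to the network.

```python
"""Fail-closed STARTTLS handling for a mail client (added example).

Two checks a client must make before it sends a password over SMTP:

  1. The EHLO reply must advertise STARTTLS. A man in the middle can delete
     that line; a client that then continues in plaintext hands over the
     password in the clear. The fix is to refuse, not to fall back.
  2. The TLS context must verify the certificate chain and the hostname,
     so an invalid certificate is a connection error, not a warning.
"""
import ssl


class PlaintextRefused(Exception):
    """Raised when the server does not offer STARTTLS (or it was stripped)."""


def parse_ehlo(reply: str) -> set:
    """Return the capability keywords from a multi-line EHLO reply.

    An EHLO reply is a run of '250-' lines ending in a '250 ' line. The
    first line is the server greeting, not a capability, so it is skipped.
    """
    caps = set()
    for line in reply.splitlines()[1:]:
        if not (line.startswith("250-") or line.startswith("250 ")):
            continue                      # not part of the 250 reply
        words = line[4:].split()
        if words:
            caps.add(words[0].upper())    # keyword only, e.g. "AUTH"
    return caps


def must_upgrade(reply: str, force_tls: bool = True) -> str:
    """Decide the next step after EHLO.

    force_tls=True is the equivalent of Mutt's ssl_force_tls: no STARTTLS
    means no connection. force_tls=False is the "connect anyway" behaviour
    that a STARTTLS-stripping MITM relies on.
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "STARTTLS"
    if force_tls:
        raise PlaintextRefused(
            "server did not advertise STARTTLS; refusing to send credentials")
    return "PLAINTEXT"


def client_tls_context() -> ssl.SSLContext:
    """TLS context that fails closed on an unverifiable certificate."""
    ctx = ssl.create_default_context()            # system trust store
    ctx.check_hostname = True                     # name must match the cert
    ctx.verify_mode = ssl.CERT_REQUIRED           # bad chain = error
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3/TLS 1.0/1.1
    return ctx


def connect_anyway_context() -> ssl.SSLContext:
    """The weak counterpart: accepts any certificate (do not use)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies chain + hostname and forbids old TLS."""
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


# Constructed sample replies (not captured from any real server).
HONEST_REPLY = ("250-mail.example.net Hello [203.0.113.7]\r\n"
                "250-SIZE 52428800\r\n"
                "250-STARTTLS\r\n"
                "250-AUTH PLAIN LOGIN\r\n"
                "250 HELP\r\n")
# The same server as seen through a MITM that deleted the STARTTLS line.
STRIPPED_REPLY = ("250-mail.example.net Hello [203.0.113.7]\r\n"
                  "250-SIZE 52428800\r\n"
                  "250-AUTH PLAIN LOGIN\r\n"
                  "250 HELP\r\n")

if __name__ == "__main__":
    print("honest server   ->", must_upgrade(HONEST_REPLY))
    try:
        must_upgrade(STRIPPED_REPLY)
    except PlaintextRefused as err:
        print("stripped, forced ->", err)
    print("stripped, lax    ->", must_upgrade(STRIPPED_REPLY, force_tls=False))
    print("strict context   ->", context_is_strict(client_tls_context()))
    print("lax context      ->", context_is_strict(connect_anyway_context()))
```

The point of the two contexts is that the weak one is what "connect anyway" / "accept this certificate" buttons amount to: the connection is encrypted, but to whoever answered, which is exactly the situation with a provider whose certificates do not validate.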

           Epilogue           

Powered by NAMAC! Licensed CC0.