r/emailprivacy


What's your holy grail of personal email address?

I have spent way too much time overthinking my email setup lately after moving away from Google/Gmail, and I'm curious where this sub stands.

If you had to pick the absolute "cleanest" setup for a private person right now, what wins?

Something like this?

- first@lastname.com

- a@last.pro (or any ultra-short domain)

- name@proton.me (or random-words@proton/tuta)

- firstname@outlook.com

Is owning your own domain still the gold standard, or does it feel a bit too "corporate" for just emailing friends?

u/Old_Telephone — 1 day ago

Beware of Aster Mail - I audited their code

I spent some time going through Aster Mail's public codebase. They market themselves as end-to-end encrypted, zero-access, post-quantum secure email. The code tells a different story.

I'm posting this because people in this community deserve to know what they're actually trusting their communications to. Everything below is verifiable from their public source code.

FULL DISCLOSURE: I am one of the founders of Secria Mail.

The critical issues:

  1. Post-quantum encryption doesn't actually exist. Their README promises "complete post-quantum protection" using ML-KEM-768. The code generates the post-quantum keys, uploads the public half to the server, then immediately deletes the secret half before saving it. It's never used to encrypt anything. They get the marketing checkbox. Users get zero post-quantum protection.
  2. "Forgot password via email" uploads the vault key in plaintext. When a user enables email recovery, the client sends both the encrypted vault AND the key that decrypts it in the same HTTP request. Anyone with database access, staff, a breach, a court order, can decrypt the vault and read everything. This single feature breaks their entire "zero-access" claim.
  3. Tor mode silently fails open. If Tor fails to start, the client sends the request over the regular internet with no warning. The user thinks they're anonymous. They're not. This is the kind of bug that gets activists and journalists hurt.
  4. The password hashing algorithm advertised is not the one used. The API says Argon2id. The code uses PBKDF2 with 310k iterations. Combined with #3, weak passwords can be cracked at hardware speed.

Other serious issues:

  1. The Double Ratchet implementation skips a required authentication step. A network attacker can corrupt the protocol state without decrypting anything. Real protocol-level deviation from the Signal spec.

  2. The desktop app exposes an unrestricted "make any HTTP request" function to the renderer. A single XSS bug, and they allow inline scripts, turns into the ability to hit internal services, exfiltrate data, and bypass Tor.

  3. Mobile biometric lock is a UI illusion. Face ID / Touch ID just toggles a boolean. No key is bound to the biometric. On a rooted phone, the lock is bypassed by changing one value.

  4. Cross-account login tokens are "encrypted" with a key stored in plaintext next to them. One XSS = takeover of every account on that device.

  5. The Tor cleartext-blocking check has a substring bug. A URL like http://evil.example.onion.fake.com/ passes the check.

  6. Inbound encrypted email signatures aren't verified. Anyone can forge messages that appear to come from anyone.

  7. Their "signed prekey" uses RSA-4096 instead of an EC key. Registration takes ~30 seconds because of this. It's a strong indicator that whoever wrote this layer didn't understand the protocol.

In plain terms: most of what they market as security guarantees aren't enforced by the code. A motivated attacker, a malicious insider, or a court order can defeat the "we can't read your email" claim today, without breaking any cryptography.

I'm not posting this to start any sort of drama. I'm posting it because I genuinely care about people's privacy and security.

Happy to answer questions or walk through any of these in more detail.

-Adrian

u/AdrianMav1 — 6 days ago
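The substring bug and the Tor fail-open described in the post above, illustrated with added example code that is not Aster Mail's or Secria's code: a hostname-based .onion check beside the naive substring match, and a routing decision that refuses rather than falling back to clearnet. The URL http://evil.example.onion.fake.com/ is taken from the post; the function names and the other sample URLs are constructed for the example.

```python
"""Added illustration (not Aster Mail's code): why a substring test for
".onion" is the wrong way to decide whether a request is Tor-only, and
what a hostname-based check plus a fail-closed policy looks like.
The URL http://evil.example.onion.fake.com/ comes from the post above;
all other sample values are constructed."""
from urllib.parse import urlsplit


def naive_is_onion(url: str) -> bool:
    """The buggy pattern the post describes: a plain substring match.
    Any URL containing ".onion" anywhere (path, query, a fake subdomain)
    is accepted, so the clearnet host evil.example.onion.fake.com passes."""
    return ".onion" in url


def is_onion_host(url: str) -> bool:
    """Correct check: parse the URL and test the hostname's last label.
    urlsplit().hostname strips userinfo and port and lower-cases the host."""
    host = urlsplit(url).hostname
    if not host:
        return False
    labels = host.rstrip(".").split(".")
    return labels[-1] == "onion"


class TorNotAvailable(RuntimeError):
    """Raised instead of silently downgrading to the regular internet."""


def route_request(url: str, tor_ready: bool, *, tor_required: bool) -> str:
    """Decide how a request may be sent; never fall back to clearnet silently.
    Returns 'tor' or 'clearnet'; raises when the policy cannot be honoured."""
    if is_onion_host(url):
        # .onion names only resolve inside Tor; there is no clearnet fallback.
        if not tor_ready:
            raise TorNotAvailable("onion destination but Tor is not running")
        return "tor"
    if tor_required:
        # This is the fail-closed branch the post says is missing: if the
        # user asked for Tor and Tor is down, stop instead of leaking.
        if not tor_ready:
            raise TorNotAvailable("Tor mode is on but Tor failed to start")
        return "tor"
    return "clearnet"
```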

Hi everyone,

I’m currently looking for a high-security email alternative to Proton and Tuta. While they are great, I need something that leans even harder into absolute anonymity and "dark" privacy for journalism and other highly delicate activities.
Here are my non-negotiables:

100% Anonymous Signup: No phone numbers, no recovery emails, and no PII (Personally Identifiable Information) required. I need to be able to spin up an account without leaving a trace.

Zero-Access Architecture: The provider must have absolutely zero access to my data. I’m looking for full End-to-End Encryption (E2EE) where the keys are generated and stored only on my end. If the provider is subpoenaed, they should have nothing to hand over but encrypted gibberish.

No Metadata Leaks: Ideally, a service that strips metadata from headers and doesn't log IP addresses (or even better, has a dedicated .onion address).

Crypto Payments: Being able to pay via Bitcoin (via Lightning or mixers) or Monero (XMR) is a huge plus to keep the financial trail non-existent.

I’m interested to hear what the community recommends in 2026 for someone who needs to stay completely off the grid. Who is currently the king of "trust no one" email?

Disclaimer: I am strictly a messenger for this inquiry. The individual behind this request does not have a Reddit account, and I am simply forwarding this on their behalf to gather expert advice.

u/a-very-nsfw — 8 days ago

Does anyone else feel like email has quietly become the weakest point in personal privacy?

Genuine question.

Between phishing attempts, spam, trackers, data breaches, verification codes, and recovery emails tied to almost everything… email honestly feels more vulnerable than ever lately.

Do people still feel in control of their inbox/privacy anymore, or are most people just overwhelmed at this point?

u/Due-Selection-7112 — 1 day ago

Yahoo replacement for senior user

So basically as the title says. My dad is getting more and more frustrated with Yahoo and how they keep adding in features that he doesn't use. He liked the "old" yahoomail from about 4-5 years ago and it's simplicity. I've gone through and turned off as many features as possible, but still it's frustrating him. Is there a good basic email that would be a dupe for him. One of the things he definitely doesn't want is ai trying to help him sort and summarize his emails. Thanks y'all.

u/424Impala67 — 6 hours ago

Help me figure out where to park my domain(s)

I'm puzzling out my email strategy. I'm curious about what others are doing.

I want:

- an encrypted inbox

- sending to/from my domain with consistent deliverability

- to keep costs down. I'm happy to pay, but I'm seeing a lot I wouldn't use in a lot of these paid plans

- "good privacy" if the service exists outside my own inbox. I don't have a full definition for this, mostly just wanting to deny megacorps the right to my data.

- want to start using aliases

- lifetime subscription preferred (but this seems rare)

I don’t care about:

- storage. I've used 6 GB in 20 years of never deleting an email in Gmail. I bet I could reduce that by deleting nonsense.

What I’ve been playing with so far:

- domain at addy.io. It's great at email aliasing itself, but I'm getting lots of deliverability problems when I send from an alias. Replying seems fine.

- been thinking about paying for Tuta. I could move everything over with all the storage you get, but there's no way to filter out notifications by email rules due to the privacy policy (but I do like how un-googled they are)

- Proton would let me separate out the notifications, but is more expensive. Only one domain, and Tuta lets you do 3 for less.

u/Wild-Plastic-4629 — 1 day ago

“What’s one simple email privacy habit everyone should start doing?”

“I’m trying to be more careful with my email privacy and I’m curious what small habits actually make a difference, like using aliases, separating accounts, checking app permissions, avoiding tracking pixels, or being more careful with signups.”

u/Wrong-Ad-8123 — 15 hours ago

We built SpamMail.org - disposable email infrastructure with aliases, custom domains and IMAP

We built SpamMail.org, a disposable email provider designed for people who want more control over temporary and privacy-focused inboxes.

Core features:

- Create custom email aliases
- Manage multiple aliases from a single account
- Use your own domains
- Use one universal inbox across aliases and domains
- Access everything through IMAP using a unified inbox

The idea is simple: one account, many identities, minimal friction.

Infrastructure and privacy:

- Hosted by us in Europe, primarily Germany
- Company based in Austria
- GDPR-compliant by design
- Data minimization: we only store what is technically required
- Built with privacy as a default assumption, not as a marketing layer

For power users, we offer additional features and support crypto payments for users who want to preserve a higher degree of anonymity.

Roadmap:

- Sending emails
- Browser extensions
- Native desktop apps
- Native mobile apps
- E-Mail forwarding

The goal is to make alias-based email management less painful, especially for power users and privacy-conscious users who do not want to expose their primary inbox everywhere.

Feedback welcome.

u/Doovester — 4 days ago

Experiences with StartMail?

I'm looking for a service with PGP on the client side, in case I need to access it from any computer, and I've seen the StartMail option.

However, based on their blog, it doesn't seem to be under development. The latest service updates are minimal, and there haven't been any major developments since 2023.

I also don't see that they have native mobile apps or a roadmap, and even the requests section of the support page has disappeared, where they themselves acknowledged that users were requesting the calendar, passkeys, etc.

Given all this, and knowing the limitations of server-side encryption, is there anyone who has been using them for a while and has contacted support to confirm that they are still there?

I don't mind using niche services, but I'd like to know your opinion on the longevity of this service.

Many thanks to anyone who can help me!


How is your experience with inbox.eu

I decided to go for privacy-focused email. I understood that Proton, Tuta and Posteo are good options. Because of my requirements I need more storage than usual. Inbox.eu provides good options at a very good price.

How is your experience with inbox.eu? In terms of privacy, support and ease of use. I do not find the inbox.eu app appealing; it's very, very basic and does not work properly. I'm using K-9 Mail as an alternative.

  1. I must have .com

  2. Posteo is not easy to remember (for me) or practical

  3. More storage

Any comments or do you suggest anything before I fully integrate to inbox.eu

u/Mr_RedExit — 3 days ago

Posteo Email Provider

So could you please tell me how strong Posteo's service is. I want to utilize it as a recovery and anonymous email. So I hope it is reliable.

u/StayQuick5128 — 4 days ago

How do you create more email accounts on Posteo and Mailboxorg?

I plan to move from gmail where I have two accounts - one for everything personal (work, finances, shopping) and one for internet activity (social media, gaming). Posteo and Mailboxorg.

My plan now is to spread it all out for the sake of security and privacy - so have one account for

- work/friends

- social media/gaming

- shopping/subscriptions

- finance

- throwaway (this one, I think I'll create a free email somewhere else since it is just a throwaway after all)

and, in addition, give aliases to some sites (e.g. create an alias for Reddit on my social email account, one shopping alias for my shopping email account etc). It's a bit overkill, I admit, but if possible, I want to make it as bulletproof as possible against all kinds of spam, security breaches.

Now my question is, before I move to one of the services mentioned, can I create several separate email accounts (so truly separate, not aliases) on one of the two providers? If so, do I have to pay for each new email account or can I somehow connect these email accounts with each other so I have to pay less? Posteo, for instance, gives you twenty aliases to use with two of them being for free. Can these aliases be replaced by another different email account? I only need 20 aliases at best, so I don't want to get the other aliases from the other email accounts and then potentially pay more.

I hope everything I ask for here makes sense. Thank you for your attention!

u/TSM_rslash — 3 days ago

Which email service do you use?

Hey guys,

So I'm currently looking for alternatives to GMX and Gmail to use as my main email. Which ones can you recommend? (Preferably I want one from Germany since I'm located here as well and the data privacy laws are (at the moment) excellent).

Thanks in advance!

u/tOBiAs202012 — 5 days ago

Generous Plans, Broken Promises - Is the Privacy Email Space Getting Better or Worse?

A r/Secria founder recently posted about vulnerabilities in r/AsterPrivacy Mail’s open source code. That’s appreciated. Most users aren’t developers, so this kind of disclosure is helpful. Always good to see devs take initiative.

Every new email provider has its flaws though. Aster Mail launched with a generous free plan and still is, to be fair. But they recently reduced the free custom domain limit from 3 to 1 without grandfathering existing users. Worse, I once saw a Reddit comment from their team admitting it was just a promotional thing and terms would change. That kind of thing really hurts reliability and trust. Hope they realise this in a positive way.

As for Secria, credit to their dev for auditing a competitor’s code. But when can we expect an audit of Secria itself? Oh wait, Secria isn’t even open source. Interesting. On top of that, Secria’s pricing is nearly on par with Proton. Why would they price it that way? The question is - would you pay for Proton or a new provider with no track record and no open source transparency, both at the same price? Ok. Let’s forget it.

I recently signed up for r/ProxiedMail. The UI isn’t great, but the lifetime plan seemed worth it. I was hoping it’d grow into something like Addy_io or SimpleLogin someday. But right after signing up, errors everywhere - couldn’t use the service or upgrade. I contacted the dev through email, Twitter, and their web chat. No reply. At least I found out early. Account deleted.

The privacy email space is growing, but trust and transparency still remain the biggest challenges for new providers. Generous plans attract users. Deleted comments and broken signups push them away. Not that complicated. r/ProtonMail, r/Tutanota, r/SimpleLogin, r/Addy_io and others have been around for a while and have set the standard. New providers are compared against them whether they like it or not. Hope to see more open audits, honest communication, and reliable services from this space. We deserve better options.

u/aslambava — 5 days ago

Mailbox has been on my radar ever since it was made official that Google is letting Gemini read my Gmail emails. So I visited the Mailbox subreddit, expecting to see questions from people who haven't paid yet but are considering it, bar that one last question. But all I saw was a lot of people complaining.

Initially that put me off but now I'm thinking maybe it's a survivorship bias thing, where people who don't have anything to complain about don't go to the subreddit.

So any good experiences from the crowd here?

u/confrontationalbread — 6 days ago

Mailboxorg vs. Posteo: Help me settle this debate

I try to move from Gmail to another provider and those two are my final candidates, but I have been struggling to decide between those two for weeks now. It's a coin flip really - except I am missing some important info. Hence my attempt to ask this community here.

My requirements:

- Allow for several emails (~5 emails)

- Allow for ~20 aliases in total that are able to be spread on the aforementioned several accounts

- Relatively private for an email provider (though those two seem to be on par)

- Reliability (not many downtimes, relatively future-proof)

- I do not need a suite - the email accounts themselves are what's important to me, nothing else

- Price can go up to ~40€ a year

And not to sound rude, but please give me facts rather than "I have been using it for X years and am comfortable with it". These answers don't really help.

Thank you for your attention!

u/TSM_rslash — 4 days ago

Hi everyone,

The Italian Data Protection Authority has just released official guidelines regarding the use of tracking pixels in emails.

Key takeaways from the press release:

  • Consent is mandatory: The Garante clarifies that email tracking pixels fall under Art. 122 of the Italian Privacy Code (implementing the ePrivacy Directive). Therefore, using them for marketing or behavioral tracking requires prior, free, specific, and informed consent.
  • Opt-in by default: Information must be transparent, and users must have an easy way to revoke consent or opt-out selectively.
  • Exceptions: Consent is not required for strictly necessary technical reasons, security, or "institutional/service communications".
  • Grace Period: Organizations and email service providers have 6 months to comply from the date of official publication (press release is from April 21).

This seems to be a significant move toward ending the tracking of open rates and IP addresses in marketing emails without user permission and you should be on the lookout as it may continue to other EU countries. I'll be monitoring this on our side as well.

Source (original in Italian): GPDP.it

u/consentmo — 8 days ago

Opinions on qrypty?

Hi guys, what do you think of the qrypty email service? I ask because there is a lot of talk about secria, astermail, tuta and proton, but qrypty seems to be the big unknown; in fact I have had a lot of difficulty finding information. It has very good qualities as an email service.

  • zero-knowledge architecture
  • anonymous routing headers via an internal relay system.
  • Integration with custom domains with end-to-end encryption.
  • Its code has been transparent from day one
  • Use of diskless nodes, i.e. nodes that operate entirely in RAM.
  • Post-quantum encryption (ML-KEM)
  • Servers in Switzerland and Iceland

Let me know your opinion, whether you have used it and what you think of the service

Thanks

u/rex00n — 3 days ago

Trying to use Thunderbird to download over 200,000 emails from Yahoo Mail

I'm working with a client who has a Yahoo Mail account that he's more than maxed out on the free tier. He would still like to use the account, so he would like all of his over 200,000 emails dating back to 2004 to be saved locally and his inbox cleared.

The issue is I can't seem to get Thunderbird to sync more than 10,000 of the latest emails.

Is there a trick to get it to download everything?

u/DizzyDisraeliJr — 4 days ago

Hi, I have a mentally unwell relative who emails me directly and then adds people I do and don't know to the email or forwards my emails on to others out of context. I'd rather communicate with them on WhatsApp, but they will only use email, and due to their illness I cannot discuss this with them.

Is there a free email platform which keeps all threads private (no one outside of my contacts can be added to a thread with me, and my emails cannot be forwarded). I realize screenshots can be taken, which I'm ok with. I tested proton mail's free version but I was able to add other people to the replies.

Appreciate any help.

Thanks

u/pink_dove — 9 days ago