Mailfence: Secure and Private Email Service (mailfence.com)
53 points by jtanderson on Dec 15, 2019 | 29 comments


I made the switch a couple of days ago. Here is my experience so far:

- interface looks better than a few years ago. It is still GWT based though, which is notably insecure (I got an NPE in a warning the other day).
- they do support multiple domains but with a limit on aliases which is quite low (10 for the base plan)
- plus addressing is nice but managing where each goes (folder) is a pain.
- no subdomain addressing
- privacy feels better with servers not in the US
- my threat model doesn't include the NSA, so I am fine having unencrypted emails if I can have IMAP instead of browser based.
- calendar is very well done and simple to use; combined with Nine on Android I replaced Google Calendar, Contacts and Gmail.

Overall I am happy with the switch.


GWT? NPE?

I am happy with Mailfence. Miss YubiKey and real two-factor (only in the browser is two-factor needed; IMAP etc. just rely on the normal password).

I have catchall enabled and can use both my Mailfence and my own domain interchangeably.

I think I signed up with a 10 minute free mail. Paid with Bitcoin. Didn't provide any personal info (as principle, didn't use VPN etc).

Set up DMARC etc. Helpful support.

Really happy overall.

I use FairEmail for email and Simple Contacts + DAVx5. Works really well.


Not OP, but IIUC: GWT = Google Web Toolkit, NPE = null pointer exception.


Thanks. How can I detect if GWT is used?


You will see GWT transfers in the network explorer.
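Added example, not from the thread: a small Node.js script that applies the fingerprints a GWT app leaves in a browser's network panel (bootstrap `*.nocache.js`, compiled `*.cache.js` permutations, the `text/x-gwt-rpc` content type, `X-GWT-*` headers and the pipe-delimited GWT-RPC body) to a constructed set of captured requests. The URLs, headers and bodies are made up; the request object shape is an assumption.

```javascript
// Constructed sample of what a browser network panel would show; not real traffic.
const SAMPLE_REQUESTS = [
  { url: 'https://example.invalid/app/app.nocache.js', method: 'GET', headers: {}, body: '' },
  { url: 'https://example.invalid/app/9F1A2B3C.cache.js', method: 'GET', headers: {}, body: '' },
  { url: 'https://example.invalid/app/mail/rpc', method: 'POST',
    headers: { 'content-type': 'text/x-gwt-rpc; charset=utf-8',
               'x-gwt-permutation': '9F1A2B3C',
               'x-gwt-module-base': 'https://example.invalid/app/' },
    // GWT-RPC body: version|flags|stringCount|strings...|integer refs...
    body: '7|0|4|https://example.invalid/app/|ABCDEF0123456789|com.example.MailService|listFolders|1|2|3|4|0|' },
  { url: 'https://example.invalid/api/v1/folders', method: 'GET',
    headers: { accept: 'application/json' }, body: '' },
];

// Return the reasons a single request looks like GWT traffic (empty = not GWT).
function gwtIndicators(req) {
  const reasons = [];
  const h = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  if (/\.nocache\.js(\?|$)/.test(req.url)) reasons.push('bootstrap script *.nocache.js');
  if (/\.cache\.(js|html)(\?|$)/.test(req.url)) reasons.push('compiled permutation *.cache.js/html');
  if ((h['content-type'] || '').includes('text/x-gwt-rpc')) reasons.push('GWT-RPC content type');
  if (h['x-gwt-permutation']) reasons.push('X-GWT-Permutation header');
  if (h['x-gwt-module-base']) reasons.push('X-GWT-Module-Base header');
  if (/^\d+\|\d+\|\d+\|/.test(req.body || '')) reasons.push('GWT-RPC pipe-delimited body');
  return reasons;
}

// Pull the string table out of a GWT-RPC request body so the service and
// method being called can be read off (index 2 and 3 in the sample above).
function parseGwtRpcBody(body) {
  const parts = body.split('|');
  const count = parseInt(parts[2], 10);
  return { version: parts[0], flags: parts[1], strings: parts.slice(3, 3 + count) };
}

// Summarise a whole capture: does the site use GWT, and which requests show it?
function detectGwt(requests) {
  const hits = requests
    .map(r => ({ url: r.url, reasons: gwtIndicators(r) }))
    .filter(r => r.reasons.length > 0);
  return { usesGwt: hits.length > 0, hits };
}

console.log(JSON.stringify(detectGwt(SAMPLE_REQUESTS), null, 2));
```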


I've been all in on secure email, and friends the last week or so since buying yet another domain. It's really a painful world. The tradeoff continues to be that Google and Microsoft both provide a tonne of value (and security) for $5/month/user. At the same time the obvious tradeoff on privacy and anonymity is made :(.

The secure email services provide far less product-based value, though clearly the security and lack of ad tracking is there.

Ultimately the market will declare - but currently people overwhelmingly choose brand (Google) and feature-based value, whilst giving up their privacy. It's quite frustrating.


>The secure email services provide far less product-based value, though clearly the security and lack of ad tracking is there.

I have thought about this as well. What do you think could be added to secure email services to make the value more appealing?

In the dark distant past, ISPs of old would include email as a side effect of their data services including shell accounts, user file hosting, and maybe even CGI-BIN, if you paid.

The only thoughts I have had were to bundle some kind of VOIP/SMS package along with the secure email offer. Perhaps some startup MVNO could also include secure email and other advanced features along with their mobile data services.

All of this seems pretty far fetched, as email looks to be as niche of a product category as Premium IRC.


> as email looks to be as niche of a product category as Premium IRC

It's another feature checkbox among other features... and few even really consider it a high priority feature. For Google/MS commercial options include an office suite, even if the cheaper options are web only, which is still a pretty good value add. Not to mention network effect on "free" versions.

What it comes down to is that it's very hard to compete with a perception of free. In the end, most people aren't afraid of their government spying on them, with an "I've got nothing to hide" attitude about it. Prior to Snowden's leaks, my own thoughts were that there was too much data to do anything with; I was deeply wrong.

In the end, if you wanted to compete, you'd have to get a web office suite at least better than Google Docs and undercut both Google and MS on price. Or maybe go the Apple route and provide best of breed integration and apps... unfortunately there's money to be made and competing with MS and Google would be very difficult. I'm not sure there's enough support for open-source to aid a startup to have a self and commercially hosted option... of course then there's the AWS path where they're suddenly offering your software and undercutting you.


I think you're bang on, except that VOIP is even more niche than secure email. Ultimately I think the problem is that email is effectively a commodity - domain providers, hosting providers... well they pretty much give it to you for free.

Google and MSFT seem to be competing on a value proposition like the full suite of office needs, even if it's for your person. I may be wrong, but I don't think that the average facebook using, instagram reading person even cares about email.


I don't think people choose brand and feature-based value; they choose a reliable mail provider. See https://news.ycombinator.com/item?id=21577413


I recently switched to Mailfence after briefly using Mailbox.org. My issue with Mailbox.org was getting IMAP mail, calendar, and contacts synchronized across Mac and iOS. Mailfence worked perfectly with Exchange ActiveSync for iOS and IMAP/CardDAV/CalDAV for macOS.

My requirements were:

1. Support my own domain

2. Support IMAP, CardDAV, and CalDAV

3. Privacy friendly country

Some alternatives I looked at and rejected were:

* Posteo - Doesn't allow domains

* Fastmail - The Assistance and Access Bill of 2018 makes Australia a privacy unfriendly country (also part of the Five Eyes)

* Protonmail - Doesn't support standard protocols and IMAP bridge was flaky


They want a minimum 7-character login, and first & last name; then it seems you can't just type your desired actual address's name@mailfence.com, instead you have to select from a short list of varied combinations of login, first, last. I just changed my first name to the short name I wanted and went back to that list, and as expected, it appeared as an option. I picked it, I restored my real name, everything is OK AFAICT. Still, I wish vivaldi.net and mail.com would get on the 2FA train... especially the former.


This seems like yet another "secure email" provider where the cryptographic security is cosmetic, because it's delivered over HTTP requests that can, with every individual backend fetch, silently override the encryption or exfiltrate keys.

Also, their "we take software security seriously" blurb is weak:

> We use operating systems and open source software that take security seriously. However, software has bugs. In most cases, an update for a security problem will be available within minutes/hours of the original report. We perform the update as soon as it is available and validated.

Applying patches is table stakes. What portions of their stack, including their own code, have they actually had audited? Do they have software security engineers on staff? Is there a /security page somewhere on this site that explains where to report vulnerabilities?


If browser based, is there anything better than HTTPS? IMAP + PGP?

My own take: you can't trust any web-based solution. But you can choose a provider which plays nice with open standards, supports EFF and OpenPGP, etc.

I don't let Mailfence handle my keys, but I liked that they, on every level, let me do what I want.

And I like that they let other people trust them to handle their PGP keys, thus helping that ecosystem.


> If browser based, is there anything better than HTTPS? IMAP + PGP?

I guess Electron might be a reasonable application to quickly move your crypto code from the website to a local client so that a compromised server can't simply backdoor it. But then you want it to auto-update for security issues and you're back to square one. And if someone inspects the source code of each update (they won't), they'll just be slower updating and either run the old (vulnerable) code for longer, have forced and unscheduled downtime (while looking at the diff), or run the new code before it has been vetted.


Security/privacy aside, it's a bummer that it doesn't mention multiple domains per account. I have ~20 different domains tied to my sole Fastmail account.


I didn't know you could do that with Fastmail.


You're probably not alone. I just noticed that they don't list it on their pricing plans either. So either I'm grandfathered into it or they're messing up their marketing.


How do you evaluate the security or privacy of providers like this one? I think years ago they or one of their fans went all over Quora and Reddit saying good things about it, but I wasn't sure in the end how to evaluate their claims or find independent reviews and ended up switching to ProtonMail.

While I used it, it was good at least. Setting up a custom domain at the time required sending the company an email, IIRC?


I think catchall and DMARC required an email. Yes, a bit odd maybe. But hey, a human responded within 15 minutes.


Can anyone highlight differentiators vs [ProtonMail, Fastmail, ...]? What advice for someone busy but technical, looking to get off Gmail?


I read the title too quickly and saw "Mailfeasance"

It would be a great name for an email service catering to spammers and scammers.


Wants an email... to sign up for email? Lolwut?


Claims to be "browser-based", so I'm going to guess Electron. Also mentions OpenPGP and a Belgian HQ for legal protections. Though I'd guess they'll also need to only hire Belgian developers to maintain the claim that they're outside the reach of other governments.


Some countries have a better or worse history on personal and political freedoms than others. Doesn't mean it will always be the case.

Beyond this, you can create solutions that can prevent even yourself from certain types of snooping without a lot of additional work. This is a place where I think available source helps, if not open.

In the end, you pick your battles. Even if you self-host, there are risks.


Are Belgian developers immune to insert-evil-country-of-choice bribing, extortion, or just being plain evil?

Are we still doing this "Oh, they are nationality so they are spies!" thing?


> Are we still doing this "Oh, they are nationality so they are spies!" thing?

Stereotyping is counterproductive. Still, based on recent changes in Australian law I can see why some organisations may pause before using services based there, or which rely on Australian contractors who may be compelled to compromise systems. So any companies boasting of their jurisdiction should not be immune to skepticism about how robust that distinction is in practice.


> Are we still doing this "Oh, they are nationality so they are spies!" thing?

Looks like HN still does that. One of my comments earlier today was calling someone out who said it may or may not be a problem for you that the developers of some IDE are part-Russian, part-Czech[1]. I'm getting mixed up- and downvotes on a comment saying that I find this a harmful generalization (with no replies, by the way, so I don't know if maybe the downvoters didn't like a typo that I made, if they think xenophobia is fine, or anything in between).

[1] https://news.ycombinator.com/item?id=21797069


Browser based as in: go to a website where you are served HTTP.

