Email is a very old internet standard, predating the world wide web. It was first defined in 1982. It was updated in 2008 and remains in widespread use. It’s not a great protocol by today’s standards, but we’re all stuck with it. You almost certainly already have an email account. Although everyone has an email account, not everyone understands how email works or how to make the most of their account. Almost everyone with an email account just chose the first free, convenient option available for an email service provider. I know that’s what I did at first. Most people just use Gmail, Outlook, Yahoo, AOL, or one of the other top providers. Knowing this has motivated me to write this post because I fear that others are missing out on a better email experience.
Choosing an Email Service Provider
The first step before using email is choosing an email service provider. Email is a federated protocol. This means that no single entity “owns” email. If you want, you can create your own email provider and use it. Instead of firstname.lastname@example.org, your domain would be something like email@example.com. But running your own mail server can be expensive and time-consuming. Mail servers also have many moving parts and require maintenance, so I won’t be writing about how to set up your own mail server. It’s just not a realistic option for non-technical users of email.
The best alternative to self-hosting is to pick an email service provider wisely. This list is obviously subjective, but here are some criteria which a good email service provider will meet:
- Only free software
- IMAP/POP3 support
- No logs policy
- Inside a privacy-respecting country
- Transparency reports
- Anonymous sign up
- Anonymous payment methods
- 2-factor authentication (TOTP)
- Inbound encryption (PGP)
- Tor support
- Sustainable business model
- Support team / help center
- Migration support
Privacy and Security
The email provider should have a policy of not keeping logs. This brings me to my next and important point that the email provider needs to reside within a privacy-respecting country. The legal requirements for collecting logs and sharing user data are going to differ depending on which country it’s in. Using an email provider based in the US or the UK is a very bad idea. Those countries don’t have strong privacy considerations and your email data (and metadata) won’t be safe. Email providers in those countries can’t guarantee safety of your emails. You can get a lot of information about what data is collected just by actually reading the Terms of Service when you sign up. Don’t use an email provider like Gmail, Outlook, or Yahoo that logs all your emails and sells them to advertisers. If it’s in the Terms of Service that the service shares non-trivial data with third parties, then that email service is garbage and you shouldn’t use it. In fact, good email providers will never share any data without a court order first. In order to take an email provider’s claims of protecting your data seriously, the email provider should have a transparency report providing as much detail as is legal about what information they can be forced to turn over, when, and how often it actually happens.
Also, email providers can’t share information about you they don’t have. If the email service provider offers anonymous sign up (they don’t request your name, address, phone number or other PII), this is a good sign. They should also offer anonymous payment mechanisms (cash or cryptocurrency). You should not provide personal information just to sign up for an email account. Any email service that requires you to probably doesn’t care very much about your privacy. For security, your email provider should use two-factor authentication to prevent your account from being stolen. In your browser, check the email service’s website for TLS 1.3. If the email service website doesn’t support TLS 1.3, that’s a bad sign. Check that they support DANE/TLSA. They should claim to encrypt the hard disks of the email server or the email accounts themselves to prohibit data theft. They shouldn’t ever send any email data unencrypted. It should always use TLS. The email service should provide you with “inbound encryption”. Inbound encryption means you can generate a keypair and provide the email service your public key to encrypt your emails with. This means the email service encrypts your emails, as they are received, on their servers with a key only you have access to. If your emails are later stolen or requested via court order, the service will only be able to provide encrypted versions of your emails unreadable to anyone except you.
Another good sign is if the email service supports access over Tor. The webmail client should support access over Tor Browser. It shouldn’t block tor connections. If it has an onion address, then the email service went through extra trouble for Tor support. As I said, email providers can’t share information about you they don’t have. If you connect over Tor, you are protecting your IP address. That means you don’t have to trust the email service not to log your IP when you access email.
I’ve gone over some of the technical details, but I haven’t mentioned the business model yet. When you sign up for an email service, you need to check how they are supporting the service financially. There’s a famous adage about online products: “If it’s free, you’re the product”. Unless your email service provider is a subscription service, donation funded or the host is just an altruist, then your emails and metadata are probably being sold to advertisers. Also you’ll want to make sure they are “well-established”. The service provider shouldn’t be too obscure. This is subjective but you probably want a few thousand other people to also be using the service. This is an indicator that the service is reliable. People want email to “just work”. If it has lots of downtime, is slow or it doesn’t work well, it won’t take long for people to switch to another service. Another indicator of reliability is that it has been around for a few years without major data breaches. If there have been data breaches, was the email service quick to respond? Do they have a dedicated 24/7 support team or help center for answering any questions you might have? If you can’t get your emails one day, will you have somebody to contact for support? A highly available, quick-to-reply support team is a good sign that the email service is competent. The email service should also have migration support. Migration support makes it easier to switch email providers if you ever want to use a different one.
Nothing I’ve mentioned gives you a 100% guarantee that the email provider is secure, will stay in operation, doesn’t sell your data to advertisers, or is competent. But the more criteria that the email provider meets, the better the chances that it’s a good one. At some point you have to say “Okay, this email service meets so many criteria of being ethical that it either actually operates ethically or is so good at faking it I could never hope to tell the difference anyway”. Once you do enough research where you can confidently say that, then you should consider using it. There are other features email services provide that I haven’t mentioned such as email aliasing and email storage space. Those depend heavily on how you use email and if I listed all possible features of an email service, I’d never finish this post. But I think I have covered some of the key features to look for when choosing an email service.
Using an Email Client
Since most email users have been totally spoiled by the web, they have never heard the terms POP3 and IMAP. When you use an email client, you will have a choice of which protocol you prefer. POP stands for Post Office Protocol. The first version of POP was created in 1984. POP3 fetches emails from the remote email server, then deletes them from the server. It can be configured not to do that, but that’s its main benefit. If you only check email from a single device and you don’t want your emails hanging around on someone else’s computer, then POP is the way to go. Sent emails are stored in the client you sent them. Deleted emails are only deleted in the client you deleted them in. So POP is not a good protocol if you are using multiple devices to check email. It doesn’t try to sync across devices. POP is also good to use if you have very little space allocated to you on the remote server, but you regularly send and receive large email attachments.
IMAP stands for Internet Messaging Access Protocol. It was created in 1986. IMAP makes use of the remote email server. All messages are stored on the remote server. When you delete an email, it is deleted on the server. When you send an email, it is stored on the server. When you read an email, the server marks it as read. If you switch devices, your email inbox will look the same. It has a consistent experience across multiple devices. This is probably what you want to use most of the time.
Email Use Cases
The best time to use email is when it’s required. When you’re signing up for a website that requires email for instance. You don’t have to only have 1 email account either. I use several email aliases depending on the purpose. You can use different email accounts for every service you sign up for if you want. There’s throwaway email accounts available if you need to send or receive email quickly and then ditch the account. I wouldn’t recommend using email for receiving newsletters or information that you have another way of accessing. I might make another post talking about RSS, but it’s basically a web feed. RSS readers can pull content from all the websites that support RSS that you’re interested in without you actually visiting those sites. It’s a similar experience to using an email client, but with less of a digital footprint. With email, your email server has a record of which feeds you are subscribed to. With RSS, there is no “account”. No digital footprint showing you subscribed to that feed is necessarily created. If you anonymize RSS over Tor, then even a passive adversary like your ISP will have a hard time figuring out which news feeds you read. Even if you just visit the news site directly, that’s still arguably better for your privacy in terms of minimizing your digital footprint.
In summary, the most privacy-preserving way to use email is to avoid using email for anything except website sign ups. Ironic, isn’t it? I just wrote paragraphs about the best way to use email and now I’m saying that you should avoid using it for most things. If you have the will, you can use a new email account for every site you sign up for to further enhance privacy. Using an email client will make it easier to manage so many accounts at the same time. You won’t have to reenter all your passwords every time to check your emails. If you are signed up for lots of services, this could be impractical. You might consider using several email accounts for “categories” of services instead of a separate email account for every single service you sign up for. The benefit of this is you don’t have all your eggs in one basket. If one of your email accounts gets compromised or snooped on, the others remain unaffected. Also keep in mind throwaway email services for one-off sending and receiving of emails.
If and how you segregate out your email accounts is up to you. This is just an optional extra step you can take. Using multiple email accounts doesn’t always make your emails more private or your accounts more secure. It just improves “unlinkability”. A common example of this is having a personal email and a work email. Keeping your personal life and your work life separate is important for many people. You wouldn’t want your workplace to know all the services you’re signed up for and you wouldn’t want to be receiving work emails on your personal email account.
Those are my tips for getting the most out of email. It’s a lot of information to take in, but I wanted to be thorough. My motivation for writing this post as I said in the beginning was seeing the way most people use email. Until we have a widespread protocol that supercedes email, we should at least get the most out of it. And the way most people are using email right now is the absolute worst way to use it. There’s a lot of things in computing that aren’t harder to do a different way, it’s just that people haven’t been shown the better way of doing things. Most people don’t know anything beyond webmail despite the fact that email predates the web. I wrote this post to promote my preferred way of using email. I hope you have found it useful.