Secure Communication
crypto nut


For communication apps, the person at the other end has to use the same software.

Browser add-ons:
SafeGmail (GMail only; Chrome only) (Chrome add-on, or client app; encrypt/decrypt blocks of text in any web page)

Other solutions require you (and person at other end) to change email providers or use different applications. Not feasible, in my opinion.

In your email client, if possible, turn off automatic display of HTML, images, and JavaScript. It's dangerous to let some random person send you a piece of software that executes in your client.

Don't just start using a service and assume it's totally secure by default. Go through all the account settings and maybe dial them down tighter.


  1. Buy a domain name through a registrar such as Hover

  2. Buy email service (I like Migadu, but they don't have a phone app, I think) that allows/requires use of a custom domain, and allows wildcarding or infinite email addresses. Decide if IMAP access is important to you (see next step), because some services don't have IMAP or make it hard.

  3. Decide if you want to access the email through their custom phone-app, their webmail client, or through a generic desktop client (e.g. Thunderbird) and generic phone client (e.g. K-9 Mail) using IMAP. Advantage of the generic clients is that you can access email accounts from multiple services (plus calendar and address book and RSS and maybe some chat) in one app.

  4. Start using a password manager (e.g. KeePass), if you aren't already, so you can track all your accounts and what email address you've used with each.

  5. Slowly change all of your online accounts from old email address(es) to new email addresses. It will take a long time to get them all switched over. I feel you never can delete the old email account(s): stray messages will keep popping up there even years later, and you may have set them as recovery addresses on various accounts.

I'm ending up on Hover, Migadu, Thunderbird on Linux, K9-Mail on Android, KeePassXC on Linux, Keepass2Android Offline on Android, after trying a bunch of services and apps. But your needs and choices may differ.

Email client application vs. browser:

Also called "desktop" vs. "webmail".

A desktop / client application (such as Thunderbird) is better:

Webmail / browser is better:

Some security guys say it's safer to use browser-based email instead of a client application (such as Thunderbird). The browser is somewhat of a sandbox, and highly tested, and you need it for other reasons too. A mail client application is an additional complex piece of software that possibly is less secure. Same cautions apply to email application and browser: keep it updated; using more plug-ins increases attack surface and risk of bugs/vulnerabilities.
But, Thunderbird and Firefox both are made by Mozilla, so maybe Thunderbird is pretty secure.

With a client app, use IMAP or POP3 to connect to the server. POP3 requires all messages to be downloaded to the client, so you can't have multiple clients (e.g. laptop and phone) accessing the same messages. And POP3 only handles Inbox; you can't do multiple folders ?

Likely future: JMAP

Email desktop client apps:

Interlink (fork of old version of Thunderbird)
SeaMonkey (internet app suite with some shared heritage with Thunderbird)
KMail (Linux only)
Evolution (Linux GNOME 3 only)
Outlook (no Linux)
Mailpile (client is in browser, accessing a local web server)
RainLoop (client is in browser, accessing a local web server)
Mailbird (Windows only)
Claws Mail (GTK+)
Geary (Linux GNOME 3 only)
Kube (no Windows)

"I use Mailspring and Thunderbird. I use Thunderbird to create rules and do various types of mail organization. Mailspring, I use for actually reading the mail, and for responding."

Heinz Tschabitscher's "Access Your Yahoo Mail Account With Your Email Program Using IMAP"
Yahoo's "IMAP server settings for Yahoo Mail"

Salman Khan's "Combined Desktop Client for Gmail, Slack, WhatsApp, etc."

Android client apps (as of 10/2019):

For me, phone app will be a backup to the desktop app, not my main mail client.
I need: free/cheap; IMAP support; not from a major company.
I want: PGP support; no ads; open-source.

Other client apps such as GMail can do IMAP to multiple services, not just their "home" service.

I dropped some other apps out of the list because they send email through their own servers, or no new release in a long time, or ads.

Every single email app in the Google Play Store, it seems, has some reviews saying "best ever, works perfectly" and other reviews saying "flaky, was good but no more, drops messages, etc".

From someone on reddit 10/2019:
The main problem with BlueMail, TypeApp, Edison, Spark, Newton, and Outlook, is that they use their own servers to access your email. They act as an intermediary between you and your email provider, so they have access to your email contents and/or metadata. This is not good from a privacy standpoint.

Apps such as Nine, Aquamail, Maildroid, K-9, and FairEmail access your email provider directly without using any 3rd-party servers, so they are preferable from a privacy standpoint.

I chose K-9 Mail

Custom domain:

Get your own custom domain, and use it as your email address, but actually use a commercial service to host the email. You can do this with ProtonMail (paid) and other services. That way, if later you decide to change services, your email address doesn't change.

But it's a little odd from a privacy point of view. An email address such as "" isn't hiding your name or identity from anyone; an address such as "" does hide your name.

Another downside: after you die, if your domain registration lapses, someone malicious could take over the domain, create their own email addresses to match yours, and attack your other accounts.

A custom email domain may be easier for some attacker to exploit. If you just use GMail, you're relying on GMail's admins not to get fooled into doing an attacker's bidding, and relying on GMail's domain registration and DNS and mail servers to be solid. If you use your own domain, you're relying on the admins of your domain registrar, DNS service, and mail service not to get fooled. Most likely, Google's setup is safer than your setup.

One huge advantage of a custom email domain: for sites that force you to use email address as login username, now you can have a unique email address for each site. Make an email address such as "fb9999@MYDOMAIN" to use as your login for Facebook, and don't use that address anywhere else. Makes it harder for an attacker to trace you across sites, and figure out your login username for each site.

So, I would like to find an email service that is:

Possibilities: Starter Email (€24/year)
ProtonMail (€48/year, but I already use ProtonMail free; IMAP requires paid and bridge)
Migadu (free plan is limited to 10 outgoing messages per day)
Disroot (article)
Tutanota ? (no IMAP)

Pinoy Newbie's "How to get a free email for custom domain with IMAP/POP3/SMPT support"

Email alias addresses:

The service I chose (Migadu) lets me use unlimited addresses, with a catch-all that feeds them into one mailbox. So I can use a different email address on every site, without using funny chars such as "+" in the name. Have to use a password manager to keep track of all of them.

Other services also support aliases, usually with some special format such as "". Maybe it's fairly easy for spammers to see that it's an alias, and strip off the "+extrastuff".

Tricky: check to see if your service will let you reply properly to an email that came in to an alias address; the "from" address of the reply should be your alias address, not your real mailbox address. I think many services do this properly.

Tricky: check to see if your service will let you originate an email from an alias address; the "from" address of the new message should be your alias address, not your real mailbox address. I think many services DON'T do this properly.

DNS and MX and SPF and DKIM and DMARC:

Once you have an email service, you have to set your domain's DNS records to point to the email server (MX records) and control how email is handled (DKIM, SPF, DMARC records). The service should have Help pages that direct you through the process. Your DNS service may also have Help pages or web forms to help you. The two may not quite match, so you might have to figure out a few things.

These are DNS records that the receiver of a message supposedly from this domain can use to check the message.
  • SPF (Sender Policy Framework): specify mail servers this domain will be sending mail from.

  • DKIM (DomainKeys Identified Mail): crypto keys to sign critical parts of the message before sending.

  • DMARC (Domain-based Message Authentication, Reporting and Conformance): specify whether SPF/DKIM/both are being used, and how failures should be handled.

JonLuca's "Email authentication: SPF, DKIM and DMARC out in the wild"
Andy Gill's "Mail Technologies (DKIM & DMARC) - Part 2"

dmarcian's "DMARC Record Wizard" (create DMARC record)
The DMARC record I started with contained "v=DMARC1; rua=mailto:MYADDRESS;".
After everything worked for a while, I changed to "v=DMARC1; p=quarantine; rua=mailto:MYADDRESS; ruf=mailto:MYADDRESS;".
Later changed to "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;pct=100;fo=1;rf=afrf;ri=345600;rua=mailto:DMARCIANADDRESS;ruf=mailto:MYADDRESS". (strict everything)
dmarcian's "DMARC Inspector" (evaluate existing DMARC record)

Your DNS changes may take hours or days to be visible to other services, depending on the TTL settings on your previous DNS records.

After you send some email from your domain to some of the big domains such as Google, they may send a DMARC "aggregate" report to you at the "rua" address specified in your DMARC record. Pretty boring; set the frequency to every 3 months or something ("ri=604800" for 1 week, "ri=7862400" for 13 weeks).
Amy Gorrell's "How to Read Your First DMARC Reports (Part 1)"
MXToolBox's "Dmarc Report Analyzer"
EasyDMARC's "DMARC Aggregate Reports"
If there's some failure, giving an IP address, you could do a lookup using WhatIsMyIPAddress or similar.

Despite setting "ri" to "" in my DMARC records, big services were sending aggregate reports every 1 to 6 days. Instead of handling them yourself, sign up for a free service such as:
DMARC Analyzer (the "freemium" plan)
Report URI
I created a free account with dmarcian, changed RUA in DMARC record to use a custom email address from dmarcian. They also force you to change your policy to "reject". But I find their dashboard hard to understand.
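As an added example (not from these notes, dmarcian, or any of the linked tools), here is a small Python script that reads one aggregate report and summarizes, per source IP, how much mail passed DMARC and which disposition was applied. The XML is a constructed sample in the RFC 7489 report layout using documentation-range IPs; real reports arrive as a gzip or zip attachment, so unpack one and pass its XML text in.

```python
"""Summarize a DMARC aggregate (rua) report.

Added example, not the page's code. SAMPLE_REPORT is a constructed
report in the RFC 7489 Appendix C layout: one source that passes
both SPF and DKIM, and one source whose SPF passes only for an
unrelated domain, so it fails DMARC alignment and gets rejected.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.invalid</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1570000000</begin><end>1570086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>mydomain.example</domain>
    <adkim>s</adkim><aspf>s</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>12</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>mydomain.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>mydomain.example</domain><result>pass</result></dkim>
      <spf><domain>mydomain.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>3</count>
      <policy_evaluated>
        <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>mydomain.example</header_from></identifiers>
    <auth_results>
      <spf><domain>other.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return (published_policy, per_source) for one aggregate report.

    published_policy: the policy_published tags as a dict (p, sp, adkim...).
    per_source: source_ip -> {"count", "aligned_pass", "dispositions"}.
    A message counts as passing DMARC when the receiver's policy_evaluated
    block shows an aligned DKIM pass or an aligned SPF pass.
    """
    root = ET.fromstring(xml_text)
    policy = {child.tag: child.text for child in root.find("policy_published")}
    per_source = defaultdict(
        lambda: {"count": 0, "aligned_pass": 0, "dispositions": set()})
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        dkim_ok = evaluated.findtext("dkim") == "pass"
        spf_ok = evaluated.findtext("spf") == "pass"
        entry = per_source[ip]
        entry["count"] += count
        if dkim_ok or spf_ok:
            entry["aligned_pass"] += count
        entry["dispositions"].add(evaluated.findtext("disposition"))
    return policy, dict(per_source)


def failing_sources(xml_text):
    """IPs that sent any mail failing DMARC for your domain.

    These are the addresses worth looking up (see the WhatIsMyIPAddress
    note above): either a legitimate sender you forgot to authorize,
    or someone spoofing your domain.
    """
    _, per_source = summarize_report(xml_text)
    return sorted(ip for ip, e in per_source.items()
                  if e["aligned_pass"] < e["count"])


if __name__ == "__main__":
    policy, sources = summarize_report(SAMPLE_REPORT)
    print("published policy:", policy["p"], "/ subdomains:", policy["sp"])
    for ip, e in sources.items():
        print(ip, e["aligned_pass"], "of", e["count"], "passed;",
              "dispositions:", sorted(e["dispositions"]))
    print("sources to investigate:", failing_sources(SAMPLE_REPORT))
```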

If any malformed email message is sent from your domain to one of the big domains such as Google, they may send a DMARC "forensic" report to you at the "ruf" address specified in your DMARC record.
Amy Gorrell's "How to Read Your First DMARC Reports (Part 2)"

After reading JonLuca's "Email authentication: SPF, DKIM and DMARC out in the wild",
I changed my SPF record (Migadu is my email service) from:
"v=spf1 a mx ~all"
to:
"v=spf1 mx -all"
MXToolBox's "SPF Record Check" (also check "blacklist:YOURDOMAINNAME")
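To see what each of those records actually asks a receiver to do, here is an added example (my own code for these notes, not from Migadu, dmarcian or MXToolBox) that parses a DMARC TXT record into its tags, parses an SPF record, and flags the weak settings. It is fed the three DMARC records and the two SPF records listed above, with the mailto: placeholders kept as written.

```python
"""Parse DMARC and SPF TXT records and point out weak settings.

Added example, not code from the page's author. The DMARC_RECORDS
list is the progression of records quoted in the notes above
(placeholder mailto: addresses kept as-is).
"""

DMARC_RECORDS = [
    "v=DMARC1; rua=mailto:MYADDRESS;",
    "v=DMARC1; p=quarantine; rua=mailto:MYADDRESS; ruf=mailto:MYADDRESS;",
    "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;pct=100;fo=1;rf=afrf;"
    "ri=345600;rua=mailto:DMARCIANADDRESS;ruf=mailto:MYADDRESS",
]

OLD_SPF = "v=spf1 a mx ~all"
NEW_SPF = "v=spf1 mx -all"


def parse_dmarc(record):
    """Split a DMARC TXT record into a lower-cased tag -> value dict.

    Tags are ';'-separated tag=value pairs; the record must start v=DMARC1.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def dmarc_findings(tags):
    """Return a list of weaknesses in a parsed DMARC record.

    Mirrors the progression in the notes: monitor-only, then
    quarantine, then reject with strict alignment for everything.
    """
    findings = []
    p = tags.get("p", "none")
    if "p" not in tags:
        findings.append("no p= tag: receivers fall back to monitor-only (p=none)")
    elif p == "none":
        findings.append("p=none: failures are reported but mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    if "sp" not in tags and p != "none":
        findings.append("no sp= tag: subdomains inherit p=; set sp= explicitly")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append("%s=r (relaxed): any subdomain of yours passes alignment" % tag)
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append("pct=%d: policy applied to only %d%% of failing mail" % (pct, pct))
    if "rua" not in tags:
        findings.append("no rua= address: you will not get aggregate reports")
    return findings


def parse_spf(record):
    """Return (mechanisms, all_qualifier) for an SPF record.

    mechanisms: list of (qualifier, mechanism) pairs such as ('+', 'mx').
    all_qualifier: the qualifier on the trailing 'all' ('+', '-', '~', '?'),
    or None when the record has no 'all' term.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier


def spf_findings(record):
    """Return weaknesses in an SPF record, in the spirit of the change above."""
    mechanisms, all_q = parse_spf(record)
    findings = []
    if all_q is None or all_q in "+?":
        findings.append("no restrictive 'all': any host may send as this domain")
    elif all_q == "~":
        findings.append("~all (softfail): unlisted senders are only flagged, not rejected")
    if any(m == "a" for _, m in mechanisms):
        findings.append("'a' mechanism: the domain's A-record host (e.g. web host) "
                        "may send mail; keep only 'mx' if that is where mail originates")
    return findings


if __name__ == "__main__":
    for rec in DMARC_RECORDS:
        print(rec, "->", dmarc_findings(parse_dmarc(rec)) or "no findings")
    for rec in (OLD_SPF, NEW_SPF):
        print(rec, "->", spf_findings(rec) or "no findings")
```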

Test your email service to see if it's blacklisted:
MXToolBox's "IP Blacklist Check"
Josh Slone's "Email Blacklist: How to Tell If You're on It (and What to Do If You Are)"

Email account as database:

Some people use their email account (or worse, chat account) as their database, accumulating years of important messages and documents/images that they store only in that account, searching them and accessing them from that account.

This is a VERY bad idea: Get the data out onto your local hard disk, well-organized into folders with good folder names and file names. Try to keep your email account close to empty (very hard, I know).


Mozilla wiki's "Thunderbird"
Thunderbird Support
Matt Harris's Thunderbird blog

Thunderbird bugzilla
Thunderbird Calendar bugzilla
Thunderbird Chat bugzilla
Thunderbird Feed Reader bugzilla

[WARNING: 9/2019 Thunderbird is going through major changes from versions 60 to 68 to 70. Lots of add-ons not working, lots of error messages in the add-on debug window. Many of the docs have not been updated to version 60, much less 68 or 70.]

Installed 9/2019 in Linux Mint, from Mint's Software Manager, but it's version 60.8, and web site has 68.1. Removed it and installed from web site. But apparently 60 and 68 are sequential releases; they skipped the numbers between ? And 68 is a major change; supports only WebExtensions, and much more.

Installed it as root into /opt. Created a launcher on the Mint desktop to /opt/thunderbird/thunderbird. It saves config info under ~/.thunderbird.

Smooth integration with Yahoo Mail (free) and GMail (with 2FA; had to "allow less-secure apps" in GMail account, and/or generate an app-specific password ?).
Chose IMAP (leave messages on server), so I can still use client apps on my smartphone.

To use with ProtonMail, have to have a paid PM account, and install ProtonMail Bridge on your computer to provide IMAP.

No way to connect to WhatsApp.

SMTP connection to Yahoo Mail seems unreliable, or doesn't like a different reply-to address, not sure. Default port is 465, other is 587. Switch from 465 to 587 and back, then it worked.

Advanced configuration: hamburger icon in upper-right / Preferences / Preferences / General tab / Config Editor button in lower-right.

To stop Thunderbird from automatically opening next message after you delete current message: use "Config Editor" and set "mail.close_message_window.on_delete" to true.

Thunderbird has an Import function (messages, settings, etc) but no Export function !

Thunderbird stores digital certificates, just as browsers do. I installed a personal certificate, and right away Yahoo Mail wanted to use it for OAuth. But YM works whether or not you let it use the certificate.

Deleting an account from Thunderbird:
"If the account is IMAP, removing the account from TB doesn't affect the status of the account with the email service or the messages that are on the IMAP server. If it's POP and the downloaded messages are only on the local computer, not on the mail server, copy the mail to a subfolder of Local Folders, then remove the account. That also doesn't affect the online account or any mail left on the server. Remove accounts from Account Actions in Tools / Account Settings."


Mozilla's "Digitally Signing and Encrypting Messages"

Fortunately I already had GnuPG installed, and I installed the EnigMail extension in Thunderbird.

Went to hamburger icon / EnigMail / Key Management, added my ProtonMail public key to Thunderbird. Highlighted the key, clicked on File / Compose Email to Selected Keys, sent encrypted mail from my GMail account to my ProtonMail account, it worked. Clicked "Trust Key" in ProtonMail, which is telling PM to trust the public key Thunderbird has generated for my GMail account, apparently. Sent encrypted email from ProtonMail to GMail, it worked. No indication in Thunderbird that the message is encrypted, but View Source shows that it is. Used GMail app on phone to view the message, and it shows as encrypted, and the app doesn't have the key needed to decrypt it.

Sending a PGP-encrypted message through Yahoo Mail (free) seems to fail; keep getting an SMTP/mailbox error.

10/2019: EnigMail extension is going away, future Thunderbird version will have native PGP: Patrick Brunschwig's "Future OpenPGP Support in Thunderbird" and Ryan Sipes' "Thunderbird, Enigmail and OpenPGP"

From someone on reddit 12/2019:

> Was sent an encryption key to encrypt my emails through Enigmail.
> Having trouble figuring out how to use it using online resources.

You should have the key you got sent in a file, whether you copied-pasted it from the message body or saved it as an attachment.

In the Enigmail menu at the top of Thunderbird:

Enigmail / Key Management

File / Import keys from file

Then select the file containing the key.

It will prompt you to confirm that you want to import the key.

The key is now on your keyring and ready for use.

To use the key to encrypt a message to the recipient:

Create a new message the standard way, with the Write option at the top left of Thunderbird.

Type your message and fill out the To: and Subject: fields normally.

At the top of the Message window, select Enigmail / Encrypt Message (or make sure it is already checked).

One of two things will happen when you click send. If the e-mail address you're sending to corresponds to the mail address specified in the key it should automatically encrypt when it sends.

Otherwise at this point it will pop up a box saying "Enigmail Key Selection" and you will select the key you want to encrypt the message with (i.e., the one you just imported to your keyring.)

When you have done that, click Send.

You can confirm the message was encrypted by going into your Sent mail folder. If you then open the message you just sent and it pops up a "Please enter the passphrase to unlock the OpenPGP secret key" pinentry box, you've succeeded. It's doing this because when you encrypt with someone else's public key, even you can't read the text unless you yourself have the secret key, which you almost certainly do not (unless you are writing a message to yourself). This is just telling you, "This is encrypted and if you want to decrypt it, you need the secret key and its passphrase."

The important thing to understand here is two keys are involved:

- A public key, which is the one you should have been sent, or which you send to others, and publish widely. This can only ever be used to encrypt. It cannot be used to decrypt.

- A private key, which you always keep private, and is associated with your public key. People who send you public keys also have a corresponding private key they never share. This can only be used to decrypt.


Thunderbird can require a master password to open the application, can store the password for each of your email accounts and login automatically, and can save cookies for each email account. It saves config and mailbox under ~/.thunderbird in Linux. What's the best way to secure all of this info ?

In my browser, I don't use a master password, let it store passwords, or save cookies.

But for Thunderbird, auto-connecting to mailboxes requires saving the passwords, so I'm using a master password and letting it store the passwords.

Connecting Thunderbird to read/write Linux local CLI mail:

First get CLI mail working: see "Getting Linux local CLI mail working" section of my "Using Linux" page.

In Thunderbird, go to hamburger icon / New / Other Accounts.
Choose "Unix Mailspool".
Use email address user1@laptop1.
See dialog about Outgoing Server Information.
Set Outgoing SMTP Server to "localhost" ?
Use account name user1@laptop1.
Click Finish to create the account.
Find account "user1@laptop1" in the left-hand panel and highlight the Inbox for it.

Test by going to the CLI and running:
mail -s "subject1" user1 </etc/group
# if mail command not found:
sudo apt install mailutils
Then in Thunderbird click the "Get Messages" button in upper-left.

The "check server every 10 minutes" setting seems not to work; new messages appear only when I click the "Get Messages" button.

To be able to send messages to local mail:
Don't see how to add a new SMTP server.

How to get Thunderbird to use 24-hour time format ?

On Linux, ran "sudo update-locale LC_TIME=en_DK.UTF-8" to affect /etc/default/locale, didn't change TB.
use a dconf-editor on org.gnome.desktop.interface.clock-format

Changed desktop launcher from "/opt/thunderbird/thunderbird" to "env LC_TIME=en_DK.utf8 /opt/thunderbird/thunderbird" and it seems to have worked.

Maybe a Linux Mint bug ? Although I think the problem has been seen on other distros. "Although the names of the days and months are localized according to the LC_TIME environment variable, we were fetching the format itself using gettext according to the desktop's language. We will get this fixed in Cinnamon and in MATE for 19.3." from Mint blog


If you want to connect to a calendar server, need a server that supports the CalDAV protocol.

Popular/standard (developed by Mozilla) TB add-on for calendar is called "Lightning".

iCalendar (ICS) will give read-only access; use CalDAV.

I just have my personal calendar, and only I connect to it. Things may get more complicated if you want to share your calendar with other people, and access their calendars. I don't know.

Connecting to Yahoo Calendar:

Yahoo's "Sync or access your calendar on multiple devices and applications"
YOURUSERNAME is your email address without the "".
Easiest if your "calendar name" in Yahoo Calendar has no spaces in it.

Create a single event in Yahoo Calendar, it is displayed correctly in Thunderbird.
Create a repeating event in Yahoo Calendar, it is not displayed at all in Thunderbird ?!

CalDAV to synchronize calendar (and tasks), CardDAV to synchronize contacts.

Apparently the apps are divided into calendar-displaying apps, and calendar-synchronizing apps. You probably already have one of the former, and you need to add one of the latter.

Had to go into my Yahoo account and turn on "Allow apps that use less secure sign in".

Kris Wouk's "How to Sync CalDAV and CardDAV to Android"
Namecheap's "How to configure Caldav/Carddav on Android"
Installed "Caldav Sync Free Beta" app. No icon on the display, but shows up in Settings / Apps as "CalDAV Sync Adapter".
Go to Settings / Accounts / Add account / CalDAV Sync Adapter, put in connection info, but never could get it to connect.

Open Sync by Deepen Dhulla. Worked right away, given my Yahoo email address and password, it showed my calendar name. But then the default Google Calendar app in the phone sees the account from OpenSync but says "no calendar".

Installed "Simple Calendar - Event & Reminders" app by Simple Mobile Tools. But it doesn't see the Yahoo account at all.

Installed "One Calendar" app by Code Spark. Tried to connect, couldn't, looked at Help, and it says "OneCalendar can't connect to Yahoo because they don't support WebDAV Collection Synchronization".

Gave up on Yahoo, deleted my calendar there.

Connecting to Google Calendar:

Google's "Get started with Google Calendar"

If you have 2FA enabled on Google Account, you have to get an app-specific password to connect TB to Google Calendar: Google's "Sign in using App Passwords"

In TB, set "location" of server to:

Opened default Calendar app, the calendar events appear, some after a bit of delay.

In TB, created an event in the calendar, clicked Synchronize, went to phone, event was in calendar there. Fast.

10/2019: Heard that Migadu, my email provider, is about to support calendar. Good news.

fruux (service for calendar, contacts, and tasks)

Importing a calendar from elsewhere:

You need to get an ICS file. If you have a URL such as
change the "webcal" to "http" and copy the URL into Firefox's address bar. It will ask you what to do with the ICS file. Save it to disk.

Then go into Thunderbird and do Hamburger / Events and Tasks / Import... and select the ICS file. Choose what calendar to import it into.

For me, importing into Google calendar did not work (did nothing). Importing into Home calendar did work (gave success message, reminders appeared, events appear in the calendar).


Confusing: my phone's Contacts app shows some contacts, and says it syncs with my GMail account, but Contacts in GMail shows no contacts from the phone. Went into phone's Contacts app and did export from phone to Google.

The real problem I'm trying to fix is that K-9 Mail's "Add from Contacts" menu item sees no contacts. I think it's looking in Google's contacts, not the phone's contacts, and the two are not synced ? Or maybe it's looking in Yahoo's contacts ? If I go to Google Contacts on desktop and create a contact there, it shows up on phone and in K-9 Mail.

Finally fixed things by: going into my Yahoo Contacts on desktop, exporting to CSV, going to Google Contacts on desktop and importing CSV. Got things straightened out there, then deleted all contacts from Yahoo. Google Contacts have been synced to Contacts app on phone, and K-9 Mail sees them. Manually copied a few extra items from phone's Contacts to Google Contacts on desktop. In Google Contacts on desktop, got rid of items in "Other Contacts", then used "Duplicates" to merge any duplicates. Then exported to CSV file (Google CSV format) to have a backup.

Looks like Thunderbird doesn't have the capability of syncing to a Contacts server. Maybe there are extensions ?
gContactSync extension (Syncs contacts and groups between TB and Google Contacts)

In Thunderbird, was able (with some difficulty) to import the CSV file. But it contains duplicates, and lost phone number country-codes.

In TB, if you want to send a message: open the address book, right-click on a contact to send to, and select Write. A Compose dialog will open, To: will be set properly, and then you can set the From: mailbox as you wish.


Thunderbird's "Creating a new event or task"
Thunderbird's "Lightning User Interface"

There is no developed-by-Mozilla TB add-on for syncing Tasks.
"Google Tasks Sync" add-on by Tomasz Lewoc


See "Building a Thunderbird Extension" section of my "Develop an Application" page.

Fixing problems:

Make backups, of profiles and inbox.msf file.

Heinz Tschabitscher's "Quick Guide to Repairing Folders in Mozilla Thunderbird"
Centennial Arts' "Thunderbird Folder Repair"
Eric Simson's "Fix Common Problems or Errors in Mozilla Thunderbird"
DataHelp's "How to Repair & Rebuild MSF File to Remove Thunderbird Inbox Email Missing Error"

EmailAdepts' "Email Recovery for Mozilla Thunderbird" (Windows only; $50)

"Authentication failure", from someone on reddit:

If you get stuck in "authentication failure" with GMail and Yahoo (usually most persistent after changing the account's password):

I've been able to reliably fix it by going into the server settings of each email account and switching the "authentication method" from whatever it needs to be to "normal password". Then closing Thunderbird, opening it again. Letting it do all the checking of my addresses, and then changing the "authentication method" back to OAuth2.

I'm sure there are many people who this won't work for, but for someone who has never been able to reliably stop my GMail from giving me all types of IMAP problems, this has been a good find.

Later installed the beta version: here. Install:
# quit out of Thunderbird app
sudo bash
# move the downloaded tarball next to the existing install
mv thunderbird-*.bz2 /opt && cd /opt
# remove the old program files (profile data lives under ~/.thunderbird, not here)
rm -r thunderbird
tar xvjf thunderbird-*.bz2
rm thunderbird-*.bz2
With 70.0b2, Enigmail extension got disabled.

RSS Feeds:

Thunderbird's setup process is very intelligently done.

But I've noticed that feeds behave in two ways (some quirk of the servers, I think):

In some audio feeds, the audio starts auto-playing when you open the message, and there's no setting in TB to stop it. Went into Preferences/Preferences/ConfigEditor and set "rss.display.prefer_plaintext" to true, later set "rss.display.disallow_mime_handlers" to 1. Neither stopped the playing.

And I just cannot get about 10% of my RSS feeds to work. They just never show new items. I can go to the feed web page and see there are new items. If I delete the feed from TB and add it again usually the new items will appear. But then next time there is a new item, it doesn't appear.

Feeds from can't be added to TB (as of 2/2020); they fail validation. says they pass validation in, which is Apple's recommended validator, so they're not going to fix their feeds. In fact, they say some of the other validators are reporting some bogus errors.

Four years since last update: gozman's "Slack to RSS"

Dropped use of TB for RSS feeds; just too many problems.
TB can export all feeds to an OPML file: feeds / Manage Subscriptions / Export / .

See RSS section.

Thunderbird's chat support seems pretty poor; probably better to use a different client. See Secure messaging (text, chat, voice, video) section.

Data on Disk:

It's not clear how much TB's master password protects your data. I think it protects server connection (login) info and certificates ? But it doesn't protect any mail held locally on your machine.

For example, on my Linux machine, file ~/.thunderbird/PROFILENAME/Mail/localhost/Inbox contains my local email messages in plaintext.

Also, file ~/.thunderbird/PROFILENAME/prefs.js contains the URLs and names and connection info for my mailboxes and calendar on various services. But I don't see any passwords in plaintext, anywhere in the files in the profile directory (I assume they're in an encrypted sqlite database).

So, to protect that data at rest, you could use disk/partition/container encryption, and have that profile in the encrypted space. Use LUKS or Veracrypt or something.

K-9 Mail (Android)

K-9 Documentation
k9mail / k-9

Doesn't support calendar or tasks. Will read contacts from Contacts app on phone.

K-9 Mail has an "import settings" feature, but that's only for importing a file exported from another installation of K-9 Mail.

OpenKeychain supports creating a key, importing a key, or using a hardware token.

In K-9, went into Settings / Global Settings / Cryptography and selected OpenKeychain as the cryptography app.

Setting up Yahoo Mail account in K-9: have to choose Manual setup. IMAP server is security SSL/TLS port 993 authentication "normal password". But can't get it to work. K-9 doesn't support OAuth2 authentication, and Yahoo requires it ? Had to go into my Yahoo account and turn on "Allow apps that use less secure sign in". Then got through IMAP. SMTP server is security SSL/TLS port 465 authentication "normal password". Works. Uninstalled Yahoo Mail app from my phone.

Composing a message off-line works; message sends next time the phone is online.

When composing a new mail, "Add from Contacts" shows no Contacts. IMAP doesn't fetch contacts from an email server; to do that you'd have to use an app such as DAVx5 (paid). But K-9 should show the local Contacts list on the phone. Some people complain of various bad behavior with Contacts. And my local Contacts app crashes if I try to do a search. Gave all permissions to K-9, rebooted phone, no change.

Joined the test program to see if I can get a beta version of K-9. A day later, Google Play Store entry of K-9 showed I am in the beta program, should get beta next time the app updates. But as far as I can tell, it hasn't updated yet, no way to force it, maybe no beta is available yet.

No master password feature in K-9; once someone logs into the phone, they get full access to all of your email accounts that K-9 is connected to.

Very tricky: options under "..." are different depending on whether you have Unified Inbox turned on or off. To add a new email account, you have to have it turned on, I think.

GMail app gives scary warning if you try to disable it, so I left it enabled on the phone.

Android client for cloud Calendar, Tasks, and Contacts

I want to just use my email app (K-9 Mail) for these, but K-9 Mail doesn't support these.

I currently use Google Android apps and Google services for these, but I want to get away from Google.

My email service is about to support calendar, not sure about tasks and contacts. Not sure if they will have Android apps.

fruux has an Android app, but version in Play Store is 1.0.4 from 2013.
Simple Mobile Tools has Calendar and Contacts apps for very-cheap.
"Simple Calendar Pro - Events & by Tibor Kaputa" and "Simple Contacts by Tibor Kaputa" are free on F-Droid.
(Beware of lots of fakes on Google Play Store: reddit post)

If you use a local Calendar app, you also need to use something that will sync your local calendar with your cloud calendar:
DAVx5 (paid; €4; does CalDAV and CardDAV)
"DAVx5 by bitfire web engineering" is free on F-Droid.
CalDAV-Sync (paid; €2.5)
There are others, but many have bad reviews or are EOL, be careful.

Apparently, the architecture is:

From dev of Simple Mobile Tools, on reddit 8/2019:
"Contacts can have some glitches that I couldn't reproduce on any of my devices, as the way contacts are stored on Android is a huge mess. It can differ a bit per manufacturer and OS version, I still haven't solved all cases."

1/2020 sent these questions to Simple Mobile Tools, got a response within hours:

I'm thinking of using the Simple-Calendar and Simple-Contacts apps on my Android 6 phone. Am I correct in thinking:

- the purchase price of €0.69 is a one-time price, not monthly or something ? [answer: yes]

- these apps will connect to CalDAV and CardDAV servers ? I don't need to buy an additional app such as DAVx5 to do that ? [answer: you DO have to use a "sync adapter" such as DAVx5]

- I use the K-9 Mail app to do email on Android. Will it be able to read contacts from Simple-Contacts ? It can read contacts from Google's Contacts app. [answer: not sure they understood the question]

- I assume I should uninstall the standard Google Contacts and Calendar apps before installing your apps ? [answer: they all can be installed simultaneously, no need to remove old ones first]

I want to remove all the Google apps, but still connect to my Google calendar server:

On my Android phone, I see these packages:

Email Services


If an email domain gets abandoned for some reason, don't leave any web site accounts with dangling references to your old email address on that domain. Some scammer could pick up the domain, set up email service on it, and now they'd own your address on that domain, including any password-reset mail those sites send to it. Change all of your site accounts to use a new address; don't leave them referencing the old dead address.

Some cases where a domain could get abandoned: you change your personal domain name, or a free/minor email service you use goes out of business.

I don't know what happens if you have a free email account with your ISP, then you cancel service and move to a new ISP. Do they recycle that address after a while, maybe issuing it to a new customer ? I hope not. Same with an account at school or work. If you graduate or quit, does your email address get recycled eventually ?

Encrypted Email

Features encrypted email should have:

That One Privacy Site's "Email Comparison"
PrxBx's "Privacy-Conscious Email Services"

Tutanota: has calendar, has free option, no IMAP.

Hushmail: no free option.

Patrick Lambert's "Email encryption: Using PGP and S/MIME"

We need transparent encryption of email:

I wish some large email provider, such as GMail or Yahoo Mail, would start using end-to-end (client-to-client) encryption routinely, and transparently. When you click the Send button, software (maybe an open-source browser plug-in) looks to see if your recipient has a preferred encryption method and public key registered anywhere (or if one is cached locally, via prior key-exchange). If recipient does, the message gets encrypted (by open-source browser plug-in) via that method before sending. If recipient is not registered anywhere, message goes unencrypted, as usual. Simple ! And now the email provider itself can't read or decrypt the messages, and can't decrypt them for the government.

The company that does this first could seize the mantle of "privacy champion".

They still could do targeted advertising based on keywords: the plug-in that does the encryption first extracts a few keywords, and then passes them on along with the encrypted message.

Searching your messages on the server would be affected; the server wouldn't be able to read the text of the messages. I suppose you could do a search by sending all of the encrypted messages to the client (browser), and decrypting them and doing the search there, but that would be horribly inefficient (but possible). Or search-keywords could be sent to the server along with each encrypted message (compromising security a fair amount, but enabling searching).

Spam-filtering would be affected. If a spammer is willing to look up your public key and encrypt their message to you, it will have to be caught on the client, not the server. That's an issue. Need an open-source spam-filter plug-in or something.

The reason I want an existing large provider to do this, as opposed to new secure-email startups, is that the change by an existing large provider would immediately make encryption easily available to hundreds of millions of existing users. No need for users to change providers, with new UI and new email addresses and having to transfer their contact lists. Most users will NOT move to new secure-email services; we need to get encryption into existing services.

Mailvelope is a bit like what I want, although it's far from as transparent and integrated as what I outlined (which requires changes by Google, Yahoo, etc).

Google and Yahoo were working on a couple of end-to-end things, but as of 2/2017 seem to have dropped their efforts.

This change is happening in the VOIP and IM markets, with WhatsApp and Skype changing to end-to-end encryption.

Once we have end-to-end encrypted message bodies, a few changes could secure the metadata better. Move the subject line inside the message body before encrypting, and move it back out when decrypting, so all of the servers and middlemen see only a dummy subject line. Encrypt the destination user's email address in some way that the destination server can decrypt, so only the originating client and the destination server and destination client know the full destination address (all other servers and middlemen can see the destination server name, but not the real destination user name). Do the same with the originating user's email address, in a way that only the originating server, originating client, and destination client can decrypt. Example: a middleman would see "From: 5$33!8* To: 7^h$ Subject: none".
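To make the proposal concrete, here is an added example of the Send-button logic and the subject-hiding step, written in Go for this page; it is not code from any mail provider or from Mailvelope. The key directory, the marker header name and the addresses are assumptions made for the example, and the message is sealed directly with RSA-OAEP to keep the code short, where a real client would wrap a per-message symmetric key this way and encrypt the body with an authenticated cipher, as OpenPGP does. Hiding the user parts of From and To, which needs the servers' cooperation, is not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// keyDirectory stands in for "a public key registered anywhere" (assumed here).
type keyDirectory map[string]*rsa.PublicKey

// Marker header the sending client adds so the receiving client knows the
// body is a wrapped message. The header name is invented for this example.
const wrappedHeader = "X-Example-Wrapped"

// encryptTo seals a short message to the recipient with RSA-OAEP. A real
// client would wrap a per-message symmetric key this way and encrypt the body
// with an AEAD; OAEP alone carries at most ~190 bytes with a 2048-bit key.
func encryptTo(pub *rsa.PublicKey, plaintext []byte) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// decryptWith reverses encryptTo; only the private-key holder can do this.
func decryptWith(priv *rsa.PrivateKey, payload string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(strings.TrimSpace(payload))
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// prepareOutgoing is the Send-button logic: with a key on file for the
// recipient, the whole message (real Subject included) becomes the encrypted
// body of an outer message with a dummy Subject; with no key, plaintext as today.
func prepareOutgoing(from, to, subject, body string, dir keyDirectory) (string, error) {
	inner := fmt.Sprintf("From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s", from, to, subject, body)
	pub, ok := dir[strings.ToLower(to)]
	if !ok {
		return inner, nil
	}
	payload, err := encryptTo(pub, []byte(inner))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("From: %s\r\nTo: %s\r\nSubject: none\r\n%s: 1\r\n\r\n%s",
		from, to, wrappedHeader, payload), nil
}

// visibleSubject is all a relay or middleman can read from the message.
func visibleSubject(raw string) (string, error) {
	m, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", err
	}
	return m.Header.Get("Subject"), nil
}

// openIncoming is the receiving client: unwrap if wrapped, then read the real
// Subject and body from the inner message, which is itself a plain message.
func openIncoming(raw string, priv *rsa.PrivateKey) (string, string, error) {
	m, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", "", err
	}
	data, _ := io.ReadAll(m.Body) // reading from a strings.Reader cannot fail
	if m.Header.Get(wrappedHeader) == "" {
		return m.Header.Get("Subject"), string(data), nil
	}
	plain, err := decryptWith(priv, string(data))
	if err != nil {
		return "", "", err
	}
	return openIncoming(string(plain), priv)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	dir := keyDirectory{"bob@example.org": &priv.PublicKey} // Bob has registered a key
	raw, err := prepareOutgoing("alice@example.net", "bob@example.org", "Quarterly numbers", "See attached.", dir)
	if err != nil {
		panic(err)
	}
	seen, _ := visibleSubject(raw)
	subject, body, _ := openIncoming(raw, priv)
	fmt.Printf("relay sees Subject: %q; Bob reads Subject: %q, body: %q\n", seen, subject, body)
}
```

Run it and the relay-visible Subject comes out as "none" while Bob recovers the real one; a message to an address with no key on file goes out in the clear, which is the opportunistic behaviour the paragraph describes. Note what the dummy Subject does not hide: the From and To addresses, the message size and the timing are still visible to every relay, which is why the address-hiding step above is needed as well.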

GitHub's "Overview of projects working on next-generation secure email"


Highly recommended by security people: ProtonMail

Eric Mann's "End-to-End Crypto: Secure Email"

But encryption imposes quirks. For example, because the ProtonMail server can't decrypt your messages, it can't do vacation-forwarding or server-based content-based filtering.

From someone on reddit 11/2018:
Gmail is decades ahead of ProtonMail in terms of feature support.

12/2018: Some people are having issues because ProtonMail is fairly strict/correct about encryption headers/certs (maybe SPF) on incoming mail from other systems. Partly-bad mail that may be accepted straight into another provider gets bounced, delayed, and re-tried before it makes it into ProtonMail.

From someone on reddit 12/2018:

There is one downside to ProtonMail worth mentioning. They comply with OpenPGP standards so the mail envelope remains stored unencrypted thus allowing search requests on sender, recipients and subjects. But the mail body and attachments are encrypted so forget about webmail search on that content. You'll need an offline copy in a mail client to index and search locally. Unfortunately, the only way to do this with ProtonMail is to use their bridge application. I've tried and tried and it just won't sync an IMAP mailbox with 2GB of mails (less than 20k emails). I've sent logs to their support team without any solution in the end. I monitored the connection and it downloaded over 10GB to sync less than 200MB worth of emails. They throttle the connection or something. It's not easy to debug since everything is encrypted. But that's the point in the first place ...

Don't get me wrong, ProtonMail is great, they have improved impressively in a short amount of time. They now allow the use of personal domains. But are they a suitable main email provider replacement? Not yet in my case. So I stick to FastMail for now which has a web interface much faster and feature full than GMail or ProtonMail. But I must rely on a computer with a mail client to send pgp encrypted emails. And I am super worried about the Australian AA bill. Fastmail is Australian-based and the servers are in the US, so enjoy worldwide mass surveillance. But it's still better than GMail, I believe fastmail will not use my data to train some AI or to profile me to sell advertisers my soul.

On any service where you aren't the sole holder of the keys, there are vulnerabilities:
Wired's "Mr. Robot Uses ProtonMail, But It Still Isn't Fully Secure"
Nadim Kobeissi's "An Analysis of the ProtonMail Cryptographic Architecture" (PDF)

My experience with ProtonMail:

I have the free account.

I'm unable to find a single friend or family member who either: uses ProtonMail, or uses an email system/client able to exchange PGP-encrypted email with me.

9/2019: Public PGP keys obtained via Settings / Keys / Export and through API server are different (at least different encoding), and the one from the API server does not work when used by Facebook.

9/2019: Using ProtonMail through Tor Browser is very slow (especially on login) if Tor Browser security level is set to "Safer"; faster if set to "Standard". Someone said that's because "Safer" turns off JIT compiler.

10/2019: After using PM for a year or so, I'm going to move away from it. The encryption is not really doing anything for me, and PM could break it if they really wanted to (by serving a poisoned login page to me). The encryption makes it harder to do IMAP, which I want to do so I can access all my email services in one client (Thunderbird on laptop, K-9 Mail on phone) and while off-line. Encryption where I generate and hold the keys would be more secure than having PM do that for me. And if I change to use my own custom domain for email, I should never have to change email address ever again.


Migadu is an email service where you MUST use your own domain name; they provide the server, the webmail UI, and IMAP/POP3 access.

Need an existing email account somewhere to make an account here. It's used for verification when creating the Migadu account, then used as the username. But I think you could close that account later, and Migadu would keep working.

10/2019: Created free account, and immediately have to connect my domain to it. Went to my DNS host (different from my domain registrar), and Migadu site walked me through setting DNS records, although the two systems were different enough to require some work. Got the records changed, went to Migadu and clicked on Verify Configuration, and it says it might take up to a week for the DNS changes to propagate to where it can see them.

Inside Migadu, changed configuration so instead of one mailbox named "admin", I have one named "bill", and then 5 or 6 aliases (including "admin" and a catch-all) pointing to the single "bill" mailbox.

Turned on software TOTP on the account. Added another backup email address in case something goes wrong.

There is no software TOTP available on the webmail login to see your mailbox. Support says: "We don't have 2FA on the mailboxes. While we can limit the webmail, IMAP/POP3 remain completely unprotected with that second factor, as the protocols do not understand it."

No reddit sub for this company, so I created one: /r/Migadu

About 6 hours after creating the account and making DNS changes, SPF record is reported as okay, but others are incorrect. Eventually contacted Support, and quickly they told me what to change, needed several record values to have "." at the ends, not as specified in the instructions: 'Your DNS is automatically appending the domain name in the end of the hostname. To prevent this, end the hostname with a dot "."' Did that, soon they said all was well. But mail from ProtonMail to my Migadu mailbox (via my domain) still bounces. Tried sending mail from Yahoo Mail, and that works, and I can IMAP in to Migadu and read and delete the message. So ProtonMail must have stale DNS information that will work its way out [correct]. Email from Migadu to ProtonMail works. Sending from GMail to Migadu works.

10/2019: Support says Calendar and other new features coming in a matter of weeks.

A week later, received an email from a Google DMARC service, giving an XML file evaluating my DNS record setup and email traffic to Google. Looks okay to me, but I forwarded it to Migadu to see what they say about it. All good, but I tweaked my DMARC record anyway.

Spam filtering is configurable, with 5 levels.

Useful: Migadu's "Guides"

I'm using unique random usernames in the email addresses I'm giving to most sites, and letting the catch-all redirect the mail into my main mailbox.

Found that some emails come in with no "To" info shown, even in the "Message source", so I can't see what address they were sent to. But the catch-all redirected them into my main mailbox.

Tweaked my DMARC record (on DNS host) to say "ri=864000" (report every 10 days). I was getting a report from GMail just about every day.
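As an added example (not the page's own tooling, nor Migadu's or Google's), here is how those DMARC pieces fit together in Go: a parser for the TXT record, the ri= interval converted to days, and a tally of an aggregate report by sending IP. The report XML is constructed here and only sketches the structure of a real report; the domain, IPs and counts are made up.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strconv"
	"strings"
)

// parseDMARCRecord splits a DMARC TXT record ("tag=value; tag=value") into
// its tags; it must begin with v=DMARC1 and carry a p= tag (RFC 7489).
func parseDMARCRecord(txt string) (map[string]string, error) {
	tags := map[string]string{}
	for i, field := range strings.Split(txt, ";") {
		if field = strings.TrimSpace(field); field == "" {
			continue // tolerate a trailing ";"
		}
		kv := strings.SplitN(field, "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("bad tag %q", field)
		}
		k, v := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		if i == 0 && (k != "v" || v != "DMARC1") {
			return nil, fmt.Errorf("record must start with v=DMARC1")
		}
		tags[k] = v
	}
	if _, ok := tags["p"]; !ok {
		return nil, fmt.Errorf("missing required p= tag")
	}
	return tags, nil
}

// reportInterval is the ri= tag in seconds; RFC 7489's default is 86400 (daily).
func reportInterval(tags map[string]string) (int, error) {
	if v, ok := tags["ri"]; ok {
		return strconv.Atoi(v)
	}
	return 86400, nil
}

// feedback maps just the parts of an RFC 7489 aggregate report needed here.
type feedback struct {
	Records []struct {
		SourceIP    string `xml:"row>source_ip"`
		Count       int    `xml:"row>count"`
		Disposition string `xml:"row>policy_evaluated>disposition"`
		DKIM        string `xml:"row>policy_evaluated>dkim"`
		SPF         string `xml:"row>policy_evaluated>spf"`
	} `xml:"record"`
}

// sourceStat: DMARC passes when at least one aligned check (DKIM or SPF) passes.
type sourceStat struct{ Passed, Failed, Quarantined int }

// summarizeReport groups a report's rows by sending IP.
func summarizeReport(xmlText string) (map[string]*sourceStat, error) {
	var fb feedback
	if err := xml.Unmarshal([]byte(xmlText), &fb); err != nil {
		return nil, err
	}
	stats := map[string]*sourceStat{}
	for _, r := range fb.Records {
		s := stats[r.SourceIP]
		if s == nil {
			s = &sourceStat{}
			stats[r.SourceIP] = s
		}
		if r.DKIM == "pass" || r.SPF == "pass" {
			s.Passed += r.Count
		} else {
			s.Failed += r.Count
		}
		if r.Disposition == "quarantine" {
			s.Quarantined += r.Count
		}
	}
	return stats, nil
}

// sampleReport is constructed for this example in the shape of a real
// aggregate report; the domain, IPs and counts are made up.
const sampleReport = `<feedback>
  <report_metadata><org_name>google.com</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>`

func main() {
	tags, _ := parseDMARCRecord("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ri=864000")
	ri, _ := reportInterval(tags)
	stats, _ := summarizeReport(sampleReport)
	fmt.Printf("p=%s, reports every %d day(s); %d sending IPs seen\n", tags["p"], ri/86400, len(stats))
}
```

A sending IP that shows up with failures and a quarantine disposition is either a host of yours that is missing from SPF/DKIM (a web form mailer, a newsletter service) or someone else sending as your domain; the per-IP tally tells you which, and that is the value of the rua= reports beyond confirming that your own records are right.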

RSS (Really Simple Syndication)

I used Thunderbird for RSS feeds for a while, but dropped it; there were just too many problems.

TB can export all feeds to an OPML file: feeds / Manage Subscriptions / Export / .

Ambarish Kumar's "5 Best Feed Reader Apps for Linux"
Aaron Kili's "14 Best RSS Feed Readers for Linux in 2018"
Swapnil Tirthakar's "10 Best RSS Readers for Ubuntu"

RSSOwl (last updated late 2014)
Evolution email application (but the RSS plug-in last updated 2011)

Decided to go with Liferea (Linux Feed Reader):

5 Feb 2020 Installed through Mint 19.3 Software Manager; version 1.12.2-1, which seems to date from Jan 2018.

Deleted "Example Feeds" folder and everything in it.
Imported OPML file from Thunderbird.

Go through Tools / Preferences:
Set Feeds / Default Feed Refresh Interval to 1 day.
Enable Browser / Open links in Liferea and Browser / Disable Javascript.
Enable Privacy / Tell sites I do not want to be tracked.
Set Enclosures / Download using to "uGet" (it's installed in Mint, by default).
Plugins: turn off everything except Bold Unread.

No way to set sort order of all feeds in one operation. I want them to sort by date oldest-first; have to change each feed individually. And each feed has two icons in the left pane, a Folder and then a Feed (probably an artifact of importing from Thunderbird), and they have separate sort orders ? You can get rid of the two-icon thing by dragging the inner icon (Feed) out to the top level and then deleting the now-empty Folder. And sorting in oldest-first is a bad idea, because every time you open a feed, the scrollbar will be at the top position.

In a feed, no way to select all or multiple items and operate on them in a batch. But in the left pane, you can right-click on a feed and select "Mark all as read". Or ctrl+R does the same.

In a feed, right-click on an item, and there are no key-shortcuts in the context menu. Ctrl+M to toggle read/unread.

In a feed item, click on Attachments at bottom left and right-click on an attachment and select Save As. See uGet window.

See green "G" icon in system tray.
Right-click on it to see and change uGet settings.
Change to "Quiet" mode (turns off "starting to download" notifications, but not the "done all downloads" notification).
Turn off clipboard monitoring.
But in quiet mode only, if you save the same attachment twice or more, it will download it twice or more, adding ".0" or ".1" etc to the filename each time.

Left-click on the green "G" icon to see the queue of downloaded files.

Was able to add a feed that TB refused to add, but had to leave the https:// off the front of the feed URL.

In fact, moving from Thunderbird's RSS to Liferea fixed almost all of the RSS problems I was having, leaving only one existing problem (three particular feeds broken, all from; added to existing bug report). Went from maybe a 12% failure rate to a 3% failure rate. Reported the problems to CBC, they said "we pass Apple's validation, we're not changing anything". (Later someone told me a workaround: source the feed from the command "wget --output-document=- --quiet https:....xml")

lwindolf / liferea (code and bug-reporting)
almejo / liferea-snap (snap version)

uGet bug reports
uGet on SourceForge (code)

There is a LOT of logging in the system journal by Liferea.
Do "sudo journalctl | grep liferea"
liferea --help-gtk

4/2020: Installed Ubuntu 20.04, and now Liferea is unable to launch uGet.
In Terminal, I can run "uget-gtk SOMEURL" just fine. Launching Transmission fails in same way. Other download options don't work.
wget --continue --directory-prefix=/home/user1/Videos %s

There is an apt version in the repo.

Secure messaging (text, chat, voice, video)

Some people say that internet email fundamentally cannot be made very secure without a total redesign. So they use non-email messaging.

There is a convergence between text-chat and voice-call and video-call applications. Text-chat applications are adding voice and video, Skype has text, etc.

Justin Carroll pointed out on a podcast:
Many/most IM applications have the bad quality of using your phone number as your userID/username, making it impossible to keep your phone number private, and allowing people to voice-call or SMS you instead of only contacting you inside the IM application, etc. That's unfortunate.
[Some that don't use phone number: Kik, Discord, Threema, Wickr Me, Riot, Wire, Tox ? Telegram requires a phone number to sign up, but then you can run the app on any phone. Discord through browser requires a phone number to sign up if you're using a VPN, but you can sign up non-VPN and no phone, turn on TOTP 2FA, then use it with VPN and no phone.]

You want a service where the user (or the client app) generates and holds the encryption keys. You don't want a server to generate and hold the keys; that would not be end-to-end encrypted, and (with some effort) the service could read your traffic if they wished.


Individual services:

Some major choices:
WhatsApp (biggest user base, but requires phone number, owned by Facebook)
Signal (requires phone number)
Session (fork of Signal that does not use phone number)
Wire (doesn't use phone number)
Status (doesn't use phone number)
Telegram (requires phone number; forces you to install their phone-app to register, but later you can remove the app; will force 2-minute delay and then SMS each time you log on to web page)
Riot (client that uses Matrix protocol)

Services where user (or client app) holds the keys:
Riot (client using server or some other Matrix server)

Don't just start using a service and assume it's totally secure by default. Go through all the account settings and maybe dial them down tighter.

Ioana Rijnetu's "The Best Encrypted Messaging Apps You Should Use Today"
David Nield's "Best encrypted messaging apps 2019 for Android"
Micah Lee's "Battle of the Secure Messaging Apps: How Signal Beats WhatsApp"
Thorin Klosowski's "Secure Messaging App Showdown: WhatsApp vs. Signal"
Drew DeVault's "I don't trust Signal"

My sense so far: find content or people you want, and then use whatever service they are on. Part of my family is on WhatsApp, and it turns out there are advantages to using WhatsApp in the desktop browser instead of phone app (cut and paste, access to photos on hard disk).

Client apps that present many services in same UI:

Some of these may just provide a way to collect pages/tabs and do notifications and such, without really providing a unified UI.

Thunderbird 73 only supports IRC and XMPP and a couple others. (WhatsApp, Skype and others use forms of XMPP, but I don't think that means TB supports them.)

Franz (free for maximum of 3 services; free doesn't allow VPN ?)
Franz list of supported services
Ambarish Kumar's "Franz Combines all Your Messaging Apps in a Single Application"

Ferdi (fork of Franz; removes the limits, adds features)


sivaramsi / manageyum (last update 6/2017)

All-in-One Messenger (a Chrome browser app; Signal not supported ?)


My experience with Ferdi 4/2020:
I'm running Mint 19.3 with 5.3 kernel.
Version of Ferdi in Mint's Software Manager is a Flatpak.
I downloaded the 5.4.3 DEB file from Ferdi.
"Ferdi currently supports Slack, WhatsApp, WeChat, HipChat, Facebook Messenger, Telegram, Google Hangouts, GroupMe, Skype and many more."

Did "sudo apt install ferdi_5.4.3_amd64.deb", got apt-daemon error; my system has a problem.
Did "sudo dpkg -i ferdi_5.4.3_amd64.deb", succeeded.
Launched Ferdi from Start menu, and it came up okay.

You can use a Ferdi account to sync your services between devices, or use Ferdi without an account so your data doesn't get sent to external servers. I chose without-account.

You want to "discover services", not "search for services". The latter searches among services you've already added to the app.

I added service "Discord", for which I already have an account. Discord web page appeared inside a Ferdi frame, I logged in, seems normal (maybe even better than in browser, I was seeing some refresh issues in browser). Not sure that Ferdi is adding anything useful here. Looks like it can pipe notifications into the desktop notification mechanism, and you could get notifications from N different services in one place.

Quit Ferdi and then re-launched it, and it automatically re-opened Discord and I was still logged in. I think if I'd stayed out of Ferdi long enough, it would close services and I'd have to log in again. But that is "service hibernation", and in Settings I have it turned off. Why does it work ? [Later I did turn it on.]

I added service "WhatsApp", for which I already have an account. Had to log in by using the phone to take a picture of a QR code, as usual for WhatsApp Web.

I added service "WhatsApp", for which I already have an account. Used server

Could add services for GMail, ProtonMail, Google Calendar. But I already have those in other clients.

With 3 services open, Ferdi is running as 11 processes occupying more than 700 MB of RAM ! A few hours later, with 4 services, there are 12 processes taking about 830 MB of RAM. A few more hours later, over 950 MB.

After shutting down the system overnight, Ferdi was able to reconnect to Discord, Riot and WhatsApp automatically. Had to give the login info for Protonmail to reconnect to it. And soon it's using over 750 MB of RAM. Eight hours later, down to 450 MB or so, but a couple of the services had closed. After re-opening them, back up to 850 or so.

Ferdi on GitHub


Latacora's "Stop Using Encrypted Email"
Latacora's "The PGP Problem"

This page updated: June 2020