• Simultaneous, or not: Do both ends have to be active at same time ? Phone call, VOIP call, video call are simultaneous. Email, Facebook are not.

  • Standard protocol, or proprietary: With standard protocols (e.g. plain email, IRC), the ends can use different clients. With proprietary protocols/systems (e.g. WhatsApp, Signal, Telegram), both ends have to use the specific client for that service.

  • Centralized, or distributed/federated/peer-to-peer:

  • One-to-one, or group:

  • Encryption: On data in motion, on data at rest. Who generates the keys, who holds the keys, who applies the keys, who supplies the code ?

  • Data types and formats: Short-text, long-text, HTML, audio, still image, motion video, screen-share, attachments/files. Emojis, Unicode, character sets.

  • Speed: Bandwidth, latency.

  • Quality: Resolution, video frames/second, audio sample size and samples/second, compression.

  • Time limits: Delayed-send, one-time viewing, deleted after N days, unlimited.

  • Distance/range.

  • Real name, pseudonym, anonymous.

  • Public or private conversations.

  • Body of knowledge: Contains a Wiki, or sets of files or FAQs.

  • Ability and legality of recording/saving/backingup communications.

  • Cost: free, pay money at flat rate, pay money per usage, pay with attention (advertising), pay with data.

Typical choices

  • In-person.

  • Audio phone call: phone, VOIP, etc.

  • Video call: Skype, Zoom, Google Meet, etc.

  • SMS

  • Plain email: GMail, Hotmail, Yahoo Mail, etc.

  • Secure email: Proton Mail, Tutanota/Tuta, etc.

  • Plain email with encrypted content/attachments.

  • Centralized proprietary multi-mode: Facebook, reddit, Twitter, WhatsApp, Signal, Telegram, Slack, etc.

  • Federated standardized multi-mode: Mastodon, Discord ?

Obviously many of these services or modes are not direct substitutes for one another. If someone says "Stop using Facebook, just talk to people in-person", they're spouting nonsense.

A key question: where are the people you want to communicate with ? If you have technical questions about subject X, and all the people using that are on some particular site or channel, that's where you need to be. If all your family are on service Y, you want to be on there too.

Intel Techniques' "Messaging" (archived, outdated)

Don't just start using a service and assume it's totally secure by default. Go through all the account settings and maybe dial them down tighter.

Maybe a way to categorize UX of public services:
   Who do you "follow" ?      Immediate response expected ?      Services
PeopleYesWhatsApp, Signal
PeopleNoTwitter, Mastodon
TopicsNoreddit, Lemmy


These things are different: email Account, email Address, email Client, email Service.

You may use a couple of Services (GMail, Yahoo Mail, Protonmail).
On each service usually you will have one Account.
There may be multiple Addresses that all feed into that one Account.
You may use various Clients (browser, Thunderbird, phone app) to access each Account.


  1. Buy a domain name through a registrar such as Hover

  2. Buy email service (I like Migadu, but they don't have a phone app, I think) that allows/requires use of a custom domain, and allows wildcarding or infinite email addresses. Decide if IMAP access is important to you (see next step), because some services don't have IMAP or make it hard.

  3. Decide if you want to access the email through their custom phone-app, their webmail client, or through a generic desktop client (e.g. Thunderbird) and generic phone client (e.g. K-9 Mail) using IMAP. Advantage of the generic clients is that you can access email accounts from multiple services (plus calendar and address book and RSS and maybe some chat) in one app.

  4. Start using a password manager (e.g. KeePass), if you aren't already, so you can track all your accounts and what email address you've used with each.

  5. Slowly change all of your online accounts from old email address(s) to new email addresses. It will take a long time to get them all switched over. I feel you never can delete the old email account(s): stray messages will keep popping up there even years later, and you may have set them as recovery addresses on various accounts. In fact, keep accessing the old account every couple of weeks, to make sure it doesn't get closed because of inactivity.

I'm ending up on Hover, Migadu, Thunderbird on Linux, K9-Mail on Android, KeePassXC on Linux, Keepass2Android Offline on Android, after trying a bunch of services and apps. But your needs and choices may differ.

Email client application vs. browser

Also called "desktop" vs. "webmail".

A desktop / client application (such as Thunderbird) is better:
  • If you're dealing with multiple email accounts.
  • If you get a LOT of email.
  • If you keep a LOT of email in your email folders.
  • If you're dealing with email accounts on multiple services (browser UI for each will be different; but some web clients, including GMail, can handle accounts from multiple services).
  • Easier to create filters/rules ?
  • Probably can apply same filter/processing rules to multiple accounts.
  • Probably can move messages from multiple accounts into same folder.
  • Probably can have messages from multiple accounts feed into a single calendar.
  • Probably can search across multiple accounts.
  • Easier to apply PGP to messages ?
  • Can do email work while offline.
  • Maybe better notifications, or integration with OS notification mechanism.
  • Additional features such as handling RSS feeds and calendar.
  • No ads.
  • Doesn't let one web service see all your accounts and messages.
  • Keeps your Contact list private ?
  • You don't lose Contact list if the service terminates your account.
  • If using POP3 (keeping messages only in client), you can (have to) back up your own messages, and you can restore as needed.
  • If using POP3 (keeping messages only in client), if a hacker breaches the service, they won't get all your old messages.

Webmail / browser is better:
  • If you need to access email on public devices, or devices where you can't install a client app.
  • Some email services may not support IMAP or POP3, or may charge money for it.
  • Takes less space on disk, especially if you're saving many old messages with big attachments.
  • Takes less space in RAM, since you'll be running one app (browser) instead of two (browser and email client).
  • Doesn't require a "bridge" or other connector for encrypted email services (Proton Mail).
  • Don't have to know how to set up IMAP/POP/SMTP access.
  • Simpler UI, not cluttered with fancy features you don't use.
  • Service handles backup of your messages (but probably doesn't offer any restore feature, if you screw up and delete something you didn't want to).
  • Some services (GMail) include features such as calendar-sharing that you won't get with a client application ?
  • Don't have to worry about a hacker breaching your desktop machine and getting all your old messages (compared to using POP3 with a client app).

Some security guys say it's safer to use browser-based email instead of a client application (such as Thunderbird). The browser is somewhat of a sandbox, and highly tested, and you need it for other reasons too. A mail client application is an additional complex piece of software that possibly is less secure. Same cautions apply to email application and browser: keep it updated; using more plug-ins increases attack surface and risk of bugs/vulnerabilities.
But, Thunderbird and Firefox both are made by Mozilla, so maybe Thunderbird is pretty secure.

With a client app, use IMAP or POP3 to connect to the server. POP3 requires all messages to be downloaded to the client, so you can't have multiple clients (e.g. laptop and phone) accessing the same messages. And POP3 only handles Inbox; you can't do multiple folders.
Teknikal's_Domain's "Comparing IMAP and POP"

Likely future: JMAP

Email desktop client apps

Betterbird (fork/parallel of Thunderbird ESR)
Interlink (fork of old version of Thunderbird)
SeaMonkey (internet app suite with some shared heritage with Thunderbird)

KMail (Linux only; article)
Evolution (Linux GNOME 3 only)
Geary (article; Linux GNOME 3 only ?)
Kube (no Windows)

Mailspring (no calendar; supports CardDAV for contacts; Flatpak)
Claws Mail (GTK+; can't compose HTML messages)
Sylpheed (no calendar ? contacts ?)

Mailpile (client is in browser, accessing a local web server)
RainLoop (client is in browser, accessing a local web server)

Zimbra Desktop (local client talks to local server; latest release early 2017 ?)

Outlook (no Linux)
Mailbird (Windows only)

BlueMail (calendar only on their server ? contacts ditto ? article)
Deepin Mail

"I use Mailspring and Thunderbird. I use Thunderbird to create rules and do various types of mail organization. Mailspring, I use for actually reading the mail, and for responding."

Karl Voit's "Moving from Thunderbird to Evolution for Emails and Calendar"

Mehedi Hasan's "10 Best Linux Email Clients for Your Workflow"

Heinz Tschabitscher's "Access Your Yahoo Mail Account With Your Email Program Using IMAP"
Yahoo's "IMAP server settings for Yahoo Mail"

Sobyte's "A detailed explanation of email port numbers"

Use plaintext email

Email Privacy Tester

Salman Khan's "Combined Desktop Client for Gmail, Slack, WhatsApp, etc."

Android client apps

For me, phone app will be a backup to the desktop app, not my main mail client.
I need: free/cheap; IMAP support; not from a major company.
I want: PGP support; no ads; open-source.

Other client apps such as GMail can do IMAP to multiple services, not just their "home" service.

I dropped some other apps out of the list because they send email through their own servers, or no new release in a long time, or ads.

Every single email app in the Google Play Store, it seems, has some reviews saying "best ever, works perfectly" and other reviews saying "flaky, was good but no more, drops messages, etc".

From someone on reddit 10/2019:
The main problem with TypeApp, Edison, Spark, Newton, and Outlook, is that they use their own servers to access your email. They act as an intermediary between you and your email provider, so they have access to your email contents and/or metadata. This is not good from a privacy standpoint.

Apps such as Nine, Aquamail, Maildroid, K-9, and FairEmail access your email provider directly without using any 3rd-party servers, so they are preferable from a privacy standpoint.

Sabiha Sultana's "Best Email Apps for Android"
Matt's "Mobile Email Sucks"

I chose K-9 Mail


Custom domain

Get your own custom domain, and use it as your email address, but actually use a commercial service to host the email. You can do this with Proton Mail (paid) and other services. That way, if later you decide to change services, your email address doesn't change.

But it's a little odd from a privacy point of view. An email address such as "" isn't hiding your name or identity from anyone; an address such as "" does hide your name.

Another downside: after you die, if your domain registration lapses, someone malicious could take over the domain, create their own email addresses to match yours, and attack your other accounts.

A custom email domain may be easier for some attacker to exploit. If you just use GMail, you're relying on GMail's admins not to get fooled into doing an attacker's bidding, and relying on GMail's domain registration and DNS and mail servers to be solid. If you use your own domain, you're relying the admins of your domain registar, DNS service, and mail service not to get fooled. Most likely, Google's setup is safer than your setup.

One huge advantage of a custom email domain: for sites that force you to use email address as login username, now you can have a unique email address for each site. Make an email address such as "fb9999@MYDOMAIN" to use as your login for Facebook, and don't use that address anywhere else. Makes it harder for an attacker to trace you across sites, and figure out your login username for each site.

So, I would like to find an email service that is:
  • Free or very cheap.
  • Supports POP3 and IMAP.
  • Allows use of a custom domain.
  • Provided by some privacy-respecting company (not Google, Facebook, etc).
  • Not tied to something else I use (domain registrar, web hosting service, browser mfr, etc).
  • Not in China or Russia.
  • Provides calendar and contacts servers.

Possibilities: Starter Email (€24/year)
Proton Mail (free or €48/year; IMAP requires paid and bridge)
Migadu ($19/year for 20 outgoing messages per day)
Fastmail ($60/year for plan that allows custom domain) (€36/year for plan that allows custom domain)
Soverin (€40/year)
StartMail ($70/year for plan that allows custom domain)
Runbox (€30/year for plan that allows custom domain)
Disroot (article)
MXroute ($49/year)

Pinoy Newbie's "How to get a free email for custom domain with IMAP/POP3/SMTP support"

Other services:
Posteo (€12/year; no custom domain ?)
Criptext (no IMAP, no custom domain)
Skiff (no IMAP ? article)
Tutanota/Tuta ? (no IMAP)

Email alias addresses

The service I chose (Migadu) lets me use unlimited addresses, with a catch-all that feeds them into one mailbox. So I can use a different email address on every site, without using funny chars such as "+" in the name. Have to use a password manager to keep track of all of them.

Other services also support aliases, usually with some special format such as "". Maybe it's fairly easy for spammers to see that it's an alias, and strip off the "+extrastuff".

Tricky: check to see if your service will let you reply properly to an email that came in to an alias address; the "from" address of the reply should be your alias address, not your real mailbox address. I think many services do this properly.

Tricky: check to see if your service will let you originate an email from an alias address; the "from" address of the reply should be your alias address, not your real mailbox address. I think many services DON'T do this properly.

DNS and MX and SPF and DKIM and DMARC

Once you have an email service, you have to set your domain's DNS records to point to the email server (MX records) and control how email is handled (DKIM, SPF, DMARC records). The service should have Help pages that direct you through the process. Your DNS service may also have Help pages or web forms to help you. The two may not quite match, so you might have to figure out a few things.

These are DNS records that the receiver of a message supposedly from this domain can use to check the message.

From brightball's "Combatting Phishing with DMARC":
DMARC isn't the first specification to try to fix the [impersonation] problem. Multiple others have come along in the past with differing degrees of adoption. DMARC builds on two of them, called SPF and DKIM. Both of these protocols have gaps that are addressed by the other. With DMARC set up, you're telling any mail server that gets an email claiming to be from your domain "If this email doesn't pass either SPF or DKIM for my domain, it's not from me and you can discard it (or send it to spam)."

  • SPF (Sender Policy Framework): DNS record specifies the mail servers (IP addresses) this domain will be sending mail from.

  • DKIM (DomainKeys Identified Mail): DNS record specifies public crypto key; private key was used to sign critical parts of the message before sending.

  • DMARC (Domain-based Message Authentication, Reporting and Conformance): DNS record specifies whether SPF/DKIM/both are being used, and how failures should be handled.
    "DMARC checks the alignment between the SPF RFC5321.MailFrom domain and the RFC5322.From domain. So DMARC protects against this type of spoofing, but SPF in itself does not."

JonLuca's "Email authentication: SPF, DKIM and DMARC out in the wild"
Andy Gill's "Mail Technologies (DKIM & DMARC) - Part 2"
Alex Blackie's "Email Authenticity 101: DKIM, DMARC, and SPF"
Freddie Leeman's "Email security explained"
Simon Andrews' "I figured out how DMARC works, and it almost broke me"
Thomas Claburn's "If you're struggling to secure email forwarding ..."'s "Learn and Test DMARC" (cool visualization of the process)
kmille's "Verifying a DKIM signature by hand"

DNS record (TXT with format "v=STSv1; id=123456789") and a file (/.well-known/mta-sts.txt) on the site to tell mail servers to use TLS on the links among themselves.

MTA-STS (Mail Transfer Agent Strict Transport Security).

For reporting, create another DNS record (TXT with format "v=TLSRPTv1;rua=mailto:address@domain").

UK NCSC's "Email security and anti-spoofing"


dmarcian's "DMARC Record Wizard" (create DMARC record)

The DMARC record I started with contained "v=DMARC1; rua=mailto:MYADDRESS;".
After everything worked for a while, I changed to "v=DMARC1; p=quarantine; rua=mailto:MYADDRESS; ruf=mailto:MYADDRESS;".
Later changed to "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;pct=100;fo=1;rf=afrf;ri=345600;rua=mailto:DMARCIANADDRESS;ruf=mailto:MYADDRESS". (strict everything)
Still later changed to "v=DMARC1;p=reject;fo=1;rua=mailto:DMARCIANADDRESS;ruf=mailto:MYADDRESS;".
(Dmarcian notified about aggregate traffic from my domain to other domains ?)
dmarcian's "DMARC Inspector" (evaluate existing DMARC record)

Your DNS changes may take hours or days to be visible to other services, depending on the TTL settings on your previous DNS records.

After you send some email from your domain to some of the big domains such as Google, they may send a DMARC "aggregate" report to you at the "rua" address specified in your DMARC record. Pretty boring; set the frequency to every 3 months or something ("ri=604800" for 1 week, "ri=7862400" for 13 weeks).
Amy Gorrell's "How to Read Your First DMARC Reports (Part 1)"
MXToolBox's "Dmarc Report Analyzer"
EasyDMARC's "DMARC Aggregate Reports"
If there's some failure, giving an IP address, you could do a lookup using WhatIsMyIPAddress or similar.

Despite setting "ri" to "" in my DMARC records, big services were sending aggregate reports every 1 to 6 days. Instead of handling them yourself, sign up for a free service such as:
DMARC Analyzer (the "freemium" plan)
Report URI
I created a free account with dmarcian, changed RUA in DMARC record to use a custom email address from dmarcian. They also force you to change your policy to "reject". But I find their dashboard hard to understand. Later they changed the email address they wanted, and I had it wrong for a while.

If any malformed email message is sent from your domain to one of the big domains such as Google, they may send a DMARC "forensic" report to you at the "ruf" address specified in your DMARC record.
Amy Gorrell's "How to Read Your First DMARC Reports (Part 2)"

After reading JonLuca's "Email authentication: SPF, DKIM and DMARC out in the wild",
I changed my SPF record from (Migadu is my email service):

"v=spf1 a mx ~all"

"v=spf1 mx -all"
MXToolBox's "SPF Record Check" (also check "blacklist:YOURDOMAINNAME")

How to set DNS for a domain where you WON'T do email

Test your email service to see if it's blacklisted:
MXToolBox's "IP Blacklist Check"
Mail-Tester (send msg with real subject and body)
Josh Slone's "Email Blacklist: How to Tell If You're on It (and What to Do If You Are)"

Email account as database

Some people use their email account (or worse, chat account such as WhatsApp) as their database, accumulating years of important messages and documents/images that they store only in that account, searching them and accessing them from that account.

This is a VERY bad idea:
  • The data is on someone else's server (giving them some legal rights to access the data, and running the risk that they could turn off your account or go out of business or change the rules).
  • Searching and organizing and accessing the data is kind of awkward.
  • Critical data is mixed in with transient data and spam.
  • Exporting the whole thing to somewhere else if you change email service or address is an enormous pain.
  • Backup and restore is out of your control.
  • You have to have internet access to read your documents.
Get the data out onto your local hard disk, well-organized into folders with good folder names and file names. Try to keep your email account close to empty (very hard, I know).

Migadu's "Migrate Mails Using ImapSync"

Dmitry Frank's "Treating Email More Like a Password Manager"

Ask Leo's "How Do I Send Anonymous Email?"

Migrating email: Don't use GMail's "take out" feature to get all of your data out of GMail to move to another service. Instead, connect to GMail through IMAP (maybe using Thunderbird) and do an "export" from the client to some format such as CSV. This lets you preserve the folder structure.

Linux tool to export messages from IMAP server to local dirs, and other functions: offlineimap.

Importing messages from EML files into Thunderbird: "just drag and drop the .eml files into Thunderbird folders. If those are IMAP folders it should upload them to the e-mail server."

Linux desktop calendar client


Mozilla wiki's "Thunderbird"
Thunderbird Support
Matt Harris's Thunderbird blog

Thunderbird bugzilla
Thunderbird Calendar bugzilla
Thunderbird Chat bugzilla
Thunderbird Feed Reader bugzilla
Thunderbird Topicbox discussions

random neuron misfires' "Deploying Firefox and Thunderbird Policies"

[WARNING: 9/2019 Thunderbird is going through major changes from versions 60 to 68 to 70. Lots of add-ons not working, lots of error messages in the add-on debug window. Many of the docs have not been updated to version 60, much less 68 or 70.]

11/2020: went to file a small request for more information in error dialogs, and found the same request filed 20 years ago and still open.

6/2022: went to file a bug report that in version 101 (and previous) sometimes preview pane shows preview of wrong message, and found the same bug filed by numerous people over at least the last 11 years and still open.

6/2022: announcement that Thunderbird and K-9 Mail are merging/joining.

2/2023: Thunderbird's "The Future of Thunderbird"

Installed 9/2019 in Linux Mint, from Mint's Software Manager, but it's version 60.8, and web site has 68.1. Removed it and installed from web site. But apparently 60 and 68 are sequential releases; they skipped the numbers between ? And 68 is a major change; supports only WebExtensions, and much more.

Installed it as root into /opt. Created a launcher on the Mint desktop to /opt/thunderbird/thunderbird. It saves config info under ~/.thunderbird.

Smooth integration with Yahoo Mail (free) and GMail (with 2FA; had to "allow less-secure apps" in GMail account, and/or generate an app-specific password ?).
Chose IMAP (leave messages on server), so I can still use client apps on my smartphone.

To use with Proton Mail, have to have a paid PM account, and install Proton Mail Bridge on your computer to provide IMAP.

No way to connect to WhatsApp.

SMTP connection to Yahoo Mail seems unreliable, or doesn't like a different reply-to address, not sure. Default port is 465, other is 587. Switch from 465 to 587 and back, then it worked.

Advanced configuration: hamburger icon in upper-right / Preferences / Preferences / General tab / Config Editor button in lower-right.

To stop Thunderbird from automatically opening next message after you delete current message: use "Config Editor" and set "mail.close_message_window.on_delete" to true.

Thunderbird has an Import function (messages, settings, etc) but no Export function !

Thunderbird stores digital certificates, just as browsers do. I installed a personal certificate, and right away Yahoo Mail wanted to use it for OAuth. But YM works whether or not you let it use the certificate.

Using IMAP, if you want to keep some messages locally but delete them from the server: make a new local message-folder and copy the messages into that, then delete them from the server's folder.

Deleting an account from Thunderbird:
"If the account is IMAP, removing the account from TB doesn't affect the status of the account with the email service or the messages that are on the IMAP server. If it's POP and the downloaded messages are only on the local computer, not on the mail server, copy the mail to a subfolder of Local Folders, then remove the account. That also doesn't affect the online account or any mail left on the server. Remove accounts from Account Actions in Tools / Account Settings."

Encrypted mail

Old TB: PGP with EnigMail:
Mozilla's "Digitally Signing and Encrypting Messages"

Fortunately I already had GnuPG installed, and I installed the EnigMail extension in Thunderbird.

Went to hamburger icon / EnigMail / Key Management, added my Proton Mail public key to Thunderbird. Highlighted the key, clicked on File / Compose Email to Selected Keys, sent encrypted mail from my GMail account to my Proton Mail account, it worked. Clicked "Trust Key" in Proton Mail, which is telling PM to trust the public key Thunderbird has generated for my GMail account, apparently. Sent encrypted email from Proton Mail to GMail, it worked. No indication in Thunderbird that the message is encrypted, but View Source shows that it is. Used GMail app on phone to view the message, and it shows as encrypted, and the app doesn't have the key needed to decrypt it.

Sending a PGP-encrypted message through Yahoo Mail (free) seems to fail; keep getting an SMTP/mailbox error.

10/2019: EnigMail extension is going away, future Thunderbird version will have native PGP: Patrick Brunschwig's "Future OpenPGP Support in Thunderbird" and Ryan Sipes' "Thunderbird, Enigmail and OpenPGP" and Introduction to End-to-end encryption in Thunderbird

From someone on reddit 12/2019:
> Was sent an encryption key to encrypt my emails through engimail.
> Having trouble figuring out how to use it using online resources.

You should have the key you got sent in a file, whether you copied-pasted it from the message body or saved it as an attachment.

In the Enigmail menu at the top of Thunderbird:

Enigmail / Key Management


File / Import keys from file

Then select the file containing the key.

It will prompt you to confirm that you want to import the key.

The key is now on your keyring and ready for use.

To use the key to encrypt a message to the recipient:

Create a new message the standard way, with the Write option at the top left of Thunderbird.

Type your message and fill out the To: and Subject: fields normally.

At the top of the Message window, select Enigmail / Encrypt Message (or make sure it is already checked).

One of two things will happen when you click send. If the e-mail address you're sending to corresponds to the mail address specified in the key it should automatically encrypt when it sends.

Otherwise at this point it will pop up a box saying "Enigmail Key Selection" and you will select the key you want to encrypt the message with (i.e., the one you just imported to your keyring.)

When you have done that, click Send.

You can confirm the message was encrypted by going into your Sent mail folder. If you then open the message you just sent and it pops up a "Please enter the passphrase to unlock the OpenPGP secret key" pinentry box, you've succeeded. It's doing this because when you encrypt with someone else's public key, even you can't read the text unless you yourself have the secret key, which you almost certainly do not (unless you are writing a message to yourself). This is just telling you, "This is encrypted and if you want to decrypt it, you need the secret key and its passphrase."

The important thing to understand here is two keys are involved:

- A public key, which is the one you should have been sent, or which you send to others, and publish widely. This can only ever be used to encrypt. It cannot be used to decrypt.

- A private key, which you always keep private, and is associated with your public key. People who send you public keys also have a corresponding private key they never share. This can only be used to decrypt.

In TB 79+: OpenPGP or S/MIME:
Thunderbird Help's "OpenPGP in Thunderbird - HOWTO and FAQ"
MozillaWiki's "Thunderbird:OpenPGP"
Thunderbird Help's "Introduction to End-to-end encryption in Thunderbird"
Martin Brinkmann's "You need to use a Master Password in Thunderbird if you use OpenPGP"
Jamie McClelland's "Fine tuning Thunderbird's end-to-end encryption"

In Config Editor, I found that mail.openpgp.enable was already set to true.

In main view, in leftmost pane, select an email account, then in upper-right click on Account Settings. New tab "Account Settings" will open. In left side, click on "End-to-End Encryption". Two choices: OpenPGP or S/MIME.

For each email address at which you want to receive encrypted email, or that you want to use to send digitally signed email, you need to create a personal key.

To send an encrypted message to someone, you must have their public key (OpenPGP) or certificate (S/MIME).

To create a personal key:
Highlight an account.
Click on "Account Settings" in upper-right.
Click on "End-to-End Encryption" in left pane.
Under "OpenPGP" click on "Add Key".
"Create New Key", set "Key does not expire", "Generate key", "Confirm".
Warning says may take several minutes, but on my slow laptop it took about 2 seconds.
See "OpenPGP Key created successfully!".
Click on radio button next to key ID.

Click on "Manage OpenPGP Keys" button; a new window opens.
Highlight the key, right-click, select "Key properties".
Copy the key ID (have to type it manually !), fingerprint value, export public key (to pub.asc file; doesn't work to a VeraCrypt volume !), backup secret key (have to set a password that locks it).
Save all the info, probably in your password manager; note that this info is associated with the email address itself, not the hosting service or Thunderbird.

Or go to hamburger / Tools / OpenPGP Key Manager.

In "Account Settings", set "Do not enable encryption by default", and "Add my digital signature by default".

Go to address book, select your email address, click on "Write".
In the "Write" window, click the down-arrow next to the "Security" button, and select "Require encryption". "Digitally Sign This Message" and "Attach My Public Key" should be selected already.
Write the message and send it.

Receive the message.
In main window, subject should be shown as "...".
Double-click on message to read it.
In upper-right see an envelope-greenseal icon; this means the message has a valid digital signature.
In upper-right see a padlock icon; this means the message is encrypted.
Double-click on each icon to see info.
At bottom, see that there is an attachment, which is a .asc file containing your public key.

Send another message, this time with "Do not encrypt" and "Digitally Sign This Message" and NOT "Attach My Public Key". Receive the message.
In main window, subject should be shown in plaintext.
Double-click on message to read it.
In upper-right see an envelope-redX icon (seems wrong !).
In upper-right see NO padlock icon; message is not encrypted.
At bottom, see no attachment, your public key is not attached.

To get someone else's public key:
Have them send the pub.asc file to you.

Go to hamburger / Tools / OpenPGP Key Manager.

Justus and Neal's "Sequoia: Super Powering End-to-End Email Encryption in Mozilla Thunderbird"
Thomas Fitzsimmons' "Thunderbird and OpenPGP"


Thunderbird can require a master password to open the application, can store the password for each of your email accounts and login automatically, and can save cookies for each email account. It saves config and mailbox under ~/.thunderbird in Linux. What's the best way to secure all of this info ?

In my browser, I don't use a master password, let it store passwords, or save cookies.

But for Thunderbird, auto-connecting to mailboxes requires saving the passwords, so I'm using a master password and letting it store the passwords.

Apparently that master password just protects the other passwords. You can get into the app without the master password, and read existing mail. But you won't be able to fetch new mail, because the app won't have access to the individual account passwords.

Connecting Thunderbird to read/write Linux local CLI mail

[SUPPORT FOR THIS ("movemail") WAS REMOVED IN EARLY 2021 (circa version 87); NO LONGER SUPPORTED !!! I'm told Evolution and KMail do support this.]
[Workaround ?

mail USERNAME                 # to make sure it works
ls /var/mail/USERNAME         # to make sure it exists
# If not working, see "Getting Linux local CLI mail working"

# Quit out of Thunderbird.
cd $HOME/.thunderbird/SOMERANDOMTEXT.default-release/Mail/Local\ Folders
ln -s /var/mail/USERNAME .

First get CLI mail working: see "Getting Linux local CLI mail working" section of my "Using Linux" page.

In Thunderbird, go to hamburger icon / New / Other Accounts.
Choose "Unix Mailspool". [AROUND RELEASE 87, THIS IS GONE !!!]
Use email address user1@laptop1.
See dialog about Outgoing Server Information.
Set Outgoing SMTP Server to "localhost" ?
Use account name user1@laptop1.
Click Finish to create the account.
Find account "user1@laptop1" in the left-hand panel and highlight the Inbox for it.

Test by going to CLI and:

mail -s "subject1" user1 </etc/group

# if mail command not found:
sudo apt install mailutils
Then in Thunderbird click the "Get Messages" button in upper-left.

The "check server every 10 minutes" setting seems not to work; new messages appear only when I click the "Get Messages" button.

To be able to send messages to local mail:
Don't see how to add a new SMTP server.

Thunderbird use 24-hour time format ?

On Linux, ran "sudo update-locale LC_TIME=en_DK.UTF-8" to affect /etc/default/locale, didn't change TB.
use a dconf-editor on org.gnome.desktop.interface.clock-format

Changed desktop launcher from "/opt/thunderbird/thunderbird" to "env LC_TIME=en_DK.utf8 /opt/thunderbird/thunderbird" and it seems to have worked.

Maybe a Linux Mint bug ? Although I think the problem has been seen on other distros. "Although the names of the days and months are localized according to the LC_TIME environment variable, we were fetching the format itself using gettext according to the desktop's language. We will get this fixed in Cinnamon and in MATE for 19.3." from Mint blog


If you want to connect to a calendar server, need a server that supports the CalDAV protocol.

Popular/standard (developed by Mozilla) TB add-on for calendar is called "Lightning".

iCalendar (ICS) will give read-only access; use CalDAV.

I just have my personal calendar, and only I connect to it. Things may get more complicated if you want to share your calendar with other people, and access their calendars. I don't know.

Connecting to Yahoo Calendar:
Yahoo's "Sync or access your calendar on multiple devices and applications"
YOURUSERNAME is your email address without the "".
Easiest if your "calendar name" in Yahoo Calendar has no spaces in it.

Create a single event in Yahoo Calendar, it is displayed correctly in Thunderbird.
Create a repeating event in Yahoo Calendar, it is not displayed at all in Thunderbird ?!

Protocols: CalDAV to synchronize calendar (and tasks), CardDAV to synchronize contacts.

Apparently the apps are divided into calendar-displaying apps, and calendar-synchronizing apps. You probably already have one of the former, and you need to add one of the latter.

Had to go into my Yahoo account and turn on "Allow apps that use less secure sign in".

Kris Wouk's "How to Sync CalDAV and CardDAV to Android"
Namecheap's "How to configure Caldav/Carddav on Android"
Installed "Caldav Sync Free Beta" app. No icon on the display, but shows up in Settings / Apps as "CalDAV Sync Adapter".
Go to Settings / Accounts / Add account / CalDAV Sync Adapter, put in connection info, but never could get it to connect.

Open Sync by Deepen Dhulla. Worked right away, given my Yahoo email address and password, it showed my calendar name. But then the default Google Calendar app in the phone sees the account from OpenSync but says "no calendar".

Installed "Simple Calendar - Event & Reminders" app by Simple Mobile Tools. But it doesn't see the Yahoo account at all.

Installed "One Calendar" app by Code Spark. Tried to connect, couldn't, looked at Help, and it says "OneCalendar can't connect to Yahoo because they don't support WebDAV Collection Synchronization".

Gave up on Yahoo, deleted my calendar there.

Connecting to Google Calendar:
Google's "Get started with Google Calendar"

If you have 2FA enabled on Google Account, you have to get an app-specific password to connect TB to Google Calendar: Google's "Sign in using App Passwords"

In TB, set "location" of server to:

Maybe this has changed ? Now use OAuth ? Maybe address is:

Opened default Calendar app, the calendar events appear, some after a bit of delay.

In TB, created an event in the calendar, clicked Synchronize, went to phone, event was in calendar there. Fast.

10/2019: Heard that Migadu, my email provider, is about to support calendar. Good news.

fruux (service for calendar, contacts, and tasks)

Importing a calendar from elsewhere:
You need to get an ICS file. If you have an URL such as

change the "webcal" to "http" and copy the URL into Firefox's address bar. It will ask you what to do with the ICS file. Save it to disk.

Then go into Thunderbird and do Hamburger / Events and Tasks / Import... and select the ICS file. Choose what calendar to import it into.

For me, importing into Google calendar did not work (did nothing). Importing into Home calendar did work (gave success message, reminders appeared, events appear in the calendar).


Confusing: my phone's Contacts app shows some contacts, and says it syncs with my GMail account, but Contacts in GMail shows no contacts from the phone. Went into phone's Contacts app and did export from phone to Google.

The real problem I'm trying to fix is that K-9 Mail's "Add from Contacts" menu item sees no contacts. I think it's looking in Google's contacts, not the phone's contacts, and the two are not synced ? Or maybe it's looking in Yahoo's contacts ? If I go to Google Contacts on desktop and create a contact there, it shows up on phone and in K-9 Mail.

Finally fixed things by: going into my Yahoo Contacts on desktop, exporting to CSV, going to Google Contacts on desktop and importing CSV. Got things straightened out there, then deleted all contacts from Yahoo. Google Contacts have been synced to Contacts app on phone, and K-9 Mail sees them. Manually copied a few extra items from phone's Contacts to Google Contacts on desktop. In Google Contacts on desktop, got rid of items in "Other Contacts", then used "Duplicates" to merge any duplicates. Then exported to CSV file (Google CSV format) to have a backup.

Looks like Thunderbird doesn't have the capability of syncing to a Contacts server. Maybe there are extensions ?
gContactSync extension (Syncs contacts amd groups between TB and Google Contacts)

In Thunderbird, was able (with some difficulty) to import the CSV file. But it contains duplicates, and lost phone number country-codes.

In TB, if you want to send a message: open the address book, right-click on a contact to send to, and select Write. A Compose dialog will open, To: will be set properly, and then you can set the From: mailbox as you wish.



  • DKIM Verifier. Checks DKIM of email sent to you.

    In Preferences/General, enable "Verify DKIM signatures".

    In Preferences/Display, enable "Enable highlighting of From header", and change any background colors that are set to "transparent" to some other value.

    In Preferences/Advanced, disable "Reading the Authentication-Results header replaces the add-ons verification".

    It warns about 1024-bit keys as insecure, even though they've been standard for years (2048 is recommended as of 2018).

    LOTS of incoming mail will show warnings about incorrect certificates, weak keys, weak encryption algorithms, etc. Some has no DKIM at all.

See "Building a Thunderbird Extension" section of my "Develop an Application" page.

Fixing problems

Make backups, of profiles and inbox.msf file.

Heinz Tschabitscher's "Quick Guide to Repairing Folders in Mozilla Thunderbird"
Centennial Arts' "Thunderbird Folder Repair"
Bhavaya Tyagi's "Thunderbird Mailbox Repair Tool to Access Corrupted MBOX File"
Eric Simson's "Fix Common Problems or Errors in Mozilla Thunderbird"
DataHelp's "How to Repair & Rebuild MSF File to Remove Thunderbird Inbox Email Missing Error"

EmailAdepts' "Recovery Tool for Mozilla Thunderbird" (Windows only; $50)

"Authentication failure", from someone on reddit:
If you get stuck in "authentication failure" with GMail and Yahoo (usually most persistent after changing the account's password):

I've been able to reliably fix it by going into the server settings of each email account and switching the "authentication method" from whatever it needs to be to "normal password". Then closing Thunderbird, opening it again. Letting it do all the checking of my addresses, and then changing the "authentication method" back to OAuth2.

I'm sure there are many people who this won't work for, but for someone who has never been able to reliably stop my GMail from giving me all types of IMAP problems, this has been a good find.

Every now and then, look in $HOME/.thunderbird/PROFILENAME/ImapMail/ for any huge files, and repair the corresponding mailbox folders (select a folder, right-click, Properties, click Repair Folder). Sometimes you get one that has a huge reduction in size for some reason.

Dedoimedo's "[If] Thunderbird mail filters do not work"

Thunderbird beta

Later installed Thunderbird beta.


# Quit out of Thunderbird app.
# Download new to /tmp, or to elsewhere and then move it.
mv thunderbird-*.tar.bz2 /tmp

# To check hash, run:
shasum -a 256 /tmp/thunderbird-*.tar.bz2
# then go to:
# and search for the string of digits you got from "shasum".
# You should find the string, next to the correct filename.
# What is this verifying ?  That the file you received over the network
# matches what the owner of that HTTP/FTP site says it should match.

# To check signature (better):
sudo apt install gnupg dirmngr
# Get PGP public key; download:
# Display fingerprint of public key:
gpg --with-fingerprint SHA256SUMS.asc

sudo rm -fr /opt/thunderbird
sudo tar --directory=/opt -xvjf /tmp/thunderbird-*.tar.bz2
sudo rm -f /tmp/thunderbird-*.tar.bz2

Make launcher/shortcut point to file /opt/thunderbird/thunderbird.
Create ~/.local/share/applications/Thunderbird.desktop to contain:

[Desktop Entry]

Thunderbird beta Flatpak

There won't (ever) be one in the main Flathub, because they don't want developer releases of software. But there is a "flathub-beta".

I don't see how to package TB beta as a Flatpak, without recompiling it from source.

With 70.0b2, Enigmail extension got disabled. With 79, some PGP capability is back.

RSS Feeds

Thunderbird's setup process is very intelligently done.

But I've noticed that feeds behave in two ways (some quirk of the servers, I think):
  • In some feeds, you can delete messages as you read them (or want to ignore them), and they never will come back, only new messages will appear.

  • In other feeds, if you delete messages, they ALL will come back again the next time the feed is updated. To avoid this, you have to "mark as read" instead of deleting messages.

In some audio feeds, the audio starts auto-playing when you open the message, and there's no setting in TB to stop it. Went into Preferences/Preferences/ConfigEditor and set "rss.display.prefer_plaintext" to true, later set "rss.display.disallow_mime_handlers" to 1. Neither stopped the playing.

And I just cannot get about 10% of my RSS feeds to work. They just never show new items. I can go to the feed web page and see there are new items. If I delete the feed from TB and add it again usually the new items will appear. But then next time there is a new item, it doesn't appear.

Feeds from can't be added to TB (as of 2/2020); they fail validation. says they pass validation in, which is Apple's recommended validator, so they're not going to fix their feeds. In fact, they say some of the other validators are reporting some bogus errors. [You could try hand-editing an OPML file to put the feed into it, then import that file, bypassing validation.]

Four years since last update: gozman's "Slack to RSS"

Dropped use of TB for RSS feeds; just too many problems.
TB can export all feeds to an OPML file: feeds / Manage Subscriptions / Export / .

See RSS section.

Thunderbird's chat support seems pretty poor; probably better to use a different client. See Secure messaging (text, chat, voice, video) section.

Data on Disk

It's not clear how much TB's master password protects your data. I think it protects server connection (login) info and certificates ? But it doesn't protect any mail held locally on your machine.

For example, on my Linux machine, file ~/.thunderbird/PROFILENAME/Mail/localhost/Inbox contains my local email messages in plaintext.

Also, file ~/.thunderbird/PROFILENAME/prefs.js contains the URLs and names and connection info for my mailboxes and calendar on various services. But I don't see any passwords in plaintext, anywhere in the files in the profile directory (I assume they're in an encrypted sqlite database).

So, to protect that data at rest, you could use disk/partition/container encryption, and have that profile in the encrypted space. Use LUKS or VeraCrypt or something.

To write less to disk/SSD: in config editor, set browser.cache.disk.enable = false, browser.cache.memory.capacity = 200000 (KB), browser.cache.memory.enable = true.

Modifying UI


Moving your domain to a new email service

From people on reddit: control user-agent string sent in email by either:
- set general.useragent.override to desired user agent string, or
- set both mailnews.headers.sendUserAgent and mailnews.headers.useMinimalUserAgent to True.

From members of the TBird team, on YouTube 6/2022:
TBird has some 20 million users. 90-95% of TBird users are on Windows, maybe 5% on MacOS, maybe 2% on Linux.

K-9 Mail (Android)

K-9 Documentation
thundernest / k-9 (source code)
K-9 Forum

Doesn't support calendar or tasks. Will read contacts from Contacts app on phone.

6/2022: announcement that Thunderbird and K-9 Mail are merging/joining.

K-9 Mail has an "import settings" feature, but that's only for importing a file exported from another installation of K-9 Mail.

OpenKeychain supports creating a key, importing a key, or using a hardware token.

In K-9, went into Settings / Global Settings / Cryptography and selected OpenKeychain as the cryptography app.

Setting up Yahoo Mail account in K-9: have to choose Manual setup. IMAP server is security SSL/TLS port 993 authentication "normal password". But can't get it to work. K-9 doesn't support OAuth2 authentication, and Yahoo requires it ? Had to go into my Yahoo account and turn on "Allow apps that use less secure sign in". Then got through IMAP. SMTP server is security SSL/TLS port 465 authentication "normal password". Works. Uninstalled Yahoo Mail app from my phone.

Composing a message off-line works; message sends next time the phone is online.

When composing a new mail, "Add from Contacts" shows no Contacts. IMAP doesn't fetch contacts from an email server; to do that you'd have to use an app such as DAVx5 (paid). But K-9 should show the local Contacts list on the phone. Some people complain of various bad behavior with Contacts. And my local Contacts app crashes if I try to do a search. Gave all permissions to K-9, rebooted phone, no change.

Joined the test program to see if I can get a beta version of K-9. A day later, Google Play Store entry of K-9 showed I am in the beta program, should get beta next time the app updates. But as far as I can tell, it hasn't updated yet, no way to force it, maybe no beta is available yet.

No master password feature in K-9; once someone logs into the phone, they get full access to all of your email accounts that K-9 is connected to.

Very tricky: options under "..." are different depending on whether you have Unified InBox turned on or off. To add a new email account, you have to have it turned on, I think.

GMail app gives scary warning if you try to disable it, so I left it enabled on the phone.

Play Store and F-Droid versions of app are separate; can't install in one and upgrade in the other.

Release 5.8 in 7/2021: drops WebDAV, now requires Android 5.0 or later.

Evolution email client for Linux

Wikipedia's "GNOME Evolution"
Evolution (Linux GNOME 3 only)
Sync Contacts with Evolution on Linux
Karl Voit's "Moving from Thunderbird to Evolution for Emails and Calendar"
Probably best to use the Flatpak package, to get latest version.

Android client for cloud Calendar, Tasks, and Contacts

I want to just use my email app (K-9 Mail) for these, but K-9 Mail doesn't support these.

I currently use Google Android apps and Google services for these, but I want to get away from Google.

My email service is about to support calendar, not sure about tasks and contacts. Not sure if they will have Android apps.

fruux has an Android app, but version in Play Store is 1.0.4 from 2013.
Simple Mobile Tools has Calendar and Contacts apps for very-cheap.
"Simple Calendar Pro - Events & by Tibor Kaputa" and "Simple Contacts by Tibor Kaputa" are free on F-Droid.
(Beware of lots of fakes on Google Play Store: reddit post)

If you use a local Calendar app, you also need to use something that will sync your local calendar with your cloud calendar:
DAVx5 (paid; €4; does CalDAV and CardDAV)
"DAVx5 by bitfire web engineering" is free on F-Droid.
CalDAV-Sync (paid; €2.5)
There are others, but many have bad reviews or are EOL, be careful.

Apparently, the architecture is:
  • Calendar app (Google Calendar, fruux app, Simple-Calendar, etc) provides a UI
  • Android calendar; provides storage and local API
  • Sync app (Google Calendar, DAVx5, CalDAV-Sync, etc)
  • Internet
  • CalDAV server (Google Calendar server, fruux server, NextCloud, etc)

From dev of Simple Mobile Tools, on reddit 8/2019:
"Contacts can have some glitches that I couldn't reproduce on any of my devices, as the way contacts are stored on Android is a huge mess. It can differ a bit per manufacturer and OS version, I still haven't solved all cases."

1/2020 sent these questions to Simple Mobile Tools, got a response within hours:
I'm thinking of using the Simple-Calendar and Simple-Contacts apps on my Android 6 phone. Am I correct in thinking:

- the purchase price of €0.69 is a one-time price, not monthly or something ? [answer: yes]

- these apps will connect to CalDAV and CardDAV servers ? I don't need to buy an additional app such as DAVx5 to do that ? [answer: you DO have use a "sync adapter" such as DAVx5]

- I use the K-9 Mail app to do email on Android. Will it be able to read contacts from Simple-Contacts ? It can read contacts from Google's Contacts app. [answer: not sure they understood the question]

- I assume I should uninstall the standard Google Contacts and Calendar apps before installing your apps ? [answer: they all can be installed simultaneously, no need to remove old ones first]

I want to remove all the Google apps, but still connect to my Google calendar server:
On my Android phone, I see these packages:

Email Services


  • Commercial "normal" service: GMail, Hotmail, Yahoo Mail, etc.

    Free, essentially unlimited capacity, lots of features such as sorting and mobile apps, added features such as Calendar, reliable, no-hassle.

    But if you move to another service, you have to change your email address everywhere. If you violate a rule, they could turn off your account, little chance of appeal. Usually they harvest your data and sell it, or sell use of it. If it's a minor/free service, they could go out of business and you'd have to change your address everywhere.

  • Your own custom domain on top of a commercial service.

    Solves the "if you move to another service, you have to change your email address everywhere" problem.

  • Commercial encrypted service that handles keys for you: Protonmail, Tutanota/Tuta, etc.

    Base level is free, essentially unlimited capacity, often fewer features than a "normal" service such as GMail, pretty reliable, maybe a few more hassles than with a "normal" service.

    Usually the security is not 100%; if the service wanted to (or was served with a warrant), they could poison your login page and grab your password.

  • Commercial encrypted service where you hold the private key. (article)

    Keys are generated on your client device, then the service gets only the public key.

    You are responsible for backing up and protecting your keys.

  • Client encryption on top of a service:

    For webmail: Mailvelope, FlowCrypt, Psono
    Desktop clients: Thunderbird with Enigmail, Evolution with Seahorse, KMail with Kleopatra.

    Keys are generated, held, and applied only on your client device. The service only sees encrypted messages, and never has the keys.

    You are responsible for backing up and protecting your keys.

    Pretty close to 100% security; to compromise you, the client software (e.g. Mailvelope) would have to conspire with the service (e.g. GMail), or both would have to be served with warrants.

  • Run your own email server (self-hosting):

    See Email self-hosting section, below.

Email self-hosting

Mail-in-a-Box,, Helm, Mailcow-dockerized, etc.

Not a good idea: you'll have to be the administrator, doing tweaking and patching and backups etc. And you'll have to open an incoming port into your home LAN, or use a cloud VPS (better idea). If a home server, costs for electricity, cooling, maybe a UPS, maybe higher service tier with your ISP.

Aint nobody got time for that
Gilles Chehade article
Jake Bauer's "A Month-and-a-Half of Self-Hosted Email"
Guillermo Garron's "How to self host your email server"
The Grumpy Troll's "Small Mailserver Best Current Practices"
Zach Bloomquist's "Reliable, Deliverable, Self-Hosted Email" (Mailu)
Air Information Blog's "Self hosted Email vs Gmail" (Mailu)
j. b. crawford's "diy mail"
reddit post with lots of resources
"The Hostile Email Landscape" (maybe from Jody Ribton)
David Timber's "What to do when Gmail marks all the mails from your server as spam"
Recommendations for software in 2.5 Admins podcast episode 128

From people on reddit:
Hi, sysadmin by day who's done everything from Exchange to the classic Sendmail stack. Running your own email stack is a pain in the *ss. Sure, most of the hard work is in the setup, but it is a lot of work. My personal email is currently on a hosted service.


Never host your own email server, especially if you are not experienced with them.

It is painful, anyone who has managed email servers will tell you to avoid it to all cost. You will have to deal with email blacklist, ip bans, coorporate email servers rejecting you for no reason, cloud providers marking you as spam with no feedback of why or how to solve it, low trust score, etc. You will also have to deal with updating and keeping security patches up to date, but having downtimes in mailservers mean that you will lose any mail that comes during that downtime period.


Nobody that had to deal with blacklisted mailservers, flagged spam IPs and random rejections from spam filters can recommend a regular user to maintain their own mailserver. And imo this goes beyond having the technical skills to do it. While i can maintain my own mail server, i'm a seasoned linux administrator, i use my email account for critical work, i can't stop working to deal with mailserver's nuisances.


I've self-hosted my emails for over a year. And it was nice. I learned a lot, I had fun with it and I was proud to use it. But with time, I also realized managing email servers is a whole job, and a hard one. So hard, that I finally changed a few months ago to a proper email provider who knows what they are doing, it's their job.

Email is a system that was invented in the 70s and not at all with the purpose and usage it has today. The protocols are still mainly the same, but a tons of "extensions, features and options" were added to fit the modern usage. So basically, configuring your emails, is mostly activating option A B and C because you want to be compatible with "modern emails" and deactivating D E and F to avoid problems. But you have to be aware of every little option and the impact it has, is sometimes hard to find. Every time I had to change one option, I broke the server for 2 days and spent a few weeks waiting for someone to tell me they sent an email I didn't receive because my server config was f*cked up and was considered as a illegitimate/spam server. It was painfully stressing. Especially if you are waiting for important emails.

Because, yes the biggest problem, I have encountered so far is that you realize how hyper-dependant you are on your emails. Without them, you might not be able to log into accounts, receive important info, ...

So I would say:

* if you want to play with emails or want to learn how it works in depth, what is SPF, DKIM, DMARC, what are the factors that indicates you are a spam server or not, ... then go for it, setup an email server, tune the config, use it for testings but keep it as a fun learning project.

* if you want to really use emails for important things or online accounts, use an email provider, they will configure it properly, probably better than what you can do yourself and maintain it properly (plus they usually have redundancy, backups, ... that ensure your data is safe and your emails always accessible)


I self-host my own email using It's pretty easy. Doing it yourself by hand is hard, which is what most of the naysayers are talking about.

You do have to worry about your own security, though. Running in the cloud will pretty much be your only option if you don't have a business internet connection at home due to port blocking and global blacklists for residential IPs. Trusting the cloud with your unencrypted communications is generally a bad idea, but you can take matters into your own hands with any provider that gives you console access and custom ISO installation. Vultr has been good to me in this regard.

From /u/xoxorockoutloud123 on reddit 6/2020:
Some thoughts from someone who used to host their own email server at home but switched over to the cloud [O365].

Mailcow and iRedMail are both great solutions if you are really set on hosting your own, but let me try to talk you out of it.

  • Email is critical in many situations as it's frequently another service's only contact method with you.

    • If your email server goes down, don't expect to receive alert emails. Or any emails that may contain important information. Some services will try to resend, but gambling important info on whether or not a third party will try to send again seems foolish.

  • Mail is hard to keep secure and safe.

    • Are you okay with all your previous emails being lost if your system goes down? If not, get ready to have to deal with a solid backup strategy.

    • Are you going to run your own auth back-end? You'll need to keep that safe and you may [depending on if you use a third-party provider here] lose out on MFA or other cool new auth features, such as Yubikey support.

  • Mail spam detection is a b*tch.

    • Are you hosting this at home? Your IP is probably in a spam blacklist. You'll need a third-party mail relay, like SendMail or Mailgun [I use mailgun for internal notification emails] to make sure your emails don't end in spam for literally everyone else.

    • Are you hosting this in a data center? Your IP is probably in a spam blacklist. See above. For example, my colocation server's IP is in the SpamHaus blacklist.

    • Do you want DMARC and DKIM? haha good luck.

  • Third-Party Mail hosting is cheap.

    • If you think getting a service provider for mail hosting is expensive, you are wrong. Zoho Mail offers free email hosting for up to 20 [I think?] users. I've been using them after self-hosting before moving to O365 [a different conversation] and they were great.

    • O365 is cheap too. G-Suite is alright.

  • You get to use more standard WebMail.

    • With O365, you get Outlook. With G-Suite, you get GMail. Both are much more common and standard WebMail interfaces than your usual self-hosting and your users would probably appreciate it.
      (inb4 people say you can self-host Exchange, yes yes, but now you are running Exchange. You don't want to run Exchange.)

  • Critical services give you anxiety.

    • Do you want to sleep soundly at night? Don't run critical services yourself.

    • Do you want users calling you for tech support all the time? Don't run critical services yourself.

If you got this far and still want to roll your own server, well, I like MailCow and Xeams a lot and have run both. If you want to roll a different WebUI, I would recommend RainLoop. It's very pretty and quite customizable.

If you do any "run your own server" things, what happens to them when you die ? Who else and what else depends on those servers ? What is to be done with them ? See "Electronic Assets" section of my "Legal Stuff" page.

Faisal F Rafat's "The 10 Best Linux Anti-Spam Tools and Software in 2020"

If an email domain gets abandoned for some reason, don't leave any web site accounts with dangling references to your old email address on that domain. Some scammer could pick up the domain, establish email service, and now they'd own your address on that domain. Change all of your site accounts to use a new address, don't leave them referencing the old dead address.

Some cases where a domain could get abandoned: you change your personal domain name, or a free/minor email service you use goes out of business.

I don't know what happens if you have a free email account with your ISP, then you cancel service and move to a new ISP. Do they recycle that address after a while, maybe issuing it to a new customer ? I hope not. Same with an account at school or work. If you graduate or quit, does your email address get recycled eventually ?

Test the Spammyness of your Emails

Email service that allows/encourages use through Tor browser: (onion link)
secMail (onion only)

Encrypted Email

"Cryptography turns a security problem into a key management problem."

Features encrypted email should have

  • End-to-end encryption: encrypt/decrypt done as close to the user as possible. Even so, it's still possible for a keylogger or something to grab the plaintext.

  • Encryption code installed once on user's machine, not every time you access email, so it's less likely to be suborned.

  • Encryption keys generated and held by the user: if code from the email provider is used to handle the keys, you can't be certain that the keys are safe.

  • Easy interoperability with other secure-email providers. Today, this is non-existent, to my knowledge. The best that is offered is that a user could extract keys and do PGP themselves.

  • Privacy statement that the email provider keeps no logs, doesn't read messages, etc. But usually they say they WILL cooperate (to the extent possible) with a valid court order.

  • Open-source policy. But this is not an absolute guarantee; how do you know if the source being released is what is actually run by the service, and how well has that source been reviewed ?

  • Located in a country with good privacy laws, and separate from your country. Having multiple jurisdictions makes it harder for someone to track you and serve legal papers to get your data.

  • Zero-knowledge policy on accounts: the provider shouldn't require your real name, address, credit card. Should allow access through a VPN.

PrxBx's "Privacy-Conscious Email Services"

Tutanota/Tuta: has calendar, has free option, no IMAP. review

Hushmail: no free option.

Patrick Lambert's "Email encryption: Using PGP and S/MIME"
Peter Bright and Dan Goodin's "Encrypted e-mail: How much annoyance will you tolerate to keep the NSA away?"
I think S/MIME requires that users have certificates, not keys.
GnuPG's "Web Key Directory (WKD)"

We need transparent encryption of email

I wish some large email provider, such as GMail or Yahoo Mail, would start using end-to-end (client-to-client) encryption routinely, and transparently. When you click the Send button, software (maybe an open-source browser plug-in) looks to see if your recipient has a preferred encryption method and public key registered anywhere (or if one is cached locally, via prior key-exchange). If recipient does, the message gets encrypted (by open-source browser plug-in) via that method before sending. If recipient is not registered anywhere, message goes unencrypted, as usual. Simple ! And now the email provider itself can't read or decrypt the messages, and can't decrypt them for the government.

The company that does this first could seize the mantle of "privacy champion".

They still could do targeted advertising based on keywords: the plug-in that does the encryption first extracts a few keywords, and then passes them on along with the encrypted message.

Searching your messages on the server would be affected; the server wouldn't be able to read the text of the messages. I suppose you could do a search by sending all of the encrypted messages to the client (browser), and decrypting them and doing the search there, but that would be horribly inefficient (but possible). Or search-keywords could be sent to the server along with each encrypted message (compromising security a fair amount, but enabling searching).

Spam-filtering would be affected. If a spammer is willing to look up your public key and encrypt their message to you, it will have to be caught on the client, not the server. That's an issue. Need an open-source spam-filter plug-in or something.

The reason I want an existing large provider to do this, as opposed to new secure-email startups, is that the change by an existing large provider would immediately make encryption easily available to hundreds of millions of existing users. No need for users to change providers, with new UI and new email addresses and having to transfer their contact lists. Most users will NOT move to new secure-email services; we need to get encryption into existing services.

Mailvelope is a bit like what I want, although it's far from as transparent and integrated as what I outlined (which requires changes by Google, Yahoo, etc).

Google and Yahoo were working on a couple of end-to-end things, but as of 2/2017 seem to have dropped their efforts.

This change is happening in the VOIP and IM markets, with WhatsApp and Skype changing to end-to-end encryption.

Once we have end-to-end encrypted message bodies, a few changes could secure the meta-data better. Move the subject line inside the message body before encrypting, and move it back out when decrypting, so all of the servers and middlemen see only a dummy subject line. Encrypt the destination user's email address in some way that the destination server can decrypt, so only the originating client and the destination server and destination client know the full destination address (all other servers and middlemen can see the destination server name, but not the real destination user name). Do same with originating user's email address, in way that only originating server and originating client and destination client can decrypt. Example: a middleman would see "From: 5$33!8* To: 7^h$ Subject: none".

GitHub's "Overview of projects working on next-generation secure email"
Hugo Landau article

PGP encryption

[Independent of email client]

The idea is to write a message in a file, PGP encrypt that file, then send the encrypted file as an attachment to a no-content email message. The message should have placeholders for subject and body, maybe something like subject "encrypted message" and body "download the attached file and decrypt it with PGP". So any MITM or email server sees only "address X is sending something encrypted to address Y at time T".

I don't trust "keyrings" or key-caches such as Seahorse. I want to use dedicated apps or commands where I can see exactly what they're doing.

But even GPG will create a keyring, stored under "$HOME/.gnupg".

PGP is always asymmetric encryption (public key; key pairs) ?

Matt Dizak's "How to Use GnuPG for Encryption on Linux"
Dave McKay's "How to Encrypt and Decrypt Files With GPG on Linux"
Teknikal's_Domain's "PGP (GPG) Explained"
Teknikal's_Domain's "PGP Trust Levels and Signature Types Explained"
askmeaboutlinux's "How to use GNU Privacy Guard / GnuPG / GPG / PGP to encrypt email and data"
Garrit Franke's "A pretty good guide to pretty good privacy"
On Linux, use "kgpg"

Latacora's "Stop Using Encrypted Email"
Latacora's "The PGP Problem"
Moxie Marlinspike's "GPG And Me"
Cheapskate's Guide's "Now I Understand why Almost No One uses Encrypted Email"

# Create keys associated with you:
gpg --expert --full-gen-key
# RSA is default, but ECC is stronger ?
# Select ECC-ECC and Curve 25519 and no expiration.
# You'll set your username and email address.
# You'll set a passphrase to access this key.

gpg --list-keys

gpg --delete-keys UUUUUU
# UUUUUU can be the personal name or the email address.

# Send your public key to recipients, somehow.
# Export public key (to mypub.asc file):
gpg --export --armor UUUUUU >mypub.asc
# Then send mypub.asc to them somehow.

# Send your public key to a key server somewhere:
gpg --fingerprint UUUUUU
gpg --send-keys --keyserver FINGERPRINT

# Import a public key that someone has sent to you:
gpg --import theirpub.asc

# Send a message:
# If signed with your private key, they know it must have come from you.
# If encrypted with their public key, only they can read it.
# How to do both ?
# Use --armor option for ASCII files, leave it off for binary files ?

# How they decrypt it:
# They already have your public key and their private key stored.

GUI app "GPA":
CTemplar's "PGP Encryption: How It Works and How to Install PGP on Linux?"

Proton Mail

Highly recommended by security people: Proton Mail

Eric Mann's "End-to-End Crypto: Secure Email"

But encryption imposes quirks. For example, because the Proton Mail server can't decrypt your messages, it can't do vacation-forwarding or server-based content-based filtering.

From someone on reddit 11/2018:
Gmail is decades ahead of Proton Mail in terms of feature support.
  • really good spam filtering
  • nested labels w/ coloring, multiple star icons
  • multiple inbox support
  • machine learning based importance detection
  • autosuggested replies and autocomplete
  • advanced plugin ecosystem
  • plain HTML fallback version when JS isn't available

12/2018: Some people are having issues because Proton Mail is fairly strict/correct about encryption headers/certs (maybe SPF) on incoming mail from other systems. Partly-bad mail that may be accepted straight into another provider gets bounced, delayed, and re-tried before it makes it into Proton Mail.

From someone on reddit 12/2018:
There is one downside to Proton Mail worth mentioning. They comply with OpenPGP standards so the mail envelope remains stored unencrypted thus allowing search requests on sender, recipients and subjects. But the mail body and attachments are encrypted so forget about webmail search on that content. You'll need an offline copy in a mail client to index and search locally. Unfortunately, the only way to do this with Proton Mail is to use their bridge application. I've tried and tried and it just won't sync an IMAP mailbox with 2GB of mails (less than 20k emails). I've sent logs to their support team without any solution in the end. I monitored the connection and it downloaded over 10GB to sync less than 200MB worth of emails. They throttle the connection or something. It's not easy to debug since everything is encrypted. But that's the point in the first place ...

Don't get me wrong, Proton Mail is great, they have improved impressively in a short amount of time. They now allow the use of personal domains. But are they a suitable main email provider replacement? Not yet in my case. So I stick to FastMail for now which has a web interface much faster and feature full than GMail or Proton Mail. But I must rely on a computer with a mail client to send pgp encrypted emails. And I am super worried about the Australian AA bill. Fastmail is Australian-based and the servers are in the US, so enjoy worldwide mass surveillance. But it's still better than GMail, I believe fastmail will not use my data to train some AI or to profile me to sell advertisers my soul.

On any service where you aren't the sole holder of the keys, there are vulnerabilities:
Wired's "Mr. Robot Uses Proton Mail, But It Still Isn't Fully Secure"
Nadim Kobeissi's "An Analysis of the Proton Mail Cryptographic Architecture" (PDF)

My experience with Proton Mail

I have the free account.

I'm unable to find a single friend or family member who either: uses Proton Mail, or uses an email system/client able to exchange PGP-encrypted email with me.

9/2019: Public PGP keys obtained via Settings / Keys / Export and through API server are different (at least different encoding), and the one from the API server does not work when used by Facebook.

9/2019: Using Proton Mail through Tor Browser is very slow (especially on login) if Tor Browser security level is set to "Safer"; faster if set to "Standard". Someone said that's because "Safer" turns off JIT compiler.

10/2019: After using PM for a year or so, I'm going to move away from it. The encryption is not really doing anything for me, and PM could break it if they really wanted to (by serving a poisoned login page to me). The encryption makes it harder to do IMAP, which I want to do so I can access all my email services in one client (Thunderbird on laptop, K-9 Mail on phone) and while off-line. Encryption where I generate and hold the keys would be more secure than having PM do that for me. And if I change to use my own custom domain for email, I should never have to change email address ever again.

Major unfixed dangerous bug in the bridge, 2021-2022:
Message UIDs are not stable / possible data loss (deletion of wrong messages) #220
Sigma Star's "Our Protonmail Adventure - A Five Act Drama"


It's an email service where you MUST use your own domain name; they provide the server and webmail UI and IMAP/POP3 access.

8/2020: news that free service is being discontinued; now minimum plan will be $19/year.

Drew DeVault's "Email service provider recommendations"

From someone on reddit 2/2021:
"They don't force you to give them your real name or personal info, but there are no anonymous or cash payments. They only process payments via PayPal or Stripe though they claim to not keep any information about you that way."

Need an existing email account somewhere to make an account here. It's used to verify when creating the Migadu account, then used as username. But I think you could close the account later, and Migadu would keep working.

10/2019: Created free account, and immediately have to connect my domain to it. Went to my DNS host (different from my domain registrar), and Migadu site walked me through setting DNS records, although the two systems were different enough to require some work. Got the records changed, went to Migadu and clicked on Verify Configuration, and it says it might take up to a week for the DNS changes to propagate to where it can see them.

Inside Migadu, changed configuration so instead of one mailbox named "admin", I have one named "bill", and then 5 or 6 aliases (including "admin" and a catch-all) pointing to the single "bill" mailbox.

Turned on software TOTP on the account. Added another backup email address in case something goes wrong.

There is no software TOTP available on the webmail login to see your mailbox. Support says: "We don't have 2FA on the mailboxes. While we can limit the webmail, IMAP/POP3 remain completely unprotected with that second factor, as the protocols do not understand it."

No reddit sub for this company, so I created one: /r/Migadu

Also see Migadu blog

About 6 hours after creating the account and making DNS changes, SPF record is reported as okay, but others are incorrect. Eventually contacted Support, and quickly they told me what to change, needed several record values to have "." at the ends, not as specified in the instructions: 'Your DNS is automatically appending the domain name in the end of the hostname. To prevent this, end the hostname with a dot "."' Did that, soon they said all was well. But mail from Proton Mail to my Migadu mailbox (via my domain) still bounces. Tried sending mail from Yahoo Mail, and that works, and I can IMAP in to Migadu and read and delete the message. So Proton Mail must have stale DNS information that will work its way out [correct]. Email from Migadu to Proton Mail works. Sending from GMail to Migadu works.

10/2019: Support says Calendar and other new features coming in a matter of weeks.

A week later, received an email from a Google DMARC service, giving an XML file evaluating my DNS record setup and email traffic to Google. Looks okay to me, but I forwarded it to Migadu to see what they say about it. All good, but I tweaked my DMARC record anyway.

Spam filtering is configurable, with 5 levels.

Useful: Migadu's "Guides"

I'm using unique random usernames in the email addresses I'm giving to most sites, and letting the catch-all redirect the mail into my main mailbox.

Found that some emails come in with no "To" info shown, even in the "Message source", so I can't see what address they were sent to. But the catch-all redirected them into my main mailbox.

Tweaked my DMARC record (on DNS host) to say "ri=864000" (report every 10 days). I was getting a report from GMail just about every day.

Calendar and Contacts

[I'm trying to move all of my calendar and contacts stuff from Google to Migadu, and stop using Google, so some of this information is in that context. Also, I am using latest beta version (80.0b4) of Thunderbird on Ubuntu Linux, and running an old version (6.0) of Android on my smartphone.]

By default there are two Migadu calendars (should be auto-discoverable):

Migadu contacts should be auto-discovered too but here they are:

MAILBOXADDRESS is not your Migadu overall admin account login, it's the address you send email to/from. Something@YOURDOMAINNAME

As far as I know, there is no UI (yet) to access these on the Migadu web site. You have to do everything through CalDAV and CardDAV. Migadu Webmail UI for an email account has a Contacts tab, but that seems unconnected to the CardDAV facility. I see nothing on the Admin panel about contacts or calendar. Nothing on their web site (help, FAQ, guides) about contacts or calendar.

20 Aug 2020: someone on reddit posted this from Support:
"we plan to announce it now in September. We dedicated some time to build also a opensource webmail / calendar client which will be part of the whole offering."

Migadu calendar in Thunderbird:
  1. Exported Google calendar from Thunderbird to ICS file.
  2. Was able to add Migadu calendar to Thunderbird: open Calendar view and right-click for "New Calendar", or do hamburger / New / Calendar.
  3. But can't import events from Thunderbird ICS file into new (Migadu) calendar. Import-all-events gives an error, importing one at a time seems to work, but then no events actually show up.
  4. Manually creating events in the Migadu calendar does work, so I think the problem is with Thunderbird.
  5. Workaround: in Thunderbird, viewing both Google and Migadu calendars together, I was able to cut events from old (Google) calendar and paste them into new (Migadu) calendar.
  6. Once that was done, I removed the Google calendar from Thunderbird.

Migadu calendar on Android:
  1. Installed DAVx5 app.
  2. In DAVx5, click big "+" button to add an "account", which will connect to (Migadu) calendar using URL/acct/password method with URL, acct is MAILBOXADDRESS, password is the password for that email acct. Name of account by default is MAILBOXADDRESS.
  3. In DAVx5, then click on big icon for that account to get into settings for it.
  4. Click on "CalDAV" tab, check box next to "Home" calendar, then click on sync icon in lower-right.
  5. Go to Google Calendar app, click 3-dots icon and then "Calendars to display".
  6. Probably see calendars "PC Sync", "Google", and "Home (MAILBOXADDRESS)".
  7. Un-check the others and check "Home".
  8. Back to main calendar view, and you should see the events in your Migadu calendar.

No longer using Google calendar server, on desktop or phone !
But still using Google Calendar app on phone.

For CardDAV Address Book in Thunderbird:
  1. Added special beta version of add-on from
  2. But I see a note that it stopped working with the 80.0b1 beta of Thunderbird. Version 51.4 in TB 80.0b4 still doesn't work.
  3. A new icon that looks like a person should appear in upper-right next to the normal calendar icon, but I don't see that. Also should be a "CardBook" item in the Tools menu. Or press Ctrl+Shift+B and you should get CardBook instead of the normal Address Book. CardBook manual
  4. Version 91 supposed to support CardDAV.
  5. Clicked on Address Book, saw current address books, clicked on File / New / CardDAV Address Book.
  6. For username, entered main email (account) name.
  7. For location, entered
  8. Give email account password.
  9. See new address book "Family" appear.
  10. Can drag and drop contacts from old address book to new address book "Family".
  11. Seems to be no way to remove address books "Personal Address Book" and "Collected Addresses".
  12. Logged into Migadu webmail, no contacts shown, had to enable CardDAV synchronization and then click "synchronize".

Address Book in Android:
  1. In DAVx5 app, click on big icon for Migadu account to get into settings for it.
  2. Click on "CardDAV" tab, add Contacts permissions if not there already, check box next to "Family" contacts, then click on sync icon in lower-right.
  3. Go to phone's Contacts app.
  4. Click on 3-dots icon, click on "Contacts to display", and you should see about 6 sources, including maybe your Google account, "Phone contact", and "Family (MAILBOXADDRESS vw)" from Migadu. If you choose only "Family", then go back, you will see only one contact in your Migadu address book. Do 3-dots and "Contacts to display" again, set back to "All contacts", see all contacts again.
  5. Do 3-dots and "Import/Export", set From to (in my case) GMail, click Next, set To to "Family", Next, select every contact (one by one), click OK. Now number of contacts displayed will be about doubled, lots of duplicates.
  6. Do 3-dots and "Accounts", click on "Google". You may see two accounts. Click on each account in turn, and turn off contact syncing (and anything else you want to turn off). Back out to main Contacts list, and you should be back to normal number of contacts (not doubled).
  7. I also exported my contacts from Phone to Migadu, there were a couple there I don't want to lose.
  8. Still some duplicate contacts. I'm not sure how Migadu/DAVx5 is interacting with phone and WhatsApp contacts. There's some color-coding, but I don't understand it.

RSS (Really Simple Syndication)

I used Thunderbird for RSS feeds for a while, but dropped it, there just were too many problems.

TB can export all feeds to an OPML file: feeds / Manage Subscriptions / Export / .

Curiositry's "What is RSS?"

Ambarish Kumar's "5 Best Feed Reader Apps for Linux"
Aaron Kili's "14 Best RSS Feed Readers for Linux in 2018"
Swapnil Tirthakar's "10 Best RSS Readers for Ubuntu"

Akregator (KDE application)
RSSOwl (last updated late 2014)
Evolution email application (but the RSS plug-in last updated 2011)
RSS Guard
Feedreader (similar to Akregator, but shortcuts less convenient)

Decided to use Liferea (Linux Feed Reader)

5 Feb 2020 Installed through Mint 19.3 Software Manager; version 1.12.2-1, which seems to date from Jan 2018.

Deleted "Example Feeds" folder and everything in it.
Imported OPML file from Thunderbird.

Go through Tools / Preferences:
Set Feeds / Default Feed Refresh Interval to 1 day.
Enable Browser / Open links in Liferea and Browser / Disable JavaScript.
Enable Privacy / Tell sites I do not want to be tracked.
Set Enclosures / Download using to "uGet" (it's installed in Mint, by default).
Plugins turn off everything except Bold Unread.

No way to set sort order of all feeds in one operation. I want them to sort by date oldest-first; have to change each feed individually. And each feed has two icons in the left pane, a Folder and then a Feed (probably an artifact of importing from Thunderbird), and they have separate sort orders ? You can get rid of the two-icon thing by dragging the inner icon (Feed) out to the top level and then deleting the now-empty Folder. And sorting in oldest-first is a bad idea, because every time you open a feed, the scrollbar will be at the top position.

In a feed, no way to select all or multiple items and operate on them in a batch. But in the left pane, you can right-click on a feed and select "Mark all as read". Or ctrl+R does the same.

In a feed, right-click on an item, and there are no key-shortcuts in the context menu. Ctrl+M to toggle read/unread.

In a feed item, click on Attachments at bottom left and right-click on an attachment and select Save As. See uGet window.

See green "G" icon in system tray.
Right-click on it to see and change uGet settings.
Change to "Quiet" mode (turns off "starting to download" notifications, but not the "done all downloads" notification).
Turn off clipboard monitoring.
But in quiet mode only, if you save the same attachment twice or more, it will download it twice or more, adding ".0" or ".1" etc to the filename each time.

Left-click on the green "G" icon to see the queue of downloaded files.

Was able to add a feed that TB refused to add, but had to leave the https:// off the front of the feed URL.

In fact, moving from Thunderbird's RSS to Liferea fixed almost all of the RSS problems I was having, leaving only one existing problem (three particular feeds broken, all from; added to existing bug report Went from maybe a 12% failure rate to a 3% failure rate. Reported the problems to CBC, they said "we pass Apple's validation, we're not changing anything". (Later someone told me a workaround: source the feed from command "wget --output-document=- --quiet https:....xml")

lwindolf / liferea (code and bug-reporting)
almejo / liferea-snap (snap version)

uGet bug reports
uGet on SourceForge (code)

There is a LOT of logging in the system journal by Liferea.
Do "sudo journalctl | grep liferea"
liferea --help-gtk

4/2020: Installed Ubuntu 20.04, and now Liferea is unable to launch uGet.
In Terminal, I can run "uget-gtk SOMEURL" just fine. Launching Transmission fails in same way. Other download options don't work.
wget --continue --directory-prefix=/home/user1/Videos %s

Removed snap version, installed deb version, it works. Database of what items have been read is in ~/.local/share/liferea, feedlists are in ~/.config/liferea. uGet config is in ~/.config/uGet.

uGet: logs a ton of HTTP transaction info into system journal.

uGet using command "uget-gtk '%s' >/dev/null 2>&1" and variations of that: can't stop the logging into system journal.

aria2c: logs a fair amount into system journal; no GUI. Use command "aria2c -d /home/user1/Videos %s".

SteadyFlow: download folder always gets set back to $HOME/Downloads; not smart about parsing URL to make filename.

kGet: logs a lot of lines into system journal; not smart about parsing URL to make filename.

Transmission: expects torrent file.

Xtreme Download Manager: package "xdman"; dark-mode UI that is hard to read; lots of features I don't want; no CLI, so couldn't get it to work.

wget: no GUI; logs a lot of lines into system journal; not smart about parsing URL to make filename. Use command "wget -nH -P /home/user1/Videos '%s'".

I would think Liferea's --debug-net option is "stuck" in the "on" state, except that the logged lines are quite different for each downloader.

Make a change:
  1. File a bug report or feature request.
  2. Fork the whole original repo on GitHub to make your own repo on GitHub: login to GitHub web site, go to repo, click "fork" button near upper-right.
  3. Create a branch (on project's main page in GitHub, click "Master" pull-down near upper-left, and type new branch's name). Now the pull-down should show the name of your new branch.
  4. From green "Code" pull-down button, get URL of your repo.
  5. On local disk, at CLI, cd to Projects folder, then "git clone".
  6. Cd into the new directory.
  7. Have to "checkout" to the branch on disk ("git checkout issue857").
  8. Do "git status" to see that you're on branch, not master.
  9. Edit files on disk, test, repeat.
  10. To see what you've changed, do "git diff".
  11. Commit and push changed files to the branch as you go along, or after it's all working ("git add FILENAMES" and "git commit -a -m 'whatever'" and "git push -u origin issue857").
  12. Get whole thing into a finished state.
  13. When all changes are done and committed to the branch, open a pull request for the branch: go to issue on original project repo, click on "Pull Requests" in top-center, click on green "New pull request" button on right side, click on link "compare across forks", change "head repository" to your repo on GitHub, change branch to your branch, verify that changes look okay, click green "Create pull request" button, set description and comment (add link to original issue), click green "Create pull request" button.
  14. Go to original issue and add a link to the pull request.
  15. Owner should approve and merge the pull request (the changes), and close the issue.

Tried KDE's Akregator

Version 5.19.3 (21.12.3) on openSUSE Tumbleweed KDE in 4/2022.

UI very similar to that of Liferea.

Doesn't use a separate downloader to download attachments. You just right-click on link and "Save link as ...".

Doesn't allow running a command to get a feed file; Liferea did.

Based on KDE's Akonadi PIM infrastructure. Should work if you install under a DE other than KDE. Doesn't launch Akonadi server unless you use a plug-in that requires it ? "akonadictl status"

Doesn't have a "sort feeds" feature.

Doesn't have a "limit of N items per feed" feature.

Doesn't have a "mark all items in feed as unread" feature.

No way to turn off progress dialog while doing "Save link as ..." to save an enclosure, and no way to turn off the "done" notification when it's done.

Fetching feed gets confused if feed site does something weird with HTTP vs HTTPS. Try changing URL to HTTP.

If fetching a feed fails, the notification for that goes away too quickly to click on or read.

No select-all for items in a feed. Click on first item to select it, scroll to last item, shift-click on last item.

App doesn't remember "which groups were expanded" when quit and then re-launch.

Archiving control is broken; disk space under ~/.local/share/akregator/Archive will grow forever.

Interesting RSS feeds

RSS feed for YouTube playlist that doesn't have a feed icon:
Similar for user and channel:
For channel with URL containing "/c/", use "user=".
Or, do View Source on the YouTube page and search for "rssurl", and use it as a channel ID.

Generate RSS feed for a site that doesn't have one:

Or write your own script to generate an RSS feed file, and host it on your own web site, e.g.: and output rssfeed-salon-science-and-health.xml

Lots of blogs and podcasts, all of which have RSS feeds: FeedSpot

RSS feeds I read/monitor (I skim all the titles every day, but read or listen to maybe 5% of the items): feedlist.opml (feedlist.html; created with Linux script

Jack Evans' "The struggles of building a Feed Reader"

Emperor: let the RSS flow through you

Secure messaging (text, chat, voice, video)

Some people say that internet email fundamentally can not be made very secure, without a significant redesign. So they use non-email messaging.

There is a convergence between text-chat and voice-call and video-call applications. Text-chat applications are adding voice and video, Skype has text, etc.

Justin Carroll pointed out on a podcast:
Many/most IM applications have the bad quality of using your phone number as your userID/username, making it impossible to keep your phone number private, and allowing people to voice-call or SMS you instead of only contacting you inside the IM application, etc. That's unfortunate.
[Some that don't use phone number: Kik, Discord, Threema, Wickr Me, Riot, Wire, Tox ? Telegram requires a phone number to sign up, but then you can run the app on any phone. Discord through browser requires a phone number to sign up if you're using a VPN, but you can sign up non-VPN and no phone, turn on TOTP 2FA, then use it with VPN and no phone.]

You want a service where the user (or the client app) generates and holds the encryption keys. You don't want a server to generate and hold the keys; that would not be end-to-end encrypted, and (with some effort) the service could read your traffic if they wished. Hugo Landau article

Messaging features

  • Person-to-person messaging/chat (only within system, or SMS to any phone).
  • Group messaging/chat/feed.
  • Forum/topic-based posts/comments.

  • Text.
  • Subject line plus text.
  • Images.
  • Audio clips.
  • Video clips.
  • Voice calls (only within system, or to any phone).
  • Video calls.

Group Organization

  • Topic-oriented versus feed.
  • Single-level/sequential/chronological/flat versus multi-level/threaded/conversation/folders/tree.
  • Voting affects order, or not.
For example, the top level of reddit (subs) or Matrix (rooms) is topic-oriented, while the top level of Facebook or Twitter or Discord or email is a feed. Regular chat/Matrix and regular email are single-level; Facebook and Twitter (I think) have one or two levels under each post; reddit has infinite levels under each post.

Mike Crittenden's "If it will matter after today, stop talking about it in a chat room"

The Changelog's "The Hidden Drawbacks of P2P"

Individual messaging services

A selection of services, not all of them.
I probably have some things wrong in here, I haven't tried many of these.
Services where user (or client app) holds the keys: Riot, Element, Signal.

  • Generally one-to-one services:

    • Threema:

    • WhatsApp:

      Biggest user base, but requires phone number, owned by Facebook.
      Dedoimedo's "How to fix and restore WhatsApp from a local backup"

    • green check-mark  Signal:

      Requires phone number.
      UI and features seem identical to those of WhatsApp.
      Easy for a new, non-techie user to get started.
      Has a good desktop app.
      Jan Harasym's "I don't trust Signal"

    • Session:

      Fork of Signal that does not use phone number.

    • Wire:

      Doesn't use phone number.
      Allows multiple accounts on one device.
      A little harder for a new, non-techie user to get started.

    • Status:

      Doesn't use phone number.

    • SimpleX:

      Doesn't use phone number.

    • Skype:

      Available through Mint's Software Manager; use the native version, not the Flatpak version.
      Useful for making cheap international voice-calls to phones in other countries, or making free voice/video/text/filesharing calls to other Skype computers anywhere.

      Or you could use a browser and go to, but apparently this only works in Chrome browser (or Firefox with user-agent changed to Chrome ?). Does not accept ungoogled-chromium.

      Or you could use a browser add-on for Firefox (but tried 3 or 4 of most-popular in 1/2020 with FF 71, and they all failed).

    • Rocket.Chat:

    • Delta Chat:

      Delta Chat
      Looks like chat but actually uses email underneath.
      Teknikal's_Domain's "Delta Chat: Instant Messaging Using ... Email?"

    • Mysudo:

      No desktop app.

  • Generally many-to-many services:

Don't just start using a service and assume it's totally secure by default. Go through all the account settings and maybe dial them down tighter.

Ioana Rijnetu's "The Best Encrypted Messaging Apps You Should Use Today"
David Nield's "Best encrypted messaging apps 2019 for Android"
Mike Kuketz's Messenger matrix
Micah Lee's "Battle of the Secure Messaging Apps: How Signal Beats WhatsApp"
Thorin Klosowski's "Secure Messaging App Showdown: WhatsApp vs. Signal"
Drew DeVault's "I don't trust Signal"
Cecilia Boschini's "The Secure Messaging App Conundrum: Signal vs. Telegram"
InfoSec Handbook's "Our experience with the Fediverse, and why we left"

My sense so far: find content or people you want, and then use whatever service they are on. Part of my family is on WhatsApp, and it turns out there are advantages to using WhatsApp in the desktop browser instead of phone app (cut and paste, access to photos on hard disk).

Single-service client apps


Client apps that present many services in same UI

Some of these may just provide a way to collect pages/tabs and do notifications and such, without really providing a unified UI.

Thunderbird 73 only supports IRC and XMPP and a couple others. (WhatsApp, Skype and others use forms of XMPP, but I don't think that means TB supports them.)

Franz (free for maximum of 3 services; free doesn't allow VPN ?)
Franz list of supported services
Ambarish Kumar's "Franz Combines all Your Messaging Apps in a Single Application"

Ferdi (dead 4/2022 ? fork of Franz; removes the limits, adds features)


sivaramsi / manageyum (last update 6/2017)

All-in-One Messenger (a Chrome browser app; Signal not supported ?)

My experience with Ferdi 4/2020:
I'm running Mint 19.3 with 5.3 kernel.
Version of Ferdi in Mint's Software Manager is a Flatpak.
I downloaded the 5.4.3 DEB file from Ferdi.
"Ferdi currently supports Slack, WhatsApp, WeChat, HipChat, Facebook Messenger, Telegram, Google Hangouts, GroupMe, Skype and many more."

Did "sudo apt install ferdi_5.4.3_amd64.deb", got apt-daemon error; my system has a problem.
Did "sudo dpkg -i ferdi_5.4.3_amd64.deb", succeeded.
Launched Ferdi from Start menu, and it came up okay.

You can use a Ferdi account to sync your services between devices, or use Ferdi without an account so your data doesn't get sent to external servers. I chose without-account.

You want to "discover services", not "search for services". The latter searches among services you've already added to the app.

I added service "Discord", for which I already have an account. Discord web page appeared inside a Ferdi frame, I logged in, seems normal (maybe even better than in browser, I was seeing some refresh issues in browser). Not sure that Ferdi is adding anything useful here. Looks like it can pipe notifications into the desktop notification mechanism, and you could get notifications from N different services in one place.

Quit Ferdi and then re-launched it, and it automatically re-opened Discord and I was still logged in. I think if I'd stayed out of Ferdi long enough, it would close services and I'd have to log in again. but that is "service hibernation", and in Settings I have it turned off. Why does it work ? [Later I did turn it on.]

I added service "WhatsApp", for which I already have an account. Had to log in by using phone to take a picture of a QR code, as usual for WhatApp Web.

I added service "WhatsApp", for which I already have an account. Used server

Could add services for GMail, Proton Mail, Google Calendar. But I already have those in other clients.

With 3 services open, Ferdi is running as 11 processes occupying more than 700 MB of RAM ! A few hours later, with 4 services, there are 12 processes taking about 830 MB of RAM. A few more hours later, over 950 MB.

After shutting down the system overnight, Ferdi was able to reconnect to Discord, Riot and WhatsApp automatically. Had to give the login info for Protonmail to reconnect to it. And soon it's using over 750 MB of RAM. Eight hours later, down to 450 MB or so, but a couple of the services had closed. After re-opening them, back up to 850 or so.

Ferdi on GitHub

Video/Audio Conferencing/Streaming

Palantir from LOTR


Topic-based Forums

Generally these don't have secure messaging as a key feature.


Browser add-ons that do non-standard encryption (other end has to use same software, or click on a link):
SafeGmail (GMail only; Chrome only) (Chrome add-on, or client app; encrypt/decrypt blocks of text in any web page)

In your email client, if possible, turn off automatic display of HTML, images, and JavaScript. It's dangerous to let some random person send you a piece of software that executes in your client. It's JavaScript