Buy a domain name through a registrar such as Hover
Buy email service (I like Migadu,
but they don't have a phone app, I think) that allows/requires use of a custom domain,
and allows wildcarding or infinite email addresses. Decide if IMAP access is important to
you (see next step), because some services don't have IMAP or make it hard.
Decide if you want to access the email through their custom phone-app, their webmail client,
or through a generic desktop client (e.g. Thunderbird)
and generic phone client (e.g. K-9 Mail)
using IMAP. Advantage of the generic clients is that you can access email accounts from multiple services
(plus calendar and address book and RSS and maybe some chat) in one app.
Start using a password manager (e.g. KeePass), if you aren't already, so you can track all your accounts
and what email address you've used with each.
Slowly change all of your online accounts from old email address(es) to new email addresses.
It will take a long time to get them all switched over. I feel you never can delete the old email account(s):
stray messages will keep popping up there even years later, and you may have set them as recovery
addresses on various accounts.
I'm ending up on Hover, Migadu, Thunderbird on Linux, K9-Mail on Android,
KeePassXC on Linux, Keepass2Android Offline on Android, after trying a bunch of services and apps.
But your needs and choices may differ.
Email client application vs. browser:
Also called "desktop" vs. "webmail".
A desktop / client application (such as Thunderbird) is better:
If you're dealing with multiple email accounts.
If you get a LOT of email.
If you keep a LOT of email in your email folders.
If you're dealing with email accounts on multiple services (browser UI for each will be different).
Easier to create filters/rules ?
Probably can apply same filter/processing rules to multiple accounts.
Probably can move messages from multiple accounts into same folder.
Probably can have messages from multiple accounts feed into a single calendar.
Probably can search across multiple accounts.
Easier to apply PGP to messages ?
Can do email work while offline.
Maybe better notifications, or integration with OS notification mechanism.
Additional features such as handling RSS feeds and calendar.
Keeps your Contact list private ?
You don't lose Contact list if the service terminates your account.
If using POP3 (keeping messages in client), you can (have to) back up your own messages, and you can restore as needed.
If using POP3 (keeping messages in client), if a hacker breaches the service, they won't get all your old messages.
Webmail / browser is better:
If you need to access email on public devices, or devices where you can't install a client app.
Some email services may not support IMAP or POP3, or may charge money for it.
Takes less space on disk, especially if you're saving many old messages with big attachments.
Takes less space in RAM, since you'll be running one app (browser) instead of two (browser and email client).
Doesn't require a "bridge" or other connector for encrypted email services (ProtonMail).
Don't have to know how to set up IMAP/POP/SMTP access.
Simpler UI, not cluttered with fancy features you don't use.
Service handles backup of your messages (but probably doesn't offer any restore feature, if you
screw up and delete something you didn't want to).
Some services (GMail) include features such as calendar-sharing that you won't get with a client application ?
Don't have to worry about a hacker breaching your desktop machine and getting all your old messages (compared to using POP3 with a client app).
Some security guys say it's safer to use browser-based email instead of a client application (such as Thunderbird).
The browser is somewhat of a sandbox, and highly tested, and you need it for other reasons too.
A mail client application is an additional complex piece of software that possibly is less secure.
Same cautions apply to email application and browser: keep it updated; using more plug-ins increases
attack surface and risk of bugs/vulnerabilities.
But, Thunderbird and Firefox both are made by Mozilla, so maybe Thunderbird is pretty secure.
With a client app, use IMAP or POP3 to connect to the server.
POP3 requires all messages to be downloaded to the client, so you can't have multiple clients
(e.g. laptop and phone) accessing the same messages.
FairEmail (open-source and privacy-focused; PGP; 6.5 MB).
Other client apps such as GMail can do IMAP to multiple services, not just their "home" service.
I dropped some other apps out of the list because they send email through their own servers,
or no new release in a long time, or ads.
Every single email app in the Google Play Store, it seems, has some reviews saying "best ever, works perfectly"
and other reviews saying "flaky, was good but no more, drops messages, etc".
From someone on reddit 10/2019:
The main problem with BlueMail, TypeApp, Edison, Spark, Newton, and Outlook, is that they use their own servers
to access your email. They act as an intermediary between you and your email provider, so they have access
to your email contents and/or metadata. This is not good from a privacy standpoint.
Apps such as Nine, Aquamail, Maildroid, K-9, and FairEmail access your email provider directly without
using any 3rd-party servers, so they are preferable from a privacy standpoint.
Get your own custom domain, and use it as your email address, but actually
use a commercial service to host the email. You can do this with ProtonMail (paid) and
other services. That way, if later you decide to change services, your email address doesn't change.
But it's a little odd from a privacy point of view. An email address such as "RANDOMCHARS@YOURNAME.me"
isn't hiding your name or identity from anyone; an address such as "RANDOMCHARS@protonmail.com" does hide your name.
Another downside: after you die, if your domain registration lapses, someone malicious could take over
the domain, create their own email addresses to match yours, and attack your other accounts.
A custom email domain may be easier for some attacker to
exploit. If you just use GMail, you're relying on GMail's admins not to get fooled into doing an
attacker's bidding, and relying on GMail's domain registration and DNS and mail servers to be solid.
If you use your own domain, you're relying on the admins of your domain registrar, DNS service, and mail
service not to get fooled. Most likely, Google's setup is safer than your setup.
One huge advantage of a custom email domain: for sites that force you to use email address
as login username, now you can have a unique email address for each site.
Make an email address such as "fb9999@MYDOMAIN" to use as your login for Facebook, and
don't use that address anywhere else. Makes it harder for an attacker to trace you
across sites, and figure out your login username for each site.
So, I would like to find an email service that is:
Free or very cheap.
Supports POP3 and IMAP.
Allows use of a custom domain.
Provided by some privacy-respecting company (not Google, Facebook, etc).
Not tied to something else I use (domain registrar, web hosting service, browser mfr, etc).
The service I chose (Migadu) lets me use unlimited addresses, with a catch-all that
feeds them into one mailbox. So I can use a different email address on every site,
without using funny chars such as "+" in the name. Have to use a password manager to
keep track of all of them.
Other services also support aliases, usually with some special format such as "firstname.lastname@example.org".
Maybe it's fairly easy for spammers to see that it's an alias, and strip off the "+extrastuff".
Tricky: check to see if your service will let you reply properly to an email that came in to an alias
address; the "from" address of the reply should be your alias address, not your real mailbox address.
I think many services do this properly.
Tricky: check to see if your service will let you originate an email from an alias
address; the "from" address of the reply should be your alias address, not your real mailbox address.
I think many services DON'T do this properly.
DNS and MX and SPF and DKIM and DMARC:
Once you have an email service, you have to set your domain's DNS records to point to the email server (MX records)
and control how email is handled (DKIM, SPF, DMARC records).
The service should have Help pages that direct you through the process.
Your DNS service may also have Help pages or web forms to help you.
The two may not quite match, so you might have to figure out a few things.
SPF and DKIM and DMARC:
These are DNS records that the receiver of a message supposedly from this domain can use to check the message.
SPF (Sender Policy Framework): specify mail servers this domain will be sending mail from.
DKIM (DomainKeys Identified Mail): crypto keys to sign critical parts of the message before sending.
DMARC (Domain-based Message Authentication, Reporting and Conformance): specify whether SPF/DKIM/both are
being used, and how failures should be handled.
dmarcian's "DMARC Record Wizard" (create DMARC record)
The DMARC record I started with contained
After everything worked for a while, I changed to
"v=DMARC1; p=quarantine; rua=mailto:MYADDRESS; ruf=mailto:MYADDRESS;".
Later changed to
"v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;pct=100;fo=1;rf=afrf;ri=345600;rua=mailto:DMARCIANADDRESS;ruf=mailto:MYADDRESS" (strict everything).
dmarcian's "DMARC Inspector" (evaluate existing DMARC record)
Your DNS changes may take hours or days to be visible to other services,
depending on the TTL settings on your previous DNS records.
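As an added example (not code from the page's author or from dmarcian), here is a small Python model of how a receiving server reads a DMARC record and applies the policy and alignment tags described above; the two records are the ones from these notes with the mailto targets left as placeholders, and the domain names and the two-label organizational-domain shortcut are assumptions.

```python
"""Parse a DMARC record and evaluate one message against it.

Added example, not code from the page's author or from dmarcian. The two
records below are the ones from these notes (mailto targets left as the
page's placeholders); mydomain.example is a constructed domain, and the
organizational-domain check is a two-label shortcut standing in for the
Public Suffix List that real receivers use.
"""

QUARANTINE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:MYADDRESS; ruf=mailto:MYADDRESS;"
STRICT_RECORD = ("v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;pct=100;fo=1;rf=afrf;"
                 "ri=345600;rua=mailto:DMARCIANADDRESS;ruf=mailto:MYADDRESS")

# RFC 7489 defaults for tags a record may omit.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict and fill in defaults.

    Raises ValueError for records a receiver would ignore: v=DMARC1 missing
    or not first, p= missing or invalid, or a tag without '='.
    """
    pairs = [p.strip() for p in record.split(";") if p.strip()]
    tags = {}
    for pair in pairs:
        if "=" not in pair:
            raise ValueError("malformed tag: %r" % pair)
        key, value = pair.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not pairs or not pairs[0].lower().startswith("v=") or tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the main policy
    return tags


def org_domain(domain):
    """Organizational domain as the last two labels (simplification; receivers use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """Identifier alignment: 's' needs an exact match with the From: domain,
    'r' only a shared organizational domain."""
    if auth_domain is None:
        return False
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def evaluate(tags, policy_domain, header_from, spf_pass_domain=None, dkim_pass_domains=()):
    """Return (dmarc_pass, disposition) for one message.

    spf_pass_domain: the MAIL FROM domain if SPF passed, else None.
    dkim_pass_domains: d= values of DKIM signatures that verified.
    A pass yields disposition 'none' (deliver); a failure yields p=, or sp=
    when the From: domain is a subdomain of the domain that published the
    record. pct= sampling is not modelled (the record above uses pct=100).
    """
    spf_ok = aligned(spf_pass_domain, header_from, tags["aspf"])
    dkim_ok = any(aligned(d, header_from, tags["adkim"]) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return True, "none"
    is_subdomain = header_from.lower() != policy_domain.lower()
    return False, tags["sp"] if is_subdomain else tags["p"]


if __name__ == "__main__":
    strict = parse_dmarc(STRICT_RECORD)
    # Mail whose bounce address is on a subdomain passes relaxed but fails strict SPF alignment.
    print(evaluate(strict, "mydomain.example", "mydomain.example",
                   spf_pass_domain="bounce.mydomain.example"))  # (False, 'reject')
    print(evaluate(parse_dmarc(QUARANTINE_RECORD), "mydomain.example",
                   "mydomain.example", spf_pass_domain="bounce.mydomain.example"))  # (True, 'none')
```

The subdomain case is the one that bites when moving to adkim=s/aspf=s: any legitimate sender using a bounce address or DKIM d= on a subdomain starts failing.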
Despite setting "ri" to "" in my DMARC records, big services were sending aggregate reports
every 1 to 6 days. Instead of handling them yourself, sign up for a free service such as:
dmarcian
DMARC Analyzer (the "freemium" plan)
Mailhardener
Report URI
I created a free account with dmarcian, changed RUA in DMARC record to use a custom email address from dmarcian.
They also force you to change your policy to "reject". But I find their dashboard hard to understand.
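What those aggregate reports contain, and why handling them yourself is work: an added Python example (not the page's code, nor any of the services named above) that parses an RFC 7489 aggregate report and sorts each sending source into aligned passes, unaligned passes and unauthenticated mail. The report XML, reporter name, IPs and domains are constructed.

```python
"""Summarize a DMARC aggregate (rua) report.

Added example, not code from the page's author or from any report service.
SAMPLE_REPORT is a constructed report in the RFC 7489 aggregate format;
the reporter, domains and IPs are documentation/placeholder values.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>big-mailbox-provider.example</org_name>
    <report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>mydomain.example</domain><adkim>s</adkim><aspf>s</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.example</header_from></identifiers>
    <auth_results><dkim><domain>mydomain.example</domain><result>pass</result></dkim>
      <spf><domain>mydomain.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>4</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.example</header_from></identifiers>
    <auth_results><spf><domain>bounce.mydomain.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.example</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(elem, path, default=""):
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else default


def summarize_report(xml_text):
    """Return per-source rows plus totals, separating the two failure kinds.

    'unaligned': SPF or DKIM raw-passed for some domain, but not one aligned
    with the From: domain (typically your own mail via a subdomain or a
    third-party mailer; strict adkim/aspf rejects it).
    'unauthenticated': nothing passed; either spoofing or a sender you
    forgot to authorise in SPF/DKIM.
    """
    # Reports come from third parties; in production parse with defusedxml rather than ET.
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": _text(root, "report_metadata/org_name"),
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "rows": [],
        "totals": {"pass": 0, "unaligned": 0, "unauthenticated": 0},
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        raw_passes = [_text(r, "domain") for r in rec.findall("auth_results/*")
                      if _text(r, "result") == "pass"]
        entry = {
            "source_ip": _text(row, "source_ip"),
            "count": int(_text(row, "count", "0")),
            "disposition": _text(evaluated, "disposition"),
            "dkim": _text(evaluated, "dkim"),
            "spf": _text(evaluated, "spf"),
            "header_from": _text(rec, "identifiers/header_from"),
            "raw_pass_domains": raw_passes,
        }
        if entry["dkim"] == "pass" or entry["spf"] == "pass":
            entry["verdict"] = "pass"
        elif raw_passes:
            entry["verdict"] = "unaligned"
        else:
            entry["verdict"] = "unauthenticated"
        summary["totals"][entry["verdict"]] += entry["count"]
        summary["rows"].append(entry)
    return summary


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print("report from %s for %s (p=%s)" % (s["reporter"], s["domain"], s["policy"]))
    for r in s["rows"]:
        print("%-15s %4d %-10s %s" % (r["source_ip"], r["count"], r["disposition"], r["verdict"]))
    print("totals:", s["totals"])
```

Real reports arrive as gzip or zip attachments, one per reporting provider per day, so a mailbox-side script also has to unpack them and deduplicate by report_id before this step.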
Some people use their email account (or worse, chat account) as their database,
accumulating years of important messages and
documents/images that they store only in that account, searching them and accessing them from
This is a VERY bad idea:
The data is on someone else's server (giving them some legal rights to access the data,
and running the risk that they could turn off your account or go out of business or change the rules).
Searching and organizing and accessing the data is kind of awkward.
Critical data is mixed in with transient data and spam.
Exporting the whole thing to somewhere else if you change email service or address is an enormous pain.
Backup and restore is out of your control.
You have to have internet access to read your documents.
Get the data out onto your local hard disk, well-organized into folders with good folder names and file names.
Try to keep your email account close to empty (very hard, I know).
[WARNING: 9/2019 Thunderbird is going through major
changes from versions 60 to 68 to 70. Lots of add-ons not working, lots of error messages
in the add-on debug window. Many of the docs have not been updated to version 60, much less 68 or 70.]
Installed 9/2019 in Linux Mint, from Mint's Software Manager, but it's version 60.8, and web site has 68.1.
Removed it and installed from web site. But apparently 60 and 68 are sequential releases;
they skipped the numbers between ? And 68 is a major change; supports only WebExtensions, and much more.
Installed it as root into /opt. Created a launcher on the Mint desktop
to /opt/thunderbird/thunderbird. It saves config info under ~/.thunderbird.
Smooth integration with Yahoo Mail (free)
and GMail (with 2FA; had to "allow less-secure apps" in GMail account, and/or generate
an app-specific password ?).
Chose IMAP (leave messages on server), so I can still use client apps on my smartphone.
To use with ProtonMail, have to have a paid PM account, and install ProtonMail Bridge
on your computer to provide IMAP.
No way to connect to WhatsApp.
SMTP connection to Yahoo Mail seems unreliable, or doesn't like a different reply-to address, not sure.
Default port is 465, other is 587. Switch from 465 to 587 and back, then it worked.
Advanced configuration: hamburger icon in upper-right / Preferences / Preferences
/ General tab / Config Editor button in lower-right.
To stop Thunderbird from automatically opening next message after you delete current
message: use "Config Editor" and set "mail.close_message_window.on_delete" to true.
Thunderbird has an Import function (messages, settings, etc) but no Export function !
Thunderbird stores digital certificates, just as browsers do. I installed a personal
certificate, and right away Yahoo Mail wanted to use it for OAuth. But YM works whether or not
you let it use the certificate.
Deleting an account from Thunderbird:
"If the account is IMAP, removing the account from TB doesn't affect the status of the account
with the email service or the messages that are on the IMAP server. If it's POP and the
downloaded messages are only on the local computer, not on the mail server, copy the mail
to a subfolder of Local Folders, then remove the account. That also doesn't affect the
online account or any mail left on the server. Remove accounts from Account Actions in Tools / Account Settings."
Fortunately I already had GnuPG installed, and I installed the EnigMail extension in Thunderbird.
Went to hamburger icon / EnigMail / Key Management,
added my ProtonMail public key to Thunderbird.
Highlighted the key, clicked on File / Compose Email to Selected Keys,
sent encrypted mail from my GMail account to my ProtonMail account,
it worked. Clicked "Trust Key" in ProtonMail, which is telling PM to trust the public key Thunderbird has generated for
my GMail account, apparently. Sent encrypted email from ProtonMail to GMail, it worked. No indication
in Thunderbird that the message is encrypted, but View Source shows that it is.
Used GMail app on phone to view the message, and it shows as encrypted, and the app
doesn't have the key needed to decrypt it.
Sending a PGP-encrypted message through Yahoo Mail (free) seems to fail;
keep getting an SMTP/mailbox error.
> Was sent an encryption key to encrypt my emails through engimail.
> Having trouble figuring out how to use it using online resources.
You should have the key you got sent in a file, whether you copied-pasted it from the message body or saved it as an attachment.
In the Enigmail menu at the top of Thunderbird:
Enigmail / Key Management
File / Import keys from file
Then select the file containing the key.
It will prompt you to confirm that you want to import the key.
The key is now on your keyring and ready for use.
To use the key to encrypt a message to the recipient:
Create a new message the standard way, with the Write option at the top left of Thunderbird.
Type your message and fill out the To: and Subject: fields normally.
At the top of the Message window, select Enigmail / Encrypt Message (or make sure it is already checked).
One of two things will happen when you click send. If the e-mail address you're sending to corresponds to
the mail address specified in the key it should automatically encrypt when it sends.
Otherwise at this point it will pop up a box saying "Enigmail Key Selection" and you will select the
key you want to encrypt the message with (i.e., the one you just imported to your keyring.)
When you have done that, click Send.
You can confirm the message was encrypted by going into your Sent mail folder. If you then open the message
you just sent and it pops up a "Please enter the passphrase to unlock the OpenPGP secret key" pinentry box,
you've succeeded. It's doing this because when you encrypt with someone else's public key, even you can't
read the text unless you yourself have the secret key, which you almost certainly do not
(unless you are writing a message to yourself). This is just telling you, "This is encrypted and if
you want to decrypt it, you need the secret key and its passphrase."
The important thing to understand here is two keys are involved:
- A public key, which is the one you should have been sent, or which you send to others, and publish widely.
This can only ever be used to encrypt. It cannot be used to decrypt.
- A private key, which you always keep private, and is associated with your public key.
People who send you public keys also have a corresponding private key they never share. This can only be used to decrypt.
Thunderbird can require a master password to open the application,
can store the password for each of your email accounts and login automatically,
and can save cookies for each email account. It saves config and mailbox
under ~/.thunderbird in Linux. What's the best way to secure all of this info ?
In my browser, I don't use a master password, let it store passwords, or save cookies.
But for Thunderbird, auto-connecting to mailboxes requires saving the passwords,
so I'm using a master password and letting it store the passwords.
Connecting Thunderbird to read/write Linux local CLI mail:
In Thunderbird, go to hamburger icon / New / Other Accounts.
Choose "Unix Mailspool".
Use email address user1@laptop1.
See dialog about Outgoing Server Information.
Use account name user1@laptop1.
Click Finish to create the account.
Find account "user1@laptop1" in the left-hand panel and highlight the Inbox for it.
Test by going to CLI and:
mail -s "subject1" user1 </etc/group
Then in Thunderbird click the "Get Messages" button in upper-left.
The "check server every 10 minutes" setting seems not to work;
new messages appear only when I click the "Get Messages" button.
To be able to send messages to local mail:
Don't see how to add a new SMTP server.
How to get Thunderbird to use 24-hour time format ?
On Linux, ran "sudo update-locale LC_TIME=en_DK.UTF-8" to affect /etc/default/locale, didn't change TB.
use a dconf-editor on org.gnome.desktop.interface.clock-format
Changed desktop launcher from "/opt/thunderbird/thunderbird" to
"env LC_TIME=en_DK.utf8 /opt/thunderbird/thunderbird" and it seems to have worked.
Maybe a Linux Mint bug ? Although I think the problem has been seen on other distros.
"Although the names of the days and months are localized according to the LC_TIME environment variable,
we were fetching the format itself using gettext according to the desktop's language.
We will get this fixed in Cinnamon and in MATE for 19.3." from
If you want to connect to a calendar server, need a server that supports the
Popular/standard (developed by Mozilla) TB add-on for calendar is called "Lightning".
iCalendar (ICS) will give read-only access; use CalDAV.
I just have my personal calendar, and only I connect to it. Things may get more
complicated if you want to share your calendar with other people, and access their
calendars. I don't know.
YOURUSERNAME is your email address without the "@yahoo.com".
Easiest if your "calendar name" in Yahoo Calendar has no spaces in it.
Create a single event in Yahoo Calendar, it is displayed correctly in Thunderbird.
Create a repeating event in Yahoo Calendar, it is not displayed at all in Thunderbird ?!
CalDAV to synchronize calendar (and tasks), CardDAV to synchronize contacts.
Apparently the apps are divided into calendar-displaying apps, and calendar-synchronizing apps.
You probably already have one of the former, and you need to add one of the latter.
Had to go into my Yahoo account and turn on "Allow apps that use less secure sign in".
Open Sync by Deepen Dhulla. Worked right away, given my Yahoo email address and password,
it showed my calendar name. But then the default Google Calendar app in the phone sees
the account from OpenSync but says "no calendar".
Installed "Simple Calendar - Event & Reminders" app by Simple Mobile Tools.
But it doesn't see the Yahoo account at all.
Installed "One Calendar" app by Code Spark. Tried to connect, couldn't,
looked at Help, and it says "OneCalendar can't connect to Yahoo because they don't support
WebDAV Collection Synchronization".
You need to get an ICS file. If you have an URL such as
change the "webcal" to "http" and copy the URL into Firefox's address bar.
It will ask you what to do with the ICS file. Save it to disk.
Then go into Thunderbird and do Hamburger / Events and Tasks / Import...
and select the ICS file. Choose what calendar to import it into.
For me, importing into Google calendar did not work (did nothing). Importing into Home
calendar did work (gave success message, reminders appeared, events appear in the calendar).
Confusing: my phone's Contacts app shows some contacts, and says it syncs with my
GMail account, but Contacts in GMail shows no contacts from the phone. Went into
phone's Contacts app and did export from phone to Google.
The real problem I'm trying to fix is that K-9 Mail's "Add from Contacts" menu item sees
no contacts. I think it's looking in Google's contacts, not the phone's contacts,
and the two are not synced ? Or maybe it's looking in Yahoo's contacts ? If I go to Google Contacts on
desktop and create a contact there, it shows up on phone and in K-9 Mail.
Finally fixed things by: going into my Yahoo Contacts on desktop, exporting to CSV, going to
Google Contacts on desktop and importing CSV. Got things straightened out there, then deleted all
contacts from Yahoo. Google Contacts have been synced to Contacts app on phone, and K-9 Mail sees them.
Manually copied a few extra items from phone's Contacts to Google Contacts on desktop.
In Google Contacts on desktop, got rid of items in "Other Contacts", then used "Duplicates" to merge
any duplicates. Then exported to CSV file (Google CSV format) to have a backup.
Looks like Thunderbird doesn't have the capability of syncing to a Contacts server.
Maybe there are extensions ?
https://webdav.io/carddav-thunderbird/
gContactSync extension (syncs contacts and groups between TB and Google Contacts)
In Thunderbird, was able (with some difficulty) to import the CSV file. But it contains duplicates,
and lost phone number country-codes.
In TB, if you want to send a message: open the address book, right-click
on a contact to send to, and select Write. A Compose dialog will open, To: will be set properly,
and then you can set the From: mailbox as you wish.
If you get stuck in "authentication failure" with GMail and Yahoo
(usually most persistent after changing the account's password):
I've been able to reliably fix it by going into the server settings of each email account
and switching the "authentication method" from whatever it needs to be to "normal password".
Then closing Thunderbird, opening it again. Letting it do all the checking of my addresses,
and then changing the "authentication method" back to OAuth2.
I'm sure there are many people who this won't work for, but for someone who has never
been able to reliably stop my GMail from giving me all types of IMAP problems, this has been a good find.
# quit out of Thunderbird app
# move the downloaded tarball to /opt and replace the old install with the new one
mv thunderbird-*.bz2 /opt && cd /opt
rm -fr thunderbird
tar xvjf thunderbird-*.bz2
# the profile (accounts, mail, add-ons) lives under ~/.thunderbird, so it is not touched
With 70.0b2, Enigmail extension got disabled.
Thunderbird's setup process is very intelligently done.
But I've noticed that feeds behave in two ways (some quirk of the servers, I think):
In some feeds, you can delete messages as you read them (or want to ignore them), and
they never will come back, only new messages will appear.
In other feeds, if you delete messages, they ALL will come back again the next time
the feed is updated. To avoid this, you have to "mark as read" instead of deleting messages.
In some audio feeds, the audio starts auto-playing when you open the message, and
there's no setting in TB to stop it.
Went into Preferences/Preferences/ConfigEditor and set "rss.display.prefer_plaintext" to true,
later set "rss.display.disallow_mime_handlers" to 1. Neither stopped the playing.
And I just cannot get about 10% of my RSS feeds to work. They just never show new items.
I can go to the feed web page and see there are new items. If I delete the feed from TB
and add it again usually the new items will appear. But then next time there is a new
item, it doesn't appear.
Feeds from megaphone.fm can't be added to TB (as of 2/2020); they fail validation.
Megaphone.fm says they pass validation in podba.se, which is Apple's recommended validator,
so they're not going to fix their feeds. In fact, they say some of the other validators
are reporting some bogus errors.
It's not clear how much TB's master password protects your data. I think it protects
server connection (login) info and certificates ? But it doesn't protect any
mail held locally on your machine.
For example, on my Linux machine, file
contains my local email messages in plaintext.
contains the URLs and names and connection info for my mailboxes and calendar on various services.
But I don't see any passwords in plaintext, anywhere in the files in the profile directory
(I assume they're in an encrypted sqlite database).
So, to protect that data at rest, you could use disk/partition/container
encryption, and have that profile in the encrypted space. Use LUKS or Veracrypt or something.
Doesn't support calendar or tasks. Will read contacts from Contacts app on phone.
K-9 Mail has an "import settings" feature, but that's only for importing a file exported
from another installation of K-9 Mail.
OpenKeychain supports creating a key, importing a key, or using a hardware token.
In K-9, went into Settings / Global Settings / Cryptography and selected OpenKeychain as
the cryptography app.
Setting up Yahoo Mail account in K-9: have to choose Manual setup.
IMAP server is imap.mail.yahoo.com security SSL/TLS port 993 authentication "normal password".
But can't get it to work. K-9 doesn't support OAuth2 authentication, and Yahoo requires it ?
Had to go into my Yahoo account and turn on "Allow apps that use less secure sign in".
Then got through IMAP.
SMTP server is smtp.mail.yahoo.com security SSL/TLS port 465 authentication "normal password".
Works. Uninstalled Yahoo Mail app from my phone.
Composing a message off-line works; message sends next time the phone is online.
When composing a new mail, "Add from Contacts" shows no Contacts. IMAP doesn't fetch contacts
from an email server; to do that you'd have to use an app such as DAVx5 (paid).
But K-9 should show the local Contacts list on the phone. Some people complain of various bad
behavior with Contacts. And my local Contacts app crashes if I try to do a search.
Gave all permissions to K-9, rebooted phone, no change.
to see if I can get a beta version of K-9.
A day later, Google Play Store entry of K-9 showed I am in the beta
program, should get beta next time the app updates. But as far as I can
tell, it hasn't updated yet, no way to force it, maybe no beta is available yet.
No master password feature in K-9; once someone logs into the phone, they get full access
to all of your email accounts that K-9 is connected to.
Very tricky: options under "..." are different depending on whether you have Unified InBox
turned on or off. To add a new email account, you have to have it turned on, I think.
GMail app gives scary warning if you try to disable it, so I left it enabled on the phone.
I want to just use my email app (K-9 Mail) for these, but K-9 Mail doesn't support these.
I currently use Google Android apps and Google services for these, but I want to get away from Google.
My email service is about to support calendar, not sure about tasks and contacts.
Not sure if they will have Android apps.
fruux has an Android app, but version in Play Store is 1.0.4 from 2013.
Simple Mobile Tools has Calendar and Contacts apps for very-cheap.
"Simple Calendar Pro - Events & by Tibor Kaputa" and "Simple Contacts by Tibor Kaputa" are free on F-Droid.
(Beware of lots of fakes on Google Play Store:
If you use a local Calendar app, you also need to use something that will sync your local calendar
with your cloud calendar:
DAVx5 (paid; €4; does CalDAV and CardDAV)
"DAVx5 by bitfire web engineering" is free on F-Droid.
CalDAV-Sync (paid; €2.5)
There are others, but many have bad reviews or are EOL, be careful.
Apparently, the architecture is:
Calendar app (Google Calendar, fruux app, Simple-Calendar, etc) provides a UI
Android calendar; provides storage and local API
Sync app (Google Calendar, DAVx5, CalDAV-Sync, etc)
CalDAV server (Google Calendar server, fruux server, NextCloud, etc)
From dev of Simple Mobile Tools, on reddit 8/2019:
"Contacts can have some glitches that I couldn't reproduce on any of my devices, as the way contacts
are stored on Android is a huge mess. It can differ a bit per manufacturer and OS version,
I still haven't solved all cases."
I'm thinking of using the Simple-Calendar and Simple-Contacts
apps on my Android 6 phone. Am I correct in thinking:
- the purchase price of €0.69 is a one-time price, not monthly or something ? [answer: yes]
- these apps will connect to CalDAV and CardDAV servers ? I don't need to buy
an additional app such as DAVx5 to do that ?
[answer: you DO have use a "sync adapter" such as DAVx5]
- I use the K-9 Mail app to do email on Android. Will it be able to read
contacts from Simple-Contacts ? It can read contacts from Google's Contacts app.
[answer: not sure they understood the question]
- I assume I should uninstall the standard Google Contacts and Calendar apps
before installing your apps ?
[answer: they all can be installed simultaneously, no need to remove old ones first]
I want to remove all the Google apps, but still connect to my Google calendar server:
On my Android phone, I see these packages:
Commercial "normal" service: GMail, Hotmail, Yahoo Mail, etc.
Free, essentially unlimited capacity, lots of features such as sorting and mobile apps,
added features such as Calendar, reliable, no-hassle.
But if you move to another service, you have to change your email address everywhere.
If you violate a rule, they could turn off your account, little chance of appeal.
Usually they harvest your data and sell it, or sell use of it.
Your own custom domain on top of a commercial service.
Solves the "if you move to another service, you have to change your email address everywhere" problem.
Commercial encrypted service: Protonmail, Tutanota, etc.
Base level is free, essentially unlimited capacity, often fewer features than a "normal"
service such as GMail, pretty reliable, maybe a few more hassles than with a "normal" service.
Usually the security is not 100%; if the service wanted to (or was served with a warrant),
they could poison your login page and grab your password.
Client encryption on top of a service:
Desktop clients: Thunderbird with Enigmail, Evolution with Seahorse, KMail with Kleopatra.
Keys are generated, held, and applied only on your client device.
The service only sees encrypted messages, and never has the keys.
You are responsible for backing up and protecting your keys.
Pretty close to 100% security; to compromise you, the client software (e.g. Mailvelope)
would have to conspire with the service (e.g. GMail), or both would have to be served with warrants.
Run your own email server: Mail-in-a-Box, Poste.io, Helm, etc.
Not a good idea: you'll have to be the administrator, doing tweaking and patching and backups etc.
And you'll have to open an incoming port into your home LAN, or use a cloud VPS.
From people on reddit:
Hi, sysadmin by day who's done everything from Exchange to the classic Sendmail stack.
Running your own email stack is a pain in the *ss. Sure, most of the hard work is in the setup,
but it is a lot of work. My personal email is currently on a hosted service.
Never host your own email server, especially if you are not experienced with them.
It is painful, anyone who has managed email servers will tell you to avoid it at all cost.
You will have to deal with email blacklists, IP bans, corporate email servers rejecting you for no reason,
cloud providers marking you as spam with no feedback of why or how to solve it, low trust score, etc.
You will also have to deal with updating and keeping security patches up to date, but having downtimes
in mailservers mean that you will lose any mail that comes during that downtime period.
Nobody that had to deal with blacklisted mailservers, flagged spam IPs and random rejections from spam filters
can recommend a regular user to maintain their own mailserver. And imo this goes beyond having the technical skills to do it.
While I can maintain my own mail server, I'm a seasoned Linux administrator, I use my email account for critical work,
I can't stop working to deal with mailserver's nuisances.
I've self-hosted my emails for over a year. And it was nice. I learned a lot, I had fun with it and I was proud to use it.
But with time, I also realized managing email servers is a whole job, and a hard one. So hard, that I finally changed
a few months ago to a proper email provider who knows what they are doing, it's their job.
Email is a system that was invented in the 70s and not at all with the purpose and usage it has today.
The protocols are still mainly the same, but tons of "extensions, features and options" were added to fit
the modern usage. So basically, configuring your emails is mostly activating options A, B and C because you want
to be compatible with "modern emails" and deactivating D, E and F to avoid problems. But you have to be aware of
every little option and the impact it has, which is sometimes hard to find. Every time I had to change one option,
I broke the server for 2 days and spent a few weeks waiting for someone to tell me they sent an email
I didn't receive because my server config was f*cked up and was considered an illegitimate/spam server.
It was painfully stressful. Especially if you are waiting for important emails.
Because, yes, the biggest problem I have encountered so far is that you realize how hyper-dependent you are on your emails.
Without them, you might not be able to log into accounts, receive important info, ...
So I would say:
* if you want to play with emails or want to learn how it works in depth, what is SPF, DKIM, DMARC,
what are the factors that indicate you are a spam server or not, ... then go for it, set up an email server,
tune the config, use it for testings but keep it as a fun learning project.
* if you want to really use emails for important things or online accounts, use an email provider,
they will configure it properly, probably better than what you can do yourself and maintain it properly
(plus they usually have redundancy, backups, ... that ensure your data is safe and your emails always accessible)
I self-host my own email using poste.io. It's pretty easy. Doing it yourself by hand is hard, which is what
most of the naysayers are talking about.
You do have to worry about your own security, though. Running in the cloud will pretty much be your only
option if you don't have a business internet connection at home due to port blocking and global blacklists
for residential IPs. Trusting the cloud with your unencrypted communications is generally a bad idea,
but you can take matters into your own hands with any provider that gives you console access and
custom ISO installation. Vultr has been good to me in this regard.
I wish some large email provider, such as GMail or Yahoo Mail, would start using end-to-end (client-to-client) encryption routinely,
and transparently. When you click the Send button, software (maybe an open-source browser plug-in) looks to see
if your recipient has a preferred encryption method and public key registered anywhere (or if
one is cached locally, via prior key-exchange). If recipient does,
the message gets encrypted (by open-source browser plug-in) via that method before sending.
If recipient is not registered anywhere, message goes unencrypted, as usual. Simple !
And now the email provider itself can't read or decrypt the messages, and
can't decrypt them for the government.
The company that does this first could seize the mantle of "privacy champion".
They still could do targeted advertising based on keywords: the plug-in that does
the encryption first extracts a few keywords, and then passes them on along with the
Searching your messages on the server would be affected; the server
wouldn't be able to read the text of the messages. I suppose you could do a search by
sending all of the encrypted messages to the client (browser), and decrypting them and doing the search there,
but that would be horribly inefficient (but possible). Or search-keywords could be sent to the server along with each encrypted message
(compromising security a fair amount, but enabling searching).
Spam-filtering would be affected. If a spammer is willing to look up your public key and encrypt their message to you,
it will have to be caught on the client, not the server. That's an issue. Need an open-source spam-filter plug-in or something.
The reason I want an existing large provider to do this, as opposed to new secure-email startups,
is that the change by an existing large provider would immediately make encryption easily available to hundreds of millions
of existing users. No need for users to change providers, with new UI and new email addresses and having to transfer their contact lists.
Most users will NOT move to new secure-email services; we need to get encryption into existing services.
is a bit like what I want, although it's far from as transparent and integrated as what I outlined (which
requires changes by Google, Yahoo, etc).
Google and Yahoo were working on a couple of end-to-end things, but as of 2/2017 seem to have dropped their efforts.
This change is happening in the VOIP and IM markets, with WhatsApp and Skype changing to end-to-end encryption.
Once we have end-to-end encrypted message bodies, a few changes could secure the meta-data better.
Move the subject line inside the message body before encrypting, and move it back out when decrypting,
so all of the servers and middlemen see only a dummy subject line.
Encrypt the destination user's email address in some way that the destination server can decrypt,
so only the originating client and the destination server and destination client know the full destination address (all
other servers and middlemen can see the destination server name, but not the real destination user name).
Do the same with the originating user's email address, in a way that only the originating server, originating client and destination client can decrypt.
Example: a middleman would see "From: 5$33!8*AW@gmail.com To: 7^h$g#FS@yahoo.com Subject: none".
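The "move the subject line inside the message body before encrypting" step, as an added example that is not code from this page or from any mail client. It uses only Python's standard library `email` module to build the inner and outer messages; the stream cipher (SHA-256 in counter mode, XORed with the data) is a stand-in for the real OpenPGP or S/MIME layer so the example runs offline, and must not be used for real mail. The addresses, the key and the message text are made up. Hiding the From/To local parts (the second half of the proposal above) is not shown, because it needs the destination server to hold a key.

```python
"""Protected Subject: the real Subject travels inside the encrypted body,
the outer message that relays and servers see carries only a dummy one.
Added example; the cipher below is a toy placeholder for OpenPGP/S/MIME."""
import hashlib
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

DUMMY_SUBJECT = "none"   # what every middleman sees
NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """TOY cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    Stands in for the real encryption layer; it has no authentication and
    is only here so the header-handling can be exercised offline."""
    out = bytearray()
    block = b""
    for i, byte in enumerate(data):
        if i % 32 == 0:
            counter = (i // 32).to_bytes(8, "big")
            block = hashlib.sha256(key + nonce + counter).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def seal(sender: str, recipient: str, subject: str, body: str, key: bytes) -> EmailMessage:
    """Build the inner message (real Subject + body), encrypt it whole, and wrap it
    in an outer message whose visible Subject is the dummy value."""
    inner = EmailMessage()
    inner["Subject"] = subject          # the header we want to hide
    inner.set_content(body)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = keystream_xor(key, nonce, inner.as_bytes())

    outer = EmailMessage()
    outer["From"] = sender              # still visible: needed for routing
    outer["To"] = recipient
    outer["Subject"] = DUMMY_SUBJECT    # no information for servers or relays
    outer.set_content(nonce + ciphertext, maintype="application", subtype="octet-stream")
    return outer


def unseal(wire_bytes: bytes, key: bytes):
    """Receiving side: decrypt the payload, parse the inner message and
    return (real_subject, body) so the client can show the real Subject."""
    outer = message_from_bytes(wire_bytes, policy=policy.default)
    blob = outer.get_payload(decode=True)
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    inner = message_from_bytes(keystream_xor(key, nonce, ciphertext), policy=policy.default)
    return str(inner["Subject"]), inner.get_content()


if __name__ == "__main__":
    key = b"0123456789abcdef0123456789abcdef"   # made-up key for the demo
    msg = seal("alice@example.com", "bob@example.net", "Meeting moved to Friday", "See you at 10.", key)
    print(msg.as_string())                      # outer message: Subject: none
    print(unseal(msg.as_bytes(), key))          # ('Meeting moved to Friday', 'See you at 10.\n')
```

This is the shape the "protected headers" feature in Enigmail and current Thunderbird uses (the outer Subject is shown as "..."); the receiving client replaces the dummy Subject with the inner one after decryption. Anything you leave on the outer message (From, To, Date, Message-ID) is still readable by every hop.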
But encryption imposes quirks. For example, because the ProtonMail server can't
decrypt your messages, it can't do vacation-forwarding or server-based content-based filtering.
From someone on reddit 11/2018:
Gmail is decades ahead of ProtonMail in terms of feature support.
really good spam filtering
nested labels w/ coloring, multiple star icons
multiple inbox support
machine learning based importance detection
autosuggested replies and autocomplete
advanced plugin ecosystem
plain HTML fallback version when JS isn't available
12/2018: Some people are having issues because ProtonMail is fairly strict/correct
about encryption headers/certs (maybe
on incoming mail from other systems. Partly-bad mail that may be accepted
straight into another provider gets bounced, delayed, and re-tried before it
makes it into ProtonMail.
From someone on reddit 12/2018:
There is one downside to ProtonMail worth mentioning. They comply with OpenPGP standards so the mail envelope
remains stored unencrypted thus allowing search requests on sender, recipients and subjects.
But the mail body and attachments are encrypted so forget about webmail search on that content.
You'll need an offline copy in a mail client to index and search locally. Unfortunately, the only way
to do this with ProtonMail is to use their bridge application. I've tried and tried and it just won't
sync an IMAP mailbox with 2GB of mails (less than 20k emails). I've sent logs to their support team
without any solution in the end. I monitored the connection and it downloaded over 10GB to sync less
than 200MB worth of emails. They throttle the connection or something. It's not easy to debug since
everything is encrypted. But that's the point in the first place ...
Don't get me wrong, ProtonMail is great, they have improved impressively in a short amount of time.
They now allow the use of personal domains. But are they a suitable main email provider replacement?
Not yet in my case. So I stick to FastMail for now which has a web interface much faster and more feature-full
than GMail or ProtonMail. But I must rely on a computer with a mail client to send pgp encrypted emails.
And I am super worried about the Australian AA bill. Fastmail is Australian-based and the servers are in
the US, so enjoy worldwide mass surveillance. But it's still better than GMail, I believe fastmail will
not use my data to train some AI or to profile me to sell advertisers my soul.
I'm unable to find a single friend or family member who either: uses ProtonMail, or uses an email
system/client able to exchange PGP-encrypted email with me.
9/2019: Public PGP keys obtained via Settings / Keys / Export and through API server are different (at least
different encoding), and the one from the API server does not work when used by Facebook.
9/2019: Using ProtonMail through Tor Browser is very slow (especially on login) if Tor Browser security level
is set to "Safer"; faster if set to "Standard".
Someone said that's because "Safer" turns off JIT compiler.
10/2019: After using PM for a year or so, I'm going to move away from it.
The encryption is not really doing anything for me, and PM could break it if they
really wanted to (by serving a poisoned login page to me). The encryption
makes it harder to do IMAP, which I want to do so I can access all my email services
in one client (Thunderbird on laptop, K-9 Mail on phone) and while off-line. Encryption where I generate and hold the keys
would be more secure than having PM do that for me. And if I change to use my own custom
domain for email, I should never have to change email address ever again.
It's an email service where you MUST use your own domain name;
they provide the server and webmail UI and IMAP/POP3 access.
Need an existing email account somewhere to make an account here.
It's used to verify when creating the Migadu account, then used as username.
But I think you could close the account later, and Migadu would keep working.
10/2019: Created free account, and immediately have to connect my domain to it.
Went to my DNS host (different from my domain registrar), and Migadu site walked me through setting DNS records,
although the two systems were different enough to require some work.
Got the records changed, went to Migadu and clicked on Verify Configuration,
and it says it might take up to a week for the DNS changes to propagate to where
it can see them.
Inside Migadu, changed configuration so instead of one mailbox named "admin",
I have one named "bill", and then 5 or 6 aliases (including "admin" and a catch-all)
pointing to the single "bill" mailbox.
Turned on software TOTP on the account. Added another backup email address
in case something goes wrong.
There is no software TOTP available on the webmail login to see your mailbox.
Support says: "We don't have 2FA on the mailboxes. While we can limit the webmail,
IMAP/POP3 remain completely unprotected with that second factor, as the protocols do not understand it."
No reddit sub for this company, so I created one:
About 6 hours after creating the account and making DNS changes, SPF record is reported as okay,
but others are incorrect. Eventually contacted Support, and quickly they told me
what to change, needed several record values to have "." at the ends, not as
specified in the instructions: 'Your DNS is automatically appending the domain name in the end of the
hostname. To prevent this, end the hostname with a dot "."' Did that, soon they said all was well.
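Why the trailing dot mattered, as an added example (not Migadu's instructions or code): in zone-file syntax a name that does not end in "." is relative to the zone origin, so a provider hostname typed without the dot silently becomes `provider-host.yourdomain.` The zone origin `example.com.` and the provider hostnames under `.invalid` below are hypothetical stand-ins; the functions apply the zone-file rule to a record set, flag targets that will be mangled, and show the fix.

```python
"""Zone-file name qualification: records as typed vs. what a resolver sees.
Added example with hypothetical hostnames; not from any provider's docs."""

ORIGIN = "example.com."   # the zone the DNS host manages (hypothetical)


def qualify(name: str, origin: str = ORIGIN) -> str:
    """Zone-file rule: '@' is the origin, a name ending in '.' is already fully
    qualified, anything else gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


# Records as a user might type them from the provider's instructions,
# i.e. without trailing dots on the provider hostnames (all made up).
AS_TYPED = [
    ("@", "MX", "10 mx1.mailhost.invalid"),
    ("key1._domainkey", "CNAME", "key1.example.com._domainkey.mailhost.invalid"),
    ("_dmarc", "TXT", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
]

NAME_TARGET_TYPES = ("MX", "CNAME", "NS")   # record types whose data is a hostname


def resolve_zone(records, origin: str = ORIGIN):
    """Return (owner, type, data) as the DNS server will actually publish it.
    TXT data is opaque text and is never qualified; hostname targets are."""
    out = []
    for owner, rtype, value in records:
        if rtype in NAME_TARGET_TYPES:
            *prefix, target = value.split()
            value = " ".join(prefix + [qualify(target, origin)])
        out.append((qualify(owner, origin), rtype, value))
    return out


def lint_targets(records):
    """Flag hostname targets that contain a dot (so they look like another
    zone's FQDN) but lack the trailing dot. Heuristic: a multi-label name
    inside your own zone (e.g. 'mail.sub') would be a false positive."""
    flagged = []
    for owner, rtype, value in records:
        if rtype in NAME_TARGET_TYPES:
            target = value.split()[-1]
            if "." in target and not target.endswith("."):
                flagged.append((owner, rtype, target, target + "."))
    return flagged


def add_trailing_dots(records):
    """The fix support described: terminate every hostname target with '.'."""
    fixed = []
    for owner, rtype, value in records:
        if rtype in NAME_TARGET_TYPES:
            *prefix, target = value.split()
            if not target.endswith("."):
                target += "."
            value = " ".join(prefix + [target])
        fixed.append((owner, rtype, value))
    return fixed


if __name__ == "__main__":
    for rec in resolve_zone(AS_TYPED):
        print("as typed  :", rec)        # MX target becomes mx1.mailhost.invalid.example.com.
    for owner, rtype, bad, good in lint_targets(AS_TYPED):
        print(f"fix {owner} {rtype}: {bad} -> {good}")
    for rec in resolve_zone(add_trailing_dots(AS_TYPED)):
        print("with dots :", rec)        # MX target is now mx1.mailhost.invalid.
```

Web DNS consoles differ here: some always treat the value as fully qualified, some follow zone-file rules, which is why instructions written for one host produce the "SPF okay, everything else wrong" result on another (the SPF TXT record survives because TXT data is never qualified). Checking `dig MX yourdomain` and `dig CNAME selector._domainkey.yourdomain` after the change shows what was actually published.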
But mail from ProtonMail to my Migadu mailbox (via my domain) still bounces. Tried sending mail from Yahoo Mail,
and that works, and I can IMAP in to Migadu and read and delete the message. So ProtonMail must
have stale DNS information that will work its way out [correct]. Email from Migadu to ProtonMail works.
Sending from GMail to Migadu works.
10/2019: Support says Calendar and other new features coming in a matter of weeks.
A week later, received an email from a Google DMARC service, giving an XML file
evaluating my DNS record setup and email traffic to Google. Looks okay to me, but I forwarded it to Migadu to
see what they say about it. All good, but I tweaked my DMARC record anyway.
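What that XML file from Google contains and how to read it, as an added example (not the report the author received, and not code from Migadu or Google): the report is a DMARC aggregate report in the RFC 7489 layout, one `<record>` per sending IP, with the alignment results and what the receiver did with the mail. The sample XML below is constructed, with `example.com` as the domain and RFC 5737 documentation addresses as sources; the parser uses only the standard library.

```python
"""Summarize a DMARC aggregate (rua) report: which sources passed SPF/DKIM
alignment, which failed, and whether p=none let failing mail through.
Added example; SAMPLE_REPORT is constructed in the RFC 7489 layout."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <report_id>1234567890</report_id>
    <date_range><begin>1571875200</begin><end>1571961600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>12</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result><selector>key1</selector></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>3</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.invalid</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text: str) -> dict:
    """Pull the published policy and one row per source IP out of the report.
    Reports arrive from arbitrary third parties; on untrusted input in
    production, parse with defusedxml rather than the stdlib parser."""
    root = ET.fromstring(xml_text)
    policy = {child.tag: child.text for child in root.find("policy_published")}
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),   # aligned-DKIM result
            "spf": evaluated.findtext("spf"),     # aligned-SPF result
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return {"org": root.findtext("report_metadata/org_name"), "policy": policy, "rows": rows}


def summarize(report: dict) -> dict:
    """DMARC passes when either aligned DKIM or aligned SPF passes. Anything
    else is a failure; under p=none the receiver still delivers it."""
    rows = report["rows"]

    def dmarc_pass(r):
        return r["dkim"] == "pass" or r["spf"] == "pass"

    passed = sum(r["count"] for r in rows if dmarc_pass(r))
    failed_sources = [(r["source_ip"], r["count"]) for r in rows if not dmarc_pass(r)]
    delivered_despite_failure = sum(
        r["count"] for r in rows if not dmarc_pass(r) and r["disposition"] == "none")
    p = report["policy"].get("p")
    return {
        "org": report["org"],
        "policy": p,
        "passed": passed,
        "failed_sources": failed_sources,
        "delivered_despite_failure": delivered_despite_failure,
        "unenforced": p == "none" and bool(failed_sources),
    }


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```

In the sample, the second record is what a spoofer looks like: SPF passed for the spammer's own domain (`attacker.invalid`) but is not aligned with the `example.com` in From, so DMARC fails, and because the published policy is `p=none` Google delivered the 3 messages anyway. That is the signal to look for before tightening the DMARC record to `p=quarantine` or `p=reject`: if every legitimate source (your provider's IPs, any newsletter or ticketing service sending as your domain) shows up as passing, the failing rows are the ones a stricter policy would block.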
5 Feb 2020 Installed through Mint's Software Manager; version 1.12.2-1, which seems to date from Jan 2018.
Deleted "Example Feeds" folder and everything in it.
Imported OPML file from Thunderbird.
Go through Tools / Preferences:
Set Feeds / Default Feed Refresh Interval to 1 day.
Enable Privacy / Tell sites I do not want to be tracked.
Set Enclosures / Download using to "uGet" (it's installed in Mint, by default).
Plugins: turn off everything except Bold Unread.
No way to set sort order of all feeds in one operation. I want them to sort
by date oldest-first; have to change each feed individually. And each feed has
two icons in the left pane, a Folder and then a Feed (probably an artifact of
importing from Thunderbird), and they have separate sort orders ?
You can get rid of the two-icon thing by dragging the inner icon (Feed) out to the top level
and then deleting the now-empty Folder.
And sorting in oldest-first is a bad idea, because every time you open a feed,
the scrollbar will be at the top position.
In a feed, no way to select all or multiple items and operate on them in a batch.
But in the left pane, you can right-click on a feed and select "Mark all as read".
Or ctrl+R does the same.
In a feed, right-click on an item, and there are no key-shortcuts in the context menu.
Ctrl+M to toggle read/unread.
In a feed item, click on Attachments at bottom left and right-click on an attachment
and select Save As. See uGet window.
See green "G" icon in system tray.
Right-click on it to see and change uGet settings.
Change to "Quiet" mode (turns off "starting to download" notifications,
but not the "done all downloads" notification).
Turn off clipboard monitoring.
But in quiet mode only, if you save the same attachment twice or more, it will download it
twice or more, adding ".0" or ".1" etc to the filename each time.
Left-click on the green "G" icon to see the queue of downloaded files.
Was able to add a feed that TB refused to add, but had to leave the https:// off the
front of the feed URL.
In fact, moving from Thunderbird's RSS to Liferea fixed almost all of the RSS problems I was
having, leaving only one existing problem (three particular feeds broken, all from cbc.ca;
added to existing bug report https://github.com/lwindolf/liferea/issues/260).
Went from maybe a 12% failure rate to a 3% failure rate. Reported the problems to CBC,
they said "we pass Apple's validation, we're not changing anything".
(Later someone told me a workaround: source the feed from command
"wget --output-document=- --quiet https:....xml")
Some people say that internet email fundamentally can not be made very secure, without a total
redesign. So they use non-email messaging.
There is a convergence between text-chat and voice-call and video-call applications.
Text-chat applications are adding voice and video, Skype has text, etc.
Justin Carroll pointed out on a podcast:
Many/most IM applications have the bad quality of using your phone number as your userID/username,
making it impossible to keep your phone number private, and allowing people to voice-call or SMS you
instead of only contacting you inside the IM application, etc. That's unfortunate.
[Some that don't use phone number: Kik, Discord, Threema, Wickr Me, Riot, Wire, Tox ?
Telegram requires a phone number to sign up, but then you can run the app on any phone.
Discord through browser requires a phone number to sign up if you're using a VPN, but you can sign up
non-VPN and no phone, turn on TOTP 2FA, then use it with VPN and no phone.]
You want a service where the user (or the client app) generates and holds the encryption keys.
You don't want a server to generate and hold the keys; that would not be end-to-end encrypted,
and (with some effort) the service could read your traffic if they wished.
Person-to-person messaging/chat (only within system, or SMS to any phone).
Voice calls (only within system, or to any phone).
Some major choices:
WhatsApp (biggest user base, but uses phone number and owned by Facebook)
Signal (uses phone number)
Session (fork of Signal that does not use phone number)
Wire (doesn't use phone number)
Services where user (or client app) holds the keys: Riot client using matrix.org server or some other Matrix server; Signal.
Don't just start using a service and assume it's totally secure by default.
Go through all the account settings and maybe dial them down tighter.