| Not really, or well really not. To have email working you need to own a DNS record which means that your details are on record some where (domain privacy settings don't really work against an adversary like the NSA or anyone with a decent enough legal team). To pay for the server you need to pay for hosting which leaves another paper trail, you can't host mail servers in your home as your ISP will block SMTP traffic in most cases to combat spam from botnets, if you still want to do it you have to use your ISP's SMTP relay which isn't "NSA proof" and also quite likely puts every email you send on a list easily accessible by law enforcement. When you run your own server you inherit all the security risks associated with every piece of software which runs on that server, most people aren't really good at dealing, zero-days are also usually patched prior to disclosure by the big players (e.g. Heartbleed) and even when not companies like Google will have a plethora of mitigating controls that reduce the impact of any potential non-disclosed vulnerability. As far as the aliases go if you run your own server aliases mean nothing even if you buy a separate domain for each alias the MX records will still be the same which means that all email addresses can be traced to you, if you only want aliased for disposable mails/spam control then any current mail provider usually offers unlimited aliases also. As far as controlling the chain you aren't really, you have little control over how the mails are being relayed, you might be forced to use an email relay (some ISP's actually do transparent mail relays), your target might be behind a mail relay, and even when not you don't know if the guy you are sending it too doesn't use gmail or any other provider to manage their mailboxes using POP3. And the last part and what people usually dislike being brought up is that actively trying to avoid the NSA puts you on their radar, the NSA has different levels of wide range and targeted surveillance the more "interesting" you seem the more likely you are to be tagged by one of their more targeted programs. Now this isn't an argument that results in saying "you shouldn't encrypt anything and send stuff in the clear" but it is an argument that if you actually care about operation security then not standing out is a critical part of your opsec. People often point out and say that "security trough obscurity" is a fallacy, but that on it's own is even a bigger fallacy, obscurity is a critical part of real world security (whether it's technical or operational) the important thing to remember is that one must not rely only on obscurity to ensure security but one that ignores it completely just exposes them selves to unnecessary risks. |