by MollyR 3228 days ago
I'm thinking of switching my business email to protonmail from gmail.

Any users like it?

The whole google memo revealed google employees are not as trustworthy as I thought. All the social media talk of blacklists, and inquisition tactics from some of upper management is bad for business.

I've already gotten emails from clients asking me to change their business google services to something else (anything else in their own words).

13 comments

I've tried it, but their solution is (IMHO) a very poor fit for a business e-mail account, as there is (or was when I used the service) no way to manage e-mail accounts for your employees and no way to archive / extract their e-mails in case of need (I understand that it's a privacy-focused e-mail service, but as an employer you have legal requirements to keep business documents for several years, and having to rely on your employees' goodwill to get the data out of the system is not an acceptable solution for this). Also, there's no calendar integration (https://protonmail.uservoice.com/forums/284483-feedback/sugg...), which again makes it difficult to use this as a business e-mail account.

I've switched to Mailbox.org in 2016 and I'm very happy with their product and service: Their system is based on an open-source solution (OpenExchange) so they don't need to reinvent the wheel and can focus on providing good hosting and service (which they do). They also have support for 2FA (including hardware tokens like Yubikeys) and recently revamped their management portal, which allows you to easily create and manage e-mail accounts for your employees.

It looks like ProtonMail released new account management features just a few weeks ago, including the capability for "organization admins to access the emails of other organization users" while still preserving end-to-end encryption.

Source: https://protonmail.com/blog/encrypted-email-for-organization...

> while all organization accounts are end-to-end encrypted, it is still possible for organization admins to access the emails of other organization users. Thus, organizational oversight and management is still possible, even with end-to-end encryption. Furthermore, administrative read permissions are also granted or revoked automatically when admin users are created or demoted.

I wonder how they can provide this without either storing encryption keys on their servers or reencrypting (client-side!) all email during such events.

It's a key escrow system. The admins hold a copy of the user's key, and promoting a new admin involves giving access to this key.
So where is this copy stored?
Interesting! You could probably do it by using the key of an existing admin to decrypt the escrow key and then reencrypt it with the public key of the new admin, all client-side.
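
The client-side re-wrapping suggested in the comment above, as an added example that is not part of the thread and is not ProtonMail's implementation. It assumes a per-user symmetric mailbox key, RSA-OAEP admin key pairs and a `server` object standing in for what the provider stores; all names and data are hypothetical.

```javascript
const crypto = require('node:crypto');

// Everything the provider holds: wrapped key copies and ciphertext only (constructed data).
const server = { escrow: new Map(), mail: null };

const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const wrap = (pub, secret) => crypto.publicEncrypt({ key: pub, oaepHash: 'sha256' }, secret);
const unwrap = (priv, blob) => crypto.privateDecrypt({ key: priv, oaepHash: 'sha256' }, blob);

function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Runs in an existing admin's client: unwrap with their private key, re-wrap
// under the new admin's public key. The server only ever receives the new blob.
function promote(fromId, fromPriv, toId, toPub) {
  const userKey = unwrap(fromPriv, server.escrow.get(fromId));
  server.escrow.set(toId, wrap(toPub, userKey));
}
// Demotion deletes the wrapped copy; it cannot recall a key already unwrapped.
const demote = (adminId) => server.escrow.delete(adminId);

function adminRead(adminId, priv) {
  const blob = server.escrow.get(adminId);
  if (!blob) throw new Error('no escrow copy for ' + adminId);
  return unseal(unwrap(priv, blob), server.mail);
}

function demo() {
  const alice = newKeyPair(), bob = newKeyPair();
  const userKey = crypto.randomBytes(32);            // mailbox key, made client-side
  server.mail = seal(userKey, 'Q3 contract draft');  // constructed message
  server.escrow.set('alice', wrap(alice.publicKey, userKey));
  promote('alice', alice.privateKey, 'bob', bob.publicKey);
  const bobSees = adminRead('bob', bob.privateKey);
  demote('bob');
  let afterDemotion;
  try { afterDemotion = adminRead('bob', bob.privateKey); } catch (e) { afterDemotion = e.message; }
  return { bobSees, afterDemotion, aliceSees: adminRead('alice', alice.privateKey) };
}
```

Revoking access in this model only stops future unwrapping; an admin who kept the unwrapped key can still read old ciphertext unless the mailbox key is rotated and the mail re-encrypted.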
Very interesting, I might give the solution another go in the future. Still, at this pace it will take them a long time until they are on par with a "normal" e-mail solution (it might be worth the trouble though).
I've not seen anyone else talking about mailbox.org. I've been using them for a while after moving away from Fastmail and I'm loving it. Cheap and they're recommended by https://www.privacytools.io/.
I've been with them for over a year now as well and not a single issue. The interface is a bit cumbersome in some ways, it's a customized OpenXchange, so some mailbox.org-specific settings are done outside of the rest of the more general OpenXchange settings.

What you get with mailbox.org that you don't get with ProtonMail:

  * IMAP and SMTP
  * Support for hardware 2FA dongles like Yubikey
  * Ability to use your own GPG keys
  * Very capable mail filter config tool
  * Calendaring and contacts (with nice URLs so it's easy to use on Android via DAVdroid instead of Google's stuff)
  * File storage
  * Web-based spreadsheet, word processor and presentation tool

Their jurisdiction is Germany so you get whatever is left of EU privacy laws plus the Germany-specific ones.
I don't know much about EU laws and less of Germany. Out of curiosity, if I was a Nazi could the government shut me down?
A number of European countries have laws that make denial of the Holocaust (or sometimes more generally all known acts of genocide) and usage of Nazi symbols (swastika, etc.) illegal, with exceptions for things like art and research. Many also prohibit incitement to ethnic or racial hatred.
Their service may be good enough but they are hardly investing enough into their product at the moment. mailbox.org is also not a core product of theirs. Just read through the forums (mostly in German); there are basic features/aspects missing you'd expect with a paid service nowadays like automated DKIM next to bug fixes needed around the web interface, which also can't compare to Fastmail's or Google's mail UI in terms of efficiency and usefulness – it's clunky: consequences of being fully dependent on foreign upstreams, I guess. Plus there's plenty of downtime. And that's for prices similar to Fastmail and GSuite when looking at similarly featured tiers (GSuite Basic – Fastmail professional – mailbox.org Mail XXL plan).
I actually ran mailbox and fastmail side by side before settling on mailbox. I think the UI is next to flawless. AFAIK they don't work on the UI themselves, they use https://www.open-xchange.com/
Well that's fair enough, I basically never use the web interface so I probably haven't run into those issues. For me it's about where they're located and their customer service more than their interface.
Why did you move out from fastmail? They are very clear about their privacy policy.

(Also who runs privacytools.io? Is he/she reputable?)

I don't think Fastmail is very clear on their privacy policy (see also my other answer below).

Here is an extract from Fastmail TOS:

Fastmail can disclose your info/data if it thinks it's in the interest of the company: "The Service Provider will not monitor, edit, or disclose any personal information about you [...] unless required or allowed by law, or where the Service Provider has a good faith belief that such action is necessary to: [...] (2) protect and defend the rights or property of the Service Provider; [...] (4) act to protect the interests of its members or others [...]

Why did you switch away from Fastmail? I'm there.
Possible reasons (I'm also with Fastmail and it makes me uncomfortable):

- Fastmail can immediately cancel your account for any reason: "The Service Provider may terminate your access to any part or all of the Service and any related service(s) at any time, with or without cause, with or without notice, effective immediately, for any reason whatsoever, with or without providing any refund of any payments."

- Fastmail can disclose your info/data if it thinks it's in the interest of the company: "The Service Provider will not monitor, edit, or disclose any personal information about you [...] unless required or allowed by law, or where the Service Provider has a good faith belief that such action is necessary to: [...] (2) protect and defend the rights or property of the Service Provider; [...] (4) act to protect the interests of its members or others [...]

By comparison, mailbox.org TOS are much better.

Also mailbox.org offers GPG encryption, which Fastmail doesn't (AFAIK).

Good reason, but I stick with Fastmail for now, as the UI and user experience are still good for me.
What made you switch to mailbox.org? Curious, as I am a Fastmail user.
I am very impressed with their service, accessing it on their .onion site. I've been paying with Bitcoin, but it has been a manual process. Their support seems responsive. The UI is great.

I was going to use fastmail, but ProtonMail's inbox encryption seemed like a nice bonus. I know it is not really securing my email, but it is nice to know that if they get a subpoena or warrant they cannot just dump my inbox. At least not without compromising their product - an active step.

Setup of domains and accounts is slick. Changing payment plans all works online, pro-rating and all.

I've been using migadu.com for a while (nice reliable email hosting for 4$/mo). They even have a nice drawbacks page: https://www.migadu.com/en/drawbacks.html
Their straightforwardness is nice, but I wonder how sustainable the business model is - every paid account has some message send/receive limits but there is no cap on storage. [1] They also say they've been profitable (on the same page), but I'm a bit wary of anything that says "unlimited". Nevertheless, thanks for pointing to this one. It looks very attractive for those who need to use multiple addresses/aliases/domains.

[1]: https://www.migadu.com/en/benefits.html#anchor_storage

Oh wow this is perfect, I've been wanting an email service that is priced exactly like this forever. Thank you so much for posting it!

I have a lot of email/domain combinations and most places charge per domain which makes it super expensive super quick.

I think they offer the same but cheaper: https://www.infomaniak.com/en/hosting/e-mail
I like it but as noted the lack of an exit path makes it scary for a long term business contract.
Any reasons to not go with https://www.fastmail.com/ ?
I just set it up for my custom domain and it could not have been any simpler or easier. They have a really clean UI/status checks for setting up MX/SPF/DKIM/DMARC, I set up some custom addresses and a catch-all and it all just worked.
How is their catchall support?

Last I checked into the status, they only planned to support it for business accounts and limited sending to only a few aliases.

I went with Fastmail for catchall because since the last time I checked (about a month ago) they still didn't support it fully. I hope they do support it fully in the future as I'd seriously consider switching.
ProtonMail now supports catch-all email for ProtonMail Professional and Visionary plans. That means for each domain that has email hosted at ProtonMail, you can now designate one email address as the catch-all address by going to Settings –> Domains. For example, info@me.com could receive any email sent to the @me.com domain, even if the address did not exist. You can learn more about catch-all emails here (https://protonmail.com/support/knowledge-base/catch-all/).

https://protonmail.com/blog/protonmail-v3-10-release-notes/

That's great to hear.

I'll probably have my current mail service run out and then switch to protonmail for personal mail and selfhosted mail for spamming notifications from my nextcloud instance.

Can you send email back from the addresses the email was sent to? I think when I was looking into it, ProtonMail caps how many aliases you can create; making it not that good for catchall.
What part prevents you from sending it from any email address? I assume if you smtp auth with them ok then you should be able to send from any email@authed domain you want.

Do people limit that somehow?

I won't go into details, but I moved my personal and business activities (including 8 domains) away from PM after using their top tier service for a year. Let's just say that performance and usability in moderately heavy business use was not acceptable.

And keep in mind that even though your email is encrypted within PM, it is not encrypted on the mail servers of the people you have been communicating with (unless they are also PM accounts). So the primary attraction is largely moot.

I hope they catch up in the areas I think they need improvement, but providing Gmail level service is quite difficult unless you're big and well funded.

> google memo revealed google employees are not as trustworthy

What made you feel this way, specifically, in the memo?

> blacklists, and inquisition tactics from some of upper management

The memo is just a reference to an episode, i.e. "the memo ordeal".

'ideological echo chamber'
*perfect use of the feel word.
I gave it a try and I really like the Webmailer and the apps, but not having IMAP/SMTP is a dealbreaker, because you can't import/backup your mails at all. As soon as they add those features, I'll sign up for a paid plan again.
I love proton and am a paid user, but I'm not sure if it has all the features a business needs. I'm personally waiting for a calendar before dumping google altogether (except for spam / email lists). Still, it seems better than anything else out there as far as privacy, though I would never count on email privacy to begin with for obvious reasons (unless I encrypt it myself / have others send encrypted email).
Also the fact that they leaked an internal document to the world doesn't give me great confidence they won't do that again. There have already been instances of Google employees snooping in gmail:

http://www.businessinsider.com/google-engineer-stalked-teens...

What makes you think ProtonMail employees couldn't do the same? Not a critique of PM (I'm a paying user myself), but this is not a reason to switch.
> What makes you think ProtonMail employees couldn't do the same?

ProtonMail is end-to-end encrypted. (Can't verify it myself, though.)

Some of their software stack is open source. You can go have a look how it works for yourself. Of course you have to trust that what they opened is what they run, but the foundations seem solid at least.

https://github.com/ProtonMail/WebClient

How does an open source software stack stop employees from reading content?
When they receive an email, they encrypt it with your public key. The private key is stored on their server encrypted with a passphrase only you know.

Assuming they don't backdoor their client to find out your passphrase, or log emails as they receive them, you're fairly safe from having an employee browse through your emails.

Has anyone audited that system and implementation? If not, can you really trust that there's no backdoor?
You may want to give a try to Zoho.