I’m trying to both simplify my subscriptions and shift away from Proton (for a number of reasons), and I’m undecided where I want to go for email. I’m mainly thinking about (as the title indicates) Runbox and Mailbox, but I’m open to other suggestions as well.
I want a service that’ll work with a normal email client. I’m likely going to use addy.io for aliases (with PGP), so the only time they’ll see my plaintext emails is the rare occasion I use the email address directly. I’m also planning to use a custom domain. I only care about email, since I’m planning to set up my own CalDAV server (and probably rely on Proton or Tuta until I do).
Does anyone know about how these services handle spoofing? I saw some concerning claims about Mailbox, but I’m not sure if they’re still valid.
What were the concerns you saw about Mailbox? I’ve been using it (and addy.io) a while as part of my move away from Proton, and I have no complaints thus far. It works with my email app nicely, which is a big reason I like it over Tuta, although Tuta is pretty nice as well, as long as you don’t mind using their app.
It was this support thread I believe: https://userforum-en.mailbox.org/topic/anti-spoofing-for-custom-domains-spf-dkim-dmarc
There’s also this one that seems to be the same issue: https://userforum-en.mailbox.org/topic/2316-emailspooftest-results-and-fails
From reading it (and another thread on Privacy Guides), I think it’s just incoming mail that’s the problem. Basically they aren’t fully upholding the various anti-spoofing settings for the domain. This isn’t great, but it’s not as bad as some malicious entity being able to act as someone on your custom domain.
Note that I have no idea how Runbox does here since it’s hard to find reviews for it. I’m sort of torn here since I like the sound of Runbox as a company and I haven’t really seen anything particularly negative about the service itself, but I also would prefer Mailbox’s PGP encryption at rest using my own key in case I give out my email directly to a bank or something.
Regarding Tuta, I dislike how they don’t support PGP. It basically makes them useless (to me) since I personally know zero people with a Tuta account (not that I know many people who bother to use PGP either though). The apps are also pretty janky.
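The spoofing question above comes down to what a provider does with inbound mail that fails a custom domain's SPF/DKIM/DMARC checks. As an added example that is not part of this thread, this Python check reads a delivered message's Authentication-Results header and flags mail that claims your own domain without passing DMARC. The domain names, the `mx.provider.example` authserv-id and both sample messages are constructed assumptions; substitute the identifier your provider actually stamps.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples. "mx.provider.example" is an assumed authserv-id, i.e. the
# name the receiving provider puts first in the headers it adds itself.
SPOOFED = """\
Authentication-Results: mx.provider.example; spf=fail smtp.mailfrom=evil.example;
 dkim=none; dmarc=fail (p=reject) header.from=mydomain.example
Authentication-Results: attacker.example; dmarc=pass header.from=mydomain.example
From: "Me" <me@mydomain.example>
Subject: constructed spoof test

body
"""
LEGIT = """\
Authentication-Results: mx.provider.example; spf=pass smtp.mailfrom=mydomain.example;
 dkim=pass header.d=mydomain.example; dmarc=pass header.from=mydomain.example
From: me@mydomain.example
Subject: constructed legitimate mail

body
"""

def auth_results(msg, trusted_id):
    """Return {method: result} using only headers added by the trusted receiver."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", value)        # strip (comments)
        authserv_id, _, rest = value.partition(";")
        if (authserv_id.split() or [""])[0].lower() != trusted_id:
            continue  # header supplied by the sender; trivially forgeable
        for method, result in re.findall(r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", rest, re.I):
            results.setdefault(method.lower(), result.lower())
    return results

def audit(raw, my_domains, trusted_id):
    """Flag delivered mail that claims one of my domains but did not pass DMARC."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in my_domains:
        return None
    res = auth_results(msg, trusted_id)
    if res.get("dmarc") == "pass":
        return None
    return {"from": from_domain, **{m: res.get(m, "missing") for m in ("spf", "dkim", "dmarc")}}

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, audit(raw, {"mydomain.example"}, "mx.provider.example"))
```

A finding for a message that reached the inbox means the provider delivered mail that failed DMARC evaluation for your domain; whether it should have been rejected or quarantined depends on the policy you publish.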