Posteo is a paid privacy email provider based in Germany. I signed up with them after a recent Fastmail price increase and my concern about Fastmail being an Australian company with servers in the USA.
I briefly considered Yandex, a free Russian email service with interface in English, but it does no good to me to trade NSA illegal spying for Russian Federal Security Service (FSB) illegal spying.
I came to the conclusion that all countries spy and the only way I was going to protect myself from that is by using an email service that is transparent about logs, has encrypted storage with the email provider locked out of them, with no access to the keys, and end to end encryption. What is known in the privacy industry as zero knowledge, and if the company is based out of the Five Eyes wiretapping alliance (UK,US,CA,AUS and NZ) even better.
Posteo fulfilled all the requirements I had in mind and I also liked that they do not have a Facebook page, it shows they really care about customers privacy.
How to open a Posteo account
Opening an account with Posteo took me around one minute, the company does not want to know your name, address, back up email or phone number.
You only need three things to sign up for a Posteo account:
- Pick a username
- Pick a password
- Pay with cash, Paypal, wiring, credit card or voucher (payment methods are anonymised)
Posteo payment
I used Paypal to buy the account, I know Paypal stores all transactions for years and the NSA probably has a direct feed to them but the transaction does not show your Posteo email address, the only available record in Paypal is the date and amount of money you sent to Posteo, your inbox or username is never printed anywhere in the receipt.
Posteo Paypal payment (5 years prepaid)
Futhermore, Posteo payment system automatically assigns a code to the inbox so that usernames can never be linked by the company with a payment. Tax laws compel Posteo to keep payment information for 10 years, this includes your name if you used bank transfer o Paypal to buy the account, but it never includes what your email address is and if the company was asked for this they are unable to provide the information, there is no law forcing Posteo to keep that data.
Specific details on how your payment is anonymized is very well explained with screenshots within Posteo’s FAQ.
One of my favourite things from this company is that their help pages disclose in plain English (German&French) the security measures they take to protect customers from illegal spying by government agencies, what logs Posteo keep, how long for and what happens if they receive a subpoena, as well as some background information about Germany privacy laws.
There are no trial Posteo accounts, payment is taken from day one, but if you are not happy with the service you have the right to revoke it within 14 days and credit will be refunded.
If I had to criticise anything from the payment system is that they do not accept Bitcoins.
Posteo email basics
You can access your email via web, IMAP or POP3, attachments are a generous 50MB and the initial inbox is 2GB with a couple of aliases, all of this can be increased according to needs.
Posteo has a single basic email package that is prepaid, if you feel like you need more storage space or more email aliases you can go to account settings and move a slider bar to add extras, as you do this the screen shows you how much more this will cost you, for example, an alias currently costs €0.10 a month, if you need four email aliases that is €0.40 more a month, if you no longer need them next month, you delete it and monthly price comes down again.
The way Posteo pricing is set up you don’t have to pay for things you don’t need, you customize it to your needs, it works out cheaper than paying for an oversized email package that subsidizes heavy or business email users.
The account includes a decent online calendar, that can be optionally be shared with a public URL, address book and notes, all of which can be encrypted, in which case sharing is no longer be possible.
Posteo email calendar
Consider carefully if you need your inbox encrypted, after you enable it some functions like email searching will no longer work and if you lose your password Posteo support can reset your account but you will not be able to read your old email messages without your old password as Posteo has no way to decrypt them.
For example, because I only plan on using Posteo in the browser I activated the additional email account protection that eliminates IMAP access, and this stopped notes from autosaving so I had to reactivate it. Next to each encryption setting you will see a box that tells you what features stop working if you choose security over functionality.
Posteo email security
There are a ton of security measures, and nearly all of them can be configured, Posteo is ideal for advanced privacy email users that like to have control and spend time tinkering with their security settings. It took me a good couple of hours of reading understanding all that Posteo had to offer.
This company is one of the first email providers to implementing DANE, a DNS based authentication method that checks the digital certificate fingerprints of other email providers, this detects bogus certificates replaced by sophisticated hackers, state sponsored operatives have been known to do this trick in the past.
For DANE to work other email providers must support it too, when sending an email to somebody a small green check box in Posteo let’s you know if the server you are communicating with is DANE compliant. Tutanota supports it and Protonmail has plans to have DANE this year, but the big NSA back doored email providers, like Gmail, Yahoo and Outlook, have no DANE support.
Encrypted email provider Posteo
Another setting activates a TLS-sending guarantee, with the checkbox ticked your messages will not be delivered to any TLS insecure email server, if Posteo comes across one you get a warning and have the option of sending the message without proper encryption in transit or not sending it.
To use PGP you need to install MailVelope addon browser, after that a new button that says “Compose&Encrypt” magically appears in the webmail interface.
You can add your public encryption key to Posteo keyserver and activate “encrypt all incoming email“, this means that all messages you receive will be automatically encrypted with your own PGP key at the door, on top of the encrypted inbox.
You might want to do this if you don’t trust Posteo’s own encryption, you add an extra layer with your own keys, however if you lose your private keys you will not be able to read the messages again and every time you click on an email in your inbox you are required to to enter the decryption password in MailVelope.
I found incoming encryption too burdensome, I would only propose it to the most paranoid kind not concerned with quick email access.
Posteo PGP encryption Mailvelope
Hat tip to Posteo for automatically bouncing my public encryption key back to my inbox with a warning that it did not conform to security.
During key generation I made the mistake of adding my first name to the public encryption key and Posteo very rightly rejected it in their keyserver as the name can be used to track down your identity, I was only able to add the key to the server after changing the name field with a non descriptive text, like my email address.
Two factor authentication is possible too, Posteo works with any open standard TOTP app, like Google Authenticator, but the company recommends FreeOTP because it is open source (developed by Fedora), or if you own a Yubikey you can use it for two factor authentication, the help pages come with clear instructions and screenshots about how to set it up.
Posteo downsides
It put me off Posteo that they don’t own the .com of their email address, I had people in the past sending me messages to a .com version of my address, it is a common mistake many people do. I find it very short sighted that a company like Posteo, offering a choice of 30 different domain names for your email aliases, does not have a single neutral .com that you can pick for an email address. You can have a @posteo.af address, country code from Afghanistan, and a @posteo.jp country code from Japan, but .com is not an option.
I would have appreciated a non descriptive .com domain which URL does not resolve to Posteo homepage that can be used as an alias.
Another downside for me is that Posteo does not have a Spam folder and you can not have one. Posteo drops all spam silently and you must trust they do it correctly.
My experience with email providers so far has been that no spam filter is 100% perfect and I have no way of finding out if a message is not getting to my inbox because it was flagged as spam by mistake or because it was never sent.
You can whitelist addresses in the filter but there is no way of whitelisting something you don’t know about.
Posteo advantages
Posteo comes with Mailvelope preconfigured, after installing the addon in my browser a new encryption button appears in the webmail interface and this gives me the ability to communicate with other PGP users holding my own encryption keys instead of Posteo doing that.
The encrypted email inbox and being able to encrypt all incoming messages with my own private encryption keys is a huge perk too.
Posteo message filtering
It takes time time to encrypt messages yourself, entering passwords, selecting the right keys, etc, if you are tight on time and security is not that important for you it might be best that your email provider does all of that, but if you want to err on the cautious side and trust nobody with your encryption keys, owning your own keys is they right way to do it.
I also liked the email filtering, being able to file messages into folders as they arrive, according to subject, sender, etc.
Posteo support
Support is not suited for businesses, but I think that an individual will be ok waiting one or two days for a reply. You can contact Posteo by email during German working hours.
I sent Posteo support an email to ask a question about my settings and it took 24 hours to get a reply that solved my question.There is no ticketing system, this might unnerve some people, because you keep wondering if the email was ever received, but not having a ticketing system is advantageous for those who value privacy and a very good idea
The company barely keeping records of anything means that the information can not be lost or stolen and you can always check the “sent receipt” box if you email support, this way you will know they have received your inquiry.
Posteo vs Protonmail
I like Protonmail design and them forcing two different passwords to access the encrypted inbox. The main reason why I did not buy a Protonmail premium account is that their paid accounts cost five times more than Posteo. Protonmail has a bigger inbox but I wasn’t going to use it.
It also put me off a bit knowing that in 2015 Protonmail had paid ransom to some cybercriminals DDoS their servers, it shakes my trust on how much of a fight the company is willing to put up for what it is right when I see Protonmail selecting the easy way and pay up to avoid problems.
Posteo vs Tutanota
I was really close to buying a Tutanota premium account, they offer more aliases than Posteo, both companies are based in Germany, and cost the same, plus I like a couple of features Tutanota not found in Posteo, like being able to send links to password protected messages.
I finally went for Posteo because of their Mailvelope pre-configuration and because I wanted a company that will not go bust. Posteo has been around for more years than Tutanota and they do not offer loss making free accounts which makes it more likely that they will survive.
Posteo review conclusion
If you are comfortable managing your own PGP encryption keys, want an email service with an encrypted inbox that does not keep logs or records your identity and it comes with lots of features at a cheap price, I think that Posteo is unbeatable, far cheaper than other paid providers (€12/year).
You should also pick Posteo for an email provider with calendar, notes and aliases that will respect your privacy and if you need a mailing list provider, this is still in beta but it should be rolled out soon.
But if you rather have your email provider do to all PGP encryption for you at the back end don’t pick Posteo and if you wish to pay with Bitcoins Posteo should be out of limits for you too.
abc123
Long time lurker here, I know you’ve done a review on countermail long time ago. I would appreciate if you could do a brief Posteo vs Countermail. Thanks in advance.
Hacker10
Hello abc123,
I used Countermail for two years. I did not add them to the post because I thought it was already long enough, but here you go:
Posteo vs Countermail:
They both can use PGP email but Countermail does not need any plugin, in that sense is better. But Countermail is far more expensive than Posteo and I don’t like their email interface, I find Posteo easier to use. On the positive side Countermail has the unique diskless servers, it should make tampering with the email server far more difficult.
Privacy policy is about the same, both services don’t keep any identifiable information and both companies are based in the European Union. I chose Posteo based on pricing and an email interface that I find more user friendly.
hacker10
Chris
I’ve been using posteo for several months now and love it. Love the TLS guarantee
Peter
“Posteo drops all spam silently” is not true, it SMTP REJECTS spam, so spammers usually don’t notice but legit senders will see.
Guido
I have been using Posteo for couple of years and really and very unfortunately my advice is : stay away from it. Do you want your email flooded with spam like “wonderful Russian brunette wants to meet you, reply and I will send you my pics” and NO you do not need to surf adult sites to get these. Their spam filter simply does NOT work. I have sent over a hundred of these emails back to Posteo to review as the company ask for and nope nothing changed. These spams are not just annoying they are a security threat as they may contain scripts or viruses. Really STAY AWAY FROM POSTEO.