I have been using Countermail for over a year on a weekly basis and this review is based on my experience with them during this time. The service is free to try for a few days, after that you will be asked for payment which can be done with credit card, Paypal, wire transfer or Bitcoin.
Credit card corporations force businesses to keep payment details stored for two weeks, Countermail claims to automatically destroy the records after that length of time but the credit card company and Paypal will likely preserve payment details for years although they will not be able to link them to any specific Countermail account or nick. If you pay with Bitcoin you will make tracing payment origin much more difficult but there is a surcharge.
Signing up is simple, not requiring any personal information other than choosing a username and password, you only need Java installed in your computer, after account creation you can get rid of Java and use IMAP and SMTP with Thunderbird and Enigmail. There is a tutorial in Countermail help pages explaining how to set it up. It took me a few hours, demanding lots of reading and testing, it wasn’t very easy to do.
Be very careful to remember your password because if you lose it, it can not be recovered and your data will be lost for ever.
Countermail webservers are live CD powered web servers, there is no hard drive, powering it off to install monitoring software will eliminate all data held in RAM, including encryption keys, and without any hard drive present computer forensics would be a waste of time. For further surety, encryption is executed in the user’s computer, Countermail does not store any password. By default it will keep your private encryption key (although the encrypted version only!) but not the password and you need bot of them to decrypt messages. If you are not comfortable with having your private keys in the server, you can delete them and store the keys in your computer or send Countermail your public encryption key. A second mail server with a hard drive stores messages and files but this is only accessible using the diskless webserver and no IPs are leaked.
The email service is based on a custom Squirrel email interface. You have the ability to automatically sign and encrypt email messages in your browser within webmail, including attachments, with the standard OpenPGP.
In Countermail settings you can import and export encryption keys, when you email someone Countermail will automatically encrypt the message with the key found in your keyring and if none is found you will be notified. Communicating with other Countermail or Hushmail users does not require you to have the receiver’s key, it will be automatically fetched for you.
You can create aliases under the countermail.com or cmail.nu domain name and distribute these disposable email addresses without never revealing your main inbox, it is best to do this from day one and if you receive spam you can delete the address. I advice you to choose a cryptic alias because after you erase it someone can register it straight away and any emails meant for you will go to that other person, it happened to me that I registered a very common alias @countermail.com address and I received messages meant to be for someone else, I never abused the content but I could have done.
The company claims to keep no logs of when you log in and out, email back ups are kept encrypted in Countermail servers for 7 days and rotated, the company headquarters and mail servers are all based in Sweden, your usage of their service is subjected to Swedish law.
When you send a webmail message your computer IP will be stripped from the headers and swapped by 127.0.0.1, if you use SMTP an anonymous German or Swiss tunnel IP will show in the headers. Other Countermail security practises include disabling HTML messages by default, you have to click on view HTML if someone sends embedded images.
If you click on a URL inside an email message it will be automatically deferred to stop the website server from seeing how you got there and clicking on the escape key on your keyboard will log you out of Countermail and take you to the page of your choice, this is meant to be an emergency log out key.
I wanted to play the paranoid card and I did not want Countermail to hold my encryption keys and it is necessary to note here that my Countermail private keys are created in my own computer and only send to their servers after they have been encrypted, but it did not feel right to trust someone else with something as important.
I communicated with other people deploying my own keys and it reduced webmail functionality, if the private encryption key is not uploaded to Countermail server you will get a Java error and you will not be able to view the message, you will have to download as attachment to your hard drive and save as text before decrypting it locally.
I contacted Countermail staff a couple of times about a problem I had importing a PGP public key and they replied to my support email in under 24 hours with helpful advice about how to get copy and paste right.
There are non email features included with the package, a bookmark and notes storage inside what they call “Safebox“, I found it very basic but no harm being there. You also get a calendar and an XMPP chat server compatible with Jabber clients like Jitsi and you can use Countermail portable downloading the prebuild Firefox Portable browser with Java from Countermail servers or set the email service with your own domain name for a one time fee.
Another option is to buy a USB key from Countermail that will be used as keyfile to login into your account, if your password is stolen nobody will be able to login unless they physically have the USB key in their power. I only used the email service during all this time, I can’t comment too much about the rest, I only glanced at it.
Overall, I think that this is one of the very few email services that not only protects your privacy with encryption but also makes your IP untraceable by not keeping logs. There are a dozen other encryption email services out there in the market and Countermail is one of the very few being very clear about not keeping any logs.
If you don’t need high level anonymity and are only concerned about email encryption (privacy), you might find cheaper and simple to use email services, but if you care about how long for your email provider keeps logs, about being able to pay in Bitcoins, and about your email service taking proactive measures to stop state surveillance as well as your email provider being located outside the USA, I don’t think there are too many competitors to choose from, it is either Countermail or Anonymous Speech, and I think that Countermail has better security with their diskless servers and by only keeping your private encryption keys after they have been first encrypted in your computer before they are uploaded to the server.
Assuming Countermail does everything as they say, it seems to be good value for money for those after a high degree of email privacy and anonymity.
And if you want a free anonymous email alternative, download Tor, OpenPGP Studio and combine it with any email provider, it will also get the job done.