Why I Fled Mailbox.org for Protonmail
A bumpy ride to get privacy-respecting e-mail
The Goal
As I described in the post Privacy for Non-Fanatics, I have recently been on a budget-friendly quest to claw back at least some of my privacy from the ever-expanding silicon giants.
Something that bothered me in particular was e-mail, through which a surprising amount of sensitive information is being sent in the UK - this would be considered highly inappropriate - if not outright illegal - in Denmark.
The Journey
In the end, after being disappointed with the initial look and feel of MailFence, I went for the Germany-based Mailbox.org. These are both options that are highly praised in online reviews, but given my experience with Mailbox.org I find it hard to believe that even the more reputable tech sites did a thorough test of the service.
I had wanted to avoid ProtonMail out of a concern that they don’t offer regular IMAP/SMTP connectivity, but require the use of “ProtonMail Bridge” to be able to use other mail clients than the ProtonMail web service.
This is important to me, as I currently use 5 e-mail accounts due to different organisational affiliations, and this would be entirely unmanageable if I were to use individual inboxes on webservices.
The Problem(s)
As I was setting up SPF and DKIM on Mailbox.org, I had some problems due to an error in their “knowledge database”, which suggests using an SPF-type entry to set up SPF. While this might have made sense at the time of writing that entry (presumably referring to RFC4408), this document was made obsolete in 2014 with the introduction of RFC7208. RFC4408 was only ever experimental, and in the RFC7208 specification SPF-type RRs are no longer valid and should be changed to TXT.
SPF records MUST be published as a DNS TXT (type 16) Resource Record (RR) RFC1035 only.
[…]
Use of alternative DNS RR types was supported in SPF’s experimental phase but has been discontinued.
- RFC7208 § 3.1
Note the use of discontinued as opposed to deprecated. Using SPF RRs is not just discouraged, it is forbidden and invalid - and has never been valid except in the experimental RFC!
As a result of using the wrong RR type (by following the mailbox.org guide), I couldn’t get Google to accept my SPF record, which was obviously not ideal. Eventually I figured out the issue and wanted to highlight this to Mailbox.org and filed a ticket with their support.
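The RR-type problem described above can be checked mechanically before a receiver ever rejects the record. The following is an added example, not part of the original post: it audits zone-file lines for the discontinued SPF RR type and applies the RFC 7208 record-selection rules to the TXT records. The zone data, `example.org` and `spf.provider.example` are constructed placeholders.

```python
import shlex

# Constructed zone-file lines (example.org is a placeholder domain).
SAMPLE_ZONE = """\
example.org.      3600 IN SPF "v=spf1 include:spf.provider.example ~all"
example.org.      3600 IN TXT "some-site-verification=abc123"
mail.example.org. 3600 IN TXT "v=spf1 include:spf.provider." "example ~all"
"""

def parse_zone(text):
    """Yield (owner, rrtype, rdata) from one-line 'owner ttl class type rdata' records."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _cls, rrtype, rdata = line.split(None, 4)
        # RDATA is one or more quoted strings; RFC 7208 section 3.3 says
        # they are concatenated with no separator before evaluation.
        yield owner.lower(), rrtype.upper(), "".join(shlex.split(rdata))

def is_spf(txt):
    # Record selection (RFC 7208 section 4.5): the version tag "v=spf1"
    # followed by a space or the end of the record.
    low = txt.lower()
    return low == "v=spf1" or low.startswith("v=spf1 ")

def audit_spf(zone_text, domain):
    """Return findings for `domain`; an empty list means the SPF publication looks valid."""
    domain = domain.lower().rstrip(".") + "."
    records = [(t, d) for o, t, d in parse_zone(zone_text) if o == domain]
    findings = []
    if any(t == "SPF" for t, _ in records):
        findings.append("SPF-type (type 99) RR present: discontinued, RFC 7208 receivers query only TXT")
    spf_txt = [d for t, d in records if t == "TXT" and is_spf(d)]
    if not spf_txt:
        findings.append("no TXT record starting with v=spf1: SPF check returns 'none'")
    elif len(spf_txt) > 1:
        findings.append("multiple v=spf1 TXT records: SPF check returns 'permerror'")
    return findings

if __name__ == "__main__":
    for name in ("example.org", "mail.example.org"):
        print(name, audit_spf(SAMPLE_ZONE, name) or "OK")
```

For `example.org` the audit reports both the type 99 record and the missing TXT policy, which is the situation the post describes; `mail.example.org` passes because its policy is a single TXT record, even though it is split across two strings.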
After having waited 12 days for a reply from their support team, I sent a quick follow-up to their support team, in which I very politely explained that I was still hoping for a reply and had become worried I was forgotten by them. 😢
After another couple of days, taking the total wait for a simple support ticket up to over 2 weeks, they finally got back to me. It wasn’t quite what I was expecting though - Germans are usually known for their formality and thoroughness, but I was left with a short, unhelpful reply written in some fairly broken English. No apologies for, or acknowledgement of, my inconvenience.
While I hadn’t been impressed with the dated look of the website, the UX issues with their online application, or the fact that you’d suddenly wander into parts of the application still in German, it was my experience with their support that broke the camel’s back - I simply didn’t feel comfortable staying with Mailbox.org.
Additionally, they don’t support recurring payments, nor do they appear to remind you when your balance is running out. I was one day from running out of credits when I finally left them, but hadn’t gotten any reminder to add my credits to my balance - I dare not think what happens when you run out of credits.
Update (2021-06-14)
Despite me having deleted my account, Mailbox.org continues to send me e-mails through their Jira support platform. I obviously cannot read or access these since I don’t have an account, but I get the nice notification e-mails nonetheless. It appears that the case has been closed after no less than 29 days.
Here is the kicker: The knowledge database still reflects a blatantly disallowed configuration that leads to failed SPF checks - Despite my helpful reminder 🤦. Come on…
Steer clear of Mailbox.org
I really hope people steer clear of Mailbox.org in the future. While their heart might be in the right place, they seem very far from a reliable provider, especially for something as critical as e-mail. It should be noted that I was on the 3€/mo plan.
It appears I am not alone in my experience: Other frustrated customer
Oh, and the guide still has not been fixed! 🤦
The Solution
ProtonMail’s paid offering is slightly less featureful than a comparable plan with Mailbox.org, but in return you get a solution that works much better and is far easier to use. Encryption is also enabled out of the box.
Unlike Mailbox.org, who actively guide you towards an invalid SPF setup, ProtonMail helps you set up SPF, DMARC, and DKIM - further, they even check that they are set up correctly and their automatic service spotted and alerted me to a typo in my DMARC setup! Absolutely amazing.
Even the ProtonMail 3.x version, which is due to be replaced with the even snazzier ProtonMail 4.0 very soon, had an excellent user experience and setting up ProtonMail Bridge for use with Outlook was easy and reliable.
I do kind of miss having 5 custom domains for the price of 3€, but I only really need one, which I get for the price of 3.3$/month (≈2.7€/month).
The Android app seems nice and I am really looking forward to using ProtonCalendar, once that has a couple more features that currently prevent me from switching over from Google Calendar.
I should add that this definitely isn’t sponsored, I am just really impressed with ProtonMail and really unimpressed with Mailbox.org…
TL;DR
Mailbox.org is a super poor choice for an e-mail provider.
ProtonMail is really good, but can be expensive if you need a lot of custom domains. It also won’t work for you if you need to use a non-Proton client on mobile.
ProtonMail is the king of mail providers, and with very good reason.