I have compiled my official mail provider recommendations. With any provider, you must always use your own domain.


Good: Down to earth. Unlimited domains, storage, etc. Full marks for philosophical, ethical, and technical merits.

Bad: Difficult to set up. UI is a bit confusing. Advertises itself in your signature in the free plan. Apparently blocks VPN and Tor users (I have reached out to them about this).

Note: Was unable to evaluate their webmail


Good: excellent PGP support and good on other security fronts as well

Bad: requires google captcha, does not handle plaintext as well as I'd like, german leaks through into the english interface sometimes, too scatterbrained


Good: Goes above and beyond in support for various standards and protocols, handles plaintext email very well. Lots of good options for account security.

Bad: rough UI

## summary

migadu is hard to set up but is the best all-around offering. If you're security concious, has the best PGP support and good all-around security; has good account security options but no built-in PGP support.

Evaluated but not recommended: disroot, fastmail,,, protonmail, tutanota, riseup,, teknik, megacorp mail (gmail, outlook, etc)

For anyone with multiple domains, multiple senders, sending email programmatically, or simply with the knowledge and patience to do so - I recommend setting up your own mail server.

For your own mail server, I recommend setting up a box with Alpine Linux, postfix, dovecot, and opendkim to sign outgoing email, with no webmail. I also recommend running your own DNS server with bind9. Test your mail configuration with

I do not endorse any fast-and-easy docker-based solutions.

@sir Can you elaborate on why you don’t recommend the docker-based solutions for self-hosting? (I assuming including mailu, mail-in-a-box, &c.)

@emacsomancer @sir i don't use docker for anything at this time. i don't see the productivity gains for my use case, and i feel like it adds security risk.

@ITwrx I can think of lots of things not to use Docker for, but the roll-your-own-email setups seemed, on the surface, to be a reasonable use-case for Docker. Though I still have a vague unease about them.


@sir i'm using mail-in-a-box currently, but i'm going to need to migrate that whole thing to alpine so it can integrate properly with my sourcehut install. took this route to get things off the ground quickly, but it isn't flexible at all lol

@sir I would add here that a big challenge is getting an IP with a clean bill of health from whichever hosting provider this server ends up on.

And that it may also mean not being able to reliably send email to megacorps for at least a year (or in case of forever because they're that obnoxious) no matter how perfect your setup is with all the bells and whistles.

Whether that is a dealbreaker or an advantage is very subjective :)

@cmsirbu it's not especially difficult to get your IP cleared of wrongdoing

Maybe not difficult, but tedious. Microsoft for example is known to block whole /24 subnets for spam. If anyone on your network subnet is using the IP for spam, its pretty easy to get caught on the backwash and you need to deal with a lot of unsupportive staff to get of their blacklist. These kind of unwritten rules by the big three made me stop hosting my own mail in the end.

@cmsirbu @sir i too have received recycled ip addresses that had been abused by the previous leasee and placed on spam lists and it was easy to get them cleared. YMMV.

@sir A few more tips: You generally do not need a database server to manage multiple logins with virtual users. Disregard any tutorials that tell you otherwise. Postfix can authenticate via Dovecot and that can easily use a simple text file with user/auth/mailbox mappings.

Sieve scripts are extremely useful.

Instead of opendkim, you can also use amavis, which additionally takes care of validation and spam handling. Not difficult to set up.

(OT) And speaking of running your own DNS: It may be a good idea to run iodined so you have a way to bypass overzealous firewalls and captive portals/surveillance mechanisms of “free” public wifi networks.

@sir i use archlinux, postfix, dovecot and rspamd with dnsmasq and dnscrypt-proxy. thanks for the reminder about opendkim and bind9. i like alpine so far overall, and it looks to have a low attack surface, but i haven't used it enough to put it in production.

@sir rspamd is also a great addition, implements the opendkim and spamassassin stuff and greylisting in one tool.

@sir Even if you do not recommend "easy docker solutions", I think they are great though. for example lets you setup a mail server with good defaults. It's best when you don't want to read hundreds of documentations to set every configuration correctly.

@sir agree rolling your own is the best way if you can. Personally I use OpenBSD because OpenSMTPD config is a dream to write (+ dovecot, DKIMproxy, no webmail)

@sir I do run a mail inbound server across eight #openbsd boxes running #opensmtpd and #spamd and #spamassassin, so I dont have to reinvent every backyard mailserver.


How 'bout @Yunohost ? sets up mail and XMPP server, infinite domains (provides suggested DNS), and you can choose from several optional webmail apps to self-host. Is not a docker.

Worst issues: currently debian 9. When installed as OS on arm, *I* have been unable to use imap clients (there may be workarounds, but not discovered as yet.)

#Yunohost How do you handle your interactions with gmail? I set up my own mailserver using dkim, spf and so on, i am getting 10/10 points on but google still flags my mails as spam.

@containsliquid gmail doesn't flag my emails afaik, but I don't do anything special Thank you. I think i have to take a look at their postmaster program.

Could you expand on why not fastmail? I'm guessing the others didn't make the list because they do not allow custom domains or use nonstandard protocols, right?

Also check out purelymail. It's new, but seems promising

@sir why not disroot, riseup and I think they are the only good free email providers.

@sir I can honestly recommed #uberspace. Good mixture of privacy, control and painlessness. Basically a shell on a shared host with mailserver setup, you can use dotqmail, maildrop, etc. Hosted in Germany, so good data protection & privacy regulations. Unfortunately, some documentation seems to be only available in German... Worth checking out (some of their staff is in the fediverse), but you've probably decided already.

@sir It's one of those hosters where asking why Chromium shows that TLS security could be improved, gets the founder to write you a multi-page Email explaining that security is fine, up to modern standards, and its more important to avoid Java 7 clients breaking. :)

@sir What speaks against Tutanota? I've been with them for a few months and have been quite happy so far (limited filtering options, but super fast and beautiful web UI and mobile app).

@solarkraft same psuedo-secure gaslighting protonmail engages in

@sir I’d be interested to why you didn’t like Fastmail

@sir I've been using fastmail for my personal domain for several years now. Why "not recommended"?

@sir Maybe in the future it will be possible to register domains on RSK, which will be accepted by DNS providers. (I want to believe)

@sir There are a particular reason to exclude Posteo from the list? I saw it many time on posts, blogs, comparatives as a good alternative to mailbox

@t0rrex if your email is not on your domain, that's a very big deal breaker. Posteo doesn't even let you pay for a custom domain.

@sir Just curious what was the downside you found with Fastmail? I'm delighted with them. They care about standards, their web UIs are actually accessible, and their tech sport is superb.

@feoh Australlia has completely unacceptable encryption/data security laws



I'd like to know what's wrong with riseup as well. They look great outside of not providing custom domains. They have unlimited aliases, 1 GB of storage and encrypt your inbox with your password.

@kayg @nurinoas it was broken when I tried, I couldn't get signed up

@sir Thanks for recommending Migadu! Never heard of them before, but they seem great. Just reached them about server-side Sieve support and they replied in like 15 minutes that they're planning to release it in a few weeks. Think I might finally switch from fastmail.

@sir just curious, why don’t you recommend #fastmail? That’s what I use now but I’m open to switching if there is some shady stuff I don’t know about...!

@sir thanks for that exhaustive list, it is super useful! I can see that is not in. I am just a regular user (not working for them / linked in any way) and is a good contender IMO. The UI is a bit rough but you get used to it quickly enough!

@sir On the UI part, they're progressively rolling out Runbox 7, which is GPLv3+
@sir also I don't know how this just appeared in my tl after 6 months lmao

@sir Hello, I've been using Runbox, with my own domain for a few years, and I'm now considering Protonmail. 2 avantages of the latter : "zero access encryption at rest" and it's located in Switzerland (so out of 5 / 9 / 14 Eyes, contrary to Runbox's Norway). Meanwwhile, I just discovered you thanks to your post about Signal (in which you make very valid points !), so I'm very eager to understand why Protonmail should be avoided.

@saroumane Protonmail lies about the capabilities of its encryption - it's entirely plausible that they would start recording your plaintext emails, perhaps in response to a sopeana, or a change in ownership, and you would never know. They then use these faux-privacy guarantees as justification for not supporting industry standard & open protocols, which is just a cover for promoting vendor lock-in.

@sir "Protonmail lies about the capabilities of its encryption" Any pointers about that ?

1. I send an unencrypted email to
2. My mail server connects to and writes the unencrypted email to their servers
3. ProtonMail now posesses the unencrypted email


@sir I think you missed the "at rest" part in "zero access encryption at rest". Of course they can make a copy of every email coming in their server. But that's a different problem. A kind of "No logging policy" vs "Storage policy".

@saroumane policies are okay but actual mathematically guaranteed security is a hell of a lot better. Use PGP. Encryption at rest is a feel-good promise which doesn't actually make any real security guarantees and is a piss-poor justification for conveniently excluding open and standard protocols that would prevent vendor lock-in

@saroumane if you want to be another faux-securitybro sucking off ProtonMail then by all means, just leave me out of your leaps in reasoning

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!