Mailfence

Type of site: Webmail
Available in: English, Spanish, French, German, Dutch, Italian, Portuguese and Russian
Owner: ContactOffice Group
URL: mailfence.com
Commercial: Yes
Registration: Required
Launched: 12 November 2013
Current status: Online
Content license: Proprietary

Mailfence is an encrypted email service with a focus on security and privacy that offers OpenPGP-based end-to-end encryption and digital signatures for emails. [1] [2] It was launched in November 2013 by the Belgium-based company ContactOffice Group, which has been operating an online collaboration suite since 1999. [3]

History

Development

In mid-2013, the Mailfence project was started by the founders of ContactOffice.

In March 2016, a beta version of end-to-end encryption and digital signatures for emails was released. [4]

Mobile interface

In January 2021, Mailfence released a progressive web application for mobile devices. [5]

Block in Russia

On 5 March 2020, Mailfence reported that its SMTP servers had been blocked by Russia-based email services. The block was in response to its refusal to submit a Notice of Commencement of Collaboration to Roskomnadzor (the Federal Supervision Agency for Communications, Information Technology, and Mass Communication) of the Russian government. Mailfence did not respond to this request, stating that the resulting obligation to provide information about users would violate its Terms and Belgian federal law. [6]

Features

Mailfence provides secure email features, with other functions such as Calendar, Contacts, Documents and Collaboration. [7]

Mailfence Email

The service supports POP/IMAP and Exchange ActiveSync [8] as well as vanity domains with SPF, DKIM, DMARC [9] and catch-all address support. [10] Users can send both plain and rich text emails, organize messages in folders and/or categorize them with tags, add notes by commenting on each message, and create default message signatures for every sender address. Different identities can also be managed using aliases and filters for incoming emails.

The email application is based on the ContactOffice collaboration suite, which supports POP/IMAP and Exchange ActiveSync [8] as well as vanity domains with SPF, DKIM, DMARC [9] and catch-all address support. [10] It was enriched with security and privacy features in 2016 at the launch of the Mailfence service, including: managing access or generating specific passwords for web and non-web services, two-factor authentication, spam protection alongside plus addressing, sender address blacklist and whitelist,

Mailfence Contacts

Contacts can be imported (CSV, vCard, LDIF), exported (vCard, PDF) and accessed using CardDAV. [11] Users can organize them with tags and can also create contact lists.

Mailfence Calendar

The calendar supports vCal/iCal import and export and can be accessed using CalDAV. [12] Users can share their calendars with group members and can also create polls. [13]

Mailfence Documents

Documents can be accessed using WebDAV or edited online. Users can drag and drop files into folders, categorize them with tags, and add notes by commenting on each file. [14]

Mailfence Groups

Groups allow users to share mailboxes, documents, contacts and calendars and to chat instantly with group members in a secure way. A group administrator manages the access rights of group members and can also set another group member as co-admin or the main admin of the group. [15]

Mailfence Polls

Mailfence Polls is a meeting scheduler that claims to be secure and private.

Mailfence Chat

Mailfence chat is based on the Jabber/XMPP protocol. First named Jabber, then XMPP (Extensible Messaging and Presence Protocol), this open-source protocol was created for instant messaging.

Web-based clients

The web-interface comes with an embedded IMAP, POP3, CalDAV, and WebDAV client. Users can add external accounts and manage them centrally in the web-interface. [16] [17]

User management

Account owners can create and manage user accounts using the admin console. [18]

Server location

Since its servers are located in Belgium, [19] they are legally outside of US jurisdiction. Mailfence is therefore not subject to US gag orders and NSLs, notwithstanding extradition treaties with the US. [20] [21] Under Belgian law, all national and international surveillance requests must go through a Belgian court. [22]

Security and privacy

Mailfence claims to be secure and private on their website, [23] offering most conventional security and privacy features, but they also claim to support some less-common privacy and security enhancing features:

Transport security

Like most major e-mail services, the service claims to use TLS with ephemeral key exchange to encrypt all internet traffic between users and Mailfence servers. HSTS, MTA-STS and DANE standards are also supported. [24] [25] [26]

End-to-end encryption

The service uses an open-source implementation of OpenPGP (RFC 4880) for emails. The OpenPGP keypair is generated in the client's browser, encrypted (via AES-256) with the user's passphrase, and then stored on the Mailfence server. Since December 2018, the service also supports end-to-end encryption for emails using a shared password. [27]

OpenPGP signatures

The service gives the choice between "signing", or "signing and encrypting" an email message with or without attachments. [28]

Integrated Keystore

Since its launch in 2017, the service provides an integrated keystore to manage OpenPGP keys. [29] OpenPGP keypairs can be generated, imported or exported. [30] Public keys of other users can be imported through file or in-line text. Mailfence also supports Web Key Directory besides key discovery via public key servers. [31] [32]

Full OpenPGP interoperability

Users can communicate with any OpenPGP compatible service provider. [33]

Warrant Canary and Transparency Report

The service maintains an up-to-date transparency report and warrant canary. [34] [35]

References

  1. Johnson, Dave. "The 7 best secure email providers". Business Insider. Retrieved 7 April 2024.
  2. "The 5 Best Secure Email Services for 2024". Lifewire. Retrieved 7 April 2024.
  3. "ContactOffice launch and users". 29 December 2016.
  4. "BETA launch of a pure end-to-end encrypted email solution that gives you full control". 10 March 2016. Retrieved 25 May 2016.
  5. "Mailfence mobile app goes out of beta". 14 January 2021. Retrieved 14 January 2021.
  6. "Mailfence email servers blocked in Russia". 5 March 2020. Retrieved 5 March 2020.
  7. Leonard, John. "Escape from Yahoo: Nine encrypted email alternatives". Retrieved 11 October 2016.
  8. Skjefstad, Vegard. "Secure and Private E-mail: A Provider Overview". Archived from the original on 21 September 2015. Retrieved 1 August 2015.
  9. "Spoofing defense for Custom domains: SPF, DKIM, DMARC". 8 January 2018. Retrieved 8 January 2018.
  10. "Mailfence Release Notes Dec 2017". 5 December 2017. Retrieved 5 December 2017.
  11. "Mailfence Contacts: a secure contact management software". 28 February 2018. Retrieved 27 June 2018.
  12. "Mailfence Calendar: a secure online calendar to schedule, manage and track meetings & events". 31 October 2017. Retrieved 9 March 2018.
  13. "Mailfence Polls: simple and secure meeting scheduler". 28 November 2017. Retrieved 28 November 2017.
  14. "Mailfence Documents: secure file sharing, storage and collaboration". 9 November 2017. Retrieved 9 November 2017.
  15. "Mailfence Groups: secure group collaboration". 5 September 2017. Retrieved 5 September 2017.
  16. "How to encrypt email with Gmail and Outlook.com or any other provider". Retrieved 11 October 2017.
  17. "POP3 vs IMAP vs Exchange ActiveSync. What's the difference?". Retrieved 22 September 2017.
  18. "Manage your users with the mailfence admin console". 21 March 2019. Retrieved 21 March 2019.
  19. "The Mailfence SSL/TLS Certificate". 10 June 2016. Retrieved 10 June 2016.
  20. "United States Extradition Treaty with Belgium".
  21. "United States Supplemental Extradition Treaty with Belgium".
  22. "Mailfence privacy policy". Archived from the original on 18 July 2014. Retrieved 12 November 2013.
  23. Mailfence. "Secure and private email | Mailfence encrypted email service". Mailfence. Retrieved 19 March 2024.
  24. "SSL Report: mailfence.com". Qualys SSL Labs. 10 June 2016. Retrieved 14 January 2021.
  25. "MTA-STS validator - Mail Hardener tools". Retrieved 27 July 2022.
  26. "DANE SMTP Validator". Retrieved 14 January 2021.
  27. "Email Encryption". OpenPGP. 22 January 2024. Retrieved 7 April 2024.
  28. Thomas, Mike. "A (mostly) In Depth Review of Mailfence". Archived from the original on 20 December 2016. Retrieved 1 September 2016.
  29. Schürmann, Dominik. "OpenPGP Email encryption. For all operating systems. Standing the test of time". Retrieved 1 September 2016.
  30. Tschabitscher, Heinz. "Encrypted email services keep your messages private". Retrieved 3 June 2018.
  31. "Mailfence's OpenPGP keystore gives full control over key management". 17 May 2017. Retrieved 17 May 2017.
  32. "Mailfence keeps on improving security for its users". 22 December 2021. Retrieved 22 December 2021.
  33. "Encrypted email service providers". v. Archived from the original on 18 May 2016. Retrieved 25 May 2016.
  34. "Transparency Report and Warrant Canary". 29 April 2016. Retrieved 29 April 2016.
  35. "Service review". Retrieved 20 February 2019.