On email privacy: can I store my own email and relay them through an email provider?
-
But like in 2025 there is still no mechanism to do true end to end without manually setting up pgp? Meaning when i browse using https i do not need to think or anything. It happens automagically. But with emails, where do i even start with pgp when i use gmail via email client like thunderbird
No.
Use S/MIME or PGP and directly encrypt emails to your recipient. This is the only E2E encryption available to email.
The best metaphor for email I've found is that you're writing your message on a postcard and handing it to your neighbor closest to the destination, who hands it to her neighbor, and so on, until it gets there. There are usually fewer hops, but also your email is broken into packets which could go through god knows how many routers, each of which can read your email.
E2E requires setting up a private key; RFC 821 provided no such mechanism. Your only option is out-of-band negotiation, like PGP.
There is a good proposal out there that sets mail headed announcing that you accept encrypted emails, and includes information about your ID, which clients could parse and verify against public key servers; it hadn't really gained a lot of traction, as it causes issues for data harvesters but also at the end user side. Like, how is notmuch and mairix supposed to handle these? They'd need permanent access to your private key to decrypt and index the emails, and then now your index is unencrypted.
There's been a fair amount of debate about this, and it's a lot of work that would need coordinating between teams of volunteers... it hasn't made much progress because of the complexity, but it's a nice solution.
-
Amazing comment. Saved. Thank you so much.
Indeed, I have thought about hosting my own email, but the problem of dealing with IP blacklists made it seem not worth it.
Thank you so much for the explanation on DKIM and SPF. It makes sense to me now, indeed I didn't really have a clue about either of these before I read your comment. Thank you for breaking it down.
I use sendgrid as my outgoing smtp relay to avoid ip reputation issues you mention. You still have to configure your dns settings for spf and dkim pointing at their servers instead of yours. Their free tier is 10x the email I’ll ever send so it doesn’t cost anything. There are a few companies in this space with free tiers. It works, but it isnt Gmail level deliverability. I still get spam binned occasionally.
-
Only thing I can comment on is that 99% of all E-Mails you will get are unencrypted and can be read by your relay. (There are few e2e encrypted emails being send.)
So either trust them or don't use a relay.
Not true that most incoming email will plaintext. It’s the opposite:
“Most of today’s email services, including Gmail, employ transport layer security (TLS) to protect emails in transit”
Ref: https://umatechnology.org/gmails-new-encryption-can-make-email-safer-heres-why-you-should-use-it/
-
But like in 2025 there is still no mechanism to do true end to end without manually setting up pgp? Meaning when i browse using https i do not need to think or anything. It happens automagically. But with emails, where do i even start with pgp when i use gmail via email client like thunderbird
Https give you encryption in transit. The files you view will be accesible to the host.
Same idea with email.
-
I use sendgrid as my outgoing smtp relay to avoid ip reputation issues you mention. You still have to configure your dns settings for spf and dkim pointing at their servers instead of yours. Their free tier is 10x the email I’ll ever send so it doesn’t cost anything. There are a few companies in this space with free tiers. It works, but it isnt Gmail level deliverability. I still get spam binned occasionally.
The previous commenter mentioned mxroute and I got sendgrid from your comment. I will look at these products, is there any other provider that you recommend?
-
Not true that most incoming email will plaintext. It’s the opposite:
“Most of today’s email services, including Gmail, employ transport layer security (TLS) to protect emails in transit”
Ref: https://umatechnology.org/gmails-new-encryption-can-make-email-safer-heres-why-you-should-use-it/
The emails are unencrypted, emails in transit are in transit between the e-mail servers and relays and use secure tls channels.
They are only encrypted from your phone/notebook/browser to the server, then when send they will be encrypted till the next server.Every server/relay first decrypts everything send to it, because it has to due to the TLS terminating at each server.
See also your source:
Transport Encryption: This form of encryption is used to secure your emails while they are transmitted over the internet. Most of today’s email services, including Gmail, employ transport layer security (TLS) to protect emails in transit. While it encrypts emails between servers, it doesn’t protect the content once it reaches the recipient’s inbox.^1^
In practical terms, Your e-mail server, your e-mail servers relay (if it has any) and your recipients relay server/server can all read your email unless
End-to-End Encryption (E2EE): E2EE takes encryption a step further. It ensures that only the sender and the recipient can decrypt and read the emails. Even the email service provider cannot access the contents of the email. E2EE is typically achieved through third-party encryption tools or services.^1^
Which takes active effort from both the sender and the recipient to make work - it's almost only possible with people you know and little else.
^1^ https://umatechnology.org/gmails-new-encryption-can-make-email-safer-heres-why-you-should-use-it/
-
Yeah, in 2025 doing encrypted email is a painful process. Every option is a hack on top of a 43 year old protocol.
Here is a howto from Mozilla on pgp with Thunderbird. It isn’t a pleasant process.
https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq
Luckely we're not relying on emails for security relevant and or private information, right?
-
I previously looked into doing exactly this, and recall this comment on HN: https://news.ycombinator.com/item?id=31245923
One could argue the price of smtp2go at $150/yr is a bit steep, but it would also neatly avoid issues with sending outbound mail, since you're paying them to deal with those headaches. For inbound mail, I can't see why any mail operator wouldn't deliver to the server designated by your MX records, though you'll also have to deal with spam and other concerns vis-a-vis self hosting.
On the same thread but different comment, VPS operators might already run an SMTP server that you can relay through.
I wish you good luck in this endeavor!
Thanks. After speaking with some others here, I've realised that this is actually quite doable (in theory). The other commenter has a great note on DKIM and SPF that I'm sure will help anyone looking to do this. Thanks for your help, I've also found a lot of companies offering a free SMTP server for a limited number of emails (which is more emails than I'll ever send so it works for me).
-
I don't see how you wouldn't have your email on an email providers servers - that's how email works. You send an email via a provider, they forward it to the destination address you've included with the email.
That destination address is another email provider's server, which holds it until the receiver connects and downloads it. Email is a store-and-forward system, designed at a time when users weren't always connected. It still works this way.
Email is old, so the fundamental mechanics are pretty simple, and encryption wasn't an option at the time - so it's sent in the clear. Otherwise it would require both sender and receiver (either at both ends, or the servers) to agree on an encryption to use.
It is possible. One can have IMAP hosted on their server and simply use the SMTP server operated by a different entity. There are companies offering SMTP servers for free as long as you're under the limit.
-
Not true that most incoming email will plaintext. It’s the opposite:
“Most of today’s email services, including Gmail, employ transport layer security (TLS) to protect emails in transit”
Ref: https://umatechnology.org/gmails-new-encryption-can-make-email-safer-heres-why-you-should-use-it/
TLS is a transport encryption. PGP is content encryption. The latter one is what is most important, even if almost no one uses it.
-
I use sendgrid as my outgoing smtp relay to avoid ip reputation issues you mention. You still have to configure your dns settings for spf and dkim pointing at their servers instead of yours. Their free tier is 10x the email I’ll ever send so it doesn’t cost anything. There are a few companies in this space with free tiers. It works, but it isnt Gmail level deliverability. I still get spam binned occasionally.
