VFEmail is a secure email provider that was founded in 2001. It is a small independent service that was extremely popular with its users until it suffered a catastrophic hack in February 2019. At that time, a hacker infiltrated the service and deleted every server and backup of VFEmail. As a result, users lost access to their inbox and the entire contents of their account - including their messages, contacts, attachments, and saved files.
Following the attack, reports surfaced that the service would likely never return. However, as of this moment, it appears to be up and running - and users are able to sign up for free or pay for a premium account.
The question of whether it is wise to take out a subscription - or even make use of the free plan - is a fair one. After all, it is not exactly understood why somebody decided to attack and destroy the service (there was no ransom as is often the case with these kinds of attacks). With this in mind, opening a VFEmail account seems risky and could lead to the loss of your entire inbox.
Despite the obvious concerns - the service is up and running again. So, we thought it would be best to check if we can shed any light on whether it is worth considering.
How much does VFEmail cost?
VFEmail allows users to enjoy its service for free. The free “Copper” subscription plan provides users with 10 Mb of email space; which is a very limited amount of storage space. However, users do get access to features such as a calendar, a notepad, a task manager, address book for contacts, and a folder for uploading and storing files. Copper also comes with SMTP/POP/IMAP functionality and unlimited disposable addresses. However, free users will have to suffer some adverts within the webmail interface. In addition, free users are limited to sending 10 emails per day.
A premium account can be purchased in either Bronze, Silver, Gold, or Platinum. Bronze provides everything from Copper plus: PGP encryption, Ad-free experience, IP masking, 3 permanent aliases, server-side filtering. Bronze costs a one-off fee of just $24.95 and provides 1 Gb of storage space.
A Silver account extends what you get with Bronze to include 3 Gb of storage, 400 emails a day message quota, 8 changeable aliases, a challenge-response system that verifies the sender is real, a non-us mailbox hosted in the Netherlands, and two custom domains of your choosing. Silver costs $15 per year.
A Gold account costs $30 per year and improves on the Silver account by adding 12 Changeable aliases, 5 custom domains, 5 user accounts, a Metadata Mitigator feature that automatically “rewrites your sender address to protect your privacy from log harvesting”, FTP Storage, a blacklist feature, and IMAP synchronization for two complete IMAP mailboxes. The Gold account comes with 5 GB of storage, unlimited bandwidth, and a 600 email per day message quota.
Finally, Platinum - which costs $50 per year - provides the same as Gold but with 15 changeable aliases, 15 custom domains, 15 individual accounts, 750 messages a day quota, and 20 Gb of storage.
- SMTP/POP/IMAP compatibility for synching email accounts
- Unlimited temporary disposable addresses
- Custom domains
- File storage
- PGP encryption
- Blacklist feature
- Up to 20 Gb of storage
VFEmail does not require users to provide any sort of identification to sign up. No separate email or phone number is needed, which means you can sign up using a VPN or Tor and gain privacy or anonymity from the service at sign up.
In order to encrypt emails with PGP it will be necessary to purchase a subscription, which, under the circumstances (considering its recent hack) is probably unwise. A free email account is not going to provide any provisions for sending secure emails. It does, however, store all emails encrypted at rest.
The same goes for IP address scrubbing. This feature and VFEmail's unique metadata obfuscation technique is only available on paid accounts. That obfuscation uses a system to conceal the from address and make it harder (but not impossible) to figure out.
The firm appears to provide secure TLS/SSL (HTTPS) for communicating with its servers, although, according to Qualys SSL Labs, the firm scores only a B. This is a low score when compared to the majority of top of the range email services. The reason given by Qualys is that the “server supports weak Diffie-Hellman (DH) key exchange parameters.”
However, it is worth noting that as far as we can tell the cipher suites look fine. And, because DH is only used for FS (not to secure the exchange itself, so Logjam shouldn't be an issue); we aren’t sure why Qualys is being so harsh.
The fact that the firm recently suffered a critical hack - that allowed an intruder to delete everything the firm had stored on its servers - is a troubling sign in terms of security. In addition, the firm’s admission that data on its webmail is likely vulnerable to attack by a sophisticated actor such as the NSA, is probably enough to put many people off (though does at least demonstrate that the firm is honest).
Using this email provider via a third party client with PGP is definitely going to be much more secure and means that (as long as you are willing to risk using a service that was recently hacked) it should be secure.
A roundcube client is also available and users can enable Mailvelope with this option. This means it is possible to send emails for free with PGP encryption if you know how to get Mailvelope up and running with roundcube (very easy). Once you have set it up, you will be able to share and receive public keys, import them to the keyring, and use the envelope icon from within email in the roundcube client to encrypt and decrypt emails using your password.
However, despite this useful functionality (which is nothing special because Mailvelope is compatible with most third-party email providers anyway); there still appears to be too many risks associated with VFEmail to be able to confidently recommend it.
Ease of Use
Starting an account with VFEmail is easy, and it is possible to do so without handing over any personal information. For free, users gain access to an email account with encryption at rest but no built-in PGP functionality.
We found the webmail interface easy to get around, and free users do get the use of a calendar, address book, tasks feature, notes, and a file manager for uploading and storing files securely on its servers.
Importing contacts can be done from in the address book and users are able to import via CSV file from any other provider.
Subscribing to any of the paid plans allows users to begin using the client with PGP encryption from within the webmail interface. However, users can opt to use PGP encryption via a stand-alone client using POP or IMAP (even on the free account). This will allow users to handle their keys locally and use the service much more securely.
Users are also given the option to sign in and use a RoundCube version of the webmail interface. This is an open source webmail client that many privacy-conscious users may prefer.
No PGP encryption is baked into the roundcube client, so you will need to use Mailvelope to send PGP encrypted email (and users can do so for free).
Customer service is only available via email, and despite attempting twice we were completely unable to gain any response from the firm. This is a bad sign that likely demonstrates that although the service is up and running again, it is not being properly staffed since the hack it suffered in February.
The site does have a number of guides and FAQs section. However, without being able to ascertain whether the firm is confident that it has patched up whatever vulnerability allowed it to be exploited it is very hard to recommend this service.
We would generally recommend against using this service - even if you are techy enough to use it without the need for any communication with the firm.
Overall, we found this email account relatively easy to use, and if it hadn’t recently suffered a catastrophic hack, it would probably be a service that we could recommend to anybody wanting to move away from Google or other invasive email services.
As far as privacy and security are concerned, the recent hack raises alarm bells and the fact that it is based in the US - and admits it will work with US authorities if served a warrant - is problematic. Even storing data on its Dutch servers is no longer a secure option due to the outcome of the Microsoft VS US case.
To conclude, we see too many holes in this service to be able to currently recommend it. Anybody who decides to use VFEmail needs to be aware that their email data could be at risk of either unwanted intrusion or possible loss of data due to another hack.
What’s more, the email service appears to be completely unmanned. And, it is impossible to get hold of anybody to get answers surrounding the status of the service following its recent hack. Considering what is available elsewhere at a similar price, we must recommend that you look elsewhere for a better email provider.