Being based in Belgium, the service falls out of the scope of Five Eyes. On the other hand, Belgium does enforce some mandatory data retention directives that seem to apply to email providers. Luckily, these directives are strict and only permit the authorities to gain access with a warrant under very specific circumstances.
However, Belgium’s insistence that blanket data retention is useful for investigative purposes (and may even be good for citizens’ human rights!) is probably enough to put some people off. In addition, Belgium is part of the greater 14 Eyes surveillance agreement.
On the plus side, Mailfence does "maintain an up-to-date warrant canary and transparency report listing", which allows consumers to keep a watchful eye over whether the service has been compromised by the authorities.
How much does Mailfence cost?
Mailfence is a secure email provider that has a free subscription plan where users get access to an account with 500Mb of storage. The free service heavily restricts the use of the calendar and contacts features, however, and does not permit any synchronization across devices. In addition, it restricts group collaboration features to just one group with two members.
The only restriction to Contacts and Calendar usage for free is 1000 contacts or 1000 events.
The entry-level subscription plan costs just €2.50 (approx. $2.83 at the time of writing) per month – which is probably affordable for most people (and is the one we tested). However, compared to the popular service Posteo – which costs just $1.13 per month – it can be considered a little pricey. Within the Entry subscription, you get full synchronization, calendars, contacts, three groups with 10 members, 5GB-worth of messages, a custom email domain, 10 aliases, and 12GB for documents and other data.
If you want a little more, you could opt for the "Pro" plan – which extends storage capacity to 20GB for messages and 24GB for documents. The Pro plan does not add any further functionality to the entry-level plan, but lets subscribers create five Groups with up to 20 users, manage 5 custom domains and 50 aliases. Full support is available with both the Entry and Pro plans. Pro costs €7.50 (approx. $8.50) per month, which might seem pricey but is actually pretty good for enterprise use.
The Ultra plan is a new subscription that affords you a staggering 50GB for emails, 70GB for other documents, and 100 aliases across 7 groups. Functionality is much the same as other packages, however, priority is placed on Ultra customers, who have access to a 24/7 support line. It doesn't come cheap, of course, as it'll set you back €25.00 (approx. $28.36).
Users can elect to pay via credit card (Visa or Mastercard) or using cryptocurrencies (Bitcoin or Litecoin) for added privacy. Users can also opt to pay using PayPal.
The fact that this service is funded by the paid plans allows Mailfence to exist without advertising; which is why this secure email provider is often a choice for people looking to de-Google.
Features overview
For the cost of $2.77 per month, users get access to the following features:
- Send end-to-end encrypted emails with OpenPGP. Mailfence lets users send secure PGP emails to all the major email providers. Both signed and encrypted messages can be sent. Mailfence also provides complete control over OpenPGP key management with its integrated keystore.
- Supports POPS, IMAPS, and SMTPS. Popular email protocols are supported for sending and receiving emails across various providers.
- Password encrypt emails. This feature is based on symmetric encryption and allows users to password encrypt emails (encryption and decryption by sender and receiver) within their browser. This allows emails to be sent encrypted with a key that is never shared with the Mailfence back-end (known as a zero-knowledge framework). The encryption is based on an audited open-source cipher library and permits Mailfence users to send encrypted messages to non-Mailfence users.
- Full synchronization: Synchronize your accounts via desktop and mobile devices via Exchange ActiveSync (EAS).
- Groups: Securely communicate, manage and share files, contacts, calendars, and mailboxes with other members of your groups.
- Calendar, contacts, polls, and documents storage: The availability of these features allows people who are used to using Google’s suite to migrate while still retaining most of the functionality they are accustomed to.
- Custom domain support: Users can decide between Mailfence or unique domain name email addresses of their choice.
- Two Factor Authentication: Users can use 2FA apps to further protect their account, and can create service specific passwords for SMTP, IMAP, POP, EAS, xDAV and XMPP protocols (or disable those services if not used).
- Qualys SSL Labs rating: Mailfence’s website scores highly with this independent rating website: A+ with HSTS and PFS.
- Strips IP address from sent emails: However, the privacy policy does state that Mailfence stores a number of logs including IP addresses – presumably to comply with Belgian laws.
Privacy
Users do not need to provide a real name to subscribe to Mailfence, and it is possible to use a burner email address and to pay in cryptocurrencies in order to set up the account in privacy. However, the privacy policy does create some concerns when it states that:
We collect IP addresses, message-ID's, sender and recipient addresses, subjects, browser versions, countries and timestamps.
This collection occurs in order to comply with Belgian data retention directives that came into effect in 2016. However, the firm reminds users that (unlike the US and the UK) Belgium does not enforce gag orders, which means that if it were ever asked to hand over any data, it would be able to inform its users. It also has a warrant canary and publishes a transparency report, which again allows the user to keep a close eye on what the firm is doing.
Despite these attempts to remain transparent about its processes; there are definitely going to be some consumers that prefer a no logs email provider (and, to be fair, these do exist). However, the option is there to use a VPN in combination with this email provider; which would conceal the user’s real IP address from Mailfence.
Finally, Mailfence states that its employees are all bound by a confidentiality agreement that forces them to protect all collected data. In addition, there is no mention of any customer data being shared with third parties, advertisers, affiliates, or business partners.
We do not sell, trade or otherwise transfer to outside parties your personally identifiable information except when forced by Belgian law.
Security
Mailfence implements easy-to-use OpenPGP encryption for securing emails. This is designed to make using PGP encryption less tricky. Emails sent to fellow Mailfence members never leave Mailfence servers and can be encrypted either with PGP or the password encryption option. Emails to non-members can be sent unencrypted, or unencrypted but signed with a digital PGP key. In addition, users can opt to send emails fully encrypted and signed.
Communication with Mailfence servers happens via Transport Layer Security (SSL/TLS) encryption. This is true for both web services and IMAP / POP / SMTP email client access. This stops any eavesdropping, tampering, or message forgery from occurring in transit.
The service also provides Perfect Forward Secrecy (PFS) for encrypted connections (HTTPS). This ensures that, during a security breach, no previous communications can be decrypted. Finally, HTTP Strict Transport Security (HSTS) is activated on all of its web pages and the service receives an A++ score with Qualys.
Mailfence has also implemented MTA-STS and DANE protocol to ensure other servers always send emails using encrypted channel. This makes it much harder for attackers to listen on to emails between Mailfence and non-Mailfence accounts.
Mailfence uses a standard implementation of OpenPGP with full key management available via a built-in keystore. PGP keys are generated in the browser and stored (encrypted) on Mailfence’s servers using an AES-256 cipher. This is generally considered secure (despite the closed-source nature of Mailfence’s proprietary client).
The option is also there to secure email with symmetric encryption (secure message escrow); which can be used to avoid sharing any keys with Mailfence altogether. Users must share the password securely outside of the app (in person, for example) to use this feature. S/MIME used to be available for inbound signature validation, however, the firm told me that they are no longer supporting this feature.
Concerns? Because encryption occurs within the browser (E2EE) Mailfence is considered secure. However, because it is a JavaScript application – there are some security issues (which apply to all JavaScript mail clients and not just Mailfence). Anybody who wants to avoid these JavaScript vulnerabilities (which can allow a man-in-the-middle attack to force compromised encryption keys onto both the sender and recipient’s browsers) will need to use an email provider with a dedicated email client.
Finally, Mailfence also implements IP stripping from messages. This means that your IP address is never attached to an outgoing email.
Ease of Use
Opening a Mailfence account is extremely easy, and anybody can begin the process for free to get a taste of how the software works. Once an account has been registered, the user receives an email that allows them to verify their account. This can be a burner email, but please bear in mind that the firm will communicate with you via this email if you ever have any problems.
Once logged into the service from your browser, you can go ahead and choose an email address. Users that upgrade to a paid plan can opt for a custom domain.
With the email account setup, you are able to start using the email service with no problems.
To start testing, we sent a number of PGP encrypted emails over to secondary company accounts without issue.
We also went ahead and imported email contacts using the 'External addresses' feature with no fuss. Overall, we found the client to be stable, and we experienced no glitches or bugs during our trials.
Where ease of use is concerned, Mailfence is a doddle because it doesn’t require users to download and install any software. In addition, unlike with some email clients, there is no steep learning curve. Even PGP encryption, which is generally considered tricky, is made easy thanks to the better usability of the platform.
We also enjoyed the fact that all the primary functions are baked in without the need to install secondary plugins or add-ons. This makes Mailfence ideal for non-techy users who want to jump right in and start protecting emails with encryption.
The Mailfence contacts feature is easy to use and allows users to quickly import contacts from Google or another email provider.
We also enjoyed the ability to synchronize across devices, which is much easier than with some other email providers. Mailfence also allows users to easily migrate all of their contacts, encrypted keypairs, and encrypted data to another email provider should the need arise.
A closer look at settings reveals that Maifence has a lot of useful functions.
The ability to create an Away message lets users auto-reply when they are out of the office or on vacation.
The Virtual drive lets users access documents directly from a special folder on their computer. This folder is protected with a login and a password. Guides for setting up the virtual drive are available for all platforms from inside the settings menu. Users can also set up a virtual drive on iOS or Android devices.
We also like that Two Factor authentication is baked into the service, which adds an extra level of security to the client.
Finally, the ability to send password encrypted emails (which allows non-techy users to protect messages without the need to understand encryption keys) is an added bonus which makes Mailfence ideal for beginners or non-techy users.
Customer support
Mailfence provides support to all users (enhanced support for paying users); which means that you will be able to get help when setting up the service or ironing out any kinks you might experience.
In addition, the firm provides a detailed blog, online documentation, and a support site that has many useful articles and tips for doing everything from migrating your old contacts list over to Mailfence – to articles about security features and implementation on the platform.
We found the resource to be comprehensive and certainly appears to be enough to give most free users the information they need to use the service.
Also good; free users can ask questions via an email response system.
Conclusion
Mailfence is a solid and easy-to-use email provider that is ideal for beginners. Encryption is strong, and because it is browser-based, there is no need to download any software. The firm’s commitment to privacy – which involves donating 15% of its Pro account proceeds to Electronic Frontier Foundation and European Digital Rights – is also commendable.
Perhaps the only slight drawback to this service is that it is closed-source. However, all the cryptographic fundamentals are open-source and they have been audited thoroughly. In addition, the firm has previously promised to make its software open-source, which would be an excellent step for the firm to take. Until that time, however, we can't overlook the fact that the code is still closed-source.
The main difference between Mailfence and many of its competitors is that it offers an ideal one-stop alternative to Gmail, Google Calendar, and Google Docs. Its end-to-end encrypted email solution is integrated into a suite with numerous features; Mailfence Contacts, Mailfence Docs, Mailfence Calendar, Mailfence Chat, and Mailfence Groups. This is great for anybody de-Googling who wants secure emailing without giving up all the other Google Suite features they are used to having.
For free, this email provider is useful. Although, it is rather limited in features compared to the paid plans. For anybody looking for an easy-to-use email client that is feature rich and has a minimal learning curve, however, the paid for plans can definitely be recommended.