Mailfence Review 2019

Mailfence is a secure email provider that was first launched in 2013 by ContactOffice Group. Generally, Mailfence has an excellent reputation with both users and security experts (because its encryption is based on open source cryptographic fundamentals). However, it is worth bearing in mind that the content license is proprietary; which means there are closed source elements to its full suite of services (encompassing a calendar, document storage, and more). 

This encrypted email provider is a fully featured service that has excellent interoperability with all other OpenPGP compatible encrypted email services. Being based in Belgium, the service falls out of the scope of Five Eyes. On the other hand, Belgium does enforce some mandatory data retention directives that seem to apply to email providers. Luckily, these directives are strict and only permit the authorities to gain access with a warrant under very specific circumstances. 

However, Belgium’s insistence that blanket data retention is useful for investigative purposes (and may even be good for citizens’ human rights!) is probably enough to put some people off. In addition, Belgium is part of the greater 14 Eyes surveillance agreement. 

On the plus side, Mailfence does “maintain an up-to-date warrant canary and transparency report listing,” which allows consumers to keep a watchful eye over whether the service has been compromised by the authorities. 

Mailfence logo

How much does Mailfence cost?

Mailfence is a secure email provider that has a free subscription plan. For free, users get access to an account with 500Mb of storage. The free service heavily restricts the use of the calendar and contacts features and does not permit any synchronization across devices. In addition, it restricts the email service to just one group with two members.

The entry-level subscription plan costs just $2.77 per month - which is probably affordable for most people (and is the one we tested). However, compared to the popular service Posteo - which costs just $1.13 per month - it can be considered a little pricey. For $2.77, users get full synchronization, calendars, contacts, three groups with 10 members, and 12Gb of storage (5Gb for messages and the rest for storage for documents and other data).

Finally, subscribers have the option to opt for the “Pro” plan - which extends storage capacity to 20Gb for messages and 24Gb for documents. The pro plan does not add any further functionality to the entry-level plan, but does let subscribers create five Groups with up to 20 users. Full support is available with both the entry level and pro plans. Pro costs $8.32 per month, which might seem pricey but is actually pretty good for enterprise use.

Users can elect to pay via credit card (Visa or Mastercard) or using cryptocurrencies (Bitcoin or Litecoin) for added privacy. Users can also opt to pay using PayPal.

The fact that this service is funded by the paid plans allows Mailfence to exist without advertising; which is why this secure email provider is often a choice for people looking to de-google. 

Features overview

For the cost of $2.77 per month, users get access to the following features:

Send end-to-end encrypted emails with OpenPGP. Mailfence lets users send secure PGP emails to all the major email providers. Both signed and encrypted messages can be sent. Mailfence also provides complete control over OpenPGP key management with its integrated keystore.

  • Supports POPS, IMAPS, and SMTPS. Popular email protocols are supported for sending and receiving emails across various providers. 
  • Password encrypt emails. This feature is based on symmetric encryption and allows users to password encrypt emails (encryption and decryption by sender and receiver) within their browser. This allows emails to be sent encrypted with a key that is never shared with the Mailfence back-end (known as a zero-knowledge framework). The encryption is based on an audited open source cipher library and permits Mailfence users to send encrypted messages to non-Mailfence users.
  • Full synchronization: Synchronize your accounts via desktop and mobile devices. 
  • Groups: Securely manage and share files, contacts, calendars, and mailboxes with other members of your groups.
  • Calendar, contacts, and documents storage: The availability of these features allows people who are used to using Google’s suite to migrate while still retaining most of the functionality they are accustomed to.
  • Custom domain support: Users can opt to have. mailfence or unique domain name email addresses of their choice.
  • Two Factor Authentication: Users can use 2FA apps to further protect their account.
  • Qualys SSL Labs rating: Mailfence’s website scores highly with this independent rating website: A+ with HSTS and PFS.
  • Strips IP address from sent emails: However, the privacy policy does state that Mailfence stores a number of logs including IP addresses - presumably to comply with Belgian laws. 

Privacy

Users do not need to provide a real name to subscribe to Mailfence, and it is possible to use a burner email address and to pay in cryptocurrencies in order to set up the account in privacy. However, the privacy policy does create some concerns when it states that:

“We collect IP addresses, message-ID's, sender and recipient addresses, subjects, browser versions, countries and timestamps.”

This collection occurs in order to comply with Belgian data retention directives that came into effect in 2016. However, the firm reminds users that (unlike the US and the UK) Belgium does not enforce gag orders, which means that if it were ever asked to hand over any data, it would be able to inform its users. It also has a warrant canary and publishes a transparency report, which again allows the user to keep a close eye on what the firm is doing. 

Despite these attempts to remain transparent about its processes; there are definitely going to be some consumers that prefer a no logs email provider (and, to be fair, these do exist). However, the option is there to use a VPN in combination with this email provider; which would conceal the user’s real IP address from Mailfence. 

Finally, Mailfence states that its employees are all bound by a confidentiality agreement that forces them to protect all collected data. In addition, there is no mention of any customer data being shared with third parties, advertisers, affiliates, or business partners.

“We do not sell, trade or otherwise transfer to outside parties your personally identifiable information except when forced by Belgian law”

Security

Mailfence implements simple “one-click” OpenPGP encryption for securing emails. This is designed to make using PGP encryption less tricky. Emails sent to fellow Mailfence never leave Mailfence servers and can be encrypted either with PGP or the password encryption option. Emails to non-member can be sent unencrypted, or unencrypted but signed with a digital PGP key. In addition, users can opt to send emails fully encrypted and signed.

Communication with Mailfence servers happens via Transport Layer Security (SSL/TLS) encryption. This is true for both web services and IMAP / POP / SMTP email client access. This stops any eavesdropping, tampering, or message forgery from occurring in transit. 

The service also provides Perfect Forward Secrecy (PFS) for encrypted connections (HTTPS). This ensures that during a security breach, no previous communications can be decrypted. Finally, HTTP Strict Transport Security (HSTS) is activated on all of its web pages and the service receives an A++ score with Qualys.

Mailfence uses a standard implementation of OpenPGP with full key management available via a built-in keystore.PGP keys are generated in the browser and stored on Mailfence’s servers using an AES-256 cipher, this is generally considered secure (despite the closed source nature of Mailfence’s proprietary client).

The option is also there to secure email with symmetric encryption (secure message escrow); which can be used to avoid sharing any keys with Mailfence altogether. Users must share the password securely outside of the app (in person, for example) to use this feature. S/MIME used to be available for inbound signature validation, however, the firm told me that they are no longer supporting this feature.

Concerns? Due to the fact that encryption occurs within the browser (E2EE) Mailfence is considered secure. However, because it is a JavaScript application - there are some security issues (which apply to all JavaScript mail clients and not just Mailfence).

Anybody who wants to avoid these JavaScript vulnerabilities (which can allow a man-in-the-middle attack to force compromised encryption keys onto both the sender and recipient’s browsers) will need to to use an email provider with a dedicated email client.

Finally, Mailfence also implements IP stripping from messages. This means that your IP address is never attached to an outgoing email.

Ease of Use

Opening a Mailfence account is extremely easy, and anybody can begin the process for free to get a taste of how the software works. Once an account has been registered, the user receives an email that allows them to verify their account. This can be a burner email, but please bear in mind that the firm will communicate with you via this email if you ever have any problems. 

Once logged into the service from your browser, you can go ahead and choose an email address. Users that upgrade to a paid plan can opt for a custom domain.

choosing your email address

With the email account setup, you are able to start using the email service with no problems. We sent a number of PGP encrypted emails over to secondary company accounts without issue.

openpgp encryption

We also went ahead and imported email contacts using the 'External addresses' feature with no fuss. Overall, we found the client to be stable, and we experienced no glitches or bugs during our trials. 

importing email addresses

Where ease of use is concerned, Mailfence is a doddle because it doesn’t require users to download and install any software. In addition, unlike with some email clients, there is no steep learning curve. Even PGP encryption, which is generally considered tricky, is made easy thanks to the one-click feature. 

We also enjoyed the fact that all the primary functions are baked in without the need to install secondary plugins or add-ons. This makes Mailfence ideal for non-techy users who want to jump right in and start protecting emails with encryption. 

The Mailfence contacts feature is easy to use and allows users to quickly import contacts from Google or another email provider. 

import format

We also enjoyed the ability to synchronize across devices, which is much easier than with some other email providers. Mailfence also allows users to easily migrate all of their contacts, encrypted keypairs, and encrypted data to another email provider should the need arise. 

A closer look at settings reveals that Maifence has a lot of useful functions. 

Mailfence menu

The ability to create an Away message lets users auto-reply when they are out of the office or on vacation. 

The Virtual drive lets users access documents directly from a special folder on their computer. This folder is protected with a login and a password. Guides for setting up the virtual drive are available for all platforms from inside the settings menu. Users can also set up a virtual drive on iOS or Android devices.

We also like that Two Factor authentication is baked into the service, which adds an extra level of security to the client. 

the two factor authentication

Finally, the ability to send password encrypted emails (which allows non-techy users to protect messages without the need to understand encryption keys) is an added bonus which makes Mailfence ideal for beginners or non-techy users.

Customer support

Mailfence provides support to all users (enhanced support for paying users); which means that you will be able to get help to set up the service or iron out any kinks you might experience. 

In addition, the firm provides a detailed Blog that has many useful articles and tips for doing everything from migrating your old contacts list over to Mailfence - to articles about security features and implementation on the platform. 

We found the resource to be comprehensive and certainly appears to be enough to give most free users the information they need to use the service.

customer support

Also good; free users are also given the ability to ask questions via an email response system. 

Conclusion

Mailfence is a solid and easy-to-use email provider that is ideal for beginners. Encryption is solid, and because it is browser-based, there is no need to download any software. The firm’s commitment to privacy - which involves donating 15% of its Pro account proceeds to Electronic Frontier Foundation and European Digital Rights - is commendable. 

Perhaps the only slight drawback to this service is that it is closed source. However, all the cryptographic fundamentals are open source and they have been audited thoroughly. In addition, the firm has previously promised to make its software open source, which would be an excellent step for the firm to take.

For free, there can be no doubt that this email provider is useful. Though, it is rather limited in features compared to the paid for plans. For anybody looking for an easy-to-use email client that is feature rich and has a minimal learning curve, the paid for plans can definitely be recommended. 

Written by: Ray Walsh

Digital privacy expert with 4+ years experience testing and reviewing VPNs. He's been quoted in The Express, Barrons, the Scottish Herald, ThreatPost, CNET & many more. Ray is currently rated number 1 VPN authority by Agilience.com.

0 Comments

There are no comments yet.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.