Moving My Emails

I recently decided to move my primary email address away from Gmail to an address at my own domain. First of all, I’d like to say that Gmail is a great product, with many great features that aren’t available elsewhere, and everything just works, making it easy to use. My reasons for moving are twofold: future-proofing and privacy.

Why I moved

Firstly, by moving my email address to my own domain, I can be sure of retaining that email address indefinitely. If Gmail were to shut down (which I’ll admit, seems unlikely) I would be dependent on the owner of the domain to allow me to have an email address “@gmail.com”. Barring domain seizure, I’m unlikely to ever have to move email address again.

It would be possible to set up email forwarding from my domain to Gmail; alternatively, I could use Google Apps to host the email server for me at my domain, but having my own domain isn’t my only concern here.

The other concern is that given the disclosures of the past couple of years regarding the world’s intelligence services and major technology companies, it seems there is a reasonable chance that access to my email data isn’t as controlled as I would like it to be. In addition to this, Google are open about doing some level of data mining through your inbox; this is how they make the money to host your email for free in the first place.

Where I moved

So after deciding to leave Gmail, I had to look at where I wanted to go. For an hour or two I had notions of hosting my own email server. Then I got a couple of steps into the Ubuntu Postfix setup guide and realised this wasn’t for me. Email servers are vastly complex beasts and far more difficult to set up than, say, a web server, which I’m perfectly comfortable with.

So, I had to entrust my emails to a third party then. I decided to look for someone who cares about security and encryption. There are several out there despite (or probably because of) the collapse of Lavabit. The offerings include Tutanota and Posteo, and Ladar Levison is even having a go at defining an email protocol with end-to-end encryption built in as Dark Mail.

In the end I decided to go with ProtonMail. Their software is open source and therefore open to review (which is actively encouraged), and they have a very good transparency report. They’re also reasonably cheap: free if you don’t care about custom domains and only 5 units of your choice of three currencies (EUR, USD and CHF) per month for a custom domain with 5GB of storage. There are also discounts for paying annually, and you can upgrade your account in a customizable fashion at very reasonable rates.

How I Got There

After signing up to ProtonMail and registering a domain, setting up the email hosting at the new domain was very simple. I just had to add some DNS records (ProtonMail told me exactly what they were) and wait for them to propagate (ProtonMail told me when they had).

So now I wanted to move everything from one email provider to another at a different address. Luckily Google make this pretty easy by offering mail forwarding, so I’m currently forwarding all mail from my old address to my new one to make sure I don’t miss anything.

This gives me plenty of time to slowly migrate all the accounts I’ve opened over the years with various internet services from one email address to the other, and to make sure anyone trying to get in contact with me has my new address. The only downside is that any emails that go via Gmail are subject to their previously mentioned data mining and are potentially passed in part or in whole to the NSA or similar agencies, but I’d rather get the message than miss it.

Footnote

I’m under no delusion that the new setup is 100% secure. Unless you’re going to host the email server locally, know how to set it up properly and have complete control and understanding of the code that the email server is running, you don’t have foolproof security. This state is probably unattainable and even then there are probably some loopholes.

If what you’re emailing is particularly sensitive, please use PGP and some trusted form of public key infrastructure (get in the queue for Keybase maybe).