Today I took the decision to switch mail providers, moving from Proton Mail to Migadu.
I’ve been a loyal paying user of Proton Mail for about 5 years now, and during those years I’ve been fairly happy with the service they provide. However, looking back on it, I don’t think I’m their target audience, and I’ve come to realize my mailing life would be much better without them.
I first heard of Migadu when reading Drew Devault’s Email provider recommandations. If I were to only trust one person about best mail practices, that would probably be him.
In this post I write down some thoughts about the change.
What I like most about Migadu is that they charge by usage rather than by some artificial metric like the amount of custom domain names or mailboxes you have.
I own — rather, rent — several domain names for which I need mail adresses available, even though I rarely use them. With Migadu, I can create as much as I need, even at the lower tier. In contrast, to use several custom domains with Proton Mail you need to have at least an Unlimited subscription (12€/month), and for more than 3 it’s only possible with the Business tier (11€/user/month), even if the total space used by mailboxes amounts to less than 15GB, the space allowed in the Plus tier (4€/month).
Additionally, one of my domain name looks like
[familyname].me, which I’ve been using for years to have a
short mail address
relatives have grown quite envious (not really) and I’ve offered to
create mail adresses for them too. But with Proton Mail, every new user
and its associated mailbox under the same custom domain incurs
additional cost, unrelated to the real cost of memory space and
With Migadu, adding as many users as you want is free, so long as the total storage space remains under the limit granted by the subscription tier you pay for. This is how it should be measured. I. like. this.
The main feature put forward by Proton is the pervasive use of public-key cryptography to store your data. When mails are sent to your address, Proton will use your public key to encrypt them on their servers. The associated private key is derived from your password, and in principle Proton never has access to it. All the decryption happens on the client side.
While the idea is appealling, it does require quite a bit of trust in the provider, trust I’m not sure I’m willing to grant. Fastmail has a great write-up about this. If you — as a user — truly required so high privacy standards, you’d either control the entire infrastructure yourself, or use something other than mail.
Indeed, it feels like it would technically be very easy for Proton Mail to update the web client to retrieve private keys. Unless you are willing to thoroughly audit the client you use and stick with it, you just have to believe that Proton has no incentive (or external pressure) to do so.
Considering this, I somewhat feel like pushing encryption so much to the front has mostly become a marketing argument. Not so different from how some VPNs claim to do encryption over encryption for twice as much security.
My main motivation for going to Proton Mail in the first place was moving away from big corps whose business model relies solely on advertising and data harvest rather than being paid by users for the good service they provide. Not so much out of concern about encrypted storage.
If that’s what rocks their boat, and attracts new customers, frankly let them have it. However I simply can’t help but notice that this obstinate push for encryption is the source of many complications.
No IMAP and SMTP support
Because of how they store encrypted mails, they are not able to provide an IMAP and SMTP server for your favourite mail clients to connect to directly1. To remedy this, they released Proton Mail Bride, an app that will run on your computer, decrypt mail locally in the background and act as a private IMAP and SMTP server. I’ve personally had many issues with Bridge on Linux, I am not the only one, and it really does feel like an annoyance that is hard to justify, especially to less tech-savy relatives.
On mobile though, no such thing as Proton Bridge, you’re stuck with the clunky, slow, half-assed official client from Proton Mail.
For a very long time, it was impossible to search your mail by content on the webmail, because of encryption and all. They recently released a new feature whereby you can choose to pre-process every single mail in a specific browser so that search becomes possible. That’s a very impressive improvement. But considering I don’t care much about encryption, that also was a considerable time waiting for a quite basic feature.
Mail provider vs Software suite
(Not so) recently, ProtonMail has been renamed to Proton, an entity providing many different services, from the original mail provider to a VPN service, an encrypted cloud, an encrypted calendar, and likely more to come.
This may be appealing to many, especially as a replacement to big corp do-it-all solutions like Google services. To me however, it’s not a good sign: it feels like by trying to do everything, the development of any of those services gets slowed down, and we end up with half-assed solutions.
I don’t care about VPNs (and most people probably don’t need one). I don’t care about having an encrypted calendar. I manage my own cloud at home. What I want is a proper mail service, and if you’re gonna force me to use a shitty SMTP proxy and your official mobile app, you better make sure they are really good.
In contrast, Migadu only does mail hosting. Nothing more. It provides IMAP, SMTP and POP3 servers accessible over authenticated TLS, that just work. The administration interface is feature-full but straight to the point. They simply go out of your way.
After the official launch of their suite, Proton unveiled a complete rebranding, with a shiny new visual identiy. They really strengthened their storytelling, and started agressively advertising their brand. Maybe that’s the only way to keep growing and acquire new customers. But I find it very tiring. Even as a paying user, you are often bombarded with calls to upgrade your plan, benefit from an AMAZING discount for the new VPN tier, black friday yada yada.
I like the simple presentation of Migadu. Nothing much to add to this.
Proton argues that because they are based in Switzerland, the stricter local privacy laws should protect you from abusive law enforcement claims. Migadu is also registered in Switzerland but hosted in France (therefore having to abide by European data protection laws). I don’t think there is any substantial difference between the two situations, even though you probably shouldn’t count on your mail provider defending you either way if authorities are onto you.
Although I’ve been critical of Proton Mail in the past paragraphs, I do think it is the target of many disingenuous attacks. A recurring complaint has been the fact they do not make their products open-source from the get go. This happened when Bridge was released, when the Android app was released, and so on.
I think Proton Mail has dramatically improved over the years. Making things from scratch under public scrutiny is hard, and it somehow feels normal to me to take time to refine something in private and audit it before making it available. Especially is there are security concerns.
If I write code in private, I am able to take many shortcuts and produce quick ugly code that works. Cleaning it out for public appreciation and release comes later.
About the actual move
Not much to say here, nowadays it’s fairly easy to export all your Proton Mail mailboxes using their own Import-Export app. Importing this into any IMAP server isn’t too hard either.
What I do want to note is how surprisingly quick it was to setup Migadu. The administration panel is very clear and the instructions for updating DNS records incredibly informative. It even talks about autoconfig and autodiscovery records, which I had no idea was a thing! This lets Thunderbird fill out proper server information automatically, even for custom domains. Neat.
I wrote down this post mostly for myself, and to slowly get into the habit of throwing words at my computer and publishing without overthinking it. Feel free to comment on this by sending me a mail — hosted on Migadu — at email@example.com!
At least that’s how they justify it. Considering they don’t encrypt mail subjects, and I assume sender information, I’m not sure I understand why they cannot just provide an IMAP server that would deliver OpenPGP encrypted mails, that could then be read by any mail client that supports it (many of them do). But I don’t know much about how they store things, so I’ll give them the benefit of the doubt. It’s also possible that they purposely want to avoid customers having to deal with OpenPGP, hence the bridge. If that were the case, it’s inexcusable that they don’t let people that choose to be able to access a regular SMTP server directly.↩︎