I have been a paid customer for both (Posteo for 2 years, then moved to ProtonMail Visionary to my own domain names).

Posteo isn't inherently a bad service: the privacy policy is solid and the price is good, but the lack of a DMARC and ARC policy, and their refusal to add one, means that their service has open flaws. This can be serious for some people's threat models and also highlights some laziness, since every other big provider has a DMARC policy. Their justification for not using DMARC is the DMARC FAQ answer on why a service wouldn't use it, which states:

Why would someone fake mail from [free email provider] when they could just register an account?

and

DMARC is a new technology

A fake or subversive email from a person who registered an account with a different-looking email address from the person they are impersonating would be more likely to be caught as a fake than a spoofed email received from what appears to be the real email address of that person. Spoofing the email address would be more successful in some cases. Also, DMARC is far from new and is essentially over a decade old.

While not demonstrated anywhere in the Posteo FAQ about DMARC, I would personally imagine they don't care that much because Posteo constantly remind you to use PGP for emails with others, which can be used to 'sign' a message to verify that the email was written by the legitimate owner of that email address, provided you had their public key before they sent an email to you.

Posteo's mailbox encryption means they cannot see the emails and metadata; however, because of how it is implemented (being able to use a custom e-mail client), the mailbox can be decrypted during an authentication. While they don't know the keys to decrypt your mailbox, this wouldn't really matter since:

  • The service Posteo provides isn't secured by zero-knowledge/zero-access methodologies.
  • Posteo isn't transmitting the encrypted mailbox to you; why do you think using any email client works? No email client app supports receiving Posteo's unique crypto-mail emails to decrypt on your local machine. The only encryption protecting the viewing of the emails and their contents is the TLS encryption between you and Posteo while you are authenticated. If the TLS connection was monitored by Posteo via interception they could also see it.

Posteo also claim this themselves:

With crypto mail storage enabled, your emails will only be decrypted for you the moment they are accessed.

Because the emails are first encrypted when they reach our servers, Posteo crypto mail storage is no substitute for regular end-to-end encryption set up by the sender of an email. This does not, therefore, protect you from a lawful interception (TKÜ).

(source)

ProtonMail's service, when it comes to mailbox storage, is zero-access: they cannot read the contents of your mailbox at all, and the usage of a ProtonMail app is required to support that. They imply this in their transparency report also, while in Posteo's transparency report they have disclosed mailboxes, mainly due to Crypto Mail Storage not being turned on, or an interception occurring.

The only flaw ProtonMail really does have, as mentioned with Posteo, is the lack of end-to-end encryption for email in transit, where instead it is encrypted with TLS using certificates maintained by the service. This would only truly apply to emails that are not PGP encrypted or not sent to other ProtonMail email addresses. However, this is a flaw with email as a whole (no end-to-end encryption), not a flaw of each individual service, so it would be wrong to criticise both on these fronts.

I would suggest ProtonMail above everything, but if spoofing isn't part of your threat model I'd say Posteo is sufficient... but considering how Proton provides just as good a service for free, it would be a strange choice in my opinion. I would like to see Posteo add a DMARC policy soon though; maybe I'd be more favourable if it did.
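To make the DMARC point above concrete, here is an added example (not from the original post or from either provider) of the decision a receiving mail server makes: it looks up the DMARC record of the From: domain, checks whether SPF or DKIM passed for an aligned domain, and applies the published disposition. The domains and records below are constructed for illustration; a domain with no record, like a provider that declines to publish one, gives the receiver no instruction at all.

```python
# Constructed DNS fixture standing in for real _dmarc TXT lookups.
CONSTRUCTED_DNS = {
    "_dmarc.example-strict.test": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-strict.test",
    "_dmarc.example-relaxed.test": "v=DMARC1; p=quarantine; sp=none; pct=100",
    # example-nodmarc.test publishes nothing, like a provider without a policy.
}

def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict; None if this is not a DMARC record."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    # Simplification: last two labels as the organizational domain
    # (a real implementation consults the Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain, spf_pass_domain, dkim_pass_domain, dns=CONSTRUCTED_DNS):
    """Return 'pass', 'none', 'quarantine', 'reject', or 'no-policy'.

    spf_pass_domain / dkim_pass_domain are the domains for which SPF / DKIM
    verification succeeded (None if the check failed or was absent).
    """
    record = dns.get("_dmarc." + from_domain.lower())
    subdomain = record is None
    if subdomain:  # fall back to the organizational domain's record
        record = dns.get("_dmarc." + org_domain(from_domain))
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "no-policy"  # the domain owner gave the receiver no instruction
    if aligned(from_domain, spf_pass_domain, policy["aspf"]) or \
       aligned(from_domain, dkim_pass_domain, policy["adkim"]):
        return "pass"
    # Subdomains use the 'sp' tag when present, otherwise inherit 'p'.
    return policy.get("sp", policy["p"]) if subdomain else policy["p"]
```

A message forging a From: at the no-policy domain ends up at "no-policy", so only the receiver's own spam heuristics stand between it and the inbox; the same forgery against the p=reject domain is rejected outright.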

    • [deleted]

    Thank you so much for this developed answer!

    • [deleted]

    I am a posteo client currently. It pisses me off that the service is not as good as protonmail

    • [deleted]

    final you said "The service posteo provides isn't secured by zero-knowledge/zero-access methodologies."
    Even with the crypto storage activated (no pgp)???

      [deleted] If crypto storage is activated, they cannot see the mailbox. However they would be able to intercept the connection of the mailbox and grab the contents of the mailbox in real-time as they are being accessed to see them. This is unlikely and they said in transparency this would only matter in a Law Enforcement situation, and they would have to be actively intercepting the user waiting for evidence continuously.

      ProtonMail provides no access to the inbox at all, but may be able to reveal other data such as the user's IP address, which can be changed by a VPN or other solution.

      Both email services (email as a whole) have the issue of being able to see emails that come in from other email servers, because email is not end-to-end encrypted. If an email is encrypted with PGP or other end-to-end encryption solution this would not matter, but there is still metadata that transits through emails anyway.

        • [deleted]

        final They are able to access it in real time only if I access it via a third party client like K9 with IMAP?

          [deleted] They are able to access it in real time only if I access it via a third party client like K9 with IMAP?

          Can be seen in all cases including their webmail, as the decryption for the emails is done on their side rather than on yours. The reason they need to see in real time is because they can only decrypt with a key protected by the user's password, which Posteo do not know. So if an account for whatever reason was being monitored and the user who owned the account logged in, that would be the only way to access the mailbox contents. Posteo can only see such information if they were planned to be monitored beforehand.

          • [deleted]

          I thought this was more secure... The only reason why Proton cannot do this is because they use their own app?
          Why the fuck does posteo not do an app...

            • [deleted]

            I do not understand well. I find this complicated.
            But posteo has been clear and transparent about all this and they did not lie, right?

              • [deleted]


              It is crazy that there are so few trustworthy secure email providers... Knowing this we only have Protonmail and Tutanota (maybe Startmail/mailbox)...

                [deleted]
                Further context:
                Posteo don't log IP addresses or user information, but a mailbox can be accessible depending on settings and if there was a law enforcement order demanding that the mailbox be intercepted to receive this info.

                Posteo during 2022
                User info: 0
                IP addresses: 0
                Mailbox contents: 4
                https://posteo.de/en/site/transparency_report

                According to their privacy policy, ProtonMail can see IP addresses temporarily but have discretion in choosing to log them for law enforcement or to combat abuse of the platform caused by the user's email.

                They mention the limitations of email protocols and the information they can see from them, which is the same as I have mentioned before (incoming messages and metadata):

                2.2.2 Account Activity: Due to limitations of the SMTP protocol, we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, attachment name, message subject, and message sent and received times. We do NOT have access to encrypted message content, but unencrypted messages sent from external providers to your Account, or from Proton Mail to external unencrypted email services, are scanned for spam and viruses to pursue the legitimate interest of protecting the integrity of our Services and users. Such inbound messages are scanned for spam in memory, and then encrypted and written to disk. We do not possess the technical ability to scan the content of the messages after they have been encrypted. We also have access to the following records of Account activity: number of messages sent, amount of storage space used, total number of messages, last login time. User data is never used for advertising purposes.

                As for the spam and virus protection, Posteo do it too: https://posteo.de/en/site/privacy_policy
                https://proton.me/mail/privacy-policy

                ProtonMail during 2022

                • Number of legal orders: 6,995
                • Contested orders: 1,038
                • Orders complied with: 5,957
                  • [deleted]

                  After reading your first message carefully I understand better. Thank you so much

                  • [deleted]

                  final "Orders complied with: 5,957"
                  What was this? Essentially IP addresses, right?

                    [deleted] I thought this was more secure... The only reason why Proton cannot do this is because they use their own app?
                    Why the fuck does posteo not do an app...

                    Email as a whole isn't a secure protocol; the only real solutions are to bake other software or features into it, like what Proton and Posteo do. It isn't fully possible to have a perfect email service.

                    [deleted] I do not understand well. I find this complicated.
                    But posteo has been clear and transparent about all this and they did not lie, right?

                    Posteo have never lied about their service; in fact I think their service is good, it's just that Proton do some parts better. If Proton had a service that logged less of the other information, like Posteo not logging IP addresses at all, then it would be perfect.

                    [deleted] It is crazy that there are so few trustworthy secure email providers... Knowing this we only have Protonmail and Tutanota (maybe Startmail/mailbox)...

                    Tutanota is pretty good, Posteo is good but has serious limitations, Proton is too but can be costly. It's a matter of what's better or worse; I use Proton primarily because it supports DMARC and custom domain names, but Posteo's strong privacy policy can be advantageous in some positions.

                    [deleted] "Orders complied with: 5,957"
                    What was this? Essentially IP addresses, right?

                    They do not specify. Likely they provided all information they had stored in their systems at the time, which is all the information listed in their privacy policy. Information that is 'encrypted' would not be accessible.

                    They give more information on one case where they had to surrender user info here: https://proton.me/blog/climate-activist-arrest - this case in particular was important as it reached press attention, but they had no choice in providing this info since it was requested by Swiss courts.


                      final
                      My favorite quote from that blog post:

                      No matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law. The Swiss legal system, while not perfect, does provide a number of checks and balances, and it’s worth noting that even in this case, approval from 3 authorities in 2 countries was required, and that’s a fairly high bar which prevents most (but obviously not all) abuse of the system. Under Swiss law, it is also obligatory for the suspect to be notified that their data was requested, which is not the case in most countries.

                      Out of curiosity, does Posteo specify which country's jurisdiction they operate under?

                        zzz
                        Yes, it is Germany (hence the .de in Posteo's domain)

                        • [deleted]


                        How does Proton manage to be zero-access, unlike Posteo? How do they manage to not be able to read the incoming messages in real time? Why doesn't Posteo upgrade to be zero-access?
                        Proton decrypt the emails client-side, unlike Posteo?
                        You said

                        Posteo isn't transmitting the encrypted mailbox to you, why do you think using any email client works?
                        So this is not the case with Proton?
                        (Sorry @final I asked too many questions because I did not understand well because I was tired, but your answers are insanely great. Thx.)

                          • [deleted]

                          Is it because Proton's encryption works like Posteo's encryption on entry with PGP? Activating it for Posteo provides the same level of privacy/security as Proton, right?

                            [deleted] Why the fuck does posteo not do an app...

                            Because it's a cheap service.
                            The saying "you get what you pay for" isn't always the case, but when it comes to Posteo vs. Protonmail, in my opinion, it is. Posteo will cost you a lot less money, but will provide you with a clunky third-party web interface that is rarely updated, and no end-to-end encryption. Last time I checked, and correct me if I'm wrong and if this has been improved, you can also bypass Posteo's 2FA simply by connecting it to a third-party client over IMAP.

                            What I don't like about Protonmail is that it requires you to upgrade to the most expensive plan to get more than one custom domain. The Unlimited plan is expensive if you simply want their mail service, and not their VPN etc. in addition.