Hacker News

Honest question, because I've been asking it of myself: what do you expect from such a service?

I basically decided to just give up. Email is an insecure protocol and there's not much that can be done about it. Choosing a "secure" email provider feels like choosing a "secure" VPN provider: it's impossible to verify the provider's claims so it's a kind of security theatre.



It's impossible to choose a "secure" email provider, unfortunately.

Email can't guarantee E2EE without a block cipher tool like GPG. Even if your provider stores and transmits only encrypted email data, once sent it does not maintain that guarantee while being passed by another entity's MTA.

If you email Google, Google gets to do whatever googly stuff it would like to do with its algorithm. If you email Exchange, Roundcube, ISP, Hotmail, it could wind up being archived to tape, or simply be sitting for a long time in some unencrypted mail spool, maybe in a public cloud. If you self-host, you would be forgiven if you find you have made a mistake or simply got pwned.

I've never self-hosted email, but I understand it is a lot of work to set up if you aren't familiar, and while maintenance is okay once you get rolling, there are occasional emergencies or hiccups that require intervention.

Aside from being much slower, regular mail is quite a bit better since you can easily inspect the envelope for evidence of tampering, while email will be imperceptibly copied.


> Even if your provider stores and transmits only encrypted email data, once sent it does not maintain that guarantee while being passed by another entity's MTA.

What? If Alice encrypts an email to Bob, using Bob's PGP key on her laptop, then it doesn't matter how many MTAs that email passes through, the email stays encrypted at every hop.

> it could wind up being archived to tape

I guess you're saying that an encrypted email could travel through a provider that keeps a copy of it in the hopes that quantum computers will one day be cheaply available enough that they can crack the private key and read the email.

That seems expensive (and illegal) for a company to do just on a whim (assuming the sender and recipient are periodically deleting old emails), and I'd like to think that a judge would turn down a request for a warrant that covers data that won't be readable for a decade or more.


Yes, you have to bring your block cipher unless you are 100% sure all the MTAs are using your e2ee scheme.

> I guess you're saying that an encrypted email could travel through a provider that keeps a copy of it in the hopes that quantum computers will one day be cheaply available enough that they can crack

No, I'm saying when you send the email, the next MTA might not use encrypted transport and any mailbox/mail spool/cache might not store the data encrypted in any way.

You can of course get E2EE if you use GPG (you always could), but if somebody doesn't know how to use GPG or uses it wrong, that is problematic.

You can also just broadcast your GPG block message via public/ham radio or even hire a skywriter to spend his day tracing out your GPG ciphertext as a huge QR code in the sky :-)


> since you can easily inspect the envelope for evidence of tampering

Except that's not true. Often envelopes can be opened and resealed without any trace, meaning contents can be read or changed.


You are right, it is possible, but it is definitely a little bit harder and you still get a chance to notice an anomaly (delay, marks, intuition even).


> I basically decided to just give up. Email is an insecure protocol and there's not much that can be done about it. Choosing a "secure" email provider feels like choosing a "secure" VPN provider: it's impossible to verify the provider's claims so it's a kind of security theatre.

Notionally, I would imagine something that looks like "email" and acts like "e-mail" (to the end user) could eventually exist that provides the same (conceptual) security that the Signal protocol provides (and perhaps a hosting provider option that's the same level of user confidentiality that we get from the Signal Foundation), although you're correct that foundationally it would be a different protocol. Backwards-compatibility would be required, at least for seamless transition (perhaps represented as "secure" and "plaintext").

Wasn't Ladar Levison (the individual behind Lavabit) working on something like this? https://darkmail.info/


A number of features I expect from e-mail seem somewhere between hard and impossible to achieve if you insist on the "your server cannot be trusted, either" model of operations, though:

- The ability to log in from multiple devices (using both dedicated clients and webmail) and subsequently being able to immediately access all my old messages, too.

- Global filtering, tagging, folders, read/unread tracking etc.

- Full-text search that doesn't require downloading all messages to your local device beforehand.



