
The best security for your privacy at mailbox.org

Privacy made in Germany.

We will do everything to protect you.

There are many ears listening on the Internet, which is why all our services require SSL/TLS-encrypted data transmission. For additional assurance, we use certificates issued by DigiCert (check the padlock symbol in your web browser's URL field). But this is just the beginning – there is much more that we do:

  • Our crypto experts keep up to date on all significant developments, implement the best cryptographic algorithms available, and retire any mechanism that is found to be insecure. Furthermore, we exclusively use (EC)DHE key exchange, which provides Perfect Forward Secrecy (PFS), so that recorded data traffic cannot be decrypted at a later date.

  • In order to rule out data manipulation by third parties, we were one of the first providers to secure our domain with DNSSEC and DANE/TLSA. Moreover, whenever there is an opportunity to increase communication security further, we take it. For example, we use mechanisms such as HSTS, CAA, CSP, MTA-STS and X-XSS to effectively prevent "man-in-the-middle" attacks. This helps us make sure that your communication with our servers via SSL/TLS is truly secure.

  • Our systems protect your privacy by stripping from all outgoing mail any metadata about your web browser or e-mail client, as well as the private or public IP address of the sending host ("IP stripping").

  • We support anonymous use of the Internet and want to protect our users from needless data retention activities. For this reason, we offer advanced users a dedicated Tor Exit Node with Hidden Onion Services available at our data center.
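To make the DANE/TLSA mechanism from the list above concrete, here is an added example (not code from mailbox.org) of both sides of it: how an operator derives the TLSA record to publish for an MX host, and how a DANE-aware SMTP client checks a presented certificate chain against that record. The certificate bytes are constructed placeholders, not real DER; the usage/selector/matching-type semantics follow RFC 6698 and RFC 7672.

```python
import hashlib

# Constructed stand-ins for DER-encoded data (not real certificates): the leaf
# certificate of an MX host, its SubjectPublicKeyInfo, and its issuer's pair.
LEAF_CERT = b"\x30\x82\x01\x00" + b"constructed-leaf-certificate" * 4
LEAF_SPKI = b"\x30\x59" + b"constructed-leaf-spki" * 2
ISSUER_CERT = b"\x30\x82\x02\x00" + b"constructed-issuer-certificate" * 4
ISSUER_SPKI = b"\x30\x59" + b"constructed-issuer-spki" * 2
CHAIN = [(LEAF_CERT, LEAF_SPKI), (ISSUER_CERT, ISSUER_SPKI)]  # leaf first

def association_data(cert_der, spki_der, selector, mtype):
    """Certificate association data (RFC 6698 section 2.1): choose the subject
    (selector 0 = full certificate, 1 = SubjectPublicKeyInfo), then apply the
    matching type (0 = exact bytes, 1 = SHA-256, 2 = SHA-512)."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported selector/matching type")
    subject = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return subject
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(subject).digest()

def make_tlsa_record(usage, selector, mtype, cert_der, spki_der):
    """Presentation form of the record an operator publishes under
    _25._tcp.<mx-host>: 'usage selector mtype hexdata'."""
    data = association_data(cert_der, spki_der, selector, mtype)
    return "%d %d %d %s" % (usage, selector, mtype, data.hex())

def tlsa_matches(record, chain):
    """Check a presented chain (list of (cert_der, spki_der), leaf first)
    against one TLSA record as an SMTP client applying DANE (RFC 7672) would:
    usage 3 (DANE-EE) must match the leaf, usage 2 (DANE-TA) must match an
    issuer in the chain; usages 0 and 1 (PKIX-*) are not used for SMTP."""
    usage, selector, mtype, hexdata = record.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    expected = bytes.fromhex(hexdata)
    if usage == 3:
        candidates = chain[:1]
    elif usage == 2:
        candidates = chain[1:]
    else:
        return False
    return any(association_data(c, s, selector, mtype) == expected
               for c, s in candidates)
```

A real client would also run the DNSSEC-validated lookup and the TLS handshake first; the comparison logic above is the part that decides whether the connection is trusted.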

Too many technical abbreviations for your taste? Don't worry about it – it's not necessary to know everything about the technical details to be able to use mailbox.org. What is important is that we know what we are doing and that you can always wholeheartedly trust our expertise and experience.

We get only the best grades from external security experts

The Snowden revelations have shown that nobody can really trust SSLv3 connections or cryptographic mechanisms that have been broken in the past, such as RC4, MD5 or 3DES. If your provider uses any of those, you cannot rely on your communication being private. Check us against other providers on independent technology outlets: these are people who will not let anyone get away with weak security measures. When it comes to security, mailbox.org is constantly striving to achieve the best results.

The SSL test laboratory Qualys SSL Labs has awarded mailbox.org the grade A+.

The DANE SMTP Validator checks the DANE/TLSA encryption of our mail servers.

The Mozilla Observatory has awarded mailbox.org the grade A+.

Our BSI IT Security Labels

We were also able to impress the Federal Office for Information Security (BSI) with our service. The IT Security Labels confirm that we meet the BSI's consumer protection and security requirements for e-mail providers. In accordance with the requirements of the Technical Guideline "Secure E-Mail Transport" (BSI TR 03108, in German), the PREMIUM, STANDARD and LIGHT price plans bear the IT Security Label of the BSI, which can be checked by means of a QR code.

  • IT Security Label: mailbox.org PREMIUM
  • IT Security Label: mailbox.org STANDARD
  • IT Security Label: mailbox.org LIGHT


Secure transmission of your e-mails

E-mails should be protected during their transmission over the Internet. We know how to do that.

Security with good usability – developed by mailbox.org

We frequently review and rethink existing approaches to e-mail communication and security to identify opportunities for improvement, and then go and implement them! At the same time, we make sure our users have a say when it comes to their personal security preferences. Some of the innovations we introduced in previous years demonstrate this very well, and the fact that other providers have started copying our developments is a sign of our success:


TLS check

The mailbox.org web-mail client supports our TLS check, which reveals whether an e-mail that is about to be sent will be transmitted over secure SSL/TLS-encrypted connections – before it is actually sent! The check also confirms the encryption quality level of the receiving server and ensures that this level cannot be manipulated to drop anywhere along the way. Find out more about the mailbox.org SSL/TLS check in our knowledge base.

secure.mailbox.org

In addition to your ordinary e-mail address me@mailbox.org, we offer the alias me@secure.mailbox.org. Use this address whenever you wish to make secure transmission with SSL/TLS encryption mandatory. If secure transport to the destination is not possible, the message will not be sent at all. Find out more about @secure.mailbox.org in our knowledge base.


PGP encryption that is easy to use

Use encrypted communication every day without hassle.

PGP with your web-mail client. Anytime and everywhere.

PGP e-mail encryption has to work reliably but it must also be easy to use – on the go, when you are on holiday, on your mobile devices, as well as on that strange computer in your hotel lobby. mailbox.org offers the technological means to provide truly comprehensive PGP support with the added benefit that it is extremely easy to use without requiring users to have extensive technical skills. Security with a few mouse clicks is reality at mailbox.org.


Guard: PGP with Web-mail

PGP works with our web-mail interface and does not require the installation of any additional software. Users can access their e-mails securely wherever they are, even from public computers. If any of your communication partners do not use PGP, our Guard automatically provides HTTPS-secured guest inboxes for them on our servers.



Mailvelope: PGP browser plugin

Do you prefer storing your PGP key locally? No problem. As an alternative to Guard, our web-mail client fully supports the browser plug-in "Mailvelope", which works with Mozilla Firefox and Google Chrome, for example.



The encrypted inbox

Have you been sending or receiving non-encrypted e-mails with security-sensitive content? Then the encrypted inbox may be something for you. Once enabled, it uses your existing PGP key to encrypt all plain-text e-mails that you have sent and received. This protects your e-mail data even if someone manages to steal your password.



The PGP key server at mailbox.org

In order to make secure e-mail communication more convenient, mailbox.org operates a dedicated PGP key server (HKPS). In the past, PGP suffered from an acceptance problem as users found the process of exchanging keys with their communication partners too cumbersome. At mailbox.org, the verified public keys of our users can be retrieved automatically from our key server by anyone, including non-mailbox.org users. For more details, please refer to the knowledge base article The mailbox.org HKPS key server.

We are also widely involved in projects and initiatives that promote e-mail security: we are a founding member of the "TES - Transport E-Mail Security" initiative and a contributor to the project "Keys4All", together with partners such as the Fraunhofer Institute, the Landeszentrum für Datenschutz (independent center for data protection), the University of the Arts in Berlin, and the University of Kassel. The objective of the project was to develop new mechanisms for the reliable and automatic exchange of public PGP keys between e-mail providers. The results have also contributed to the WKS/WKD standard that is part of the GnuPG project.
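The WKD standard mentioned above lets a client locate a recipient's public key from the address alone, without asking a key server. The following added example (not mailbox.org's code) derives the lookup URLs as specified in the draft-koch-openpgp-webkey-service draft: SHA-1 over the lowercased local part, z-base-32 encoded, placed under the domain's .well-known path; the address Joe.Doe@Example.ORG is the draft's own worked example.

```python
import base64
import hashlib
from urllib.parse import quote

# WKD encodes the hash with z-base-32, which uses the same 5-bit grouping as
# RFC 4648 base32 but a different alphabet; map one alphabet onto the other.
_STD_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZB32 = str.maketrans(_STD_B32, ZB32_ALPHABET)

def wkd_hash(local_part):
    """z-base-32 encoding of SHA-1 over the lowercased local part (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    # 160 bits is exactly 32 base32 symbols, so no '=' padding is produced.
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZB32)

def wkd_urls(address):
    """Return (advanced-method URL, direct-method URL) for an address.
    The 'l' query parameter carries the local part as written (case kept),
    while the hash is computed over its lowercased form."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    query = "?l=" + quote(local, safe="")
    advanced = (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                f"{domain}/hu/{h}{query}")
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}"
    return advanced, direct
```

A client tries the advanced method first and falls back to the direct method if the openpgpkey subdomain does not exist; both responses must be served over HTTPS.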


Video: How does PGP work?

Video: The encrypted inbox

Privacy Made in Germany

We make sure your personal and business data is protected.

Data protection is in our DNA

Germany has some of the strictest data protection laws in the world. And we like that, because thorough and honest protection of your private and business-related data is our mission at mailbox.org. We take data protection very seriously and only ever collect the data that is absolutely necessary for the technical operation of our service. Whenever there is an opportunity to make do without your data, we take it. If you want to find out exactly what data we need to provide a secure e-mail service, check out our Data privacy statement.

Our servers are located exclusively in German data centers and are thus subject not just to German data protection legislation but also to the European General Data Protection Regulation. We have a TÜV-certified data protection officer who watches over our operations and makes sure that data protection compliance is not just an empty phrase but ingrained in all processes and partners - at mailbox.org and also at our external service providers, including our tax office, the cleaning service, and site security.

How we protect your data

  • Anonymous registration possible
  • Ad-free service and no revenue from user data
  • Anonymous payment methods including cash by mail or cash pay-in directly to our bank account
  • Clear and unambiguous communication about storage expiry / deletion deadlines for user connectivity data and log files
  • Anonymised mail headers where information about users, IP addresses, or software clients used has been removed
  • Aliases and one-time e-mail addresses
  • State-of-the-art encryption technology
  • Certified data protection officer

Protection from spam and viruses

We protect you: Our systems actively block spam, viruses, phishing attempts, Trojans, and other malicious software.


This is how we protect you from spam, viruses, Trojan horses, and other nasty stuff: our team of about two dozen administrators works in the background not just to maintain our systems, but also to analyze incoming spam and virus-infected messages and keep our protection filters up to date. If desired, suspicious e-mails can be rejected right away, before they get anywhere near your inbox. This provides not just peace of mind but also legal certainty if you are worried about compliance.

Your spam-free inbox

At mailbox.org, users benefit from our innovative spam filter technologies. There are several stages of filtering in place that make sure spam does not enter our systems and is prevented from cluttering your inbox. This makes for efficient use of server resources and reduces the amount of electricity we use.

Super-charged virus protection

We use multiple methods to check all e-mails for malicious software. We do not just check for known signatures but also take into account various metadata, such as sending methods and sender identities. This allows us to detect dangerous messages that ordinary anti-virus software might currently miss.


Legal compliance

People generally want to keep spam e-mails out of their inbox, as any virus infection may result in loss and legal liability. Our users can avoid this risk, as our systems check messages for spam or viruses as they arrive and can reject them outright. This provides better legal certainty for our users, as they cannot be held legally responsible for opening malicious e-mails that never entered their inbox in the first place.


Ad-free peace of mind

Are you concerned about ads that spy on your data or track your movements around the web? If you are with mailbox.org, you can relax: there are no ads, no tracking, no surveillance.

At mailbox.org, you don't pay for your inbox with your personal data

Our revenue comes exclusively from the monthly subscription fees we collect from our users. Therefore, we do not need to rely on selling your data to third parties. Our loyalty is entirely with our customers and not with any spying data-collecting marketing partners.

No ads

You will never receive any commercial advertising communications from us or any third parties we work with.

No content analysis

We are not interested in the content of your e-mails. There is no analysis of e-mails, not even for statistical reasons.

No unauthorised data access

Your data resides on our systems and we will not give data access to any unauthorised third parties.

Reliability

Dedicated infrastructure, secure data centers, and many years of IT experience to protect your data.

Experience you can trust

mailbox.org is run by the Linux experts of Heinlein Support GmbH, a German limited-liability company. Throughout our history, we have supported more than 5,000 businesses, large and small, on all matters of secure Linux server operation. Every year, hundreds of Linux administrators from the German-speaking countries attend the courses we offer at our Linux Academy in Berlin. We actively present and share our expertise at technical conferences, and our know-how has contributed to a number of books. You can rest assured that we know how to run servers securely and reliably.


We are small in size but big in security

Two admin teams

We have two separate teams of administrators who support each other in the administration of our systems and who staff our 24/7 emergency service. Our internal 24h service level response time across the 365 days of a year is less than 10 minutes per case on average.

Dedicated infrastructure

Our systems do not run on rented servers but on dedicated infrastructure located in secure data centers. Our computing and network hardware is our own, and it is run and maintained by us. Access to the data centers is secured by key cards, PIN codes, and biometric checks. Finally, there is security personnel on site to keep an eye on everything.

Separate locations

Our infrastructure is set up geo-redundantly at two different locations in Berlin, Germany. Of course, there is also an independent power supply in place. We maintain weekly backups of all servers and data to prevent and minimise data loss.

Excellent service history

In addition to automatic monitoring and system checks, our servers are frequently inspected by our administrators, who keep separate service protocols and reports on every system and make improvements whenever necessary.

24/7 Monitoring

Our trained specialists watch over server performance around the clock, with more than 15,000 key indicators monitored automatically. This makes sure any unusual activities, anomalies, or attacks are spotted quickly and dealt with appropriately.