Table of Contents
- Why email privacy is harder than it looks
- Self-hosting reality check
- ProtonMail deep-dive
- Fastmail deep-dive
- Comparison matrix: 10 criteria
- Real TCO calculator for self-hosting
- Recommendations by profile
Why email privacy is harder than it looks
Email is a 40-year-old protocol designed in an era when network nodes trusted each other by default. SMTP, the transport layer, was defined in RFC 821 in 1982. IMAP appeared in 1986. Neither was built for confidentiality — both were built for delivery.
The practical consequences are still felt in 2026. An email in transit passes through at minimum two SMTP servers (sender's outgoing relay, recipient's incoming MX) and often three to five (intermediate relays, antispam gateways, archiving appliances). At each hop, the full message — headers, body, attachments — is accessible to the server operator unless TLS encryption protects the hop and zero-knowledge encryption protects the payload.
Headers are not protected by S/MIME or PGP. Metadata — sender, recipient, subject, timestamps, IP addresses recorded by mail servers — travels in plaintext in the SMTP envelope and the message headers even when message body encryption is active. A government agency with lawful access to a single relay can reconstruct communication graphs without ever reading message content.
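To see what this leaves exposed, the sketch below parses a PGP/MIME message and lists what a server operator can read without holding any key. It is an added example, not part of the original article; the message, addresses and IPs are constructed, and `relay_view` is a hypothetical helper name.

```python
import re
from email import message_from_string

# Constructed PGP/MIME (RFC 3156) message as a relay or mailbox server stores it.
RAW = """\
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS; Mon, 02 Mar 2026 09:14:07 +0000
Received: from laptop.sender.example (laptop.sender.example [192.0.2.44])
\tby mail.sender.example with ESMTPSA; Mon, 02 Mar 2026 09:14:05 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: Q2 source documents
Date: Mon, 02 Mar 2026 09:14:04 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext placeholder)
-----END PGP MESSAGE-----
--b1--
"""

def relay_view(raw):
    """Return what a server operator can read without any decryption key."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])  # one header per SMTP hop
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", " ".join(received))
    return {
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
        "readable_headers": {h: msg[h] for h in ("From", "To", "Subject", "Date")},
        "hops": len(received),
        "logged_ips": ips,  # includes the sender's client IP from the first hop
    }

if __name__ == "__main__":
    print(relay_view(RAW))
```

Running the same function over a message exported from your own mailbox shows which of these fields your provider or relay actually records.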
Attachments magnify exposure. A 10 MB PDF attached to an unencrypted message sits on the recipient's IMAP server indefinitely in plaintext. Most corporate email systems never expire attachments. Legal holds routinely preserve email attachments for 7–10 years.
Government compelled access has become the operational baseline for threat modeling. The US CLOUD Act (2018) allows US authorities to compel American companies to produce data stored anywhere in the world. Australia's Assistance and Access Act (2018) can compel providers to build access mechanisms. The UK Online Safety Act (2023) creates similar vectors. Jurisdiction is not a footnote — it is a primary technical variable.
The three options this article covers — self-hosting, ProtonMail, and Fastmail — address these threats in fundamentally different ways. Understanding the tradeoffs requires looking at the stack, not just the marketing page.
Self-hosting reality check
Self-hosting email means you operate the SMTP and IMAP servers. The most common stack in 2026 is Mailcow (Docker Compose orchestration of Postfix, Dovecot, Rspamd, ClamAV, SOGo, Nginx) or Mailu, a lighter alternative. Both are maintained open-source projects with active communities.
The setup is documented. The maintenance is not.
IP reputation is the highest ongoing cost. Fresh VPS IP addresses from Hetzner, Vultr, or OVH start with neutral reputation. Within weeks of sending, reputation is built or destroyed by delivery metrics. A spam complaint rate above 0.1% causes Gmail to throttle your outbound mail. Outlook/Hotmail uses IP blocklists that require manual delisting requests with 48–96 hour turnaround. In 2024, Google and Yahoo mandated DMARC enforcement for bulk senders. Non-compliant senders face automatic rejection, not spam-folder delivery.
The DNS record stack you must configure and maintain:
| Record | Purpose | TTL recommendation |
|---|---|---|
| MX | Directs inbound mail to your server | 3600 |
| SPF (TXT) | Authorizes sending IPs | 3600 |
| DKIM (TXT, 2048-bit key) | Cryptographic sender authentication | 3600 |
| DMARC (TXT) | Policy for SPF/DKIM failures | 86400 |
| BIMI (TXT, optional) | Brand indicator in inbox | 86400 |
| PTR (reverse DNS) | IP → hostname, set with VPS provider | varies |
Getting all six right at launch is achievable. Keeping them correct through server migrations, key rotations, and IP changes requires sustained attention.
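One way to catch drift in the three authentication records after a migration or key rotation is to lint the TXT strings themselves. The following is an added example, not from the original article or from Mailcow: the function names and the `example.org` records are constructed, and the DKIM size check is an estimate based on the DER length of the public key.

```python
import base64

def tags(txt):  # 'k=v; k=v' record (DKIM and DMARC syntax) -> dict
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(txt):
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    mechs = [t.lstrip("+-~?") for t in terms[1:]]
    redirect = any(m.startswith("redirect=") for m in mechs)
    # RFC 7208: more than 10 DNS-querying terms makes SPF return permerror.
    lookups = redirect + sum(m.split(":")[0].split("/")[0] in
                             ("include", "a", "mx", "ptr", "exists") for m in mechs)
    issues = [f"SPF: {lookups} DNS lookups, limit is 10"] if lookups > 10 else []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?") == "all"), None)
    # A bare 'all' means '+all'; with no 'all', only a redirect= supplies a policy.
    weak_all = all_term[0] not in "-~" if all_term else not redirect
    if weak_all:
        issues.append("SPF: no '-all' or '~all', unlisted senders are not failed")
    return issues

def check_dkim(txt):
    t = tags(txt)
    if not t.get("p"):
        return ["DKIM: empty p= tag (key revoked or record incomplete)"]
    if t.get("k", "rsa").lower() != "rsa":
        return []  # e.g. ed25519: the RSA size check does not apply
    # Size estimate: a 2048-bit RSA SubjectPublicKeyInfo is 294 DER bytes (1024-bit: 162).
    small = len(base64.b64decode(t["p"])) < 294
    return ["DKIM: RSA key smaller than 2048 bits"] if small else []

def check_dmarc(txt):
    t = tags(txt)
    if t.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    enforced = t.get("p", "").lower() in ("quarantine", "reject")
    return [] if enforced else ["DMARC: p= is none or invalid, no enforcement is requested"]

def lint(rec):
    return check_spf(rec["spf"]) + check_dkim(rec["dkim"]) + check_dmarc(rec["dmarc"])

# Constructed records; p= is zero-filled filler of the right length, not a key.
def _key(n): return base64.b64encode(bytes(n)).decode()
WEAK = {"spf": "v=spf1 a mx include:_spf.example.net ?all",
        "dkim": "v=DKIM1; k=rsa; p=" + _key(162), "dmarc": "v=DMARC1; p=none"}
FIXED = {"spf": "v=spf1 mx ip4:203.0.113.25 -all",
         "dkim": "v=DKIM1; k=rsa; p=" + _key(294),
         "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"}
```

`lint(WEAK)` returns one finding per record and `lint(FIXED)` returns an empty list; feed it the strings your resolver returns for the domain, the DKIM selector and `_dmarc` to check a live deployment.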
Time tax: honest estimate. Based on community data from r/selfhosted and several sysadmin forums surveyed in Q1 2026:
- Initial setup (Mailcow on a clean VPS): 8–12 hours for an experienced Linux user, 20–30 hours for a first-timer
- Monthly maintenance (updates, spam rule tuning, queue monitoring, certificate renewal, blocklist checks): 3–7 hours for a quiet server, 8–15 hours during deliverability incidents
- Annual key rotation and security audit: 4–6 hours
Total annual time cost: 55–100 hours/year for a single-domain personal deployment.
What you get in return: complete data sovereignty, no vendor dependency, arbitrary storage limits, custom spam filters, and the ability to run additional services (mailing lists, transactional mail) without per-message fees.
What you risk: deliverability failures when IP reputation degrades, data loss if backup procedures fail, and becoming a liability if the server is compromised and used to relay spam.
ProtonMail deep-dive
ProtonMail was founded in 2013 by researchers from CERN and MIT. Proton AG is incorporated in Geneva, Switzerland. The servers operate under Swiss federal law, specifically the Federal Act on Data Protection (revised FADP, in force September 2023) and penal code provisions that require a formal Swiss court order before any data can be disclosed.
Encryption model. ProtonMail uses asymmetric OpenPGP encryption for messages between ProtonMail users. Each account has a primary key pair generated client-side; the private key is encrypted with the account password and stored server-side in encrypted form. Proton cannot decrypt it without the password. For messages to external recipients (non-Proton addresses), ProtonMail sends standard SMTP — end-to-end encryption only applies within the Proton ecosystem unless you use the optional password-protected message feature, which generates a separate symmetric key shared out-of-band.
Zero-access encryption applies to all inbox storage: even forwarded external messages are re-encrypted with your public key on arrival. Proton cannot read stored messages regardless of legal compulsion, because they do not hold the decryption keys.
Limits of the model. The 2022 IP logging incident (Proton disclosed a French climate activist's IP to Swiss authorities under a valid Swiss court order) demonstrated that metadata — IP addresses, login timestamps — is not subject to the same zero-access protections as message content. Proton subsequently introduced a strict no-log option and mandatory VPN/Tor routing recommendation for high-risk users.
IMAP bridge enables use with any standard mail client (Thunderbird, Apple Mail, Outlook). The bridge runs as a local background process, decrypts messages from Proton's servers, and re-exposes them over localhost IMAP/SMTP. It works reliably on macOS and Windows; Linux support is solid as of 2024. Bridge is available on Mail Plus, Proton Unlimited, and Business plans — not on the free tier.
Pricing (2026):
| Plan | Monthly (annual billing) | Storage | Custom domains | Users |
|---|---|---|---|---|
| Free | €0 | 1 GB | — | 1 |
| Mail Plus | €3.99/month | 15 GB | 1 | 1 |
| Proton Unlimited | €9.99/month | 500 GB | 3 | 1 |
| Duo | €14.99/month | 1 TB | 10 | 2 |
| Family | €23.99/month | 3 TB | 10 | 6 |
| Business (per user) | €6.99/month | 15 GB+ | custom | ≥1 |
Calendar, Drive, and VPN are included in Unlimited and above, making it a competitive privacy suite rather than an email-only product.
Deliverability. Proton operates dedicated IP pools with maintained reputation. Outbound deliverability to Gmail, Outlook, Yahoo, and Apple Mail is consistently above 98% for transactional and personal messages in PrivSec Lab monitoring (Q4 2025–Q2 2026).
Fastmail deep-dive
Fastmail is an Australian company (Fastmail Pty Ltd, Melbourne), founded in 1999 — one of the oldest surviving independent email providers. It has never been acquired by an advertising company, which is notable in this market.
Privacy model. Fastmail does not sell data and does not run advertising. Privacy is contractual and trust-based, not cryptographic. Data at rest is encrypted at the storage layer, but Fastmail holds the keys. Under Australian law (Assistance and Access Act 2018, Telecommunications and Other Legislation Amendment Act 2018), Fastmail could be compelled to produce plaintext content or build interception capabilities. They have published a transparency report acknowledging this legal reality.
For threat models that do not include nation-state Australian government adversaries — which is the realistic scenario for most users — Fastmail's operational privacy record is clean.
JMAP. Fastmail co-developed and runs JMAP (JSON Meta Application Protocol, RFC 8620), the modern replacement for IMAP. JMAP is stateful, supports push notifications, batches operations efficiently, and typically reduces sync latency by 40–60% compared to IMAP for mobile clients. On iOS and Android, Fastmail's native apps feel meaningfully faster than Proton's bridge-dependent workflow.
Search is a significant differentiator. Full-text search on Fastmail returns results in under 300 ms for mailboxes under 50 GB. ProtonMail's search requires client-side decryption and is limited to metadata unless you enable encrypted search indexing, which stores an encrypted local index — functional but slower, particularly on mobile.
Standards compliance. Fastmail supports IMAP4rev2, CalDAV, CardDAV, JMAP, Sieve server-side filtering, and SMTP submission. It integrates cleanly with virtually every email client, calendar application, and contact manager. No bridge or special software required.
Pricing (2026):
| Plan | Monthly (annual billing) | Storage | Custom domains |
|---|---|---|---|
| Basic | $3/month | 2 GB | 1 |
| Standard | $5/month | 30 GB | 3 |
| Professional | $9/month | 100 GB | unlimited |
| Teams (per user) | $5/month | 30 GB | shared |
Fastmail is priced in USD. At current EUR/USD rates (~1.08), Standard is approximately €4.63/month — slightly cheaper than ProtonMail Mail Plus for more storage.
Deliverability. Fastmail's IP reputation is consistently strong. PrivSec Lab monitoring shows outbound delivery rates of 98.5–99.2% to major providers. Custom domain SPF/DKIM/DMARC setup is handled via their control panel with guided wizards — no manual DNS record construction required.
Comparison matrix: 10 criteria
| Criterion | Self-hosted (Mailcow) | ProtonMail | Fastmail |
|---|---|---|---|
| End-to-end encryption | Manual (PGP optional) | Yes (Proton-to-Proton) | No |
| Zero-access storage | Yes (you hold keys) | Yes | No |
| Jurisdiction | Your VPS location | Switzerland | Australia |
| IMAP support | Native | Via Bridge (paid) | Native |
| JMAP support | No (Dovecot roadmap) | No | Yes |
| Custom domain | Yes | From €3.99/mo plan | From $3/mo plan |
| Mobile app quality | Third-party clients | Good (native app) | Excellent |
| Calendar / contacts | SOGo (CalDAV/CardDAV) | ProtonCalendar | Yes (CalDAV/CardDAV) |
| Search latency | Fast (server-side) | Slow (client decrypt) | Very fast (server-side) |
| Annual price (1 user) | €144–216 (VPS only) | €48–120 | $36–108 |
| Deliverability (est.) | 85–96% (IP-dependent) | 98%+ | 98.5%+ |
| Anti-spam quality | Rspamd (configurable) | Proton-managed | Excellent, Sieve rules |
| Time cost/year | 55–100 hours | ~0 | ~0 |
Real TCO calculator for self-hosting
The self-hosting cost calculation that most blog posts omit is opportunity cost of time. Here is the full breakdown for a typical single-domain personal deployment on Hetzner infrastructure in 2026.
Hard costs (EUR/year):
| Component | Annual cost |
|---|---|
| Hetzner CX21 VPS (2 vCPU, 4 GB RAM, 40 GB SSD) | €89.76 |
| Domain registration (.com, Porkbun) | €10.00 |
| Offsite backup storage (Backblaze B2, ~10 GB) | €14.40 |
| SSL certificate | €0 (Let's Encrypt) |
| Monitoring (UptimeRobot free tier) | €0 |
| Hard total | €114.16/year |
Soft costs (at €40/hour opportunity cost):
| Activity | Hours/year | Cost |
|---|---|---|
| Initial setup (amortized over 3 years) | 4–10 h | €160–400 |
| Monthly maintenance × 12 | 36–84 h | €1,440–3,360 |
| Incident response (blocklist, deliverability) | 5–15 h | €200–600 |
| Annual security audit | 4–6 h | €160–240 |
| Soft total | 49–115 h | €1,960–4,600 |
Total annual TCO: €2,074–4,714
At these numbers, self-hosting only makes economic sense if:
- You enjoy sysadmin work and would do it regardless (time cost = hobby, not cost)
- You have compliance requirements that prohibit third-party data processors
- You are operating at scale where per-user pricing becomes significant (typically 100+ users)
For a privacy-conscious individual or small team, ProtonMail Unlimited (€119.88/year) or Fastmail Professional ($108/year ≈ €100) is the rational choice.
Recommendations by profile
Paranoid — maximum privacy, no convenience compromise
Use self-hosted Mailcow on a VPS in a jurisdiction you trust, behind a WireGuard VPN or Tor hidden service. Generate a 4096-bit RSA or Curve25519 PGP keypair. Require all correspondents to use PGP or communicate via Signal instead. Accept that your email address will be mostly useless for receiving mail from non-technical contacts and commercial services.
This profile is appropriate for journalists working with confidential sources, activists in high-surveillance jurisdictions, or security researchers. It is not appropriate for anyone who values deliverability or convenience.
Privacy-pragmatic — strong protection, real-world usability
Use ProtonMail (Mail Plus at minimum, Unlimited if you want the full suite). The Swiss jurisdiction, zero-access storage, and E2E encryption between Proton users cover the realistic threat model for most privacy-aware individuals. Pair with ProtonVPN to protect IP metadata. Use the IMAP bridge if you prefer a desktop client.
Cost: €3.99–9.99/month. Time cost: near-zero.
Productivity-first with strong baseline privacy
Use Fastmail Professional or Fastmail for Teams. You get excellent deliverability, JMAP speed, CalDAV/CardDAV integration, Sieve server-side filtering, and a 20+ year track record of not selling user data. The lack of E2E encryption is a real limitation, but the Australian jurisdiction risk is theoretical for most users.
Cost: $5–9/month. Time cost: near-zero.
Minimalist — email is a necessary evil
Use a private email alias provider (SimpleLogin, addy.io, or Proton's own aliases) to forward to a throwaway address. Accept that you have essentially no email privacy for inbound mail from unknown senders, and use Signal/Matrix for anything sensitive.
Cost: €0–3/month. Complexity: low.
For a broader overview of how email fits into a complete privacy-tooling stack, see our State of Browser Privacy 2026 pillar report. For device-level lockdown configurations, refer to our iOS Lockdown Mode JSC analysis.