I have a couple of goals for my email setup:

• It should be reliable
• It should help protect my privacy by:
  • not unnecessarily exposing the contents to my discussions*
  • allow aliases to prevent easy cross-correlation between different sites**
• Managing aliases should be easy
  • It should be easy to set up new aliases (possibly with a “catch-all” address, where all emails for the domain go)
  • Replying from an alias should be easy (or at least possible)

Which leads me to my current setup: use simplelogin.io from Proton with a fallback to Cloudflare Email Routing.

Advantages of this setup

• Both Proton and Cloudflare are trusted companies (though this can be subjective, but I certainly rank them higher than the FAANGs)
• The simplelogin software stack is open source, which means that it’s better audited and theoretically I could run it on my own if it makes sense
• Both providers promise to only forward, never store your email
• Simplelogin also provides some generic domains, which means that I can hide even more “in the crowd”, but using those generic domains when creating low-value accounts
• Replying through a simplelogin account is simple (you “just reply” to the email), though it has some funkyness to it (simplelogin rewrites the email address to “man in the middle” the communication to achieve this – then again, it also includes the original email address in a custom email header)
• Simplelogin has some advanced features (like “send email from this address to multiple recipients) that can be useful for families for example (where both parents want to get the communication from the school)
• Simplelogin also has Bitwarden integration

Details of the setup

The description of the setup is probably shorter than the list of advantages, which is probably a good thing 🙂

• Get a domain and “link it” to Cloudflare (aka. point the nameservers to the Cloudflare ones)
  • I’m assuming here that you already have a Cloudflare account
  • I’m also assuming here that you want to have a custom domain. If not, and just want to use the domains provided by Simplelogin, just create an account with them, done
  • Since I would like to separate my (little bit public) persona from my private persona (ie. why should Amazon know that the person ordering a book from them also runs a blog?), I also have a secondary, more private domain set up this way, in addition to grey-panther.net.
• Enable Cloudflare “Email Routing” for your domain
• Enable “Catch-all” for Cloudflare Email Routing and configure it to send to the preferred email address
  • Remember that this is just a fallback / backup solution, normally emails wouldn’t be routed here
• Enable DMARC in Cloudflare to get some reports about bouncing emails. Alternatively you can use a third-party DMARC service like easydmarc.com to get periodic reports about potential email problems
• Now go to your Simplelogin account and start setting up the domain
• To set the MX records for the domain, you’ll need to go to Email > Email Routing > Settings in Cloudflare and click on “Start disabling”
  • Click “Unlock and keep DNS records”! This will allow us to use the Cloudflare email servers as backups later
• Now continue with the Simplelogin DNS setup
  • Since the Simplelogin MX servers are added with priority “10” and “20” respectively, it means senders will generally prefer them and only fall back to Cloudflare if the simplelogin servers are not available
  • After you finish the setup of the domain in Simplelogin, you probably want to go to said domain > settings in Simplelogin and enable “Auto create/on the fly alias” (Catch-all)
• Now we want to do a bit more tweaking to the DNS entries in Cloudflare:
  • We should update the SPF record to: v=spf1 include:simplelogin.co include:_spf.mx.cloudflare.net -all
  • (this allows Cloudflare to also forward emails when it acts as a fallback email server. Also, this says that emails for the domain not coming from the enumerated set of servers should be dropped. If you want to be less strict, you can use “~all” instead of “-all”. You can use tools like the SPF Record analyzer to double check that the SPF record is well formed)
  • Update the _dmarc record if you want to use EasyDMARC.com as instructed by the site. You probably want to set “p=reject” here.

That’s it! Here is again a the relevant DNS records for grey-panther.net:

;; CNAME Records
dkim02._domainkey.grey-panther.net. 1 IN CNAME dkim02._domainkey.simplelogin.co.
dkim03._domainkey.grey-panther.net. 1 IN CNAME dkim03._domainkey.simplelogin.co.
dkim._domainkey.grey-panther.net. 1 IN CNAME dkim._domainkey.simplelogin.co.

;; MX Records
grey-panther.net. 1 IN MX 20 mx2.simplelogin.co.
grey-panther.net. 1 IN MX 10 mx1.simplelogin.co.
grey-panther.net. 1 IN MX 147 amir.mx.cloudflare.net.
grey-panther.net. 1 IN MX 119 linda.mx.cloudflare.net.
grey-panther.net. 1 IN MX 163 isaac.mx.cloudflare.net.

;; TXT Records
_dmarc.grey-panther.net. 1 IN TXT "v=DMARC1;p=reject;rua=mailto:[email protected];ruf=mailto:[email protected];fo=1;"
grey-panther.net. 1 IN TXT "v=spf1 include:simplelogin.co include:_spf.mx.cloudflare.net include:sites.nearlyfreespeech.net -all"
grey-panther.net. 1 IN TXT "sl-verification=xznetmbmfgmkinlnopzlakneigjhzk"

Who can spy on me? (aka. threat model)

Nothing is perfect, and I’m enabling quite some people to spy on my in the worst case:

• Both Proton and Cloudflare can decide to log my emails
  • Although Cloudflare is only a “low priority backup server” in this setup, if we assume that they are acting maliciously (or somebody took control of my Cloudflare account), they can remove the Simplelogin MX records and force email to be forwarded to whatever system they control.
• If the hardware that runs Proton / Cloudflare services is compromised, I have the same problem
  • Although, hopefully, I’m too small of a fish for somebody who pulls that off to target me specifically (this goes back to “hiding between all the people)
• My domain registrar (or somebody who gets access to my account there) can decide to repoint my domain to different nameservers that serve different MX registries
  • Not too much to do – just have complex passwords, 2FA and hope that the security of the registry / registrar is good enough
• The final destination of the emails
  • I host the final address everything is forwarded to in the cloud, so that means that the specific cloud provider also has access to everything. I could use a different solution, but for now the sync-in between devices is just too convenient…

Alternatives considered

• Self hosting email infrastructure
  • This would have given me the ultimate flexibility, but it would have also tasked me with monitoring and updating the service
• Using a “catch all” email address with Google Workspace / Google Apps / whatever it’s called this week
  • It’s not all to difficult to set up
  • However, it requires a separate Workspace account that doesn’t work well with many other Google products
• Migadu
  • Run out of Switzerland, just like Simplelogin/Proton
  • Can pay for it, just like Proton, to hopefully ensure that they’re around longer
  • However less well known, so I don’t feel like I have a good insight into “how they tick”
  • They’re more a “let’s make email hosting simple” kind of company, rather than focusing on privacy, which means they don’t provide additional “generally used” domains (which could be used to better hide in the crowd)

* Yes, unencrypted email can be considered mostly public anyway – still, basic security precautions like making sure that your email server speaks SSL/TLS for incoming and outgoing emails is useful.

** So, if I sign up with [email protected] for two different sites, it’s easy to conclude that it’s one person who owns both accounts. However if I use [email protected] for one site and [email protected] for the two different sites, it’s much less clear that there is the same person behind them.