CounterMail Review | How secure is this secure email provider?

CounterMail is a secure email supplier based mostly in Sweden. This is a nation where the government is slowly turning into more invasive, and the place it is attainable for privateness providers to be compelled with a warrant to reveal details about their users. It is also a nation that has been uncovered for working with the US authorities.

Regardless of this, this email supplier has a robust popularity. The firm claims to concentrate on providing a simple Webmail service that is each secure and straightforward to use. In principle, this makes the service good for learners trying to transfer over to encrypted email from Outlook or Gmail.

What’s more, an off-the-cuff take a look at its web site seems to reveal a provider that places knowledge privateness and security first. So, is this email provider all it is cracked up to be? And is it value spending your hard-earned money on?

How a lot does CounterMail value?

CounterMail lets customers attempt the service for seven days without spending a dime Nevertheless, the agency does point out at that there are specific limitations:

countermail trial accounts

Premium accounts could be purchased for three subscription durations, all those plans include the same features and four GB of encrypted space for storing. A six-month subscription costs $29, a one-year subscription costs $49, and a two-year subscription will set you again just $79.

These prices usually are not excessively expensive. Nevertheless, they’re more pricey than other notable providers like Tutanota and Posteo; which each provide their providers for $13.68 per yr.

Anybody who needs to use a custom domain will need to pay a onetime payment of $15. This is commonplace, as many secure email providers do cost a flat fee for bringing throughout (or establishing new) custom domain identify inboxes.

Any consumer who struggles with the 4 GB storage capacity has the choice to increase their inbox. Users can go for between 250 MB and 1.75 GB of additional area. This is charged as a one-off flat price to broaden the storage capacity, and prices $19 for 250 MB, $35 for 500 MB, $59 for a GB extra, and $89 for 1.75 GB. This is not massively concerning contemplating that it is a one-offfee.

Funds for subscriptions could be made by way of bank card, Paypal, wire switch, or Bitcoin. The option to make use of Bitcoin can permit individuals to subscribe privately as long as additionally they use a VPN to hide their IP.

countermail website

Options Overview

  • OpenPGP encryption
  • Help for PGP/MIME
  • Diskless net servers
  • Secure varieties
  • Android, Home windows, MacOS X and Linux help
  • Dynamic aliases
  • Message filter / Autoresponder
  • Anonymous email headers
  • IMAP for using third-party shoppers
  • USB key choice
  • Password supervisor
  • Customized domains supported
  • XMPP chat server
  • Bitcoin payments accepted
  • XMPP chat server


CounterMail is a secure email provider based mostly and hosted in Sweden, a location that is not thought-about sensible for privateness resulting from ongoing obligatory knowledge retention directives that pressure ISPs to retailer net shopping histories and metadata for six months. Nevertheless, it is value noting that these directives do not immediately affect email suppliers, and it truly seems that Swedish ISPs are refusing to cooperate anyway.

Sweden is a part of the higher 14 Eyes surveillance settlement, which means that it does cooperate with 5 Eyes members to carry out surveillance. What’s more, a regulation passed in 2009 (Försvarets radioanstalt, FRA) permits the Nationwide Defence Radio Authority to wiretap all phone and Internet visitors that crosses Sweden’s borders for national security reasons. Whereas the regulation is supposed to apply solely to international net visitors, FRA has been used to justify indiscriminate bulk knowledge assortment.

Swedish authorities also have the facility to pressure a provider of encrypted providers to “order a person with knowledge of a computer systems’ function or of measures that are used to protect the [desired] information, to provide information that is necessary to enable the execution of the warrant.” So, it is potential that CounterMail might theoretically be served a warrant that forces it to decrypt any emails which are encrypted at relaxation.

Thankfully, CounterMail supplies full end-to-end encryption for its service, which means that customers can choose to regulate the keys to their email knowledge themselves. This takes the facility to decrypt emails out of CounterMail’s palms and signifies that the Swedish government would not be capable of compel the firm to offer entry to that email knowledge.

Then again, you do need to trust that CounterMail is doing what it promises together with your encryption keys (and that the software doesn’t covertly move your password and keys to the agency). Unfortunately, that is a blind leap of religion, because CounterMail runs on closed supply software that is not publicly out there and has by no means been audited by a 3rd social gathering. As is the case with all closed supply privacy providers, this could also be enough to place some individuals off the service.

What’s extra, CounterMail does require users to delete their personal key from its servers (which suggests it is there to start out with, which undoubtedly rings some alarm bells). Additionally, we asked the firm about updating my PGP keys to ones we already hold, and the firm advised me:

counter mail customer service

The mere suggestion that they want us to email them our personal key is bizarre, the whole level of PGP is that solely you maintain your personal key, eliminating the need to trust any third events. So, why does CounterMail appear intent on introducing that component of belief?

As is all the time the case with email, some metadata (the topic, IP tackle, to/from, DKIM signing info, References header, and so forth) is accessible to the email supplier so as to provide the service of sending the emails, and this knowledge might theoretically be harvested or handed to the authorities.

To considerably mitigate towards this drawback, CounterMail scrubs all IP handle from the header of emails. CounterMail also promises by no means to log buyer IP addresses on its servers. Thus it is one of many few email providers that may be thought-about no logs. To realize this, CounterMail makes use of diskless intermediary servers to wash IP addresses before passing encrypted messages alongside to its bare metallic servers. This “filter” system ensures that no IP addresses are ever recorded to an organization onerous drive accidentally.

We checked on-line for the firm’s privacy policy, however the hyperlink within the footer of the web site doesn’t link to a proper policy, which is greater than trivial. A full GDPR compliant coverage would make this service much easier to advocate, especially contemplating it is an EU company.

Lastly, the agency uses no cookies on its website, and Privacy Badger detected no trackers. The firm additionally guarantees to delete all transaction knowledge within two weeks. Nevertheless, in case you pay with PayPal or a card, evidence of the transaction will exist elsewhere.


CounterMail is stated to be a custom roll-out of SquirrelMail (which is open supply GPL). Nevertheless, the agency was fast to level out that their modified version is closed source.

The service permits users to sign and encrypt emails inside their browser using absolutely audited OpenPGP encryption requirements. Attachments can be encrypted. Plus Countermail all the time encrypts every part that is stored at rest on its servers (including plain textual content messages).

CounterMail uses an ordinary implementation of OpenPGP. Full key management is obtainable for contacts but is unorthodox for updating your personal. Countermail is simply interoperable with all other PGP email providers and is able to ship encrypted emails as quickly as you open an account. PGP keys are generated in your browser and saved on CounterMail’s servers encrypted.

It is value noting that CounterMail does store your personal encryption key by default (in an encrypted state).

Nevertheless, it by no means stores your password which is needed to decrypt the key to entry messages. That does sound affordable and is perhaps a good trade-off for convenience, though it is undoubtedly more secure for the key never to go away your personal desktop. Users can choose to delete their key from the agency’s servers to store it regionally if they prefer.

It is value noting, that it is unimaginable to recuperate a CounterMail account for those who lose your password. The personal key is encrypted using your password, and each are necessary to access the account. For this purpose, it is very important to all the time keep in mind your password.

CounterMail is a Java setting webmail software that runs in your browser. Which means the service is weak to sure Java assaults (a server operator can push malicious code which the browser will simply settle for). To be truthful on Countermail, this is true of all Java and Javascript webmail interfaces. To avoid any potential exploits, will probably be vital to make use of IMAP or SMTP to access the service with a standalone third-party email shopper resembling Thunderbird or Enigmail.

It is value noting that it is potential to arrange email aliases on your account, this lets you set up random addresses that ahead to your most important inbox. These could be created for or domains. These short-term aliases might be deleted whenever you wish and can be utilized to guard your main inbox tackle.

Nevertheless, there is a security difficulty that comes with aliases used with CounterMail. In contrast to some other suppliers which blacklist an alias from ever getting used once more after it has been created, CounterMail permits them to be recycled. Which means after you shut an alias down, someone else might create the identical alias and end up receiving emails initially meant for you. This carries vital security and privateness dangers.

Finally, we checked the service using Qualys SSL Labs to verify the standard of its SSL/TLS implementation and have been comfortable to seek out that the firm scores A+. The firm additionally supplies safety towards SSL Man-in-the-Middle assaults by adding RSA and AES-CBC encryption beneath the standard SSL-protocol. As such, Countermail supplies 4 layers of protection for consumer knowledge: SSL encryption, Session encryption, OpenPGP encryption, and Server-side disk-encryption for knowledge at relaxation.

Additionally value a mention; you possibly can choose to buy a USB stick containing a keyfile to login into your account. This ensures that even if somebody phishes or guesses your password, they’ll never be capable of entry your account without the bodily dongle. This is the only form of Two Issue Authentication that the agency supplies.

Ease of Use

Getting a subscription with CounterMail is straightforward, and no previous email handle, telephone number, real identify, or other personally identifiable knowledge is wanted to set up the free email account. As soon as the 7-day free trial is over, you will want to provide cost, and, in the event you achieve this, the agency will know who you’re. Nevertheless, it does promise to delete this transaction knowledge after just two weeks, which is good. As well as, you possibly can elect to pay with Bitcoin for added privacy.

Once contained in the webmail interface, navigation is simple and customers are greeted with a welcome email that arrives encrypted with PGP. This message is decrypted routinely utilizing the PGP key that is generated whenever you enroll. Anyone that has an present PGP key can update their keys by emailing the agency and supplying their public key. This aspect of the service is nice for newbies.

Importing contacts is simply as straightforward. Merely, click on on contacts after which import them. CounterMail supports CSV and vCard formats with the intention to import from nearly any previous email provider. We discovered the perform to work and not using a hitch when using the CSV perform.

countermail import contacts

Importing and exporting encryption keys from inside CounterMail’s settings is also simple, and there are guides should you need them. Sending somebody an email utilizing Countermail will mechanically encrypt the message with the key present in your keyring. If no key is found you’re notified to let you understand that that you must add one.

What’s extra, sending messages to fellow Countermail users (or Hushmail users) doesn’t require you to already have the recipient’s key in your keyring. As an alternative, the service routinely fetches the important thing for you. This undoubtedly saves you time and permits you to ship secure emails to fellow users with ease, which, again, is perfect for newcomers.

It is value noting that in case you determine to delete your personal encryption key from Countermail’s server for safety causes, you will be unable to view message immediately within the webmail interface (main bug reported by customers). As an alternative, you will want to obtain the message as an attachment, reserve it as textual content, after which decrypt it regionally.

This is a bit time-consuming but is the only method to use the CounterMail with 100% management over your personal key. Again, this looks like CounterMail is forcing individuals handy over their personal key, which makes me uneasy.

If like us, you do want to delete your personal key from its servers you are able to do so by navigating to Settings > Preferences > Safety and Keys. Right here you possibly can choose to obtain your keys and delete the personal key.

countermail preferences

Whereas CounterMail is a bit brief on features when in comparison with many email providers, it does have a number of extras value mentioning. The Safebox function permits you to securely store notes, a Calendar is obtainable, and customers get using an XMPP chat server that is suitable with Jabba shoppers.

countermail safebox entry

Admittedly, nevertheless, it is a bit thin on the bottom when compared to many other providers (even ones that value round half).

Customer service

All clients are capable of ask the customer service workforce for assist utilizing the ticket system on its website. A notification for the response is despatched to your inbox. We asked a succession of straightforward and tough questions from the viewpoint of a beginner, to see how the workforce would react.

Responses often got here inside three to four hours, and the workforce appeared wanting to be both truthful and useful. This is a part of the service that is undoubtedly a plus. Nevertheless, do keep in mind that from our expertise customer help is only obtainable during European working hours, so depending on where you’re chances are you’ll need to wait longer.

An FAQ and Information Base is obtainable on its web site, which has numerous guides and solutions to necessary questions. Blogs that specify features of the service akin to its diskless servers and session encryption are nicely written and supply helpful info.


CounterMail is alleged to be straightforward to use, and in many ways it is. The automated allocation of a PGP key at sign-up is great and positively signifies that customers can leap in on the deep end and begin sending other CounterMail (and Hushmail) customers encrypted messages right out of the field.

Nevertheless, for anyone that already has a PGP key, changing the keys the agency mechanically allocates you – with one you could have already hung out sharing together with your contacts is not instantly obvious. The same goes for establishing CounterMail to work on a third celebration shopper by way of IMAP, it is attainable, however even following the instructions it might really feel a bit daunting.

Where additional features are concerned; the whole lot is out there within a number of clicks. Nevertheless, we will’t help feeling that there is one thing concerning the interface that doesn’t make a beginner really feel at house. It definitely doesn’t have the pleasing aesthetics of some of its rivals. Then again, it shouldn’t take long for anybody to rise up to scratch as a result of the firm does provide loads of help choices and guides.

On the entire, this service appears a bit thin on the ground when it comes to features considering the price. The truth that is closed supply is undoubtedly a disappointment, considering the emphasis that is positioned on privacy and safety all through its website.

If it all works as claimed, it is truthful to say that CounterMail is a particularly secure and efficient email supplier. The no IP logging is a non-standard function that places this provider in a relatively small group of secure email suppliers. But, you do should take CounterMail at its word, and, in case you are paranoid, this is a surefire deal breaker.

However, for those who want to de-Google and need a service that lets them start sending PGP encrypted emails without having to study something about key administration (so long as they will persuade all their buddies, relations, and contacts to also use CounterMail) this might present a very workable answer.