I’ve been asked to compare Mailbox.org and ProtonMail ever since I published my review of Mailbox.org. Both of these email service providers focus on customer privacy. Both offer webmail front ends with support for Pretty Good Privacy (PGP) end-to-end encryption in addition to PGP for at-rest encryption of all messages directly from the web browser.
So how do these two services with similar goals compare head to head?
The two services at a glance: Mailbox.org is a general purpose feature-rich budget email service provider that offer optional privacy features comparable with ProtonMail. ProtonMail is a more basic service that focus more on providing privacy by default at the expense of standards and compatibility.
I’ll start by comparing prices before I begin comparing the feature sets as this will be the deciding factor for many prospecting customers.
ProtonMail puts a premium price on privacy that makes it a luxury commodity compared to Mailbox.org’s more affordable prices. I’ve put together two comparable price comparison examples based on my own needs (3 custom domains, 3 address aliases, and catch-all addressing).
The daily cost of ProtonMail in this price example is equivalent to a single Nespresso coffee capsule, and Mailbox.org costs the same as 3 cups of plain-old instant coffee. Which may sound like a bad analogy, but the coffee capsule system provides the drinker with a cleaner experience while having a worse impact on the environment. Mailbox.org may not provide the same packaged experience as a coffee capsule system but you get the same job done and more value for your money.
Mailbox.org only uses renewable energy and its interoperable with any standard compliant coffee maker email client. ProtonMail feels more like a coffee capsule system that locks you into their more expensive product that doesn’t really do anything extra with an a more negative impact on the environment.
ProtonMail does offer a cheaper plan but then you can’t use catch-all addressing and is still more than double the cost of Mailbox.org’s plan. Mailbox.org’s cheapest plan is only 12 Euro/yr.
ProtonMail is over three times more expensive than Mailbox.org with these requirements. If you need additional domains, aliases, or storage the next level up makes the price discrepancy become even more obvious.
At this service level, ProtonMail costs almost seven times more than Mailbox.org, and you get 5 Gigabytes less storage but double the number of aliases. You can pay 18 Euro/year more at Mailbox.org and get 50 Gigabytes. ProtonMail’s plans stop at 20 Gigabytes.
You don’t get anything other than additional storage at Mailbox.org, but ProtonMail bundles in their ProtonVPN service, a Virtual Private Networking (VPN) service.
Super brief PGP — the industry standard for email encryption — primer: Each person needs to have a private key that only they have which is used for decryption, and a public key which they can give to others who can use it encrypt things that only the corresponding private key can decrypt.
ProtonMail encrypts your own copies of sent and received emails when it’s stored on their servers using PGP. ProtonMail also end-to-end encrypts emails between ProtonMail customers. This is all done automatically since ProtonMail both manages customer’s private keys and maintain a database of the public PGP keys for each of their customers.
This does mean that incoming emails from other email services are unencrypted before they arrive in your ProtonMail inbox, and it also means outgoing emails to other email services by default are sent unencrypted. You can manually setup encryption to other recipients by giving someone your public key and adding their public key to your ProtonMail address book. After having completed that hideous process, you can send end-to-end encrypted messages to recipients on other email services.
ProtonMail handles all of the above in their webmail and mobile apps. However, you can’t use standard email clients without running a copy of their ProtonMail Bridge program (available for macOS and Windows only) on your local computer. Bridge will handle the PGP key management on the your behalf assuming the correct keys are known to ProtonMail. I other words, you don’t always know whether emails to other email services will be encrypted or not as you have no indicators for this before your send the email with a standard email client.
The manual key management process described above is the default trust model which PGP relies on when you use any other email service or email client. It’s the method you can use with Mailbox.org’s webmail and with any standard PGP capable email client.
Mailbox.org doesn’t do any PGP management by default. You can enable a feature they call Mailbox.org Guard and another feature they call Inbox encryption. When you enable Mailbox.org Guard you need to either upload a private/public PGP key pair of your own or let Mailbox.org create one for you. To enable inbox encryption, you’ll need to set a public PGP key which Mailbox.org will use to encrypt all incoming emails before storing them in your inbox. You can use the same public key for inbox encryption as you use with Guard.
When you’ve enabled Guard you can manually import your contact’s public keys and start sending them encrypted messages from Mailbox.org’s webmail. You can then also use the same PGP key pair you use with Guard in your preferred email clients and apps.
The most expensive plan at ProtonMail (the second price example provided above) also includes their ProtonVPN service. This can be useful if you need to access the internet via untrusted network such as a café or at an airport.
Every plan with Mailbox.org includes a full suite of productivity tools including an office suite (word processing, spreadsheets, and presentations) in addition to some private hosted storage space, notes and task tracking, a calendar, and even XMPP (“Jabber”) chat services. These things make Mailbox.org more useful if you want to replace the services of another online giant like Apple, Google, Microsoft, or Yahoo.
Both Mailbox.org and ProtonMail can optionally encrypt messages to non-PGP recipients and send them a link to a temporary mailbox on the web were they can decrypt the message. This requires you to have another, presumably secure, way of delivering the decryption password for those messages.
I can’t really see any use case where this would be useful, however. If you already have another secure communications channel that you trust enough to send them a decryption password; why would you ever want to send them an email with a link to an encrypted message?
You’re ultimately paying for pretty much the same email service whether you pick Mailbox.org or ProtonMail. Whichever service you chose, you’ll need to learn how PGP works as neither services can magically make this complicated technology easy to use.
I personally value open standards and data portability, and for this reason alone I’d choose Mailbox.org over ProtonMail as the latter has sacrificed interoperability in some areas for design and a modest improvement in convenience.
ProtonMail may be the better choice if you intend to only use their app and webmail as I find their user interfaces are better designed than Mailbox.org’s but you’re also a hefty premium to get locked into one vendor’s products. You’ll definitely get more for your money with Mailbox.org than you do with ProtonMail.
A complete guide to Internet privacy