I have now replaced Mailbox with Gandi

August 5, 2021

I have been using Mailbox since January 2021, and while their service succeeds with the core features as a reliable privacy-friendly email service, with support for all the basic features like two-factor authentication and filters, they still leave a lot to be desired.

One of the alternatives to Mailbox that I’ve checked out in the past is Gandi. It’s where I’ve housed my domains since 2015, and it would have been rather convenient to have my email there as well, especially since they offer two free email accounts with all their domains.

The reason I haven’t used their email service in the past is simply because they didn’t support two-factor authentication and filter rules. This is now something that they support and I decided to give them a chance right away.

It took me less than a day to decide that I wanted to switch over to Gandi. That was about a week ago now, and I still feel just as happy with the switch. I have now decided that I wanted to share my thoughts about it. So, this is not meant to be a proper review of any sort; it’s just my rambly thoughts.

My thoughts about Mailbox

I don’t want to get too nitpicky or sound too negative here, so I decided not to include all the weird quirks with Mailbox. Quirks like the fact that some settings are randomly split behind two different menus and only one of these menus is mobile friendly, or the fact that the web interface is sometimes utterly horrible to use. It contains bugs that actually make you feel like they’re not using the web interface themselves.

The good

  • Environmentally friendly.
  • Based in Germany. This is good from a privacy standpoint.
  • They use some open source software. They use software like Postfix, Dovecot and Open-Xchange, which are all open source software. Things that they’ve written themselves are not open sourced, which doesn’t sit well with me, but at least they use some open source software.
  • Affordable. They used to be more affordable, but they recently decided to up their prices a bit. Custom domains are no longer available in their €1 tier and you now have to pay €3 to get access to custom domains.
  • Support for CalDAV and CardDAV.
  • Catch-all aliases.

The bad

  • They’re mostly privacy-friendly. I think they want to do good, but they do stupid things that make you question their integrity:
    • They use Gravatar for their comments on news and FAQ articles. Gravatar allows mass collection of user info and is considered unethical and not privacy-friendly.
    • They use Google reCaptcha for the registration form!? If you’re selling a product that you claim to be even remotely privacy-friendly, do not use any service from Google, especially not their reCaptcha service. It’s a well-known unethical and privacy-invasive service[1][2][3].
  • Minimum contract period is 12 months for new customers. If you’re on an older contract like I was—who didn’t “upgrade”—you can still pay per month and you still get access to their old and cheaper plans.
  • The referral doesn’t benefit the referrer at all. The person you invite gets 3 months for free though. And to make things worse, you’re also forced to invite them by inputting their current email via the control panel on Mailbox, which means that they already need an email account to begin with. Every sane person knows that using a referral link and giving the referrer some kickback would have been a much better choice.
  • Not all features are available in the mobile version of, like managing filters.

The ugly

  • Filters are unreliable. I have added multiple rules that seem to get randomly ignored.
  • Their two-factor authentication could have been a lot better. It looks like the people behind Mailbox can be a bit ignorant, and they don’t seem to care that a lot of customers have requested proper two-factor authentication for years now[1][2].

    When you activate two-factor authentication with Mailbox, you can no longer use your password and your TOTP as expected, because your password is now replaced with a 4-digit PIN. They outright refuse to implement proper two-factor authentication support because it’s, according to Mailbox themselves, “insecure and unsafe” and the customers are basically too stupid to understand basic security.

  • No support for application passwords. This will never be a thing for Mailbox either, due to their “high security level”. I don’t work with security, so I don’t claim to be a know-it-all here, but how is it less secure to use your actual master password with an email client, rather than a unique and revocable application password for just that one email client? Other email providers, like Fastmail, even let you choose what each application password should be limited to: whether the password should have access to just IMAP and/or POP3, CalDAV, et cetera.

My thoughts about Gandi

I’ve had my domains at Gandi since 2015. I’ve always been happy with their service, and it’s nice to see that they’re actually actively working on improving their service as well. Their control panel and their services have been noticeably improved over the years. Not that I have ever been unhappy with their service.

The good

  • You get two free email accounts (with 3 GB of storage each) with any domain. You can get 50 GB if you’re willing to pay 1.75 EUR (excluding VAT) per month.
  • They use SOGo and Roundcube for their webmail. Both are open source and commonly used by others.
  • Unlimited aliases.
  • Filters that work.
  • Catch-all aliases.
  • Affordable. This depends on what domain name you get, but it’s possible to find top domain names like .eu for about 12 EUR (excluding VAT) per year. And if you pay 3 years (or more) in advance, you get a discount and the yearly price is then 10.02 EUR.
  • They promote open source.
  • Privacy and environmentally friendly. They help and support associations, companies, and alternative projects that share their ethics and values, including environmentalism, open source projects, and those who are helping democratize the internet and technology by protecting our digital rights.

    They support a lot of different projects and organizations like Ubuntu, OpenStreetMap and the Electronic Frontier Foundation. You can read more about it here.

  • Support for CalDAV and CardDAV.
  • Proper support for two-factor authentication.

The bad

  • No support for application passwords.

The ugly

  • Nothing.

If you like what I had to say about Gandi, and if you decide to give them a chance, feel free to use my referral link:

You get 75% off a Simple Hosting S+ pack and 20% off the purchase or transfer of a domain name. In return, I get a €5 promo code when you create your new account and complete your first order.

