A few days ago, I looked into Posteo, an email service provider. I had heard many good things about this very privacy-conscious service based in Germany and I had been getting curious about it.
While looking at the different features they were providing, I was not able to find any information regarding the possibility to use my own domain name, which is a deal breaker for me.
So I asked them about this point directly by email. I was then so surprised when they sent me a long and detailed answer!!
I also learned a few things by reading this reply, so I decided to share it here:
---
Hello Etienne,
Thank you for your interest in Posteo.
We understand your desire to have an all-in-one solution for both your emails and domain.
In Germany it's unfortunately not entirely possible to offer this without saving data. There have always been explicit exceptions for providers that exclusively offer email services regarding storage obligations that other types of providers are subject to. For example, there is an exception for email services in TKG (German Telecommunications Act) but also with the retention of data.
Because of this, we only offer services that can be realised without collecting and saving personally related inventory data or traffic data. This includes email addresses with Posteo domains as well as an address book and calendars.
As a matter of principle, we do not save any personally related data or traffic data to accounts in order to protect our customers (from data theft among other things). However, it is usually required for you to provide personally related data when registering a domain.
If you were able to use own domains with us, we would need to save inventory data to your account and create a respective interface for automated queries from the authorities. This goes against our concerns for privacy and security. Because of this, we cannot support own domains and focus on private customers. Because of regulatory provisions, there are only conventional providers in Germany (that store data) for the usage of own domains. If a service explicitly advertises with "data economy" or "with as little data as possible", it's recommended to have a look at their privacy policy. The term is unfortunately often used incorrectly with misleading advertisements. Usually it means that data is collected and saved regardless - even if on servers located in Germany, for example.
Nevertheless, we have a few tips for you:
If you would like to use your own domain, you should make sure that security features like DNSSEC (and therefore also DANE) are taken care of. Usually the maintenance of various security-relevant components like SPF, DKIM, DMARC or other delivery functions with own domains is left to the user. These cannot/should not be exclusively guaranteed by the provider. Admittedly, maintaining these technologies is generally not possible for most users.
For example, DANE is very important. This technology has existed since 2014 and it effectively prevents man-in-the-middle attacks. Without DANE, attackers (like secret services/hackers) can easily intercept the transport route encryption of your connection and read your emails.
DANE is also the basis for a directive of the BSI (German Federal Office of Security in Information Technology) for secure mail transportation, of which we were the first provider to be certified.
Should you still have a future interest in registering a Posteo address, we're happy to help.
Best regards,
Posteo Support.
---
I'll stick with my current email provider for now. But I'll definitely reconsider Posteo later in the future, when I need an email address not necessarily tied to a custom domain name.