CounterMail Review
CounterMail is a secure email provider that nails the basics beyond a doubt, but just doesn't have the bells and whistles to compete with market leaders like ProtonMail and Tutanota. Still, though, it may hit the spot for you; read our full CounterMail review to find out.
CounterMail has been around for a while, founded some 12 years ago in 2008 by Simon Persson. The development team behind it has kept up since then, with no more than a few months between each major update. From what we can tell, though, very little has changed about the service since its debut.
In this CounterMail review, we’re going to see if the service has what it takes to make it onto our most secure email list. We’ll detail our experience after spending some time with it, covering features, pricing, security, privacy and ease of use. At the end, we’ll give you our verdict.
The short of it is that, although CounterMail gets the basics right — with a few unique features, to boot — it’s too far behind the competition. If you want a modern email service that doesn’t compromise on usability or security, make sure to read our ProtonMail review.
Strengths & Weaknesses
Pros:
- Man-in-the-middle attack protection for SSL/TLS
- Built-in password manager
- USB authentication
- Custom domain support
- OpenPGP encryption
Cons:
- No native apps
- Not open source
- Expensive
- No free plan
Features
CounterMail doesn’t have too many features, outside of a few extra security goodies, which we’ll get to in the appropriate section below. You can use multiple aliases on your account, there are message filter settings, spam settings and an autoresponder. Some other email features we’ve become accustomed to, such as a secure calendar, aren’t included, though.
There are two standout features, even if they’re not all too relevant. The better of the two is support for forms. You can create forms for your website, encrypt the responses and tie them to your CounterMail account. Tutanota, another service with this feature, charges for it (read our Tutanota review). With CounterMail, it’s included with your subscription.
However, CounterMail’s implementation is nowhere near as fluid. You’ll need basic HTML knowledge to get started, and you’ll have to build your form from scratch. For reference, here’s the page that explains how to set up a form.
The other feature is a password manager, which CounterMail calls the “safebox.” It’s secure, at least based on the limited security information CounterMail provides, though it pales in comparison to our best password manager, 1Password (read our 1Password review).
Although it’s nice to see a password manager, it’s better to use a third-party one, especially with so many free options floating around.
Not Open Source
CounterMail has a clear dedication to open-source tools, which is always great to see. The website has proper licensing to open-source projects and proudly labels the tools that CounterMail uses. However, CounterMail itself is not open source.
We’re not questioning CounterMail’s security, but having more eyes on the code is always better. In a market where other secure email services almost immediately publish their codebase, CounterMail is behind.
No Native Apps
One of the biggest issues here is that CounterMail doesn’t have any native apps. Most other secure email services skip out on either mobile or desktop (usually the latter), but we rarely see a service with no native apps at all. You’re restricted to using the web app or a third-party app with IMAP.
This is beyond confusing, considering CounterMail lists “Android phone compatibility” as a key feature of the service. Worse, when you click the “info” button next to this feature, it shows you how to set up CounterMail specifically with the open-source K-9 Mail application. K-9 Mail is a fine email app, and we don’t have a problem with that, but it’s not the only Android email app with IMAP support.
As we’ll see throughout this review, CounterMail is an email service that feels like it should be free. If it were, we’d have no problem with the rough edges. However, in addition to being a paid-only service, it’s also pretty expensive.
CounterMail Features Overview
Encryption | RSA, AES, OpenPGP |
End-to-End Encryption | |
Zero Knowledge | |
Custom Domain Support | |
Supported Platforms | Web |
Open Source | |
Free Plan | |
Knowledgebase | |
Email Support | |
Live Chat Support | |
Phone Support | |
Forum |
Pricing
CounterMail doesn’t have a free plan, which automatically places it in the same category as Hushmail (that is, below ProtonMail and Tutanota). All new accounts are entitled to a one-week free trial, but after that, you’ll have to pay up. CounterMail certainly isn’t cheap. However, it justifies the subscription cost.
There’s only a single plan, and it’s available in three durations. CounterMail offers a slight discount for the longer durations, but it’s not huge. Prices range from just under $5 per month on the six-month plan to just over $3 per month on the two-year plan.
Still, CounterMail allows you to buy two years of service at once, which is something most other email services don’t offer.
CounterMail also offers tiered discounts, which most other email services don’t provide. The prices above are for a single account (the only difference between them is duration).
If you want to buy multiple accounts, you’ll get a discount. Five accounts is the minimum, offering a 15-percent discount overall. However, you can get as much as 45 percent off if you need 100 accounts or more.
Despite CounterMail’s upsides, there are a few problems with the pricing. First, there aren’t any multi-user plans. You can purchase multiple accounts, but those are separate accounts; there isn’t a local way to manage them all. Furthermore, there isn’t a monthly subscription. The lowest amount you can possibly pay is $29.
The problems don’t stop there. If you want to use your own domain, there’s an additional $15 setup fee. If you need multiple accounts — not email aliases — you’ll have to go through the whole process again, separately.
Thankfully, you don’t just have to buy CounterMail in the dark. There’s a 14-day money-back guarantee on top of the week-long free trial. That’s just for the core service, though. One-time fees for domains and extra storage space aren’t refundable.
Ease of Use
A quick look at the CounterMail website all but proves the service isn’t for newcomers. Frankly, the website is a nightmare. There are links everywhere, half of which don’t lead anywhere. The other half lead to live pages, but the same recycled few on the CounterMail website, as well as some Wikipedia entries. It’s clear software developers created the website, not website designers.
Thankfully, signing up isn’t too difficult, with multiple links to the register page plastered around the website. However, they do have the same olive-green color as all of the other links, so finding them is a trial in patience.
Once you’ve chosen a username and set your password, you’ll be booted to the webmail screen. The layout is fairly standard, though the design is woefully out of date.
Like the website, the email application adopts a color scheme and design reminiscent of Swordfish, like you’re piloting some sort of hacker super program. By modern standards, though, it doesn’t reach any heights above passé.
Outside of the design, navigating the web app isn’t too difficult, though it’s not as responsive as we’d like. The main problem — which we also experienced during our Mailfence review — is that CounterMail doesn’t explain how to properly encrypt your messages. The setting is enabled by default, and between OpenPGP services, CounterMail works without any issues. With other email services, though, it’s a hassle.
There are some other, smaller issues with the web app, too. For instance, emails sometimes show up with different fonts. Some sport a rougher, Courier-style look, while others appear much more rounded, similar to a font like Arial or Roboto. It seems like this is to differentiate encrypted versus nonencrypted messages, but again, CounterMail doesn’t explain any of this.
For those who’ve used OpenPGP email services before, CounterMail is fine, so long as you’re willing to look past its dated sensibilities. For usability, the biggest problem comes from the fact that CounterMail is disinterested in walking you through the application. If it were a free program, we’d understand, but it’s not.
Services like ProtonMail and Tutanota not only have a more modern look, they also have free versions, and they’re much more accessible for newcomers. You may like the look of CounterMail, and that’s fine. However, there’s no denying that it’s behind the curve from a usability standpoint.
Security
CounterMail touts security above all else, though it has a fairly standard setup. It uses OpenPGP for true end-to-end encryption, with an SSL/TLS layer for transferring messages across the internet (standard stuff for email security).
To protect against any exploits during transit, CounterMail also uses AES and RSA to encrypt the session before sending it over the SSL/TLS channel.
Before any of this can happen, though, you need to log in to your account. CounterMail doesn’t store your login credentials; instead, it verifies your password using a value derived from a hash (read our description of encryption for more). This type of zero-knowledge model ensures that CounterMail can’t decrypt your emails, even if it wanted to.
We have some questions, though. For instance, CounterMail says it uses 4096-bit keys on the homepage, but on the “how it works” page, it references 2048-bit encryption. Practically, the key size makes little difference, but still, the inconsistency brings up questions that wouldn’t be there otherwise.
Then there’s the man-in-the-middle protection (the extra encryption before the SSL/TLS channel). If someone is using a fake certificate, they could spy on your connection, which is true no matter if you’re using CounterMail or transferring money with an online banking service. It’s not a problem unique to email.
The extra protection really shouldn’t matter, though, considering CounterMail encrypts your data at rest. Like the diskless servers, which we’ll get to in a minute, the extra encryption on the SSL/TLS connection is welcome, though its relevance seems niche, at best.
Diskless Web Servers and USB Keys
The two big security features for CounterMail are diskless web servers and USB key support. Starting with the former, CounterMail operates its web servers without any hard drives.
It’s important to call it a “web server” and not a “mail server.” CounterMail still uses hard drives to store your messages. It just doesn’t use hard drives on the servers that are actively handling connections over the internet.
Considering the emails are encrypted locally, this extra step seems a little unnecessary. Still, we’ll never fault an email service for extra security features, even if their relevance is unclear.
The more relevant feature is USB key support. In short, you can store a key file on any USB 2.0 or 3.0 storage device you own, so long as it’s formatted to FAT32. This 512-bit keyfile serves as a form of hardware two-factor authentication, where you’ll need your password and the key file to unlock your account.
CounterMail supports time-based SMS two-factor authentication, as well, though it doesn’t support the best 2FA apps.
Privacy
There isn’t much to talk about with privacy because, well, CounterMail doesn’t talk about it much. The privacy policy link in the footer of the website leads to a rather empty webpage, with only a few bullet points about what CounterMail does and, more importantly, doesn’t do to protect your privacy.
Outside of the fact that CounterMail doesn’t use cookies — something Tutanota also doesn’t do — the “privacy policy” is stock. No IP address logging, encrypted email at rest, no information inside the email header.
The only other unique point is that CounterMail uses diskless servers, which has some relevance for privacy, though as long as CounterMail isn’t logging anything, that’s more relevant for external attacks.
We can’t help but feel a little misled by this page, though. CounterMail only lists its strong points, none of its weak ones. For instance, it uses OpenPGP encryption, which, as laid out on the privacy page, is strong and open source. OpenPGP doesn’t encrypt subject lines, though, and there’s no mention of that.
Excessive legal jargon doesn’t do anyone any favors. However, properly written privacy policies can add clarification to otherwise vague topics (for instance, the fact that OpenPGP is secure but it doesn’t encrypt subject lines). CounterMail doesn’t seem like it’s being intentionally misleading. It’s just stacking the deck in its favor, which makes sense on a product page, but not in the privacy policy.
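To make the subject-line point concrete, here is an added example (not from CounterMail or from the original review) that parses an OpenPGP-encrypted email in the standard PGP/MIME layout (RFC 3156) and reports what anyone handling the message can read without the private key. It goes slightly beyond the subject line to show the other headers that stay in cleartext; the addresses, subject and ciphertext are constructed placeholders, and `relay_view` is a hypothetical helper name.

```python
from email import message_from_string
from email.policy import default

# Constructed sample: a PGP/MIME message as a relay sees it (placeholder data).
RAW_MESSAGE = """\
From: alice@example.org
To: bob@example.net
Subject: Q3 acquisition offer for Example Corp
Date: Mon, 06 Jan 2020 10:15:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="sample-boundary"

--sample-boundary
Content-Type: application/pgp-encrypted

Version: 1

--sample-boundary
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

PLACEHOLDERCIPHERTEXTNOTREALDATA
-----END PGP MESSAGE-----

--sample-boundary--
"""

# Headers that travel outside the OpenPGP-encrypted part.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date")


def relay_view(raw):
    """Return what a party without the private key can read from the message."""
    msg = message_from_string(raw, policy=default)
    is_pgp_mime = (
        msg.get_content_type() == "multipart/encrypted"
        and msg.get_param("protocol") == "application/pgp-encrypted"
    )
    # Every header present is readable as-is; only the body part is ciphertext.
    readable = {h: str(msg[h]) for h in METADATA_HEADERS if msg[h] is not None}
    opaque = [
        p.get_payload().strip() for p in msg.iter_parts()
        if is_pgp_mime and p.get_content_type() == "application/octet-stream"
    ]
    return {"pgp_mime": is_pgp_mime, "readable": readable, "opaque": opaque}


if __name__ == "__main__":
    print(relay_view(RAW_MESSAGE))
```

The practical takeaway is to keep sensitive details out of the subject line, since only the message body is protected.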
Just to drive this point home: there are more security and privacy features listed on the “services” page than there are on the privacy page.
The Verdict
If there were a free plan, we’d recommend CounterMail as a competent — if a bit clumsy to use — email service. There isn’t that option, though. It’s hard to justify spending any amount of money on the service in its dated state, much less for the price CounterMail asks. Put simply, other encrypted email services (like ProtonMail) do the same job better and for less money.
What do you think of CounterMail, though? Are you going to give the free trial a shot? Let us know in the comments below and, as always, thanks for reading.
CounterMail FAQ
- CounterMail is an encrypted email application that provides true end-to-end encryption with OpenPGP. It allows you to encrypt your messages before they leave your computer, protecting them as they transfer across the internet.
- CounterMail uses OpenPGP, which has been the standard for secure email providers for a while. Additionally, it offers protection from man-in-the-middle attacks, as well as USB authentication, making it one of the most secure email services around.