forwardemail / forwardemail.net

Privacy-focused encrypted email for everyone. All-in-one alternative to Gmail + Mailchimp + Sendgrid.
https://forwardemail.net

[feat] Encrypted DNS records #80

Closed lholota closed 3 years ago

lholota commented 3 years ago

I have been using the free plan for quite a while and the only thing I would like to improve a bit is the fact that the configuration is exposed in the TXT records in plain text. I know the paid plan has a feature that fixes this, but there is another option:

Store the configuration in publicly exposed DNS records, but in an encrypted form. The DNS record could then look for example like this:

| Name/Host/Alias | TTL | Record Type | Value/Answer/Destination |
| --- | --- | --- | --- |
| @ or leave blank | 3600 | TXT | forward-email=enc: |

Option 1 - Symmetric algorithm

Given that the key for symmetric encryption must be kept secret, the encryption would have to be done by the site. The user would sign into their account in forwardemail.net, enter the desired value and the website would return an encrypted version of the value. User would then just copy-paste this value into their DNS configuration.

Option 2 - Asymmetric algorithm

In this case, the public key could be really publicly exposed and therefore the encryption could be done by the users manually, it can be done on users' machines, it could be used in automated scripts etc. Decryption of asymmetrically encrypted data is usually more complex though.

I know this means development of new functionality (e.g. encryption key storage), but it does not require additional storage which would grow with the number of users (you can just rotate the keys every couple of weeks/months and the keys can be shared) and it does not require additional network calls when processing a forwarded e-mail.

Another benefit of this feature is that DNS records for webhooks could then also contain a shared secret for signing the payload (like GitHub uses for their webhooks), which makes securing the webhook-consuming endpoint a lot simpler.

In case you decide to give this one a try, I am happy to assist.

shaunwarman commented 3 years ago

Thanks @lholota - This is a great idea! One issue I'm trying to think through is the need for cert expiration management and, alongside that, the ability to properly mitigate failed emails during a time when keys need to be rotated either on our side (invalidating the TXT record entry) or on the client side where the user needs to rotate their keys and update the TXT record.

levifig commented 3 years ago

Isn't this the whole point of the "Enhanced Protection" plan? You pay $3/mo for unlimited domains if you care for this level of privacy, which I feel is a fair price for a super flexible and powerful service like this… ¯\_(ツ)_/¯


securingmom commented 3 years ago

These projects create and manage asymmetric keys for users:

https://github.com/mailvelope/mailvelope https://github.com/autocrypt/autocrypt https://github.com/deltachat

levifig commented 3 years ago

@securingmom Like stated above, ForwardEmail seems to very clearly position itself as an open-source product, free as in speech, not as in beer. It offers a free (as in beer) plan, for simple use cases, and a paid one, that finances the service.

Most registrars and/or DNS providers have email forwarding services. Some free, some paid. If you need a free service, you can pick a registrar/DNS provider that offers that service. Same with WHOIS privacy: some registrars offer that "free of charge", some charge for it.

I'm honestly not sure why you downvoted my comment, which was a direct reply to this thread. Regardless, have a great day. 👍

niftylettuce commented 3 years ago

I will be supporting a legacy free version that's purely DNS based and also supporting a new version for free in the future that uses our alias manager.

titanism commented 3 months ago

Hi folks 👋 We now support encryption on TXT records for free! 🎉 🚀

As of https://github.com/forwardemail/forwardemail.net/issues/254#issuecomment-2253687505 (two weeks ago) we now allow you to encrypt records even on the free plan at no cost. Privacy should not be a feature, it should be inherently built-in to all aspects of a product. As highly requested in a Privacy Guides discussion and on our GitHub issues #254 and #251, we've added this!

Visit https://forwardemail.net/encrypt or click the "Encrypt Plaintext TXT Record" link in the nav/footer of any page on our site. We've also mentioned this tool in our FAQ as well.

Behind the scenes we encrypt your input with ChaCha20-Poly1305 and then convert it to a Base64 string.

Thank you for your patience, we've been hard at work! Our IMAP/POP3/CalDAV service is snappy now – and we're going to integrate iOS Mailbox IMAP Push support sometime soon too.

Here is a screenshot of the encrypt plaintext TXT page in action:

[Image: Screen Shot 2024-07-26 at 7 33 16 PM]
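The scheme named in the last comment (ChaCha20-Poly1305, then Base64), sketched as an added example that is not part of the thread and is not Forward Email's code. The record layout `base64(nonce || ciphertext || tag)`, the function names and the sample value are assumptions; the keyring lookup shows one way to address the key-rotation concern raised earlier in the thread, by keeping retired keys available for decryption.

```javascript
// Added illustration. Assumed layout: "forward-email=" + base64(nonce || ciphertext || tag).
const crypto = require("node:crypto");

const NONCE_LEN = 12; // 96-bit nonce (IETF ChaCha20-Poly1305)
const TAG_LEN = 16;   // 128-bit Poly1305 authentication tag
const PREFIX = "forward-email=";
const ALG = "chacha20-poly1305";

// Encrypt a plaintext TXT value under a 32-byte key held only by the service.
function encryptTxtValue(plaintext, key) {
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh per record; never reuse with one key
  const cipher = crypto.createCipheriv(ALG, key, nonce, { authTagLength: TAG_LEN });
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return PREFIX + Buffer.concat([nonce, ct, cipher.getAuthTag()]).toString("base64");
}

// Returns the plaintext, or null when the key is wrong or the record was altered.
function decryptTxtValue(record, key) {
  if (!record.startsWith(PREFIX)) return null;
  const blob = Buffer.from(record.slice(PREFIX.length), "base64");
  if (blob.length < NONCE_LEN + TAG_LEN) return null;
  const nonce = blob.subarray(0, NONCE_LEN);
  const ct = blob.subarray(NONCE_LEN, blob.length - TAG_LEN);
  const decipher = crypto.createDecipheriv(ALG, key, nonce, { authTagLength: TAG_LEN });
  decipher.setAuthTag(blob.subarray(blob.length - TAG_LEN));
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // AEAD tag check failed
  }
}

// Rotation: try the current key first, then retired keys, so records
// published before a rotation keep resolving until users re-encrypt them.
function decryptWithKeyring(record, keys) {
  for (const key of keys) {
    const value = decryptTxtValue(record, key);
    if (value !== null) return value;
  }
  return null;
}

// Constructed sample keys and value, for demonstration only.
const oldKey = crypto.randomBytes(32);
const newKey = crypto.randomBytes(32);
const published = encryptTxtValue("hello:user@example.com", oldKey);
console.log(published);
console.log(decryptWithKeyring(published, [newKey, oldKey]));
```

Because the tag covers the whole ciphertext, a record that has been edited or truncated in DNS decrypts to `null` rather than to a different forwarding address.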