How I set up private email hosting for my family

Here's how I actually set up my own private email hosting—sanger.io! I already finished choosing a private email hosting provider. So what was the next step?

I still had to choose a plan with my chosen provider (InMotion Hosting, which didn't pay me anything for this) and make it official. The details are uninteresting; anybody could do that part.

Now the hard work (such as it was) began. I...

(1) Read over the domain host's getting-started guide for email. InMotion's is here, and if you have a different host, they're bound to have some instructions as well. If you get confused, their excellent customer service department can hold your hand a lot.

(2) Created a sanger.io email address, since that's what they said to do first. In case you want to email me, my username is 'larry'. (Noice and simple, ey?) InMotion let me create an email address, and I was rather confused about how this could possibly work since I hadn't pointed any DNS, hosted by NameCheap, to InMotion.

(3) Chose one of the domain hosts's web app options. For a webmail app (InMotion gave me a choice of three), I went with Horde, which is, not surprisingly, a little bit clunky compared to Gmail, but so far not worse than ZohoMail; we'll see. Unsurprisingly, when I tried to send an email from my old gmail account to my new @sanger.io account, the latter didn't receive it. Definitely need to do some DNS work first...

(4) Pointed my domain name to the right mail server. In technical jargon, I created an MX record on my DNS host. This was surprisingly simple. I just created an MXE Record on NameCheap, my DNS host for sanger.io, and pointed it to an IP address I found on InMotion. So basically, I just found the right place to paste in the IP address, and it was done. Now I can send and receive email via sanger.io (at least via webmail).

(5) Created email addresses for my other family members. Very easy.

(6) Installed a desktop email client. Why? I wasn't using one before because I just used Gmail in a browser and Apple's mail app on my phone. I could keep using webmail (on InMotion) but a desktop client is apt to be nicer. I'd tell you which one I used, but I'm not confident it's particularly good.

(7) Installed a new email client for my phone. As I no longer trust or want to support Apple if I can at all help it, I wanted to stop using their email client. I paid $10 for a privacy-touting mail client which is quite good so far: Canary Mail.

(8) Change the mail address registered with the big, consequential apps and services. This is the most labor-intensive step, and the step I most dreaded. Sure, it was a pain. But it turns out it was tremendously satisfying to be able to tell them to stop using my wretched Gmail address and instead to start using my slick new permanent and personalized address. Was that fun? Heck yeah it was! Anyway, such apps and services include

  • The massive Internet and tech services: Google, Microsoft, Apple.
  • The big social media/community accounts: Facebook, Twitter, YouTube, Quora, Medium, LinkedIn.
  • Companies I pay money to: Amazon, Netflix, PayPal, Patreon, InMotion, GoDaddy, NameCheap, Heroku, LifeLock, The Great Courses, any other bills.
  • Important stuff: my employer, the bank, medical info systems/apps, dentist, Coinbase.
  • Family, friends, and work and business people. Send them the message three times spread over a month or two, because if they're like me, they ignore such emails or don't act on them right away, and some old aunt of mine will keep sending mail to my gmail address for years and years. (I haven't actually done this one yet, but will soon. Gmail makes exporting of all your relevant contact info surprisingly difficult.)

(9) Create a Gmail forwarder! Buh-bye, Google! No need even to visit your crappy, biased, would-be totalitarian service for email any longer.

(10) Clean up and consolidation. There are a zillion little consequences when you change your email on all these big services, and I expect I'll be dealing with the consequences (nothing major!) for a few days or weeks to come. Among the things I know I'll have to do: (a) Install and configure mail clients on my laptop and iPad, and in other ways get those other devices working as expected again. (b) Update various email clients with address book information, as needed. (c) Actually collect my contacts from Google and Apple (harder than it sounds). (d) Change entries in my password manager from @gmail.com to @sanger.io. (e) Actually, get a new password manager...but that's a whole nuther thang. (f) Get Microsoft and Google and whatever else to forget my contacts...ditto.

This was installment three in my series on how I'm locking down my cyber-life.


How I chose an email hosting service to replace Gmail

I want to lock down my cyber-life. One basic constraint is that I want to replace Gmail, and when I do so, I never want to change my email address again. My biggest concern is that I never again want to be beholden to any major Internet corporation that has shown its contempt for privacy and censorship concerns. But if I can get "the last email address I'll ever need" while I'm at it, all the better.

The natural solution is to own my own domain name and seek out email hosting. This is not as difficult as it might sound, but it isn’t as easy as registering a new Google account. But then, that is exactly what Google is counting on: your laziness.

My new address will live at the newly-registered sanger.io domain. I and my family members can have unique and easy to remember email addresses for all the rest of our lives. After purchasing sanger.io (from NameCheap), I listed a number of features I knew I wanted: reasonable price, unlimited (or more than I could reasonably need) email storage space, IMAP support, a webmail app built in to the hosting provider (or else software that they make it easy for me to install on my new domain), and finally, enough email addresses for my purposes.

I ended up weeding out a fair few on grounds that they were too expensive (e.g., ProtonMail) or didn't offer enough storage space or accounts (e.g., NameCheap). I also weeded many out because their Alexa rankings were above 10,000, and while that isn't a total deal-breaker, I didn't want my email host to quit on me, which would be a pain.


Private email hosting comparison (Jan. 2019)

 PriceSpace limitIMAP supportWebmail app# of addressesWeb Hosting Geeks.com ratingIncludes web hosting
BlueHost Plus$5.95/moUnlimitedYesYesUnlimited2.5Yes
InMotion Hosting$6.39/moUnlimitedYesYesUnlimited4.5Yes
Rackspace Email$2/user/mo (so for me, $6/mo)25GB/ accountYesYes1/$2 accountnot reviewedNo
Zoho$3/user/mo (so for me, $9/mo)30GB/ accountYesYes1/$3 accountnot reviewedNo

I also discovered that some competitive email hosting (in the case of BlueHost and InMotionHosting) comes packaged with shared web hosting, which would be handy. I mean, then I could finally ditch GoDaddy, which I've used since time immemorial. (I dislike their upselling and bait-and-switch tactics, and detest their clunky user interface.)

I use Zoho Mail for work, and it's quite decent, but it costs half again as much and doesn't bundle shared web hosting. RackSpace email hosting seems high-quality, but it fails by comparison with BlueHost and InMotionHosting, in that those two offer unlimited email addresses and unlimited email storage space. And between the latter two, InMotionHosting seems to be the better reviewed by WebHostingGeeks.com and in other reviews. Besides, it supports Ruby; I could host my Rails projects there.

I looked at a number of other reviews of InMotionHosting, and it does indeed look good. It also has spam protection (which I didn't think to check on at first), lots of PostgreSQL databases if I want them, and free website data migration from GoDaddy.

I understand that this is not a route that most people will take. Paying for email seems unnecessary, many people would say. And certainly most people don't need their own domain name for email, they think. But just imagine: you can have the same, perfectly appropriate email address for the rest of your life. And you no longer have to feel beholden to the privacy practices of an Internet giant like Google.

Look, you don't have to be an uber-geek to do this. If you can't do it yourself, and you can get a geeky friend to set this up for you—it's not that expensive, and then you'd have your own address forever.

And you'd no longer have to support the growing monster that is Google. Gmail is admittedly a pretty awesome web app, but frankly I find I haven't missed it much when using ZohoMail for work, and I don't even use the Google email client on my phone. So the slightly slicker quality of the Gmail web app really doesn't make that much difference after all.

Next: how I set up my new private email hosting.

This was the second installment in my report about how I'm locking down my cyber-life.


How I'm locking down my cyber-life

Drafted Jan. 4, 2019; updated occasionally since then; most recently updated May 11, 2019

Three problems of computer technology

My 2019 New Year's resolution (along with getting into shape, of course) is to lock down my cyber-life. This is for three reasons.

First, threats to Internet security of all sorts have evolved beyond the reckoning of most of us, and if you have been paying attention, you wonder what you should really be doing in response. My phone was recently hacked and my Google password reset. The threats can come from criminals, ideological foes and people with a vendetta or a mission (of whatever sort), foreign powers, and—of special concern for some of us—the ubiquitous, massively intrusive ministrations of the tech giants.

Second, the Silicon Valley behemoths have decided to move beyond mere moderation for objectively abusive behavior and shutting down (really obvious) terrorist organizations, to start engaging in viewpoint censorship of conservatives and libertarians. As a free speech libertarian who has lived online for much of my life since 1994, these developments are deeply concerning. The culprits include the so-called FAANG companies (Facebook, Apple, Amazon, Netflix, Google), but to that list we must add YouTube, Twitter, and Microsoft. Many of us have been saying that we must take ourselves out of the hands of these networks—but exactly how to do so is evidently difficult. Still, I'm motivated to try.

A third reason is that the same Big Tech corporations, with perhaps Facebook and Google being the worst offenders, have been selling our privacy. This is not only deeply offensive and something I refuse to participate in, it again puts my and my family's safety at risk, creating new "attack surfaces" (to use the information security jargon) that corporations must protect on our behalf. They may not do a good job of that. Similarly, governments have taken it upon themselves to monitor us systematically—for our safety, of course. But if you're like me, this again will make you feel less safe, not more, because we don't know what bad actors are at work in otherwise decent governments, we don't know what more corrupt governments might do with the information when we travel abroad, and we don't know the future shape of our own governments.

At the root of all problems is simply that the fantastic efficiency and simplicity of computer technology has been enabled via our participation in networks (especially cloud networks) and agreement to user agreements offered by massively rich and powerful corporations. Naturally, because what they offer is so valuable and because it is offered at reasonable prices (often, free), they can demand a great deal of information and control in exchange. This dynamic has led to us (most of us) shipping them boatloads of our data. That's a honeypot for criminals, authoritarians, and marketers, as I've explained in more depth.

The only thing we can do about this systematic monitoring and control is to stop letting the tech giants do it to us. That's why I want to kick them out of my life.

The threats to our information security and privacy undermine some basic principles of the decentralized Internet that blossomed in the 90s and boomed in the 00s. The Establishment has taken over what was once a centerless, mostly privacy-respecting phenomenon of civil society, transforming it into something centralized, invasive, risky, and controlling. What was once the technology of personal autonomy has enabled—as never before—cybercrime, collectivization, mob rule, and censorship.

A plan

Perhaps some regulation is order. But I don't propose to try to lead a political fight. I just want to know what can do personally to mitigate my own risks. I don't want to take the easy or even the slightly-difficult route to securing my privacy; I want to be hardcore, if not extreme.

I'm not sure of the complete list of things that I ought to do (I want to re-read Kevin Mitnick's excellent book The Art of Invisibility for more ideas), but since I started working on this privacy-protection project in January of 2019, I have collected many ideas and acted on almost all of them as of the current edition. I will examine some of these in more depth (in other blog posts, perhaps) before I take action, but others I have already implemented.

  1. Stop using Chrome. (Done.) Google collects massive amounts of information from us via their browser. The good news is that you don't have to use it, if you're among the 62% of people who do. I've been using Firefox; but I haven't been happy about that. The Mozilla organization, which manages the browser, is evidently dominated by the Silicon Valley left; they forced out Brendan Eich, one of the creators of Firefox and the JavaScript programming language, for his political views. Frankly, I don't trust them. I've switched to Eich's newer, privacy-focused browser, Brave. I've had a much better experience using it lately than I had when I first tried it a year or two ago and when it was still on the bleeding edge. Brave automatically blocks ads, trackers, third-party cookies, encrypts your connections—and, unlike Google, they don't have a profile about you (well, it never leaves your machine; the Brave company doesn't have access to it). As a browser, it's quite good and a pleasure to use. It also pays you in crypto for using it. There might be a few rare issues (maybe connected with JavaScript), but when I suspect there's a problem with the browser, I try whatever I'm trying to do in a locked-down version of Firefox, which is now my fallback. There's absolutely no need to use Chrome for anything but testing, and that's only if you're in Web development. By the way, the Brave iOS app is really nice, too.
  2. Stop using Google Search. (Done; needs more research though.) I understand that sometimes, getting the right answer requires that you use Google, because it does, generally, give the best search results. But I get surprisingly good results from DuckDuckGo (DDG), which I've been using for quite a while now. Like Brave and unlike Google, DDG doesn't track you and respects your privacy. You're not the product. It is easy to go to your browser's Settings page and switch. Here's a trick I've learned, for when DDG's results are disappointing (maybe 10% of the time for me): I use another private search StartPage (formerly Ixquick), which reportedly is based on Google search results, but I see differences on some searches, so it's not just a private front end for Google. You might prefer StartPage over DDG, but on balance I still prefer DDG. Still, I should research the differences some more, perhaps.
  3. Start using (better) password management software. Don't let your browser store your passwords. And never use another social login again. (Done.) You need to practice good "password hygiene." If you're one of those people who uses the same password for everything, especially if it's a simple password, you're a fool and you need to stop. But if you're going to maintain a zillion different strong passwords for a zillion different sites, how? Password management software. For many years I used the free, open source KeePass, which is secure and it works, but it doesn't integrate well with browsers, or let me save my password date securely in the cloud (or maybe better, on the blockchain). So I'm got a better password manager and set it up on all my devices. I switched to EnPass. This is essential to locking down my cyber-life. Along these lines, there are a couple of other things you should do, and which I did: set my browsers to stop tracking my passwords, and never let them save another one of my passwords. (But be aware that your ability to log in to a site is more secure if a site ue a cookie, called a token, to do so; that doesn't include a plain-text stored password. When a website asks me if I want to log in automatically, with checkbox in the login form, I say yes; but when a browser asks if I want it to remember my password, the answer is always no. Finally, one of the ways Facebook, LinkedIn, et al. insinuate themselves into our cyber-lives is by giving us an easy way to log in to other sites. But that makes it easier for them to track us everywhere. Well, if you install a decent password manager, then you don't have to depend on social login services (based on the OAuth standard). Just skip them and use the omnipresent "log in with email" option every time. (I haven't encountered a website that absolutely requires social media logins yet.) Your password manager will make it about as easy to log in as social media services did.
  4. Stop using gmail. (Done.) This was harder, and figuring out and executing the logistics of it was a chore—it involved changing all the accounts, especially the important accounts, that use my gmail address. I had wanted to do this for a while, but the sheer number of hours it was going to take to make the necessary changes was daunting (and I was right: it did take a quite a few hours altogether). But I was totally committed to taking this step, so I did. Another reason is that I figured that I could get a single email address for the rest of my life. So my new email address resides at sanger.io, a domain (with personalized email addresses) that my family will be able to use potentially for generations to come. Here's how I chose an email hosting service to replace Gmail. And here's how I set up private email hosting for my family.
  5. Stop using iCloud to sync your iPhone data with your desktop and laptop data; replace it with wi-fi sync. (Done.) If you must use a smartphone, and if (like mine) it's an iPhone, then at least stop putting all your precious data on Apple servers, i.e., on iCloud. It's very easy to get started. After you do that, you can go tell iTunes to sync your contacts, calendars, and other information via wi-fi; here's how. And I'm sorry to break it to you, but Apple really ain't all that. By the way, a few months after writing the above, I looked more carefully at the settings area of my iPhone for data stored in iCloud; it turns out I had to delete each category of data one at a time, and I hadn't done that yet. They don't make it easy to turn off completely, but I think I have now.
  6. Subscribe to a VPN. (Done.) This sounds highly difficult and technical on first glance, maybe, but in fact it's one of the easiest things you can do. I set mine up in minutes; the thing that took a few hours was researching which one to get. But why a VPN? Well, websites can still get quite a bit of info about you from your IP address and your ISP (or governments that request the data) can listen in on any data that happens to be unencrypted via your web connection. VPNs solve those problems by making your connection to the Internet anonymous. One problem with VPNs is that they slightly slow down your Internet connection; in my experience so far, it's rarely enough to make a diference. They also add a little new complexity to your life, and it is possible that the VPN companies are misrepresenting what they do with your data (some of the claims of some VPNs have been tested, though). But it's a great step to take if you're serious about privacy, if you don't mind the slight hit to your connection speed. A nice fallback is the built-in private windows in Brave that are run on the Tor network, which operates on a somewhat similar principle to VPNs.
  7. Get identity theft protection. (Done.) After my phone was hacked, I finally did something I've been meaning to do for a long time—subscribe to an identity theft protection service. The one I use is LifeLock, and so far it seems to be quite good. If you don't know or care about identity theft, that's probably because you've never seen weird charges pop up on your card, or had your card frozen by your bank, or whatever. LifeLock doesn't prevent these issues by itself, but it does make it a lot easier to deal with them if they happen.
  8. Switch to Linux. (Done.) I used a Linux (Ubuntu) virtual machine for programming for a while. Linux is stable and usable for most purposes. It still has very minor usability issues for beginners. If you're up to speed, in which case, it's simply better than Windows or Mac, period, in almost every way. On balance the "beginner" issues aren't nearly as severe as those associated with using products by Microsoft and Apple. I've put Ubuntu on a partition on my workstation, and switched to that as my main work environment. I also gave away my Mac laptop and got a new laptop, on which I did a clean install, also of Ubuntu. Linux is generally more secure, gives the user more control, and most importantly does not have a giant multinational corporation behind it that wants to take and sell your information. Read more about how I switched to Ubuntu on my desktop and also my laptop.
  9. Quit social media, or at least nail down a sensible social media use policy. (Done.) I'm extremely ambivalent about my ongoing use of social media. I took a break for over a month (which was nice), but I decided that it is too important for my career to be plugged in to the most common networks. If I'm going to use them, I feel like I need to create a set of rules for myself to follow—so I don't get sucked back in. I also want to reconsider how I might use alternative social networks, like Gab (which has problems), and social media tools that make it easy both to post and to keep an easily-accessible archive of my posts. One of my biggest problems with all social media networks is that they make it extremely difficult to download and control your own friggin' data—how dare they. Well, there are tools to take care of that... Anyway, you can read more about how I settled on a social media use policy.
  10. Stop using public cloud storage. (Done.) "Now," you're going to tell me, "you're getting unreasonable. This is out of hand. Not back up to Dropbox, iCloud, Google Drive, Box, or OneDrive? Not have the convenience of having the same files on all my machines equally available? Are you crazy?" I'm not crazy. You might not realize what is now possible without the big "public cloud" services. If you're serious about this privacy stuff and you really don't trust Big Tech anymore—I sure don't—then yeah. This is necessary too. One option is Resilio Sync, moving files between your devices via deeply encrypted networks (via a modified version of the BitTorrent protocol), with the files never landing anywhere but on your devices. Another option is to use a NAS (network attached storage device), which is basically your very own always-on cloud server that only you can access, but you can access it from anywhere via an encrypted Internet connection. There are also open source Dropbox competitors that do use the cloud (the term to search for is "zero-knowledge encryption"), but which are arguably more secure; at any rate, you're in control of them. Yet another option is to run a cloud server from your desktop (if it's always on), using something like NextCloud. At first, I decided to go with Resilio Sync. Then I changed my mind, because it was a pain to be able to sync only when both devices are on, so I took the plunge and got a NAS after all. It took quite a while both to deliberate on what type of solution to go with (after Resilio), and to choose a specific NAS. It took quite a few hours altogether, but it turns out to be so useful. If you want to consider this more, check out my explanation of why they're such a good idea.
  11. Nail down a backup plan. (Done.) If you're going to avoid using so much centralized and cloud software, you've got to think not just about security but about backing up your data. I used to use a monster of a backup drive, but I wasn't even doing regularly-scheduled backups. In the end what I did was, again, to install a NAS. This provides storage space, making a complete backup of everything on my desktop (and a subset of files I put on laptop) and on the other computers in the house (that need backing up; perhaps not all of them do). It also keeps files instantly backed up a la Dropbox (see next item). But even this isn't good enough. If you really want protection against fire and theft, you must have an off-site backup. For that, I decided to bite the bullet and go with a relatively simple zero-knowledge encryption service, iDrive, that works nicely with my NAS system. It simply backs up the whole NAS. It bothers me that their software isn't open source (so I have to trust them that the code really does use zero-knowledge encryption), but I'm not sure what other reasonable solution I have, if I want off-site backup.
  12. Take control of my contact and friend lists. (Partly done.) I've been giving Google, Apple, and Microsoft too much authority to manage my contacts for me, and I've shared my Facebook and other friends lists too much. I'm not sure I want these contacts knowing my contacts and friends, period; the convenience and value I got out of sharing those lists was of very limited value to me, but evidently of great value to Big Tech. I don't know what they're doing with the information, or who they're sharing it with, really. Besides, if my friends play fast and loose with privacy settings, my privacy can suffer—and vice-versa. So I'm going to start maintaining my own contacts, thanks very much, and delete the lists I've given to Google and Microsoft. I'm glad I've already stopped putting this information on iCloud. The next step I need to do at present writing is to start using my NAS' built-in contacts server, which makes it possible to sync contact info across your devices using your own personal server. Then I'll permanently delete contact data from all corporate servers (as much as they generously let me do so).
  13. Stop using Google Calendar. (Done.) I just don't trust Google with this information, and frankly, Gcal isn't all that. I mean, it's OK. But they are clearly reading your calendar (using software, that is; that means the calendar data isn't encrypted on their servers, as it should be). So after I got my own NAS server, I was able to install a calendar server that could be accessed and synced from all of my devices. I had to transfer my data from Gcal to the server, which wasn't very hard. The hardest part was that I had to teach a colleague how to make appointments for me using the new system. Here are my notes on how I made the change.
  14. Study and make use of website/service/device privacy options. (In progress.) Google, Apple, Facebook, Twitter, YouTube, etc., all have privacy policies and options available to the user. It is time to study and regularly review them, and put shields up to maximum. Of course, it's better if I can switch to services that don't pose privacy threats; that's generally been my solution, but I have looked at quite a few privacy options and read privacy policies in order to do my due diligence about how my information is being used.
  15. Also study the privacy of other categories of data. Banking data, health data, travel data (via Google, Apple, Uber, Yelp, etc.), shopping data (Amazon, etc.)—it all has unique vulnerabilities that is important to be aware of. I'm not sure I've done all I can to lock it down. So I want to do that, even if (as seems very probably) I can't lock it all down satisfactorily, yet.
  16. Figure out how to change my passwords regularly, maybe. (Not started.) I might want to make a list of all my important passwords and change them quarterly everywhere, as a sort of cyber-hygiene. Why don't we make a practice of this? Because it's a pain in the ass and most people don't know how to use password management software, that's why. Besides, security experts actually discourage regular password changing, but that's mainly because most people are bad at making and tracking secure passwords. Well, if you use password managers, that part isn't so hard. But it's also because we really don't have a realistic plan to do it; maybe the main thing to do is to regularly change a few important passwords every so often, not all of them. I'll figure that out.
  17. Consider using PGP, the old encryption protocol (or an updated version, like GNU Privacy Guard) with work colleagues and family who are into it. (Not started.) Think about this: when your email makes the transit from your device to its recipient's device, it passes through quite a few other machines. Hackers have ways of viewing your mail at different points on its journey. Theoretically, they could even change it, and you (and its recipient) would be none the wiser. Now, don't freak out, and don't get me wrong; I'm not saying email (assuming the servers in between you and your recipients use the standard TLS, or Transport Layer Security, protocol) isn't perfectly useful for everyday purposes. But if you're doing anything reallyimportant and sensitive, either don't use email or use a higher encryption standard, because basic email is insecure. Now, I'm aware that some think PGP is outmoded or too complex (that's why I never got into it, to be honest), but the general idea of encrypting your email more strongly isn't going out of style, and improvements on the PGP protocol are still actively maintained. Still, when information security might matter quite a bit, then it might be easier to do what I'm doing now with my boys: using a chat tool with end-to-end encryption built in.
  18. Moar privacy thangs. Look into various other things one can do to lock down privacy. Consider the new Purism Librem 5 phone. Look into a physical security key for laptop and desktop. Encrypt my hard drives. Encrypt the drives on the NAS. Etc., etc.

What have I left out?

Are you going to join me in this push toward greater privacy and autonomy? Let me know—or, of course, you can keep it to yourself.