Lessons Learned from Skiff’s Shutdown

Several months ago, I tested a new end-to-end encrypted (E2EE) email provider called Skiff. They had a great interface and promising product. I never promoted them, aside from a brief mention in the eBooks, because the service was too new. I had learned my own lesson from adopting CTemplar before it had matured, and I did not want to invest my digital life into Skiff until I could see how things developed. Recently, Skiff announced they had been sold to a documents workspace provider called Notion, and that all Skiff email addresses would be terminated in six months.

Fortunately, I had never used my test Skiff accounts for any communication or account creation. However, many people in this community adopted Skiff heavily and are now concerned about the inability to access these accounts in the near future. I want to present some ideas about email adoption, many of which I have already published in previous books, to serve as a reminder for personal email policy.

Password Manager: This is not just to generate and store passwords. You should also store any email address used within a service. When I place a username and password within my password manager, I always record any current or previous email addresses which I provided during signup, or changed after creation. This way, I can always search an email address or email domain to identify any accounts which could be at risk. When CTemplar shut down, I was able to quickly see the five accounts which possessed a CTemplar email address; sign into them and change the address; then not worry once CTemplar shut their doors.
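The domain search described under Password Manager, as an added example that is not from the original post: it scans a password manager CSV export for any current or previous address at a provider's domain. The column names, the domain `oldmail.example`, and the sample rows are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample export. The column names (name, url, username, notes) are
# an assumption; adjust them to match your password manager's CSV export.
SAMPLE_EXPORT = """name,url,username,notes
Bank,https://bank.example,me@mydomain.example,previous email: me@oldmail.example
Forum,https://forum.example,handle42,signup email: Forum.Me@OldMail.example
Shop,https://shop.example,me@othermail.example,
News,https://news.example,me@notoldmail.example,alias me@oldmail.example.invalid
Wiki,https://wiki.example,me@eu.oldmail.example,
"""

# Captures the domain part so it can be compared exactly, not by substring.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def accounts_using_domain(export_csv, domain):
    """Return sorted (entry name, address, field) tuples for every address
    at `domain` or one of its subdomains, in any column of the export."""
    domain = domain.lower().strip(".")
    hits = set()
    for row in csv.DictReader(io.StringIO(export_csv)):
        for field, value in row.items():
            if not isinstance(value, str):
                continue  # skip missing or overflow cells
            for match in EMAIL_RE.finditer(value):
                host = match.group(1).lower()
                # "notoldmail.example" and "oldmail.example.invalid" must not match.
                if host == domain or host.endswith("." + domain):
                    hits.add((row["name"], match.group(0).lower(), field))
    return sorted(hits)


if __name__ == "__main__":
    for name, address, field in accounts_using_domain(SAMPLE_EXPORT, "oldmail.example"):
        print(f"{name}: {address} (found in {field})")
```

An unencrypted export holds every credential in plain text, so run this on a trusted machine and securely delete the file afterward.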

Domains: I have always preached using your own domains for all vital email. Sure, we all have burners with various providers for all of the junk, but I would never use a Proton Mail, Tuta, or Fastmail domain for anything which is important to me, such as a financial institution or work communications. ANY service could shut down or kick you out tomorrow. When you use your own domain, you can easily forward it to another service within an hour.

Redundancy: If Andy gets tired of my weekly emails asking for a new feature at Proton Mail and suspends my account, I can forward my domains to Tuta within a few minutes to keep receiving email. If Hanna over at Tuta decides I am shady and suspends my account for review, I can switch those domains over to Proton Mail (Don't get any ideas you two). I maintain a paid package through Proton Mail, Tuta, and Fastmail at all times. I can store all of my domains at any of them whenever needed. While I doubt any of them are going away any time soon, I have redundancy. Both Proton Mail and Tuta offer secure E2EE, and both have proven their intent at longevity in this space. While I originally focused on Proton Mail due to high adoption within my circles, I now see many more Tuta addresses in my inbox, which encourages me to communicate directly with those people through one of my domains on Tuta.

Business: I see a lot of Skiff bashing online. People say they are sellouts, traitors, liars, etc. They are a business. Businesses pivot, get acquired, and sometimes go broke. We should never rely on a free service to provide us with a lifetime of communications. This is why we should focus on reputable and established paid services, own our own domains through a third-party provider which can be transferred when needed, and possess redundant services which are ready for our communications within an hour of bad news.

Skiff is shutting down. We should get over it. We should move on. We should find a better provider. If their closing forces us to adopt a better email protocol, then we should be thanking them.

Digital Guide Updates 2024.02.01

Today we have updated all five digital supplement guides. If you purchased any, please check your email for the download link(s). If you would like more information on these guides, please visit https://inteltechniques.com/books.html. The following provides details of each update:

OSINT Techniques-Leaks, Breaches, & Logs:
Page 81: Updated two commands to correct a file name and use sort instead of gsort.
Page 152: Updated paths within script for options 22-24 for functioning full-disk queries.
Page 157: Added a section about internal drive data storage.
Page 164: Added an option to export a SQLite database to CSV file.
Pages 170-171: Updated eBook price increase for new orders.
Updated DataTool and DataTool.sh scripts on the website to reflect changes.

Extreme Privacy-Mobile Devices:
Page 74: Eliminated line about Telnyx not having voicemail capabilities.
Page 77: Added new section about Telnyx voicemail configuration.
Pages 78 & 147: Added new VoIP.ms signup code with less scrutiny on new accounts.
Page 80: Added new section about VoIP.ms voicemail configuration.
Page 81: Added URLs for VoIP.ms sanitization.
Page 82: Added new warning about MySudo purchases.
Pages 158-159: Updated eBook price increase for new orders.

Extreme Privacy-macOS Devices:
Page 60: Added clarification about encrypted DNS within macOS.
Pages 79-83: Replaced the Twilio sanitization options and script for better stability.
Page 84: Eliminated line about Telnyx not having voicemail capabilities.
Page 86: Added new section about Telnyx voicemail configuration.
Page 87: Added new VoIP.ms signup code with less scrutiny on new accounts.
Page 88: Added new section about VoIP.ms voicemail configuration.
Page 90: Added new section about VoIP.ms API access.
Page 101: Added a new section about UTM Network Connectivity.
Page 109: Corrected Documents path in script.
Pages 116-117: Updated eBook price increase for new orders.

Extreme Privacy-Linux Devices:
Page 18: Added command to remove dark theme background.
Pages 69-74: Added a Twilio access and sanitization script.
Page 75: Eliminated line about Telnyx not having voicemail capabilities.
Page 77: Added new section about Telnyx voicemail configuration.
Page 78: Added new VoIP.ms signup code with less scrutiny on new accounts.
Page 80: Added new section about VoIP.ms voicemail configuration.
Page 81: Added new section about VoIP.ms API access.
Pages 112-113: Updated eBook price increase for new orders.

Extreme Privacy-VPNs and Firewalls:
Page 20: Added further clarification about PIA's dedicated IP usage.
Page 24: Added brief warning about self-hosted VPN service.
Pages 94-95: Updated eBook price increase for new orders.

Digital Guide Updates

To help ring in the new year, we have updated all five digital guides. If you purchased any, please check your email for the download link(s). If you would like more information on these guides, please visit https://inteltechniques.com/books.html. The following provides details of each update:

OSINT Techniques-Leaks, Breaches, & Logs (2024.01.01):
Page 6: Provided a new email address for reporting broken techniques.
Page 82: Added a new section about telephone number leaks.
Page 83: Added a new section about Facebook telephone number leaks.
Page 84: Added a new section about Instagram telephone number leaks.
Page 85: Removed Verifications.io reference due to dead links (to be replaced soon).
Page 106: Added Rename installation command for Linux.
Pages 108-109: Added new online breach search resources.
Page 126: Updated stealer log commands to extract additional password files.
Page 133: Reorganized Telegram channel information, added new rooms, and added search query.
Page 140: Added alternative ransomware monitoring option.
Pages 161-164: Added a new section for creating SQLite databases.
Pages 171-172: Added new pages summarizing all digital books content.
Entire Guide: Corrected minor typos and grammar.

Extreme Privacy-Mobile Devices (2024.01.01):
Page 6: Provided a new email address for reporting broken techniques.
Pages 25-26: Added section about Vanadium's custom search options.
Page 49: Applied very minor update to the Mint Mobile data plan.
Pages 79 & 146: Slight clarification on Acrobits software requirements.
Pages 157-158: Added new pages summarizing all digital books content.
Entire Guide: Corrected minor typos and grammar.

Extreme Privacy-macOS Devices (2024.01.01):
Page 6: Provided a new email address for reporting broken techniques.
Page 106: Added commands to the Homebrew uninstall script to clean up data.
Pages 114-115: Added new pages summarizing all digital books content.
Entire Guide: Corrected minor typos and grammar.

Extreme Privacy-Linux Devices (2024.01.01):
Page 6: Provided a new email address for reporting broken techniques.
Pages 105-106: Added new pages summarizing all digital books content.
Entire Guide: Corrected minor typos and grammar.

Extreme Privacy-VPNs and Firewalls (2024.01.01):
Page 6: Provided a new email address for reporting broken techniques.
Pages 93-94: Added new pages summarizing all digital books content.
Entire Guide: Corrected minor typos and grammar.

All Digital Guides Now Available as Gifts

After releasing our latest digital guide, we have now made all seven of our eBooks available as gifts. Whether you purchase one or all PDF guides, you now have an option at checkout to gift the purchase to someone else. You can even choose the date when they will receive the files. Click the purchase links within any of our guides to send a gift this season.

OSINT Techniques: 10th Edition
OSINT Techniques: Leaks, Breaches, & Logs
Extreme Privacy: 4th Edition
Extreme Privacy: Mobile Devices
Extreme Privacy: macOS Devices
Extreme Privacy: Linux Devices
Extreme Privacy: VPNs & Firewalls

Login Notification Benefits

Hopefully, we are all using secure unique passwords and proper two-factor authentication (2FA) on every account which supports it. This alone will stop most online attacks. However, I believe login notifications are just as important. Unfortunately, many services do not provide this feature, which I hope changes soon. A login notification gives you a warning that someone (possibly you) has accessed one of your online accounts. A great example of this is Standard Notes. Any time I log into my account from a new device or browser, I receive the following alert.

This is vital to me since I use Standard Notes as my primary 2FA token solution. Some may view this notification upon every new login to be an annoyance. I find it reassuring. If someone is able to access my account via credentials and 2FA, I have a big problem. I have comfort knowing that Standard Notes will alert me if this happens, even if that means a false alert when I access my own account. You may already have this feature enabled, but this can be confirmed in the following setting.

Make sure the mute option is disabled to receive alerts. This behavior is on by default with secure messaging service Wire. Upon every login, I receive the following.

Again, if someone successfully accesses my account I receive a notice. Some financial institutions provide similar services, but there can be settings which block the notification. With one financial institution, notifications are blocked throughout the night by default. I assume this is to prevent waking you up, but it offers an open schedule to criminals. The following default settings should be changed to "Send messages any time".

Proton offers this service, but in a different way. You must have the mobile app installed on a device to receive the notification. Upon successful login, a system notification from Proton is presented on your mobile device, which opens a browser to display a website with generic details.

If you host a website, you should enable notifications on the host account page and within cPanel. After configuring the following menu in the "Contacts" setting, you will begin receiving new notifications via email of every login, FTP access, etc.

Knowing the IP address of the access is great. I wish all services offered this feature. The following is my email notification during testing.

Proton offers the ability to capture the IP address of every login, but I do not enable the feature. I only enable "authentication logs" without "advanced logs", as seen below. I do not want Proton storing my access IP addresses, even if they are encrypted. Besides, anyone who successfully accessed my account would be using a VPN anyway.

Throughout a typical day, I receive many of these alerts since I wipe my stored logins every night. I am never annoyed. I wish more services offered a similar feature. Receiving false alerts due to my own actions is justified. If a notification arrives without my action, I know I have a problem. The absence of alerts gives me comfort as I know those accounts are currently safe. Please consider researching your own accounts to see what options are available. Make sure your settings are optimal, and check them again every few months. When you find a high-risk account which does not offer any login notification option, let the service provider know you want it. If enough of us demand change, we just might get it.