Runbox, email privacy, and the recent news

In the last few days we have seen an increase in inquiries about privacy and security, and particularly whether Runbox could be involved in programs similar to those outlined in the recent allegations about interception of communications data by law enforcement agencies.

As a Norwegian company and service, Runbox is protected by Norwegian law and privacy regulations because all our email servers are located in a secure facility in Oslo, Norway. No entity, domestic or foreign, can access email or files stored in our data center without a Norwegian court order.

You can read more about US, European, and Norwegian privacy regulations here: Email Privacy and Offshore Email

Email encryption

To protect data being transferred to and from the Runbox servers in Norway, it’s important to use encryption such as SSL (Secure Sockets Layer) which is available both in the Runbox Webmail and in email clients.

When using Webmail, make sure that the SSL padlock icon is visible in the browser’s address bar and that the domain’s identity is verified as

In email clients such as Outlook and Thunderbird, set up your Runbox account with SSL according to the instructions found on our IMAP help page.

Runbox plans to extend our encryption support in the near future to allow complete encryption of messages all the way from sender to recipient.


15 thoughts on “Runbox, email privacy, and the recent news”

  1. Guys, everything’s nice and all. We all think you’ve been doing a great job despite the current market conditions but, please, if you really want to be serious about security and confidentiality:

    1. Enable OTP access
    2. Come up with per-application passwords
    3. Login reports: users are only able to check access logs for webmail, not all the clients
    4. Disable non-SSL access alltogether
    5. Opensource as much as possible of your infrastructure, mostly the webapp which needs serious further development.

    These are suggestions from a loyal customer and I’m sorry if I voice these with too much emphasys but I would love to see you thrive with a better and better service.

    1. Thank you for the comments and suggestions — some of them are already on our list, and we’re also planning to add PGP encryption support in the near future.

  2. Thanks for the info regarding email servers location. Planning on moving to your mail service ASAP.

  3. I understand most of those items are already on your list, also because it’s not the first time I read that kind of answer.
    What I wonder about is the ETA to accomplish some (if not all) of them.

    Obviously you have many more things already on the pipeline but it’s pretty obvious that the service has been growing stale for a lot of time now, while no consistent development push seems to be coming from your part. Though, I really hope to be totally wrong on this.

    Perhaps having an open backlog would be a good solution: users might help you prioritize what to do, in clear development cycles.

    IMHO: PGP/GPG integration, while a good feature, should have a tight dependency on more urgent features, such as the the consolidation of the current codebase with great attention on security and confidentiality (about this, see the first comment).

    Again, please excuse me if I seem to be voicing this too loud.

  4. Over the past 1-2 years we’ve invested heavily in hardware, infrastructure, and security. This is and will continue to be our top priority, and you can read more about that here:

    We also recently launched Runbox 6, which is a major upgrade of the RMM codebase and sports a few new visible features such as message tagging and sub-account administration.

    Furthermore we’ve spent considerable time building a deployment system for RMM that will automatize the upgrade and deployment of program module dependencies. This will significantly improve our ability to implement new features.

    Besides privacy features such as PGP support, improved domain registration and calendaring are currently near the top of our list.

  5. From point of data security…..
    1. from client – to your server(s) the way is secure (ssl, tls ok)
    2. from your server to another is not, only if data is encrypted by the sender (pgp, etc.)
    3. don’t know how, but would be satisfying from our point of view if all your server(s) would have been fully encrypted

    The calendar is very important, I use it for everything, so I hope it will be accessible on mobiles too (please develop it not only for ioS and android, but WP8 too)

  6. 1. Correct, by using SSL or TLS in your web browser or email client, messages are encrypted on the way to the Runbox servers.
    2. If the recipient server supports it, Runbox will by default encrypt sent messages with TLS.
    3. As mentioned we are planning to implement PGP support, which implies end-to-end encryption.

    We will naturally follow established standards when implementing calendar functionality so that it will be accessible on as many types of devices as possible.

  7. I have a request as well, regarding IP addresses in headers. Several email providers either remove or use a generic IP address in message headers. This feature is a significant help for privacy enhancement. Are there plans to do this for runbox?

    I know that neomailbox, swissmail, jumpship services, countermail,, etc. are some companies that do that, even hushmail does. Thank you.

    1. When sending email with the Runbox 6 Webmail, your IP address is no longer included in the message headers.

  8. “2. If the recipient server supports it, Runbox will by default encrypt sent messages with TLS.”

    Yes, thats true and one of the main reasons why i host my domain here now 🙂

  9. I’m a U.S. citizen and ALL of my personal email will be done through Runbox. For anything highly sensitive, PGP will be used. I’ll never use another U.S. based email service again.

    1. We are evaluating this, but removing all client IP addresses will make Runbox much more vulnerable to blocking by other services in cases where spam is perceived to be sent from Runbox accounts.

  10. Any updates on stripping originating IP adresses from email clients?

    If sent by webmail, the originating IP is not shown

  11. We still prefer to include the client’s IP addresses in outgoing messages sent via SMTP, while the Webmail is much less prone to be used to send spam.

    The originating IP address of spam is likely to be blacklisted by other services, and Runbox’ own IP address is protected from being added to blacklists when the client’s IP address is included in outgoing messages.

Leave a Reply

Your email address will not be published.