TRUSTED B L2 · discreet
Mailfence

Belgian OpenPGP email with calendar, contacts and document storage, run by ContactOffice since 1999

BTC CARD

Mailfence has run on Belgian privacy law since 1999 — but encryption stays opt-in, and the dashboard shows its age.

A twenty-five-year-old Belgian email suite with OpenPGP support and the operational habits of an enterprise vendor.

Jurisdiction: Belgium
Operating since: 1999
Category: Email & Aliases
Rubric: v2.7

How it works

Mailfence runs as a hosted webmail and productivity suite from Belgian operator ContactOffice Group SA. New users register a @mailfence.com address with a password and an external recovery email; phone numbers and government ID are never requested. Servers sit in Belgium, behind the country's privacy statute and GDPR. Beyond the inbox, the same account exposes a calendar, contacts manager and a 500 MB document store, plus POP3S, IMAP and SMTP for desktop clients and ActiveSync for mobile sync. OpenPGP is built into the webmail keystore, with the option to import existing keys or generate new ones server-side. Where Proton Mail and Tuta apply zero-access encryption to every message by default, Mailfence treats end-to-end encryption as a deliberate per-message choice — convenient for plain-text exchange with the rest of the internet, less protective when users forget to flip the switch.

KYC & privacy

There is no KYC. Account creation needs a username, a password, an external recovery email and an acknowledgement that the user is at least sixteen — a GDPR requirement. Mailfence blocks known disposable-email domains, and the operator says it can throttle registrations by IP or country during abuse spikes. The privacy policy is unusually candid: it lists IP addresses, message IDs, sender and recipient addresses, subjects, browser versions and timestamps as data the service collects, with mail and document backups retained for forty-five days. The company publishes a transparency report every six months alongside a warrant canary. The H1 2025 disclosure recorded seven user-identification requests, one of them honoured under a valid Belgian court order. Belgian law has no equivalent of US National Security Letters, so the canary is genuinely informative rather than ornamental.

Strengths and limits

The headline strength is jurisdictional posture and longevity. Twenty-six years of clean operation under Belgian law, half-yearly transparency reporting, and OpenPGP support that interoperates with any standard PGP client — Thunderbird, K-9 Mail, GnuPG on the command line — give Mailfence a clarity that many newer rivals lack. Bitcoin and Litecoin are accepted for paid plans, which keeps the payment trail thin. The limits are real, however. The codebase is closed-source, and there is no published audit from a named security firm; the operator only says the code is open to scrutiny by recognised experts, which is not the same thing. Encryption being opt-in rather than default means the threat model is closer to a careful provider than to a zero-knowledge mailbox. The webmail still carries a late-2000s look, and small modern conveniences such as scheduled send are missing. IP logging without a stated retention window is the policy item most reviewers flag.

Verdict

Mailfence is a competent, long-running, Belgian-law-bound email and productivity suite for users who want OpenPGP interoperability and a transparent operator — not for users who want default zero-access encryption or an open-source stack. Trust comes from the track record and the disclosure cadence; the privacy ceiling is set by the opt-in encryption model. Grade: B (7.3/10). Trust: TRUSTED.

verdict.mailfence.diff +5 pros −4 cons
what works
+ 01 Twenty-six years of clean operation under Belgian privacy law and GDPR
+ 02 OpenPGP built in and interoperable with Thunderbird, K-9 Mail and other PGP clients
+ 03 Half-yearly transparency reports with warrant canary; one disclosure in H1 2025
+ 04 Calendar, contacts and 500 MB document store bundled with the inbox
+ 05 Bitcoin and Litecoin accepted for paid plans
what to know
01 Encryption is opt-in per message; plaintext mail to non-PGP recipients leaves the server
02 Webmail interface dates to the late 2000s; no scheduled send, sparse modern conveniences
03 Closed-source codebase, no published audit from a named security firm
04 IP addresses logged with no retention window stated in the privacy policy

Belgian-jurisdiction email and productivity suite with OpenPGP interoperability and twenty-six years of clean record. Encryption is opt-in and the codebase closed-source, which keeps the privacy ceiling below default-zero-access rivals. Grade: B (7.3/10). Trust: TRUSTED.