What's the best approach to email today?

Never use email for anything requiring privacy. Email is for paper trails. That's it. Sometimes for you, often times against you. It doesn't matter if you use Proton, Tutanota, FastMail, Gmail etc. The other person probably isn't and they + their provider will share anything you send so be on your best behavior.

Correct answer
Certified email would solve this, if it was possible to self host it.
Unfortunately running it requires government approval and the resulting emails are legally binding, so I assume hosts will have to go through all kinds of security controls and audits.
- I think that misses the point. Emails are kind of antithetical to transient and private communications. People are much better off using a generally respectful service that doesn't scan their mail for normal use and turn to better tools like Signal (which require both receivers to use an agreed-upon/enforced and privacy-focused infrastructure) or any other messenger with disappearing chats that limits metadata retention.
Both hands in favor!
- What is the sound of one hand in favor?

I use Protonmail

Proton mail with your own domain + catchall.
Has quite a few benefits over other options.

A privacy email provider and email aliases for everything you sign up for.

Email Providers

Protonmail

Tutanota

Email Alias Providers

Simplelogin

addy

Proton pass does e-mail aliases if you pay up for the high tier subscription
- Which is through SimpleLogin, which Proton bought.
- Theres plenty of good reason to keep your alias provider separate from your email provider.
  The first being you can lift and shift to another email provider very easily.
  Secondly if something happens to your account you don't lose the lot.
  Thirdly, just get a domain with alias provider and it matters not what email provider you use ever.
- They do but it's a limited kind of alias. You can't set up reverse-aliases (you send first) for example which the regular SimpleLogin can.
- But its though SimpleLogin, not ProtonMail itself.
I am new to the alias world so I've a question. How can I be sure that an alias provider doesn't have access to my emails when they are forwarded?
- Unfortunately there is no way, it requires trust. Just like you need to trust your email provider to not have access to your emails.

There isn't really privacy in email unless all recipients are encrypting the email body itself. Email leaks a lot of metadata even with GPG use, and it's typically stored at rest in plain text.

There are tweaks you can do that will accept the unencrypted email, then immediately encrypt the message with your key so only you can read it. Then it would be safer at rest, but less convenient. It really depends on your threat model.

Privacy is a spectrum…. A journey not a destination…

Yes self hosted is the most private to a point… ie you are responsible life configuration and security, and even good admins screw it up.

Proton is good as far as we trust them, how paranoid are you do you trust them a nS their audits?

Sigh. It is hard. Email isn’t that secure. Treat as though it will be and can be exhibit A in court…

Use signal for anything that needs to stay “that” private

Ymmv

I own a custom domain and actually use Tutanota as my host. Self hosting is a nightmare and easy to fuck up, which leads to your emails getting sent to spam or just not receiving. I use custom domain support in Tutanota that costs me $12/yr (2 custom domains) and my domain is $15/yr. Since custom domains stick out like a sore thumb, if I need privacy then I will use AnonAddy to forward to my email with an anonymous forwarder.

Like 99.9% of my emails aren't encrypted but that's not the point. Tutanota removes a lot of the privacy leaks via metadata and has privacy protection measures by default like disabling images from automatically loading. Also it's calendar/contacts/email all rolled into one and everything is e2ee. Not to mention, unlike ProtonMail, they have their own push service that works on DeGoogled Android and can be installed from fdroid.

this is a very sensible alternative to actually going all-in on self-hosting mail, which is a total pain in the ass.
Oh wow. Maybe I will migrate to Tutanota from Proton then. That price, function, and dedication to privacy sounds quite attractive to me.
- I'll just say though, the client is kind of rough and may be missing a lot of features you're used to.

I use fastmail.com to generate e-mail aliases. Creation is rate limited, but they are virtually unlimited; I have 500+ and counting. Aliases are randomly generated as wordone.wordtwo1234@fastmail.com, so they aren't identifiable to your account.

If you want to self host, I recommend mailcow. It is not that hard to install and if you follow the instructions you'll have a working solution whose mails are not considered spam by every other sane server. Sadly, some operate with whitelists.

I have looked at it and its system requirements are just insane. No way it would run on my cheap 1 GB VPS. I use a script for setting everything up, but less because I want to (I was warned about complications) and more because I cannot afford a second subscription.
- 6GB of RAM is for up to 8 concurrent users.

Anonaddy/Addy.io to create aliases, then PGP encrypt it before forwarding to my Google mailbox.

I also use Proton but considering ditching it in favor of Anonaddy.

FWIW, self hosting email is such a pain in the arse to get to a working state, I'll join the rest of the comments and say proton

I think if somebody does want to self host email we really shouldn’t discourage them. It’s a bit more complicated than somebody might expect going in, but you really don’t need that much to get everything in a working state, and it’s something that will get better the more people do it because more people will write tools and guides and make saner defaults, and large mail companies will have to take independent mail servers more seriously.
Totally cool if it isn’t for you of course, and people should be aware that it’s important to set up rDNS, dkim, DMARC, and SPF (most of these are just simple DNS entries that you need that help with interacting with other mail servers), because otherwise their emails are going to be sent to the spam zone… But these are not insurmountable obstacles if you really do want to do it!
- No you're right, I shouldn't discourage, just wanted to warn it's not the same as most other self hosting projects, where often you just need to spin up a docker container.
  FWIW hasn't DNSSEC/DANE been added to the prerequisites these days or is that still optional?

self host. Don't trust random "privacy" companies

Elaborate

I'm using Skiff Mail with two custom domains.

Do not use proton, get yourself a domain and then use something like Migadu to host it for you on that domain. Then you can also use anonaddy to add anonymous addresses where needed.

Tutanota with own catch all domain