I know it's in its infancy here, but if it's a solo passion project I'd consider open-sourcing it so the E2EE can be verified.
If you plan on launching this as a monetized project of some sort, I, as a potential customer, would suffice for audits but I'm sure they can get pricey.
I'd like to know more about the operator, besides them being from USA. Having the data in Iceland sounds great, but we should be wary of any new service designed specifically to attract confidential conversations.
You defeated https://www.emailprivacytester.com straight off. Which is more than most new email services. You seem to be relying on CSP entirely for this, but it works.
You declare HSTS preload, but you are not in the preload list. You cannot be added to the preload list at https://hstspreload.org/ because www.rootshell.is exists but has an invalid certificate.
Your MX TLS configuration supports various anon ciphers. These should be disabled.
Your DANE is broken. Try any of a number of freely available online validators.
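The DANE point above comes down to whether the published TLSA record actually describes the certificate the MX presents. The following is an added example, not code from the original thread or from the service being discussed: it implements the TLSA matching rules (usage, selector, matching type, association data) and a small diagnosis helper that reports the usual reasons a record fails, such as the data being hashed from the whole certificate while the record claims selector 1 (SubjectPublicKeyInfo), or a stale hash left behind after a certificate rotation. The certificate and SPKI bytes are constructed placeholders; in practice they would be the DER bytes pulled from the MX host's TLS handshake.

```python
import hashlib
import re

# Constructed sample material standing in for DER-encoded bytes; real values
# would come from the MX host's certificate (assumption: caller supplies both).
SAMPLE_CERT_DER = b"constructed-cert:" + bytes(range(256))
SAMPLE_SPKI_DER = b"constructed-spki:" + bytes(range(64))

# Presentation format: "<usage> <selector> <matching-type> <hex association data>"
TLSA_RE = re.compile(r"^\s*(\d)\s+(\d)\s+(\d)\s+([0-9a-fA-F\s]+)$")


def parse_tlsa(rdata: str):
    """Parse TLSA rdata such as '3 1 1 ab12...'; raise ValueError on malformed input."""
    m = TLSA_RE.match(rdata)
    if not m:
        raise ValueError("not a TLSA record: " + rdata)
    usage, selector, mtype = (int(m.group(i)) for i in (1, 2, 3))
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"unknown certificate usage {usage}")
    if selector not in (0, 1):
        raise ValueError(f"unknown selector {selector}")
    if mtype not in (0, 1, 2):
        raise ValueError(f"unknown matching type {mtype}")
    try:
        data = bytes.fromhex(re.sub(r"\s+", "", m.group(4)))
    except ValueError:
        raise ValueError("association data is not valid hex")
    expected = {1: 32, 2: 64}.get(mtype)  # SHA-256 / SHA-512 digest sizes
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {mtype} needs {expected} bytes, got {len(data)}")
    return usage, selector, mtype, data


def tlsa_syntax_error(rdata: str):
    """Return the parse error message for a record, or None if it is well-formed."""
    try:
        parse_tlsa(rdata)
        return None
    except ValueError as exc:
        return str(exc)


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute the association field for a certificate: selector 0 = full cert,
    selector 1 = SubjectPublicKeyInfo; matching type 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    material = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return material
    if mtype == 1:
        return hashlib.sha256(material).digest()
    return hashlib.sha512(material).digest()


def make_tlsa(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Build the record an operator should publish for this certificate."""
    return f"{usage} {selector} {mtype} {association_data(selector, mtype, cert_der, spki_der).hex()}"


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """True when the record's association data matches the presented certificate."""
    _usage, selector, mtype, data = parse_tlsa(rdata)
    return association_data(selector, mtype, cert_der, spki_der) == data


def diagnose(rdata: str, cert_der: bytes, spki_der: bytes) -> str:
    """Explain why a record does not match, trying the other selector/type combinations."""
    _usage, selector, mtype, data = parse_tlsa(rdata)
    if association_data(selector, mtype, cert_der, spki_der) == data:
        return "ok"
    for sel in (0, 1):
        for mt in (0, 1, 2):
            if association_data(sel, mt, cert_der, spki_der) == data:
                return (f"mismatch: record says selector {selector} matching type {mtype}, "
                        f"but the data was computed with selector {sel} matching type {mt}")
    return "mismatch: data matches neither the certificate nor its public key (stale record after rotation?)"


if __name__ == "__main__":
    # "3 1 1" (DANE-EE, SPKI, SHA-256) is the form RFC 7672 recommends for SMTP.
    record = make_tlsa(3, 1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print(record)
    print(diagnose(record, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    print(diagnose("3 1 1 " + hashlib.sha256(SAMPLE_CERT_DER).hexdigest(), SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```

The checker deliberately takes certificate and SPKI bytes as inputs rather than opening a TLS connection itself, so it can be fed the output of any capture or an ACME client's certificate files; wiring it to a live lookup also means resolving the `_25._tcp.<mx>` TLSA name with DNSSEC validation, which a record-level check like this does not cover.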
Nice, the more standalone, non-corporate email providers the better. You have it on a good host. I've never tried to email from their CIDR blocks, curious how it works out.
I’m never hosting or dealing with any companies in Iceland. I had a run-in with a hosting company there who was DoS attacking us from compromised nodes. I emailed them and they told me to get a letter from a local lawyer telling them to stop and they’ll look at it. In the end we contacted our DC provider and they dumped all traffic from their entire blocks.
A year later same attitude from a different one hosting a web site for Covid misinformation which was against their own AUP.
Another company tried the Iceland root, and after growing steadily and without reporting issues (at least I never saw anything reported) just shut down one day.
I'll give it a shot either way, just my two cents.