Secure Email Client Canary Mail Joins Setapp

Subscription App Store, Setapp, is one of the first things I recommend to new Mac users these days. From inception, the apps included in a membership were always impressive. Setapp can meet the software needs of a large majority of Mac users, and the collection is constantly improving. The latest improvement is the addition of excellent, security-focused email client Canary Mail.

Setapp’s other email clients don’t work for me. Boxy looks pretty, but it’s designed for Gmail, and I gave that vice up some time ago. Unibox is a contact-focused client, which might be useful if your workflow is focused on particular people, but it doesn’t work for a curmudgeon like myself.

Canary’s thing is security. It makes encryption more user friendly by integrating with the MIT and Keybase servers. End-to-end encryption is automated when both sender and recipient are Canary users, or can be initiated manually when sending to other clients. It is probably worth reiterating the point in my post yesterday, about the recently discovered PGP and S/MIME exploit. Using encryption is simply a good habit, and something an app like Canary can help with. However, nobody should be relying on email for genuinely sensitive information. If you need serious encryption for messaging, use Signal. But securing the content of your mail is not the only security concern with email clients.

Protect yourself from Email tracking with Canary

A feature I really appreciate in Canary is the ability to block email trackers. With all the talk of web tracking, I’m surprised I don’t see more about the tracking that goes on in email clients. While an extension of what happens on the web at large, email tracking is potentially worse for violating privacy. A 2017 paper from Princeton University researchers revealed the extent of the problem.

About 29% of emails leak the user’s email address to at least one third party when the email is opened, and about 19% of senders sent at least one email that had such a leak. The majority of these leaks (62%) are intentional. If the leaked email address is associated with a tracking cookie, as it would be in many webmail clients, the privacy risk to users is greatly amplified. Since a tracking cookie can be shared with traditional web trackers, email address can allow those trackers to link tracking profiles from before and after a user clears their cookies. If a user reads their email on multiple devices, trackers can use that address as an identifier to link tracking data cross-device.

It goes on; if you want to read the whole paper you can find it here.

Beyond Image Tracking

The most common form of tracking is via invisible pixels. This is why I advocate for switching off the ‘load remote images’ setting in whatever email client you use. The problem is that blocking images is a blunt tool; it can render some email unreadable. Canary is smart about blocking only the tracker pixel, so it doesn’t ruin the design of HTML email. Using Canary in conjunction with something like 1Blocker can mitigate many of the concerns raised about leaking your personal data via the seemingly innocent act of opening a newsletter.
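To make the difference between blocking all remote images and blocking only the tracker concrete, here is an added example (not Canary's code, and not from the paper) that removes likely tracking pixels from an HTML message body while leaving ordinary images alone. The three heuristics, the function names and the `example.test` hosts are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Heuristics below are illustrative assumptions, not Canary's actual rules.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 (optionally with 'px')."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 1

class _ImgScanner(HTMLParser):
    def __init__(self, recipient):
        super().__init__()
        self.recipient, self.trackers = recipient.lower(), []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag != "img" or not src.lower().startswith(("http://", "https://")):
            return  # cid:/data: images are embedded, so opening them tells nobody
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reason = "1x1 or 0x0 image"
        elif HIDDEN_STYLE.search(a.get("style", "")):
            reason = "hidden by CSS"
        elif self.recipient in unquote(src).lower():
            reason = "recipient address in URL"
        else:
            return  # ordinary remote image: keep it so the layout survives
        self.trackers.append((self.get_starttag_text(), src, reason))

def strip_trackers(html, recipient):
    """Return (cleaned_html, [(src, reason), ...]) for the given message body."""
    scanner = _ImgScanner(recipient)
    scanner.feed(html)
    for raw, _, _ in scanner.trackers:
        html = html.replace(raw, "", 1)  # drop only the flagged <img> tag
    return html, [(src, why) for _, src, why in scanner.trackers]

# Constructed sample body; all hosts and the address are placeholders.
SAMPLE = (
    '<p>Hello</p>'
    '<img src="https://news.example.test/header.png" width="600" height="120">'
    '<img src="https://t.example.test/o.gif?id=abc123" width="1" height="1">'
    '<img src="https://t.example.test/p.png?e=reader%40example.test" width="40">'
    '<img src="https://t.example.test/q.gif" style="display:none">'
)
```

Size and visibility checks miss a tracker that is served as a normal-looking image with a per-recipient URL, which is why switching off remote images remains the stricter setting.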

I am pleased to see Canary turn up on Setapp. I struggle to see how the proliferation of single-app subscriptions is sustainable in the long run. The outrage might have died down, but the fatigue is starting to set in. MacPaw’s setup is smart, and it shows in the quality of the software they are offering. I cannot recommend it enough, especially when a 50% discount for students means over a hundred apps are available for US$5 a month.

If you have no need for the full suite, Canary Mail is also available direct from the App Store on both macOS and iOS.