Email is an open system, right? Anyone can send a message to anyone… unless they are on Gmail! School Interviews uses two email servers t…

  • And this is happening after SPF, DKIM and DMARC provided a solution to the spam problem.

    Any mail system can remove practically all spam by insisting messages conform to those three standards

    But that is not true at all. Spammers can easily send mail with all proper SPF, DKIM and DMARC records and signatures. A lot of spam is and will be sent like that. Those extensions do not make spam impossible, they just make it easier to track and block.

    But this does not change the point of the article – in this case it is a specific domain sending very specific non-spam messages. SPF/DKIM/DMARC prove it is not someone else – GMail has no ground for blocking these (unless we are not told something).

    And GMail has been breaking mail for years now. E.g. I hate them for breaking message threading by ignoring threading headers and forcing their own view on how messages should be grouped.
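    An added example, not part of the thread: the comment above says SPF, DKIM and DMARC establish which domain sent a message, not whether the message is wanted. The sketch below reads the `Authentication-Results` header (RFC 8601) that a receiving MX stamps on a message and checks DMARC identifier alignment. The authserv-id `mx.receiver.example`, the sample domains and the two-label organizational-domain shortcut are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.receiver.example"  # assumption: our own MX's authserv-id

def org_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Return (authserv_id, [(method, result, props), ...]) for one header."""
    value = re.sub(r"\([^)]*\)", " ", value)  # strip RFC 5322 comments
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", []
    authserv = parts[0].split()[0].lower()
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv, results

def dmarc_verdict(raw, trusted=TRUSTED_AUTHSERV):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    aligned = []
    for header in msg.get_all("Authentication-Results", []):
        authserv, results = parse_auth_results(header)
        if authserv != trusted:  # any sender can add this header; trust only our MX
            continue
        for method, result, props in results:
            if result != "pass":
                continue
            if method == "spf":
                ident = props.get("smtp.mailfrom", "").rpartition("@")[2]
            elif method == "dkim":
                ident = props.get("header.d", "")
            else:
                continue
            if ident and org_domain(ident) == org_domain(from_dom):
                aligned.append(method)
    return {"from": from_dom, "aligned": aligned, "dmarc_pass": bool(aligned)}

# Constructed sample messages (not real traffic).
AR = "Authentication-Results: "
TRANSACTIONAL = (AR + "mx.receiver.example; spf=pass smtp.mailfrom=bounce@mail.school.example;"
                 " dkim=pass header.d=school.example header.s=s1\n"
                 "From: Bookings <notices@school.example>\nSubject: Interview time\n\nbody\n")
BULK = (AR + "mx.receiver.example; spf=pass smtp.mailfrom=b@bulk-offers.example;"
        " dkim=pass header.d=bulk-offers.example header.s=k1\n"
        "From: Deals <deals@bulk-offers.example>\nSubject: Limited offer\n\nbody\n")
SPOOFED = (AR + "mx.forged.example; dkim=pass header.d=school.example\n"
           + AR + "mx.receiver.example; spf=pass smtp.mailfrom=b@other.example; dkim=none\n"
           "From: Bookings <notices@school.example>\nSubject: Interview time\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("transactional", TRANSACTIONAL), ("bulk", BULK), ("spoofed", SPOOFED)]:
        print(name, dmarc_verdict(raw))
```

    The transactional and bulk samples both pass with aligned SPF and DKIM, so authentication alone cannot separate them; only the spoofed sample fails, and the header stamped by the untrusted `mx.forged.example` is ignored.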

  • In my experience Office 365 is even harder to deliver to. The email envelope can be in perfect shape and sent via sendgrid (their recommended partner) and it will still silently drop mails for no obvious reason and if it does deign to deliver them it will often mark them junk.

    I’m only sending low volume transactional emails. The amount of time I have to spend tweaking the email content just to persuade Microsoft to deliver the mail is absurd.

    • In my experience Office 365 is even harder to deliver to.

      Yep, this is my experience as well.

      I’ve had some issues with Google, but at least they tend to put them in Junk, or tell me the messages are being rejected.

      Microsoft will give me a 250 message, and then route the message to /dev/null.

      That’s contrary to the RFCs, and really annoying. Since it doesn’t end up in Junk, the receiver can’t say ‘not junk’, and since it doesn’t bounce, the sender thinks it has been sent.

      I’m signed up for Microsoft’s junk mail reporting, and when this happens the UI shows no issues with my IP, and doesn’t admit to any e-mail filtering. The only way I can detect it is by sending messages to my test accounts, or waiting for users to yell.

      Fwiw, anyone else who runs into this scenario, expect your first support ticket with Microsoft to be rejected. Keep responding to it. On the second or third try they might end up removing the silent ban.

    • Outlook showed really weird behavior on my end. The first email I created was on hotmail and in the last year it exceedingly treated mails as junk. Sometimes even Microsoft’s own emails would land in the junk folder. Marking them as safe or adding them as contact did not help.

      Then I created a new account and suddenly the same emails would be treated properly. No idea what is wrong with the old account.

  • Yeah, I think this is done to provide the illusion of choice. The rate limits are high enough to allow personal emails through, but for any mass emails or corporate emails this forces you to use Google. Unfortunately a standard corporate strategy, it’s why corporate office suites are so generic and tend to be from one of the big companies.

    • When I went to the DMV my independent mail server was immediately filtered into spam when I tried to email them my proof of insurance. It was no trivial thing for them to get it out of the spam filter, either.

    • This has been my observation as well. The lowest priority notifications from my exocortex use e-mail, and they don’t seem to have any trouble getting through. I haven’t tried to run a mailing list or anything like that, though, so it wouldn’t surprise me.

    • The rate limits are high enough to allow personal emails through, but for any mass emails or corporate emails this forces you to use Google

      Not really, we deliver 200k emails daily to @gmail.com without any issues. Sending 1 email a day from my personal server to my personal gmail account though - I need to use brevo for that.

    • Short answer: Don’t.

      Long answer: It is a massive amount of work, not just to set up, but also to maintain. On top of the fact that the big email providers block smaller email servers like crazy. Even if you had business class Internet service at home, the IP range is most likely already in their block lists. And if you have it on a VPS, the amount of time and effort it takes to get the security and filtering going properly is nightmarish.

      It really sucks, but it’s a fait accompli.

      •  Freeman   ( @freeman@lemmy.pub ) 

        Would agree.

        Even when done 100% by the book and correct. Companies like Google and Microsoft, in particular, will just randomly send the email to spam.

        I gave up after years of fighting the good fight and went to Google’s free tier. That is now over and I probably just need to move to some other service.

        Also don’t use a gTLD or if you do, have a backup .com or .us as well. Many forms don’t recognize things like .email as legit.

      •  chris   ( @chris@l.roofo.cc ) 

        Even if you set up everything perfectly you encounter email providers that only have allow lists and you have to jump through hoops to be allowed to send emails to them (like publishing your whole name and address). I loved the fact that I had a mail server but in the end it didn’t make sense.

      • Additionally, these days the sheer amount of flak that a self-hosted mail server gets is enough to make a lot of providers ask you to either shut it down or go somewhere else. Probably 80-90% of the server’s inbound network traffic will be bots trying to brute force access (usually over POP3 or IMAP4, though occasionally SSH) to use it as a spam relay as well as relatively dumb bots just assuming that your server is an open relay and trying to send garbage through it. That kind of traffic hogs a lot of bandwidth and the hosting provider will have to do something about it to keep their infrastructure stable. Also, figure that you’ll be spending about as much CPU time on the server for anti-spam processing on a 24x7 basis.

        I have to agree with other commenters, it’s just not worth the hassle and kinetic pattern baldness these days.

      • To anyone not scared off by this, my main mail server is based around this guide. I make some changes, but I think it does a good job explaining the various moving parts and a way of setting them up:

        https://workaround.org/ispmail/bullseye/

        There are also some easy to deploy dockerized projects that I hear are good like mailcow.

        https://mailcow.email/

        Or, for the simplest experience, you could use panel software like cPanel or Plesk or something that does e-mail, web hosting, etc. all in one package. I manage a Plesk install that works… okay.

        Managing e-mail is a bit of a pain, especially the initial setup, and finding clean IP spaces. But honestly I spend very little time managing mine. Months go by where I basically do nothing.

        …then Microsoft or Google do something stupid, or a user gets infected and sends some spam I don’t catch, and I’ve got a day of hectically trying to get mail flowing again while users send me nastygrams.

      • THIS!

        Managing mail servers is the worst. If you want your own email just go register email on something like Zoho. It’s cheap and the couple $$ you spend on it is money well spent to prevent the time and aggravation you’ll have running your own server.

        • Yeah, as someone who hosts a private email server, don’t do it. I don’t use my mail server for anything remotely important, because I don’t have enough monitoring in place to be sure it’s working 100% of the time. Silently dropping emails is a huge deal, especially if your monitoring is email-based… It’s 100% worth it paying for email hosting if you want to set up custom domains and mailboxes.

          • Incoming mail is the problem? What is the problem? Is it not in a data center? Or is it that you do not have at least two incoming smtp servers so the other can take over when one is down?

            Just curious the root cause of the problem as it is not one I would expect. I found email fairly easy to set up on my VPS, but have not really used it much except for traffic related to my VPS.

            • As far as I know, I’ve never dropped incoming emails, but I have no way of knowing due to insufficient monitoring. My mail server is in a datacenter, but I don’t have any redundancy or failover. It’s not worth my time to set up vs paying someone to manage email for me. Google’s spam filtering and integrations are also better than I’ll ever be able to achieve for $6/month Google Workplace Gmail.

    • I’ve rather just been using ProtonMail plus my own domain name. Of course the domain name is optional (and kinda expensive) but it’s wonderful to have multiple email addresses on my personal domain that I can use as, essentially, a hard spam filter and folder system.

      • For those considering Proton Mail: There is one great benefit or disadvantage, depending on how you see it. As all traffic is encrypted, Proton Mail does not support standard IMAP or POP3. It’s therefore best used with the official Proton Mail app rather than third party apps. On desktop, you can use your favourite email client (Thunderbird et al) only if you install a “bridge” which decrypts incoming emails before forwarding them to the client: this bridge is, in turn, only available to paying subscribers.

        That said, it’s a great service, and the fact that they have a viable business model which doesn’t depend on selling out their users might be a good thing.

            • I fail to see how the mails being encrypted stops them from using IMAP(s) like everyone else. IMAP doesn’t care what the contents of the email it’s sending/fetching are, and is perfectly compatible with other E2EE solutions like PGP/GPG which they say their solution is based on.

              • If IMAP is enabled on a provider, that provider can access your emails, unless you’ve encrypted the content of the email itself (with something like pgp or gpg). Proton only has access to emails in transit and after that, it can no longer access your email as it’s entirely encrypted. Since Proton doesn’t save the emails in transit, it has zero ability to provide those emails even if given an enforceable subpoena. Other providers that use IMAP can and do have access to your emails and can give them to a government authority if given an enforceable request.

                The difference is the data at rest protocols on different providers. Proton has zero access encryption for data at rest. It only has access for data in transit and it’s ephemeral in that once it’s done with that transaction, it no longer has that data.

          • They’re not using a different protocol for delivery, they still use IMAP and SMTP, but other mail clients can’t decrypt the message content from Proton because they don’t have the keys (and nor do Proton). Proton do supply a “bridge” app if you want to use your Proton mail with a desktop email client, which handles the decryption between your computer and Proton by accessing the Proton encryption keys on your computer.

            TLS is like a padlock on a box, and you have the key. Encrypted content is if the letter in the box is also written in code, needing another key to translate into plain language.

            • Proton doesn’t use IMAP. Your inbox isn’t quite like other internet mailboxes. You can’t access it with TLS. You access it via normal TCP/IP traffic. The contents are encrypted and can only be decrypted on your device. This is why IMAP doesn’t work. The Bridge acts as a Proton client, decrypts the data and then acts as a local IMAP server so you can connect to it via another IMAP client. Proton cannot read your email at any other time other than ephemerally at the moment it receives the email, which it then encrypts one way into your inbox. It cannot decrypt it. Only your devices can. Your devices get the private key from Proton’s servers, but they’re encrypted with your account password. So you grab the encrypted key and decrypt it locally on your device. It’s not the most secure, but it’s the most secure you can do without having to manage your own keys. It should be noted that you can possibly lose access to your email. This would require losing access to your physical devices and losing your password at the same time. As long as you have a device that has your key, you can restore access to your account which allows it to update the encryption on the key, etc. If you lose your physical devices and lose your password, you can only restore access to your account, but not any of your email up until that point.

      • Any advice or hints on how to switch over? I wanted to do it years ago but I dread having to change my main mail address on everything, from apps, tools and games to bills or RL document-related stuff, it sounds like a horrible mess and ton of work

        • My recommendation (assuming you have a normal @gmail addy and not a custom domain like I had) would be to use email forwarding. So you can leave your Gmail as is, but set it up (in the settings) to automatically forward all your email to your new protonmail address. Then you can gradually change the important contacts/sites to your new email at your leisure.

          I do highly recommend buying a domain and setting up your own email address though, it gives you a lot more portability going forward. You can actually do a lot with your own domain, and it helps you maintain trust better.

          Anyway, enough preaching lol, protonmail also maintains a guide to help people switch: https://proton.me/easyswitch

    • My recommendation for everyone is to use Fastmail and a custom domain.

      Fastmail is extremely reliable, and since they charge money they also offer customer support. A few years ago I lost a lot of emails due to a client bug, and Fastmail support was very helpful recovering them from backup.

      Use a custom domain so you can change providers in the future so you’re not locked into your provider and can change if you aren’t happy with them anymore.

      • I’m also using Fastmail and I’m happy with them. Their native Android email client is a little clunky but I still use it and I have the option to use other mail clients too.

        • Go to Namecheap (or similar) and buy a domain, then your email provider will give you two things to paste into their settings, and then shortly after that your custom domain will be online. It’s very easy.

          Why use a custom domain? Your email is the base of your digital identity and online security, owning your email is a huge improvement in security.

          If you ever want to change email providers you can easily import your mail to any provider and you don’t have to update any websites or set up forwarding. You can also set up unlimited catch all emails.

          The main example I point to is if you get banned from Google and use gmail then you lose access to all your accounts. Google has no customer service so you’re cooked if that happens. Or if you use your email through your ISP then you can never switch and they can charge you higher prices knowing this.

          It isn’t all sunshine and rainbows, it’s more expensive, not all email providers allow custom domains and they may charge more for them, and you still need a secondary backup email in case you ever lose access to your domain.

          There’s also the threat of someone scooping your domain, so buy it for a very long period with auto renewal enabled, transfer lock on, and WHOIS protection on. The threat is low but even Google has forgotten to renew their domains.

          Personally, I think it’s worth paying for.

        • You purchase your own domain through a provider like Porkbun or Namecheap, something like clover333.com

          Then you pay for a service like Fastmail (you need at least the Standard plan for custom domains). And you set up Fastmail to use your custom domain as the address. There are various ways to handle this, but if you just do the simple approach and use Fastmail as the nameserver it’s pretty straightforward.

    • Allow me to second Proton Mail. First they’re in the EU, so fall under their privacy protection rules. Secondly, the service is technically an encrypted email service. They operate on a freemium basis, letting you have basic email for free, but also, if you upgrade, you can do lots of things (like they’ll manage your email server if you happen to have a domain).

      • They’re in Switzerland right? So for what I know even stricter laws (and the servers are in bunkers in the mountains or so I have heard :-)

        I use proton mail and protonvpn (BTW!)

    • I feel like step 1 is just buying a domain so you can have control over your e-mail address, and then you can switch providers whenever you want (or host it yourself).

      If you already pay for extra iCloud storage you can use a custom domain for e-mail with iCloud… Many people are already paying for this, and if not it’s only $1/mo. Apple’s still a pretty big e-mail provider, so maybe that doesn’t address all of your concerns, but it’s a really cheap way to use a custom domain that more people should take advantage of imo.

      I host my own e-mail and it’s pretty care free these days (I don’t send bulk e-mails, though, so I don’t contend with rate limits at all). Honestly, more people should do it instead of buying into all of the fearmongering about e-mail… It’s a little tricky to set up right, but the impossibleness of the situation is somewhat exaggerated. The best defense for self-hosted e-mail is if more people actually do it… Otherwise you’re just capitulating to the large (and slightly less large) mail providers.

        • Yeah, exactly! You also brought up something that I probably should have mentioned too — it’s not uncommon that your domain registrar or hosting provider includes e-mail or offers it cheaply too.

          Having the domain seems pretty critical to me and gives you a huge amount of flexibility — even if you just plan to stick with gmail, it gives you the option to migrate to something else in the future relatively painlessly. Your e-mail is your primary online ID, and not having control of it is actually kind of scary!

    • You could check out Tutanota, fastmail and mailbox.org. They aren’t that expensive and from what I’ve heard all work pretty well. Protonmail is another option, but is a bit more expensive. If you opt for an annual or semi-annual subscription the difference isn’t huge compared to the other ones I mentioned.

      • Can you elaborate on why you don’t recommend using GoDaddy? Beyond the fact that the options you just mentioned are way cheaper? My ass just bought two domain names through them last year; the pricing was obscene and the experience was very confusing to me… I got my first ever domain through them years ago so I just auto-piloted to going with them again, but…

    • I wish they’d gone into a bit more detail about the issues they had, where they hosted, how they tried to fix their ip reputation, which providers blocked them, etc.

      I’ve experienced the same issues in the past, but didn’t find any of them insurmountable.

      Though admittedly mine is more ‘small business’ than ‘self-hosted’, so I can afford to buy a small IP block and run on dedicated hardware.