
Ask HN: What's your email setup? - 6ak74rfy
Do you use Gmail like almost everyone out there?

If not, you must be someone who cares about their privacy. How do you cope with the fact that almost everyone you email to uses Gmail? In other words, if the people you interact with on email don't use secure/encrypted email, how does whatever effort you put in help?
======
kotrunga
I use ProtonMail, and tell people that if they care about secure email, they
should too.

I looked into other services, like FastMail, but from what I've seen, they
aren't as secure. I'm no security master, but according to these:

[https://www.fastmail.com/about/privacy.html](https://www.fastmail.com/about/privacy.html)

[https://www.theguardian.com/technology/2013/oct/07/australia...](https://www.theguardian.com/technology/2013/oct/07/australias-fastmail-secure-email-nsa)

FastMail is subject to the Australian government, so if a "properly authorised
Australian law enforcement" person comes, there goes your privacy.

Do others use ProtonMail? Or is there another email service that's as secure?
I'm no master, just trying to go after security. However, email is email, so
you can only be so secure, especially when emailing people with gmail
accounts, etc.

~~~
invalid_
Protonmail when under DDOS attacks routes their traffic through servers owned
by mossad. Which again is an "observer" in the global five eyes surveillance
network

~~~
bartbutler
It's BGP routing, and requests only (not responses). Radware, which is not
Mossad, does not do our TLS termination--we do.

------
johnklos
I've run my own email server since the mid 1990s. While it's not trivial, it's
certainly not all that difficult. What I find strange and suspicious, though,
is how quickly and readily people go out of their way to actively discourage
others, and how there's this crazy push to move everyone and everything in to
the "cloud". This even happens in places where running one's own email server
is expected, such as the selfhosted reddit channel.

There are two problems with that, broadly speaking. One, if we care about
privacy and security, the "cloud" doesn't have that. Google can genuinely try
all they want to keep things secure, but we know without doubt, thanks to Mr.
Snowden, that people who actually work for TLA agencies are working at Google
(and Amazon, and Microsoft, and Yahoo, et cetera). So is our data REALLY safe?
Even if they're not interested in our data specifically, the data can't be
said to be safe.

The other problem is that email with Gmail and others is not deterministic. In
the real world of email, you either get an email or you don't. If you don't,
you can look at your logs and see why. You'll end up with a precise reason why
delivery failed. With Gmail and friends, though, they might simply not like
the choice of subject, or they might not like the attached picture, or they
may simply not like the cut of the sending server's jib. I've been told that
access to email logs for businesses is better than it used to be, but do you
think a user who gets free Gmail gets to know why a specific email wasn't
delivered?

Finally, I think Gmail accounts shouldn't be usable for WHOIS and for abuse
addresses because they can't accept abuse complaints. I consider any WHOIS or
any Internet service provider which uses Gmail to be amateurish and
unprofessional. There's nothing less professional than setting up an email for
incoming abuse complaints that filters abuse complaints.

~~~
johnnycarcin
You were probably waiting for this, but how do you handle IP reputation?

I REALLY would like to host my own e-mail server but when I've previously
tried this on the various vendors platforms (Digital Ocean, AWS, Azure), I
naturally end up with an IP that has either no rep or bad rep. I did
everything I could with regards to proving my mail server was legit but still
ran into issues with my e-mails being flagged as spam.

I know I could use someone like SendGrid or whatever to handle my outgoing
e-mail, but now I'm back into the whole privacy concern area...

~~~
johnklos
In most instances, you get what you pay for. I handle IP reputation by
colocating with good, if somewhat conservative, colo providers. The most
recent colo provider contacted me after placing my order to ask what services
I intended to run, to match my provided address with WHOIS on the main domain
I planned to use, and to ask me to explain the discrepancy between the IP from
which I filled out their web form and my given address. Some people would be
indignant about this. I certainly was not. I'd rather ALL people have to jump
through many stupid hoops, myself included, than have a network where money is
the only prerequisite to joining. That provider, if anyone is looking, is
Turnkey Internet. They're definitely worth considering if you want to deal
with real people.

Once you have an address (or a new-to-you address), you have to break it in,
so to speak. I did this by setting up reverse DNS (of course) which
unambiguously matches the hostname, the primary IP, and the HELO / EHLO name
given by the server. I then set up SMTP-auth so I could use it for little bits
of email here and there. I did this for several weeks before I started
increasing the volume. At the same time, I configured a long running server
elsewhere to allow relaying from this machine and started sending email list
traffic through the new server, which relayed through the long running server
so that services like Google, Yahoo, Hotmail and others would get more
exposure to the new server, albeit indirectly.

I also took the time to proactively register the new server and IPs with anti-
spam sites and blocklists. This usually involves providing proof that the
contact information is real and works, but it helps lots.

Barracuda gave problems - they listed my new IPs even after requesting
delisting TWICE, but an email that got to a human fixed this more permanently.
While frustrating at first, the fact that you can correspond with a human is
always a good thing.

After more than a month of this, I started sending directly from this new
server. As anyone who has done it can tell you, running a mailman list these
days is hardly trivial considering how quick most services are to consider
mail lists spam. But regardless of how much time it takes, it's worth it to
take the time, to be careful and deliberate. I've only had to do this four
times in the last decade, but not rushing is always worth the extra energy.

Of course, VPS IPs are often much more "beat up" and are usually considered
undesirable neighborhoods, more so than colo networks. That's partly due to
the more transient nature of VPSes. When you colocate, you're more invested,
generally speaking, so you're more apt to keep the IP for many years.

~~~
nikofeyn
i have some honest questions for you though. i write software daily yet don’t
have much knowledge of what you have described here and have even less inkling
to want to do any of that. so i think setting up an effective e-mail server is
simply beyond the scope of nearly everyone. moving to the “cloud” isn’t some
fad for e-mail, it’s just not everyone has the IT knowledge and even less want
to have it. what is the _real_ benefit beyond not having your e-mails crawled?
is your server really more secure than google’s or microsoft’s?

~~~
johnklos
Saying that setting up an email server is "simply beyond the scope of nearly
everyone" is... Well, it's a bit sad, if you honestly believe that. At the
same time, it's also pessimistic and disingenuous. It's disingenuous because
you do a thing that some people might incorrectly generalize as, "simply
beyond the scope of nearly everyone," even though we all know that there are
lots of six year olds learning Python. Granted, there are likely more six
year olds learning Python than people in general learning from scratch to
stand up email servers, but we both know that your characterization is quite
stretched.

So let me ask you, since your post carries a similar sentiment as many others:
Why do you feel that you should express a dismissive opinion about the
practice when you've also made it clear you have no inkling to want to do it?

For your information, I set up a how-to to show people how to set up an email
server from scratch. No, it's not wildly popular, but several people have used
it and have written to thank me, so I don't agree in the least that it is
"simply beyond the scope of nearly everyone," and I also have evidence that
this is clearly not the case.

To answer your questions, not having my emails crawled is just one benefit,
but it's a very important one. Plenty of people say crazy and ignorant things
like, "I have nothing to hide," not realizing that it's not about that - not
even a tiny bit. If we dismiss the fundamental right to privacy because we
have "nothing to hide" right now, we can't later on get privacy back. But,
obviously, this isn't a concern of yours, and most people can't consider how
the principle applies to historical lessons or how it applies to a possible
path to totalitarianism.

So what ARE the benefits? I mentioned that my email servers are deterministic.
I can say with precision why a thing happened or didn't happen. Now it may be
true that writing Sendmail rules is "simply beyond the scope of nearly
everyone," programmers included, but the option is there to decide, again with
precision, what I want my servers to accept or reject. I even wrote my own
Sendmail rules to refuse email from servers that lie about their HELO / EHLO,
or, optionally, only accept from servers where the HELO / EHLO name resolves
to the connecting IP. Add procmail to the mix, and now you can have rules that
programmers can easily create and change.

Another benefit is precise control of all of my email information. If I delete
something, I can be sure it's deleted. It's my information, and I want to
control it.

Is my server (well, servers) really more secure than Google's or Microsoft's?
Unambiguously yes. Microsoft only ever ends up in a state of relative security
after long periods of trial-and-error while non-technical managers come up
with design goals which are antithetical to security, bad things happen, then
those same non-technical managers demand adding security as an afterthought.
Google, I believe (and really, we never can know all that much), genuinely
tries to get security right, but how many employees do they have? How many
have access to private data?

Take a clean, concise, easy to understand OS, install it on a non-x86, non-
IPMI, non-VM computer, install a minimum of things to run only what it's
intended to run, do so cleanly without extra cruft or OS specific
idiosyncrasies, keep up to date with security vulnerability announcements, and
colocate in a trustworthy place, and yes, my servers are definitely more
secure than Google's or Microsoft's.
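
The checks johnklos describes in his two comments above (reverse DNS that matches the hostname, the IP and the HELO / EHLO name, and refusing senders whose HELO name does not resolve to the connecting IP), as an added example that is not part of the thread and not his Sendmail rules. The function names, verdict strings and the DNS data are constructed for illustration; the resolver functions are injectable so the sample runs offline.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver ([] on failure)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_addrs(name):
    """A/AAAA addresses for name from the system resolver ([] on failure)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def _norm(name):
    return name.strip().rstrip(".").lower()

def _resolves_to(name, ip, addrs):
    """True if any address of name equals ip (compared as parsed addresses)."""
    want = ipaddress.ip_address(ip)
    for a in addrs(name):
        try:
            if ipaddress.ip_address(a) == want:
                return True
        except ValueError:
            continue  # skip anything the resolver returned that is not an IP
    return False

def check_sender(ip, helo, ptr=system_ptr, addrs=system_addrs):
    """Return (verdict, reason) for one inbound SMTP connection."""
    helo_n = _norm(helo)
    # Address literals, bare IPs and single-label names identify nothing.
    if helo_n.startswith("[") or "." not in helo_n or helo_n.replace(".", "").isdigit():
        return "reject", "HELO is not a fully qualified hostname"
    ptr_names = [_norm(n) for n in ptr(ip)]
    if not ptr_names:
        return "reject", "no reverse DNS for connecting IP"
    # Forward-confirm: the PTR name must resolve back to the same IP.
    confirmed = [n for n in ptr_names if _resolves_to(n, ip, addrs)]
    if not confirmed:
        return "reject", "PTR name does not resolve back to connecting IP"
    if not _resolves_to(helo_n, ip, addrs):
        return "reject", "HELO name does not resolve to connecting IP"
    if helo_n not in confirmed:
        return "warn", "HELO resolves to the IP but differs from the PTR name"
    return "accept", "PTR, forward lookup and HELO agree"

# Constructed DNS data (documentation address ranges, example domains).
SAMPLE_PTR = {"192.0.2.25": ["mail.example.org."],
              "198.51.100.7": ["host7.pool.example.net."],
              "203.0.113.9": ["mx.example.com."]}
SAMPLE_A = {"mail.example.org": ["192.0.2.25"], "smtp.example.org": ["192.0.2.25"],
            "host7.pool.example.net": ["198.51.100.7"], "mx.example.com": ["203.0.113.99"]}
sample_ptr = lambda ip: SAMPLE_PTR.get(ip, [])
sample_addrs = lambda name: SAMPLE_A.get(_norm(name), [])

if __name__ == "__main__":
    for ip, helo in [("192.0.2.25", "mail.example.org"), ("198.51.100.7", "mail.example.org")]:
        print(ip, helo, check_sender(ip, helo, sample_ptr, sample_addrs))
```

Calling `check_sender(ip, helo)` without the last two arguments uses the system resolver, which is how you would test your own server's address and HELO name before sending from it.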

~~~
nikofeyn
i didn’t dismiss it at all. it’s okay for me to wonder why i would want to do
such a thing, especially when people claim it as such a simple thing and is
instead a rather subtle thing that requires time and attention. i have other
interests.

and how is it disingenuous or stretched? i count nearly everyone as, say, 95%
of people. if you seriously think even 5% of people have both the skills and
want to setup and maintain their own e-mail server for many years, then you and
i are on different planes of thought and experience.

i can understand the crawling thing, although you make a lot of incorrect
assumptions. i don’t like it either, but i also don’t enjoy spending my time
on things that other people have made trivial.

it’s good people have found your setup posts helpful. if it can be made easier
to be self-sufficient, then more people will do it.

------
rfreytag
I use mail-in-a-box: [https://mailinabox.email/](https://mailinabox.email/) on
a small linode.

Has been serving me well for years.

For one other email I use Rackspace Email at $2/month:
[https://www.rackspace.com/email-hosting](https://www.rackspace.com/email-hosting)

~~~
SkyLinx
I've had a bad experience with Rackspace Email. I found their service to be
very limited IMO

------
K0nserv
I use Fastmail after switching away from Gmail and Google pretty much
entirely. The core issue with Gmail and other free services is that since you
aren't paying for the service they need to sustain in some other
fashion (mining your data for example). With Fastmail I know that it's in their
best interest to do what's right for their customers.

I use an alias system so I can have email addresses for specific purposes and
signups. Also have a bunch of other assorted email addresses.

~~~
wilsonnb
Google does offer a paid email service through their G Suite product.

It's generally aimed at businesses but the cheaper options are $5 and $10 a
month which is comparable to Fastmail.

~~~
_RPM
The problem with the G Suite product, is that it's overwhelming. You get
access to the entire suite of Google products. When you only need Email,
Calendar, Contacts.

~~~
webmaven
If you use G Suite For Your Domain, then the admin can enable/disable most of
Google's services (I think only the user directory service can't be disabled)
for those users (globally, individually, departmentally):

[https://admin.google.com/ac/appslist/core](https://admin.google.com/ac/appslist/core)

[https://admin.google.com/ac/appslist/additional](https://admin.google.com/ac/appslist/additional)

There is also a setting that determines whether new services are turned on or
off by default when Google adds them:
[https://support.google.com/a/answer/82691](https://support.google.com/a/answer/82691)

------
Philomath
I use namecheap for email hosting. A while ago I read quite a lot and it was
my preferred option. Maybe there is something better now. Regarding your other
concern, although theoretically they shouldn't map my custom email with my
usage of chrome or Google maps, I have to admit that most likely they can do
some correlations and target me anyway. Still, they will not know about what I
buy or where I go (flight emails etc), and that's already something.

~~~
Jamescarlsen21
Still namecheap is the best email hosting service provider.

------
feistypharit
I use migadu.

[https://www.migadu.com/en/index.html](https://www.migadu.com/en/index.html)

~~~
ac29
Had to drop them after my first year due to lots of deliverability problems
(even with inter-organizational emails hosted on the same service). It's cheap,
but 98% reliability isn't good enough for business.

------
oblib
I also use mail-in-a-box:
[https://mailinabox.email/](https://mailinabox.email/)

Honestly, after 20 years of using 3rd party services I got tired of being
subjected to their whims and issues. The straw that broke my back was when
Mandrill was taken over by MailChimp.

Not that there's anything wrong with MailChimp, my problem was with investing
my time learning how to do things "their way" and exposing myself once again
to a 3rd party's whims and issues.

It took me some time to go through all the necessary steps to get mail-in-a-
box set up and secured but it was worth the effort and I learned a lot in the
process and got a lot more than just email for my efforts.

And it was a lot easier than I'd expected. The mail-in-a-box team has done
some great work on that project and the community support is solid.

------
corobo
I use Fastmail to punt all of my domains' catchall inbound mail into my Gmail
account.

> you must be someone who cares about their privacy

That's quite an assumption. I care about privacy but use Gmail. Email is not,
has never been, will never be private. It's a postcard protocol.

------
0kto
I am a posteo [1] subscriber. Superior set of features [2] (privacy, security,
encryption), runs on green power, no ads / tracking, groups in address book,
nice staff -- for 1€ per month. Also supports mandatory TLS transfer (or
doesn't send the email), if wanted. Couldn't be happier since ~5yrs!

[1] [https://posteo.de/en](https://posteo.de/en) [2]
[https://posteo.de/en/site/features#featuresprivacy](https://posteo.de/en/site/features#featuresprivacy)

------
stunpix
I setup my mail server manually from scratch with my own scripts. I never had
such experience before, so it was total pain and I spent about 2 weeks to get
fully working healthy server. Now I know what is behind curtains and how
complex mail serving is nowadays. At the moment I'm deciding: stay with my own
server or throw this headache and buy a service like Migadu or fastmail.

------
SkyLinx
The past year I've tried to leave Google and have tried, in order, Zoho,
Rackspace Email, self hosting and am currently with Fastmail. However I've
planned moving back to Google this coming weekend. I just miss many features
and services and the integration between them.

~~~
Willox
May I ask why you stopped using Zoho? I'm using them currently, but only to
forward my emails to a google account. You mention a lack of features, but of
course with a forwarding setup that is not a problem.

------
Random_Person
I have old yahoo addresses that refuse to die. My "main" email is Gmail, but
all of my domains are hosted on Dreamhost and have email, so I have addresses
on all of them also, but forward to my Gmail for reading/cataloging. Work uses
a Microsoft account.

------
closed
Based on a recommendation from HN, I switched to fastmail.com. I create
aliases for most new services I sign up for, and treat the actual email
address like a secret. Being able to "turn off" annoying services is a
delight!

------
atsushin
I use Gmail for most things. I also use ProtonMail, and I want to migrate
things to there because I do care about my privacy but it seems to be too much
hassle and I don't have enough time.

------
Elect2
I'm using Gmail and considering hosting my own email server. But the only/big
thing stopping me from doing that is how to filter SPAM. Gmail is really useful for
SPAM filtering.

------
dundercoder
I’ve been toying with the idea of a postfix/dovecot/spamassassin/opendkim
solution.

I don’t need one more thing to do, but the big G has me worried.

------
sosilkj
If you care about privacy, use PGP.

You can use PGP with a gmail account.

~~~
chmielewski
I agree that if you are located in the US, there is no difference between
doing this and using ProtonMail, for instance.

------
kdv
These days you pretty much have to choose between privacy (e.g. Protonmail,
Fastmail, self-hosted) and security (Google). Account security should matter
more since your primary email address probably holds the keys to the kingdom
for the rest of your digital life. Oh, and privacy as you know it is
essentially dead.

~~~
333c
Why do you say that? My email provider (fastmail) supports two-factor auth.
Beyond that, I use a long password generated by my password manager. Why am I
less secure than a Gmail user?

I think security is much more dependent on user configuration. If my password
is "passw0rd" then I'll be fairly insecure regardless of my provider.
Likewise, since I have 2FA set up, I'm better off, regardless of provider.

~~~
kdv
That's a reasonable question. You're absolutely correct that security is often
highly dependent on account configuration, but Google has invested more into
security than any other mail provider and my ridiculous prediction is that
their anomaly detection powered by their all-powerful compute network is only
going to create a bigger gap there.

For most people, the biggest risk is a troll abusing account recovery or weak
2FA settings to hijack your email account, pivot to other accounts, and wreck
your online life. In those cases, you're probably safe w/ a strongly
configured Fastmail account (although there have been some recent issues
brought to light around Fastmail's account recovery practices [1])

[1]
[https://news.ycombinator.com/item?id=15855081](https://news.ycombinator.com/item?id=15855081)

------
buffaloo
I don't see a lot of love for Office365; any particular reason why?

~~~
TwoNineFive
In a word; Microsoft.

[http://www.zdnet.com/article/microsoft-tightens-email-privac...](http://www.zdnet.com/article/microsoft-tightens-email-privacy-policy-after-taking-fire-over-hotmail-incident/)

