
Unicorns, Startups and Hosted Email - mh_
http://blog.thinkst.com/2015/10/unicorns-startups-and-hosted-email.html
======
jkldotio
Gmail is good, but it's not the features so much as the complexity of running
my own mail server that's stopping me moving off it (to say nothing of the
fact I am not a "Unicorn"). The current DIY offerings are far too heavy and
complex. It's a pity because there are a lot of apps that could use the
identity/data layer of email if it was simpler to use. By simple I mean if we
were inventing it today then a simple JSON under the protection of SSL would be a
decent starting point. Extensions over the basics could be flagged in the
subject header with the payload as another JSON file in the basic attachment
infrastructure. While it would be more complex it shouldn't be too many times
more complex than the dime a dozen "IRC client in language X" or a REST
interface.

Maybe I am wrong regarding traditional email though, is there a simple and
easy DIY email stack around these days?

~~~
peterwwillis
E-mail software is not complex. It's all based on a simple line-based text
protocol. The stack is also pretty simple to learn if you spend an hour on it.

The administrative headaches range from general user woes to networks that
don't want your mail or have various ways of handling it, and you regularly
have to address new and unusual problems. But this has nothing to do with the
stack or protocol. This is because not all mail is made the same, not everyone
does it right, and spam is really god damn annoying.

Don't run your own mail server unless you want to find out what makes BOFHs
cry.

~~~
arethuza
At one point I "inherited" an email system that had ~120 different domains,
hundreds of servers worldwide and pretty much every email program known
(including Lotus Notes) - migrating that to one email system while keeping the
whole thing running was no fun at all - largely as nobody cares that much
about email until it doesn't work then they get very upset and shouty.

------
stkni
I don't think this is that surprising. A lot of those firms would already have
large-ish engineering teams already but managing the complexity of the mail
servers is just not a good use of that resource.

Mail is a mostly solved technical problem, and having 'better' mail servers
than the next guy isn't going to put food on the table any more.

~~~
gadders
Mail is a commodity now. It would be like trying to program your own
switchboard or run your own phone lines.

~~~
darkr
> It would be like trying to program your own switchboard or run your own
> phone lines

You mean like a PBX? Most companies with >= 50 employees do this.
Smaller/newer ones will definitely tend towards a managed service for this
though.

------
acqq
The comment there by Anonymous:

"Reminds me of this: "The Hostile Email Landscape," by Jody Ribton
[http://liminality.xyz/the-hostile-email-landscape/](http://liminality.xyz/the-hostile-email-landscape/)

In summary: Start sending email from a new mail server and the established
players will likely mark it as spam. Market captured."

~~~
efesak2
I am often installing whole new email servers (author of
[https://poste.io](https://poste.io) here)... And that's not true, at least
from my experience - well unless your first email is not "super promo
whatever"...

~~~
kraftman
Just so you know, there are quite a few typos and grammar issues on your
homepage.

~~~
acqq
Indeed, and at least the typos (like the "interenet") can be easily detected
with the free spell checkers (and even some grammar issues!) It can help
efesak2, but it's off topic to what we discuss here.

------
_Codemonkeyism
Will be interesting times for EU startups when at the end of January 2016
model clauses and corporate bindings break down due to the 29 Working Group
and EuGH decisions.

~~~
tinkerdol
Could you please elaborate and provide links about what happens then? This
sounds important, yet I have never heard about these things...

~~~
_Codemonkeyism
IANAL.

The EuGH court made its decision that safe harbor is no longer considered
lawful (triggered by a lawsuit by an Austrian against Facebook in Ireland).
It basically says that EU data protection agencies can investigate companies
for data protection issues even if the EU company uses a US company that is
Safe Harbor certified.

This is due to the fact that the EuGH considers NSA snooping unlawful,
especially that EU citizens do not know about the spying and have no legal
way in the US.

Beside Safe Harbor US companies provide data protection for EU companies based
on EU model clauses. US enterprises share information about their employees
back into the US based on 'corporate bindings'.

The 29 Working Group of EU data protection agencies issued their opinion last
week on the EuGH decision

[http://ec.europa.eu/justice/data-protection/article-29/press...](http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf)

Interesting parts:

- Safe Harbor is unlawful for EU companies ("In any case, transfers that are
still taking place under the Safe Harbour decision after the CJEU judgment are
unlawful.")

- Model clauses and corporate bindings can only be used until the end of
January 2016

"In the meantime, the Working Party will continue its analysis on the impact
of the CJEU judgment on other transfer tools. During this period, data
protection authorities consider that Standard Contractual Clauses and Binding
Corporate Rules can still be used [...]

If by the end of January 2016, no appropriate solution is found with the US
authorities and depending on the assessment of the transfer tools by the
Working Party, EU data protection authorities are committed to take all
necessary and appropriate actions, which may include coordinated enforcement
actions."

Most unlikely those will be extended beyond January 2016 if one reads the
opinion of different national agencies.

PS: Gmail is based on these legal frameworks.

------
notacoward
The people saying the software isn't that complex are missing the point.
Everything's easy for the person who has never done it. Even if you include
all of the DNS/SPF/DKIM garbage the initial setup can be done quickly. Then
the support time sink begins. One person's outbound email bounced. Another
person is getting too much spam. A third person is missing perfectly valid
email because it keeps getting marked as spam. Third parties are complaining
at you, or trying to hack you, or both. Oops, time to upgrade because of
another TLS bug. You get the idea. Burning a couple of hours one time is no
big deal. Burning half of someone's day, every day, is a problem.

Still, a lot of developers' addiction to gmail in particular continues to
mystify me. I work on open source, so I don't care if people see what I put up
on Google Drive for discussion, but there's no way I'd choose to put company-
confidential email on a competitor's servers. Google competes with a lot of
other companies. I guess infosec just isn't as important to some people as
aesthetics.

------
Sir_Substance
The frustrating thing about this is that we're starting to see companies that
make google accounts mandatory.

I've already been in the position of being told "make a google account or lose
your job" once. I chose the job, I have rent to pay. But I really don't want a
google account, and critically, I _do not_ agree with Google's terms of use.

Unfortunately, there's no way for me to flag to google that I have made the
account under duress, and thus I will be subject to their data fracking
techniques against my will.

Facebook was talking a few years ago about developing Facebook for business, I
can see that taking off like a rocket too.

I'd really like to see some federal level intervention on the topic of
employers strong-arming employees into legally binding agreements with third
parties.

~~~
chkuendig
I don't see the problem here. You use third party products and services all
the time in your professional capacity.

If your employer wants you to have a google account, I assume you'll use it
for some job-related things. So it doesn't need any of your private data/usage
profile (use company address/phone nr etc).

~~~
Sir_Substance
The difference is in who the legal agreement is between, from Google's (and the
courts') perspective.

For example, I do, in my professional capacity, use perforce. However, the
agreement that perforce has is with my company. I'm just a number on the sheet
of "how many users".

A gmail account is a privately held account. The agreement is between me and
google. Any liability is mine, and google invests heavy effort into continuing
to track me via a plethora of cookies, fingerprinting techniques and other
methods even after I log out. They do that on the basis that I _personally_
have agreed to submit to it, my employer isn't involved.

It's on the same level as if an employer mandated which phone company you
could use. I don't mind my employer insisting on me using a specific provider,
if he is providing the phone and paying for the plan. I might choose to leave
that phone at work when I'm not on call though. But if it's my phone and I'm
paying for the plan, I should have the right to choose who I give my support
to.

The alternative road takes us down a dodgy path of corporate alliances, where
companies agree to have each others employees scratch their backs, and to hell
with consumer rights. We're already seeing it with companies in the US paying
wages on pre-paid visa/AA/mastercard cards. Inevitably, the employee ends up
paying all the fees. $5 to check your balance, $10 to transfer it elsewhere
etc.

~~~
TeMPOraL
In practice, there is pretty much zero chance you'd have any problems with
Google. But I support your stance as a general rule - an employee should not
force you to enter into personal commitments as a part of the job.

------
Tepix
Running a mail server isn't a black art. With projects like sovereign (on
github), it's even easier.

Companies and people throw away their privacy so lightly - it shows a puzzling
negligence.

The internet is at its strongest when it's decentralized. Stop using
proprietary services when decentralized alternatives are readily available!

PS: I think Hillary Clinton did the right thing by running her own mail
server, she shouldn't have used it for classified documents (if she did),
however.

------
Axsuul
Not surprising at all.

Hands down, Google Apps (not Gmail) is the best hosted email service for
businesses. That's why companies use it. It's so good that wasting precious
engineering resources on reinventing the wheel makes absolutely no sense
whatsoever. Oh, and don't forget email deliverability, spam detection, and a
slew of other features that your cobblestone of postfix, dovecot, and
roundcube will never even come close to reaching feature parity with.

------
MVf4l
People focus on different priorities. I don't think it's hard to understand.
They just care less about privacy. Scaling is more important to them. And your
emails can be encrypted on your client side if you want to. Just make sure
those encrypted emails aren't so suspicious that they want to crack them.

------
lentil_soup
Honest question, what's a "Unicorn"?

~~~
pmiller2
A startup with a $1B valuation.

~~~
venomsnake
Ok. I will invest 1$ in random startup for 1/1000000000 of the company -
congratulations we have a new unicorn.

~~~
arethuza
Reminds me of something Michael Lewis wrote:

“You have a dog, and I have a cat. … You sell me the dog for a billion, and I
sell you the cat for a billion. Now we are no longer pet owners but Icelandic
banks, with a billion dollars in new assets.”

------
peteretep

> So every time a twitter executive sends an email,
> people at Google can read it?

Can they, legally?

~~~
tallanvor
Legally I'm sure there's something in the TOS or contract that allows them to
access the data if necessary.

Realistically, the number of people who can actually access customer data such
as email and documents is probably quite small and heavily audited. Even
accessing scrubbed telemetry data is probably audited.

~~~
desdiv
> Realistically, the number of people who can actually access customer data
> such as email and documents is probably quite small and heavily audited.

[http://www.theguardian.com/technology/2013/oct/30/google-rep...](http://www.theguardian.com/technology/2013/oct/30/google-reports-nsa-secretly-intercepts-data-links)

Realistically, Google had no idea who had access to their customer data back
then.

