Hacker News new | comments | show | ask | jobs | submit login

I tried using Sendgrid and was surprised to find out that unless you buy an expensive plan, then:

* You get IPs from a shared pool, and the reputation is nowhere near guaranteed. In fact, many of my mails were blackholed or rejected.

* The "bad" IPs that were used by someone for spamming are not immediately removed from the pool, so you will encounter them.

The net result for me was that Sendgrid is not a solution for my transactional E-mail, because of the high risk of my E-mails getting blackholed/rejected. I use it for newsletters/marketing only.

I had exactly the same experience. For context I run a SaaS targetting small/medium businesses, who usually have in-house email servers with extremely restrictive spam filters. The IP was on a blacklist, so some of my customers just couldn't use my service. I contacted SendGrid and their only solution was to upgrade from a $20/mo plan to a $80/mo plan with a dedicated IP - they wouldn't even move me to another IP in the pool.

Given this, and my volumes of mail were increasing (once you go over 100k emails/mo SendGrid's pricing goes up a lot), I setup my own mail server using Cuttlefish [0]. I set it up on an OVH instance that I pay £2.50/mo for. I contacted them to enquire about spam policies before opening an account, and they said they take it very seriously and monitor outgoing SMTP for spam.

The IP address I ended up with was still on one blacklist, but the process to remove it was pretty easy (fill out a form, and explain the situation) and took about 1 day. I set this up around 6 months ago and have had no problems with deliverability since then, I'm now up to sending around 300k emails per month.

[0] https://github.com/basho/cuttlefish

Unless you are doing a TON of sending, you are better off with a shared ip since it will have a known reputation. That is assuming that the provider is maintaining the integrity of those allowed to send with that ip. I haven't used sendgrid, but mailgun has been good about moving me off of any ip I don't like. Although I wish they were more proactive about it, I have setup a weekly monitoring script to check a bunch of the blacklists. If there are any issues, I will have them move me. And I am still on the free tier so I can't complain.

I've been doing this for 6 months now, and haven't had any issues. Over the last 7 days my deliverability of 64k emails has been 99.5%. The only bounces I have are because of invalid email addresses or mailboxes being full. I didn't do any 'warming up' of the IP when started, I just started sending.

I've heard this many times, and maybe it was true before but it doesn't seem to be any more. I suspect now companies like Sendgrid still spread this FUD so people are more willing to buy their services and assume it's the only option.

I'm curious to know what type of customer you have? My customer base is made up of quite a few less tech-savvy types and we get a lot of issues with spam for AOL and MSN accounts.

And I don't show any bounces either. Stuff getting sent to spam doesn't give you a bounce message usually. It will appear to have been delivered successfully.

As for needing to warm up the IP, I think there is still something to that. I am surprised you were able to just start right off sending large volume. My guess would be that that you lucked out and got a gently used IP address by chance. The fact that it was on a blacklist would indicate that it probably was previously used rather heavily... just enough to get blacklisted at one place. But not abused in a way that got it blacklisted other places.

Oops :D

We really need a better solution to fighting spam.

https://github.com/jimktrains/email_ng is an overly complicated idea I had once, but the basic gist is that the receiver could give the sender a signed receiver email address that is for the sender's email address. This way, transactional email (and sure, I guess marketing from your company) would be able to get through and the email given out wouldn't be able to be used if sold or stolen, as the receiving mail server would reject it because of a bad signature (bad sender, and coupled with DKIM and SPF, a malicious user wouldn't be able/allowed to spoof the sender's email).

This sounds like a cryptographic way to achieve the aliasing scheme many people already use, e.g "chatmasta+hackernews@gmail.com".

Your proposal requires at least the status quo (aliased email address at signup), but the problem is it also requires cooperation of the receiver's email provider (e.g. gmail) and the sender's email provider. You are unlikely to ever see any new standard adopted by all major email providers, unless it came through a standards committee.

But your idea is interesting. Perhaps you could lower the cost of adoption by replacing the dependency on TLS/SSL with some sort of pgp signing scheme. This way all the "protocol" happens within the message body, so email providers do not need to adopt a new standard. As long as at least one website and one user implement the protocol, it can work without any cooperation from third parties.

As an aside, it would also be nice if password managers included functionality around generating temporary/isolated email addresses.

There are services like 33mail.com, which I've used for years, which do exactly that. You give a service an email like servicename@chatmasta.33mail.com (or a custom domain, if you're on a paid plan), and then you can block/unblock/track emails per username.

Actually curious, so if I understand you correctly what you are saying is that a receiver had some software generated an address like johndoe+A16789HFF...@gmail.com and then sent it to the sender for use, that would require email providers cooperation. I am not clear on the "cooperation" parts work. I THINK its basically that email providers block emails based on other criteria like DNSBL. And the "cooperation" bit is to get the providers to manage these cryptographic email addresses like guard against their possible misuse?

That's more-or-less what I was thinking. The receiver would require understanding of the signature to white-list the message; the sender just sends to an email address as they would normally. No or invalid sig would fall back to our current anti-spam methods.

why not just add +sitename to your email when you sign up..... eg me@example.com becomes me+flickr@example.com ? it's just a comment that will be ignored. I don't feel that we need software support to help with that. Your password manager will store that address (since it's probably your username) and help you fill it in / remember it when you come back to the site.

> it's just a comment that will be ignored.

It’s not a comment. Some mail services allow you to have aliases in the form of normal-username+something@service.com but that doesn’t mean all do. If it were a comment the address +@example.com would be invalid but it’s not. Comments in email addresses are written in parentheses like username(i'm_a_comment)@example.com.

> We really need a better solution to fighting spam.

I rarely receive email spam these days. The spam I get is on my voice line. I'm getting several robocalls per day. If you have the skills to work on this stuff, I'd love to see a solution to phone call spam because email spam feels solved.

yes, but as someone who's worked on the sending of emails side of this i can assure you that the techniques for fighting spam are TOO effective. There are many legit emails that go into black holes before any standard idea of spam filtering comes into play. I wrote an embeddable smtp server so that you could have an app that sent email without ever asking your users to put in their SMTP server info... it was USELESS because of SPF filtering. The blacklisting of whole IP ranges means that no app could use it on a home computer because all those IPs are banned.

we definitely need a better solution to fighting spam.

I hear this all the time, but the culprit is always someone sending spam, who does not consider it spam. Usually stuff like missing unsubscribes, spammy language, sending bulk to bought email lists, etc.

As someone running a personal email server for >10 years I can promise you this is a legitimate problem and the false-positive issue is not even close to solved. It's just that most people use a big provider to send personal email, so nobody is incentivized to care about solving it.

For a company I worked for, it was transactional emails (recipes) that would get blackholed. So while you're probably right that a lot of people doing legit marketing, but not 100% correctly often complain, it's also people doing legit work as well.

I assume you mean rarely receive spam that ends up in your inbox. Or does your email someone not receive any spam at all?

It's the former. I use gmail and for me, they are almost perfect. It's been probably three or four years since my last false positive and less than 1% of the email I do see is spam that was missed.

For phone calls, somewhere between 30 and 50 percent of my calls are robocalls or other telemarketing (I receive far more emails than phone calls).

If there were an easy way to tell my phone to just drop callers if they aren't in my phone book, I would. Right now, my phone lets me know if a caller is a suspected spammer, but when I hit dismiss, it goes to voicemail. I'd rather have the call just dropped or for the caller to get a busy signal. That reminds me - I can't remember the last time I heard a busy signal.

My only phone number that people have is a Google Voice number and it's really funny when I have five five-second silent voicemails every day. Because none of them ever go through to my phone...

I get more spam and more robocalls every single day. I can't rely on even Gmail's spam filter, because it has a non-negligible amount of false-positives.

My situation is the exact opposite. I almost never get robocalls but email spam is getting worse every month!

I think overall ISPs do a very good job at fighting spam. Compared to a decade and a half ago, I would call it a minimal problem.

My greatest fear is that Google and Facebook will co-opt email and charge money for companies to get access. Google has already made some progress with this by selling ads in Gmail that look like email while pushing commercial messages in to other inboxes.

This is bad because it penalizes companies with low margins while shifting the advantage to those who are able to squeeze more money out of the users (you can see the effect of this on Google Search, Facebook, and now Amazon. It isn't pretty.)

Correction: large^W giant mail systems, that can observe a significant portion of world's mail, and have a lot of R&D resources, do a very good job at fighting spam (in their own systems).

A DIY home mailserver will still let, like, 5-15% of spam emails slip through.

Even with Gmail I still find enough false-positives on spam to make me troll through it daily to make sure important emails don't get sent there.

Gmail does an incredible job.

The last few times I went to spam and saw emails that shouldn't be in there, a careful inspection revealed they were actually very well crafted phishing messages.

Ever since, I don't bother checking the spam folder. Too dangerous. Gmail is smarter than me.

No, legit emails end up there every day for me.

Same, usually newsletter stuff that I don't super care about but still somewhat annoying.

I pondered something similar once.

I'd start with the "email postage" proposal—the one where either a proof-of-work or physical payment (which can also be digital, e.g. a Bitcoin private key) is required to get an MTA to take your message. This proposal was declared unworkable due to rendering high-volume transactional email impossible.

But then:

1. as you say here, divide everyone's email account into a set of "channels" (i.e. subaddresses in a+b@c form, that each have a corresponding message signing key), with one or more published or well-known channels, and then individual private channels for each contact/list, or for each conversation(!);

2. make MTAs aware of "channels", and extend both SMTP and email web services to allow users to configure their provider's end-of-line MTA, over-the-wire, to set the amount of "postage" required to message each channel they own. (This way, the MTA doesn't have to be aware of the distinction between private and public channels; they're just destination addresses with a stored config parameter.)

3. make the MTAs that use channels, reject any Internet message directed to the base address without a channel. (Messages generated by the MTA itself can arrive without a channel.)

4. Set the clients' default new-channel configurations such that public channels have a cost, and private channels are free.

5. In email clients, add a "Subscribe" or "Allow" action-bar item to messages that identify themselves as email-confirmation/newsletter-opt-in emails (presumably with a header), that, when clicked, creates a new channel for the sender, and replies to the message with the signing key you want them to use attached. (All this would be hidden from view; the reply message wouldn't end up in your Sent Items.)

6. In transactional-email-sending services like Sendgrid/Postmark/etc., create a distinction between "opt-in messages" and "ongoing transactional messages"; allow each account to send one "opt-in" email to each previously-unknown destination-address (and charge for this); but then, for that account, put that destination-address into holding state, where the account can't send them any "ongoing transactional messages", until the email-sending service receives the user's conversation key. (You probably want to allow accounts to re-send the opt-in email after a 24-hour-cooldown, though. Though they'd have to pay again!)

7. In any product/service backend that uses a transactional-email service, consider new signups unconfirmed until the transactional-service reports (by polling or webhook or whatever) that the user has replied with a key and is now in the "authenticated and free to send to" state.

A bit complicated in the initial changes, but in the ongoing state it's nearly ideal: it costs money to initiate contact with an address, or to continue pestering an address that doesn't want to speak with you, but not to send messages to someone that wants to hear from you. (Though, a user can "unsubscribe" from your list simply by telling their MTA to begin charging you to deliver to their channel again—maybe, UI-wise, by just deleting the channel. Transactional-email sending services could detect the bounced-with-payment-required delivery error, and put the user automatically into an "unsubscribed" state, which could webhook you to let you know!)

How can you check if an IP is good or spammy? It would be nice to get an elastic IP in the cloud, test it for spamminess, and give back the bad ones. Catch and release fishing for IPs.

In practice, while there are some services which will purport to tell you an IP's reputation, their output isn't well correlated with actual delivery outcomes at scale (depending, to some extent, on what domains you're sending to).

This is because the big consumer mailbox providers often don't rely on public datasources for assessing reputation, and because reputation is tracked at the domain level, in addition to - or sometimes instead of - the IP level. For example, there have been some indications from Gmail that they no longer use IP reputation at all, starting a year or two ago.

And re: blacklists: +1 to Spamhaus, but in practice it's one of very few blacklists that have meaningful impact to net delivery.

> there have been some indications from Gmail that they no longer use IP reputation at all

I can believe it. I posted already about my experience with the free tier of Mailgun's service. I went through all their instructions about setting up the service and verifying my domain etc. but still had a lot of email rejected, especially by yahoo.com but also hotmail.com due to poor reputation IPs

Gmail.com typically delivered everything.

You can check the Spamhaus lists. It's a non-profit org dedicated to all-things-spam. https://www.spamhaus.org/

I found this service a few days ago to monitor our own deliverability. It allows you to test if your emails are delivered by the most common ESPs: https://glockapps.com

(I do not have anything to do with the product or team behind it)

Similar service here:


(I am likewise unaffiliated.)

Even so, this may not be very beneficial.

In years past, many RBLs would categorize IP Addresses by type. e.g. dynamic IPs assigned to DSL/Cable subscribers. This would enable a receving SMTP server to check if the email came from an ISP subscriber, rather than an email server. If so, it was usually a good guage that the email was "spammy", because it was sent by a subscriber's infected computer.

In this sense, it was (and may still be) possible to simply block, or at least score differently, email from any/all AWS Elasic IPs.

The term to search for is "RBL" (real time blacklist). Search for "check rbl" to find interactive sites, or maybe "check rbl github" for code that you can use yourself (though you may have to sign up for several services if you go that route).

Neither, though, helps with checking if one of the big providers, like Google, would not like your IP. For those, you have to send an email and watch/parse the SMTP error responses.

Same experience with Mailgun. The "free" tier servers do not have good reputations. As you can imagine, being free, they are used by spammers. I found it impossible to send to yahoo.com recipients. Gmail, interestingly, did accept and deliver almost all messages.

I use sendgrid for transactional email and I have had no problems regarding that in the year I've been using them.

I have found their nighttime support team to be terrible though, resulting in 14hrs downtime because they didn't have authority to re-enable my account.

I generally don't believe these anecdotes when pertaining to successfully companies with 10s of 1000s of staisfied business users. Most are far better off with shared IP addresses. After you establish a sterling domain reputation you can think about your own IPs.

I second to that. For a few years now my opinion was that Sendgrid is a good guys of sending email... until I realized most of the spam I'm getting is from Sendgrid IPs, including for example continuance of work offers from Uber (I am disabled and I cannot even drive a car)

I'm unsure what problems Sendgrid is battling but their customer support staff is certainly understaffed or they simply gave up on fighting spam. So yes if you want to send spam and can start with highest paid account they offer, probably Sendgrid is your best bet.

Also their spam@ and abuse@ is a waste of time. It came to point that they simply started ignoring my inquiries at all! Here is example of one of my emails that is not getting any response, if Sendgrid is actually reading this: support+id1021573@sendgrid.zendesk.com

As sending spam is a Federal Crime, I have already reached out to FBI, FTC and next plan to write my State Attorney General.

Spam sucks, but don't waste your time reporting it to federal agencies. In practice, 'unsolicited' isn't a high enough bar for them to care - it has to be overtly fraudulent, malicious, etc. in order to have a shot at getting attention.

I disagree. This would be a very bad concept to ignore not high enough crime to be reported.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact