Running your own email is increasingly an artisanal choice, not a practical one (utoronto.ca)
664 points by throw0101a 25 days ago | hide | past | favorite | 510 comments

I would really say that "running your own email" is a set of things that can be done independently:

- Getting your own domain and using a provider such as fastmail or proton is a first step that gives you lots of security from arbitrary. Because you own the doorstep, you can change provider without having to inform all your contacts of the move. You're also more secure from unilateral moves from your provider.

- Hosting your own mail server means that you are responsible for the persistence of your mail. It's a nice artisanal thing to do, and you may be satisfied to know that no one is reading your mail.

- Sending your mail yourself is the real hard part, because you need a stable IP that is accepted as a legitimate mail sender. Moreover, you need to monitor this property in the long term. Every mail server has its own way to choose who is a legitimate mail sender, and it's an ongoing pain to check that.

You're not forced to go all the way, you can simply pick a domain to secure the frontdoor, or you can host your mail server without sending mail by yourself, etc. You can also self-host, and change your mind later without much impact.

I personally would incite everyone to do at least #1 for safety reasons, #2 if you want to fiddle with the system to know how it works, and to avoid #3.

The internet was meant to be decentralized. Let's leave it this way.

I have been running my server for 15 years and couldn't be happier with "artisan" infrastructure.

I don't want or use webmail (sluggish), I don't want others fingerpoking my emails, I don't want various compulsory registration systems (like requiring my phone number for """security""" reasons, like Google) giving others the ability to kill my account and cause me a huge amount of work. On top of that, it breaks the sites' registration schemes: I have set up a script that accepts any email with some special structure, and each and every registration gets a specially customized mail address (that I can calculate in my head, no configuration needed) that can be resolved back to the registration.

Getting spam? I am sick of you, whatever? No issue, just REJECT the whole address. It is used by only one site; like smart people don't reuse passwords, I don't reuse email addresses.

And you would be surprised how many sites sell email addresses to others, and I know it because every one gets its own email address.

Rspamd eats the spam just as good as "ai infrastructure" /s

Even if you go for 3rd party email infrastructure, registering a domain is a must, so you can switch the provider fast if it gets vampirized.

Out of my whole infrastructure (100% self-hosted, as said, for 15 years; actually more, but not 100%), the email server is the part that needs the least attention.

The response to the author would be: nice that large providers have webmails and some other quirks that I don't want or need. Feel free to use them, but I have freedom.

postfix. dovecot. rspamd.
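The per-site address scheme described above, as an added example that is not the commenter's script: a small Postfix SMTPD policy service that accepts only well-formed per-site addresses, rejects retired ones outright, and can tell which site an address was issued to (which is how a leak gets attributed). The address format site--tag@example.com, the HMAC-derived tag, the secret and the port are all assumptions; the commenter computes his tag in his head, a keyed tag is used here so that guessed or forged local-parts are rejected as well.

```python
"""
Postfix SMTPD policy service for per-site addresses (constructed example).

Postfix's policy delegation protocol sends "name=value" lines terminated by an
empty line; the server answers "action=<verdict>" followed by an empty line.
Assumed address scheme: <site>--<tag>@example.com, where <tag> is the first
4 hex digits of HMAC-SHA256(secret, site).
"""
import hashlib
import hmac
import socketserver

MY_DOMAIN = "example.com"
SECRET = b"constructed-secret-change-me"
# Sites whose address has started receiving spam: the whole address is retired.
RETIRED_SITES = {"spammy-shop.example"}


def expected_tag(site: str, secret: bytes = SECRET) -> str:
    return hmac.new(secret, site.lower().encode(), hashlib.sha256).hexdigest()[:4]


def make_address(site: str, secret: bytes = SECRET) -> str:
    """Address handed to a site at signup, e.g. mylocalgym.com--3f9a@example.com."""
    site = site.lower()
    return f"{site}--{expected_tag(site, secret)}@{MY_DOMAIN}"


def site_for_address(address: str, secret: bytes = SECRET):
    """Return the site an address was issued to, or None if it is not a valid
    per-site address (wrong domain, no tag, or tag does not verify)."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != MY_DOMAIN:
        return None
    site, sep, tag = local.lower().rpartition("--")
    if not sep or not site:
        return None
    if not hmac.compare_digest(tag, expected_tag(site, secret)):
        return None
    return site


def parse_policy_request(blob: str) -> dict:
    """Parse the attribute block Postfix sends (stops at the first empty line)."""
    attrs = {}
    for line in blob.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def decide(attrs: dict, secret: bytes = SECRET, retired=RETIRED_SITES) -> str:
    """Verdict for one request: REJECT unknown/forged or retired addresses,
    otherwise DUNNO so Postfix's remaining restrictions still apply."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    site = site_for_address(attrs.get("recipient", ""), secret)
    if site is None:
        return "REJECT 5.1.1 no such user"
    if site in retired:
        return "REJECT 5.7.1 address retired"
    return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serves one Postfix connection, which may carry several requests in turn."""

    def handle(self):
        while True:
            lines = []
            while (raw := self.rfile.readline()):
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
            if not lines:
                return  # peer closed the connection
            attrs = parse_policy_request("\n".join(lines))
            self.wfile.write(f"action={decide(attrs)}\n\n".encode())
            self.wfile.flush()


def serve(host: str = "127.0.0.1", port: int = 10040) -> None:
    """Wire into Postfix with: check_policy_service inet:127.0.0.1:10040
    in smtpd_recipient_restrictions (port is an assumption)."""
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```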

The internet was meant to be used by people who knew how the internet worked. Herein lies the problem.

This might sound like gatekeeping, and maybe it is. When these systems were designed, they were not designed to be used by everyone. They were not designed to be commodities that are bought and sold, with the most valuable trinket available being the attention of the user. But this is where we are.

Few are capable of running their own _anything_ on the internet, and even fewer have the desire to do it, because if you run it well for yourself (as an individual), someone else will want you to do it for them because you are already doing it, so it's not that much more work, right? \s

Decentralization limits monetization of anything, so that is going to be a non-starter for investment of resources. Unless you are trying to have your infrastructure survive a nuclear war, no one is going to provide the means to build anything big unless you can sell it or the users of it.

The notion that anything really works on the internet with the assumptions that were made in the 70s and 80s, and the realization that what holds most of it together is the blood and sweat of ops, duct tape, and fever dreams consistently astonishes me. In the not so distant past, someone paid me to write them a custom FTP server. In the 21st century. It's like being asked to whittle an engine block out of a tree.

> Decentralization limits monetization of anything, so that is going to be a non-starter for investment of resources. Unless you are trying to have your infrastructure survive a nuclear war, no one is going to provide the means to build anything big unless you can sell it or the users of it.

I'll go further: centralised systems can emulate decentralised systems, but not vice versa. Thus, ultimately, the only USP of a decentralised system is that it is decentralised for the sake of being decentralised, and nobody cares much about that. Centralisation is inevitable, and wins out every time.

They can pretend to be decentralized, but they can't emulate the lack of centralized authority.

People certainly care enough about centralization once it's consistently abused in ways that hurt them (which always happens eventually, given enough time). Our existing anti-monopoly laws came about like that.

Signal jumps to mind.

Plus I don't see much evidence people care. This argument reminds me of Accelerationism, which doesn't seem to work either.

People start to care on the edges (e.g. social networks), but there simply isn't enough abuse wrt email yet for opposition to register.

> And you would be surprised, how many sites sell email addresses to others, and I know it as every one gets its own email address.

So much this. I've actually contacted companies to tell them they've been compromised because I started getting phishing emails. I quit after the third time of reporting it and being told "we haven't been hacked, someone in your friends group has and you just can't read email headers"... right, because someone in my friends group emails "mylocalgym.com@mypersonaldomain.com" to schedule group activities... then six to twelve months later I get an email from HIBP telling me said website was hacked and my email was compromised.

It's funny to hear this experience. I've been doing this consistently for about 5 years now and have noticed 2 instances where this occurred, and in both there were prior disclosures about a security failure.

I tend to sign up for a lot of things (I'm seeing over 150 unique email addresses I receive emails from using this scheme), but I guess I'm just getting lucky.

Also, just out of curiosity, where does one sell email addresses, and how much are they worth? I take signups on a few websites, and I'd never sell my users' email, but I'm just curious to learn more.

I used to trade e-mail addresses with various banks, some 15 years ago. I'd just call up their marketing departments and offer those as 'financial leads'. I had a network of people who had various ad campaigns running where a customer could win something if they'd leave their personal (financial) data.

I did it in the early 2000s with a domain I picked up just for that purpose, which I'm almost positive was "myspamstopper.com", but I let the registration lapse and it was snapped up. It's amazing what was still available back then to easily register.

Not the GP, but I’m experiencing this mostly with small to mid-sized online retailers.

Side note: I've seen some MTA systems having weird filters for receiver's domain name or company name being part of sender's local-part.

When I'm opening an account at Example Bank, which uses the example.com domain, I avoid creating a dedicated mailbox or alias with the words "example" and "bank". exmplbnk@, xmplbnk1234@ or similar seem to have better deliverability when I'm attempting to contact the other side.

> weird filters for receiver's domain name or company name being part of sender's local-part

Likely to help cut down on phishing.

Perhaps there should be a system that lets [1] ordinary people record that they notified a company that said company had been hacked together with timestamped evidence of said notification. [2] people/organizations who sue/regulate said companies wrt said hackage have access to said timestamped evidence.

I don't know how to monetize said system but it would produce both social and economic value.

I've discovered two previously unknown data breaches this way. I was gratified when the operators of the sites thanked me for reporting it. Most times, though, I get the treatment you're describing.

Honest and non-rhetorical question here: Have any of your customers had an e-mail they've tried to send not arrive because the recipient's system was using a black-hole list that, for some erroneous reason, had you blocked? If so, were you able to successfully communicate with and/or reasonably work through whatever issue got you black-holed?

I haven't administered e-mail servers for 20 years, but back when I did, this started to be a problem that eventually became insurmountable. I used to manage a small business oriented ISP. We were multi-homed with a /18 that we used for everything. I had a customer that was a reasonably sized organization that dealt with tourism and conventions for a major city. On one of their websites (which we hosted with IPs that came out of the same /18 as their mail server), they had a directory of vendors who were associated with them. ONE of those members had a website that had been hacked/defaced. This got our entire /18 on a black-hole list. They had an employee that was trying to send e-mail to someone on a system that was using this black-hole server to filter spam.

When we explained to them what the problem was, we got glassy-eyed stares back at us and a, "just fix it." I told them that they would need to remove the link to their partner's site from their website in order to get them AND all of our other customers using numbers inside our /18 de-listed from this particular black-hole. They asked, "We have hundreds of partners who pay for membership in our organization and being listed on our website is one of the benefits. How can we possibly police every one of those websites every day to make sure there's no defacement or serving of any problematic material from any URL in any of those domains?" That's a decent argument in my opinion. And I tried to explain that different black-holes have different policies and no black-hole is demanding that anyone use their system for filtering. I tried contacting the organization that was using that black-hole to explain the situation to them, but they weren't interested in discussing it. As far as they were concerned it was our problem to deal with.

This kind of problem happened dozens of times with varying degrees of severity but with increasing regularity and it was one of the primary reasons we quit hosting e-mail and started re-selling another vendor's solution. That was a long time ago, and maybe black-hole lists aren't a thing anymore.

(Running an email system for a few thousand users)

> If so, were you able to successfully communicate with and/or reasonably work through whatever issue got you black-holed?

Yes. Practically all black-lists have a de-list form that one can use, and most seem to auto-delist fairly fast as soon as they don't get any more reports from honey-trap and other sources.

We do have a few custom written ways to detect hacked accounts, and we don't allow users to set their own passwords. We also tend to discourage/deny users who do newsletters and other "higher risk" forms of email. All emails sent by websites are sent through different servers, which also means that a hacked website does not impact the reputation of the email servers.

Events with black lists maybe occur once a year and as I mentioned above, fixed fairly fast. One good tip is to keep an automated eye on the mail queue and react quickly when things start to look wrong.
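The "automated eye on the mail queue" tip above, as an added example that is not the commenter's tooling: a parser for Postfix's `postqueue -p` listing (the stack named elsewhere in this thread) that counts deferred messages per remote host and raises an alert when the deferral reasons start mentioning blocking or reputation, which is the earliest visible sign of a listing. The queue sample, the threshold and the keyword list are constructed.

```python
"""
Watch the Postfix mail queue for deferrals that hint at a blacklisting
(constructed example; run it from cron or a timer against `postqueue -p`).
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample of `postqueue -p` output: one active message, one
# greylisted deferral and one deferral whose reason mentions a block list.
QUEUE_SAMPLE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
4F3A2B1C9D*     4512 Tue Nov  2 10:15:03  alice@example.com
                                         bob@example.org

7E8D9C0B1A      3210 Tue Nov  2 09:58:44  alice@example.com
     (host mx.example.net[203.0.113.5] said: 450 4.7.1 Greylisted, try again later (in reply to RCPT TO command))
                                         carol@example.net

1A2B3C4D5E      8871 Tue Nov  2 09:40:12  alice@example.com
     (host mx.bigmail.example[203.0.113.80] said: 421 4.7.0 Service unavailable, client 192.0.2.10 blocked using a block list (in reply to RCPT TO command))
                                         dave@bigmail.example
                                         erin@bigmail.example

-- 16 Kbytes in 3 Requests.
"""

# Queue ID, optional status flag (* active, ! hold), size, arrival time, sender.
ENTRY_RE = re.compile(r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+(\w{3} \w{3}\s+\d+ [\d:]+)\s+(\S+)$")
# Phrases in a deferral reason that point at reputation rather than transient trouble.
REPUTATION_RE = re.compile(r"\b(blocked|block ?list|blacklist|rbl|reputation|spam)", re.I)


@dataclass
class QueueEntry:
    queue_id: str
    status: str            # "active", "hold" or "deferred"
    size: int
    sender: str
    recipients: list = field(default_factory=list)
    reason: str = ""       # last deferral reason, empty for active messages


def parse_postqueue(text: str) -> list:
    """Turn `postqueue -p` output into QueueEntry objects."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("-Queue ID-") or line.startswith("--"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            qid, flag, size, _arrival, sender = m.groups()
            status = {"*": "active", "!": "hold"}.get(flag, "deferred")
            current = QueueEntry(qid, status, int(size), sender)
            entries.append(current)
            continue
        if current is None:
            continue  # e.g. "Mail queue is empty"
        stripped = line.strip()
        if stripped.startswith("("):
            current.reason = stripped[1:-1]   # drop the surrounding parentheses
        else:
            current.recipients.append(stripped)
    return entries


def queue_report(entries: list, deferred_threshold: int = 20) -> dict:
    """Summarise deferrals per remote host and list alerts worth paging on."""
    deferred = [e for e in entries if e.status == "deferred"]
    by_host, suspicious = Counter(), []
    for e in deferred:
        m = re.search(r"host (\S+?)\[", e.reason)
        by_host[m.group(1) if m else "unknown"] += 1
        if REPUTATION_RE.search(e.reason):
            suspicious.append(e.queue_id)
    alerts = []
    if len(deferred) >= deferred_threshold:
        alerts.append(f"{len(deferred)} deferred messages (threshold {deferred_threshold})")
    if suspicious:
        alerts.append("deferrals mention blocking/reputation: " + ", ".join(suspicious))
    return {"total": len(entries), "deferred": len(deferred),
            "by_host": dict(by_host), "alerts": alerts}


if __name__ == "__main__":
    import json
    import subprocess
    out = subprocess.run(["postqueue", "-p"], capture_output=True, text=True, check=True).stdout
    print(json.dumps(queue_report(parse_postqueue(out)), indent=2))
```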

It's better now, but in the early days of organized blacklists (more than 20 years ago) it was somewhat chaotic. Many large ISPs ran their own blacklists and some were poorly managed. AOL was the worst of them all. Their admin staff was unprofessional and unresponsive when I provided a PoC for their defective spam control system.

There are a few sites where you can plug in an IP address to see if it's on any blacklists. A handy thing to do before setting up a new server is to work with your provider to find a clean IP address beforehand. Here's one that I have used: https://mxtoolbox.com/blacklists.aspx

Thanks for the link, I see my email server is on a few lists. I’ve heard that DigitalOcean isn’t good for email servers but I’ve been lax on investigating.

Now I have incentive, this is annoying. Maybe I need a static IP as well.

For what it's worth I've run into the same set of issues at corporations using Google and Microsoft's hosted offerings. Hell, sometimes you can't even send mail between customers!

> Have any of your customers had an e-mail they've tried to send not arrive because the recipient's system was using a black-hole list [...] ?

Yes. Twice.

In the first case, the mail provider was our ISP; and they got themselves in some mainstream blacklists. The problems getting that sorted out were part of the motivation for bringing mail in-house.

In the second case, there was some academic departmental mailserver and they were using some list incorrectly; using an extremely-opinionated list to block when it should at best be used to score.

This wasn't in itself a big deal, but one of my boss's correspondents was a senior professor in this department and they had some important business; and the postmaster was a dick, and wouldn't help. Boss didn't want to use some secondary email address; I had to show him how to set up an alias on some commercial server, which was second-best, but he was in a hurry.

Boss was angry with me and barked at me. If you run a mailserver for some group, one you assembled yourself, then people expect you to take responsibility for sorting out any mail problems. Well, they're right: you have taken on that responsibility. You made it, and you're running it: who else can they complain to?

[Edit] My point is that it's not hard to set up an artisan mail system; what's hard is that you create a job for yourself that is at the same time networking, user-facing, and technical. It's an interesting learning point, and I recommend it. But don't underestimate what you are taking on.

> [Edit] My point is that it's not hard to set up an artisan mail system; what's hard is that you create a job for yourself that is at the same time networking, user-facing, and technical. It's an interesting learning point, and I recommend it. But don't underestimate what you are taking on.

This. So much this.

I will happily run my "artisanal" mail system for myself. Would I put customers on it? Oh, hell, no.

I, sadly, always recommend that companies pay money to Microsoft for email. You are really paying for the customer support service rather than the email service.

Microsoft's email behaviour seems like anticompetitive abuse - you can whitelist an address and they overrule you and block incoming email for obscured reasons.

Customers still have problems occasionally _sending_ email to one domain, which is over 15 years old and sends <1 email per day. If they initiate and email us we can't send them a reply (if they're on MS email, sometimes). We use an outlook.com email nowadays as a relay and have to treat MS using customers differently still despite using a relatively large supplier.

Some years ago, I was led to believe, you could pay a third-party to add you to what was effectively MS's whitelist.

Aside: back then I was doing some webdev and supporting IE5+ so I already hated MS about as much as one could.

Never paying to enable interoperability that is part of being a reasonable web citizen/company. Paying them just reinforces the negative behaviour.

Please don't recommend to people to pay money to have all their email communications read and stored by Microsoft, the US government and possibly other parties.

There are plenty of other email providers which are worth considering, and I'm sure some of them have half-decent customer support.

> I'm sure some of them have half-decent customer support.

You would, sadly, be wrong.

Microsoft customer support is "least bad" among the email providers.

That is a massive indictment of email providers, but it is what it is.

> Well, they're right: you have taken on that responsibility. You made it, and you're running it: who else can they complain to?

Assuming logic applies to humans is painfully wrong. I wish it wasn’t.

That question seems completely unrelated to running a personal mail server?

> Getting spam? I am sick of you, whatever? No issue, just REJECT the whole address

I started using that with Fastmail, they call that Masked address. Best spam filter ever.

It’s not so much that I want to go all the way and do it myself, but I’m interested to see the gold standard way and as per the OP, perhaps go part the way (ie not send) - do you have a resource you could point me at that you recommend or rate? Not trying to get you to do my dirty work, just wondering if you have a resource you use.

Exactly this. You make the wrong comment on Youtube and they take down your entire company's infra. Is this an acceptable risk to anybody?

While that’s true, and crazy…

Everybody knows you should never even read YouTube comments. Posting them is just insane…

Using the same stack and I have to agree. Once it's up, it's rather low maintenance. I wouldn't start again from scratch today, though.

There is also a guy, Jar, who runs his own email service, mxroute, quite successfully. Users love it and he seems to know his stuff.

> I don't want or use webmail (sluggish)

Serious question: what if you're on a network that blocks non-HTTP[S] traffic? How would you read your mail? This is a problem I hear of quite regularly.

That’d alert me to the fact I didn’t have my vpn running.

I'm happy to pay for my own cellular data and VPN to avoid networks like that. Including tethering my laptop if needed.

Are there any guides or books available on how to set up something like this?

I assume you have a fixed IP. That's a non-trivial part of the process.

What are the memory requirements for postfix, dovecot, and rspamd these days?

> What are the memory requirements for postfix, dovecot, and rspamd these days?

Approximately nothing. I run all my email infrastructure on the smallest available $5/mo Linode and it's way overprovisioned even so. I'd take a smaller VM if they offered one.

Hmm. Admittedly, I didn't use postfix, but dovecot was the largest process running on my 1G server and adding rspamd resulted in it doing the Out-of-memory mambo a couple of times a week. This was just for my domain, but I do get a crap ton of spam.

Very low for one person with a few emails per day. They almost never appear in top on a 3€/month VPS server (2 vCPU, 2G RAM).

They probably work well on quite limited hardware. But I guess it largely depends on traffic / on the number of hosted users.

Doesn’t even need that. I’ve run pretty much that stack on an original Raspberry Pi. You wouldn’t want to be trying to do a lot else, and GB sized attachments are gonna be limited by the USB Ethernet speed, but it’ll run just fine.

FWIW, someone is still reading your email. The owner of the infrastructure of your message recipients. If you've gone through the trouble of hosting your own email to avoid Google harvesting your messages, but you're exchanging emails with someone whose email is hosted by Google, then your emails are still being harvested and/or are harvestable.

Good point. But it is still one person/company less that reads your e-mail, if you and your correspondent used different e-mail providers previously.

There are also correspondences where you are only the receiver. For example, when you order things online. Gmail doesn't need to know what you are shopping for.

Unfortunately, they can still close the loop on purchase history and ad impressions through indirect, lazy association.

It's a very, very impressive edifice that's been created for identifying and tracking pretty much everybody irrespective of their direct, immediate interaction with the entity doing the tracking. I honestly think it's kind of funny that such a potentially insidious system was manifest for something as principally vapid as ad targeting.

Yes, quite the trojan horse.

True. But at least you went out of your way not to inflict this on your recipients, should they wish to avoid this harvest. You did your part in trying to avoid this. You did your part to weaken this argument. Someone has to break the vicious circle.

There’s a midpoint at #1.5 where you control the domain and rely on an external host, but also have a continuous archive of your historical mails on your own server. Otherwise with a standard IMAP setup, if your provider locks you out, you’re limited to only the most recent N messages on connected devices.

Buy a domain for $20, get a GSuite account with it for $6 a month or similar, then archive all your mail via Outlook or your desktop email app of choice. You also get a lot of other tools and storage space for very low cost which I find useful.

It's still using Google but it allows plenty of control and management, and I can take my domain anywhere with minimal stress. It's a decent compromise.

Just make sure that you use a different domain registrar than Google Domains, and make sure your admin email address is not gmail. Because if Google bans your account, you will be totally screwed.

I used to do this but switched to iCloud Beta for custom domain this year. It’s $1/month (free with any paid iCloud plan) and integrates with iPhones/Mac, supports push email for iPhone, and is free of Google spying.

> $6 a month

Zoho has a $1/yr plan.

And Yandex has a $0/yr plan (unless they got rid of it and I’m just grandfathered, not sure..)

Can't find anything below ~1/month at Zoho for just mail; care to share a link?

Yeah it's $1 a month, got confused, still a good deal!

Is zoho email any good? I've never heard anything about it.

You could argue DMARC, DKIM, and SPF were all invented as barriers to entry for small mail servers, as the majority of internet SPF is permissive and the majority of DKIM is misconfigured. IMO, SenderBase and other proprietary reputation/policy shit-lists used by anyone with a Symantec or Cisco email product only served to convert the unwashed to a corporate license, as most of these mechanical turks just paid the same spammers by night to show up in a Delhi office complex day job to identify their own campaigns. DMARC and DKIM/SPF just wrapped email in a mandatory layer of arbitrary complexity to "solve" a problem that RBLs had largely managed to tackle as an independent entity.

That they exist in part to force the hand of small companies and users to simply submit to a big player for their email is something I have long considered.

DISCLOSURE: I proudly run my own email server.

SPF/DKIM aren't meant to solve spam directly. They are aimed at sender forgery.

The real benefit of SPF is for outgoing mail. People no longer forge my domains. It stops backscatter. It has almost eliminated the mistaken spam reports to my ISP by people who don't understand mail headers.

How hard is it to actually get mail delivered?

I have the dumb idea of trying to make SMTP as cheap as http. Make spam expensive using proof of stake.

I find it frustrating I have to pay Amazon to send text for me. I was going to set up my own SMTP server but it seemed like too much work.

Check out the following pieces of software — it’s never been easier!

Maddy (https://maddy.email/)

Postal (https://docs.postalserver.io/)

Chasquid (https://blitiri.com.ar/p/chasquid/)

> Make spam expensive using proof of stake

That's already a thing. Hashcash [1], the PoW algorithm underpinning Bitcoin, was originally conceived as a method to prevent email spam.

[1] https://en.wikipedia.org/wiki/Hashcash

Huh? SPF, DKIM, and DMARC along with mta-sts/DANE require running some scripts and entering DNS records. If you are already capable of hosting a mail server at your own domain, then this should be rather straightforward.

How is this a "barrier to entry"?

It is surprisingly hard to get the cryptography right, and the cost of misconfigured DKIM in particular is nothing gets delivered to most providers.

It is a pretty solid example of market power at play - nobody but a big player would have the scale to force a change like that.

I'd like to see something to make it easy to address the case where you are doing #1, but your provider does unilaterally kick you off with short notice for some reason. The email equivalent of a bug out bag [1].

This would be something that provides in a single package an SMTP server, an IMAP and POP server, pre-trained spam filtering, and maybe a web server with a web-based email client, and a simple setup program that asks a few basic questions such as your domain name and configures everything on your end and provides help for configuring things elsewhere (such as with DNS, such as telling you what to put in your SPF and DKIM and DMARC records).

This is meant as something to handle your mail during the time it takes you to find another provider. It is meant to be something you can quickly install on a VM somewhere, point your MX record at it, get a Let's Encrypt or similar certificate for it, and not be losing mail while you are between providers.

It should have a quick start guide that includes details on signing up and getting a Linux VM up at major inexpensive VM hosting places. Amazon Lightsail, Hetzner, and such.

It should make minimal assumptions about your Linux environment. Probably it should not use the SMTP, POP, and IMAP servers that are packaged by your Linux distributor. It should use minimal servers that are written specifically for the emergency mail kit.

[1] https://en.wikipedia.org/wiki/Survival_kit

https://mailinabox.email/ does most of that.

I have had my own domain since I was about 15 years old and used it for a while on DigitalOcean droplets. It's incredibly easy to set up.

The only issue I had was that other people were not getting my mail, and sometimes it was not even reaching their spam folders. Probably because Google/Microsoft were blocking that DigitalOcean IP range.

Nowadays I just pay for a personal Gsuite license and use Google Infrastructure.

Much simpler that way and I'm almost guaranteed that my mail will reach the recipients. You only need to set up your DMARC / SPF records and point your MX records to the ones that Google provides.

We've been running a small mail host for ~10 years (less than 100 accounts, but an outgoing monthly newsletter to a few thousand addresses) ... we had basically zero problems delivering to Gmail. Their spam filter, while strict and applying throttling (and a bit of greylisting), is completely livable, compared to the balls-to-the-wall insane Outlook/Microsoft "protection" ( https://news.ycombinator.com/item?id=28982434 )

Don’t even get me started on outlook.co/o365.

If you put an address or domain in the safesenders list; they do literally nothing. Like you can just totally spoof the domain entirely.

However if you use transport rules as per their rec, there’s all sorts of stuff that will still get flagged, and you have to reference ATP, anti-phishing, anti-spam policies. Much of which aren’t even in the Exchange admin panel, rather they are in “security” and buried in hamburger menus galore.

And what’s best. They don’t even have any documentation for how these modules interact or what order mail is processed in. I had a case open for months that finally got escalated to someone that was able to explain the issues we had with specific list serves/domains getting flagged.

In the end my only option was to whitelist emails classed as phishing and route them to junk rather than keeping them in quarantine. Even though it was a 99% accuracy rate sans this single domain.

The guy was really only able to commiserate with me. We are but a number and not a big enough one to get MS to change a thing. Their best recommendation was to deploy an edge device like Proofpoint/Proofpoint hosted and just handle it from there.

I get what they want to do. They are trying to make the crazy email RFCs easy for devops guys that don’t give a damn about how e-mail works. But it’s still hard to keep up with as they constantly just move stuff around and change their own standards on a near monthly basis.

That safesenders list thing sounds insane. How many companies add their own domain to that?

Well... that's how I found out about it when I took on my current role. We had a pretty solid phishing attempt slip through. I was able to spin up a VPS and test it on mine and some other known tenants as well (with their permission). And since O365 uses a predictable name for their SMTP receivers for a tenant (domain-com-net-whatever.mail.protection.outlook.com) it's easy to kind of... select targets and test it out.

So even if it's not listed on the domain's MX record but you can suss out they are an Office 365 tenant receiving mail, you may be able to relay off it and spoof to high heavens (especially if the edge device recommends you... ahem... whitelist your own domain and not use transport rules). In fact, especially if you can do this.

For example, I think MS forced Proofpoint to change their config recommendations as an outcome. [1]

From the page on [1]:

"Due to major complaints, Proofpoint has opted to change the format of ensuring Proofpoint mail is not scored via the O365 system. This rule will allow external email to come in still, but will follow O365 scoring. This is to ensure no mail is lost."

[1] https://web.archive.org/web/20200807173336/https://help.proo...

I've been running my own (and other) email servers for over 25 years. About four years ago I switched mine over from sendmail (with a bunch of add-ons like spamd/spamassassin, rbl, etc.) to mailinabox. Mailinabox is full-featured, secure, and reliable. It doesn't take anywhere near the level of effort required to maintain vs. other solutions.

Microsoft has blacklisted the entirety of DigitalOcean and won't whitelist any IPs, even if it's a legit mail server. If I didn't know better, I would say that's anticompetitive behavior.

If true, that is probably the last excuse I needed to migrate my own email server off Digital Ocean to another provider. Oh well, it's been a very good run, DO.

I use a domain, registered at Namecheap, and I forward to my gmail account. If gmail “goes away” I simply configure my email to forward elsewhere. If I’m unhappy with Namecheap forwarding, I point my DNS at another forwarding provider. If I’m unhappy with Namecheap, I transfer my domain to another provider.

It gives me all the flexibility I need with almost no work or maintenance.

There are enough mail providers that I could easily switch to that I don’t need a piece of software. Switching from gmail to yahoo, proton, apple, outlook, or juno is a simple domain adjustment and has me back receiving mail within the TTL period.

Does gmail actually trust the incoming forwarded email? Or mark a lot of it as spam.

My understanding is that SPF makes forwarding like this no longer possible if the original sender's address is to be preserved.

If they are using Gmail for work, the DNS just points to Gmail's actual server and authenticates using DKIM as well. Google for Work will provide you with the necessary DNS entries to set. Obviously this will not work with their free offering, you'll need to fork over $6/month for this.

Yes, though this isn't forwarding. The mail is actively being delivered into gmail, who must be programmed to accept mail for that domain.

Forwarding, on the other hand, made it possible to do a simple redirect of one address to another (e.g. ~/.forward), but strict SPF rules will deny the forwarder as a valid source for the mails.
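A simplified SPF evaluation showing why a plain ~/.forward redirect fails: the envelope sender stays the same, but the connecting IP becomes the forwarder's, which is not in the sender's record. This is an added example, not code from any poster; the SPF record and IPs are constructed (RFC 5737 documentation ranges), and only the ip4/ip6 mechanisms and the "all" terminator are handled.

```python
"""Simplified SPF check illustrating why plain forwarding fails SPF.

Added example for this thread, not code from any poster. It handles
only the ip4/ip6 mechanisms and the "all" terminator; real SPF also has
include, a, mx, exists and redirect, which are omitted here.
"""
import ipaddress

# Constructed SPF record for a hypothetical sender domain (RFC 5737 ranges).
SENDER_SPF = "v=spf1 ip4:203.0.113.0/24 -all"
SENDER_MTA_IP = "203.0.113.5"   # the sender's own outbound server
FORWARDER_IP = "198.51.100.7"   # the ~/.forward host re-sending the mail

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> list:
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:            # modifier such as exp= or redirect=; ignored here
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        parsed.append((qualifier, name.lower(), argument))
    return parsed


def check_spf(record: str, client_ip: str) -> str:
    """Evaluate the connecting IP against the record; the first matching term wins."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, argument in parse_spf(record):
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"     # mechanism not supported by this toy evaluator
    return "neutral"               # no term matched and no "all" present


def forwarding_outcome() -> dict:
    """Same envelope sender domain, two different connecting hosts."""
    return {
        "direct": check_spf(SENDER_SPF, SENDER_MTA_IP),    # pass
        "forwarded": check_spf(SENDER_SPF, FORWARDER_IP),  # fail: forwarder not in record
    }


if __name__ == "__main__":
    print(forwarding_outcome())
```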

I used to do this but found every now and again I'd get multi-minute long delays before gmail picked it up. I've since moved to paying for Google Workspace to host my email (eventually hoping I'll move to something cheaper).

The goal is to get my personal domain to be my email domain for exactly this reason.

For my soon-to-be-born son, I'm registering him a personal domain immediately, and I'll turn it over to him when he's old enough to have email - save him some trouble.

But what if... the TLD owner decides to 10x the domain price?

As someone who de-googled about 5 years ago by buying a nice three letter .io address this hits right in the feels.

I could go through the process again (not fun) with some ridiculously long .com/.net or other OG tld which are probably somewhat more resistant to rent seeking practices like this or I just suck it up and hope it remains pricey but not egregious.

Are there any truly "community-owned" TLDs for the tech community? Would such a thing be possible and/or useful?

For Canadians, .ca seems a generally well behaved and managed TLD under community control.

EDIT: .ca is not particularly tech community related, but that doesn’t matter to me.

For personal domains, I bite the initial cost and buy the domain for 10 years, then every year top it up to 10 again. For a $20/yr domain that’s only $200 up front, and if the cost suddenly goes up or some other TLD policy changes that I hate, I have plenty of time to gradually move to a cheaper/better domain.

One thing I’m not sure of is what happens if I want to switch registrars in that time—will the full 10 years of ownership transfer to the new registrar?

Like you, I have domains registered for 10 years and extend it every year so that it always remains at 10 years.

If you switch registrars, your domain validity continues as before. Your registration information is with the registry for your TLD, not with the registrar alone. So your 10 years of (future) ownership will carry over. Two caveats to note. The first is that you can’t transfer a domain within 60 days of purchase or renewal. The second, which I’ve seen, is that a transfer to another registrar requires a one year renewal for the domain. So I’m guessing you may not be able to transfer a domain that’s already at 10 years (even taking into account 60 days after the renewal to keep it at 10 years). But if your domain is at nine years, you’d surely be able to transfer, and it would become 10 years at the time of transfer.

The expiry date never changes through all these actions.

Epik lets you buy domains more or less permanently for a large upfront cost (~$600 for a typical otherwise $10/year domain IIRC). Anyone know any other registrars that do?

Transfer the domain. You can generally find a deal for transferred domains.

When you reply to emails, does google let you put your custom domain address as the sender so folks don't see the underlying gmail address?

In fact Gmail requires you to add your SMTP if you want to send from a non-gmail address.


Do you use Namecheap's email inbox or is that accomplished just with DNS records?

Cream does cloud backups for office 365. Most other business focused backup software will do mail server backups in some form

iredmail does this pretty well


Indeed. I set up my personal email server on a Hetzner VPS using iredmail. It just took a couple of hours and everything actually works pretty well with very little maintenance. Even Hotmail/Outlook.com accepts my emails.

I think #1 is a super solid idea. I'd love to go beyond that— I'm familiar with the tech and love the satisfaction of a more DIY approach— but other end users preclude my doing so.

The author mentions quality in big email service but only passingly mentions what that encompasses. Smooth, responsive, well-worn, ceaselessly preened, and smoothed-over end-user UIs are important. Unfortunately, the open-source alternatives are comparatively rough.

(As a long-time developer and more recent designer, I write a lot of open-source code myself. I understand that these are complex and tedious problems to solve. However, without frank critique, "Open-Source Alternatives" will always be "Alternatives.")

Every interface I saw needed fundamental design work. My recent research showed 2+ decade old interface layouts w/new features just bolted on, visually complex toolbars, menus, and lists, little editing for views and controls, and comparatively unattractive designs (which, even if it doesn't matter to you, doesn't invalidate its importance to others). Even this crowd— people accustomed to configuring complex applications— lament the clunky interfaces.

To me, most open-source interfaces are like eating on a diet. Your sense of accomplishment offsets the discomfort... at least for a while. End-users, however, don't have or need, that holistic view of the service. To them, the interface IS the service. DIY/tech accomplishments are abstract and indirect factors, at most. For most, it's like eating on-diet, but someone else loses weight. Attractive alternatives make that unsustainable.

So the real hard part isn't technical— it's assembling an email stack where users don't feel deprived for having chosen it.

The solution is more collaboration between design and development expertise within the FOSS. If you have a position of authority in any FOSS projects, I implore you to be open-minded when presented with interface design ideas.

Happy to talk about productive ways to engage with designers and design feedback.

> most open-source interfaces are like eating on a diet.

Because there aren't open-source contributing UX/UI designers. Almost all open source interfaces are quick work done by mostly backend developers.

Firstly, I am one. I have ten years of full time back-end web dev experience and other types of coding for over a decade before that. I also know others— UX designers generally start in another field and dev work is a pretty common start.

Secondly, that few contribute as designers rather than developers is definitely a chicken and egg situation. Designers’ time and effort are universally seen as less valuable than developers’ and therefore more readily dismissed or minimized. People are worse at taking critique for things they’re not confident in, and as you note, most open source projects are maintained by developers. Ever give a brand new developer a code review? Yeah. That’s about what it’s like critiquing an open source project’s beloved “quirky” interface.

I’ve seen eager designers post issues in repos— some with complete wireframes and rationale having done a good amount of work already, asking for specific types of feedback— only for their system to be instantly bikeshedded into oblivion rather than productively discussed. Unsolicited contributions are often viewed as superfluous expenditures of dev time, or even viewed with outright suspicion or hostility, if they’re not submitted in the form of bite-sized PRs ready for production, with the understanding that existing devs can veto any changes without any real justification. Going from a haphazardly assembled UI to a properly designed UI requires fundamental change, and that’s a lot of work. Would you contribute code in a project with those competing requirements?

Before any of that, any designer interested in open source software has almost certainly made the mistake of griping about the interface for gimp, or git. It’s a good preview for what lies ahead.

Security of your own domain depends a great deal on the security of your domain registrar and DNS provider.

If you are going this route for security purposes, make sure they have proper policies and are not susceptible to social engineering.

At least Cloudflare is offering such a thing, but it’s an enterprise option [1]. I would assume many others have similar offerings as well.

[1] https://www.cloudflare.com/en-gb/products/registrar/custom-d...

> Sending your mail yourself is the real hard part

It's possible to punt on this by using SES for outbound, while continuing to handle inbound a different way. Obviously SES doesn't count as fully self-hosted, but it does solve (or at least significantly ameliorate -- zero issues here) the reputation problem

I think that's what they're talking about in terms of 'you don't send your own mail', but it is a good solution and SPF+DKIM means you should have very few issues with deliverability and reputation.

Spammers tend to set up SPF/DKIM.

I mean that SES gives you SES IP reputation, and they force you to have a low bounce rate & complaint rate, thus SES specifically is usually not blocked by big providers nor small enterprise networks.

>It's possible to punt on this by using SES for outbound

How does this work? Do you just sign up for aws, then set your outbound SMTP to whatever SES provides?

Yep, you just configure your outbound SMTP server to be the SES credentials and adjust your SPF/DKIM records.

I was determined to make #3 work for years. But despite a golden reputation for my IP, perfect dkim, dmarc, dns, and everything else, plus exclusively personal mail (no bulk mail ever) I could never get out of the spam box at several major providers. Never could figure it out, even with all the tools. Finally gave up.

I have come to suspect new MX servers are spam-holed by default until enough people click “Not Spam”, which is an absurd hurdle for a single user hobby server.

> I have come to suspect new MX servers are spam-holed by default until enough people click “Not Spam”, which is an absurd hurdle for a single user hobby server.

Yes, a fresh (or: previously sending spam) IP requires some warmup time until providers like GMail will let you anywhere near the inbox.

And if you're not sending out a high enough volume of emails, no chance.

I had the IP for probably five to seven years, but my outbound mail volume was less than ten emails a week. Which, of course, was tough to increase when delivery was poor - chicken and egg.

I monitored all the blacklists, filed ownership attestations with receiving domains, the whole nine yards. It’s sad that a microscopic MX server can’t be default trust instead of default spam for the first two messages a week.

(I want to repeat, this was a single user exclusively personal domain. Writing to a friend, to grandma, to a colleague)

I was probably in a bad ASN, but at that level trying to find a good block you’re just rolling dice. I wasn’t willing to play anymore.

> Sending your mail yourself is the real hard part

No, having quality spam and fraud filtering, and quality security, that you host yourself, is by far the much harder problem. I would argue that outsourcing your email to Proton or Tutanota is not running your own "artisanal" email server. By the way, even with those email providers, I still have terrible spam and fraud emails getting through filters that I never would have seen with my GMail.

Well, on the flip side unless you constantly check your spam folder (which pretty much completely defeats the purpose of a spam filter) you most definitely have lost important mails thanks to gmail.

I just don't see what people see in gmail apart from the google brand - which surely isn't a good thing anymore.

I'm not here to be a Google apologist, but in the 10 or more years that I've used gmail, I don't think I've ever had an important email go to spam.


Most people I know? It is almost a daily occurrence. Including if senders are in address books, and "not spam" is clicked when found in the spam folder.

Most people I know see legit emails in the spam folder, all the time.

Google workspace sends yes/no meeting confirmations that you make in workspace, to people within your own organization, to spam unless you specifically make a rule to allow them.

For me, this was the main reason to move away from MSFT/GMail to Mailbox.org where I could set the Spam filter to as low as they'd allow.

So far I've been lucky to rarely receive actual spam, but I've missed out on important emails too often.

I still have a @gmail.com account and every time I check it there's a whole lot of spam sitting in the inbox waiting to be classified as spam. Very strange as my main address (which I've had as my main address for almost 20 years) is on FastMail and hardly gets any spam despite the address being much more exposed e.g. it's found on many public mailing lists and it's been part of more data breaches than I can count. Yet it's Gmail that gets the torrent of spam including many obvious ones ending up in the inbox. YMMV of course but I don't rate Gmail highly compared to FastMail and even Office365.

At this point, I suspect the pattern firstname.lastname@gmail.com is so common that spammers just blindly target it.

My experience is similar, I receive much less spam on my actual mail than I do on gmail.

That is possible, my Gmail is indeed firstname.lastname@gmail.com.

> I would argue that outsourcing your email to Proton or Tutanota is not running your own "artisanal" email server.

That's not a claim I'm making. The goal of my message was merely to help people see that there are several steps you can take from using a gmail account to relying on no third party. When I talk to people, they often don't realize this, and especially, how easy it is to set up #1.

> No, having quality spam and fraud filtering, and quality security, that you host yourself, is by far the much harder problem.

Handling spam is not an easy problem, but it's one where you have all the cards to take actions. On the other hand, having your mail properly delivered is something where people have wildly different outcomes, and for people with bad outcomes it's "impossibly hard, and there's no action you can take about it, unless you personally know the right people at the right places".

I've done #1, it didn't occur to me that you could split up #2 and #3. That sounds like a really interesting project. Thanks for the idea!

Might be a silly question, I own a domain that is my first initial + last name dot dev for my portfolio. What's a decent, or usual, prefix to use with such a domain as a personal email for job applications? Bonus point if it is English-French bilingual.

contact@ sounds off, like I'm a corporation. email@ or mail@ I kind of like, but I'm afraid it sounds "confusing" (is that in my head?). application@ or job@ is not bad, but a bit specific and not one I could use all around.

I use me@my-domain.com, and I am playing with the idea of different versions per language, Ja, watashi, moi, mig, and so on.

I always give out 'hello@' or 'hi@' on for general contacting

hello@ is pretty popular.

But when I give the mail directly to a given company, I use companyname@mydomain.com. That lets me track how I'm contacted, and sometimes it starts interesting conversations.


Your post is super insightful.

Option 2 in particular is super appealing.

I’ve tried a bunch of privacy-focused email services and have been let down by one or more aspects of their service. Pretty much all of them managed to handle sending to my satisfaction, though.

So setting up inbound to run on my own gear and paying a couple bucks a month for others to deal with DKIM and domain keys and all that other crap… that’s brilliant.

Thanks for the idea!

This is great advice. I do #1 and #2 but not #3. I use sendgrid.com for #3. They have one of the highest (if not the highest) deliverability rates in the world and mails arrive really fast (faster than gmail).

As a bonus: I get to see a report of which of my emails were classified as spam or not opened.

Also, first 100 mails per day are free (which has been enough for me so far).

You put tracking pixels into private emails? That’s pretty upsetting, luckily I’ve had images disabled for years.

Using sendgrid would seem to have similar or worse privacy implications to using gmail, outlook and their ilk.

#2 has practical reasons as well, such as security and privacy (yes, other mail servers on the internet can catch your mails in flight; that’s quite different from a mail provider having full retention of your email at any point in time)

I’d add another thing:

- Hosting your own mail client. You can self-host roundcube/mutt/thunderbird/or even an imap server that just fetches (and possibly deletes) email from the remote server using something like mbsync. This mail client/server doesn’t need to interact with any other mail server apart from the mail provider that receives the incoming email, be that gmail or fastmail. While paid ProtonMail can be used for this, it’s a bit of a hassle with their lack of native imap support.

> other mail servers on the internet can catch your mails in flight

This also shouldn't be a problem most of the time if your email server supports TLS; Google currently sees 81% outbound email encryption[0], so you can imagine roughly 4/5ths of email servers support it.

0: https://transparencyreport.google.com/safer-email/overview?h...

Indeed. It was more of an inb4 of the common reply of “there is 0 privacy gains of self-hosting email since most of the people you’re mailing with will be on one of the big providers anyway”, which is tired and defeatist.

Tired, defeatist, and giving way too much credit to the big guys. No matter how good they are at assembling a profile on me from indirect data, it's still going to be more effort and likely lower quality than if they had a giant store of data labelled as mine.

Great write up!

I’ve long been interested in self hosting, but was constantly tweaking and never got #3 stable. After iCloud made it easy to do #1, I pushed my parents into using it and gave them my domain (@lastname). Now I just share it too, since it’s just too easy.

I encourage everyone who wants to change to something they control, or uses a paid iCloud tier, to set up their own vanity domain for iCloud. It’s so easy and lets you own the identity, which is a critical part and portable. Not trying to shill anything, but it took 10 minutes and is offered by apple, so every non tech-savvy person has heard of and trusts them, so it’s easier to convince others.

Yep! I do #1 despite researching controlling the whole stack. I still like the idea of doing it someday, if only with a development domain.

I pay $12 a year for email hosting, $10 a year for the domain. I use name.com and I presume (though I have not tested) that if I needed a human to talk to, I would have much better luck than with Google. I also don't have to worry about a snarky Youtube comment getting me locked out of Youtube, Youtube TV, Gmail, GDrive and everything else.

Qualifier to add to #3. Sending mail to other recipients who are running their own mail server (for themselves not for others) is not "real hard".

Unfortunately, most outbound mail I send these days ends up at Google or MS.

You can have the best of both worlds with self-hosting received mail and achieving good deliverability by using a service such as Amazon SES. SES will probably cost you less than $10 a year for personal email sending volumes. I use it for my business and it is less than $15/yr. Rarely get a bill for more than $1. They hold you accountable for any abuse/complaints, which is a good thing.

I use it for personal use, would also recommend. It's not 'self-hosting' of course, but that's not what I actually care about personally, more interested in 'running my own' regardless of whether it's physically my hardware or not.

(Or rather given everything I've read about self-hosting email, not regardless, this is my preference...)

For a private mail server operator, Amazon SES is somewhat annoying because if your mail server is down, they're only keeping mails in the delivery queue for something like eight hours or so, which is way too short if you're not a big provider who can commit to round-the-clock support for the mail server.

I keep a backup postfix server in a different location from the primary. It all kicked in once about 3 months ago and worked beautifully.

How do you use SES for this? It seems to only allow receipt of email conveniently. Sending seems to require using an api which is not something most people want to do to email others.

You can create smtp credentials for use in any email client. The api is optional.

Yeah, I've gone with the compromise of my own domain and a rented managed server for the last twenty years or so. Works well enough for me. I like to be able to give different email addresses every time I need to register somewhere. Keeps my personal address free of spam.

Someone should try an "artisanal email server" using cloudron or yunohost! The bigger problem is that "authoritative" email monopolies such as Gmail, 365 and the other big ones arbitrarily define and impose what is a legit email server or not, and even with a better score than gmail an "artisanal" email server can suffer from being classified into spam by the big tech players just because they can and will do anything to maintain their monopoly.

I'm running an email server and I can tell you that this is by and large not the case.

If you put some decent effort into making sure that you don't send spam, try to monitor if anyone thinks you send spam and react when someone complains that you send spam (and stop it), it works.

In my experience people telling these stories often do send spam, but they don't believe they do. ("It's not spam, it's a Newsletter. No, it has no unsubscribe link. These are people that agreed to be put on the newsletter by clicking on some ToS they never read, and they can unsubscribe by some arcane mechanism that we will make as complicated as we can. But we're definitely not spammers.")

As others are saying, this just isn't true.

I've run my own email for decades and I've designed and run some pretty big commercial installations.

As a small provider, you run the risk of existing in a netblock used by other people sending spam. A small co-op I ran encountered this problem once. They were operating on the cheap and while they weren't sending spam their neighbors had been.

Even as a large provider at a billion dollar company, figuring out delivery issues is a huge pain and generally not worth it. There are unofficial professional postmaster meetups around the bay and these can be helpful in getting escalation contacts to fix issues, but even with entire teams of people dedicated it's a lot to handle and is usually worthwhile to outsource the work to other companies who already have these types of relationships established.

> If you put some decent effort [...] it works

Well, I put in more than some decent effort, and I didn't get it "to work". I detailed my efforts here:


Please stop spreading falsehoods. If you were able to somehow get your own email server to deliver email to Gmail and Outlook, great, good for you - but stop pretending that anybody can do it.

I did run my own email server for 20+ years. As you may imagine, I had to learn a thing or two about DMARC, DKIM and SPF, but spread over the years it is not a big investment to make.

Most of the time, delivery problems were of my own creation. Like running out of disk space or accidentally disabling TLS.

Once in a while, Microsoft would start swallowing emails or Google would push everyone to use DMARC.

But overall, the experience has been very pleasant. I host my mails, I own my data. I am not shy of using Google, but my work is not defined by their whims. When Google tells me I ran out of space in my account I just delete stuff because I have copies of everything outside of Google infrastructure.

Lots of sister comments here saying that they've been running a mail server for X amount of years, where X is a rather large number. That will obviously come with some reputation for your mail server, reducing the curve of being classified as down. I would be interested in hearing from someone who tried to setup a new mail server in the last 1-2 years who was able to run it without a hitch.

In my case x>10y for a personal server, but that reputation got ruined when some test email account I had created with a weak password and forgotten, got breached and some spammers started sending spam. My mail server (smartermail) notified me within an hour of the abnormal number of emails and I disabled the account immediately. But that was it for the reputation of that IP. Fortunately I could switch to a spare, clean IP.

That being said, now I monitor and auto-ban failed authentication attempts to smtp/imap (among others) and running the service is fairly low maintenance.

But the moral of the story is that you are only one weak password from one of your users away from your mail server getting blacklisted as a spam server. So while I think it is fairly easy to run a personal server, running one for a small organisation is another matter.
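The "monitor and auto-ban failed authentication attempts" part of the post above, as an added example that is not any poster's code: a sliding-window detector run over log lines constructed in the shape of Dovecot and Postfix syslog output (RFC 5737 addresses, hypothetical threshold of 5 failures in 10 minutes). Feeding the result to a firewall is left to the reader's own tooling.

```python
"""Fail2ban-style detection of SMTP/IMAP password guessing from mail logs.

Added example for this thread, not any poster's code. The log lines are
constructed in the shape of Dovecot and Postfix syslog output, using
RFC 5737 documentation addresses; the ban policy is a hypothetical one.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one real login, one IP that hammers IMAP and
# submission, one IP with two failures, and one IP whose failures are
# spread too thinly over time to cross the threshold.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.10, TLS
Mar  3 10:00:02 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.5, lip=203.0.113.10, TLS
Mar  3 10:00:09 mx postfix/submission/smtpd[4321]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:15 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.10, TLS
Mar  3 10:00:40 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=203.0.113.77, lip=203.0.113.10, TLS
Mar  3 10:01:03 mx postfix/submission/smtpd[4321]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: generic failure
Mar  3 10:02:30 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.10, TLS
Mar  3 10:05:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob>, method=PLAIN, rip=203.0.113.77, lip=203.0.113.10, TLS
Mar  3 10:10:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.10, TLS
Mar  3 10:11:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.10, TLS
Mar  3 10:12:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.10, TLS
Mar  3 10:40:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.10, TLS
Mar  3 10:41:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.10, TLS
"""

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
# Dovecot: "...-login: Disconnected (auth failed, ...): ... rip=<remote ip>, ..."
DOVECOT_FAIL = re.compile(
    SYSLOG_TS + r" \S+ dovecot: (?:imap|pop3)-login: Disconnected \(auth failed"
    r".*?\brip=(?P<ip>[0-9a-fA-F.:]+)")
# Postfix: "postfix/.../smtpd[pid]: warning: host[ip]: SASL <mech> authentication failed"
POSTFIX_FAIL = re.compile(
    SYSLOG_TS + r" \S+ postfix/[\w/]+\[\d+\]: warning: [^\s\[]+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL \w+ authentication failed")


def parse_failures(lines):
    """Yield (timestamp, ip) for each failed-auth line; other lines are ignored."""
    for line in lines:
        for pattern in (DOVECOT_FAIL, POSTFIX_FAIL):
            m = pattern.search(line)
            if m:
                # syslog timestamps carry no year; year 1900 is fine for window arithmetic
                yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")
                break


def ips_to_ban(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: time it reached `threshold` failures within one `window`}."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    banned = {}
    for ts, ip in parse_failures(lines):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out
            q.popleft()
        if len(q) >= threshold:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in ips_to_ban(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```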

I use a very low sending limit in my mail server. If a user were to send out spam, it would end up being relatively few by the time I noticed.

According to AWS, most mail servers will not even count statistics for low-volume senders. If that is true, then it won't matter whether your personal email server has been up for 20 years or 1 year, it won't have any reputation.

Yeah, I have that problem with gmail, I had a test account with a weak password get exploited a few years ago. Now for any new gmail address I want to send to seems to endup in spam. The problem here is there is no getting out of jail easily for low volume email users.

My personal gmail account is full of spam and emails I do want from email lists end up the spam folder randomly.

This matches my experience. I switched recently after 10+ years, and was cautious that this might be a problem but it hasn't been at all. I think it has more to do with the choice of ISP.

I think they meant servers with no reputation are punished. Other comments said so at least.

What ISP should someone choose?

Interesting, I misinterpreted what was being said!

I'm doubtful a default block would work, as that would even penalise the 'big boys' of email when they make basic network changes and piss off existing customers of both sender and receiver... It's easier and logical to conclude something without reputation yet is therefore sending too few mails to be useful to a spammer.

I've had good experiences with smaller ISPs (currently Mythic Beasts). In contrast, OVH was a poor experience.

I find that reputation (beyond the known "block-lists") appears more likely being tracked for the whole AS number, therefore a lot more to do with your "neighbours" than anything else.

>What ISP should someone choose?

What matters most is if the IP address they issue you has been blacklisted for spamming. DigitalOcean is fine but you need to check the IP address before you do the work of building a mail server. Some of their IPs are on a lot of blacklists.

If it's only on a very few you need to look into who's blacklisting it. There are some that offer a way to get delisted and make it easy, there are others that block pretty much every IP address DigitalOcean has (or large ranges of them) and they won't de-list anything within them. Many of those blacklists are managed overseas and not used much in the U.S.

No matter the ISP you should check the IP address they issue for a VPS before you build the email server.

I've been running my own email server for around 7-8 years and just set up a new email server on a DigitalOcean VPS earlier this year using "Mail-in-a-Box".

That's about as easy as it gets but it still requires some work and you need to check the IP address DigitalOcean issues to see if it's blacklisted before you set it up.

Google makes it easy to get whitelisted. Microsoft email services (Hotmail/Outlook) are a pain though. I tried to get through their process but got nowhere. Other services I had to submit a request to get de-listed. So it does take awhile to go through all that.

Still, I prefer that to hitching that wagon to a 3rd party provider like Google, or any other.

Before I set mine up the 1st time I'd been screwed a few times by 3rd party providers. The last one, I can't recall which, but it was either "MailChimp" or whomever bought them, that I'd configured an app to use and almost as soon as I'd released it they announce they'd been acquired and I would have to use the new services APIs, and of course they cost more, and their services were geared towards mass mailing, and that's not what my apps do, and their API sucked for my needs.

It was about 12 years of dealing with 3rd party bullshit that motivated me to set up my own email server.

If you just want to fiddle around with one to get a feel for it Mail-in-a-Box is a good place to get started: https://mailinabox.email/

And even if you did get it to work there is absolutely no guarantee that they won't block you tomorrow morning for no reason at all.

I set up and have been running an email server for around 20 domains for over a decade. There have been no issues delivering to Gmail or Outlook, AOL, or Hotmail. There was some work I did initially to remove our IP addresses from blackhole lists, which had resulted from whatever the prior owners of the addresses had done. That was, however, minor and didn't take much time. Similarly, setting up DKIM, SPF, and the like were necessary and ugly to do, but they didn't take much time.

My mail server running on DigitalOcean has been relatively trouble free over the last 9 years. It runs docker-mailserver and is used by me and a dozen employees of my various small businesses.

It requires some effort to maintain and understand, and I’ve had a few deliverability issues over the years but they are generally with niche providers. I’ve never had trouble sending mail to the big providers.

Every time I read comments about the impracticality of self-hosted email, I scratch my head. Maybe I’ve just been lucky.

I think DO is really good about policing their IP space. When I signed up for the Microsoft JMRP [0], DO was already a contact of record for the IP I was using. I just appended myself to the list to get any abuse reports as well.

>Every time I read comments about the impracticality of self-hosted email, I scratch my head. Maybe I’ve just been lucky.

I feel the same. I've had one or two hiccups but smooth sailing for the most part. I'm also happy to provide receipts that show how the recipient's mail server is responding when I send the emails. It's a powerful tool to say, "your mail provider is misbehaving, look!" They will wonder how many people tried to send them email that didn't get to them.

[0]: https://postmaster.live.com/snds/JMRP.aspx

That's what I've been using for some years and it's never been a problem for me. You are right that you have to have at least a basic understanding of how a mail server works, and there is some configuration to know about. But I think of all the things I host myself, docker-mailserver is the least cumbersome and among the most reliable.

Easy on generalizations, mate.

I've been running my own mail server since the mid '00s. Initially hosted with one of the West coast Canadian colos and subsequently moved to an EU colo. Had some deliverability issues with Outlook and Yahoo, but these were episodic and rare even though I set up DKIM only last year and had been running with just SPF and DNS/PTR before that.

I know at least a dozen others with similar setups and timelines. But we all use dedicated colo'ed boxes on IPs from clean netblocks that weren't previously used for shared hosting. I strongly suspect that attempting to run a mailserver on Digital Ocean, OVH, 1and1 and similar mass-hosting providers will not go well. Just like it will be an uphill battle to run it on a residential IP.

> Easy on generalizations, mate

What did I generalize, exactly? Parent poster was claiming that anybody can set up a mail server with good deliverability - that's a generalization. I said good for them (acknowledging they managed to make it work) and said that I also tried and couldn't make it work - therefore, clearly not everybody can make it work. Did I not argue against generalization there?

> I strongly suspect that attempting to run a mailserver on Digital Ocean, OVH, 1and1 and similar mass-hosting providers will not go well.

I run my mail server on Linode, no issues at all.

> If you were able to somehow get your own email server to deliver email to Gmail and Outlook, great, good for you - but stop pretending that anybody can do it.

Yes, that's probably true. I've been running my own server for 20 years now, and I guess that in itself helps with getting my mail delivered (apart from t-online, but who cares about them). At some time I also hosted some mailing lists, but I quickly abandoned that because that's a surefire way to get your IP blacklisted sooner or later. If you set up a completely new mail server, there probably is a lot of luck involved, and I wouldn't recommend it to anyone, at least not for your critical business mails. I pretty much keep doing it only out of nostalgia, it doesn't really make any sense otherwise.

Haha I have the same experience... I have given up trying to send emails to t-online, but every other email provider accepts emails from the server I manage. It sends a few thousand emails per day.

A few years ago we had problems, but then I realized some of the emails sent from our servers had non-ASCII characters in headers (subject, from, to) which caused email providers to distrust our server. Using encoded-words syntax ("=?UTF-8?B?" + BASE64(text) + "?=") fixed that problem:
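The encoded-words fix described above, as an added example (my code, not the commenter's): it rewrites header values that contain non-ASCII text into the RFC 2047 `=?UTF-8?B?...?=` form, encodes only the display-name part of address headers so the addresses themselves stay untouched, splits long values into several encoded-words to respect the 75-character limit per word, and cross-checks the result with the standard library's decoder. The function names and the sample headers are constructed for this example.

```python
import base64
from email.header import decode_header, make_header
from email.utils import getaddresses

# RFC 2047 caps each encoded-word at 75 characters. The 12-character
# "=?UTF-8?B?" ... "?=" wrapper leaves 63 characters of base64, which is
# at most 45 raw bytes per word (45 bytes -> 60 base64 characters).
MAX_BYTES_PER_WORD = 45

# Header fields whose value is an address list: only the display name may
# be encoded, never the addr-spec in angle brackets.
ADDRESS_HEADERS = {"from", "to", "cc", "bcc", "reply-to", "sender"}


def _chunk_utf8(text: str, limit: int = MAX_BYTES_PER_WORD):
    """Yield pieces of `text` whose UTF-8 encoding fits in `limit` bytes,
    never cutting through a multi-byte character."""
    piece, size = [], 0
    for ch in text:
        n = len(ch.encode("utf-8"))
        if size + n > limit:
            yield "".join(piece)
            piece, size = [], 0
        piece.append(ch)
        size += n
    if piece:
        yield "".join(piece)


def encode_header_value(text: str) -> str:
    """Return `text` unchanged when it is pure ASCII, otherwise as one or
    more RFC 2047 base64 encoded-words (the form quoted in the comment)."""
    if text.isascii():
        return text
    words = []
    for piece in _chunk_utf8(text):
        b64 = base64.b64encode(piece.encode("utf-8")).decode("ascii")
        words.append(f"=?UTF-8?B?{b64}?=")
    # Whitespace between adjacent encoded-words is dropped by decoders,
    # so several words can be joined with a plain space (or folded).
    return " ".join(words)


def encode_address_list(value: str) -> str:
    """Encode only the display names in an address-list header."""
    parts = []
    for name, addr in getaddresses([value]):
        if name:
            parts.append(f"{encode_header_value(name)} <{addr}>")
        else:
            parts.append(addr)
    return ", ".join(parts)


def sanitize_headers(headers: dict) -> dict:
    """Return a copy of `headers` in which every value is 7-bit ASCII."""
    out = {}
    for name, value in headers.items():
        if name.lower() in ADDRESS_HEADERS:
            out[name] = encode_address_list(value)
        else:
            out[name] = encode_header_value(value)
    return out


def decode_header_value(value: str) -> str:
    """Cross-check: decode with the standard library's RFC 2047 decoder."""
    return str(make_header(decode_header(value)))


if __name__ == "__main__":
    # Constructed sample headers with non-ASCII text in Subject, From and To.
    sample = {
        "Subject": "Grüße",
        "From": "Jürgen Müller <jm@example.org>",
        "To": "a@example.com, Zoë <z@example.net>",
        "Date": "Mon, 01 Jan 2024 10:00:00 +0000",
    }
    for k, v in sanitize_headers(sample).items():
        print(f"{k}: {v}")
```

Run it as-is to see the rewritten headers; in a real sender, apply `sanitize_headers` to the header dictionary just before the message is serialised, or let a library that already implements RFC 2047 (Python's `email.message.EmailMessage` does) build the message for you.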


My little server on Hetzner has been delivering to gmail and outlook for two years with no hiccups: postfix, dovecot, rspamd.

> but stop pretending that anybody can do it

I do it as well and apparently so do many others.

Not sure why it seems problematic for some, but it hasn't been an issue at all for me.

I think the "decent effort" part is the key thing. We had to change our mail routing temporarily earlier in the year (after having sent via Office 365 for multiple years) and keeping on top of emails that were being blocked was a non-trivial amount of effort (and stress) for a period of time.

Unlike the person you're replying to, we had no issues with Google or Microsoft (once we did the requisite things) - it was Yahoo (and the people they provide email for) and then multiple mid-size organisations who used IP based block lists. At one point our mails were being rejected by our local NHS trust, the London Fire Brigade and a mental health agency we make referrals to. None of this was complicated to resolve but it was energy that could have been better used elsewhere.

I'm not usually part of the "let's go cloud without doing any cost-benefit analysis" movement but with email delivery I was happy when we could go back to routing via Office365 again. If a recipient decides to ban Microsoft's IPs that's usually going to be a bigger problem for them than me.

> If you [...] it works.

I've been running mailservers using free software for 20 years. I've run two for personal use, and several for groups like companies. In the old days, you could indeed throw up a server, and provided you don't spam, and you're not in a bad neighbourhood, outgoing mail would be accepted.

In more recent years, my experience has been that it takes time for a new mail sender to be accepted; could be a year or two to build reputation. That's assuming you do everything right.

My personal mail, by the way, has been on the same domain since about 2001. I've quit running a mailserver now. My small ISP runs a setup that's basically what I would have built, so I use that; the support is excellent. But it's still on the same domain.

Last company I was at ran their mail on their ISPs mailserver. The ISP got taken over; service deteriorated, to the point it became unacceptable. So I built $EMPLOYER a mailserver; it took me longer than I predicted, because the bosses had all kinds of finicky requirements (don't they always) that I had to figure out how to provide after the fact. But that "artisanal" server beat the bejabers out of the ISP system; it was fast, reliable, and when anything went wrong I could fix it - which that ISP couldn't.

To most, including Gmail, it's actually no problem with DMARC in my experience too.

However, one of my servers' IPs has been on a Microsoft blacklist for many years now. It sends <10 messages / day. I've tried every unlist form I could find, even called MS, but it does not get taken off that list and they "won't disclose why". I'm routing SMTP to MS via another relay now :)

> I'm routing SMTP to MS via another relay now :)

How do you do this? Could you share details on the setup?

It's a rather simple Postfix setup:

/etc/postfix/transport (the transport_maps lookup table; a trailing "# ..." is not a comment in a Postfix table, so the note goes on its own line):

    # ... and other domains
    hotmail.com relay:[relay.server.tld]:587

main.cf:

    transport_maps = hash:/etc/postfix/transport
    smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd

relay_passwd.db (if necessary / not authenticated by IP):

    relay.server.tld user:pass

The relay can/should rewrite the Return-Path to pass SPF. It's no problem for DMARC as the DKIM signature added by the initial server still authenticates it.

It requires manually adding domains of custom 365 installations to the list - at this size I do this manually, but should probably be automated "on bounce" or maybe even by a smart rule based on the MX record.

In Exim4 it's also possible to conditionally rewrite based on for example the recipient domain.
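The "smart rule based on the MX record" mentioned above, as an added example (my code, not the commenter's, and not a Postfix feature): it takes the MX hostnames of each recipient domain, decides whether the domain is hosted on Exchange Online, and emits the matching lines for the Postfix transport table, always including the consumer Microsoft domains named in this thread. The MX suffix `.mail.protection.outlook.com` is the one Exchange Online assigns to tenant MX records, but treat the suffix list as an assumption to be checked against your own lookups; the function names, the relay host `relay.server.tld` and the sample `dig +short MX` output are constructed for this example.

```python
from typing import Iterable

# Consumer Microsoft domains from the thread: always routed via the relay.
ALWAYS_RELAY = {"hotmail.com", "outlook.com", "live.com"}

# MX hostname suffixes that mark a Microsoft 365 / Exchange Online tenant.
# Assumption: extend this tuple from your own bounce observations.
MICROSOFT_MX_SUFFIXES = (".mail.protection.outlook.com",)


def _norm(host: str) -> str:
    """Lower-case a hostname and drop the trailing dot DNS tools print."""
    return host.rstrip(".").lower()


def parse_dig_short_mx(text: str) -> list[str]:
    """Parse `dig +short MX <domain>` output ("<prio> <host>." per line)
    into a list of MX hostnames, lowest priority first."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.append((int(parts[0]), _norm(parts[1])))
    return [host for _, host in sorted(records)]


def mx_is_microsoft(mx_hosts: Iterable[str]) -> bool:
    """True if any MX host belongs to Exchange Online."""
    return any(_norm(h).endswith(MICROSOFT_MX_SUFFIXES) for h in mx_hosts)


def transport_entry(domain: str, relay: str, port: int = 587) -> str:
    """One transport(5) line; the brackets tell Postfix not to do an MX
    lookup for the relay host itself."""
    return f"{domain} relay:[{relay}]:{port}"


def build_transport_map(domain_mx: dict[str, list[str]], relay: str) -> list[str]:
    """Return the transport-table lines for every domain that should go via
    the relay: the fixed consumer domains plus any custom 365 tenant."""
    routed = set(ALWAYS_RELAY)
    for domain, mx_hosts in domain_mx.items():
        if mx_is_microsoft(mx_hosts):
            routed.add(domain.lower())
    return [transport_entry(d, relay) for d in sorted(routed)]


if __name__ == "__main__":
    # Constructed `dig +short MX` output for two recipient domains.
    lookups = {
        "contoso.com": "0 contoso-com.mail.protection.outlook.com.\n",
        "example.org": "10 mx.example.org.\n20 mx2.example.org.\n",
    }
    domain_mx = {d: parse_dig_short_mx(out) for d, out in lookups.items()}
    for line in build_transport_map(domain_mx, "relay.server.tld"):
        print(line)
```

Feed it the domains from your bounce notifications (or from a periodic `dig +short MX` over the recipient domains in your logs), write the output to the transport file and run `postmap` on it. For the password map in the comment above to be used at all, Postfix also needs `smtp_sasl_auth_enable = yes` in main.cf.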

same experience here, perfect score but no mail into Microsoft

You need control of the entire netblock you send email from. Everything was going smoothly for me for 7 years until the entire Digital Ocean netblock my static IP was in landed in a permanent blacklist due to enough of the other IPs in that block having repeated complaints. I don't remember the mailing blacklist it was on but unblocking that single IP required the netblock owner (Digital Ocean) contacting the blacklist provider directly.

this is why persons self-hosting email servers are much more likely to have success using a small to medium sized, trusted local ISP where you can establish a relationship with the persons who run the ASN. And determine for certain that the ipv4 /24 your mail server's /32 is contained within does not contain random other $5 to $30/month people buying VPS/VMs/low-budget-dedicated-servers with credit cards.

If you can have a high degree of confidence that no outgoing smtp spam traffic has ever been emitted from any of the other IPs adjacent to where you're hosted, the opaque blacklists of the big mail receiving providers (gmail, etc) are much less likely to consider your legit traffic as spam.

I think the vastly different experiences have a lot to do with the quality and scale of the ISP. Best results with small, good quality ISPs.

Also running my own servers for personal and business, and working well.

But when we tried to use one of the large VM providers the experience was much less reliable. Despite ensuring the IP was not on the various block lists etc. mails would be accepted and silently discarded by recipients ISPs, perhaps due to the level of abuse of these IP ranges.

Exactly. I’ve been running my own email server for over a decade not because I think I’m artisanal, but for practical reasons. But I don’t send out spam or “newsletters”.

Or any kind of transactional email, I assume?

I've run a hobby website for about 15 years that does not even have a newsletter of any kind, and includes "stop sending me emails" in each transactional email (all users are double opt-in verified), and password resets are still not delivered half the time to gmail addresses.

In my experience people telling these stories often do send spam, but they don't believe they do. ("It's not spam, it's a Newsletter. No, it has no unsubscribe link. These are people that agreed to be put on the newsletter by clicking on some ToS they never read, and they can unsubscribe by some arcane mechanism that we will make as complicated as we can. But we're definitely not spammers.")

Yes. I do get that impression from most complainers.

I send from my own domains, and if I sent it, I wrote and addressed it personally.

Indeed, after setting up dmarc and such delivery is no longer really an issue. I guess around 10 years ago, that was different!

But what is a problem is providing a good enough web interface, search, and so on.

I've run an email server for 10 years now and by and large this is the case. I am the only person that uses my domain/IP/mailserver. I know it doesn't send spam. I've still been blocked by MS Office 365, marked as spam by google, etc, every few years. It's quite a hassle to get unblocked involving lots of lying about having a Microsoft account or the like to tech support till you get to techs who actually know what a mailserver is.

Frankly, I'm shocked you've never been arbitrarily blocked and I find your insinuations offensive.

The last time I was getting blocked it was the solarwinds fiasco where their internal mail tunneling/forwarding and filtering setup broke all DKIM and suddenly solarwinds users like NOAA.gov were rejecting me and adding me to naughty lists. There was no fallout for the megacorps and their broken setups. There was only damage to independent mailserver operators doing the right thing.

I deal with this every day. Personal fully controlled server. I don’t conduct business over this server, have only one email, a personal email, associated with it.

I hear this all the time, but I question how true it is. I've been running my own mail servers for decades, and I've never had any problems with sending or receiving mail. I suspect anyone who properly configures their server will be fine.

> I hear this all the time, but I question how true it is. I've been running my own mail servers for decades, and I've never had any problems with sending or receiving mail. I suspect anyone who properly configures their server will be fine.

At work I ran email servers professionally and with good deliverability for years. My own email server was arguably longer lived than those at work, just much lower volumes. IP block was clean, DKIM, SPF, rDNS, etc. all setup correctly.

I thought I had no deliverability issues. I interacted with mailing lists regularly, the odd email to friends and family and I was firmly in your camp until I had to deal with a death in the family.

I think this was shortly after Microsoft BPOS became Office365. It became very very clear very very rapidly that to certain orgs I just wasn't hitting the inbox. And there was jack shit I could do about it. That was the end of my mail server, and it's certainly got worse over time.

The problem is delivery problems are almost undetectable.

If I send an email to a corporation’s customer support, or to a distant relation, or to an open source mailing list, and I don’t get a reply, it could be a delivery problem - or it could just be that they didn’t decide to reply.

For corporate support, that’s totally on them. Checking the spam folder is customer support. The “oh sorry your email went to spam!” is one of the few times I express dissatisfaction to a company. It’s not my responsibility to make sure my email doesn’t go to their spam folder. Not when I’ve taken all the right steps to make sure my emails are not marked as spam. If you have customers, you have to check your spam folder! It’s not foolproof.

You seem to not realize many email providers just drop emails (often after accepting it) instead of putting it in spam folders. So even your suggestion is of no help in that situation.

> just because they can and will do anything to maintain their monopoly.

This is a popular opinion on HN but it doesn't seem at all in line with reality. Email isn't exactly a real money maker for anyone. And the amount of email spam and abuse is immense. Filtering out most unknown providers is unfortunately extremely effective. Almost all spam wiped out with a simple check.

Maybe the ideal solution would be to let you link your custom email domain with a google account so you can have your google account vouch for the legitimacy of your custom domain. But even then, some of the time your email server actually is just blasting out spam without you knowing it.

Email itself maybe is not a money maker, but my company just went to 365 and 90% of the justification to management is "we're switching email providers". Microsoft and Google's small business offerings are inextricably dependent on email first.

My own experience from running a private e-mail server the past 5-6 years is that the problem more than anything else is garbage "e-mail gateway" products, like e.g. Cyren GlobalView and Proofpoint, that get in the way.

There's a tendency to perma-reject e-mail coming from "not seen before" domains despite the e-mail passing FCrDNS + SPF + DKIM + DMARC validation, which makes it difficult for private e-mail server users to get through to people.

This is exactly it. Email is now just another way to squeeze companies and private individuals alike instead of a cheap, secure and free way to communicate. Peer-to-peer email was worth having, in spite of the downsides.

I’ve seen a lot of small businesses go from $50 / year to $500+ / year. And from their point of view all they get is a bunch of nagging about 2FA and a much bigger target on their back when it comes to phishing.

The most frustrating part is someone who isn't getting your mail will blame it on you. "I get everyone else's (gmail/outlook) email, it must be you."

And my retort is “that you know of”. If mine isn’t getting to you, who else’s isn’t? (For businesspeople) how much business are you losing because Google isn’t letting mail through? It’s one thing if the server is declining email and telling you why. It’s another thing to silently hide email.

Hmm, guess it's time for a counter-attack : "Sorry, but it's too much hassle to send e-mail to gmail/outlook, please use another provider if you want to communicate." ?

I post on a mailing list where one member has configured his server to reject all emails from Gmail. Inevitably we end up getting messages sent to the list which begin, "Direct emails to <guy> are being rejected, so I'm sending it via the list, sorry for the noise!"

The unspoken "you silly prick" gets louder every time this happens.

So, you just give up and leave control to bad actors ?

Every time my artisanal mails went to spam it was an overzealous corporate spam filter (mostly for mails with attachments). Never from one of the big hosts.

Having run my own email for the last two years, this is the number one problem I encounter. Somehow every official step published in terms of standards for securing email servers is not enough to appease large provider such that they’ll deliver your mail and not relegate it to spam.

The only problem I've had are with small players. You can't seem to reach anybody in charge of configuring and they do stupid shit that doesn't actually work.

The big players all have a process and followup within days.

Sending to Gmail/Workspace and O365 is by far the easiest case for me. It's the random enterprise email servers that don't like new gTLDs like '.xyz' who cause the most headache.

The suggestion that they will try to muscle you out to maintain their monopoly is a bit alarmist. If you’re not sending spam, and your email infrastructure includes strong DMARC and SPF policies, then it’s unlikely that your reputation will be tarnished simply because it isn’t part of the Gmail or Exchange Online ecosystems.

I’d argue that the vast bulk of email is sent from dedicated providers like Sendgrid which are built on the same tech that might be found in any given ‘artisanal’ on-prem service.

Indeed. Only that's not the bigger problem. It is the actual problem with email.

Yeah I stopped running my own. I kept getting blocked by Microsoft in particular (mainly consumer recipients at live.com and outlook.com, strangely enough not corporate O365 users!). I'm 100% sure I did not send any spam, the only emails going to those addresses were legit from a family member. DMARC and SPF were all set perfectly, relays blocked, I was not on any spamlist and I never have been either.

Literally every month I got blocked again because my server did not have enough reputation. Kept logging tickets to get it unblocked and then a month later it was back. One time I did manage to get a personal email back from a guy in India. Said that it was because my mailserver did not send enough legitimate mail for their algorithm to trust it.

So the lack of spam is not enough anymore to avoid being blocked. You actually have to send a load of legit traffic to build up 'reputation'. Now just being a small-time sender is a problem. This way the big players can just carve out a bigger market for themselves. They basically break the decentralised concept of email by doing this.

In the end I moved to O365, which felt bad because I didn't want to reward them for their behaviour. But we moved to it at work too and I wanted an instance with full admin rights to explore. My contract is up next year so I may change then if I can find a party that does it well and ideally cheaper.

> Said that it was because my mailserver did not send enough legitimate mail for their algorithm to trust it.

In other words, a small self-hosted email server will be considered a spammer until it starts sending out large amounts of email? Maybe that can be automated...

In theory it would be simple to provide a "cloudworkers cooperative" kind of service that just bundles the outbound mail so that traffic is sufficiently large to be whitelisted by the big providers. The two biggest problems are A. Scaling up sufficiently without attracting spammers. Because even a single spammer can ruin your reputation forever. So ideally you'd have a tight-knit group of friends or similar. Even then you could hardly assure that no one ever gets hacked. B. Edge cases. Even if your US or West European traffic is sufficient to be whitelisted by all major providers, how do you ensure that the occasional email to a customer of an Indonesian ISP does not get blocked by their provider...

Yeah SMTP relaying is quite common. The problem is due to email architecture, to my knowledge, that same relay is going to be able to read your incoming emails because remote servers will block emails from user@endserver.org sent from relay.net unless endserver.org has MX entries pointing to relay.net.

That is less the case today. Back before SPF, absolutely. Today, with properly configured SPF records, not so much.

'large amounts' is also pretty relative, I'm sure if you had a small team of 10-25 employees on a self-hosted mail server (preferably with a static IP via the ISP) you'd be taken seriously pretty quickly versus only you sending an email once a week or less.

I'm sorry this happened to you, but it's a shame. You end up giving money to your perpetrators and leaving the rest of us in the same situation you were in previously.

Maybe a hosting coop could be an option? Large enough for reputation but ethical enough to still federate with smaller hosts?

Agreed. But I did learn a lot from it. I needed that because in our large organisation at work the admin rights are highly compartmentalized. And this way I was able to understand what other admins were and weren't able to do.

You can actually get a free test tenant from MS for 3 months but setting up a real production environment is much better than doing some tests.

But yeah I feel lousy about it.

I tried office 365 for email this year but couldn’t get the marketing emails from Microsoft under control. No matter how much time I spent trawling through the settings menus. Almost every email I got was about some security update or promotion from some ms product I did not use and had no intention of using. And I was paying for O365 too!

It is possible. I managed to stop them in the end. One of the many admin sites if I recall correctly (seriously, they have an Office admin portal, Exchange Online admin, Azure AD portal and everything is spread out across those)

If you use hotmail.com a lot of legitimate email goes to spam. I see it as a problem of the hotmail users, not mine as a sender.

I host my own email and I have the same problem with MS. Perhaps this is something for the new Digital Markets Act and interoperability laws in the EU to handle.

You can configure postfix to relay emails to certain domains through a 3rd party SMTP service like SES. The MS domains give all of us the same problems, there is no other solution.

Thanks I wasn't aware of this option. I'll consider it. Thanks for the tip! At least I'm not the only one but I'm sorry you're experiencing this too.

You may just have been unlucky with your IP block having spammers. How were you hosting it - own ISP or another provider?

I have not had deliverability issues for years with my Kimsufi (OVH France) server. While I am confident my server is well configured using best practices, I suspect some of it is also just luck not to be in the same IP block as a spammer.

I was using a colocation hoster in Belgium. They actually moved me to another netblock to test (they were a really nice small company). But the same happened.

I heard Kimsufi is indeed pretty bad as it's so cheap people tend to use it for 'throwaway' purposes. It's basically the white label budget brand of OVH :)

I've had 2 kimsufi email servers and both were fine. It shares the same data centres as OVH so I guess IP ranges are similar. No problems with blacklisting based on anything other than my own misconfiguration so far, and it's been maybe 8 years.

I had a very similar experience. Is there any cheaper option than just using aws SES nowadays ? (for outbound only! don't understand why people would pay the same rate for inbound) My concern is what happens when aws decides to massively increase rates...

If you send from an EC2 instance, it is "always free" (tm) for the first 62k outbound emails each month and 1k inbound.

> This way the big players can just carve out a bigger market for themselves.

Or it’s because there is a near infinite number of domains so it’s relatively simple for spammers to avoid bad rep blocks by grabbing new domains and starting fresh.

Yeah but then why keep putting me on the Blacklist every month? After I've been in touch so many times.

Moved away from outlook.com hosting a while ago since so much legitimate transactional email went to spam whilst actual spam easily got through. Now, when outlook forwards to gmail, gmail catches it before it hits the inbox.

Corporate O365 users often have their own Exchange server (cloud or self-hosted) with custom configuration.

Except of course that it isn't an artisanal choice, but a very practical one that is made increasingly impossible by the few very large email providers that are left. It should be as simple as hosting a web server.

Speaking of which, how long before it won't be possible to host your own web server?

On another note: the biggest source of spam is gmail itself, and guess what, that makes it to my inbox just fine, because what could possibly be wrong with someone using google as their source. Spam was annoying but it was never an actual problem. The consolidation of the internet into a handful of players is a problem.

> Speaking of which, how long before it won't be possible to host your own web server?

It's increasingly getting harder and harder. Recently I was trying to watch a TV show with my friends using a self-hosted Plex server, which was located in one of my friend's house, connected via a gigabit, albeit residential link. Another friend was using LTE internet at that time. He couldn't watch the show, because his connection was so slow, but when he did a speed test the download speed was good enough (100+ Mbit).

Turns out the mobile carrier was throttling connections to select IP ranges to about 1 Mbit (we tested that with a few other IPs). I reckon it was to cripple peer-to-peer protocols. So I guess it's a matter of time until you will be allowed only to connect to certain IP addresses owned by the biggest companies (AWS, Azure, GCP) and nothing else.

Why net neutrality would have been nice, exhibit 78

Net neutrality wouldn’t fix this if the issue is a peering problem (which is very common today). The internet has become so centralized that ISPs cheap out on transit and just direct peer to all of the big content providers.

If your peering is that poor, how are you not failing to uphold your end of the contract?

> Speaking of which, how long before it won't be possible to host your own web server?

Maybe it's just a matter of time for some. For me personally, I could not possibly care less if all the free mail providers blocked me some day. If something is important I can call people and tell them to go to https://mydomain.tld/theirName/ to grab files. I have used this method with non-technical people including lawyers without issue. They prefer of course to use their own secure portals. I do acknowledge that running my own mail server may get more expensive with time as I may have to use providers that are more vigilant about keeping abusers off their network.

As for web servers, why would I not be able to run my own servers? I can rent VMs, physical servers, racks, cages.

I am just speaking for myself but I will never give in to the bully anti-competitive behavior of the likes of Google, and as for ISPs I will not use one that blocks ports or protocols. If there is any blocking to be done it must be done by me. I would never fund an ISP that uses CG-NAT or rate limits something by protocol or port. I realize some people have limited options but at least in terms of blocking and rate limiting, those ISPs are shooting themselves in the feet given that providers like Starlink and various 5G providers will be more commonplace soon.

GSuite and Office 365 are not free, and make security guarantees to their customers.

"Except of course that it isn't an artisanal choice, a very practical one that is made increasingly impossible by the few very large email providers that are left. It should be as simple as hosting a web server."

I don't get this one. How do large email providers make it difficult to host your own email?

I host my own email. It was a pain to setup so I try not to touch it since it is running fine. Setting up email on your own server is just complicated unless you install server management software. I am not sure big email providers are to blame for this.

> How do large email providers make it difficult to host your own email?

By randomly marking your email as spam without any recourse. This may be because they blacklist your provider en bloc, your IP address or some subnet, because they feel like it, it's Tuesday or because their spam filters suck.

But it happens and it happens often enough that running a business in that way will cost you money, sometimes lots of it.

"By randomly marking your email as spam without any recourse."


I'd like to describe how badly this is implemented:

I run my own mail server and I have a 15+ year history of emailing (mywife)@gmail.com.

On a regular basis (mywife)@gmail.com will email me, and I will respond to her email and my response will go to her junk/spam folder.

And there is no alert, no bounce, no notification.

Let's unpack this:

Google (gmail) knows that these two email addresses converse back and forth, regularly, with a 15+ year history. Google knows that their own user initiated this conversation. Google knows my email is a response to their user's email. Google knows my address has never been marked as spam/junk.

So, what kind of unimaginably bad heuristics would have to be in employ to allow this to happen ?

To be honest, this wouldn't bother me that much - I don't think google owes me anything and my wife doesn't pay for their service. What makes me so, so angry is that they behave this way without any notification or bounce email.

That's just shitty.

Same here. And I can't even forward mail from one inbox to another because it invariably gets marked as spam. Two mailboxes, same browser, same IP.

> unimaginably bad heuristics

This is every Google product in a nutshell for me. Their "algorithms" are absurdly bad in every category.

Business use of email tends to look a lot like spam and people mark it as such. An appointment reminder or notification that something just shipped is generally fine. Send out mass notification of your holiday sales and that’s going into someone’s spam folder.

> generally fine

So you're saying that anything can get you blacklisted if you're unlucky enough? I think that's the point of the people you're arguing with.

At this point we just need to figure exactly how unlucky.

Not so much a question of luck, sending out shipping notifications that for example include advertising is risky. Sending a high volume of appointment reminders for the same appointment is similarly problematic.

I've never done any of that.

I don’t mean that’s the only way to trip up, there are a lot of unspoken self-hosting email rules. Don’t use public data centers, don’t send newsletters etc.

My email server is only used as a personal server for a few select friends and family. They absolutely do not send and have never sent anything that could remotely be considered spam. Everything in our setup is picture perfect (SPF, DKIM, DMARC, PTR records, etc). We still can't get email onto Microsoft's servers without it being marked as spam.

Interesting, marked as spam in people's inbox is different from simply never showing up, which is what happens to the vast majority of spam.

See the Digital Markets Act in the EU. It could be a way to force large corporations to cooperate.

While completely abandoning hope for the small players in the process.

Could you expand? Abandoning hope in what way?

You are still hosting it fine. They just decide that you or your messages are suspect.

Also one thing - if people actually want your email they will contact you if they don't get an expected email. If they don't want your messages it is spam.

Even if your ip address/domain is not in the blacklist right now, it only takes a few people marking your correspondence as spam for it to be blacklisted. Since everyone is on these big free providers, nobody will ever see a single email from you any more. With less centrally controlled email, that would not be possible. I think that is the problem everyone is talking about.

People generally know to check their spam folder if they're waiting for an email but it doesn't arrive.

I generally don't check my personal spam folder. I've honestly not seen any false positives with Fastmail. But I certainly do have to check every now and then for my work O365 account which is pretty bad at marking legitimate mail as spam. YMMV of course.

> How do large email providers make it difficult to host your own email?

By not delivering mail sent by your mailserver to mailboxes hosted by them. There's not much use for your own server if your mail won't be received by most users on gmail or hotmail.

The problem with e-mail, and with other forms of communication, is that two parties (or their service providers) need to co-operate. You can run your own e-mail server just fine, but Google, Microsoft and friends might consider you to be a spammer or silently block your e-mail just because.

What if email was based on a whitelist instead of a blacklist? So you'd only receive email from addresses of people you've already established contact with some other way (maybe using conventional email)? This eliminates spam and if the big providers supported this, it could also enable them to stop blackholing innocent servers (though whether they care is another question).

You'll get it when Microsoft decides you are a spammer for no other reason than sending email from port 25 from your house. Or when you can't seem to sign up for a service... until you use your old Gmail address.

Yeah, there was (is?) a period of time where viruses were used to send spam, so if you got infected you'd suddenly be sending out a lot of SMTP traffic from a residential IP address. The entire industry adopted the practice of not trusting residential IPs. Then the spammers shifted to cheap VPS providers, and IP and netblock blacklists became more common.

> biggest source of spam is gmail itself

[citation needed]; is this actually going out from gmail or does it just use gmail return addresses?

I too used to run my own email from about 2000-2010, but the maintenance overhead is quite stressful, especially because it always happens at critical times or for critical emails.

Almost all spam I receive is from Gmail. It's gotten so bad I've actually set up a filter that routes everything from @gmail.com into spam - except for some whitelisted email addresses. G Suite is fine; it's only @gmail.com that is an issue.

And yes, it's genuinely from Gmail; valid SPF, valid DKIM, came from a Google IP address, etc...

To say the biggest source is Gmail might be technically wrong though - I suspect there's a large volume of spam that Migadu (my provider) is dropping before it even reaches my inbox, i.e. emails that it is 100% sure are spam and it can just drop. Nevertheless, an overwhelming amount of spam I observe/have to deal with is coming from Gmail. Second to that is outlook/hotmail.
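The two checks this comment describes, a per-sender allowlist in front of a blanket @gmail.com-to-spam rule and confirming from the receiving server's SPF/DKIM results that a message genuinely transited Google rather than merely using a gmail.com return address, as an added Python example; this is not the commenter's filter or their provider's code, and the sample message, Authentication-Results header and allowlist are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample, not a real message: a gmail.com sender whose
# Authentication-Results header (added by the receiving MTA) records
# SPF and DKIM passes, i.e. the mail really did transit Google's servers.
SAMPLE = """\
Return-Path: <sender@gmail.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com
From: Someone <sender@gmail.com>
To: me@example.net
Subject: hello

body
"""

# Constructed allowlist: gmail.com correspondents that stay out of Junk.
ALLOWLIST = {"friend@gmail.com"}


def parse_auth_results(value):
    """Map method -> result from an Authentication-Results header value.

    The first clause is the authserv-id; the rest are 'method=result'
    clauses, possibly followed by properties such as header.d=...
    """
    results = {}
    for clause in value.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if m:
            results[m.group(1)] = m.group(2).lower()
    return results


def classify(raw):
    """Return the target folder plus whether SPF and DKIM both passed.

    Only trust Authentication-Results that your own MTA wrote: a sender
    can include a forged copy, so the MTA must strip inbound ones first.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    addr = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = addr.rpartition("@")[2]
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    authenticated = auth.get("spf") == "pass" and auth.get("dkim") == "pass"
    folder = "Inbox"
    if domain == "gmail.com" and addr not in ALLOWLIST:
        folder = "Junk"
    return {"folder": folder, "authenticated": authenticated}
```

The `authenticated` flag is what separates "genuinely from Gmail" from "merely claims a gmail.com address"; a Junk verdict with `authenticated` false points at spoofing rather than at Google's outbound infrastructure.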

> To say the biggest source is Gmail might be technically wrong though - I suspect there's a large volume of spam that Migadu (my provider) is dropping before it even reaches my inbox, i.e. emails that it is 100% sure are spam and it can just drop. Nevertheless, an overwhelming amount of spam I observe/have to deal with is coming from Gmail. Second to that is outlook/hotmail.

This. It's more likely to be survivorship bias -- the gmail emails happen to survive because gmail is more trusted.

Re: [citation needed];

> Gmail obvious spam still #1 in the quarantine folders..

-- Michael Peddemors, President/CEO LinuxMagic Inc.


The citation you are looking for is my inbox. That's the spam that still makes it through and there is quite a bit of it, conversely some ham consistently gets misclassified as spam or just simply disappears entirely.

You are of course welcome to not believe me.

I will echo this experience. An example of an email that made it through from a gmail.com account (abbreviated, it also contained links to some apps (the main purpose I assume) and much more text):

One free month with an annual subscription $ Frequently asked questions

    In 1979, LA residents were wearing masks — because of smog Los Angeles Times staff photographer Boris Yaro photographed Sera Segal-Alsberg on Crescent Heights Boulevard in West Hollywood Segal-Alsberg, an artist-instructor, was en route to teach a class at the Los Angeles County Museum of Art
    For more questions

    — In another sign of live entertainment’s rebirth, Bruce Springsteen returned to Broadway over the weekend
    Employees record their attendance, their departure modern companies while making the most of the enormous capabilities that the technology of the age offers us or the mobile phone (cell phone) or if you use a computer you can use or the administrator can download this application onto a tablet device subscribe to the system 10

    Diverse yet divided cities
    one or several devices then places them subscribe to the system log in only at the branches where he is allowed to clock in  |  two weeks and your employee can clock in in a few seconds e-mail is a powerful and modern electronic system used to record so can the system be used at all these branches enter the branch data if any employees

    Experts say the Delta variant poses a greater chance of infection for unvaccinated people if they are exposed The variant, first identified in India, may be twice as transmissible as the conventional coronavirus strains It has been responsible for the rise in cases recently in India, the United Kingdom and elsewhere
    at the company's entrances or its various branches you can rely on any modern or even old electronic device to record and track employees' clock-ins, learn more subscribe to the system for free, enter the company and employee data

When I ran my own mail server some years ago I was shocked at the amount of spam originating from Google. Definitely their IP addresses, as I would routinely get other legitimate mail from the same IP ranges. It was quite a challenge dealing with this spam, as it wasn't as simple as blocking their IP ranges: the vast majority of my personal contacts use Google. Never saw the same from Microsoft, Apple, etc.

There are quite a lot of small providers left and thriving - I've recently migrated from Gmail to mailbox.org, set up inbox encryption with my own key and can't be happier about it.

It's not as feature-rich as Gmail, and webmail with your own encryption key is not usable, but desktop (Thunderbird) and mobile (K9 mail) clients fully cover my use cases. Cheaper than Google Workspace, too.
