Ask HN: What's your email setup?

36 points by 6ak74rfy ↗ HN
Do you use Gmail like almost everyone out there?

If not, you must be someone who cares about their privacy. How do you cope with the fact that almost everyone you email to uses Gmail? In other words, if the people you interact with on email don't use secure/encrypted email, how does whatever effort you put into help?

45 comments

[ 2.8 ms ] story [ 87.0 ms ] thread
I use namecheap for email hosting. A while ago I read quite a lot and it was my preferred option. Maybe there is something better now. Regarding your other concern, although theoretically they shouldn't map my custom email with my usage of chrome or Google maps, I have to admit that most likely they can do some correlations and target me anyway. Still, they will not know about what I buy or where I go (flight emails etc)I, and that's already something.
Still namecheap is the best eamil hosting service provider.
Same. It's been great. Their spam filter needed a little tweaking from the default settings, but other than that, I've had no problems with the service.
Had to drop them after a my first year due to lots of deliverability problems (even with inter-organizational emails hosted on the same service). Its cheap, but 98% reliability isnt good enough for business.
I've been pleased overall with Migadu as well.
Based on a recommendation from HN, I switched to fastmail.com. I create aliases for most new services I sign up for, and treat the actual email address like a secret. Being able to "turn off" annoying services is a delight!
I use Fastmail to punt all of my domains' catchall inbound mail into my Gmail account.

> you must be someone who cares about their privacy

That's quite an assumption. I care about privacy but use Gmail. Email is not, has never been, will never be private. It's a postcard protocol.

I use ProtonMail, and tell people that if they care about secure email, they should too.

I looked in to other services, like FastMail, but from what I've seen, they aren't as secure. I'm no security master, but according to these:

https://www.fastmail.com/about/privacy.html

https://www.theguardian.com/technology/2013/oct/07/australia...

FastMail is subject to the Australian government, so if a "properly authorised Australian law enforcement" person comes, there goes your privacy.

Do others use ProtonMail? Or is there another email service that's as secure? I'm no master, just trying to go after security. However, email is email, so you can only be so secure, especially when emailing people with gmail accounts, etc.

Protonmail when under DDOS attacks routes their traffic through servers owned by mossad. Which again is an "observer" in the global five eyes surveillance network
It's BGP routing, and requests only (not responses). Radware, which is not Mossad, does not do our TLS termination--we do.
The “security as in Swiss” concept ProtonMail uses is a marketing tactic. ProtonMail is a US company. Do some research on the Patriot Act, Liberty Act and the omnibus rider passed in DEC2015.
I use Fastmail after switching away from Gmail and Google pretty much entirely. The core issue with Gmail and other free services is that since you aren't paying for the service they need to sustain in some other fashion(mining your data for example). With Fastmail I know that it's in their best interest to do what's right for their customers.

I use an alias system so I can have email addresses for specific purposes and signups. Also have a bunch of other assorted email addresses.

Google does offer a paid email service through their G Suite product.

It's generally aimed at businesses but the cheaper options are $5 and $10 a month which is comparable to Fastmail.

The problem with the G Suite product, is that it's overwhelming. You get access to the entire suite of Google products. When you only need Email, Calendar, Contacts.
I switched to Fastmail from Gmail at the end of 2017. While it's of course not as privacy-oriented as ProtonMail, it is sufficient for my needs. Like you, I realized that Google's interests didn't line up with my own, and I would rather pay for a service with money instead of personal data.

As a cherry on top, they host a static homepage for me for no extra cost, but that didn't really factor into my decision.

I also use mail-in-a-box: https://mailinabox.email/

Honestly, after 20 years of using 3rd party services I got tired of being subjected to their whims and issues. The straw that broke my back was when Mandrill was taken over by MailChimp.

Not that there's anything wrong with MailChimp, my problem was with investing my time learning how to do things "their way" and exposing myself once again to a 3rd party's whims and issues.

It took me some time to go through all the necessary steps to get mail-in-a-box set up and secured but it was worth the effort and I learned a lot in the process and got a lot more than just email for my efforts.

And it was a lot easier than I'd expected. The mail-in-a-box team has done some great work on that project and the community support is solid.

I have old yahoo addresses that refuse to die. My "main" email is Gmail, but all of my domains are hosted on Dreamhost and have email, so I have addresses on all of them also, but forward to my Gmail for reading/cataloging. Work uses a Microsoft account.
I'm using Gmail and considering host my own email server. But the only/big thing stopped me to do that is how to filter SPAM. Gmail is really useful for SPAM filtering.
If you care about privacy, use PGP.

You can use PGP with a gmail account.

I agree that if you are located in the US, there is no difference between doing this and using ProtonMail, for instance.
I use Gmail for most things. I also use ProtonMail, and I want to migrate things to there because I do care about my privacy but it seems to be too much hassle and I don't have enough time.
These days you pretty much have to choose between privacy (e.g Protonmail, Fastmail, self-hosted) and security (Google). Account security should matter more since your primary email address probably holds the keys to the kingdom for the rest of your digital life. Oh, and privacy as you know it is essentially dead.
Why do you say that? My email provider (fastmail) supports two-factor auth. Beyond that, I use a long password generated by my password manager. Why am I less secure than a Gmail user?

I think security is much more dependent on user configuration. If my password is "passw0rd" then I'll be fairly insecure regardless of my provider. Likewise, since I have 2FA set up, I'm better off, regardless of provider.

That's a reasonable question. You're absolutely correct that security is often highly dependent on account configuration, but Google has invested more into security than any other mail provider and my ridiculous prediction is that their anomaly detection powered by their all-powerful compute network is only going to create a bigger gap there.

For most people, the biggest risk is a troll abusing account recovery or weak 2FA settings to hijack your email account, pivot to other accounts, and wreck your online life. In those cases, you're probably safe w/ a strongly configured Fastmail account (although there have been some recent issues brought to light around Fastmail's account recovery practices [1])

[1] https://news.ycombinator.com/item?id=15855081

The past year I've tried to leave Google and have tried, in order, Zoho, Rackspace Email, self hosting and am currently with Fastmail. However I've planned moving back to Google this coming weekend. I just miss many features and services and the integration between them.
May I ask why you stopped using Zoho? I'm using them currently, but only to forward my emails to a google account. You mention a lack of features, but of course with a forwarding setup that is not a problem.
I setup my mail server manually from scratch with my own scripts. I never had such experience before, so it was total pain and I spent about 2 weeks to get fully working healthy server. Now I know what is behind curtains and how complex mail serving nowadays. At the moment I'm deciding: stay with my own server or trow this headache and buy a service like Migadu or fastmail.
I've run my own email server since the mid 1990s. While it's not trivial, it's certainly not all that difficult. What I find strange and suspicious, though, is how quickly and readily people go out of their way to actively discourage others, and how there's this crazy push to move everyone and everything in to the "cloud". This even happens in places where running one's own email server is expected, such as the selfhosted reddit channel.

There are two problems with that, broadly speaking. One, if we care about privacy and security, the "cloud" doesn't have that. Google can genuinely try all they want to keep things secure, but we know without doubt, thanks to Mr. Snowden, that people who actually work for TLA agencies are working at Google (and Amazon, and Microsoft, and Yahoo, et cetera). So is our data REALLY safe? Even if they're not interested in our data specifically, the data can't be said to be safe.

The other problem is that email with Gmail and others is not deterministic. In the real world of email, you either get an email or you don't. If you don't, you can look at your logs and see why. You'll end up with a precise reason why delivery failed. With Gmail and friends, though, they might simply not like the choice of subject, or they might not like the attached picture, or they may simply not like the cut of the sending server's jib. I've been told that access to email logs for businesses is better than it used to be, but do you think a user who gets free Gmail gets to know why a specific email wasn't delivered?

Finally, I think Gmail accounts shouldn't be usable for WHOIS and for abuse addresses because they can't accept abuse complaints. I consider any WHOIS or any Internet service provider which uses Gmail to be amateurish and unprofessional. There's nothing less professional than setting up an email for incoming abuse complaints that filters abuse complains.

I agree with everything johnklos said and I do the same for the same reasons.

I enforce TLS for certain domains and sometimes for all domains, depending on if I am subscribing to something for the first time and unsure if they support TLS.

I read emails with strings and more. If there isn't a plain text version, I just delete it.

You were probably waiting for this, but how do you handle IP reputation?

I REALLY would like to host my own e-mail server but when I've previously tried this on the various vendors platforms (Digital Ocean, AWS, Azure), I naturally end up with an IP that has either no rep or bad rep. I did everything I could with regards to proving my mail server was legit but still ran into issues with my e-mails being flagged as spam.

I know I could use someone like SendGrid or whatever to handle my outgoing e-mail, but now I'm back into the whole privacy concern area...

In most instances, you get what you pay for. I handle IP reputation by colocating with good, if somewhat conservative, colo providers. The most recent colo provider contacted me after placing my order to ask what services I intended to run, to match my provided address with WHOIS on the main domain I planned to use, and to ask me to explain the discrepancy between the IP from which I filled out their web form and my given address. Some people would be indignant about this. I certainly was not. I'd rather ALL people have to jump through many stupid hoops, myself included, than have a network where money is the only prerequisite to joining. That provider, if anyone is looking, is Turnkey Internet. They're definitely worth considering if you want to deal with real people.

Once you have an address (or a new-to-you address), you have to break it in, so to speak. I did this by setting up reverse DNS (of course) which unambiguously matches the hostname, the primary IP, and the HELO / EHLO name given by the server. I then set up SMTP-auth so I could use it for little bits of email here and there. I did this for several weeks before I started increasing the volume. At the same time, I configured a long running server elsewhere to allow relaying from this machine and started sending email list traffic through the new server, which relayed through the long running server so that services like Google, Yahoo, Hotmail and others would get more exposure to the new server, albeit indirectly.

I also took the time to proactively register the new server and IPs with anti-spam sites and blocklists. This usually involves providing proof that the contact information is real and works, but it helps lots.

Barracuda gave problems - they listed my new IPs even after requesting delisting TWICE, but an email that got to a human fixed this more permanently. While frustrating at first, the fact that you can correspond with a human is always a good thing.

After more than a month of this, I started sending directly from this new server. As anyone who has done it can tell you, running a mailman list these days is hardly trivial considering how quick most services are to consider mail lists spam. But regardless of how much time it takes, it's worth it to take the time, to be careful and deliberate. I've only had to do this four times in the last decade, but not rushing is always worth the extra energy.

Of course, VPS IPs are often much more "beat up" and are usually considered undesirable neighborhoods, more so than colo networks. That's partly due to the more transient nature of VPSes. When you colocate, you're more invested, generally speaking, so you're more apt to keep the IP for many years.

i have some honest questions for you though. i write software daily yet don’t have much knowledge of what you have described here and have even less inkling to want to do any of that. so i think setting up an effective e-mail server is simply beyond the scope of nearly everyone. moving to the “cloud” isn’t some fad for e-mail, it’s just not everyone has the IT knowledge and even less want to have it. what is the real benefit beyond not having your e-mails crawled? is your server really more secure than google’s or microsoft’s?
Saying that setting up an email server is "simply beyond the scope of nearly everyone" is... Well, it's a bit sad, if you honestly believe that. At the same time, it's also pessimistic and disingenuous. It's disingenuous because you do a thing that some people might incorrectly generalize as, "simply beyond the scope of nearly everyone," even though we all know that there are lots of six year olds are learning Python. Granted, there are likely more six year olds learning Python than people in general learning from scratch to stand up email servers, but we both know that your characterization is quite stretched.

So let me ask you, since your post carries a similar sentiment as many others: Why do you feel that you should express a dismissive opinion about the practice when you've also made it clear you have no inkling to want to do it?

For your information, I set up a how-to to show people how to set up an email server from scratch. No, it's not wildly popular, but several people have used it and have written to thank me, so I don't agree in the least that it is "simply beyond the scope of nearly everyone," and I also have evidence that this is clearly not the case.

To answer your questions, not having my emails crawled is just one benefit, but it's a very important one. Plenty of people say crazy and ignorant things like, "I have nothing to hide," not realizing that it's not about that - not even a tiny bit. If we dismiss the fundamental right to privacy because we have "nothing to hide" right now, we can't later on get privacy back. But, obviously, this isn't a concern of yours, and most people can't consider how the principle applies to historical lessons or how it applies to a possible path to totalitarianism.

So what ARE the benefits? I mentioned that my email servers are deterministic. I can say with precision why a thing happened or didn't happen. Now it may be true that writing Sendmail rules is "simply beyond the scope of nearly everyone," programmers included, but the option is there to decide, again with precision, what I want my servers to accept or reject. I even wrote my own Sendmail rules to refuse email from servers that lie about their HELO / EHLO, or, optionally, only accept from servers where the HELO / EHLO name resolves to the connecting IP. Add procmail to the mix, and now you can have rules than programmers can easily create and change.

Another benefit is precise control of all of my email information. If I delete something, I can be sure it's deleted. It's my information, and I want to control it.

Is my server (well, servers) really more secure than Google's or Microsoft's? Unambiguously yes. Microsoft only ever ends up in a state of relative security after long periods of trial-and-error while non-technical managers come up with design goals which are antithetical to security, bad things happen, then those same non-technical managers demand adding security as an afterthought. Google, I believe (and really, we never can know all that much), genuinely tries to get security right, but how many employees do they have? How many have access to private data?

Take a clean, concise, easy to understand OS, install it on a non-x86, non-IPMI, non-VM computer, install a minimum of things to run only what it's intended to run, do so cleanly without extra cruft or OS specific idiosyncrasies, keep up to date with security vulnerability announcements, and colocate in a trustworthy place, and yes, my servers are definitely more secure than Google's or Microsoft's.

i didn’t dismiss it at all. it’s okay for me to wonder why i would want to do such a thing, especially when people claim it as such a simple thing and is instead a rather subtle thing that requires time and attention. i have other interests.

and how is it disingenuous or stretched? i count nearly everyone as, say, 95% of people. if you seriously think even 5% of people have both the skills and want to setup and maintain their own e-mail sever for many years, then you and i are on different planes of thought and experience.

i can understand the crawling thing, although you make a lot of incorrect assumptions. i don’t like it either, but i also don’t enjoy spending my time on things that other people have made trivial.

it’s good people have found your setup posts helpful. if it can be made easier to be self-sufficient, thne more people will do it.

Fantastic, thank you! I've reached out to a few local colocation companies so we'll see what they say...
I’m quite paranoid and put a lot of effort into maintaining a good security posture. Rather than worrying about the security of my emails, however, I simply assume that any email I send or receive may become public one day.

Remember, there is always a third party on the other end of the email, and you cannot control what they do with their copy of it. You can have the most secure email server in the world, but unless you’re sending emails to yourself, that security goes out the window once another correspondent is involved.

Consider this: every time you send an email to someone with a @gmail.com address, there is a copy of your email stored on google servers (not to mention it might even get spam filtered). So did you do all that work to secure your email for nothing?

The one exception is for security related, primarily inbound, emails (password resets, OTP codes, etc.). Here I can see the argument for self hosting. Ideally you would keep a separate email for all signups / transactional emails that is used 99% for inbound, and isolated from any of your public email addresses.

I’ve been toying with the idea of a postfix/dovecot/spamassasin/opendkim solution.

I don’t need one more thing to do, but the big G has me worried.

I am a posteo [1] subscriber. Superior set of features [2] (privacy, security, encryption), runs on green power, no ads / tracking, groups in address book, nice staff -- for 1€ per month. Also supports mandatory TLS transfer (or doesn't send the email), if wanted. Couldn't be happier since ~5yrs!

[1] https://posteo.de/en [2] https://posteo.de/en/site/features#featuresprivacy