Ask HN: Why isn't whitelist only email used more often or even the standard?

2 points by stuntkite ↗ HN
I plan to be Google and Apple free by the end of the year. I've been migrating my personal email over to Protonmail, which I feel is the best service option. The main reason to use a service is preventing spam. Obviously not getting your emails dumped as spam is important too, but that can be solved by anyone with a static IP.

I've been thinking about whitelist only email for personal though. Why isn't that more of a thing? You can definitely do it with existing services, but this could already be a standard and hosted independently.

You could give people a portal where they can make a request to send you emails and you can approve it and revoke that approval at any time. You can generate keys for people so they'll be whitelisted when they've signed up. You could even print those on business cards and tie their usage to events. You could use that to provide a more complete identity for contact. Chats, currency wallets, feeds of information you're publishing, but you'd never have to deal with an open connection to stuff you did not want.

When I search the problem it appears as if this idea doesn't have any traction anywhere. I had my own email server on Slicehost in like 2001 and haven't messed with operating my own since GHA came online. I am not an expert in this area. What am I missing?

13 comments

[ 5.1 ms ] story [ 49.3 ms ] thread
If I have to go to a web page to request access to email you, I'm just not going to email you. That's the part you're missing.

You're asking people to jump through extra hoops to help you.

Then don't email me. I understand that's what I'm asking. That approval process could be built into how we email each other and be very simple and smooth.
I think there are better solutions to what you want to achieve.

If S/MIME certs were more readily available you could just spam-filter mail that isn't signed, and use the signer's details to better flag spam automatically.

Interesting.

Why I made this post is to figure out a better solution to what I want to achieve. You proposition here doesn't look like it solves it, but I didn't know about it before. I'll dig into it. If you have any further thoughts, I'd love to hear them.

The solution seems pretty simple to me. First sent email is automatically preceded by a request which the receiver can accept or deny. If deny, all incoming communication is blocked, if accepted sender is added to whitelist. No website or separate approval process needed.
Why have the initial pre-message then? Why not just have a client that prompts on unknown senders?

Edit: or maybe that’s what you meant?

Request was just a generic term for asking permission in some way, a client prompt would work. Preferably logged in some fashion.
I think you could probably do this now with a good enough client and mail processing rules.
I vaguely recall seeing something like this on the postfix users list ages ago. you can already do something similar (way less automated, though) with postfix's sender_access map.

as for why it's not a thing.. I think it's too many steps for the masses. you can do it on your own server like I mentioned, though. but on a smaller scale, sure. go for it.

Pretty sure I’ve seen a system like this in action. People sign up for our service; we send them a receipt (and for many of them, the cost is tax deductible); and it bounces with a message that we have to click on a link to enable it to go through. (For a number of reasons, we don’t. And most companies send stuff like that from a black hole no-reply address anyway.)

Good luck when your bank tries to contact you about something important but the email bounces.

I'm a developer and I want to build a Whitelist Only Email service.

The idea is changing how emails should work. When you want to message someone on social media, you have to first add them as a friend, so there is a whitelist-only approach in that regard. Emails should be like that in a way.

When you signup for a service, Facebook for example, you go into this email service and whitelist the *.facebook.com domain, so all emails from Facebook will go through your inbox.

If your email address ends up in the hands of the bad guys, they can't spam you or send you phishing emails since they are not on your whitelist.

Seems like a reasonable solution. I don't know why there is no service like this yet.

I'm still doing some market research hence why I stumbled upon this thread.

Anyone, please jump in and give me a reason to stop making this email service a reality.