315 comments

[ 4.4 ms ] story [ 437 ms ] thread
This seems great, would be pretty popular through a tor service I imagine.
I've been using Purelymail as my sole mail provider for over a year now (previously with Fastmail) and it has been my best email experience.

It's a one-man enterprise, which may frighten some people, but I prefer boutique internet companies to the faceless monoliths. (I'd like more of the internet to be made of these small corner bodegas.)

> It's a one-man enterprise

For this reason alone, I can't trust that they meet all the security considerations email providers now have as a consequence of all the services effectively delegating either secondary or primary authentication factors (or reset mechanisms) to email.

> It's a one-man enterprise, which may frighten some people

Email is super critical for most people these days (eg. 2FA). That sounds like a really scary bus-factor [1] risk, especially considering data is encrypted at rest.

[1]: https://en.wikipedia.org/wiki/Bus_factor

I actually get asked about this semi-frequently. Probably nobody could replace me as a _developer_ on Purelymail, but I've been training my brother to handle extended maintenance and to have handover credentials if anything happens to me personally. (This might be in the FAQ?)
Thanks! Have you looked into source code escrow for this situation?
No, but I will. Thanks for giving me a term to research!
That eliminates some of my worry! Thanks for replying.
I think my odds of getting banned by Google’s shitty AI is just as much of a risk for me as the bus-factor for a one person show.
> Email is super critical for most people these days (eg. 2FA). That sounds like a really scary bus-factor [1] risk

Not such a big deal if you have your own domain (you should). Update the MX record and point it elsewhere.

I've switched from Gmail to a similar setup a year ago. Honestly, it's been way easier than I expected, in terms of updating everywhere. And I can just point my MX somewhere else should I ever be unhappy with the current provider.

No delivery issues either so far. Seriously, the hardest part about this whole ordeal was getting imapsync to run, to transfer my mails over.

Not using gmail or another big silo is really not that hard, as HN often makes it out to be.

I _always_ use that particular phrase for highlighting the importance of information sharing, but I never knew this page existed, thanks!
From the FAQ > Occasionally, obscure email servers will block emails sent through us.

Maybe it's good for personal use or as a throwaway email, but it is not good for main business email. Certainly not a replacement for Gmail or Fastmail kinds. Because you expect the email service to have 24/7 availability and near-perfect email delivery and receiving.

> It's a one-man enterprise

A person can get sick or just wish to take a holiday for a couple of weeks. What happens when service goes down or I need customer support urgently?

> A person can get sick or just wish to take a holiday for a couple of weeks. What happens when service goes down or I need customer support urgently?

I think the expectation of urgency should be put into perspective alongside the $10/year price tag, i.e. if you need someone to get out of bed in the middle of the night $10 is probably not enough incentive.

That said, any issues or questions I've had have been resolved way faster than I experienced with Fastmail.

For me, this would be a major issue for personal emails as well. Even if an undelivered email wouldn't cause a monetary loss it still could have significant consequences, such as upsetting friends or family or missing the signup deadline for your kid's sports team. Personally, I don't mind paying the higher Fastmail prices to not have to worry about this.
Fastmail isn't entirely faceless either :p But we're definitely not still the 3-man show that we were before the Opera years (up until 2010).

Obviously, I think Fastmail is worth the extra for the multi-copy redundancy & backups, new features, contributions we're making to the standards world, and not being dependent on a single person - the past few years in particular we've been focusing on not only being able to survive any server dying, but also being able to survive the unavailability of any single person!

Anyway - glad you're happy. Fastmail will still be here if you ever find that you want to move back.

Oh sorry I did not mean to suggest Fastmail was a faceless megacorp, I was thinking of Google, MS, Apple, etc.

I fondly recall many years ago I had some WebDAV issue and got a reply directly from you saying you'd fixed the issue but you were just heading out to dinner and so you'd push to production when you got back. That convinced a few friends to join too.

After about 10 years, Fastmail felt it was shifting to a more "enterprise" focus, which I can understand, and I just wanted to try something a little more "indie web".

Hah, yeah - fair enough. Glad I could fix your issue. Ahh, Webdav. I know the XML libraries a lot better these days and could make that code a lot tighter, but it's still chugging along just fine, pretty much untouched since :)

As for enterprise focus - not so much enterprise, but we are focusing more on the non-technical user. All the power is still there under the hood and available, but it's not so much in your face if you don't want it to be!

Hi, is there going to be a plan like the lowest tier of mailbox.org (esp. the price)? People who just need email with 1-2GB and probably a catch all?
No, that isn't likely. The email storage used is part of our cost, but a relatively small part compared to the support, operations, and development costs. We don't have any other business subsidising the email service, and we're not intestered in a race to provide the cheapest, no-frills product.
Your custom domain pricing is weird. Is it really important to squeeze the extra $20/year out of the first user? It ends up being $50/year for the first user vs $12/year at Zoho. Why not just put custom domains in the basic tier?

DMARC reporting could be a huge value add if you could build something in. That whole industry is a massive ripoff and too expensive for small businesses.

Over 1/3 of our staff are support agents, and support is one of our largest costs, so yes - custom domains do add additional support challenges, and we do need to cover that cost.

Thanks for the suggestion with DMARC reporting. It's not something we're going to work on straight away, but I'll add it into the suggestions for the domain features. Definitely we'd only look at building something pretty basic and low-touch, but maybe that's enough for a lot of small businesses.

Minimal DMARC reports would be useful. The problem that I see for small businesses is the cost keeps them from even trying it, so they can have problems that never get surfaced.

As an example of where I think the current value propositions are bad, DMARCian charges $240/year for the most basic plan that includes 100k compliant messages in a month. Most small businesses won’t do half that in a year. You probably have good stats to grok that.

I get it on the support thing. I pretty much never use support, so I guess that’s why I always feel like everything is too expensive. I’m always stunned to see how many employees at smaller tech companies are support. Sometimes I feel like I’m subsidizing users that are too lazy to learn.

Heh, yep - you are subsidising users that don't know how to do everything - and they are subsidising you by paying for the engineers to build robust and reliable systems with 24/7 operations support, and developers, and standards authors improving the system for the future... along with the support team.

Anyway, I've already filed the DMARC request internally, and linked to this thread.

Fastmail is not for me because

a) it's expensive for multiple mailboxes (like even three or four mailboxes) and

b) it's right in the Five Eyes jurisdictions (which I try to avoid as much as I can)

but I do appreciate

a) Fastmail's work on JMAP and can't wait for it to become more widely deployed and

b) frank and straightforward responses (including for example in the threads on the Assistance and Access Bill in Australia)

I'm happy to pay whatever I'm paying for what you're offering. I had create two support tickets so far and both were dealt with very quickly and by an actual human which makes me trust you guys with my data even more.
This is the kind of feedback I like to hear! Thank you, and the support team will be pleased to hear that you're happy.
These tiny services are cool. I have the cheapest account on Migadu[1] for all my random custom domain emails.

1. https://www.migadu.com

Plus one. Great, small Swiss shop with decent support and response time. Never had any issues with them.
Can only second migadu, only think I really miss is a Calendar support.
Thanks so much for sharing this! Just spent half an hour reading about this hidden gem and will switch all my projects to them!!
How does Migadu compare to purelymail? I’m not using either and it looks like migadu has their own software stack instead of using something like roundcube, etc. And not just a single person behind it.
Where is this hosted?
AWS us-east-1, it looks like:

    $ dig mx purelymail.com 
    ;; ANSWER SECTION:
    purelymail.com.  86400 IN MX 50 mailserver.purelymail.com.
    
    $ dig mailserver.purelymail.com
    ;; ANSWER SECTION:
    mailserver.purelymail.com. 60 IN A 18.204.123.63
    
    $ whois 18.204.123.63  
    OrgName:        Amazon Technologies Inc.
https://awsips.co for the region information
For some stupid reason I can't bare to see that done in 3 lines.

  whois $(dig +short A $(dig +short MX purelymail.com | head -n 1) | head -n 1)
I stopped using -n X for head/tail in favor of just -X (eg -1 or -10 or whatever). Save a few keystrokes, plus certain unixes (eg Solaris) only work with -X and don’t the support -n switch.
From the website:

> our infrastructure runs on the highly reliable AWS cloud,

Switching emails every N years would really piss off my cutomers. I need one email for as long as the company exists, you see.
Use your own domain and your customers will notice nothing.
Then you really should be using your own domain, at which point you can replace the service at will.
The price is right, but the polish isn't.
Grammarly will eliminate verbose and passive-voice copy, and that will increase its polish. I can take or leave the existing design aesthetic.
That's partly intentional! Hopefully it scares away the users who expect perfection, and they can be better handled by a glossier service.

(Also I'm just genuinely mediocre at design, and kind of personally prefer less frills anyway.)

I'm glad someone posted it here. You're filling a very much needed service in the industry, even if it doesn't meet my particular desires.
$10/year is not bad but I already have more email addresses than necessary.
Thank you for making this service available. For entrepreneurs who like to launch new ideas with custom domains, pricing models like the one here is a HUGE savings over pay-per-account (or domain) pricing found at most major email providers. Further, it's not easy making much money charging just $10/year, even if the business gets quite popular... so again, thanks for making it available.
I'm curious, what are your thoughts on Zoho mail. You can use your custom domains even in their free tier
Zoho Mail's free tier doesn't include IMAP (for new accounts since about 3 years ago), so you wouldn't be able to use Thunderbird, FairEmail, K-9 Mail, or other third-party apps. Offline access on the free tier is restricted to Zoho Mail's desktop and mobile apps. Zoho's Mail Lite plan ($1/user/month) does include IMAP access, and you'll need to do some calculations to see whether Purelymail or Zoho Mail is cheaper.

https://purelymail.com/advancedpricing

https://www.zoho.com/mail/zohomail-pricing.html

I've tried Zoho mail and the "problem" is that it's so much more than mail. It's a huge suite of online apps, really. That means if you purely need mail, it'll take a bit of time to find the setting you need.

(It's been three years since I tried it, and looking at my notes, I couldn't get Zoho to sync contacts for me, and somehow didn't get calendar notifications.)

Well, I'm no expert and I'm not in any position to say anything negative about Zoho Mail... but the free tier you mention seems to allow for one domain. So it likely won't work if you have, say, 5 active domains you want to receive and send email.
It’s only 1 domain I think and they stripped out things like ActiveSync and IMAP a couple years ago IIRC. I use the $1/user/month plan and it’s decent. I don’t use calendars or contacts, so I’m not sure how that stacks up, but the email stuff is good.

The biggest annoyance is that someone used mx, mx2, mx3 for their MX instead of mx1, mx2, mx3, so the dns record indentation doesn’t line up. Lmao.

I’ve used Zoho for a while and you can add on domains. It’s pretty cool and the online mail is a pretty decent UI.
I have a custom domain email address on Zoho and suffer constantly from delivery issues. Sometimes my emails go into spam filters, sometimes they go into a black hole. It’s a huge PITA and I am tempted to either move providers (maybe it’s Zoho’s fault) or just stop using my custom domain (maybe it’s not Zoho’s fault).
I'm quite happy with Migadu for own domain use. I have a dozen that are unlikely to receive email but good to be able to receive them nonethelrss - migadu is great for that as you can add as many domains as you want.

Calendar feature is sorely missing though it seems this service also doesn't have it. I guess calendar is a pain to set up/troubleshoot timezone issues, etc

I've also been happy with mxroute.com which has super low cost promos every November (black friday) so I'm on a $15/year plan. Regular pricing starts at $45/year for unlimited domains and mailboxes, 10GB storage.
MXroute is super awesome for device based email. If you have firewalls, copiers, system notifications, backup alerts, etc. it’s a great fit.

The killer features are unlimited mailboxes and per-mailbox quotas. I make a new mailbox for every device and give them a quota that makes sense; 10 messages per day for most. If a device goes haywire, gets compromised, or gets stolen, it’s one mailbox to fix and maxes out at a super low quota, so it’s useless for spamming.

That’s 100x better than the options on Office 365 which absolutely sucks ($$$) for low volume email coming from devices.

You can setup a receive connector on exchange online to trust mail from specified souce IP(s) (ie your onprem mailserver) with no need for additional mailbox licenses... good for alerting/reporting/MFP's etc
Screenshots of the mail UI would be awesome.

On the drawbacks blurb, it mentions potential deliverability issues and says they’re usually resolved in a day or two. Through blog entries by mailchimp, I've read this is an extremely hard problem to solve and like playing whack-a-mole. How true is that? For example, I’ve read that trying to host your own email on digital ocean is pointless, which is understandable because of the amount of spam likely coming out of their subnets. Is this service downplaying the issue?

The webmail is RoundCube with Classic, Larry or Elastic skins.

I have had a handful of deliverability issues, but every one of these has been due to one of those awful "enterprise network solutions" that does everything wrong.

It's worth keeping in mind that MailChimp is primarily a spam delivery service, of course they're going to have issues where they get stuck in spam filters.
This looks like a good deal. We could use this at https://fabform.io our web forms "google forms alternative" platform.
I recently switched to Posteo from a few years with ProtonMail. Reading from Purelymail's docs and with price being within $3 annually of one another (Posteo is €12 annually)

Posteo pros: comes with calendar and contacts via WebDAV, not registered in the US (Germany is part of 14 Eyes, but not 5 or 9, and the EU is better about privacy), cash payment option

Purelymail pros: more storage @ $10, custom domain support, security key 2FA (though unclear according to docs if this is WebAuthn/FIDO2 or Yubikey vendor lock-in)

Neither: cryptocurrency payment option

The 2FA is just regular TOTP RFC 6238.
Posteo also runs on FOSS and is being endorsed by the FSF - if that matters. They also do 2FA, via TOTP (which many apps support). They offer a migration tool that downloads email from your other accounts.
Both of these email provider options support TOTP so I omitted it; and TOTP ≠ U2F/WebAuthn with a USB token. I have an OnlyKey, but it’s mostly full of TOTP keys already because applications are not supporting WebAuthn. Posteo does not support this, and last I emailed them, they said they do not release information about future features.
Never heard about Posteo. Too bad it does not support custom domains.
Another alternative to Posteo is Mailbox.org [1]. Personally, I use Soverin [2], but that's mostly cause I get it for free with Freedom Internet plus its hosted in The Netherlands. And I can always leave.

[1] https://mailbox.org/en/

[2] https://soverin.net/

I have a question: if this is hosted on AWS, what (and I'm sure there's something, I just don't know what) is stopping Amazon from accessing my mail and using it for whatever?
I believe this is part of the AWS's explicit policy, possibly also in the terms of service:

https://aws.amazon.com/compliance/data-privacy-faq/

It would be crazy suicidal for their cloud business to break it, and possibly open them up to lawsuit.

And of course it would be even more crazy for them to refuse a request e.g. by the FBI or NSA. I'm sure they respect SLAs as much as OnePlus, Huawei & co don't share data with Chinese government.
Yea, they say as much in the data privacy FAQ. I think my recommendation is that if you're worried about being explicitly targeted by state actors, don't use email. (Not even Protonmail.)

If you're worried about general data hoovering, AWS would probably need to implement very sophisticated introspection into what your machines are doing to break the SSL on SMTPS, and courts might not be sympathetic to that. I expect state actors would find it easier and more convenient to just hoover from big providers like Gmail instead.

> Yea, they say as much in the data privacy FAQ. I think my recommendation is that if you're worried about being explicitly targeted by state actors, don't use email. (Not even Protonmail.)

Protonmail (and Tutanota, which I went with) both offer E2E encrypted email via open-source client apps, so they should be fine even against state actors if you use their encryption. In the case of Tutanota, this has even been tested in court.

Of course, if you use them to send or receive plain ol' unencrypted email, this largely goes out of the window regardless of the provider.

The E2E will help so long as you're sending email to other users of the same service, yeah. For most cases, it's probably not a huge upgrade from stored encrypted; the bulk of damage in email leaks would be from accumulated emails from the past.

The reason I don't recommend using it if you're super paranoid is because it'd be easy to mess up, and it comes with quite significant holes- e.g. subjects aren't E2E in Protonmail. Best to use a protocol designed for E2E from the ground up.

https://protonmail.com/support/knowledge-base/does-protonmai...

Tutanota went with a different tradeoff so they have E2E encryption of subject lines etc. Downside is that they can't support other clients, which is why I wouldn't have even considered them if the apps hadn't been open source.

https://tutanota.com/secure-email/

They also have a pseudo-workaround for using E2E with external users - if I send a secure message to foo@bar.com, I can encrypt it with a pre-shared password and their mail will get a link to a web "mailbox" where they can enter that password to decrypt the message. Clunky, but I wouldn't know how to do better.

I personally feel that calling Proton Mail or Tutanota end-to-end encrypted is sort of misleading. Sure, they may have the contents of your mailbox encrypted but in transit they can see your email in plain text and so can the recipient's mail server. If you desire E2EE I highly recommend using GPG or Signal.
I don't know about the Protonmail UX, but the Tutanota apps at least make it very clear when sending an email whether you're using E2E or just plain unencrypted mail. (If you leave it on E2E and try to email a non-Tutanota account, it will ask you for a pre-shared password with which to encrypt the message.)
Encryption, if it is set up properly.
Email is unencrypted by default anyway. Just encrypting your mailbox is not enough, because ultimately you are sending your email to someone else, and their mail server will have access to the email. For conversations where privacy is important, I would setup PGP or use another method of communication like Signal.
They encrypt your email on the disk with your password. So a simple disk image will not get it if your password is reasonably good. AWS would have to be able to hunt for and then find your password in the memory image.
can anyone explain what benefits are to a managed email service over rolling your own on a vps server with stuff like mailinabox? you use your custom domain anyways and it allows s3 or backblaze backups so data retention is not an issue. you use your custom domain so in case something stupid happens to your vps provider, you can just restore and be done with it? and its not like managing your own vps email server is much of a hassle, every few months you have to update the install script and thats it
because of spam many systems agessively block email delivery from IP addresses which do not known to belong to well established mail providers with millions of users. And it is very tedious to unblock it on case by case basis. This is the reason I've stopped running my personal mail server 10 years ago.
well there are checks to see if your ip address is blocked as spam. even then you can just ask your vps provider for giving you a fresh one.
yea, but it have to be done constantly. Somehow you never sure your messages are delivered or if people can reach you. At some point after running my onw mail infrastructure for 15 years I gave up and decided that I would like to oursource this to somebody else, a email provider who have a dedicated team of admins making sure my mail is delivered, so I do not have to worry and spend time on it myself.
If you have new IP and that IP don't have bad history, then your main issue is hotmail and Office365. There is little bit rate limiting over next 24h period, but if you host yourself and don't send unsolicidated bulk messages, then you don't see those limits. Some anti-spam services graylist you, that causes usually 5 minute delay for delivery.

90% spam score comes from message, sending server isn't that relevant (if you base configuration is reasonable: PTR is right, server knows it's hostname and don't EHLO himself as localhost and so on). You can look at SpamAssassin default rulebase[1] for common rules.

---

[1] - https://spamassassin.apache.org/old/tests_3_3_x.html

People in HN are weirdly afraid running own mail server. Thats not that hard. If you are web developer, who is capable setting up linux+varnish+nginx+php-fpm+redis+mariadb stack, then I would say that functional mail server has less moving pieces. I think most horror stories are related to trying run own server in bad neighborhood, in some cheap VPS service. Now entire IP block has bad reputation and indeed there is hassle with delivery.
It's not that weird.

Mail is the only critical thing most people run for themselves, really; and if the proverbial excrement hits the fan, mail is useful in fixing the fallout.

Sure, I would be able to acquire the skills to run a mail server, and I know how to monitor it all, and I know about what the moving parts are. But why go through all that hassle to save 10-40 dollars a year?

There isn't much breaking usually, I really don't remember big issues in my 15+ years self-hosting time. I have changed colocation place several times, some places have been offices with average office internet (without redundant links or BGP peering).

I can see issues, if you over-engineer and try build some microservice farm in some cloud provider, but simple physical server with DC grade disks in RAID and backup (tested and out of server) is pretty reliable.

Of course, when you really don't want to do it, then paying for someone else is reasonable, no issue with that. But its not fair to make mail self-hosting look like something very complicated and dangerous, I would say that modern web service stacks are more complicated and fragile. Lots of guys here are writing own internet facing software, handling customer data. Compared to that, using pre-existing mail server software isn't that hard.

i wrote how i used "mailinabox" https://mailinabox.email/

this makes it stupid easy to set up your server. you have to do little config and you are up and running.

I decided to do miab because i had a necessity of "email aliases" in hundreds. none of these low cost email providers allowed that, unless i went with google workspace or 365 if i remember correctly.

rolling my own solved this issue and for the same price plus the "management headache" which i saw as a personal challenge more than a chore. so i am very happy with the results.

gmail has given me headaches in the start but if i send more than a few emails with attachments to gmail, they still flag all emails as spam so that is a recurring problem but not something i cannot live without

its not always about saving a buck. i spend more in hosting +domain than i would if i went with fastmail or zoho or whatever. what it feels like is going from google to zoho. when you own the server, you own the backup on s3, you know you can just switch servers if need be. your addresses and everything comes with you.

i see this as a hobby if nothing else. maybe others have the same idea

Email is different from a website, in a way that if the website doesn't load, I can fix it, reload, and go on with the day. After fixing my email stack though, I can't exactly make the sender retry their email. If I miss it, then that's on me, it's a ship that sailed, and often I don't even know about this.
Oh cool, my project is on HackerNews! I was wondering about the sudden uptick in user signups, and then I checked HN...

I'm Scott, feel free to ask me anything about the service.

Great work, and as somebody who self hosted my own email from 2013 to 2021, I don’t envy you. What broke me down was Google starting to spam my emails that were replies to conversations that I did not start — even with a stellar domain reputation and DKIM, SPF, reverse DNS, greylisting, everything set up right.

I hope you have personal contacts on the Gmail team at Google, much as I’d like for this to be a joke.

I actually haven't had huge problems with Google (yet). I'm not sure why.
My experience has been cyclical, as long as you stick to IPv4 with good SPF and your reverse DNS works it will work 95% of the time. The remaining 5% appears to be completely random however.

It’s possible that my issue was too low a traffic to ‘hold onto’ my score with Gmail, since it was one domain and one email address. With some luck you should be able to have enough traffic to avoid that. Best of luck.

I had this exact same problem. When I finally got hold of someone who worked for Google (via a friend of a friend on a mailing list) and with the ability to check whatever their logs were claiming, I was informed that my domain's reputation was "too recent" or something like that.

My domain is a year older than Google itself and has been in continuous use for e-mail that whole time. The IP addresses it is on haven't changed in a decade. But that didn't matter. DKIM, SPF, DMARC, forward and reverse matching DNS, exactly four users who do not send spam under penalty of being buried under legal solicitations for green cards, and all the rest didn't help. Randomly getting sent to /dev/null for no good reason. And not enough traffic to qualify me to use their Postmaster utilities.

Three years ago I gave up and ported to Fastmail with a tear in my eye for the days when even the smallest net on the Internet could be a full participant.

Same here - I HAD to move over to Fastmail because like GP I'd respond to email enquiries from GMail addresses and then never hear back. After weeks of this, someone finally phoned up to complain about my poor customer service. This despite also having an old and apparently well set-up domain.

I lost a lot of business back then. Thanks, Google.

I have a legacy GSuite account. Google filters email from Facebook and Microsoft sometimes. Hell, I think I might have even seen them filter their own mail once.

It’s a clown show. The opaque filters are just an excuse to engage in anti-competitive behavior IMO.

To be fair Facebook used to send an enormous amount of spam emails, at least to me. Years ago when I used it somewhat regularly they used to constantly shuffle their contact preferences and the effect was that I was constantly opted back in to an insane amount of emails. Eventually I just started marking them as spam until Gmail blocked everything they send. I've seen family Email addresses fairly recently full of Facebook junk too so I assume they still default to sending a lot.
I really enjoyed the whole process of running my own mail setups, configuring Postfix or OpenSMTPd to do clever aliases and transports, setting up CARP failover relays, managing DNS records, experimenting with different SPAM-filtering techniques, SSL, IMAP, mailing lists, the works. It taught me a lot about networking and security and everything a good sysadmin should know.

I find it sad that that‘s pretty much a waste of time now for most use cases.

I ended up doing the same for the exact same reason. And even when using fastmail, my email still sometimes gets blocked.
FTR, directed at those who valiantly continue to self-host mail/SMTP: Greylisting is not sound any more in this day and age, because the largest mail services will rarely, if ever, use the same MTA instance to retry delivery upon a soft bounce.

The good news is that if you have postfix, using postscreen with an informed choice of blocklists is enough to deal with 99%+ of inbound spam. You can strap in rspamd or spamassassin/amavis behind that, but it's mostly not needed.

The inbound-mail-problems are largely solved, but surefire delivery to other parties is a matter of IPaddr/domain reputation, properly implementing relevant standards, and luck.

If you're interested in learning more about (including, but not limited to, self-hosting) email, the #email channel on the libera.chat IRC network is a great resource to ask questions.

> FTR, directed at those who valiantly continue to self-host mail/SMTP: Greylisting is not sound any more in this day and age, because the largest mail services will rarely, if ever, use the same MTA instance to retry delivery upon a soft bounce.

I had this issue with SendGrid years ago: long story short, after discussing with support and eventually an engineer it turns out they weren't just looking at the status codes, but at the status messages. I don't recall the exact patterns they used, but they will retry if the message matches a fixed set patterns, and otherwise it would just discard it.

There was some back-and-forth over this, because our customer just had greylisting with the "wrong" error message. To be fair, they did turn it off for a few hours and took the conversation serious (none of this "we have passed it along", never to be heard from again) but they got back to us they turned it back on again "because the queues got too large". I mean .... okay.... Seems rather curious to break a fundamental aspect of email because "muh queues". Not having to worry about this sort of stuff is exactly why we're using SendGrid in the first place :-/

My experiences with MailGun were also not exactly stellar. At the time at least, these people literally did not understand how encodings worked and would mangle e.g. Greek or Hebrew emails in ISO-8869-7 or -8. Why? Well, turns out that "emails should be in ASCII or UTF-8 and there is no way for us to know which encoding is used". Ehh ... there is literally a header telling you... I sent a nice detailed email explaining this: no reply. Some follow-ups over the course of a few weeks: no reply. A not-so-nice snarky email inquiring whether the entire MailGun team was suffering from a horrible debilitating disease and if there was anything I could do to help: "well, we just didn't know what else to do as there is no way to solve this"...

I'm hardly an "email purist"; I understand there are practical concerns and the RFC isn't a stone tablet from the mountain. But this was just ridiculous. There are a bunch of other cases both SendGrid and MailGun are actually quite bad at.

Dealing with email providers is always a frustrating experience.

I haven't used DCC, but it looks like an interesting anti-spam toolkit:

https://www.dcc-servers.net/dcc/

It appears to support "weak" IP matching:

> All or part of the IP address of the SMTP client can be optionally ignored by DCC clients as far as the greylist triple is concerned. This feature may be useful for legitimate mail systems that shuffle messages among SMTP clients between retransmissions. See the dccm and dccd man pages.

https://www.dcc-servers.net/dcc/greylist.shtml

It doesn't quite sound like it does a job of 100% "same email, same sender, different mx in same domain" -but I suspect it works well enough in practice?

> Usually the DCC greylist system requires that an almost identical copy of the message be retransmitted during the embargo. If weak-body is present, any message with the same triple of sender IP address, sender mail address, and target mail address ends the em-bargo, even if the body of the message differs.

> If weak-IP is present, all mail from an SMTP client at an IP address is accept after any message from the same IP address has been ac-cepted.

https://www.dcc-servers.net/dcc/dcc-tree/dccd.html#OPTION-G

I can't recall what I used for greylisting last -possibly greylistd.

Anyway, the smart play these days might be to whitelist/greylist via SPF - I'm not sure if spammers (of the variant caught by greylists) generally have SPF?

See: https://poolp.org/posts/2019-12-01/spf-aware-greylisting-and...

https://github.com/poolpOrg/filter-greylist

Ed: although if service providers like mailgun simply ignore rfc and only "sometimes" retries... wwell that's a problem.

Two questions from me:-

  Usernames on shared domains:

    1 to 6 letters: $1.00 per user per year
    7 to 12 letters: $0.25 per user per year
    13+ letters: $0.10 per user per year
1. Why does the length of a mailbox name make a difference?

2. Do you support IPv6?

Shorter emails are more catchy, and their total possible number is smaller. So they can be more valuable.

boss@example.com is cooler for some than john.n.johnson.2@example.com, and they will pay.

I think there is also another reason: Shorter addresses receive more spam and spam attempts from guessers.
1. Basically what nine_k said. It's kind of a trivial point most of the time- honestly might be a bit overpriced right now.

2. Not at the moment- IPV6 support is a little dicier for mailservers because the scarcer IPV4 address is often used as a antispam signal.

But if I am using my own domain, what difference does it make if it is more "valuable"?

Sadly the lack of IPv6 is a deal breaker for me.

Oh I think there's some confusion here: for your own domains it doesn't cost anything extra, so go nuts with addresses.

Purelymail also has some domains you can use like I can get "koselig@purelymail.com" and then I'm charged in the 7 letters tier for it.

At least that's how it's been for me as a happy user of PM for the past year and a half.

This is the best pricing scheme for email I've ever seen.
How do you do spam blocking?

I think Gmail really shines at this. It's one of the reason I was thinking of switching to Hey email also, though after reading Hey's reviews I've decided not to. So anyway, would love some comments from users or you about how good you are at separating the wheat from the chaff.

I think SpamAssassin (plus curated greylisting) does a decent job most of the time, although I'm starting to see weird issues with spurious DNSWL tests that pass through pretty spammy mail.

In the long run I'm probably going to replace the Bayesian part of SpamAssassin with something custom, simply because operationally it's painful and I think neural nets are closer to state of the art.

Hey has bad reviews now? Huh. I really enjoy it.
Good job, Scott! This is Stan from SaaSHub. I'll be featuring Purelymail on next week's newsletter of SaaSHub. It's a good moment to verify the listing and improve the details.
Cool! I'll make a note of it on my task list (I think I still have the old task on there too, which is nothing against SaaShub, I was preoccupied).
Looks great!

Supporting ManageSieve is a nice touch. Most sieve services only allow managing sieve through a web UI.

I use Fastmail and like that they contribute to open source mail servers, and do standards work (JMAP).

Does PurelyMail contribute to open source?

In general yes I do contribute to open source, although there's not too much to contribute back to open source _yet_, so the main contribution has just filing Roundcube bugs. (The main mailserver code has diverged too much from Apache James to really be useful.)

Some of the libraries I wrote are open sourced and on my Github account, e.g. the web framework: https://github.com/ScottPeterJohnson/shade

Hey cool - glad to see James being used as well. Hopefully the JMAP support that Linagora have worked on will mean that you can bring JMAP eventually too.

I hope you don't find the pain of diverging from the mainline to be too great. We kind of cheated there with Fastmail and Cyrus IMAP by merging all our changes back to the mainline, since there wasn't much other development happening.

Yea, I do plan on adding in JMAP. It's so much nicer than IMAP, I really do hope it can overcome the adoption hump.
Awesome - do keep in touch while you're doing it. We have some documentation up at jmap.io but of course seeing the challenges that people face as they try to implement is always good for improving the documentation for the next round.

(We're also working on JMAP for calendars and for contacts over in the IETF working groups - hoping to publish Calendars by the end of this year)

Will sign up in a heartbeat as soon as you have CardDAV / CalDAV support!
We do have CardDAV support, and hope to develop CalDAV soon :)
Good luck with CalDAV - it's pretty hairy! I do recommend joining CalConnect if you have the budget for it - you get access to a lot of experts there. Or at least show up to the calsify mailing list at IETF, we're pretty friendly there too. The edge cases in Calendaring are a right pain.
I would recommend using some existing opensource tool for that and not roll your own implementation
Consider etesync, which offers client side encrypted Card/CalDAV.

You can still use Purelymail for mail, and have your mail client provide a cohesive mail/contacts/calendar UI.

If you don't mind separating your mail from your CalDAV there is https://fruux.com

(I use a paper diary, YMMV.)

€4/u/m is pretty steep. I'm currently using fastmail which is $3-5/u/m for mail/cal/card.
It is free if you only use it on 2 devices
Yeah unfortunately the main cost I'm looking to reduce is a family domain which I have ~10 family members on.
I'm sorry if I missed it, but do you do catchall email service for custom domains? My current email provider (https://mailbox.org) limits email aliases per price plan, the most basic that I currently use allows for 3 + a free root@ and webmaster@. I'd probably be convinced to go through the hassle and switch providers if your service provides an improvement over this limit.
IIRC, mailbox supports catchall if you sacrifice one alias for it. You’d have to input „@domain.tld“ at the alias config menu.
Yeah, that works for me as well.
I had no idea, thanks a bunch! I'll set it up right away!
(comment deleted)
mailbox.org supports catchall aliases.
Yes you can have unlimited domains/aliases with catchalls and RFC 5233 subaddressing.
Yes, we have catchalls. We don't restrict how you route anything under your domain, and you can send from any email address you own.
Thats good to know. Apparently my current provider allows for those as well, but honestly the proposal "just email, nothing else" might be attractive enough to try your service anyways.
You can use x3 domains with catch-all. Just add each one as "@domain.tld" and setup mx/spf/dkim/dmarc as usual. Then the domain will receive with catch-all. However, prepare to be spammed, as many spammers figure that "mail@domain.tld" are always available, so that one will frequently receive spams.

If you need more than three domains, try Migadu(not affiliated, just happy customer), they have no formal limits to their "micro" plan and is cheaper than FastMail. Migadu also allows adding alias domains(something I haven't seen anywhere), basically if you have a mailbox like "merlinscholz@domain.tld" you can attach some more domains as alias, like "@domain2.tld" "@domainx.tld" and those will all receive/send/operate as the same "merlinscholz@domain.tld". Neat feature I haven't found yet on other services.

I use Tutanota and it supports catchall aliases.

12€/yr for 1GB + custom domain + 5 aliases (plus catchall).

Same price for 2GB + Custom Domain + 3 sending Aliases + Catchall + Contacts and Calender Sync + Web Client + hosting in Germany for the old Mailbox.org plan is still the better offfering for me privately as I regularily clean up my Mail + like having calender and contacts integrated.

But 10€/ month for unlimited storage and users is definitely a good offer, too.

I just want to thanks for the service, I just need email for my personal stuffs and after hassles with self-hosted solution I gave up. The pricing is on point, I'm relying on the free Protonmail and their asking price is too high to me so I signed up for purelymail.
Hey Scott - tell me how you got the word out about Purelymail?

Obviously you reached the right audience and they liked what they saw to post it here and generate so much interest. Consider me another subscriber!

Sum total of my marketing efforts: One time I mentioned it in HN comments on a post about Fastmail, mostly because I was going to make a comment about owning your own email domain anyway.

I am usually the classic "engineer who neglects marketing" archetype. Maybe at some point I'll overcome that.

How do you deal with spoofing?
Depends on what you mean. Inbound email is checked for authentication (SPF, DKIM, DMARC, etc) as part of the spam filter. For outbound email, we ask you to set up at least one of SPF or DKIM before you can send.
One thing is not very clear: how many custom domains can I have? Can I use 30 domains with 2 users each (random number, but i do need 3 domains).

How is the mailbox on phone? My major problem with email hosting is the lack of a decent mailbox service that's available on. Windows, android, linux that's either. One-time-purchase or open source. A monthly fee is fine if for unlimited users (I have a family)

You can have as many domains/users as you want. (Unless it's like five billion and breaks the service or something.)

Generally phone access is third party through IMAP. On Android I personally use K-9 mail, but you can use anything that supports IMAP anywhere, which is a pretty good number of options for any platform.

Thanks for the response, suddenly this makes it very interesting!

I wish K-9 had snooze-email, it's the one feature (non-standard) I use a lot

It seems you support TOTP as 2FA.

Great job.

What provisions are in place to prevent someone from opening an account, use it to spam and then putting your IP block on a shitlist with large email providers like Gmail?
Rate limits, feedback loops, and we scan outgoing mail through SpamAssassin. In practice we've only had password breaches causing spam, nothing intentional.
If a plane crash into your house while you stop the service for maintenance, how will the service be back again and can we access our mails?

Sure, i use IMAP and have local copy and backup. But Murphy's law, my Laptop die at the same time and my backups were stolen.

Slightly OT, but what is the best practice to store (archive) email locally after they have been read from a remote imap server?

3 Gb is plenty for a few months of "live" email but after that what should we do to keep those emails -- and still have them searchable if need be?

I keep everything remote, so that every client gets the whole corpus. For now, that means that indexing is done with notmuch whose command line I use for search... Not as good as a webmail's UI but it puts search results as a maildir so I can open them from any IMAP client as a special folder.
Are there any open-source projects similar to Barracuda’s Archiver product?
Thunderbird has "local" accounts, you can move emails there and have them removed from your imap server. You can also export emails to .eml files, throw them wherever you like and grep for contents if you like.
I have a local maildir[1] account in Evolution. Each of my (IMAP) mail accounts is set so the "archive" command moves the message to a folder under the maildir account (if you're using Evolution, this can be configured under "Defaults" in the account properties for each IMAP account). Anything worth keeping from any of my IMAP mail accounts is archived to the local maildir, everything else is deleted.

The local maildir account is searchable like any other mailbox (I have about 10,000 messages going back to 2003). Syncthing[2] is configured to sync the maildir directory for backup and sync.

[1]https://en.wikipedia.org/wiki/Maildir

[2]https://syncthing.net/

Do you support DKIM/SPF etc? Are these still useful?
They are still useful. One of DKIM or SPF is required to send emails on a custom domain. Both are recommended.
Hey there, cool service. I signed up immediately.

>You cannot have more than $50 in credit at any time.

Just curious, why a $50 limit? I'm the weird kind of guy who likes to pay years in advance. If possible, please consider raising this limit to $100 or even $200.

Risk. To the provider, prepaid fees are a liability.
Yea, this to an extent. Honestly I thought people wouldn't need more than $50 too, maybe I was wrong there.
When signing up for a trial, the page says:

> To activate a trial account, you will need a reasonably modern browser and a phone number that can receive SMS texts.

It makes no mention of the use of a "hashwall" ... It gives no indication of what the user's browser is going to do ... Just a progress meter with a note saying it will take about 3 minutes.

This feels fishy. Especially if a user doesn't know how to get into the developer console, find out what's running etc.

Just completed my signup. I am going to check if the domain that failed to work with forwardemail.net[1] will work with your service.

If it does, then I'll say goodbye to my $36 and hello to your service.

Update: While setting up, I noticed:

- Ownership record content in `code.codebox` does not fit in the content area and extends entirely too far to the right. I had to inspect and copy out of developer tools.

- In general, UI elements seem not properly aligned, contained.

These are not deal breakers to me. The site might actually benefit from going more old school. Trying to fit everything in a narrow box with large font sizes and padding is hard.

Update: I had already clicked on CloudFlare instructions. It's the friendly stuff that has the problems I mention above. The actual information at the bottom of the page is actually displayed the way I would have expected.

Update: After creating the DNS records, I noticed the checks were still failing. So, I replaced the actual IDN in the textbox with punycode and the DNS checks worked. It would be a better user experience if the punycode conversion step was handled by the UI.

Update: Created a new user on the custom domain. Login box does not accept IDN either but the email composer does show the from address using IDN instead of punycode.

Update: I was able to exchange email with a Gmail user. Did not go to SPAM. But, in my reply, Gmail did give a scary warning about the IDN. To be clear, there is nothing the email provider can do about that :-)

I'll try out a few more custom domains and very, very likely switch. Thank you and good luck.

[1]: https://news.ycombinator.com/item?id=27523038

I clicked for a trial... after a while I entered my phone, received an SMS, and no indication of what to do with the code I received. No place to enter the code in the web page, nothing.

Second attempt, and I got a place to put the code. Then, while I was filling up the registration data, the page refreshed and started all over.

Third attempt finally worked...

Not the best on-boarding experience, but hey it really is cheap!

(comment deleted)
Hm, no idea what would've gone wrong in your case. It sounds like something kept closing the websocket used to provide page interactivity or something?
For the trial hashwall, the browser just does some heavy computations. I guess I should add a warning there, it's probably does have battery impact if you're using a phone for whatever reason.

I'll make a note on the UI elements. Honestly hadn't thought about the punycode usecase, good catch.

> For the trial hashwall, the browser just does some heavy computations.

Yeah, I figured that out, but someone else might think you are trying mine some *coin or something. I am not sure if I would mind it if you did, but it would be good to tell up front what you are doing. It does seem to be a much better than recaptcha.

The fact that it works is good enough for me. I am going fiddle a little more before I sign up, but it looks like this is fills my needs.

Scott, nice service! Two notes:

1. I don't know if it's the social media kiss of death at work, but I'm getting lots of SSL errors trying to load your site. It's a crap-shoot whether it works or not right now.

2. Seeing this post, I posted this: https://news.ycombinator.com/item?id=27711124. If you don't already (did I miss it?) it might be worth tossing up a page or an item in your FAQ teaching people about how they can go about migrating their email address to another/your service. I don't know how easy/hard it is (hence my AskHN post), but the perception is that it's nigh impossible to do.

> 1. I don't know if it's the social media kiss of death at work, but I'm getting lots of SSL errors trying to load your site. It's a crap-shoot whether it works or not right now.

Hard to say for sure. None of the servers really went above 15% average CPU and I don't think they maxed out net, and the health checker for HTTPS didn't have any problems. I'll doublecheck.

On the subject of migration, I'll make a note to add a FAQ for that, thanks.

I think you're typing purelyEmail.com, not purelymail.com.
I looked at your About, Security and Privacy pages. I see that you're using AWS, but which region/country/jurisdiction is that located in? Is it safe to presume that since the company is an LLC, the company as well as the AWS country are the U.S.?
Is it a one person show, or are there people, team, cofounders, and a company behind it?
Just me- check the about page. (It is registered as a company too.)
I am using migadu after recommendation from drew devault. It's nice if you have a couple domains you want mail for.
This looks great! Sign up for the free trial was pretty slick. I'm not sure how well known Klarna is outside of Europe (I know they launched in the US), but that would be my preferred method of payment. Or.. anything but Paypal (and giving my CC information)
At least according to their marketing Klarna make their money by charging retailers, so it's probably not viable for this sort of business.
FYI, the credit card checkout option allows for using Apple Pay, so I went that route to obfuscate my CC info (and get cash back, because hey, why not).
FYI: your pricing calculator is incorrect. If you choose more than 1 year, it multiplies the "price per year".
(comment deleted)
this is great, services that actually does what they where supposed to at a low cost instead of ad spamming/tracking/spying on me for additional cash i wish you luck my friend!
I'm not sure price is the parameter to compete on for email services, at least for me. Email is extremely important to most businesses, and if I'm already paying for a domain, and running a business, even the $70 for a Workspace solution is a drop in the bucket. What I need, however, is deliverability, strong privacy and security, good spam filtering, and support when I need it.

I'd encourage you to try doubling or tripling the price so you can afford to hire more people and grow the business :) I suspect the rate of signups will stay the same.

Perhaps you're not the target customer?
> We're not trying to bamboozle you with glossy images, or sell you a lofty ideal.

I appreciate the dig at psuedo-righteous slogan-eering like "Don't be evil.", "Bring the worked closer together". Just fucking email.

Looks good. Fair pricing. I hope it works out for them.

I started out with self-hosting mail-in-a-box [1]. If you really want to self-host, I can highly recommend it. Would be the cheapest option. At some point I decided to let go of it, because maintenance and configuration can still be a bit cumbersome. There was one thing (DMARC or DNSSEC?) which I never was able to set up properly for some unknown reason, even after long hours tinkering around with it...

So I started to look at other mail hosting offerings with custom domain. One thing I like is that gandi offers free mail hosting for a domain you order through them. [2] That's quite unique for a domain registrar.

Also, be aware that free 3rd-party mail hosting with a custom domain does not exist. I started out with the free plan at migadu, but they switched to a paid plan soon after. [3]

The same happened to postale.io after a while. [4] At least I could keep my free plan there.

Zoho is free [5], but their custom mail application and the countless other services they try to sell you completely put me off.

[1] https://mailinabox.email/

[2] https://www.gandi.net/en/domain/email

[3] https://www.migadu.com/pricing/#what-happened-to-the-free-pl...

[4] https://postale.io/faq#What%20happened%20to%20the%20free%20p...?

[5] https://www.zoho.com/mail/

+1 for gandi as a mail host.
I'll throw my hat in the ring for postale, they are a good service for both individuals and business. Is $1 a month really going to put you in financial stress? Is your business going to die paying $5 a month?

> Also, be aware that free 3rd-party mail hosting with a custom domain does not exist.

You can set up a custom domain on a free gmail account, it's hidden away but certainly possible.

https://mailbox.org I pay 1 euro per month. With calendar, contacts, file storage and DAV. With aliases and your own domain. Plus it's a well-known company.
Custom domains and cloud storage are €3/month. Not included in €1/month.
Old users had the option to stay on the of 1 euro tariff with all included
But mailbox.org is also priced per mailbox by default. When I checked with Mailbox.org support a few years ago, there was no way to go beyond 25 aliases on a single mailbox (even when one is willing to pay).
Isn't Google free? Perhaps with certain limitations... I know I never paid for email.
GMail has ads. It's free because you are the product, not the customer. Google's customers are the advertisers. The money has to come from somewhere.
I'm not talking about gmail. This post is about hosting an email with your own domain.
Google workspace isn't free.
Can't find any free plan either now. I guess they just discontinued them and are not upgrading existing accounts.
It's not been free for around a decade now. The free version was mostly a ploy to attract people away from Outlook at the time.
(comment deleted)
Early editions of Google Apps for Business (aka G Suite aka Google Workspace) included a free version which included support for custom domains and catch-all email. Those accounts got grandfathered (i.e. stayed free) when Google discontinued them. The cheapest plan seems to be $72/year per user.

https://workspace.google.com/pricing.html