Counterpoint: I lost a domain when a registrar went out of business, and another when a registrar bumped the price 10x and refused to give me authenticode unless I physically show up to their office. Sure, I cheapened out and used shady cheap registrars, and this all happened a while ago so things are probably more regulated now, but for comparison I never permanently lost access to hosted email. (Losing access temporarily is another thing, Google likes blocking me from my own account when travelling.)
One time I had several domains at a registrar that began to fall apart organizationally. They couldn't transfer my domains out with their automated tools and they weren't answering my emails. I filed a dispute with ICANN and had all my domains transferred out within a week.
So at least for .com and .net there's a responsive third party with procedures to work around failing registrars.
While I did lose access to a hosted email and other services, and only permanently lost access to a free domain name so far, also was close to losing access to regular paid domains on multiple occasions (once because of the used registrar, twice because of the place I live in and international politics, being disconnected from payment systems, though with registrars also contributing a little).
Mandatory reliance of services on other services (whether it is email, phone, or a more explicit identity provider) is generally unfortunate. I think it is best to not look for a perfectly reliable setup, as it is unachievable, but to keep in mind that they are not reliable, to have recovery plans and fallback options if possible, reduce dependence on online services, especially those depending on others. Though a personal domain name still seems more reliable to me than that of an email provider.
Even if you don't do dealings with shady registrars or TLDs (.af was a fun TLD until the Taliban returned to power...), you can lose your domain. For instance, lots of British people lost their .eu domains when they were no longer EU citizens thanks to Brexit.
On the one hand, using national TLDs can be a problem if the area you live in is no longer considered part of your country (I imagine .ua owners may have that problem in the future with the way things are going). On the other hand, using TLDs like .com/.net/.ai/.io puts your domain under control of foreign law enforcement (US for .com/.net, UK for .ai/.io).
Cloudflare aren’t a bad registrar (imo) - they sell and renew domains at wholesale cost, forward emails, can do website landing pages with a Worker (etc). Understand the product in depth and would seem like a reasonably safe bet. (Not shilling for them, just personal experience).
I have the opposite problem. I want to get rid of email at a legacy unattractive domain but it's still appearing here and there so I keep paying for it and preserve the setup for it.
Step 1 : go with the one company that's known worldwide for abusive & permanent bans with no recourse.
This post is a bit too generic, but it's true that using your own domain for mailing is the best solution to avoid getting locked out. Although you need to pick a good registrar, too...
I learned this lesson when switching away from the first ISP I had email through. Rather than switching to another transient ISP email, I registered a domain. I've been through a couple of email providers but my email address never needs to change again.
There are online services where a bad actor can enter your email to automatically sign you up for hundreds, thousands of marketing emails. In the event that that happens, given that you have full control over the domain, you could just divert whatever <x>@yourdomain.com to a black hole. What will happen when email attacks become more advanced--to the point of signing up thousands of different <x'>@yourdomain.com? What strategy would one have then? You would most certainly have to part ways with that domain.
The author makes a good point, your email address is (arguably) more important than your home address. Perhaps there already are, but I hope for better safeguards against these kinds of attacks.
This happened to me! Can I go to these services and turn it off, like remove my name from these spam lists? Please point me to this.
About once a month I go and drop myself from the latest lists. There are many magazines and whatnot where you can sign someone up for 100+ mails a day. Only a very few of them send you a message you have to ack to start the flood. Most just start the firehose without checking.
I'd like to hear what other people do to address this.
Over the past few weeks I've been systematically migrating every one of my accounts to a domain under my control.
During the process I've been marking them in a spreadsheet with their 2FA status (no 2FA, TOTP, security key, etc.) and adding their passwords to a password manager.
This is all in case I ever need to go through the migration process again for whatever reason, or if I lose/break a Yubikey, I will know what I'm signed up for, and will know where to enrol my new Yubikey(s).
It really is a massive hinge for many people that isn't even really considered, most people's entire digital lives would be uprooted if they lost access to their email for whatever reason.
Thankfully that doesn't really ever happen to most "normal" people to my knowledge, since most just use Gmail, but I know it can and has happened through account bans or such.
Looks like a good intro for people who want partial self-hosting, which is better than leaving it with a megacorp (especially for non-professional email).
In before:
* running your own mail is too much of a burden
* I used to host my own mail but I couldn’t figure out DNS or used a bad IP or something and Microsoft/Gmail won’t accept my mail
* if “they” want to ban you they will just seize your domain or kick down your door and shoot your dog
* it’s good that they can ban you from your email because I don’t like spam
Edit: lol, I was not in fact “in before” the comment about domain seizures. Unbelievable.
Creating aliases for the addresses you are actually using, e.g. a netflix@ signup is preferred over a general catch all, .. and all that spam senders can generate approach.
I've been doing this for years, though I don't really think of it as "having a backup" so much as "using an IMAP client". Works fine. It's really useful to be able to make up a new email address for every company who wants one; they each get their own folder. If I get any unexpected mail, it's obvious where it came from and easy to deal with, though in practice this rarely happens.
The caveat is that if your account gets banned, the IMAP access will also be blocked. An email forward is more likely to remain active, is the point made in TFA.
That's fine for your own domain, but I usually download my emails via IMAP and don't leave anything on the remote server.
Finally, do you really keep your emails?
Emails are ephemeral, often just informative, and if there's anything important, I process it and delete the email.
I may archive 'sentimental' emails, but I rarely search the archive as I mainly delete emails.
I never really understood why "owning" a domain is any more owning than you own your Gmail address: a company is letting you use it and that works until they don't. What an I missing?
> With this solution, there's a high chance that if they ban you by mistake (AI bots are to blame), they will not disable the forwarding mechanism.
Why bet on that instead of doing it the other way around (i.e. making the self-operated mail server the primary that forwards to the service provider inbox), or at least practicing doing so by pointing the MX records accordingly?
Been doing this for years, and surprised he didn't seem to mention the other benefit: "infinity" email addresses. Oh, rando burger spot wants an email for some free fries? Great, hit me up at randoburgerspot@"mydomain".com .
I do this, too - but I've been running into more and more companies that block you from using their company name in the email address.
It also results in awkward conversations if you have to talk to staff. I had ordered some pet supplies online a while ago registered like this.
Then I go in store more recently and they ask "Do you have an account with us?", I give them that email when asked, which causes them to pause. We went around a few times of them asking what my email was, before getting a manager who thought I was doing something dodgy and decided to try looking up my account by phone number instead of email.
I've occasionally pondered some sort of phone app that that can dynamically create a random new forwarding email, and keep track of what purpose it was for and who you shared it with.
I don't even have to bother with creating a 'real' alias address. When I make an account I can punch in any random address @mydomain and it shows up in my primary inbox in a special folder. It's so much more convenient
I've self hosted my email forwarding service on my own domain for over a decade, but eventually gave up because of deliverability issues that were out of my control - primarily with Microsoft's email services.
I've switched 3 years ago to a hosted forwarding service forwardemail.net
Pros:
* Allows to switch email providers if needed
* Allows to forward email to multiple providers
* Allows to store backups of emails
* Allows to have emails on multiple domains for different contexts (personal/professional/projects/etc.)
* Allows to have different email addresses per service. If you get spam on that email address you can just stop forwarding emails for it.
* Allows to have reliable mail rules based on the email address
* Allows also to send emails from multiple addressses
* Most spam is filtered before it reaches the inbox
* Open source
* Would be easy to switch to a different email forwarding service if needed (or self host it).
* Excellent track record over 8+ years
Cons:
* They have the potential to snoop on your emails. Any service that's really important would have 2FA enabled, so I accept the risk.
* They have the potential to send emails on your behalf - again, they've earned my trust, so I accept the risk for that.
* Add another point possible failure. So far I haven't noticed any issues with it.
* There's greylisting that delays emails for 5 minutes if they are not on the whitelist, which affects some of less common sending services.
* In very rare cases, some services ban registering with a forwarding email addresses.
* You need to make sure you don't lose your domain. I renew it 5 years before expiry with a reputable domain registrar (NameCheap).
What’s your plan after for after those 5 years and you can’t renew? Domain expires, someone registers it and now has access to all your accounts? Albeit maybe you won’t care because you won’t be around but I wonder how it’ll impact your family/friends
Forwarding emails is problematic especially if your provider for the primary mx does not have great spam filtering and then you end up sending spam to your backup account.
It certainly does not get around the ...if your account gets banned maybe the forwards will still work... concept but in general something like https://github.com/joeyates/imap-backup to backup your email and then add them to a typical backup process with your other files works well.
Anyone wanna share their email strategy? I'm thinking of going for the following but I'm still undecided:
1. 1 custom domain (<simple-word-or-two>.com): this will be used for friends, family and any online accounts that know me IRL.
Use Fastmail masked addresses with my custom domain where it makes sense like an online account for amazon.
2. 1 custom domain (<online-nickname>.xyz): this will be used for a blog, professional IRL interviews, correspondence, github.
Use Fastmail masked addresses with my custom domain where it makes sense.
3. Masked emails using fastmail.com: for online accounts that are ephemeral, random newsletter signups etc. Don't want to associate any of my custom domains or IRL identity. Don't care if these are portable.
My main goals are:
- Separate my online identity/alias used for my blog (2) from gov entities, banks etc (1).
- for more anonymity/privacy use the fastmail.com domain with masked addresses to blend in with others on this domain.
I'd love feedback and to read what you do if you want to share :)
I got banned by .xyz once. I did manage to get it cleared up, but being banned by the TLD itself is pretty unpleasant. It's hard to even figure out that's what happened. And then I had to "prove" I was no longer distributing malware, with a list of what things I'd done to clean up the site and prevent further malware distribution - which was difficult as I was never distributing malware to begin with. Just a static website for a wordle variant, no ads or other 3rd party content.
Another huge thing is that if you get banned from Google you (might) also lose "Sign in with <bigcorp>" - so you lose access to a lot more thing than just your email.
I am actually working on doing the opposite and getting rid of my custom domains. I’m not really doing anything with them except spending money to have them. Working on getting all my socials to basically match with a similar username and just go from there.
If I host my blog, assuming I actually start making posts, on GitHub with a custom domain, when I die then the domain will likely expire and the blog is no longer accessible. If I keep it with my GitHub .io url, it’ll be there for as long as the account is there.
I'm thinking about trying something similar to this on top of AWS SES. They make it fairly trivial to accept email and store it to S3. So email forwarding would be straight to S3 backup. But still would need a system to backup these emails to some local storage.
Not sure what's the best way to handle this, I had my gmail account since the early days and it's baked into so many important accounts. It definitely crosses my mind what it'd be really difficult if I were blocked out somehow.
62 comments
[ 3.4 ms ] story [ 76.9 ms ] threadAlso when you pick an email provider, pick one with a good privacy policy.
This is not sufficient. Even your domain can be seized. There is no way for any service dependent on the DNS System to be irrevocably owned.
So at least for .com and .net there's a responsive third party with procedures to work around failing registrars.
Mandatory reliance of services on other services (whether it is email, phone, or a more explicit identity provider) is generally unfortunate. I think it is best to not look for a perfectly reliable setup, as it is unachievable, but to keep in mind that they are not reliable, to have recovery plans and fallback options if possible, reduce dependence on online services, especially those depending on others. Though a personal domain name still seems more reliable to me than that of an email provider.
On the one hand, using national TLDs can be a problem if the area you live in is no longer considered part of your country (I imagine .ua owners may have that problem in the future with the way things are going). On the other hand, using TLDs like .com/.net/.ai/.io puts your domain under control of foreign law enforcement (US for .com/.net, UK for .ai/.io).
Step 1 : go with the one company that's known worldwide for abusive & permanent bans with no recourse.
This post is a bit too generic, but it's true that using your own domain for mailing is the best solution to avoid getting locked out. Although you need to pick a good registrar, too...
The author makes a good point, your email address is (arguably) more important than your home address. Perhaps there already are, but I hope for better safeguards against these kinds of attacks.
About once a month I go and drop myself from the latest lists. There are many magazines and whatnot where you can sign someone up for 100+ mails a day. Only a very few of them send you a message you have to ack to start the flood. Most just start the firehose without checking.
I'd like to hear what other people do to address this.
During the process I've been marking them in a spreadsheet with their 2FA status (no 2FA, TOTP, security key, etc.) and adding their passwords to a password manager.
This is all in case I ever need to go through the migration process again for whatever reason, or if I lose/break a Yubikey, I will know what I'm signed up for, and will know where to enrol my new Yubikey(s).
It really is a massive hinge for many people that isn't even really considered, most people's entire digital lives would be uprooted if they lost access to their email for whatever reason.
Thankfully that doesn't really ever happen to most "normal" people to my knowledge, since most just use Gmail, but I know it can and has happened through account bans or such.
In before:
* running your own mail is too much of a burden
* I used to host my own mail but I couldn’t figure out DNS or used a bad IP or something and Microsoft/Gmail won’t accept my mail
* if “they” want to ban you they will just seize your domain or kick down your door and shoot your dog
* it’s good that they can ban you from your email because I don’t like spam
Edit: lol, I was not in fact “in before” the comment about domain seizures. Unbelievable.
[1] https://www.mailgw.com
Then use mail client instead of webmail. I use thunderbird and have multiple boxes I just backup Thunderbird profiles folder to my NAS.
Why bet on that instead of doing it the other way around (i.e. making the self-operated mail server the primary that forwards to the service provider inbox), or at least practicing doing so by pointing the MX records accordingly?
It also results in awkward conversations if you have to talk to staff. I had ordered some pet supplies online a while ago registered like this.
Then I go in store more recently and they ask "Do you have an account with us?", I give them that email when asked, which causes them to pause. We went around a few times of them asking what my email was, before getting a manager who thought I was doing something dodgy and decided to try looking up my account by phone number instead of email.
I've switched 3 years ago to a hosted forwarding service forwardemail.net
Pros:
* Allows to switch email providers if needed
* Allows to forward email to multiple providers
* Allows to store backups of emails
* Allows to have emails on multiple domains for different contexts (personal/professional/projects/etc.)
* Allows to have different email addresses per service. If you get spam on that email address you can just stop forwarding emails for it.
* Allows to have reliable mail rules based on the email address
* Allows also to send emails from multiple addressses
* Most spam is filtered before it reaches the inbox
* Open source
* Would be easy to switch to a different email forwarding service if needed (or self host it).
* Excellent track record over 8+ years
Cons:
* They have the potential to snoop on your emails. Any service that's really important would have 2FA enabled, so I accept the risk.
* They have the potential to send emails on your behalf - again, they've earned my trust, so I accept the risk for that.
* Add another point possible failure. So far I haven't noticed any issues with it.
* There's greylisting that delays emails for 5 minutes if they are not on the whitelist, which affects some of less common sending services.
* In very rare cases, some services ban registering with a forwarding email addresses.
* You need to make sure you don't lose your domain. I renew it 5 years before expiry with a reputable domain registrar (NameCheap).
Overall, it's been working great for me.
It certainly does not get around the ...if your account gets banned maybe the forwards will still work... concept but in general something like https://github.com/joeyates/imap-backup to backup your email and then add them to a typical backup process with your other files works well.
1. 1 custom domain (<simple-word-or-two>.com): this will be used for friends, family and any online accounts that know me IRL.
Use Fastmail masked addresses with my custom domain where it makes sense like an online account for amazon.
2. 1 custom domain (<online-nickname>.xyz): this will be used for a blog, professional IRL interviews, correspondence, github.
Use Fastmail masked addresses with my custom domain where it makes sense.
3. Masked emails using fastmail.com: for online accounts that are ephemeral, random newsletter signups etc. Don't want to associate any of my custom domains or IRL identity. Don't care if these are portable.
My main goals are:
- Separate my online identity/alias used for my blog (2) from gov entities, banks etc (1).
- for more anonymity/privacy use the fastmail.com domain with masked addresses to blend in with others on this domain.
I'd love feedback and to read what you do if you want to share :)
I got banned by .xyz once. I did manage to get it cleared up, but being banned by the TLD itself is pretty unpleasant. It's hard to even figure out that's what happened. And then I had to "prove" I was no longer distributing malware, with a list of what things I'd done to clean up the site and prevent further malware distribution - which was difficult as I was never distributing malware to begin with. Just a static website for a wordle variant, no ads or other 3rd party content.
If I host my blog, assuming I actually start making posts, on GitHub with a custom domain, when I die then the domain will likely expire and the blog is no longer accessible. If I keep it with my GitHub .io url, it’ll be there for as long as the account is there.
Not sure what's the best way to handle this, I had my gmail account since the early days and it's baked into so many important accounts. It definitely crosses my mind what it'd be really difficult if I were blocked out somehow.