I find it hard to judge how much, if at all, this will help, but I'm all for email being more secure, to the point that organizations (banks, governments, insurance companies) stop creating walled-email alternatives: please log in to our secure message center, where you can only see our messages poorly formatted, and for a short time, until we permanently delete them. I like that my Inbox is a somewhat-searchable, historical record of my life, and these alternatives break that.
We’re basically outsourcing email judgment to AI, then trying to compensate by strengthening SPF/DKIM. That feels like hardening the locks while handing out more master keys.
I've been a happy Fastmail customer for years, and one of the best things about Fastmail has been how they just incrementally make things slightly better, as if they somehow haven't learnt how to enshittify.
So on seeing this title, I was a bit worried.
> It’s worth being transparent about what that looks like at Fastmail: we haven’t integrated AI into your inbox, and your mail isn’t being processed by a model in the background. Our MCP server is simply an API endpoint available if you want to connect an AI client of your choosing with your explicit authorization, and nothing changes if you don’t.
BIMI certificates cost over $1,000 / yr right now. For me that's a feature. I wish the fallback in my mail client was a big untrusted symbol rather than sender initials when they aren't in my address book.
I love fastmail, I switched from Proton a couple years ago after deciding the trade offs to have encrypted email were not worth it, since even if I fully trust Proton, most emails come from or go to AWS, Outlook, or Gmail anyway. I have been extremely happy with the service. Fairly priced, very fast even with a huge inbox, and they don’t add unnecessary features or bloat. I thought I would use my OS’s mail apps but the fastmail app and website are so good I just use that.
The easiest and best filter is to screen emails. Only emails that were screened in once go to your inbox. It's that easy. HEY.com introduced it, and I can't see email without it; that's why I integrated it into my TUI email client, neomd [1]. Since then, when I get an email from Amazon that lands in my "To Screen" box, I am automatically alerted and know it is potentially spam, because I have approved Amazon and legit emails land in my inbox. Check it out, it's that easy. Neomd works with Fastmail or any other IMAP/SMTP email provider.
No AI needed, and also no stupid AI summary, as you only get a few legit emails to your inbox, never spam anymore.
>Anyone can put anything in the “From” field of an email.
... and then the article goes on to talk about SPF, DKIM and DMARC which authenticates only the domain part of the "From" field. So just the reputation of the email server, not the entity that sent you the email. If things get as bad with AI generated deception as suggested by the article this wouldn't be good enough, we would have to start signing our emails again. Emails from entities we don't know would have to be treated with a high level of suspicion.
I am not convinced that things will for sure really get that bad. How can a AI figure out the email addresses of our correspondents? They are not magic.
You’re mistaken: DKIM always signs the entire From field. Signing is done on the MTA, so yes, it is “the reputation of the server” like you say, but “server” can be a relatively granular thing here, using different DKIM selectors for different addresses, MTAs, etc.
What's the point of this article? The most I got was "email is here to stay," followed by some discussion of an MCP server for their proprietary mail platform.
I particularly don't understand the constant fanfare around discussions of SPF/DKIM/DMARC. They're widely understood, published RFCs that have been around for at least 10-15 years, some of them longer. They're not obscure folk wisdom passed down through generations of sysadmins, yet I read so many documents and articles that make it sound like a proprietary trade secret that the authors of such articles are graciously revealing to the world.
It will be interesting to see if Google can be convinced to move away from ARC to something else. Gmail is all about email server reputation these days so they can reliably treat email servers they don't like badly.
email is turning into a walled-garden of big tech.
For instance, I am self-hosted, that without DNS. The email designers were carefull to make the email system work without DNS, that with email addresses with IP literals: mailbox@[x.x.x.x] and mailbox@[ipv6:...] (and I guess once ipv4 is really gone, the ipv6: prefix will be dropped).
This is stronger thas SPF, since as soon as a IP literals in the envelope and the various "from" headers does not match the actually IP from the sending SMTP server, the email is dropped, not even going in spam.
If I send such email to gmail for instance... I get a 'missing a DNS PTR' record, go to hell. How, convenient, to send an email there, you must have bought a DNS domain, knowing perfectly that most registrars nowadays are gated by the web engines of the whatng cartel... which gogol, then gmail does belong to... how convenient, the crime is almost perfect, I don't put that on the account of incompetence, this is beyond that, we are in the realm of toxic malice.
I do presume now they know what they are doing, killing all small tech, or self-hosting is in their agenda of dominant internet corporation.
Here's a big part of the problem right there. Google requires something, it becomes a requirement. In fact, Google's hold on email is a problem in itself. Among other things we need variety. Without it, "Google begins requiring" will be a recurring theme. It's happening again now with mobile phone apps! "Google begins requiring" that you register with them so that the apps you write can be installed on Android phones.
> This shifted authentication from something senders could deprioritize to a basic prerequisite for reaching inboxes.
And later, Google and a few other large players could just prevent individuals and smaller email service providers from being able to send email, at all.
> so the filtering systems can tell where bad content is coming from and avoid hurting the reputation of the wrong parties.
Be ready for people who don't register with the big corporations to be marked as having "bad reputation" and being simply blocked. There might be some technical excuse.
> The inbox of the future will be faster, smarter, and more capable than what most of us use today.
That sounds like the inbox of the future might be controlled by somebody else. I don't like that at all.
It's insane that in 2026 signing and encryption of emails still isn't the norm, but as long as the business model of the largest email vendors rely on us not having it, I guess we never will.
51 comments
[ 3.2 ms ] story [ 54.2 ms ] threadBig title, little content.
It's important that they're secure.
Is it possible to have E2E encryption on emails?
So on seeing this title, I was a bit worried.
> It’s worth being transparent about what that looks like at Fastmail: we haven’t integrated AI into your inbox, and your mail isn’t being processed by a model in the background. Our MCP server is simply an API endpoint available if you want to connect an AI client of your choosing with your explicit authorization, and nothing changes if you don’t.
Phew.
No AI needed, and also no stupid AI summary, as you only get a few legit emails to your inbox, never spam anymore.
[1] https://neomd.ssp.sh
Please, Fastmail, don't fuck this up. I have been a happy customer for years. Do not fuck this up with idiotic AI systems. I just want reliable email.
... and then the article goes on to talk about SPF, DKIM and DMARC which authenticates only the domain part of the "From" field. So just the reputation of the email server, not the entity that sent you the email. If things get as bad with AI generated deception as suggested by the article this wouldn't be good enough, we would have to start signing our emails again. Emails from entities we don't know would have to be treated with a high level of suspicion.
I am not convinced that things will for sure really get that bad. How can a AI figure out the email addresses of our correspondents? They are not magic.
I particularly don't understand the constant fanfare around discussions of SPF/DKIM/DMARC. They're widely understood, published RFCs that have been around for at least 10-15 years, some of them longer. They're not obscure folk wisdom passed down through generations of sysadmins, yet I read so many documents and articles that make it sound like a proprietary trade secret that the authors of such articles are graciously revealing to the world.
Another subscription for software- and people outside HN hate paying for software- when outlook, apple and Gmail exist?
https://www.ietf.org/archive/id/draft-adams-arc-experiment-c...
It will be interesting to see if Google can be convinced to move away from ARC to something else. Gmail is all about email server reputation these days so they can reliably treat email servers they don't like badly.
Gmail Thinks I'm Stupid, So I Left: https://news.ycombinator.com/item?id=48375016
For instance, I am self-hosted, that without DNS. The email designers were carefull to make the email system work without DNS, that with email addresses with IP literals: mailbox@[x.x.x.x] and mailbox@[ipv6:...] (and I guess once ipv4 is really gone, the ipv6: prefix will be dropped).
This is stronger thas SPF, since as soon as a IP literals in the envelope and the various "from" headers does not match the actually IP from the sending SMTP server, the email is dropped, not even going in spam.
If I send such email to gmail for instance... I get a 'missing a DNS PTR' record, go to hell. How, convenient, to send an email there, you must have bought a DNS domain, knowing perfectly that most registrars nowadays are gated by the web engines of the whatng cartel... which gogol, then gmail does belong to... how convenient, the crime is almost perfect, I don't put that on the account of incompetence, this is beyond that, we are in the realm of toxic malice.
I do presume now they know what they are doing, killing all small tech, or self-hosting is in their agenda of dominant internet corporation.
Here's a big part of the problem right there. Google requires something, it becomes a requirement. In fact, Google's hold on email is a problem in itself. Among other things we need variety. Without it, "Google begins requiring" will be a recurring theme. It's happening again now with mobile phone apps! "Google begins requiring" that you register with them so that the apps you write can be installed on Android phones.
> This shifted authentication from something senders could deprioritize to a basic prerequisite for reaching inboxes.
And later, Google and a few other large players could just prevent individuals and smaller email service providers from being able to send email, at all.
> so the filtering systems can tell where bad content is coming from and avoid hurting the reputation of the wrong parties.
Be ready for people who don't register with the big corporations to be marked as having "bad reputation" and being simply blocked. There might be some technical excuse.
> The inbox of the future will be faster, smarter, and more capable than what most of us use today.
That sounds like the inbox of the future might be controlled by somebody else. I don't like that at all.
Not so for Google Workspace. I get more spam and fake invoices and DocuSign contracts than I used to.