Ask HN: Fair and decent email providers?

8 points by ics ↗ HN
Fair and decent– well priced, solid data policies, easy to use or configure...

I've self-hosted in the past and would consider doing it again for privacy reasons, however a solid email provider would certainly save a lot of work on the spam/delivery side of things and could potentially make up for it in the general case. One of the things I'm concerned about though is finding a solution that would allow me to create/destroy aliases on the fly and add addresses across multiple domains (one user/mailbox) without paying exorbitant amounts, but other features like full IMAP support, two-factor authentication, and a fast interface are also desirable.

So far I've looked at: Rackspace, Fastmail, and Namecheap but I'm curious to see what people here (especially DevOps) are using and would recommend. Even though price is a controlling factor for me, I thought the discussion might be valuable since I'm sure the recent news is just one more reason why some people might feel uncomfortable relying on their Gmail accounts.

17 comments

[ 5.6 ms ] story [ 61.9 ms ] thread
THis has been asked several times.. but I'll go ahead and say I've been using Fastmail.fm for my personal email for several years now and have not had a problem with it.

For work, I've used self-hosted exchange (I didnt manage it), Rackspace, and most recently Microsoft Office 365 for my current startup. We're liking MS O365 but I wouldn't pay that much for my personal email hosting at this point.

Doesn't gmail do everything you ask for? $50 a year? It is the best if you don't care about control/privacy.
But I do care about control and privacy. I have a few clients who I likely will be moving to Google Apps but it's not really what I'm looking for. That's $50/year per user, which is a fine price for the amount of space you get but far too much for me when I would much rather divide that 30GB into 30x1GB mailboxes. That being said, it looks like their alias features are very agreeable (30 addresses, 20 domains).
Ahh, I did not understand you wanted service for multiple users. It sounds like price is your main requirement.

>>Rackspace, Fastmail, and Namecheap

These are slightly lower quality than gmail IMO.

Fastmail has earned its name recently - it's freaking fast now. Much faster than gmail.
It's funny that people would flee from Gmail to other third-party mail providers out of privacy concerns, because it suggests they think their biggest privacy concerns are the NSA. But that's not true; in practice, you have much more to fear from criminals than the government; you can use simple means/motive/opportunity reasoning to arrive at this conclusion.

Meanwhile: no mail provider in the world has invested more resources in security than Google Mail. Google spends millions of dollars to ensure the security of the Google Mail platform. It also runs a public-facing bounty program --- one of the oldest and most reputable --- to solicit more vulnerabilities. It staffs a large and extremely well-regarded software security team to keep up with vulnerability classes and to research new ones.

Can you say the same thing about Fastmail.fm?

My understanding is that people went to fastmail to get away from google's tracking not the NSA.
Admittedly I was asking this here primarily for small business suggestions– I certainly wouldn't expect a simple provider switch to pull the wool over the NSA's eyes. It's a silly thought for a business anyway, where the only people you might be trying to hide from are your competitors. As you said, for practical security Google's offerings are likely top notch and it gives me no qualms having some accounts with them. That being said, I think there's still room for someone to bring almost as much to the table security wise through focus and perhaps a tighter codebase, but beat them out for clear ("fair and decent") terms in regards to privacy and data handling.

Regarding Fastmail, as far as I can tell the new interface is one of the better ones around and it's a big help that they provide Yubikey authorization. I've been using Google Authenticator for a while now but in recommending it to others I've found people taking advantage of just about every opportunity to undermine its usefulness (i.e. backup codes not protected or used regularly when their phone is dead, disabling two-factor auth for a few days because they forgot their charger, or sharing app-specific keys...).

How do you know that you aren't some trivial but obscure SQL injectable HTTP POST away from losing all your mail on that provider? Because I gave you a reason to believe you don't have to worry about that on Google Mail.
First off, I can't really fathom why anyone (businesses!) wouldn't keep good offline backups of their email of all things. But it's a fair point– data loss isn't the only threat and Google is not lacking in engineering talent or money. Still, wouldn't their threats scale with their services and number of users? I don't care for any of the features that come with a Google account (really, just mail) but if an attacker found an exploit in any of the services attached to an account things wouldn't be so swell. To some degree the only reason I asked this question in the first place is because admittedly I cannot provide any specific counterargument to what you just stated. I was hoping others might, but I certainly appreciate your weighing in either way. If you really think that Google is the best way to go for practical security (do you use them for Matasano/Cryptopals/...?) then I'll keep them on the top of my list, but it's still out of my price range without significant restructuring. Perhaps I was too hopeful about finding the tarsnap of email or something. Ahh, well.
(comment deleted)
Still, wouldn't their threats scale with their services and number of users?

No! This is almost never true!

No? I didn't mean that they're just a bigger target. Are you saying there is no additional threat (whether XSS, HTTP, SQL or whatever) to the system when YouTube, Google+, Gmail, etc. are all being developed by different teams with different timelines etc? Of course they must have pretty sound security practices in addition to frequent coordinated reviews, but I can't imagine that makes things any easier.
Yes, I am saying that you are at vastly less risk of losing your data to an SQLI flaw on Google Mail than you are on some small competitor to Google Mail. I am saying exactly the thing you seem to be surprised I'm saying, and if you ask any 5 other software security practitioners the same question, at least 4 of them will say the same thing (I'd actually be surprised if 5 didn't).
Very well then. Practically speaking I'm much more concerned with spear-phishing on Google services than what we're discussing, but I'm glad you took the time to make your points. I won't hold my breath for them to introduce more flexible plans any time soon though... (As a sidebar, MS Office365 looks to be about the same thing, but not much different than Google on price/plans.)
fastmail.fm is great. I've used them for a decade.

The downside to me is their spam filter is not as good as gmail.

I read my email in a local client so I can't comment on the web interface.

That said, far less of my communication is done via email these days. Like, almost nil. It's almost gotten to the point where I don't need email at all. It's mainly a repository for online receipts. I'm toying with the idea of killing my fastmail account and just using my gmail account for receipts.