I feel we need a "proof of work by human" for emails. Something that could be signed that attests that someone took the time to write the email, not just sent a template / used AI to auto-generate a personal looking email, etc. Sure that could be gamed as well (have an AI write characters one by one to look more human-like), but taking more time usually is a fairly good blocker for spammers / salespersons / etc.
I find it hard to judge how much, if at all, this will help, but I'm all for email being more secure, to the point that organizations (banks, governments, insurance companies) stop creating walled-email alternatives: please log in to our secure message center, where you can only see our messages poorly formatted, and for a short time, until we permanently delete them. I like that my Inbox is a somewhat-searchable, historical record of my life, and these alternatives break that.
To have secure email I think html/css should be dropped from email support and the inbox should work on an invite only basis. Basically you should pre-authorize the senders just like you add someone as friend on a social network.
> To have secure email I think html/css should be dropped from email support
I don’t think that helps at all. We already know how to consume that securely, we do it billions of times a day in web browsers.
> the inbox should work on an invite only basis. Basically you should pre-authorize the senders just like you add someone as friend on a social network.
Yes. A fundamental problem with email is that the only thing required to send email to somebody is knowledge of their email address, which as a recipient you cannot control. This is what enables spam and phishing. This needs to be changed so that in order to send email to somebody, you also need their consent. A “friend request” mechanism is one way of achieving this.
I think this is a problem that can be feasibly solved in a fairly reasonable way, and I sketched out a protocol for doing so a while back, which I described in more detail in this comment:
This is kinda what 'masked email' services like Fastmail's – of which I am a delighted customer – do.
Until you've known the comfort of creating an address; giving it to a service; deciding that you want to end your relationship with them; just deleting that address, without changing your mailbox or infrastructure or archives or anything else … it's kinda life changing. I recommend everyone try it.
Also, the chances of a phisher trying to get my BigBank details by sending mail to lonely.chicken6382@spuriously-named-and-unused-other-than-for-email-domain.com are … well, it seems unlikely.
I like per recipient emails, but I worried how I would know I authorized that sender to send to lonely chicken. The original site could have been compromised.
That's why I bought my email domain and use <domain_name>@hnrobert42.com. It helps to use a password manager.
I get a lot of convincing emails to [email protected]. As well as zynga, wework, etc.
> That's why I bought my email domain and use <domain_name>@hnrobert42.com. It helps to use a password manager.
Whenever there’s this discussion on HN, someone usually points out that can sometimes be a bother, especially when giving out the email in person, because people don’t really understand how email addresses work and ask “how did you get that email” or think you’re impersonating the service, or something similar.
Hey.com email does this minus the blocking of html/css. You basically thumbs up or thumbs down a sender and they either go away forever or you happily trust what comes from them. It's been hit or miss on some stuff for me and I hate the way the website looks, but otherwise it's a great way of whitelisting senders.
The necessary bits to facilitate that could be added on top of the existing protocol in a manner that doesn't break existing clients. Essentially it amounts to an out of band registration of the expected sender with your own server, likely by means of a short proxy code or phrase. Couple with key exchange to facilitate an E2EE extension at the same time, while also dodging the logistical issue that would otherwise arise when a sender has multiple addresses or the sending address changes.
I love hearing that I received a "secure message", with no further detail. Straight to trash -- I don't read "secure messages". My inbox is probably more secure.
The gp isn't talking about spam using "secure message" as bait to open unwanted email.
Instead, legitimate companies like banks, healthcare, etc tell users to click on a url link to their "Secure Message Center" to read or submit some critical information. It's often the only way to get the info the users need.
E.g. if I open a payment dispute with the bank, the workflow they use is the Secure Message area. I can't just use my normal email client and upload some pdf attachments. Instead, I have to log into my bank website, navigate to their Secure Message area, and then upload the docs there to submit the claim. They also don't send followup status or final resolution in an email. Instead, you log back into the Secure Message area to read the case resolution. Similar for insurance claims.
Similar situation for asking a medical imaging center for some mammograms. They will not send those as PDF or JPG attachments directly to your email address. Instead, you log into a secure message area on a healthcare website and download it from there.
> The gp isn't talking about spam using "secure message" as bait to open unwanted email.
No, this includes all messages from my doctor/healthcare. It's not mass spam.
Theoretically I could want to know what's in the message, but not enough to visit a website I've been logged out of again, perform multi-factor authentication, navigate to the message center and find the message and then back it up manually.
I don’t understand how one doesn’t. I need to do it to look up status on health insurance claims and to access the tax documents for my financial accounts.
I guess you can avoid the email spam by just directly logging into the website when you need that stuff, but how else are they supposed to notify you when something new has happened?
I get secure messages from public authorities and companies in Denmark, which go to my secure 'mailbox' for this purpose. Of course, contracted out to some private company, and they'll probably change the contract again in 5 years.
The messages are usually PDFs, which isn't great for accessibility, e.g. using a translation tool.
> I'm all for email being more secure, to the point that organizations (banks, governments, insurance companies) stop creating walled-email alternatives
This will literally never happen. Email doesn't support the features that those messaging platforms need to have, such as recalling messages.
The security layers are also only on the sender part, not on the receiver part, which banks care a lot more about.
I know this is only tangentially related, but recalling messages is horrible. I hate that so many services will allow people to send me a message, give me a notification with a preview, but then the message gets edited or deleted. If you drop a letter in a physical mailbox, or slide a paper underneath the door, you cannot get it back either. This whole philosophy of 'we allow destruction of messages in a shared chat' needs to stop. The moment things are being sent, both sides are co-owner of that message. Not being able to recall messages is a good thing.
I'll settle for a brief edit (not retraction!) window after sending though, say 5 minutes tops.
Edit (I realize the irony): banks of course won't give a hoot about the receiver, the power dynamic is inherently not equal.
I love fastmail, I switched from Proton a couple years ago after deciding the trade offs to have encrypted email were not worth it, since even if I fully trust Proton, most emails come from or go to AWS, Outlook, or Gmail anyway. I have been extremely happy with the service. Fairly priced, very fast even with a huge inbox, and they don’t add unnecessary features or bloat. I thought I would use my OS’s mail apps but the fastmail app and website are so good I just use that.
I've been using Fastmail for more than 9 years. Especially since they added offline support to their app, there's nothing left why I would even remotely consider leaving them.
As a Proton user - the main trade-off for me is that you are forced to use their apps on mobile, and those apps are pretty barebones and (on iOS at least) have none of the bells and whistles of a modern iOS app, such as Home Screen widgets.
Since I use my own domain for email, I am considering moving over to another provider once my subscription term is up. I really miss widgets.
We’re basically outsourcing email judgment to AI, then trying to compensate by strengthening SPF/DKIM. That feels like hardening the locks while handing out more master keys.
This was the post where I learned about SPF, DKIM, and DMARC which seems like a nice technical win. It isn't text encryption but it goes to show there is still room to improve on the basic email situation.
JMAP's been Fastmail's future of email since circa 2016 iirc; it seems unlikely Google will ever get on board (NIH?) so it's doomed to remain not completely standard and to struggle for support.
It's insane that in 2026 signing and encryption of emails still isn't the norm, but as long as the business model of the largest email vendors rely on us not having it, I guess we never will.
The easiest and best filter is to screen emails. Only emails that were screened in once go to your inbox. It's that easy. HEY.com introduced it, and I can't see email without it; that's why I integrated it into my TUI email client, neomd [1]. Since then, when I get an email from Amazon that lands in my "To Screen" box, I am automatically alerted and know it is potentially spam, because I have approved Amazon and legit emails land in my inbox. Check it out, it's that easy. Neomd works with Fastmail or any other IMAP/SMTP email provider.
No AI needed, and also no stupid AI summary, as you only get a few legit emails to your inbox, never spam anymore.
So the natural extension of this would be plugins which have curated open source allow-lists? Similar to how I trust uBlock Origin's default ad filtering block-lists, I would similarly trust a curated open source allow-list for email domains, and then I would add my own from the "to screen" folder?
Oh, that's a great idea. Currently, every user has their own private list (it's just text files). It takes a bit of work initially, as you need to approve each email, but it's totally worth it. And it must be per user IMO, as your friends and family have different emails, so it's less about public or legit domain, but more what domain and e-mail YOU trust.
But great idea, what I added is the opposite direction: showing if a sender used spy pixel. There I used public spylists I found.
This is basically where I (and I imagine many others) have landed with the telephone. Anyone not in my contacts goes to voice mail. Made my phone usable again.
Still not many are doing it with emails. But great point, though we all still have to pick unknown calls here and there as we expect someone, so with the email screener it's even better, as each email has a sender.
It will be interesting to see if Google can be convinced to move away from ARC to something else. Gmail is all about email server reputation these days so they can reliably treat email servers they don't like badly.
I've been a happy Fastmail customer for years, and one of the best things about Fastmail has been how they just incrementally make things slightly better, as if they somehow haven't learnt how to enshittify.
So on seeing this title, I was a bit worried.
> It’s worth being transparent about what that looks like at Fastmail: we haven’t integrated AI into your inbox, and your mail isn’t being processed by a model in the background. Our MCP server is simply an API endpoint available if you want to connect an AI client of your choosing with your explicit authorization, and nothing changes if you don’t.
BIMI certificates cost over $1,000 / yr right now. For me that's a feature. I wish the fallback in my mail client was a big untrusted symbol rather than sender initials when they aren't in my address book.
Tonnes? I don't like to say 'just search for it', but seriously you'll get more out of that than a response here. Personally I use SES for the 'hard' bit, but there's loads of OSS if you want to self-host the actual receiving too. (Sending probably requires more time looking into getting a trustworthy static IP than software. Again, I bypass that by using SES, but that's technically only self-hosting storage & client.)
Sure, I do it, and many others. Some people say it's hard, but I think it's much easier than it used to be, technically. You have projects like https://stalw.art which make it quite easy. Single binary setup which covers all functionality you need. Setting up SPF, DKIM and DMARC is also easy. The only thing that remains is IP reputation, but even then, I haven't had major issues. People seem to receive the few emails that I send.
You can absolutely set up SPF, DKIM, and DMARC for yourself, it's really not that hard if your difficulty reference point is self hosting email. I did it like 10 years ago and I don't think it has changed.
Self hosting is hard (which is why I just use Fastmail now), but it's not because of that.
>Anyone can put anything in the “From” field of an email.
... and then the article goes on to talk about SPF, DKIM and DMARC which authenticates only the domain part of the "From" field. So just the reputation of the email server, not the entity that sent you the email. If things get as bad with AI generated deception as suggested by the article this wouldn't be good enough, we would have to start signing our emails again. Emails from entities we don't know would have to be treated with a high level of suspicion.
I am not convinced that things will for sure really get that bad. How can an AI figure out the email addresses of our correspondents? They are not magic.
What's the point of this article? The most I got was "email is here to stay," followed by some discussion of an MCP server for their proprietary mail platform.
I particularly don't understand the constant fanfare around discussions of SPF/DKIM/DMARC. They're widely understood, published RFCs that have been around for at least 10-15 years, some of them longer. They're not obscure folk wisdom passed down through generations of sysadmins, yet I read so many documents and articles that make it sound like a proprietary trade secret that the authors of such articles are graciously revealing to the world.
Agreed. I had some vague hope that this article made it to the HN home page because someone was saying what needs to be said: that the future of email should be protocols over platforms, as it was in the past. Mail servers and mail clients.
Yeah, it's the same thing with self-hosting email. The technical side is documented and the tradeoffs are well known. It's the up front effort of migration, maintenance and mails landing in spam that gets people down and so on. Though once you get going it's supposed to become easier with time.
Also there's a spectrum from Gmail to Fastmail to AWS SES to Wireguard on a VPS that's tunneling to a server running at home. And when the people from both extremes of the spectrum interact they look at each other as if they're from other planets.
It's the same for Auth stuff I believe, almost a decade of generic advice like "don't roll your own auth" has led some people to file it into a tidy corner of their mind labelled "DON'T TOUCH" so most people end up gawking and staring in awe when someone does so and lose all nuance along the way. To be clear I'm advocating for learning how stuff works and playing around with it (time permitting) instead of simply delegating it to the technical equivalent of Higher Powers in perpetuity.
Here's a big part of the problem right there. Google requires something, it becomes a requirement. In fact, Google's hold on email is a problem in itself. Among other things we need variety. Without it, "Google begins requiring" will be a recurring theme. It's happening again now with mobile phone apps! "Google begins requiring" that you register with them so that the apps you write can be installed on Android phones.
> This shifted authentication from something senders could deprioritize to a basic prerequisite for reaching inboxes.
And later, Google and a few other large players could just prevent individuals and smaller email service providers from being able to send email, at all.
> so the filtering systems can tell where bad content is coming from and avoid hurting the reputation of the wrong parties.
Be ready for people who don't register with the big corporations to be marked as having "bad reputation" and being simply blocked. There might be some technical excuse.
> The inbox of the future will be faster, smarter, and more capable than what most of us use today.
That sounds like the inbox of the future might be controlled by somebody else. I don't like that at all.
Disclaimer: I do some work for one of Gmail's competitors.
Of all the stuff Gmail imposes on the rest of the world, requiring proper sender authentication was a good thing and we've helped thousands of senders set up proper authentication because of it.
Forcing the issue finally got rid of the ridiculous practice of ignoring SPF/DKIM failures and just setting the DMARC record to p=none.
None of this changes the fact that Gmail is a problem for so many other reasons, but this specific imposed change was a net benefit for the entire email ecosystem.
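The `p=none` practice mentioned in the comment above can be checked mechanically. The following is an added example, not part of the thread: a small auditor for DMARC TXT records (tag names as defined in RFC 7489), run over sample records and domains that are constructed for illustration.

```python
"""Audit DMARC TXT records for real enforcement (added example)."""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into {tag: value}.

    Returns None unless the first tag is exactly v=DMARC1, which is
    what distinguishes a DMARC record from other TXT records.
    """
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            continue  # malformed tag: skip it, keep the rest
        key, value = part.split("=", 1)
        # First occurrence of a tag wins; later duplicates are ignored.
        tags.setdefault(key.strip().lower(), value.strip())
    return tags


def audit_dmarc(txt):
    """Return validity, whether the policy is enforced, and findings."""
    tags = parse_dmarc(txt)
    if tags is None:
        return {"valid": False, "enforcing": False,
                "findings": ["not a DMARC1 record"]}

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"valid": False, "enforcing": False,
                "findings": ["missing or invalid p= tag"]}

    findings = []
    if policy == "none":
        findings.append("p=none: failures are reported, mail is still delivered")

    # sp= defaults to the value of p= when absent.
    subdomain_policy = tags.get("sp", policy).lower()
    if policy != "none" and subdomain_policy == "none":
        findings.append("sp=none: subdomains are left unprotected")

    # pct= defaults to 100; anything lower applies the policy to a sample.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not an integer, default of 100 assumed")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")

    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports will be received")

    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"valid": True, "enforcing": enforcing, "findings": findings}


# Constructed sample records (domains are placeholders).
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "half-hearted": "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.org",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.net",
    "not-dmarc": "v=spf1 -all",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        result = audit_dmarc(record)
        print(f"{name}: enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```
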
email is turning into a walled-garden of big tech.
For instance, I am self-hosted, that without DNS. The email designers were careful to make the email system work without DNS, that with email addresses with IP literals: mailbox@[x.x.x.x] and mailbox@[ipv6:...] (and I guess once ipv4 is really gone, the ipv6: prefix will be dropped).
This is stronger than SPF, since as soon as an IP literal in the envelope and the various "from" headers does not match the actual IP from the sending SMTP server, the email is dropped, not even going in spam.
If I send such email to gmail for instance... I get a 'missing a DNS PTR' record, go to hell. How, convenient, to send an email there, you must have bought a DNS domain, knowing perfectly that most registrars nowadays are gated by the web engines of the whatng cartel... which gogol, then gmail does belong to... how convenient, the crime is almost perfect, I don't put that on the account of incompetence, this is beyond that, we are in the realm of toxic malice.
I do presume now they know what they are doing, killing all small tech, or self-hosting is in their agenda of dominant internet corporation.
I think it's more they simply don't register small tech and self-hosting.
In time there will be a reckoning though. The geopolitical instability at the moment will see the end of the US dominant services used outside of the US so they will have to work out how to make a not small but balkanised email provider model work again.
Of course it is possible to have E2E encryption on emails. You can have E2E encryption on everything. Just use `age` and encrypt your message with sender public key. Easy.
It's your client that's the problem.
I'm happy in my text only Emacs heaven.
I'm also happy with my custom 5 year old bert based spam detector which hasn't failed me once (unlike whatever gmail at work does).
This post was sent from Emacs.
I think this is a problem that can be feasibly solved in a fairly reasonable way, and I sketched out a protocol for doing so a while back, which I described in more detail in this comment:
https://news.ycombinator.com/item?id=44969726
I've never felt more secure. For real.
Whenever there’s this discussion on HN, someone usually points out that can sometimes be a bother, especially when giving out the email in person, because people don’t really understand how email addresses works and ask “how did you get that email” or think you’re impersonating the service, or something similar.
I guess a solution might be to add the details sneakily. E.g. instead of [email protected], saying [email protected]
The amount of bots promoting Fastmail here is insane. What the actual ...
This will literally never happen. Email doesn't support the features that those messaging platforms need to have, such as recalling messages.
The security layers are also only on the sender part, not on the receiver part, which banks care a lot more about.
"Need".
The thing is Fastmail can't speak with absolute authority about email because Fastmail is not email. It's subordinate to it.
[1] https://neomd.ssp.sh
https://www.ietf.org/archive/id/draft-adams-arc-experiment-c...
It will be interesting to see if Google can be convinced to move away from ARC to something else. Gmail is all about email server reputation these days so they can reliably treat email servers they don't like badly.
Gmail Thinks I'm Stupid, So I Left: https://news.ycombinator.com/item?id=48375016
So on seeing this title, I was a bit worried.
> It’s worth being transparent about what that looks like at Fastmail: we haven’t integrated AI into your inbox, and your mail isn’t being processed by a model in the background. Our MCP server is simply an API endpoint available if you want to connect an AI client of your choosing with your explicit authorization, and nothing changes if you don’t.
Phew.
Please, Fastmail, don't fuck this up. I have been a happy customer for years. Do not fuck this up with idiotic AI systems. I just want reliable email.
Nice. ;)
They have an MCP end-point, they want to market to both AI proponents and critics -- that's about what I learnt from scanning the article.
Not so for Google Workspace. I get more spam and fake invoices and DocuSign contracts than I used to.
Big title, little content.
Another subscription for software- and people outside HN hate paying for software- when outlook, apple and Gmail exist?
It's important that they're secure.
Is it possible to have E2E encryption on emails?
You literally have a proton email address on your profile.