The Future of Email (fastmail.com)
173 points by soheilpro Jun 12, 2026

48 Comments

sverhagen Jun 12, 2026
I find it hard to judge how much, if at all, this will help, but I'm all for email being more secure, to the point that organizations (banks, governments, insurance companies) stop creating walled-email alternatives: please log in to our secure message center, where you can only see our messages poorly formatted, and for a short time, until we permanently delete them. I like that my Inbox is a somewhat-searchable, historical record of my life, and these alternatives break that.
iLoveOncall Jun 12, 2026
> I'm all for email being more secure, to the point that organizations (banks, governments, insurance companies) stop creating walled-email alternatives

This will literally never happen. Email doesn't support the features that those messaging platforms need to have, such as recalling messages.

The security layers are also only on the sender part, not on the receiver part, which banks care a lot more about.

superice Jun 12, 2026
I know this is only tangentially related, but recalling messages is horrible. I hate that so many services will allow people to send me a message, give me a notification with a preview, but then the message gets edited or deleted. If you drop a letter in a physical mailbox, or slide a paper underneath the door, you cannot get it back either. This whole philosophy of 'we allow destruction of messages in a shared chat' needs to stop. The moment things are being sent, both sides are co-owner of that message. Not being able to recall messages is a good thing.

I'll settle for a brief edit (not retraction!) window after sending though, say 5 minutes tops.

Edit (I realize the irony): banks of course won't give a hoot about the receiver, the power dynamic is inherently not equal.

nosioptar Jun 12, 2026
With banks, I've found that offering to bring the matter up with the FDIC and/or fed regulators moves the balance of power to a less unfair level. "We have to use secure messages" turned into a willingness to use email in less than 6 hours last time I had an issue.
Hizonner Jun 12, 2026
> Email doesn't support the features that those messaging platforms need to have, such as recalling messages.

"Need".

LoganDark Jun 12, 2026
I love hearing that I received a "secure message", with no further detail. Straight to trash -- I don't read "secure messages". My inbox is probably more secure.
Symbiote Jun 12, 2026
I get secure messages from public authorities and companies in Denmark, which go to my secure 'mailbox' for this purpose. Of course, contracted out to some private company, and they'll probably change the contract again in 5 years.

The messages are usually PDFs, which isn't great for accessibility, e.g. using a translation tool.

jasode Jun 12, 2026
The gp isn't talking about spam using "secure message" as bait to open unwanted email.

Instead, legitimate companies like banks, healthcare, etc tell users to click on a url link to their "Secure Message Center" to read or submit some critical information. It's often the only way to get the info the users need.

E.g. if I open a payment dispute with the bank, the workflow they use is the Secure Message area. I can't just use my normal email client and upload some pdf attachments. Instead, I have to log into my bank website, navigate to their Secure Message area, and then upload the docs there to submit the claim. They also don't send followup status or final resolution in an email. Instead, you log back into the Secure Message area to read the case resolution. Similar for insurance claims.

Similar situation for asking a medical imaging center for some mammograms. They will not send those as PDF or JPG attachments directly to your email address. Instead, you log into a secure message area on a healthcare website and download it from there.

LoganDark Jun 12, 2026
> The gp isn't talking about spam using "secure message" as bait to open unwanted email.

No, this includes all messages from my doctor/healthcare. It's not mass spam.

Theoretically I could want to know what's in the message, but not enough to visit a website I've been logged out of again, perform multi-factor authentication, navigate to the message center and find the message and then back it up manually.

ses1984 Jun 12, 2026
It must be nice to not need to use that crap, but one day you might.
naravara Jun 12, 2026
I don’t understand how one doesn’t. I need to do it to look up status on health insurance claims and to access the tax documents for my financial accounts.

I guess you can avoid the email spam by just directly logging into the website when you need that stuff, but how else are they supposed to notify you when something new has happened?

ralferoo Jun 12, 2026
For instance, I received one today from HMRC (my country's tax body). I had to log in to find out what the contents were, in this case it was just a reminder of how much tax I need to pay by the end of next month.

As it happens, I already knew this because the previous bill 6 months ago also included this information, but the message itself was unique and important. Certainly, there would have been financial consequences if I didn't act on that information.

I would have preferred to receive the contents by actual message rather than having to log in to read it, but that's not an option they offer. It's certainly not safe to assume it can all just be ignored.

dheera Jun 12, 2026
> No, this includes all messages from my doctor/healthcare

Then IMO they accept the responsibility of me seeing the message potentially much later than if they had stated the concern up front in e-mail.

marysol5 Jun 12, 2026
At least in part, because of your workflow, is that it's a ticketing system. Much easier to manage than having people reply to e-mails (even when you specifically state "REPLY ABOVE THIS LINE!" they are absolute cretins.)
thefounder Jun 12, 2026
To have secure email I think html/css should be dropped from email support and the inbox should work on an invite only basis. Basically you should pre-authorize the senders just like you add someone as friend on a social network.
Angostura Jun 12, 2026
So... not e-mail then
fc417fc802 Jun 12, 2026
The necessary bits to facilitate that could be added on top of the existing protocol in a manner that doesn't break existing clients. Essentially it amounts to an out of band registration of the expected sender with your own server, likely by means of a short proxy code or phrase. Couple with key exchange to facilitate an E2EE extension at the same time, while also dodging the logistical issue that would otherwise arise when a sender has multiple addresses or the sending address changes.
coldtea Jun 12, 2026
Yeah, because email as a family of protocols never developed different capabilities /s
thefounder Jun 12, 2026
You can call it Secure-Email or RFC-99999
jen729w Jun 12, 2026
> Basically you should pre-authorize the senders

This is kinda what 'masked email' services like Fastmail's – of which I am a delighted customer – do.

Until you've known the comfort of creating an address; giving it to a service; deciding that you want to end your relationship with them; just deleting that address, without changing your mailbox or infrastructure or archives or anything else … it's kinda life changing. I recommend everyone try it.

Also, the chances of a phisher trying to get my BigBank details by sending mail to lonely.chicken6382@spuriously-named-and-unused-other-than-for-email-domain.com are … well, it seems unlikely.

I've never felt more secure. For real.

Hnrobert42 Jun 12, 2026
I like per recipient emails, but I worried how I would know I authorized that sender to send to lonely chicken. The original site could have been compromised.

That's why I bought my email domain and use <domain_name>@hnrobert42.com. It helps to use a password manager.

I get a lot of convincing emails to linkedin@hnrobert42.com. As well as zynga, wework, etc.

latexr Jun 12, 2026
> That's why I bought my email domain and use <domain_name>@hnrobert42.com. It helps to use a password manager.

Whenever there’s this discussion on HN, someone usually points out that can sometimes be a bother, especially when giving out the email in person, because people don’t really understand how email addresses work and ask “how did you get that email” or think you’re impersonating the service, or something similar.

I guess a solution might be to add the details sneakily. E.g. instead of linkedin@hnrobert42.com, saying robert_lkdn@hnrobert42.com

prepend Jun 12, 2026
And some sites seem to have it not work. I suspect there’s lazy programmers with hardcoded test cases.

But that’s like 1:100 or so. And usually I’m entering my address to a robot so it’s not an issue.

marysol5 Jun 12, 2026
The weird looks when I tell a shop my e-mail is "name plus sign shopname AT mydomain dot com"
inigyou Jun 12, 2026
I've done alice@myname.com, bob@myname.com, etc. I don't keep track of them carefully so I may pick the same name for two different sites.

It also makes it easier to pass off a fake realname! Hi I'm John Smith, jsmith@oneofmydomains-nottooobvious.com...

You can even pick a domain that sounds like a legitimate mail service or company, e.g. jsmith@jgs-consulting.com or jsmith@liberty-mail.io

All domains and addresses in this comment are fictitious - overlap with real domains is coincidental.

prepend Jun 12, 2026
I do something similar with prepend.com and find it helpful for sorting. Also fun to see which domains sell my email and which don’t (blacksocks.com hasn’t shown up from anyone else in 20 years).
marysol5 Jun 12, 2026
I use +, so username+domainname@email-vendor.com

Which is in the RFC, but yet the sheer amount of times I sign up for something. Like a bank, or a financial firm, get the confirmation e-mail, and then click "Verify your address"

And get HTTP500 as their SQL has kicked up a stink

tolciho Jun 12, 2026
(The RFC also allows for (recursive (comments, so there's probably a middle ground between insanely overengineered specifications and a )))regex( someone found on a PHP forum somewhere (and yes this post is a valid email address (assuming there is a local regex account (or alias)))
ksidjdjdjsjd Jun 12, 2026
Apple’s Hide My Email does the same thing and it’s just phenomenal.
patja Jun 12, 2026
Apple is a problematic email service provider. They don't even send DMARC reports.
ksidjdjdjsjd Jun 12, 2026
Irrelevant to the subject of the Hide My Email feature.
shevy-java Jun 12, 2026
Damn it - ublock origin did not block this promo.

The amount of bots promoting Fastmail here is insane. What the actual ...

datakan Jun 12, 2026
Hey.com email does this minus the blocking of html/css. You basically thumbs up or thumbs down a sender and they either go away forever or you happily trust what comes from them. It's been hit or miss on some stuff for me and I hate the way the website looks, but otherwise it's a great way of whitelisting senders.
noosphr Jun 12, 2026
Email supports text.

It's your client that's the problem.

I'm happy in my text only Emacs heaven.

I'm also happy with my custom 5 year old bert based spam detector which hasn't failed me once (unlike whatever gmail at work does).

This post was sent from Emacs.

arximboldi Jun 12, 2026
can you post some details about the spam detector, and just your general setup? I am also an emacs-emailer, using Notmuch, but never looked too deep into the spam story
azinman2 Jun 12, 2026
Have you put this up anywhere for others to use?

Fastmail’s spam filter is not very good.

deltarholamda Jun 12, 2026
> Email supports text.

Yes it does. However, I have sent messages to more than a few people who tell me that my message is completely empty. I have my client set to send text-only, no HTML, and apparently the system on the other side drops the HTML version altogether. Something on the other end only processes the HTML part. No HTML, no message.

(I believe these are Outlook/MS based systems, but I don't know for sure. It's certainly not ALL Outlook/MS systems that do this.)

For these people I have to set my client to send HTML. It's all well and good to blame them, but I can't make them do something. They may not even be in a position to do anything. And I don't have an option to tell them "too bad, so sad".

The email situation is really quite bad if you don't conform to the Big Three. I've run my own email infrastructure for a very long time, and it's quite irritating that when we get something good (like DMARC, SPF, etc) it gets forced by the Big Three because along with that we also get things like Google toying with the requirement that you have to have AAAA MX records too.

JimDabell Jun 12, 2026
> To have secure email I think html/css should be dropped from email support

I don’t think that helps at all. We already know how to consume that securely, we do it billions of times a day in web browsers.

> the inbox should work on an invite only basis. Basically you should pre-authorize the senders just like you add someone as friend on a social network.

Yes. A fundamental problem with email is that the only thing required to send email to somebody is knowledge of their email address, which as a recipient you cannot control. This is what enables spam and phishing. This needs to be changed so that in order to send email to somebody, you also need their consent. A “friend request” mechanism is one way of achieving this.

I think this is a problem that can be feasibly solved in a fairly reasonable way, and I sketched out a protocol for doing so a while back, which I described in more detail in this comment:

https://news.ycombinator.com/item?id=44969726

jader201 Jun 12, 2026
> A “friend request” mechanism is one way of achieving this.

But then you’re left dealing with spam “friend requests”, which is still something I have to take action on, filter out, or ignore — same as spam email.

JimDabell Jun 12, 2026
Having a trustworthy inbox that contains only legitimate email and a separate friend request queue where you can decide “do I know this person / organisation?” is far better than having a single inbox that’s a vast ocean of emails of unknown provenance you have to make a trust decision for every single email.
inigyou Jun 12, 2026
You can do this with email today. Heck, you could do it in 2001, I remember. Hotmail's "exclusive" spam filter policy where anything not from your contacts goes to spam, where you can decide if you want to add them as a contact or not.
the_bear Jun 12, 2026
Those "message centers" aren't just about security, they're also about compliance. For example, insurance companies need to be HIPAA-compliant which requires that they can only send health-related info to other HIPAA-compliant systems, which means signing a BAA (a contract) with those other systems. There's no way to do that with email (your insurance company can't sign a contract with every potential email host in the world, and they don't even know where the email will ultimately end up after they send it) so practically speaking, they're not legally allowed to send any health info via email.

It's extremely difficult to accurately identify which emails have health info and which ones don't (even something like a person's name or IP address could count depending on the context) so they just default to sending everything through their message center. No amount of email security could change that.

prepend Jun 12, 2026
Somehow they mail letters with info.

Encrypted email wouldn’t require a BAA.

b112 Jun 12, 2026
Dollar bills are essentially untracked, good everywhere, secure, work no matter what. Same goes for normal mail, and it's a federal offense to tamper with it.

Nothing electronic will ever be secure, unless it is never, ever networked. Networking changes "touch physical thing" into "everyone on the planet plus their bots" can touch it.

Even if you pass harsh laws, you need to geogate network connections to only within that legal jurisdiction. Otherwise, it's pointless.

The real, true problem is anonymousness. I used to advocate for, now I'm done. The problems anonymity solves are a gnat compared to the ones it creates.

I'm all for ipv8, but with a unique ID in the packet identifying the person directly.

I can't drive a car, own a gun, drive a boat, buy explosives, ply many trades, and 100 other things without a license. Maybe unrestricted internet access is in that category, and bad behaviour means it is revoked.

The Internet was a toy for a long time. Now it's the backbone of all commerce, industry, personal communication, with life threatening implications at times.

Play time is over.

inigyou Jun 12, 2026
Botnet operator says "Hey I'll pay you $1000 to use your connection for a month."
b112 Jun 12, 2026
And you go to jail.
the_bear Jun 12, 2026
I'm not a lawyer, but I'm currently working on getting my company HIPAA-compliant, so I know more than the average person about this.

My understanding is that there's a thing called the "conduit exception" which basically says that if data is transiently passing through a channel and it's not being looked at, it's ok. But wherever the data lands must be HIPAA-compliant.

This seems crazy to me, but that's how it works I think. For example, if you encrypt PHI and store it in AWS without signing a BAA with them, that's a HIPAA violation, even though the data is encrypted and Amazon can't see it. But if you send encrypted data through AWS without actually storing it, that's fine.

Mail is specifically mentioned as a thing that qualifies for the conduit exception. I'm not totally clear why it isn't a HIPAA violation the moment it arrives at a destination (it's not in-transit at that point, and it's potentially not in the possession of the intended recipient either), but it seems pretty well accepted that it's not.

All that to say: I think encrypted email would still require a BAA because it's being stored, not just transmitted.

cogman10 Jun 12, 2026
Honestly, I think it's just because it's a crime to open someone else's mail. For whatever reason that sort of policy isn't extended to encrypted data in the cloud.

It was a law written in the 90s, it should be updated and modernized.

Telaneo Jun 12, 2026
Same goes for phones (and by extension, fax). Since wire tapping is already illegal, it doesn't need to be secure (at least going by the law).

I agree the laws need an update. I'd imagine a general 'common communication channels' or whatever would work, rather than specifying every single one that's allowed to be used. That way, it's still illegal to snoop on your communications, regardless of whether they happen by post, phone, email, SMS, WhatsApp, or whatever else we end up using in 20 years.

Telaneo Jun 12, 2026
> My understanding is that there's a thing called the "conduit exception" which basically says that if data is transiently passing through a channel and it's not being looked at, it's ok. But wherever the data lands must be HIPAA-compliant.

Sounds like they needed fax to be compliant, and came up with some moon logic to make that happen.

cogman10 Jun 12, 2026
It's a crime to open someone else's mail and generally speaking the post office does a pretty good job of reliable delivery. Even if an address is a bit wrong/corrupted, it can likely be delivered just from the name and the zipcode.

Email is a lot harder. The older SMTP standard sends emails unencrypted so there's a possibility of a MITM reading the email. But also addresses if you get them wrong can end up in the wrong hands. For example, if someone sends an email to cogman10, I'll get it, but if they go to cogman1O I won't get it. A lot of the nuance of how secure and when it's secure gets erased by auditors to just "email is insecure".

inigyou Jun 12, 2026
The post office is heavily regulated not to open your letters with severe criminal penalties if they do. An attacker also can't quietly X-ray your letter in transit to get a sneaky copy.
prussian Jun 12, 2026
They also send faxes to providers as well. It's kind of ridiculous when you think of it.
jermaustin1 Jun 12, 2026
I think a lot of the HIPAA compliance can be signed away when you authorize them to send your medical information over email/voicemail/sms, but I'm not a lawyer, and my doctor doesn't email me anything but a link to log in to their EPIC portal.
aag Jun 12, 2026
So much work is done for HIPAA compliance, and then the only authentication required is a birth date.
zenoprax Jun 12, 2026
It is frustrating to know that we can digitally sign and encrypt messages but don't because "it's too hard for normal people".

With HIPAA, is it not possible to simply encrypt the message? The "forgot password" flow for their message center is probably email anyway.

I can upload my public key to SourceHut and all email from them becomes signed and encrypted. It's a one-time process to generate long-lived keys and another to set up with SourceHut and that's all I need to do.

nosioptar Jun 12, 2026
Those secure messaging platforms make it damned near impossible to make a backup. I've seen medical clinics delete messages that would have been bad for them in court.

As such, I tell anyone who sends me one to fuck off and send a real email.

marysol5 Jun 12, 2026
My bank does a PUSH notification that is "Please log into the app to read an important message", which is usually just my monthly statement or whatever.

And then also sends an e-mail, which sometimes I confuse and think is ANOTHER message, and log in again....

It has a "Download this message as a PDF" button, which just takes you to a web-browser wrapper....

WhyNotHugo Jun 12, 2026
I called my bank for some info recently. They can't email it to me, but they _can_ send it through postal mail. Should be arriving any time next week.

I'm sure there's a sum of compliance reasons why this is not allowed, but it doesn't make any sense at all.

w3ll_w3ll_w3ll Jun 12, 2026
What's the point of the article?
pbhjpbhj Jun 12, 2026
I'd say "advertise Fastmail".

They have an MCP end-point, they want to market to both AI proponents and critics -- that's about what I learnt from scanning the article.

reddalo Jun 12, 2026
Yeah, it's just a simplified explanation of what SPF, DKIM and DMARC are. Nothing new.
whh Jun 12, 2026
I feel like I just ate a sandwich made entirely of corporate air.
dgellow Jun 12, 2026
As coming from fastmail I expected something more substantial, it seems to be low quality marketing
Hugsbox Jun 12, 2026
I've heard nothing but good things about Fastmail, but this article in particular is literally just pointless fluff.
reddalo Jun 12, 2026
Yes this kind of article makes me lose trust in Fastmail
zhouzhao Jun 12, 2026
Bit of a nothing burger.

Big title, little content.

whh Jun 12, 2026
I was definitely expecting profound insights into the next decade of digital communication...
oakinnagbe Jun 12, 2026
We’re basically outsourcing email judgment to AI, then trying to compensate by strengthening SPF/DKIM. That feels like hardening the locks while handing out more master keys.
cryo32 Jun 12, 2026
I think there's several things going on at once in that space. This is just their vocalisation of it because it suits them.

The thing is Fastmail can't speak with absolute authority about email because Fastmail is not email. It's subordinate to it.

itskokeh Jun 12, 2026
Emails are very important especially at this age of rapidly changing technological landscape.

It's important that they're secure.

Is it possible to have E2E encryption on emails?

vbezhenar Jun 12, 2026
Of course it is possible to have E2E encryption on emails. You can have E2E encryption on everything. Just use `age` and encrypt your message with sender public key. Easy.
zikduruqe Jun 12, 2026
> Easy

vbezhenar, this is your grandmother. I just got an email from you with a bunch of gobbledygook and I can't read it. /s

If it were that easy, everyone would be doing it.

marysol5 Jun 12, 2026
I used to always use GPG, had my keys listed on keybase, which cross references my social media and websites to validate they're me. And there already is the first problem, how do you get and trust a public key? Key servers are chock full of fake keys. Just search Linus Torvalds on there...

But even then, the sheer amount of people who'd complain and wonder what the block of base64 data was at the bottom of the e-mail, or the strange attachments I'd have (including signing other attachments) was too much to have to deal with. For the once in a million people who ever looked at key signing...

zikduruqe Jun 12, 2026
I use GnuPG daily and mandate that everyone in our organization do the same. As part of the onboarding process, I have a doc explaining how to install GnuPG, generate keys and how to share their public key in a specific place in our network.

Once you force people to do it, it is not terrible once they get the hang of it.

fooqux Jun 12, 2026
> Is it possible to have E2E encryption on emails?

You literally have a proton email address on your profile.

Hugsbox Jun 12, 2026
my brother in christ
collabs Jun 12, 2026
I was hoping this would be about JMAP.
LoganDark Jun 12, 2026
I didn't know what JMAP was but upon looking it up, I agree
OJFord Jun 12, 2026
JMAP's been Fastmail's future of email since circa 2016 iirc; it seems unlikely Google will ever get on board (NIH?) so it's doomed to remain not completely standard and fairly niche/popular but struggling for (technical) support.
josephg Jun 12, 2026
We'll see. I think mass JMAP adoption is really waiting for either apple (mail.app) or google (gmail) to jump on it.

My favorite feature of JMAP is that it gives you a single, consistent API endpoint that works for native clients, webmail and programmatic clients (like, backup scripts and things like that). JMAP means you don't have to invent your own REST API for webmail. Unfortunately, gmail, yahoo mail and all the rest predate JMAP. So it doesn't really help them in the same way.

It'd be lovely to get thunderbird working with JMAP!

roenxi Jun 12, 2026
This was the post where I learned about SPF, DKIM, and DMARC which seems like a nice technical win. It isn't text encryption but it goes to show there is still room to improve on the basic email situation.
internet_points Jun 12, 2026
I've been a happy Fastmail customer for years, and one of the best things about Fastmail has been how they just incrementally make things slightly better, as if they somehow haven't learnt how to enshittify.

So on seeing this title, I was a bit worried.

> It’s worth being transparent about what that looks like at Fastmail: we haven’t integrated AI into your inbox, and your mail isn’t being processed by a model in the background. Our MCP server is simply an API endpoint available if you want to connect an AI client of your choosing with your explicit authorization, and nothing changes if you don’t.

Phew.

arpinum Jun 12, 2026
BIMI certificates cost over $1,000 / yr right now. For me that's a feature. I wish the fallback in my mail client was a big untrusted symbol rather than sender initials when they aren't in my address book.
danielhep Jun 12, 2026
I love fastmail, I switched from Proton a couple years ago after deciding the trade offs to have encrypted email were not worth it, since even if I fully trust Proton, most emails come from or go to AWS, Outlook, or Gmail anyway. I have been extremely happy with the service. Fairly priced, very fast even with a huge inbox, and they don’t add unnecessary features or bloat. I thought I would use my OS’s mail apps but the fastmail app and website are so good I just use that.
wycy Jun 12, 2026
What were the tradeoffs with Proton?
cianmm Jun 12, 2026
As a Proton user - the main trade-off for me is that you are forced to use their apps on mobile, and those apps are pretty barebones and (on iOS at least) have none of the bells and whistles of a modern iOS app, such as Home Screen widgets.

Since I use my own domain for email, I am considering moving over to another provider once my subscription term is up. I really miss widgets.

danielhep Jun 12, 2026
For me it was search. The proton apps are the only way to access email on mobile, and on them and on their webapp the search barely functioned, even with full text search downloaded. The only way to reliably search my email was with Proton Mail Bridge on desktop, but for some reason it continuously was using CPU on my laptop and of course didn’t work on mobile. If they made a server version that I could put in a docker container on my server it would probably solve most of my problems with Proton, because then I could access it from the Mail app on my phone over IMAP.
jabroni_salad Jun 12, 2026
for me there were two:

no caldav support so I couldn't get my next appointment as a widget on my phone. Similarly, your contacts in proton are trapped there and cannot sync with any other system (such as your phone...)

limited quantity of aliases compared to fastmail. this is actually a really sticky feature with fm from what I've been seeing. I would have to rename a bunch of accounts or switch to using a catchall to transfer out.

bloggie Jun 12, 2026
When I cancelled Proton the subscription ended immediately instead of running out the clock on the time I had paid for. Left a really bad taste in my mouth.
raffael_de Jun 12, 2026
I'm using Fastmail for more than 9 years. Especially since they added offline support to their app, there's nothing left why I would even remotely consider leaving them.
Diti Jun 12, 2026
What about the fact it’s a US-based product so you’re under forced Five Eyes data collection?
ImJamal Jun 12, 2026
Fastmail is not a US product, it is Australian. Australia is part of 5 Eyes though.
danielhep Jun 12, 2026
Almost every email is going to or coming from US servers anyway. Better to treat email as insecure and use something else for more secure communication.
raffael_de Jun 12, 2026
Correct. I mean if you send from ProtonMail to GMail (which will be 90% of private conversations) you're an open book anyway. And if you want to be sure then there's PGP et al.
p2detar Jun 12, 2026
And how does Protonmail help when Switzerland has signed the Mutual Legal Assistance Treaty with the US? If they need anything, they’ll get it.
mthoms Jun 12, 2026
The Fastmail desktop app is literally a wrapped version of their website but with the added feature of... get this... no back button (or equivalent shortcut).

My 30 years of muscle memory using webmail is made useless by this "app" because some web developer somewhere wants to cosplay as a desktop app developer now.

It's not an oversight either. It's an intentional choice to not have a go-back-to-previous-page keyboard shortcut. A customer support person said they would add it as a "feature request". Gee, thanks.

steve_adams_86 Jun 12, 2026
It might be worth learning their hotkeys because they're pretty efficient in many cases (potentially including cases where you want the back button). They work in the browser and the app:

https://www.fastmail.help/hc/en-us/articles/360058753534-Key...

Not saying your complaint is invalid at all.

throwwwll Jun 12, 2026
The Future of Email is obsolescence.
orgad Jun 12, 2026
good luck
zazuke Jun 12, 2026
The easiest and best filter is to screen emails. Only emails that were screened in once go to your inbox. It's that easy. HEY.com introduced it, and I can't see email without it; that's why I integrated it into my TUI email client, neomd [1]. Since then, when I get an email from Amazon that lands in my "To Screen" box, I am automatically alerted and know it is potentially spam, because I have approved Amazon and legit emails land in my inbox. Check it out, it's that easy. Neomd works with Fastmail or any other IMAP/SMTP email provider.

No AI needed, and also no stupid AI summary, as you only get a few legit emails to your inbox, never spam anymore.

[1] https://neomd.ssp.sh

bradfa Jun 12, 2026
So the natural extension of this would be plugins which have curated open source allow-lists? Similar to how I trust uBlock Origin's default ad filtering block-lists, I would similarly trust a curated open source allow-list for email domains, and then I would add my own from the "to screen" folder?
zazukeJun 12, 2026
Oh, that's a great idea. Currently, every user has their own private list (it's just text files). It takes a bit of work initially, as you need to approve each email, but it's totally worth it. And it must be per user IMO, as your friends and family have different emails, so it's less about public or legit domain, but more what domain and e-mail YOU trust.

But great idea, what I added is the opposite direction: showing if a sender used spy pixel. There I used public spylists I found.

GlibMonkeyDeathJun 12, 2026
This is basically where I (and I imagine many others) have landed with the telephone. Anyone not in my contacts goes to voice mail. Made my phone usable again.
zazukeJun 12, 2026
still not many are doing it with emails. but great point, though we all still have to pick unknown calls here and there as we expect someone, so with the email screener it's even better, as each email has a sender.
GlibMonkeyDeathJun 12, 2026
That is the drawback - sometimes important calls come from someone not in my contacts (like an emergency where someone borrowed a phone, or a contractor trying to call you.) Still, the beauty of voice mail is that, if the caller is really trying to reach you, they will leave a message. Some random number with no message is almost assuredly spam. That model wouldn't work with email (you would need an equivalent real-time notification of an email going to a spam folder, then the user would have to decide to send to spam or not send anything.)

Anyone without caller id is also suspicious. Emails have a sender, but it is also about as reliable as a caller id (i.e. not very) when it comes to identity.

hylarideJun 12, 2026
This certainly helps, but I still get spoofed calls from my bank - and there's legit reasons for my bank to contact me.
jdw64Jun 12, 2026
These days, it seems that what they call security is just isolating oneself
sphJun 12, 2026
A lot of nonsense about AI and this: "The inbox of the future will be faster, smarter, and more capable than what most of us use today"

Please, Fastmail, don't fuck this up. I have been a happy customer for years. Do not fuck this up with idiotic AI systems. I just want reliable email.

upofadownJun 12, 2026
>Anyone can put anything in the “From” field of an email.

... and then the article goes on to talk about SPF, DKIM and DMARC which authenticates only the domain part of the "From" field. So just the reputation of the email server, not the entity that sent you the email. If things get as bad with AI generated deception as suggested by the article this wouldn't be good enough, we would have to start signing our emails again. Emails from entities we don't know would have to be treated with a high level of suspicion.

I am not convinced that things will for sure really get that bad. How can an AI figure out the email addresses of our correspondents? They are not magic.

greengreengrassJun 12, 2026
What's the point of this article? The most I got was "email is here to stay," followed by some discussion of an MCP server for their proprietary mail platform.

I particularly don't understand the constant fanfare around discussions of SPF/DKIM/DMARC. They're widely understood, published RFCs that have been around for at least 10-15 years, some of them longer. They're not obscure folk wisdom passed down through generations of sysadmins, yet I read so many documents and articles that make it sound like a proprietary trade secret that the authors of such articles are graciously revealing to the world.

hliyanJun 12, 2026
Agreed. I had some vague hope that this article made it to the HN hope page because someone was saying what needs to be said: that the future of email should be protocols over platforms, as it was in the past. Mail servers and mail clients.
layer8Jun 12, 2026
> HN hope page

Nice. ;)

aquariusDueJun 12, 2026
Yeah, it's the same thing with self-hosting email. The technical side is documented and the tradeoffs are well known. It's the up front effort of migration, maintenance and mails landing in spam that gets people down and so on. Though once you get going it's supposed to become easier with time.

Also there's a spectrum from Gmail to Fastmail to AWS SES to Wireguard on a VPS that's tunneling to a server running at home. And when the people from both extremes of the spectrum interact they look at each other as if they're from other planets.

It's the same for Auth stuff I believe, almost a decade of generic advice like "don't roll your own auth" has led some people to file it into a tidy corner of their mind labelled "DON'T TOUCH" so most people end up gawking and staring in awe when someone does so and lose all nuance along the way. To be clear I'm advocating for learning how stuff works and playing around with it (time permitting) instead of simply delegating it to the technical equivalent of Higher Powers in perpetuity.

joshkaJun 12, 2026
Same - I plugged it into ChatGPT to check if I'd missed something contentful. I hadn't really. Not news, more survey of things that matter a bit. If you know those things already then this is just fluff. Nothing about the future, more just here's some things I like.
the_bearJun 12, 2026
I was going to say the same thing. I only saw two things that are sort of about the future and not the past:

- BIMI (I hadn't heard of that before) which seems like a very minor thing to be calling "the future of email"

- AI might be easier to trick than humans

On that second point, here's the exact text:

> A person reading a suspicious email might notice that the sender’s domain has an extra character, or that something about the request feels off. An AI assistant scanning your inbox for items that need action may not slow down to check those things.

That seems wrong (AI should be better at this than the average human), but let's assume that assertion is correct. It then says "authentication is the safeguard that should stop it before it ever reaches your mailbox". Except then, a few paragraphs down, it says "A scammer with a convincing look-alike domain and a properly configured DMARC record will still pass sender authentication checks." Ok, so authentication isn't a solution to the stated problem at all (it does solve a different problem). And unless I'm missing something, no solution is proposed. No statement is made about what the future actually looks like.

Like you said, what is the point of this article?

jprjr_Jun 12, 2026
Lookalike domains are a problem but in my opinion the bigger problem is when attackers figure out how to hijack a real domain.

For example, making a company named "there's a problem with your account call this number" on a site like PayPal and getting it to generate emails. They'll be from actual paypal.com and pass all authentication.

The other issue I'll often see is subdomain takeovers. Company makes a subdomain a CNAME to some other, external domain. Usually with the intention of hosting a webpage externally or whatever.

That other domain expires, but the CNAME doesn't. Somebody buys up the external domain, now they can publish SPF records and pass DMARC relaxed alignment on the organizational domain.

Now you can send all the emails you want with literally anything you'd like and the providers will say "yep, this passed DMARC."

jprjr_Jun 12, 2026
> They're widely understood

I'll tell you right now, I've had multiple cases where I've had to quote parts of the RFCs to large companies because they were handling email authentication incorrectly.

They are wildly misunderstood. The moment I see "add this include: directive to your SPF record" in some marketing platform's integration documentation I know they're going to fuck something up.

To add-on, the really pro move is to not touch the client's SPF record at all. Use your own domain in the SMTP envelope and have SPF be valid for that. Just have the client establish DKIM records and use DKIM, and only DKIM, to pass DMARC.

If you insist on using the client domain in the envelope, make it a subdomain with MX records back to your infrastructure (so you can track bounces). That will pass relaxed alignment - or just use a subdomain in the from and now you're passing strict alignment as well.

Most companies have no idea how the envelope domain impacts bounces and frankly, don't care about tracking them.

A shockingly high number of companies have no idea of the concept of the envelope address.
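The alignment cases discussed in the comments above (a platform's own envelope domain with client DKIM, a client subdomain in the envelope, and SPF passing on a subdomain someone else controls), worked through as an added example that is not part of any comment in this thread. The domains, messages and the tiny public-suffix set are constructed for illustration; a real evaluator uses the full Public Suffix List and live SPF/DKIM results.

```python
"""DMARC identifier alignment (RFC 7489, section 3.1) over constructed messages."""
from dataclasses import dataclass, field

# Constructed stand-in for the Public Suffix List; a real evaluator loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "edu", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Mode 's' (strict) needs an exact match; 'r' (relaxed) only the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class Policy:
    p: str
    aspf: str = "r"   # SPF alignment mode, relaxed unless the record says otherwise
    adkim: str = "r"  # DKIM alignment mode, relaxed unless the record says otherwise


def parse_dmarc(record: str) -> Policy:
    """Parse the tags this example needs from a DMARC TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return Policy(tags["p"], tags.get("aspf", "r"), tags.get("adkim", "r"))


@dataclass
class Message:
    header_from: str    # domain of the From: header address
    envelope_from: str  # domain of the SMTP MAIL FROM (bounce) address; SPF checks this
    spf: str            # SPF result for envelope_from: "pass", "fail" or "none"
    dkim: list = field(default_factory=list)  # (d= domain, result) for each signature


def evaluate(msg: Message, policy: Policy) -> dict:
    """DMARC passes if SPF or DKIM both passes and aligns with the From: domain."""
    spf_ok = msg.spf == "pass" and aligned(msg.envelope_from, msg.header_from, policy.aspf)
    dkim_ok = any(result == "pass" and aligned(d, msg.header_from, policy.adkim)
                  for d, result in msg.dkim)
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "deliver" if passed else policy.p}


# Constructed messages; example.com is the client, example.net the sending platform.
SCENARIOS = {
    "platform envelope, client DKIM":
        Message("example.com", "bounces.example.net", "pass", [("example.com", "pass")]),
    "client subdomain in envelope, no DKIM":
        Message("example.com", "bounce.example.com", "pass"),
    "same subdomain in envelope and From":
        Message("bounce.example.com", "bounce.example.com", "pass"),
    "SPF pass on a subdomain someone else controls, no DKIM":
        Message("example.com", "promo.example.com", "pass"),
    "platform envelope, platform DKIM only":
        Message("example.com", "bounces.example.net", "pass", [("example.net", "pass")]),
}

RELAXED = parse_dmarc("v=DMARC1; p=reject")
STRICT = parse_dmarc("v=DMARC1; p=reject; aspf=s; adkim=s")


def run_all() -> dict:
    """Outcome of every scenario under the relaxed and the strict record."""
    return {name: (evaluate(m, RELAXED)["disposition"], evaluate(m, STRICT)["disposition"])
            for name, m in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (relaxed, strict) in run_all().items():
        print(f"{name:58} relaxed={relaxed:8} strict={strict}")
```

Under the relaxed record the message whose SPF passes on `promo.example.com` is delivered as `example.com`; with `aspf=s` it is rejected, while the DKIM-only platform setup keeps passing in both modes.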

marysol5Jun 12, 2026
I wouldn't recommend for your own mental stability to look at /r/sysadmin when it comes to any sort of DNS or E-Mail issues. It really shows just how many bad systems administrators there are out there, who do not have a basic understanding of the systems they're using.
jprjr_Jun 12, 2026
Just a few years ago, Atlassian required you to add an unnecessary include: record to your SPF record, and wouldn't use your domain for emails until they scanned your SPF record for that include. https://jira.atlassian.com/browse/AX-1477

You'd think companies generating as much email as Atlassian would know what they're doing.

TitaRusellJun 12, 2026
Paying for email will never be the future of email.

Another subscription for software- and people outside HN hate paying for software- when outlook, apple and Gmail exist?

scary-sizeJun 12, 2026
Have been paying for Fastmail for years. It’s actually fast and lets me use my own domain. (And doesn’t shove AI down my throat). Cash well spent.
upofadownJun 12, 2026
The article makes a reference to the failed ARC (Authenticated Received Chain) proposal which was intended to help DKIM not break email forwarding:

https://www.ietf.org/archive/id/draft-adams-arc-experiment-c...

It will be interesting to see if Google can be convinced to move away from ARC to something else. Gmail is all about email server reputation these days so they can reliably treat email servers they don't like badly.

thelastgallonJun 12, 2026
Recent discussion:

Gmail Thinks I'm Stupid, So I Left: https://news.ycombinator.com/item?id=48375016

thelastgallonJun 12, 2026
Are there any options left at all to self host email?
lloekiJun 12, 2026
You can absolutely set up SPF, DKIM, and DMARC for yourself, it's really not that hard if your difficulty reference point is self hosting email. I did it like 10 years ago and I don't think it has changed.

Self hosting is hard (which is why I just use Fastmail now), but it's not because of that.

liftyJun 12, 2026
Sure, I do it, and many others. Some people say it's hard, but I think it's much easier than it used to be, technically. You have projects like https://stalw.art which make it quite easy. Single binary setup which covers all functionality you need. Setting up SPF, DKIM and DMARC is also easy. The only thing that remains is IP reputation, but even then, I haven't had major issues. People seem to receive the few emails that I send.
OJFordJun 12, 2026
Tonnes? I don't like to say 'just search for it', but seriously you'll get more out of that than a response here. Personally I use SES for the 'hard' bit, but there's loads of OSS if you want to self-host the actual receiving too. (Sending probably requires more time looking into getting a trustworthy static IP than software. Again, I bypass that by using SES, but that's technically only self-hosting storage & client.)
sylwareJun 12, 2026
email is turning into a walled-garden of big tech.

For instance, I am self-hosted, that without DNS. The email designers were careful to make the email system work without DNS, that with email addresses with IP literals: mailbox@[x.x.x.x] and mailbox@[ipv6:...] (and I guess once ipv4 is really gone, the ipv6: prefix will be dropped).

This is stronger than SPF, since as soon as the IP literals in the envelope and the various "from" headers do not match the actual IP from the sending SMTP server, the email is dropped, not even going in spam.

If I send such email to gmail for instance... I get a 'missing a DNS PTR' record, go to hell. How, convenient, to send an email there, you must have bought a DNS domain, knowing perfectly that most registrars nowadays are gated by the web engines of the whatng cartel... which gogol, then gmail does belong to... how convenient, the crime is almost perfect, I don't put that on the account of incompetence, this is beyond that, we are in the realm of toxic malice.

I do presume now they know what they are doing, killing all small tech, or self-hosting is in their agenda of dominant internet corporation.

cryo32Jun 12, 2026
I think it's more they simply don't register small tech and self-hosting.

In time there will be a reckoning though. The geopolitical instability at the moment will see the end of the US dominant services used outside of the US so they will have to work out how to make a not small but balkanised email provider model work again.

einpoklumJun 12, 2026
> In early 2024, Google and Yahoo began requiring

Here's a big part of the problem right there. Google requires something, it becomes a requirement. In fact, Google's hold on email is a problem in itself. Among other things we need variety. Without it, "Google begins requiring" will be a recurring theme. It's happening again now with mobile phone apps! "Google begins requiring" that you register with them so that the apps you write can be installed on Android phones.

> This shifted authentication from something senders could deprioritize to a basic prerequisite for reaching inboxes.

And later, Google and a few other large players could just prevent individuals and smaller email service providers from being able to send email, at all.

> so the filtering systems can tell where bad content is coming from and avoid hurting the reputation of the wrong parties.

Be ready for people who don't register with the big corporations to be marked as having "bad reputation" and being simply blocked. There might be some technical excuse.

> The inbox of the future will be faster, smarter, and more capable than what most of us use today.

That sounds like the inbox of the future might be controlled by somebody else. I don't like that at all.

2000UltraDeluxeJun 12, 2026
Disclaimer: I do some work for one of Gmail's competitors.

Of all the stuff Gmail imposes on the rest of the world, requiring proper sender authentication was a good thing and we've helped thousands of senders set up proper authentication because of it.

Forcing the issue finally got rid of the ridiculous practice of ignoring SPF/DKIM failures and just setting the DMARC record to p=none.

None of this changes the fact that Gmail is a problem for so many other reasons, but this specific imposed change was a net benefit for the entire email ecosystem.

jprjr_Jun 12, 2026
Honestly requiring DMARC was overall a good thing.

I was an email admin for a university. In the past - each college ran their own email. Before DKIM, before SPF, you'd just have basically random servers on the internet sending email as (school).edu. Tons of random subdomains too. math.(school).edu and so on.

Email was eventually centralized but you'd have parts of the university still running their own things. Insisting they're special and can't be brought into the fold.

So, we had a lot of stuff out there just not passing authentication. A lot of spammers could just impersonate our domain.

We'd go to leadership and say "hey we should really get our act together" - but everything was working. Our emails were still getting out. Hard to justify spending the time, getting various higher-ups within departments to give up their things, and so on.

Unless you can get like, the president to back your initiative- universities are very decentralized and it becomes an issue of "do we have the political capital to spend here." The overall relationship between central IT and the various college-based IT departments was terrible, often bordering on combative.

Google and Yahoo made it so we could go to leadership and say "people will not get our emails if we don't get this straightened out" and it became a priority. When I left our DMARC reports were showing something like a 99% pass rate when it was previously like, 50.

So, I'm glad Google and Yahoo made that call, it gave us the kick in the pants we needed to get our own shit together. I am 100% certain we were not the only org like this.

Plus for a small host - where you're just running a single mail server or something - you just need a few things to pass DMARC.

A DMARC record, and an SPF record, and for your emails to pass SPF. You technically don't need to do DKIM signing (though I'd still recommend it because that survives automated forwarding).

shevy-javaJun 12, 2026
They really want to kill anonymity. That's a hit piece if ever I saw one - and a very poor, unconvincing attempt at promo. Shame on you, Fastmail.
jgalt212Jun 12, 2026
> The first is AI filtering: the systems that decide what’s spam, what’s phishing, and what deserves your attention.

Not so for Google Workspace. I get more spam and fake invoices and DocuSign contracts than I used to.

fiskebenJun 12, 2026
It's insane that in 2026 signing and encryption of emails still isn't the norm, but as long as the business model of the largest email vendors rely on us not having it, I guess we never will.
nicceJun 12, 2026
None of the big providers want that. Otherwise Microsoft would find it more difficult to share the Outlook data with 1000 partners.
jcranmerJun 12, 2026
In 2026, pushing for encryption of emails is a sign that you care more about box-checking requirements rather than actual security practices. Encrypted email sounds good--it's encrypted, how can that be bad?--but when you actually work through various threats and see what encrypted email protects against, it's really not much compared to the status quo, and encrypted email also turns out to lose a lot of features.

Keep in mind that the baseline is that, when you send an email, it is encrypted from your computer to your email server, your email server to your recipients' email servers, and your recipients' email servers to their computers. The only people other than you and the recipients who can see it are the email servers involved in the middle, so the best you can get with encrypted emails is maybe cutting out some of the entities that have a critical role in the process (and which therefore can't entirely be cut out). In particular, encrypted email leaves all the email headers public, so it's not like the best case here is particularly private.

But encrypted email also breaks the ability to do any server-side processing of email, like server-side email filters (okay, not the hugest loss in the world). Or spam processing--no one's come up with a workable solution here, especially given the vast amount of spam that never hits an email folder (the things that get routed to your spam folder are the emails your spam filters aren't sure are spam). Users also expect the ability to log onto their email server's website and just read their email: such webmail is the dominant email client used, and even people like me who almost exclusively use email clients still end up using a webmail client from time-to-time. You can fix this by giving your email server your key... which puts them back on the list of people who can read your email again, oops, you've gained nothing over the status quo.

Worse still is the problem of key distribution. To send an email, you need to look up the recipients' keys... and the most practical approach to make that work at scale is probably to ask the mail server what its users' public keys are. The one entity that is guaranteed to be able to intercept literally every message to somebody, and thus is in prime position to offer its own key instead, strip the encryption, and re-encrypt it to the user without anybody else finding out. Alternative approaches like keyservers don't work: the PGP keyserver ecosystem collapsed several years ago when PGP encryption was of interest to fewer than a million users, far less scale than the billions of email users.

Encrypted email is a useless pipedream, and not because of the business models of email vendors, but because the architecture of email provides good-enough security today that makes improving on it very challenging without negating the supposed benefits of extra encryption.

marysol5Jun 12, 2026
>Or spam processing--no one's come up with a workable solution here, especially given the vast amount of spam that never hits an email folder

The origins of "Bitcoin" was actually a PoW system to send e-mail to a server!

jcranmerJun 12, 2026
So Hashcash was, as far as I'm aware, the first PoW system ever developed, but I'm not aware of it ever actually being deployed as an antispam measure. And indeed, the history of bitcoin also demonstrates why Hashcash would have ultimately failed as a spam-prevention measure: bitcoin can only be effectively mined by large, dedicated farms (or just outright stealing others' resources). There is no clearing price for compute that would have let regular people (especially those on anemic hardware, think "feature phone in Africa") send email while prohibiting people with access to large resources (e.g., botfarms) from mass email.
iamacyborgJun 12, 2026
> as long as the business model of the largest email vendors rely on us not having it

The model literally can't function if emails are encrypted. They have to be unencrypted for all the ML to run for the inbox to actually be useable.

stavrosJun 12, 2026
The new email isn't email at all, it's something like Matrix, or Signal (if you don't mind the centralization). Excellent encryption with great UX.
eggbrainJun 12, 2026
I feel we need a "proof of work by human" for emails. Something that could be signed that attests that someone took the time to write the email, not just sent a template / used AI to auto-generate a personal looking email, etc. Sure that could be gamed as well (have an AI write characters one by one to look more human-like), but taking more time usually is a fairly good blocker for spammers / salespersons / etc.
dgellowJun 12, 2026
I would love for a proof of human work to exist, but how would you even do that? It would need to be monitoring the user activity in their email client, which isn't something that can be trusted by a server (and is pretty shady).

But that makes me think of Hashcash, that was developed to limit email spam via proof of work, but I don't think that has ever been used in practice: https://en.wikipedia.org/wiki/Hashcash (and of course wouldn't work for the proof of humanness you're talking about).
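The Hashcash scheme mentioned in this comment and in the earlier proof-of-work subthread, as an added example that is not part of any comment here: a sender mints a version 1 stamp by brute force, and the receiver checks it with one SHA-1 hash plus recipient, age and replay checks. The address, salt and bit counts are constructed, and the hexadecimal counter is a simplification of this sketch.

```python
"""Hashcash version 1 stamps: minting costs about 2**bits hashes, checking costs one."""
import hashlib
import itertools
from datetime import date, datetime


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits before the first one bit of the digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def stamp_bits(stamp: str) -> int:
    """Work actually present in a stamp: leading zero bits of its SHA-1 hash."""
    return leading_zero_bits(hashlib.sha1(stamp.encode("utf-8")).digest())


def mint(resource: str, bits: int, day: date, rand: str):
    """Search for a counter that gives the stamp `bits` leading zero bits.

    Stamp fields are ver:bits:date:resource:ext:rand:counter.
    Returns (stamp, hashes_tried) so the sender-side cost is visible.
    """
    prefix = f"1:{bits}:{day:%y%m%d}:{resource}::{rand}:"
    for counter in itertools.count():
        stamp = prefix + format(counter, "x")
        if stamp_bits(stamp) >= bits:
            return stamp, counter + 1


def verify(stamp: str, recipient: str, min_bits: int, today: date,
           seen: set, max_age_days: int = 28) -> str:
    """Receiver-side check; returns "ok" or the reason the stamp is refused."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return "malformed"
    try:
        claimed = int(parts[1])
        issued = datetime.strptime(parts[2], "%y%m%d").date()
    except ValueError:
        return "malformed"
    if parts[3] != recipient:
        return "wrong recipient"      # a stamp minted for someone else buys nothing here
    if claimed < min_bits or stamp_bits(stamp) < claimed:
        return "insufficient work"    # too cheap, or claims more work than the hash shows
    if abs((today - issued).days) > max_age_days:
        return "expired"
    if stamp in seen:
        return "replayed"             # each stamp pays for exactly one message
    seen.add(stamp)
    return "ok"


if __name__ == "__main__":
    today = date(2026, 6, 12)         # constructed date
    spent = set()
    for bits in (8, 12, 16):
        stamp, tried = mint("alice@example.com", bits, today, "c29tZXNhbHQ")
        result = verify(stamp, "alice@example.com", bits, today, spent)
        print(f"bits={bits:2} hashes tried={tried:6} verify={result} {stamp}")
```

Each extra bit doubles the expected minting work for every sender alike, which is the pricing problem raised in the thread: a value high enough to slow bulk senders is also the price paid by the slowest legitimate device.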

dbdrJun 12, 2026
What about automated signup confirmation emails, just as one example?
BatteryMountainJun 12, 2026
I want to give my bank my public key (preferably at a branch), so that ANY comms coming from them I can prove it came from them as.
bingemakerJun 12, 2026
In the world of AI, I think the future of email is deliver-ability.

The new fad is "loop". And any loop should have a trigger. Rather than having countless integrations, let all the triggers go to email, and those triggers trigger loops. I feel AI can kick off from personal/shared inboxes to deliver meaningful outcomes

JgrubbJun 12, 2026
If only there were some interest on the part of Big Telco to solve these types of problems.
jollyjerryJun 12, 2026
It's frustrating not being able to send email for my hobby projects even if I follow all the rules and have the correct headers. I enjoyed reading jeremyevan's post on self hosting email, but it's only for receive and not send https://code.jeremyevans.net/2021-07-29-running-my-own-email...
timwisJun 12, 2026
I read this article and was surprised when I reached the end because the whole thing felt like it was setting the stage for some announcement or new thing. But nothing came..? Forgive me if I'm being thick but what was the takeaway?
LearnYouALispJun 12, 2026
"A crummy ad??"
nickpetersonJun 12, 2026
They want you to drink your rich chocolate email.
reaperducerJun 12, 2026
Downvoters are obviously not fans of A Christmas Story.
jimbobimboJun 12, 2026
As a fastmail user I'm glad there was no announcement. Every time a company starts telling me about some bright future, this usually means my user experience is about to sink.
frereubuJun 12, 2026
But there is an announcement, called "The Future of Email", which is a clickbait title that would be much better titled with the last header of the last paragraph: "Email is not going anywhere".
rifficJun 12, 2026
I thought as well - it seemed like it was poised to say something about JMAP:

https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol

nunezJun 12, 2026
Same; I was preparing for the "exciting new AI" announcement.
jprjr_Jun 12, 2026
That was how I felt. "The Future of Email", from Fastmail - I immediately assumed some big announcement.

It's basically "you need to pass DMARC now" which has been true for 2 years.

It also goes into how authentication helps stop spoofed domains which yes, is true. But in my opinion the biggest problem isn't spoofed domains at all.

Attackers will figure out how to make your payment platform (PayPal, Stripe, etc) send out emails. They'll figure out what pieces of info make it into the generated emails, so they'll do things like set their company name to "there's a problem call this phone number." So next thing you know you're getting an email from PayPal that sounds urgent because they'll put that company name in the subject or body of the email.

These emails will be legit, from-the-actual-company, passes-all-authentication emails. DMARC can't catch that, and that's what I've been observing attackers do. They'll find a ticketing system or payment processor and get them to generate "authentic" emails.

I was sincerely hoping that Fastmail had something to deal with that problem.

sgcJun 12, 2026
I thought the most interesting part of the post was that they have an mcp endpoint for bring-your-own agents, and they won't be force feeding ai on anybody. In the security context of the post, they mean that you are responsible if your ai is duped into falling victim, or tricked to send malicious mail.
arrowsmithJun 12, 2026
Yeah I had the same reaction. From the title I was expecting to find out what the "future of email" is. I'm still waiting.
bensyversonJun 12, 2026
The future of email is… the present of email!
reaperducerJun 12, 2026
Best news I've heard all day.
netuleJun 12, 2026
Unless you’re a Gmail user.
jms703Jun 12, 2026
Agree. I was waiting for the other foot to drop and then..."email's not going away."

Genuinely curious. Why is it posted and being upvoted here?

dieselgateJun 12, 2026
With the recent articles about Proton supporting French right-wing candidates (from what I recall) individuals were mentioning how great Fastmail is as an alternative. That's my best guess at least
calvinmorrisonJun 12, 2026
What does this even possibly mean? Fastmail has employees in the US, Europe and Australia. As far as I can tell with a warrant the government of any of these is likely to get a response from fastmail, just like if the government had a warrant to search my storage unit or review my bank statements. I don't understand the point you make. either there is rule of law or there isn't.
SemaphorJun 12, 2026
My guess: A lot of fastmail fans here. And people often upvote stuff from companies they like.

FM often(ish) posts blog posts that are very low key, sometimes they make it on HN, sometimes they don't.

advisedwangJun 12, 2026
Because it's just inbound marketing. Write some random vaguely interesting blog article, post it everywhere, then watch as thousands of people see your brand name for the first time, connect it with being helpful. Maybe even see a search engine boost for your product.
carlosjobimJun 12, 2026
Everybody who has a Fastmail e-mail in their profile here on HN has received several targeted phishing mails with senders who are registered with @fastmail accounts that sound official. And Fastmail doesn't seem to do much about it.

It's absolutely the worst part of using Fastmail, that they don't clean up in their own house.

br0cephJun 12, 2026
pgp exists, sheesh
daft_pinkJun 12, 2026
A little bit off topic but we need dmarc to prevent phone spoofing. STIR/SHAKEN should adopt the DMARC model from email. The legitimate holder of a phone number should be able to publish a policy declaring that any call claiming to originate from their number without A-level attestation must be blocked by the terminating carrier. Just as domain owners can instruct mail servers to reject unauthenticated email sent in their name, number holders should be able to instruct carriers to reject unauthenticated calls spoofing their numbers.

In my experience since phone scammers tend to scam a small subset of numbers like dell, facebook, Microsoft, the Internal Revenue Service, copying this could allow big companies to block a huge number of phishing calls requiring their numbers. Since many calls originate from authenticating carriers now we need to go to the next level and block fake calls.

br0cephJun 12, 2026
seems like pgp would solve a lot of the issues around auth and confidentiality i think email is fine the way it is
marysol5Jun 12, 2026
E-Mail should have died in the early 2000's. It's an absolute shit communication system and isn't fit for purpose, and wasn't even then....
br0cephJun 12, 2026
seems like pgp inside emails would solve a lot of the issues around auth and confidentiality i think email is fine the way it is i dont need any more solutions that make it harder to host your own servers email is meant to be self hosted. i feel like commercial email services have their usecases but we should avoid having service providers playing with standards, as their motives might be self serving. we should keep decentralized internet tech as decentralized as possible, with a caution against blocking random senders, as this leads to monopolies blocking their competition and demanding compliance to their agendas.
inigyouJun 12, 2026
How would you get someone's key?
jfbJun 12, 2026
Postage. Postage. Postage.
NewCzechJun 12, 2026
In 1993, a friend of mine was working at Apple. I wanted to send him a funny message with a spoofed sender. I just typed "telnet apple.com 25" and then typed in the required commands. Apple.com accepted it and delivered it to my friend with a fake sender.

Those were the days, lol!

monitronJun 12, 2026
My friends and I used to do this all the time in that same time period. It was all fun and games until one day I caught one of them spoofing a message from me to president@whitehouse.gov making vague threats. He seemed to think I overreacted when I dove under the desk and unplugged the machine.
vkakuJun 12, 2026
Counter Point: Until people can migrate their inboxes and steer them to any provider, none of this authentication business seems to hold up actual value at scale.

If anyone can port their phone number, they should be in theory, allowed to port their email addresses as well.

None of the authentication systems here are helpful enough to allow this. You need a valid way to authenticate people irrespective of whatever provider they are on (not their email domain name)

That means that a standard needs to evolve that allows you sign on the behalf of the hosting provider itself.

kaishiroJun 12, 2026
As a Fastmail user for both personal use, as well as for my business, the best thing I can say about them is that I haven't thought about them in...a decade?

We built a Discord integration so that new emails to our support address would ping us in a Discord channel using the JMAP API. It's only failed to work once that I can recall - and that ultimately ended up being on Discord - not Fastmail.

Just rock solid service all around with no bullshit.

wakamoleguyJun 12, 2026
> A person reading a suspicious email might notice that the sender’s domain has an extra character, or that something about the request feels off. An AI assistant scanning your inbox for items that need action may not slow down to check those things.

I don't quite buy this in either direction (although they are both couched as possibilities, which makes it a pretty safe statement). Humans might notice, but years of annual mandated phishing trainings have led me to believe that humans as a whole are generally not great at noticing.

AI agents OTOH mostly do as they are prompted. If the human prompting them tells them to check these things, they will likely check much more consistently than any human. If the prompt doesn't say to check, the agent won't. But that again falls back to what the human might or might not think about.

ruslanJun 12, 2026
> The second is AI assistance: tools that summarize your inbox, surface action items, draft replies, and in some cases take actions on your behalf.

That is the most evil part. Finally we will have bots talking to bots, no human in the loop.

All email problems can be solved with GPG, but that ruins Fastmail and other email services' business, as they won't be able to read and analyze their users' emails. No ads, no selling user profiles to ad companies, not even teaching AI on user data. This is the kind of future of email I would like to see. Sadly, no one uses GPG and it's quite hard to teach people to do it.

BatteryMountainJun 12, 2026
Preach. Exactly.

We will eventually be forced down this path though, be patient! Upfront key exchange in-person will be the only way left to prove comms are real. GPG is just one path but someone will come along and make it easy on an organizational level.

IncandescentGasJun 12, 2026
Fastmail reads or analyzes users' email to sell ads? Fastmail trains AI models on their users' email messages?

Metadata is more valuable than message content for analysis. GPG solves that how?

rifficJun 12, 2026
> Email is not going anywhere

time and time again it's worth stressing how the Lindy effect directly applies here to email or other layers of the protocol stack.

https://en.wikipedia.org/wiki/Lindy_effect

m463Jun 12, 2026
respectfully the title is clickbait, so maybe a more objective one would be better?

> Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize.

https://news.ycombinator.com/newsguidelines.html

havalocJun 12, 2026
I really like Fastmail, but I wish they offered a lightweight AI feature. Their filtering system is unmatched, yet I’d love a basic, privacy-focused AI filter powered by a small, private model they run.

For example, I could set rules like “if an email looks like a promotion, move it to the promotions folder.” I could roll my own MCP server sure, but that’s not the direction I want to go.

BatteryMountainJun 12, 2026
We will end up with a situation where all interactions with computers (remote systems), including email, will need an initial step to pair/exchange keys, much like ssh. So when the bank wants to send me email, they can only do so if they have my public key. We should try to make this as frictionless as possible. Or, we generate semi-random email addresses that are short-lived, so that each company I interact with gets their own unguessable email address.

Either way, we are getting to a point where offline-2FA will be mandatory for all auth systems and when interacting with another party, it will need something like the above to be sure you are dealing with the correct company.
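
The per-company, short-lived address idea in the comment above can be done statelessly with a keyed MAC. This is an added sketch, not part of the comment and not any provider's scheme; the address layout, `SECRET`, `DOMAIN`, and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from datetime import date, datetime

SECRET = b"constructed-demo-key"  # constructed; a real key lives outside source
DOMAIN = "example.org"            # assumed mailbox domain
TAG_LEN = 10                      # base32 characters kept from the MAC (50 bits)


def _tag(company: str, expires: str) -> str:
    """MAC over company and expiry, so neither can be altered or guessed."""
    mac = hmac.new(SECRET, f"{company}|{expires}".encode(), hashlib.sha256)
    return base64.b32encode(mac.digest()).decode().lower()[:TAG_LEN]


def make_alias(company: str, expires: date) -> str:
    """Mint the address handed to one company, valid through `expires`."""
    company = company.lower()
    if not (company.isascii() and company.isalnum()):
        raise ValueError("company label must be ASCII letters/digits")
    exp = expires.strftime("%Y%m%d")
    return f"{company}.{exp}.{_tag(company, exp)}@{DOMAIN}"


def check_alias(address: str, today: date):
    """Return (True, company) or (False, reason) for an incoming recipient."""
    local, _, domain = address.lower().partition("@")
    parts = local.split(".")
    if domain != DOMAIN or len(parts) != 3:
        return False, "malformed"
    company, exp, tag = parts
    # Verify the MAC first, in constant time, before trusting any field.
    if not hmac.compare_digest(tag.encode(), _tag(company, exp).encode()):
        return False, "bad tag"
    try:
        expiry = datetime.strptime(exp, "%Y%m%d").date()
    except ValueError:
        return False, "malformed"
    if today > expiry:
        return False, "expired"
    return True, company
```

Because the company label is bound into the tag, mail arriving at an alias also shows which party the address was originally given to.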

reader9274Jun 12, 2026
We need email end to end encryption. Good to see Google getting into that world, we need Apple and others to join too.
mthomsJun 12, 2026
I used to love Fastmail, but their spam/phishing filtering (and customer service) have been really poor lately. I don't know if AI is helping or hurting them. My anecdotal experience suggests the latter.

As one example, I'm now regularly getting phishing email from "The IRS" that always comes from some random account that has been taken over. The latest one was literally from a hotmail account (and my address is dot ca so I'm clearly not subject to the US government). If they can't detect this kind of half-arsed phishing attempt, then things are pretty bleak.

Their customer service was pretty bad when I tried to discuss it. The rep didn't even acknowledge what I wrote. I won't be renewing unless they get this sorted.