Readit News logoReadit News
Posted by u/warent 4 years ago
Ask HN: Why can't I host my own email?
I can host my own Mastodon server, or all kinds of other novelty / fun things which don't seem easily decentralized.

Email feels like one of the most decentralized internet concepts, and ironically it's seemingly the one thing I can't self-host unless, from what I've heard, I enjoy being permanently marked as spam / blacklisted. What's going on? How do we fix this?

zcdziura · 4 years ago
The problem is that spam was/is so bad that extreme measures were taken to curb it. There are all kinds of invisible forces that you abutt that can be difficult to figure out, such as IP blacklists and the like. And even if you set everything up properly and host your email with a responsible host, Microsoft will still mark your mail as spam.

I host my own email server with Vultr on an OpenBSD VM using OpenSMTPD and Dovecot, relaying all outbound mail through SMTP2Go (their free tier more than meets my needs). I have all of the necessary DNS entries set to mark my mail as legit, and I sign all outgoing mail using strong 2048-bit RSA keys. Thus far, I'm able to send mail and not have it marked as spam (at least to everyone that I've corresponded with thus far). It was a lot of work to get to that point, but not terrible.

post-it · 4 years ago
Prediction: Any distributed social media (like Mastodon) that gains mainstream popularity will share the same fate. Sure, you'll be able to host your own Mastodon instance, but 99% of people will be on the top 10 hosts and they won't peer with you.

I think the only way to make distributed social media practical is to have an extremely inexpensive turnkey self-hosting solution for the average person. A Chromecast-like device that they plug into their TV that backs up all their photos, plays music, and also hosts a Mastodon instance. Some kind of very friendly backup solution where you make an "emergency contacts" list, and the device encrypts all of your data and stores it on your emergency contacts' devices as a backup, and vice-versa.

seanp2k2 · 4 years ago
cough XMPP federation cough

Not only did Facebook and GChat refuse to peer with little players, they refused to peer among the big players too. We could have had something like IRC for the masses, peered chat servers with bring-your-own-client. Instead, we waited decades for iMessage to get Android support which only happened long after everyone moved on to IG, Messenger, WeChat, etc.

Email is probably one of the last great open[ish] distributed systems we’ll ever see. There are just too many incentives to build walled gardens instead.

rglullis · 4 years ago
The problem with email is that identity and authentication are an afterthought. Don't forget that (in theory) it is possible to get any email server to relay a message for you. Newer protocols do not have these kind of problems.
mypalmike · 4 years ago
On Mastodon, I believe it's currently somewhat backwards from this. The largest instances are filled with Japanese anime porn, and the smaller instances end up blacklisting them.
giords · 4 years ago
I was reading these tweets today confirming that this is already happening in Mastodon: https://twitter.com/Gravecat/status/1518598015396818944
jonathankoren · 4 years ago
Even a magic dongle isn’t going to work. People don’t want to buy things, let alone sysadmin their own television.

I’d love a world where data was truly distributed and federated, but unfortunately, the barrier of entry is too high. Because of this people will start hosting nodes for people. Which isn’t necessarily a bad thing, but network effects will take over, and we’ll be back where we started.

Look at git. It’s distributed in all the right ways, but almost everyone uses github.

The web is decentralized, but the same few websites dominate to the point that people — even people on this very site — think that you can’t post a video except to YouTube.

pbreit · 4 years ago
Disagree. If the authentication mechanism are available from the get-go, it could work.
GekkePrutser · 4 years ago
I noticed a lot of German sites don't peer with anyone who has the exact same rules (as in almost literally the same) as them. I was surprised to see such kind of box-thinking in a protocol that's been designed to be as open as possible.
ptman · 4 years ago
I hope matrix can avoid this fate. The federation can of course be limited, but currently it seems like most users are federated. And they have plans to combat spam etc. https://element.io/blog/moderation-needs-a-radical-change/
abecedarius · 4 years ago
> Any distributed social media that gains mainstream popularity will share the same fate.

The experience behind this predated peer-to-peer electronic cash and related developments. You may be right, and it may still be too soon. But problems can be solved.

dotnet00 · 4 years ago
One idea I've had is what if the protocol were designed in a way that a server can't be scaled too much, thus forcing lots of small servers to federate instead of having single entities running a large server with tens of thousands of users.
shadowgovt · 4 years ago
Arguably, your prediction is even a feature, not a bug.

The right to peer implies the right to not peer.

account42 · 4 years ago
> I think the only way to make distributed social media practical

The only technical way maybe. You could always legislate that large enough networks MUST peer.

poisonborz · 4 years ago
Just because at one time the majority of users are federated, a market/threat force can enter any time that would drive users to centralised solutions.
TZubiri · 4 years ago
If it's so easy to self host, surely attackers will host thousand of those instances and spam you.

PoW has been the best solution so far.

werber · 4 years ago
I am hardware stupid, but I have thought about this exact solution for so long. I hope someone figures this problem out!
random314 · 4 years ago
General observation: no matter how distributed you make a system or protocol, it eventually becomes centralized.
wpietri · 4 years ago
Yup. Spam is the root problem. With an enormous amount of complexity between that and the mail admin's day to day experience.

I hosted my own mail for more than 20 years. A couple years back I just got tired of trying to solve deliverability puzzles, plus the fears that deliverability issues generate. (E.g., "Did that potential employer get my email about the job?") Especially since some of the puzzles are not solvable, like why GMail does what it does. I even had friends at Google, and I still couldn't find out why GMail occasionally didn't like my server. And arguably, that's the right choice for them, as the more spammers know about how they work, the worse it is for Google staff and GMail users.

For me, switching to Fastmail hosting was a big win. It's not like I'm out of technical challenges to solve, but I get to apply that to things where the upside is greater than, "The thing everybody expects to work still works."

clairity · 4 years ago
the spam problem advantages google, as your own story illustrates, so it's unlikely they'd really want to help solve deliverability/spam issues systemicly. making personal email hosting more difficult means they have a chance to capture your email data streams via gmail. whether you switch there or not, it creates a pressure for most to aggregate on gmail, which means they can see most email exchanges.
azinman2 · 4 years ago
My issue with fast mail et all is storage is so unnecessarily expensive. I have many gigs of email that I don’t want to lose, but I also don’t want to pay many tens of dollars/month to host it.
tzs · 4 years ago
> And even if you set everything up properly and host your email with a responsible host, Microsoft will still mark your mail as spam.

I did some experiments back when I ran my own mail. Sending from my mail server to my Microsoft account it not only marked everything as spam, it continued marking everything as spam after I marked a bunch of them as not spam.

After that, I tried also answering several of them and composing several new mails to send to my non-Microsoft email to see if Microsoft's spam system was smart enough to figure out that if I'm actively corresponding with someone their incoming mail should not be marked as spam. It was not smart enough.

Then I tried whitelisting. Nope, still spam.

tonmoy · 4 years ago
Microsoft had marked an email from a professor from an vt.edu domain email address as spam causing me to miss an interview for a PhD funding.
codegeek · 4 years ago
Microsoft is especially notorious for flagging legit emails as spam if they are not from one of the regular providers.
2OEH8eoCRo0 · 4 years ago
Honest question- why can't people sue for this?
Fomite · 4 years ago
Former VT employee: It's not just Microsoft. Virginia Tech has a problem with their stuff getting flagged as spam.
jjav · 4 years ago
Yes to the OP, you most definitely can host your own email fully.

Many of us do it. If you have any interest in the topic, either due to the fun of managing the servers and learning something along the way or due to the moral high ground of supporting decentralization above proprietary walled gardens, do it!

Ignore the naysayers, if you're interested you can do it.

Will some emails very occasionally end up in the spam folder of a recipient? I mean, yes, but that is true of everything. You can end up in spam folder sending from Microsoft Office mail to gmail or vice versa. Heck, every now and then an email from my manager will end up in my spam folder in gmail even though he's emailing me from gmail to gmail, both of us in the same corporate gsuite account! So on average, once you set everything up correctly, your deliverability will be as good as gmail to gmail, which is to say not 100% perfect but no worse than any other solution. And you'll be in control of your email infrastructure and address. No longer will google/microsoft/apple/yahoo be able to cut you off all your accounts on the whim an AI gone bad.

The parent post mentions a useful safety valve to know about if you're worried about deliverability and want to take baby steps to get there. You can always, either selectively or wholesale, use a commercial relay for outbound mail from your email server. Some have free tiers that are plenty for personal/family use.

Personally I don't use any third party relay, I deliver to everywhere from my own infrastructure. No issues.

leephillips · 4 years ago
Me too, and this is my experience as well. In the rare event that I find out that someone isn’t getting my emails, I tell them that they should complain to their provider or use a different one. I’m no longer willing to jump through hoops so that hotmail delivers my email.
plainnoodles · 4 years ago
> There are all kinds of invisible forces that you abutt that can be difficult to figure out

This was my main experience, and all I did was try to set up the ability to simply send emails to myself (gmail) (and no-one else). Things like: this script crashed, or btrfs scrub finished + scrub results, and similar.

The first thing I tried was just setting up a VM with postfix running on it locally with my residential ISP. I don't even remember what the error was for this scenario, but it was just totally dead in the water. Absolutely zero mail delivery. I think I eventually figured out it's because google defers to spamhaus, and spamhaus says residential IPs = hard no.

That next thing I tried, and what I ended up doing, was writing a docker container that just runs an SSH port forward to jump from my local network to a digitalocean host, which is where another docker container runs postfix. I had done this bit once before, and I tried to just set up DKIM (since DKIM was, to my reading, basically bulletproof - why bother with SPF when you have real cryptographic identity assurance?). This led to weird error messages from google about my IP having a super low reputation. This was something I'd been worried about so I spent a bit of time trying to cycle my IP. But I eventually figured out it was just a bad error message and setting up SPF suddenly made my emails start delivering.

My main ongoing issue is that I had to add all my sending addresses (things my internalhostnamehere@myrealdomain.com) to my contacts in gmail, otherwise there was like a 50% chance they'd just go to spam. I've been running this setup for about a year and it's still a coin toss whether emails will come through fine, or if they'll say "this would've gone to spam but it's in your contacts". When that happens, I check the DKIM and SPF status in "original message" in gmail, and gmail itself says they both passed.

Absurd tbh.

For my "not self-hosted but better than letting google own my digital identity" solution, since I use apple icloud+ or whatever it's called, I set up the SPF stuff to let me send+receive email from my custom domain, so while icloud could still scan my mail, at least if I get banned, I still own the actual domain and could move somewhere else.

miohtama · 4 years ago
Even if one setups everything by the book (SPF, DKIM, DNS.) etc. No one at @outlook.com will receive email, based on my experience. Thus, it does not work well if email is important for business-to-business use.

Outlook and Gmail are basically having opaque rules who can receive email and there is no process to get “whitelisted” on these receivers.

exikyut · 4 years ago
One potential 1%-of-the-complexity answer to the problem of personal notification (which I presume was what email-to-self was solving) is to set up a Telegram bot. I recently really wanted realtime notifications on my phone (package tracking) and realized that all the top-level "send notifications to phone" type services are either mass push notification shops ($$$$) or bundled offerings ($$$) that were entirely overkill for my purposes.

There are two ways to run a bot on Telegram, either by running the bot client directly (meh, interesting but extra setup) or by using Telegram's bot hosting system that works over HTTPS. It's the second approach that takes 3 minutes (!) to get to an MVP state for notifications.

- You walk through a flow with a specific account (@Botfather) on Telegram to create a new bot account, which gives you an API key

- Find the new bot using the search function then open a conversation with it and (after sending /start) send a junk message

- Call `curl "https://api.telegram.org/bot$APIKEY/getUpdates"` and fish out the "chat"->"id" value from the JSON representation of the message you just sent to obtain your user ID

- Call something like `curl "https://api.telegram.org/bot$APIKEY/sendMessage" -X POST -H 'Content-Type: application/json' -d '{"chat_id":"1234567890","text":"boop"}'` (set chat_id to your account id) to send a new message - yup, it's literally this simple to send messages

- Go into Telegram's settings and add the bot as a notification exception (assuming you have notifications universally turned off by default)

- If you also set the full-screen popup to "when off" Telegram will (even when your device is locked) show an instant notification containing the sent text

- Because this is a conversation, the message history will be preserved unless you explicitly delete the messages (which you can do on a per-message basis)

- The Telegram bot API supports both polling and push-based I/O, where you can periodically poll /getUpdates or have Telegram call a webhook you configure. IMHO the way easier approach is just running the bot client locally at that point, *but*, for just sending out one-way notifications where replies don't matter, the default polling setting (no webhooks) is ideal as the bot server will delete un-acknowledged messages after IIRC 24 hours or so - so you don't have to worry about queue quotas or whatever, you can just ignore the whole receive side and it just works

Obviously the caveat is that this is 1% of the complexity and equally 1% of the... provenance, for want of a better way to put it. But in terms of "I need realtime notifications now" I am yet to find a better system. It worked perfectly.

leros · 4 years ago
This is the answer. Blocked emails happen for random reasons and fixing them is a black art that involves talking to ISPs and stuff. It's really too much for an average person to handle.

At work we've had issues with email delivery due to things like outdated IP block lists at some random ISP four hops away, only impacting deliverability when mail gets routed through that part of the web.

paulmd · 4 years ago
I have an email address with "spam" in the name (this is through gmail) and lately I've had all kinds of problems with emails to it disappearing - I've had to call several places and have them change my email because I can't log in and the reset emails don't ever show up... but changing to myfirst.mylast works fine.

I've run into this with both Sam's Club and Speedway Rewards.

Only thing I can think of is that some outbound mail service they're using is dropping them, or some relay in the middle is dropping them... I can see where the word "spam" would be a keyword you might use, but I've had this email address for 15 years now and it's only been a problem in the last few years.

aaron_m04 · 4 years ago
I have this part:

> I host my own email server with Vultr on an OpenBSD VM using OpenSMTPD and Dovecot

But with outgoing mail being relayed internally to dkimproxy which signs it before being relayed back to OpenSMTPD for delivery to the other email server.

I had to set up SPF and DKIM DNS records, and one time I had to request that my IP be removed from the Abusix blacklist. Other than that, it's pretty rare for my emails to be marked as spam. Outlook 365 seems to do it much more often than Gmail though.

zcdziura · 4 years ago
That's very interesting. I never thought to relay mail internally to dkimproxy. I'll have to give that a shot. I like the idea of hosting the entire solution myself and not relying on any 3rd party solutions, but relaying through SMTP2Go was the only thing that I tried that actually solved the problem. Perhaps this will offer a good solution! Thanks!
rhizome31 · 4 years ago
> relaying all outbound mail through SMTP2Go

So it's not an entirely self-hosted solution, is it?

Veen · 4 years ago
No, but it's quite difficult to have email reliably and consistently delivered to Gmail and other major email providers without sending it via a relay. The relay provider is in the business of maintaining IP addresses with good reputations that aren't blocked by spam lists etc. If you can find and keep a reputable IP address, then you're fine, but it's usually easier to pay someone who does that for a living—you have no guarantee that the IP address assigned to you by Digital Ocean or whoever wasn't used for spamming at some point.
throw10920 · 4 years ago
> The problem is that spam was/is so bad that extreme measures were taken to curb it.

Man, and there's such an easy solution, too - just use Hashcash[1] (invented in 1997) and 90%+ of spam disappears overnight (if not more, depending on how high you set the difficulty).

Well, ok, "easy" in the sense that We Have An Algorithm For This - it'd still be hard to get email clients/servers to agree on a protocol...

[1] https://en.wikipedia.org/wiki/Hashcash

dTal · 4 years ago
Ah yes, time to break out this old classic: https://craphound.com/spamsolutions.txt

  ( ) Requires immediate total cooperation from everybody at once
  ( ) Unpopularity of weird new taxes
  ( ) Public reluctance to accept weird new forms of money
  ( ) Huge existing software investment in SMTP
  ( ) Sending email should be free

throw0101a · 4 years ago
If there's a compromised machine it will be the victims paying the cost in energy bills for spammer's nefariously installed malware to send garbage.
derefr · 4 years ago
Is there such a service that will tell me the reputation of an email domain, i.e. whether mail originating at that domain would be likely to be treated as definitely spam or not? (I don't really care about "no reputation"; I want to know if a domain has known bad reputation.)

I feel like, if there was such a service, it would be pretty useful to use it to prevent account registrations on other services, from users whose email addresses have domains with bad reputations. After all, they'd very likely just be registering with the intent of using the service to send or post spam in some way.

TZubiri · 4 years ago
multirbl.valli.org

Contains blacklists on the domain level, also on the ip block and AS level.

inetknght · 4 years ago
> The problem is that spam was/is so bad that extreme measures were taken to curb it.

The problem with spam is that there's no real legal recourse for spam. If it's in your own country then maybe. But outside of your country? Well the easiest thing to do is to IP block and the next best thing to do (when IP block isn't an option) is to use some sort of "smart detection" to put spam into a special box labeled "spam". There's no deterrence and literally no criminal prosecution for spam.

patrck · 4 years ago
Also, one should subscribe to the mailop mailing list, which serves as a Distant Early Warning line for email deliverability issues (ie. like NANOG for netops issues).

https://www.mailop.org/best-practices/

tinroofrusted · 4 years ago
zddziura, I want to say a big thank you, thank you, thank you for pointing me to SMTP2Go. I have been trying to get my DMARC and DKIM email woes solved for months, but couldn't get it figured out. When I read your post I signed up with SMTP2Go at the free tier and I had a 100% Mailgenius score in less than an hour after I set it up. So awesome! No more big yellow warning boxes in Gmail when receiving mail from my own domain! Yea!!!
raxxorraxor · 4 years ago
Spam got significantly worse but this is also an chance to curb the federalization of mail by large companies. Of course they would like you to use a Microsoft or Google account to send mail.
elorant · 4 years ago
Any chance you'll provide a detailed write-up of your experience with tips and whatnot?

Deleted Comment

jhugo · 4 years ago
I've been self-hosting email for about 20 years, from a dedicated server in Europe. The server hardware has been replaced a couple of times but kept its IP.

If you set everything up right, and choose the host for your mail server carefully, and never change IP, after a fairly short time you won't have much problem with being marked as spam. No more so than with any other email host.

As is so often the case, the people that say you should never do it probably have little relevant experience, they are just repeating something they heard.

baobabKoodaa · 4 years ago
> If you set everything up right, and choose the host for your mail server carefully, and never change IP, after a fairly short time you won't have much problem with being marked as spam. No more so than with any other email host.

This is untrue. If you are the only person using your email server, your volume will be so low that the big providers (Gmail, Outlook, etc.) won't track your reputation. So, ironically, being a low-volume sender means your email will be constantly classified as spam.

I speak from experience: https://www.attejuvonen.fi/dont-send-email-from-your-own-ser...

jhugo · 4 years ago
"This is untrue" and yet I and others in this thread have been doing this for a long time without encountering the issue that you so confidently claim exists.

My email server is used by two people. Reputation is tracked by all the big providers, as evidenced by a) my email not being classified as spam, and b) them showing reputation of my domains in their various reputation dashboards.

"Those who say it cannot be done should not interrupt those that are doing it."

jjav · 4 years ago
> being a low-volume sender means your email will be constantly classified as spam

"will" is a strong word. I've read that very low volume sending server can sometimes have issues, but never experienced it. My outgoing volume is about as low as it gets since it's just me and some family that don't use it much, but don't experience any problems.

warble · 4 years ago
I have a low volume mail server and don't have any problem with this.
Noughmad · 4 years ago
> As is so often the case, the people that say you should never do it probably have little relevant experience, they are just repeating something they heard.

More likely, they're saying that 99% of people don't know how to self-host, and for 99% of the rest it's not worth the trouble. Also, if you have to ask, then you shouldn't self-host it.

tinsmith · 4 years ago
"If you have to ask, you shouldn't be doing it," said the tired old King of Gatekeeping.

For a second, I thought I was on Stackoverflow. If you aren't starting by asking questions about the possibilities or limitations of a system you're about to work in, then you aren't starting properly.

kijin · 4 years ago
People who have been hosting their own email for decades like GP probably built up a solid reputation for their domain and IP before spam filtering became such a kafkaesque business and IPv4 blocks became so fragmented.

If you start self-hosting now, you should be prepared to lose quite a few emails randomly for the first X months while everyone else tries to figure out whether you're legit or not. Though I would encourage anyone who can to try to self-host at least some part of their email infrastructure, even if just for the learning experience, I would also recommend that they avoid using self-hosted email for anything business-critical until they're sure they've got the hang of it.

jjav · 4 years ago
> More likely, they're saying that 99% of people don't know how to self-host, and for 99% of the rest it's not worth the trouble.

Certainly way more than 99% of the general population wouldn't know how to self host, but within a techie population like HN, easily ~50% can be capable of doing it if they wanted to. Whether it's worth the effort is a personal decision, but there's a lot of value in owning your own email so I recommend it to anyone who's curious about it and willing to do it.

> Also, if you have to ask, then you shouldn't self-host it.

We should be encouraging curiousity (a HN value) not stomping on it.

If anyone asks, I say go for it. Worst case you'll learn new things, best case now you own your email.

sosborn · 4 years ago
I would amend this to say, "If you have to ask, then you shouldn't self-host it for anything mission critical."

Otherwise, how would anyone learn anything?

andrewaylett · 4 years ago
I'm in a similar boat, but have a slightly different conclusion: if you started 20 years ago, you'll have a much easier time today than if you started six months ago.

I think it's also fair to say that personal mail for a small domain is much easier than even a small amount of transactional email and don't even try sending newsletters beyond your friend group.

I have run mail off three different IPs over the ~20 years I've been hosting, switching IP address didn't affect me all that much.

Another thing to note is that receiving mail is really easy. Sending it is hard, filtering out the spam (and only the spam) from your inbound email is harder.

jhugo · 4 years ago
Spam has become much easier to avoid on inbound mail at some point. I turned off all Bayesian/heuristic based spam filtering around 2015 and now just check SPF and DKIM, and have a fake first MX record. No "Junk" folder, everything that passes the checks goes to the inbox. I get maybe one spam mail every week or so, which I just delete.
jjav · 4 years ago
Yes, receiving is very easy. Just doing that has a lot of value because now can't be arbitrarily cut off from your internet identity by gmail/et.al. for no reason.

So a easy way to get started is to receive everything directly and use a commercial (often with low-volume free tier service) relay for outbound until you get comfortable enough to remove the training wheels. (Or never remove them, that's a legit choice as well.)

> filtering out the spam (and only the spam) from your inbound email is harder.

I don't find that at all. Filtering spam is the easiest part. All I do is if SPF doesn't match, goes to spam folder. Beyond that, apply a bayesian filter.

I get no false positives and the spam that gets through to my inbox can be counted on one hand per quarter. Basically none.

That's yet another benefit of self hosting, since my bayesian filter is trained on my personal email specifically, it tends to become very good. Unlike generic gmail filters for example, where there'll always be some mail that ends up in spam no matter how many hundreds of times you mark it not-spam.

GoblinSlayer · 4 years ago
Use aliases?
_moof · 4 years ago
Yup, came here to say pretty much that. I've been self-hosting email for decades, first from a box on my home network (back when that was possible) and later from a VPS. It's not nearly as hard as folks make it out to be.

At the very least, getting your server marked as spam/blacklisted is not inevitable. Just make sure you aren't an open relay and that you've got properly configured SPF and DKIM records in your DNS. Once that's set up you can pretty much forget about it. I haven't had to touch any of my configs in years.

Initial setup takes maybe a day or two if you know your way around Linux or one of the BSDs.

porbelm · 4 years ago
I agree, I've been hosting my own email for a few years now, using Mailcow on a Linode. With SPF and DKIM properly set up, mail is /usually/ accepted by the receiving end.

The only nag is that Microsoft is EXTREMELY strict for their hosted email. It's the only provider that consistently denies recieving mail from my server when the IP range it's on becomes greylisted in UCE-PROTECT -- which happens every so often...

Easily solved with getting the MX and backup MX IP's whitelisted there, but I haven't bothered cashing out for that yet...

jhugo · 4 years ago
> when the IP range it's on becomes greylisted in UCE-PROTECT -- which happens every so often

This is a common complaint with Linode specifically, but probably fairly common with low-cost virtual server providers in general. It's worth looking into the history of your IP before you start using it to host mail, and if it's feasible, shelling out for a dedicated server (ideally from a provider that doesn't also offer virtual servers, or has enough network separation between them) makes it much less likely that your neighbour is a spammer. Mine's never been on UCE-PROTECT.

pera · 4 years ago
It also depends on the reputation of your neighbours / AS... try to setup an e-mail server with a cheap VPS in DigitalOcean|OVH|Hetzner and even if you kept using the same IP address for 10 years I don't think you will be able to relay to gmail
flo123456 · 4 years ago
I‘ve been doing exactly that for roughly 10 years and never had a problem with Gmail. You just have to set everything up to latest best practices (DKIM etc.). I‘ve even changed IP addresses a couple of times.
cpach · 4 years ago
I have a friend who is self-hosting on Linode. All mails from her reach my inbox (Gmail).
nemothekid · 4 years ago
You started self hosting before Gmail was a thing. It’s completely likely that Google has had you whitelisted since the inception of gmail when they were far more open. The “reputable IP” is the hardest part of delivering mail reliably; and your post says the equivalent of “just have your dad gift you a reputable IP from the 90s”
_moof · 4 years ago
I've also been hosting since before Gmail was a thing but have since set up new servers with new domains in disreputable subnets, and I haven't had any deliverability issues. If you configure things right (SPF, DKIM) you won't have problems.

This idea that self-hosted email is impossible is wildly overblown.

jhugo · 4 years ago
I'd be very surprised if I was on some kind of static whitelist from the early days of Gmail. Such a list, if it exists, would likely be reserved for much higher-volume sending IPs.

I've helped others set up self hosting much more recently, and haven't had any reputation problems beyond the early period where the IP has no history. (It is important to find an IP that doesn't have recent bad reputation, but that is fairly easy to do. Unless your host is in the business of hosting spammers most IPs will be clean.)

The reality is honestly just that self-hosting mail is not as hard as all the people who don't do it say it is.

warble · 4 years ago
I've setup 2 mail servers in the past 3 years and can reliably deliver to Gmail and Hotmail.. AT&T can be a chore I've found, they have been mostly unresponsive, but very little of my targets host there.

The other option is to relay through Send in Blue, or Sendgrid or something like that.

nerdponx · 4 years ago
It's wild that something as pedestrian as hosting your own email comes with a pile of caveats comparable to those attached to browsing I2P or using cryptocurrency to buy stuff.
traceroute66 · 4 years ago
> It's wild that something as pedestrian as hosting your own email comes with a pile of caveats

No, it's not "wild".

Its just that we're in 2022, not 1997.

Long gone are the days of "fire up Sendmail and you're good to go".

To those thinking of self-hosting, I would say they should start by understanding modern anti-spam.

Understanding modern anti-spam will not only help them with their inbound email, but will also help them understand how to ensure deliverability of their outbound email too.

redox99 · 4 years ago
> If you set everything up right,

You don't even need to set everything right. Up until very recently (months), I was sending emails from a few of my servers, and I had NOTHING set right. As in, I was sending from IP addresses that were never mentioned on my DNS, no PTR no SPF no DKIM no nothing. Just good old "here's an email from this address, trust me I actually own that address and it's legit".

And it worked just fine.

Surely just a reputation thing, as I had been doing this for over a decade, and all emails were very important (password recovery, order details, etc), no newsletter or anything.

I recently replaced all that with zoho because I wanted something a bit more secure and didn't want to configure it myself.

Biganon · 4 years ago
Self hosting my emails, grade of 100/100 on mail-tester, I'm on none of the dozens of blacklists I've queried... and Microsoft marks every single one of my emails as spam.

Just because you're lucky doesn't mean other people are "unexperienced". I don't know what experience has to do with it tbh. Maybe if you have experience working for Microsoft and you can contact the right people there...

jhugo · 4 years ago
Have you contacted Sender Support at Microsoft? They're very responsive and if your mail activity is legit they'll certainly help you solve the issue. Also make sure you set up the SNDS dashboard so you can view your IP reputation: https://sendersupport.olc.protection.outlook.com/snds/index....

In my experience the difference in outcomes that people have with self-hosting mail are largely down to, from most important to least, (1) the nature of the mail they are sending, (2) their choice of hosting provider, and (3) the correctness of their mail server setup. It sounds like you've got (3) sorted, so maybe (1) or (2) are relevant here.

snitch182 · 4 years ago
I have been self hosting my private domains for a couple of years now and spam is not a problem with rspamd and it needs very little resources. Some large hosts just outright blocked me but i always get it unblocked with some assistance of my hoster. So, yes it is fine. I even set up webmail with rainloop. Better than anything once you got it set up right.
loup-vaillant · 4 years ago
I did the same for like 10 years, and got similar results…

…except when Hotmail decided my entire IP block was barred from sending emails to them. Happened several times, I always had to wait a few days for my emails to stop bouncing.

In my experience it mostly works, but it’s never reliable.

notacoward · 4 years ago
> probably have little relevant experience

Or maybe they have 10x the experience you do, but it was different experience for reasons beyond their control. Don't over-generalize from a sample of one. That's hubris.

jhugo · 4 years ago
That's what the word relevant means in relevant experience.
systemvoltage · 4 years ago
May be you've been grandfathered into a white list when things weren't so sophistcated 20 years ago?

Have you tried setting up a brand new email server with a fresh IP from say, Digital Ocean or AWS?

jhugo · 4 years ago
I've helped friends set up mail servers fairly often, and they've had the same experience. But I wouldn't recommend DO (especially) nor AWS for this.

I'd recommend a smaller, tech-savvy hosting provider that has been around for a long time, who has no tolerance of abuse on their network, who is easy to communicate with directly (no paying for 'Business Support' just to talk to a clueful person), and ideally who mostly rents dedicated servers / colo rather than cheap virtual servers.

rsync · 4 years ago
There's a lot to say here from both sides - people running their own mail infrastructure (like I have for almost 25 years) and big mail providers dealing with brutal, unrelenting spam.

But there is one piece of this that's ridiculous, broken and almost cruel: silently dropping messages marked as "spam" with no notification given back to the sender.

Why does this practice exist ? Who believes that this is decent or acceptable behavior ?

If gmail doesn't want my inbound message - for any reason - that is just fine.

If they drop it on the floor without telling me that is totally shitty.

denton-scratch · 4 years ago
Mailservers drop mail on the floor because they are doing spam-filtering AFTER accepting mail for final delivery. Once it's been accepted for final delivery, it can no longer be rejected.

The delivery server doesn't generate the bounce message you were expecting; that's generated by your own mailserver, on seeing a REJECT status code from the delivery server.

Mailservers do spam-filtering after accepting for final delivery because spam filtering can be processor-intensive. Sometimes it's farmed-out to an appliance or whatever. To have the SMTP process suspended while Spamassassin goes through it's contortions multiplies the consumption of server resources on the SMTP server.

The delivery server CAN'T (and shouldn't) send you the desired bounce message, because it doesn't really know who you are. It can't rely on the From: address, because you could be sending on behalf of someone else.

In my view (and the view of the RFCs), if a server says "200 OK Accepted for final delivery", then it MUST deliver the message.

There's an awful lot of the kind of server-side spam-filtering that does actually involve delivering: the kind that filters mail into the recipient's spam folder. That mail hasn't been dropped on the floor. It's been delivered, just not to the inbox.

rsync · 4 years ago
You've described how my mailserver should work.

I'm willing to stipulate that this is correct and would, in my case, be a difficult problem to solve.

But nobody is losing job offers or missing kids' schedules or breaking their summer plans because of my mailserver.

I am talking about gmail. I am talking about MS (whatever it is). I am talking about yahoo.com.

Their spam heuristics are, in many cases, laughably bad - they are demonstrably, clearly broken. If I email my wife twice daily for 15 years and then one of my responses to her emails gets put in the gmail spam folder ... what words to even use for that ?

They need to fix this. I don't care how sticky of a problem it is.

pas · 4 years ago
if gmail wanted to, they could provide some SMTP extension. eg. they could advertise that the sender server can send a callback url where gmail will post back the results

there's already some kind of feedback loop mechanism, but mostly available for large senders.

Deleted Comment

yellow_postit · 4 years ago
Responding gives the sender the ability to better explore the detection rule space and find a way to get through.

Exactly what a legitimate sender wants and what a provider would not want to give an adversary. Now the adversary has to also incur a cost to determine successful deliver vs open/engagement rates make it just that much harder.

lbriner · 4 years ago
I think it's a false economy. At best it is security by obscurity.

Google tell you why things are spam and often they even return quite detailed error emails when they don't accept stuff it doesn't benefit an attacker that much. Any decent attacker already knows that they should sign stuff and make identifiers align and can do so trivially easily.

People like Yahoo are the opposite and are completely opaque as if they are doing anything that clever. All they can realistically do is check originating IPs, message content, alignment etc. just like everyone else.

Since I can still a lot of very decent SPAM in my inbox, their lack of transparency clearly doesn't work so they might as well help legitimate senders to deliver stuff properly.

GoblinSlayer · 4 years ago
In case of gmail you can have an account there and see what goes through.
Someone · 4 years ago
I would think returned spam would have to be checked for being spam by servers receiving the returned messages.

If they don’t do that and decide whether checking is needed based on presence of some mail headers, or using heuristics on the subject line, spammers will start faking returned messages.

I think that makes it expensive to return spam. https://99firms.com/blog/spam-statistics/ says about half of all e-mail is spam, so returning that would increase e-mail traffic and spam checking by 50%.

GoblinSlayer · 4 years ago
A bounce message can be very small, specifying only three fields: To, From, Date to identify the rejected message. Compared to this spam messages would be much bigger, consisting of html, css, javascript, pdf attachmens, zipped executables etc. The message could be sent to a fixed address, like abuse@same.server; how to check messages on that address is a different story as it's not user messages, but technical messages.
bityard · 4 years ago
> If they drop it on the floor without telling me that is totally shitty.

No, it's the ONLY reasonable thing to do when something like 98% of all SMTP traffic on the Internet is spam.

If mail administrators bounce back an explanation for every "bad" message:

1) Their outbound mail volume would go through the roof.

2) The host sending all the bounces would look like a spammer to _other_ automated spam-classification systems.

3) In the unlikely event that a spammer actually reads bounches, they could use the feedback to tweak their systems to avoid the spam filters.

teddyh · 4 years ago
What a recieving mail server should do is reply immediately after the DATA command with “That mail is spam and I refuse to acknowledge recieving it”. This would be fair, as the sender would know that the mail was not passed on. What it should not do is to simply say “Yep, I got this mail now, I’m good!” and then later, silently look at the contents of the mail and decide that it’s spam and delete it.
jjav · 4 years ago
> If mail administrators bounce back an explanation for every "bad" message:

Nobody is talking (I don't thing anyone is) about sending back a bounce message, that would indeed make no sense.

A responsible email server should:

1) Reject the email during the SMTP conversation if it's going to do that. Then the sender knows it didn't go through because it got the error code. There's nothing to bounce back.

2) If it accepts the mail during SMTP conversation, then always deliver to the recipient.

2a) Some disagree, but I think it's totally fine to deliver it to the recipients spam folder if post-processing determines it might be spam. That's not wonderful, but it still got delivered and the recipient can go find it in the spam folder. Most people are used to looking there regularly anyway since many of the larger providers (coughgooglecough) have such terrible false positive rates. The important thing is to never lose email.

What's never ok is to accept the email during SMTP and then silently file it in /dev/null.

judge2020 · 4 years ago
Does this really happen? Because I imagine that, if Gmail really did drop some super-spammy incoming messages, it would includes quite a lot of my current spam folder[0]. Maybe they only drop spam when it’s an IP [range] ban at some firewall level?

0: https://cdn.discordapp.com/attachments/468851579487780905/96...

eminence32 · 4 years ago
I run my own mail personal mail server, and do my own spam filtering. Things that are likely spam get delivered into a spam folder for the occasional review, but things that are extremely likely get rejected entirely (with a "spam rejected" message).

I guess my feeling is: if I want to quarantine suspected spam without telling the sender, that's my prerogative -- why does the sender get any say in this?

rstupek · 4 years ago
I don't think he's saying you can't quarantine spam if you choose. What his complaint is, I send you an email, your mail server says it accepted it, the email is then just discarded entirely (not put in a spam folder).
yobbo · 4 years ago
I guess the volume of spam-reject messages would dwarf legitimate mail.
minimaul · 4 years ago
You can host your own email.

I have been hosting my own for at least 15 years now, and I don't have big issues - I can deliver email to MS, gmail, et al.

Pick a decent hosting provider (not the cheapest options around!), make sure you have matching reverse DNS, forward DNS and HELO name (exactly the same is best!) on both v4 and v6 (if you have v6), disable IPv6 privacy addressing for your mail server (again, if you have v6), make sure you set up SPF, DKIM and DMARC, and keep your server secured.

By following these rules, in 15 years I have had only had deliverability issues with AT&T and Deutsche Telekom - both of which were fairly easily resolved.

In terms of software, you can use one of the out-of-the-box email server packages, but I personally run postfix, dovecot and rspamd on a debian stable VM. Stick to the versions from the repos and you'll have very few problems upgrading it in future, too - my current mailserver VM started on Debian Squeeze or Lenny around 2010, and is currently on bullseye (the latest stable).

mattbee · 4 years ago
I've run the mailu.io stack for 4 years off a Hetzner dedicated server. It's an easy stack to set up and update through several major versions. About 25 different mail users, friends and family who aren't in IT.

The issues I've had have been Microsoft (hotmail/outlook/office365) dumping messages into their Spam folder, but that went away in the last year. I had put in a hack to deliver to Microsoft through a more "reputable" SMTP host, but only when people complained.

I'd say give it a go with a new email address, any software that seems manageable to you, and move your usage over gradually.

baobabKoodaa · 4 years ago
> Pick a decent hosting provider (not the cheapest options around!), make sure you have matching reverse DNS, forward DNS and HELO name (exactly the same is best!) on both v4 and v6 (if you have v6), disable IPv6 privacy addressing for your mail server (again, if you have v6), make sure you set up SPF, DKIM and DMARC, and keep your server secured. By following these rules, in 15 years I have had only had deliverability issues with AT&T and Deutsche Telekom - both of which were fairly easily resolved.

How did you measure your deliverability? If this is true, then congratz for succeeding, but it's still bad advice to give to other people, as most people will not succeed no matter how many hours they put into that.

minimaul · 4 years ago
By the fact I get answers to emails I send to others (eg people using gsuite, people using o365), and I don't get issues from the sites that I run that use the mail server for sending - it sends confirmation emails for a forum I run, for example. I know that gmail, o365, yahoo, aol, etc work, because people use those emails to sign up and manage to validate their accounts.

I don't agree that most people will not succeed, I know many other people personally who run their own mail servers. It's doable, and it's not nearly as bad as some like to make out.

I've run low volume mail servers and high volume mail servers sending (GDPR compliant!) marketing mail.

edit: where low volume = <1 outbound message a day.

Dave3of5 · 4 years ago
Basically the same setup as me other than I use ubuntu.
0xbadcafebee · 4 years ago
If literally anyone could find your Mastodon address and message you, you'd get spammed daily there too, and it'd be the same problem.

So you think, fine, whitelists! But you still need to be able to accept messages by new authors without knowing their From: address ahead of time. You'd have to comb through your spam folder past tens of thousands of messages from new authors to find the one new genuine sender. Rings of trust don't solve it either because either you get spammed by someone in a ring of trust, or messages end up in concentric rings of spam folders.

You can host your own mail. It's just very hard to do it correctly, easy to screw up, and there's basically no gain whatsoever by doing it yourself. Some problems are just difficult and cannot be easily solved by a single person. You can't be your own CA [and have anyone trust your connections]. You can't create your own TLD [and have everyone be able to resolve it]. You can't create your own ASN. You can't create your own IP address. There are some things in life you have little to no control over, even on the Internet.

GekkePrutser · 4 years ago
Microsoft in particular is a total pain in the ass to deal with.

I was hosting my own mail server, did not have open relays and I know 100% sure nobody on my server sent spam. It was fully configured with all the DMARC and SPF trimmings.

Yet one of my users needed to email users at live.com/outlook.com/hotmail.com and kept getting banned. Every time I was able to unblock it using an automated link.

One time it didn't work and I actually got through to someone. He was like "Yeah, your server doesn't send enough legitimate emails so it doesn't build up 'reputation'". This sounds ridiculous, not sending spam is not enough, you have to send a certain amount of legit mails to stay unblocked??

Anyway it kept happening so I eventually gave up :( It only happened with consumer MS-hosted emails addresses though. I had no issue reaching companies using M365 for business.

But email is just so incredibly broken... All the patches to kinda try and fix it are a mess. We need a whole new protocol.

pas · 4 years ago
nah, email is okay, the protocol is fairly extendible. storage and processing capacity is cheap for it, even naive spam filters are pretty good and quarantine can take care of the rest.

what's missing is simply the coordination to force the big ones to stop fucking over the small players.

but since paying for 100k mails/month is less than 1 hour of how much one engineer's hour costs a lot of companies just don't care. there's no real incentive to fix this :/

pwg · 4 years ago
You certainly /can/ self host. I've been self hosting my own email since circa 1999 on my home internet link. I've been through four different ISP's in the ensuing 22 years, but email still flows.

What often happens is that virtual hosting firms (Linode, Digital Ocean, etc.) are often used by spammer's for their hosting too, and so if you try to host by renting a "cloud vm" or "cloud server" and are unlucky to have an IP address a spammer previously poisoned, or just happen to be in the same netblock as a prior spammer, you find your new IP often 'blocked' from the big services, for no good reason than you happen to be from a "bad neighborhood". And this is usually the genesis for all the scary stories about "can't self host".

But reality is, you can self host, but you do have to set things up with all the modern requirements (SPIF, DKIM, etc.) as well.

gvb · 4 years ago
You can set up your own email server. There isn't anything to "fix" (unless you can "fix" all the spammers) but does require setting up SPF in your DNS and it helps to support DKIM/DMARC. Also, your internet provider / VPN host likely blocks port 25; if that is the case, you need to use a "smart host" email relay service.

https://www.google.com/search?client=firefox-b-1-d&q=self+ho...

https://www.google.com/search?q=self+hosted+email+server

https://www.google.com/search?q=dkim+dmarc+spf