The email monopolies annoy me the most when other apps assume you have gmail/apple/etc.
Notion recently launched email integration that only works with GMail, and all the marketing was basically "we added Email to Notion" instead of "we added _Gmail_ to Notion".
I ranted about this before, tailscale doesn't allow you to sign up with your own username/password, they expect you to use google/facebook/microsoft accounts (or bring your own OIDC server, which is overkill if you are an individual user). As someone who got his google account blocked and got locked out of half of the internet, I can only warn anybody against ever using 3rd party logins.
Tailscale is heavily focused on authorization (authz; what you can do), and considers strict identity verification (authn) crucial to that goal. So they chose to delegate the latter problem to a party that's already solved it better than Tailscale could. This is reasonable and I'm with them.
But I do agree with you on your point; once you lose your Google account, you lose a lot more - including your personal TS network, which may include offsite devices, grandparents' PC, etc.
Unfortunately your TS account is also heavily tied to the chosen ID provider, I don't think you can change it at all (even if you go through support). I would prefer to be able to link two IDs to a single TS account (e.g. Google and Apple), perhaps be able to unlink the one I don't want anymore. I see a security concern in there (you either have a weak link, or you can't unlink an account you don't control anymore), but it would still be nice.
>As someone who got his google account blocked and got locked out of half of the internet,
Say again please? How did you get locked out of so much I ask? I use one gmail account for mostly unimportant emailing and as a dumping ground for email signups that later spam you to death with "promotions". That's about it, and I'm able to use a hell of a lot more than "half the internet".
I'm honestly curious about the mechanics of how and why one could let having, or losing, a google account affect them so much.
Have you seen headscale? It's a bit of work if you don't have a selfhosting setup but it enables you to use the service without being at the whim of Tailscale.
You can login with a passkey now: https://tailscale.com/kb/1341/tailnet-passkey-admin. It looks like you still have to use Google/etc. for your main account initially. But still, this would prevent getting locked out.
More annoying than that is the email monopoly operators deciding any non-monopoly email is spam, effectively driving businesses into their corporate packages. As a business, you have no guarantee that if you run your email server or have a hosting company run it, you'll actually be reaching customers.
I've been self-hosting for about 15 years now, and the only deliverability problems I've had in the past were with ISPs. I have no problem sending to Gmail, Outlook, Yahoo, and so on, or any business who hosts their own E-mail. Very occasionally, I get bounces from people who still get their E-mail through their ISP, like from AT&T or something. But I just go through the ISP's opaque process and deliverability goes back to normal.
And worse, your customers blame you instead of the provider, forcing the switch even more. "I don't have any problems with other emails, it must be your fault."
Is this not the logical result of fighting spammers? It’s easier to trust messages coming from mega corp when you know mega corp has invested in mechanisms that ensure their systems aren’t being used to send spam. I certainly don’t like the negative impact on people who choose to self host, but I also don’t see it as an intentional effort to shut out legitimate emails.
It's frustrating because it sidelines everyone who made a conscious choice to use alternatives or self-host, and it normalizes the idea that Gmail = email.
If they add Microsoft they will probably cover 99% of companies from small to medium - including practically every tech startup along with all the small creators and note taking influencers.
One thing: given that gmail is free and includes forwarding and all-but-unlimited storage, I work around these limitations with a (free) new gmail account that I use for notion etc.
(this issue also affects Advanced Protection gmail users, who are often blocked from various integrations... the workaround is to create a gmail account for those and setup bi-directional filtering/forwarding...)
I think in general treating email any other way than "everyone will eventually read your mail" makes no sense. Email communication, from forwarding to how people archive, to copy-pasting provides no security and is so brittle, just assume anything you write in an email is for public consumption. Reminds me of a post from a few years ago about encrypted mail as a security LARP (https://www.latacora.com/blog/2020/02/19/stop-using-encrypte...)
If you want secure messaging that nobody else will snoop on use an application dedicated to.. secure messaging. It's never what email was for and it's not how it's being used.
I mean, for normal people that is exactly how it’s being used. Your receipts for everything are automatically emailed with all kinds of private info for example. Nobody, and I mean nobody, is expecting those receipts to be public. And since all that is in your email you reasonably expect your other email to be private as well.
Email is auth now. People do not use email the way you are describing.
One of the biggest issues with the way the modern internet works is that it technically works the way GP describes but people believe it works the way you describe.
Even assuming all encryption is configured correctly at the endpoints so we can discount the risk of mid-transit interception and comprehension (do I assume CVS has encryption set up correctly on their outbound receipt emails? I do not...). People think it's like the postal network but it's more like the mail lands at the post office and they hand you a copy of it, while they retain the originals.
Exactly. Email is never an organized channel for communication. It only makes sense in the corporate world.
For users who don't pay for their personal email, email is nothing but a marketing channel and a very inefficient one at that. All the companies and corporations and people try to pretend to make email addresses look confidential and private. But the reality is they just see it as a way to spam you with ads and promotions and meaningless clickbait messages.
The idea of unsubscribing from emails from corporations and agencies is again just an act of pretense. 95% of the cases, it's not done in one click and involves a series of a few confusing steps. Even from a technology perspective, email is fucked and a legacy artifact as of today.
I would love to see a more secure protocol to replace it, where the recipient always has full control over all the messages that he can ever receive.
> For users who don't pay for their personal email, email is nothing but a marketing channel and a very inefficient one at that.
I have a paid personal email plan on my own domain name. (Mostly to get aliases and plus addresses). It is set up very well and filters spam very efficiently, compared to some 'corporate-standard' filters on other services. But I still have to use my gmail address because most individual contacts wouldn't see my mails otherwise since they are on gmail, hotmail, etc. And for many official websites, my email addresses are 'not valid email addresses'. Granted that my TLD .space isn't an official sounding one, but it's used by exactly two types of users - people who use it as their space, and people/organizations working on space tech. So I pay, but I'm still forced to watch them spam. Honestly, I believe that email is now a captured monopoly (cartelopoly?).
> I would love to see a more secure protocol to replace it, where the recipient always has full control over all the messages that he can ever receive.
I wholeheartedly agree. Email is an awesome idea. But its age is starting to show. We need something with security and encryption built-in, much fewer moving parts (Can we integrate MTA, MDA, WebUI, spam filters, DKIM, etc into just one?), option to opt out of rich formatting (the HTML and AMP junk), dynamic updates, etc and proper spam filtering, etc. We should also have a way to disincentivize or punish big players from rejecting valid emails. Perhaps it can use HTTPS to overcome those pesky corporate reverse proxies and firewalls.
But the idea of having a domain name as a namespace for users is still precious.
> 95% of the cases, it's not done in one click and involves a series of a few confusing steps.
My experience has been the complete opposite as someone who had to do it recently. Only a handful made it more arduous than a single click. I was surprised.
The words probably get read somewhere on the way to the destination and in the future someone will probably unpin the pretty picture that has been decorating the notice board, turn it over and read what is on the other side.
Article is from 2014 where this was more of a valid concern. These days I don't think people send email for anything other than external communication with businesses. And only in western countries.
The only personal electronic communication I use are the only two widely deployed federated protocols: email and SMS. Everything else involves compromises to enter a walled garden that offers no value to me.
As I see it, the problem is that the email address has been conflated with your identity, and that is extremely problematic. It should only ever have been a somewhat transient reachability identifier. As an identity it then gets linked to concepts like authorization and trust, eg "we'll send this code to your email, because we implicitly trust that only you can see your email, and that you'll always be able to get to it."
Every so often one sees a cri de coeur from someone who has learned this lesson the hard way when Google locks them out of their account, the key to their digital life evaporates, there's nothing they can do about it.
Alternative identifiers exist, eg handles on sites like HN, but they are second-order artifacts of the email as ID.
Given the stakes, then, you have to decide whether to try and control your identity by building your own infra for email (domain, mail server, dkim etc and a fair bit of hell), paying for someone to run the infra (eg getting a proton or fastmail address), and hoping they don't enshittify or fail, or letting Google or Microsoft control it and hoping you don't fall foul of them. All these options have drawbacks.
Side musing follows: I don't know what the solution to identity is on the Internet. A very long time ago, X.509 certs issued by quasi government authorities was mooted as part of an international directory system. I can see a future authoritarian state falling in love with this idea again, esp with the resulting lack of anonymity... but also the ability to "kill" people on the Internet simply by revoking their cert.
Not just email - today it's almost impossible to have a decent life without a (smart) phone and being tied in through OTP verification.
All these things have become so essential that it's shocking that it's not regulated like a utility (or even as a right given their systemic imposition).
OTP verification can largely be worked around because so many sites still use SMS codes which a dumb phone can handle. Similarly, 2FA codes can be handled on a PC without requiring a smart phone. It adds hurdles but can be done.
Where it becomes challenging is situations where smart phones truly are required. When I attended college football games last fall, all tickets were e-tickets. You were required to present a QR code on your device or your ticket stored in Apple Wallet or Google Wallet. I ran into the same situation with my local theater's ticketing. You haven't lived until you've witnessed an audience with an average age of 70 try to figure out their tickets on their smartphones when they've never used them for that before nor had any notion that was even POSSIBLE.
You don't need to reinvent the wheel to have a "somewhat safe email". Just own a personal domain and host it on migadu, mailcheap, mxroute, Zoho or any other provider.
I've ranted about this before, but setting up or migrating semi-selfhosted personal services like that is a lot of hassle, even if you're used to cosplaying as a sysadmin.
Migrating DNS providers is a pain - recently done it twice. Transfer itself is reasonable with most providers. Importing/exporting a BIND-formatted zone file is sometimes unheard of, as is setting custom TTL; you'll have to go through a stupid form. One provider tries to hold your hand so tightly it won't let you set CAA with iodef, only issue/issuewild.
Migrating email is a pain. Yes! You can just point your MX elsewhere, and that is brilliant. You still want to copy over all your email, and given IMAP has won, if you don't have a recent backup (who does back up their email?), losing your old account sucks.
Fixing up your email clients is also troublesome. You can't just CNAME smtp.yourdomain.com to smtp.example.com, because that's nuts, so changing providers from example.com to beispiel.de requires a couple more dances; provider docs also suck, and email clients usually fail a dozen times before you can find the right incantation. You could set up your own autodiscover, but that requires an HTTPS server.
Yes there are providers that sell a full package and do all the initial setup for you, but that's not the point of owning your domain.
Yeah, I sometimes do sysadmin stuff for fun. None of this is fun.
> Side musing follows: I dont know what the solution to identity is on the Internet.
I was fond of how Keybase brought to life [1] identity proofs (linking and validating your different online identities) in a very easy to use platform. Pity it went away; feels like a loss for the internet.
Right, but I want to validate my identity for cases where it is important to me. I also want to prevent others from assuming my identity in cases where it doesn't really matter (until it does). My identity here is not the same identity I use on Reddit. At the same time, being erroneously linked to someone else's posts on Reddit because they use this username could be a real problem. At the same time, I don't necessarily want my posts here to be linked to posts at Reddit or X or wherever. Rinse and repeat across thousands of web sites.
It's a problem with no easy solutions. In part, because no two users want exactly the same solution.
If you don't want to link your email and your identity, you can use aliasing services like SimpleLogin. I have a separate email alias for every account, such as hackernews.ci72j@slmail.me, and only use my personal email for personal communications.
> paying for someone to run the infra (eg getting a proton or fastmail address), and hoping they dont enshittify or fail
I don’t experience them doing that. They’re email companies going strong. Maybe they get sold in some decades, and you move on. But I’ve had FastMail for one decade now, and it’s remained the same throughout. Including the minor UI bugs in their email client. But I’d much rather live with those than suddenly they’re also an AI company.
I care about my privacy but I use almost all of Google's products because they are so easy to use and because they are so ubiquitous. But for people who are super worried about their privacy, did you ever refuse to send or receive an email from Gmail or some other big corp email provider e.g. Hotmail/Outlook, Yahoo etc.?
For example if there was an en masse boycott of Gmail and Outlook maybe people would start switching to more privacy aware email providers. Let's say that you want to contact a blogger and s/he says: "I bounce off emails from Gmail, Outlook and Yahoo, please use other more privacy friendly email providers."
An addendum for going forward from 2025: Microsoft's AI, and any malicious agent that hacks into Recall's data store [1], will in future have most of my "end-to-end encrypted" comms, because many people will be running Recall by default, perhaps without even knowing.
----
[1] Or are we trusting those dumb enough to use a completely unencrypted sqlite datastore for the initial versions, not to do something less dumb, but still dumb enough to be a security issue, in current/future versions?
Not my experience. For example, when I rented a house, I sent some personal documents to the landlord through such password protected email and also texted them the password to their phone. They called me about it and I explained to them this was the latest "secure mail" technology, as "old email" is just like postcard mail which anyone can read. And hence "old email" technology is not secure enough when we are dealing with financial documents, and personal ids etc. I later ended up helping them create a new ProtonMail id which is what he now uses as his primary mail account.
> For almost 15 years, I have run my own email server which I use for all of my non-work correspondence. I do so to keep autonomy, control, and privacy over my email and so that no big company has copies of all of my personal email. [...] A few years ago, I was surprised to find out that my friend [...] a very privacy conscious person who is [...] at the EFF — used Gmail.
Almost the exact same situation here, except my friend was once at an EFF-related organization.
I think a lot of things, like the tech industry turning into '80s Wall Street bros, wore down some of his on-principle determination. And when life got too busy, he gave up, and moved to GMail. I was very surprised to learn.
Another friend, who in school was one of those MIT student Linux hackers who had serious OPSEC as ordinary practice, once he had kids, and had to think about continuity of all the things he ran if something should happen to him, ended up moving home stuff to popular Apple and Google services.
Case in point a bit further down in the comments: https://news.ycombinator.com/item?id=43902653
Had the same problems myself so decided to build a product I actually needed.
https://marcoapp.io
The real problem comes when your email address is owned by someone else (eg. @gmail.com).
That’s the definition of lock-in.
[1] https://news.ycombinator.com/item?id=7453360