• It should be reliable
• It should help protect my privacy by:
  • not unnecessarily exposing the contents to my discussions*
  • allow aliases to prevent easy cross-correlation between different sites**
• Managing aliases should be easy
  • It should be easy to set up new aliases (possibly with a “catch-all” address, where all emails for the domain go)
  • Replying from an alias should be easy (or at least possible)

Which leads me to my current setup: use simplelogin.io from Proton with a fallback to Cloudflare Email Routing.

Advantages of this setup

• Both Proton and Cloudflare are trusted companies (though this can be subjective, but I certainly rank them higher than the FAANGs)
• The simplelogin software stack is open source, which means that it’s better audited and theoretically I could run it on my own if it makes sense
• Both providers promise to only forward, never store your email
• Simplelogin also provides some generic domains, which means that I can hide even more “in the crowd”, but using those generic domains when creating low-value accounts
• Replying through a simplelogin account is simple (you “just reply” to the email), though it has some funkyness to it (simplelogin rewrites the email address to “man in the middle” the communication to achieve this – then again, it also includes the original email address in a custom email header)
• Simplelogin has some advanced features (like “send email from this address to multiple recipients) that can be useful for families for example (where both parents want to get the communication from the school)
• Simplelogin also has Bitwarden integration

Details of the setup

The description of the setup is probably shorter than the list of advantages, which is probably a good thing

• Get a domain and “link it” to Cloudflare (aka. point the nameservers to the Cloudflare ones)
  • I’m assuming here that you already have a Cloudflare account
  • I’m also assuming here that you want to have a custom domain. If not, and just want to use the domains provided by Simplelogin, just create an account with them, done
  • Since I would like to separate my (little bit public) persona from my private persona (ie. why should Amazon know that the person ordering a book from them also runs a blog?), I also have a secondary, more private domain set up this way, in addition to grey-panther.net.
• Enable Cloudflare “Email Routing” for your domain
• Enable “Catch-all” for Cloudflare Email Routing and configure it to send to the preferred email address
  • Remember that this is just a fallback / backup solution, normally emails wouldn’t be routed here
• Enable DMARC in Cloudflare to get some reports about bouncing emails. Alternatively you can use a third-party DMARC service like easydmarc.com to get periodic reports about potential email problems
• Now go to your Simplelogin account and start setting up the domain
• To set the MX records for the domain, you’ll need to go to Email > Email Routing > Settings in Cloudflare and click on “Start disabling”
  • Click “Unlock and keep DNS records”! This will allow us to use the Cloudflare email servers as backups later
• Now continue with the Simplelogin DNS setup
  • Since the Simplelogin MX servers are added with priority “10” and “20” respectively, it means senders will generally prefer them and only fall back to Cloudflare if the simplelogin servers are not available
  • After you finish the setup of the domain in Simplelogin, you probably want to go to said domain > settings in Simplelogin and enable “Auto create/on the fly alias” (Catch-all)
• Now we want to do a bit more tweaking to the DNS entries in Cloudflare:
  • We should update the SPF record to: v=spf1 include:simplelogin.co include:_spf.mx.cloudflare.net -all
  • (this allows Cloudflare to also forward emails when it acts as a fallback email server. Also, this says that emails for the domain not coming from the enumerated set of servers should be dropped. If you want to be less strict, you can use “~all” instead of “-all”. You can use tools like the SPF Record analyzer to double check that the SPF record is well formed)
  • Update the _dmarc record if you want to use EasyDMARC.com as instructed by the site. You probably want to set “p=reject” here.

That’s it! Here is again a the relevant DNS records for grey-panther.net:

;; CNAME Records
dkim02._domainkey.grey-panther.net. 1 IN CNAME dkim02._domainkey.simplelogin.co.
dkim03._domainkey.grey-panther.net. 1 IN CNAME dkim03._domainkey.simplelogin.co.
dkim._domainkey.grey-panther.net. 1 IN CNAME dkim._domainkey.simplelogin.co.

;; MX Records
grey-panther.net. 1 IN MX 20 mx2.simplelogin.co.
grey-panther.net. 1 IN MX 10 mx1.simplelogin.co.
grey-panther.net. 1 IN MX 147 amir.mx.cloudflare.net.
grey-panther.net. 1 IN MX 119 linda.mx.cloudflare.net.
grey-panther.net. 1 IN MX 163 isaac.mx.cloudflare.net.

;; TXT Records
_dmarc.grey-panther.net. 1 IN TXT "v=DMARC1;p=reject;rua=mailto:[email protected];ruf=mailto:[email protected];fo=1;"
grey-panther.net. 1 IN TXT "v=spf1 include:simplelogin.co include:_spf.mx.cloudflare.net include:sites.nearlyfreespeech.net -all"
grey-panther.net. 1 IN TXT "sl-verification=xznetmbmfgmkinlnopzlakneigjhzk"

Who can spy on me? (aka. threat model)

Nothing is perfect, and I’m enabling quite some people to spy on my in the worst case:

• Both Proton and Cloudflare can decide to log my emails
  • Although Cloudflare is only a “low priority backup server” in this setup, if we assume that they are acting maliciously (or somebody took control of my Cloudflare account), they can remove the Simplelogin MX records and force email to be forwarded to whatever system they control.
• If the hardware that runs Proton / Cloudflare services is compromised, I have the same problem
  • Although, hopefully, I’m too small of a fish for somebody who pulls that off to target me specifically (this goes back to “hiding between all the people)
• My domain registrar (or somebody who gets access to my account there) can decide to repoint my domain to different nameservers that serve different MX registries
  • Not too much to do – just have complex passwords, 2FA and hope that the security of the registry / registrar is good enough
• The final destination of the emails
  • I host the final address everything is forwarded to in the cloud, so that means that the specific cloud provider also has access to everything. I could use a different solution, but for now the sync-in between devices is just too convenient…

Alternatives considered

• Self hosting email infrastructure
  • This would have given me the ultimate flexibility, but it would have also tasked me with monitoring and updating the service
• Using a “catch all” email address with Google Workspace / Google Apps / whatever it’s called this week
  • It’s not all to difficult to set up
  • However, it requires a separate Workspace account that doesn’t work well with many other Google products
• Migadu
  • Run out of Switzerland, just like Simplelogin/Proton
  • Can pay for it, just like Proton, to hopefully ensure that they’re around longer
  • However less well known, so I don’t feel like I have a good insight into “how they tick”
  • They’re more a “let’s make email hosting simple” kind of company, rather than focusing on privacy, which means they don’t provide additional “generally used” domains (which could be used to better hide in the crowd)

* Yes, unencrypted email can be considered mostly public anyway – still, basic security precautions like making sure that your email server speaks SSL/TLS for incoming and outgoing emails is useful.

** So, if I sign up with [email protected] for two different sites, it’s easy to conclude that it’s one person who owns both accounts. However if I use [email protected] for one site and [email protected] for the two different sites, it’s much less clear that there is the same person behind them.

I’m a long time Yahoo Mail user. Just to illustrate how long I’ve been with them: when I joined the space available was a couple of MBs! I staid with them because I was mostly satisfied (never really caught the GMail bug), however recently I started looking for options to consolidate the different email accounts (work / personal / yahoo / gmail / etc). I explicitly wanted IMAP support because I really need to keep in sync between multiple machines.

The common wisdom seems to be on the ‘net that Yahoo! Mail doesn’t support IMAP (not even for paid accounts) or that various hacks are needed to support it (like sending custom / non-standard commands after login). This information however seems to be outdated, since I was able to find a least 3 IMAP servers (I’ve tested them all and they all work – with standard email clients with no hacks!):

• imap.mail.yahoo.com (this is the one Thunderbird configures by default)
• winmo.imap.mail.yahoo.com (from this article)
• zimbra.imap.mail.yahoo.com

All of the servers support SSL/TLS encryption, so they are safe to access even from public hotspots. The outgoing server is smtp.mail.yahoo.com, which also supports SSL/TLS (and you should use it!)

The easiest to set up is Mozilla Thunderbird, however Evolution seems to work much better. One important feature in particular is that it works with large (10 000+ emails) folders, while Thunderbird chokes with an error (“UNAVAILABLE] UID FETCH too many messages in request”). To have Evolution work properly, you need to select “IMAP+” (also called IMAPX) as the protocol.

HTH somebody out there.

use strict;
use warnings;
use Net::SMTP::TLS;

my ($from, $password) = ('[email protected]', 'MySuperSecretPassword');
my $mailer = new Net::SMTP::TLS(
  'smtp.gmail.com',
  Hello => 'smtp.gmail.com',
  Port => 587,
  User => $from,
  Password => $password);

$mailer->mail($from);
$mailer->to('[email protected]');

my $data = <<'EOF';
X-Face: "8.]Z_3ptuNK'CA~DM>M,G.T(h=1.y9"0gXW3V91E:dw2?|&G2R(?/no'F2g4%8Fv.
 J1p5K-^1epKXxIG)mj4}nGWTi<=iz8n)bUVhLu}MXRFl9"J%'=-;IfMXcuPK>-%^;$uW87O/B
Subject: Hello X-Faced World!

email body.
EOF

$mailer->data();
$mailer->datasend($data);
$mailer->dataend();
$mailer->quit();

The code is largely based on this snippet: Sending Mail Through Gmail with Perl. The X-Face header was generated using the Online X-Face Converter (yes, I know that there is a Image::XFace module, but it was very cryptic – it didn’t mention supported input / output formats). One word of warning: if you are using ActivePerl under Windows, Net::SMTP::TLS isn’t available in the default module list (AFAIK, because of encryption restrictions), so you might need to experiment with alternative package sources or using Linux :-). I’ve also tested the script with an email account I control (using Thunderbird with the Mnenhy plugin – which can read but not create X-Face emails) and it worked nicely.

There you have it: how to use an old (from the 1980s according to Wikipedia) method for embedding pictures which is not supported by most of the email clients

There is nothing particularly interesting about the scam itself (it promises something in return if you buy a prepaid card and send the number to them – such scams circulate over every media – e-mail, sms, phone, etc). What I wanted to exemplify is the multitude of actors involved (which makes stopping the scam that much harder):

There is my e-mail provider (Yahoo) who managed to classify this message (correctly) as spam.

There is the account the email originated from ([email protected]). Now, as far as I can tell, the website babs-education.info is a completely legitimate site for the “British Association of Barbershop Singers”, hosted at the provider hosts.co.uk (hence the email address). My current working theory is that this account was hacked and being used to send spam. I’m not really sure who to contact (supposedly the attacker has full control over the email account, so mailing there won’t do much good – I also tried to sign up to their forum, but it requires “administrative approval” which I still didn’t get – probably the administrator gets notified through the same email account).

There is also a third actor – Gmail – who will get the reply messages. Their abuse department got notified.

It is interesting how humans calculate the utility function. Email, as a tool, is completely inadequate in situations where we have active, hostile activity. Yet we don’t try to move on to something engineered having this situation in mind. Simply because our email (kind of) works, we regard it as more useful than future systems which would work better.

Also: closed systems like Facebook messaging, which some people claim “replaces email”, won’t ever substitute it for at least two reasons: (a) they are seeing a low(er) volume of spam because they are not as ubiquitous as email (as their popularity increases, so will the volume of spam) and (b) it is a closed system, making it useless for many usecases (companies internal messaging system for example).

Some random dude in Taiwan couldn’t browse the web (because an undersea cable broke due to a recent earthquake) and he decided that using a webserver (probably configured by him) which ran arbitrary executables mailed to it (hint: the from e-mail field is not a reliable authentication mechanism) is a sane thing to to because I need Slashdot!. Of course he made the front page on Slashdot.

Please, don’t reinvent the wheel! I’m too young to have used any of the following services, but at least I know that they’re out there:

• Accessing th Internet – offline (Google Cache because the site loads very slow). The mail address mentioned works (I just tested it) and has a response time of ~10 minutes.
• www4mail.org