Email insecurity (was One of the great benefits of Open Source)
Posted Nov 7, 2025 13:52 UTC (Fri) by anselm (subscriber, #2796) In reply to: Email insecurity (was One of the great benefits of Open Source) by taladar
Parent article: Debian to require Rust as of May 2026
The nice thing about email is that it works reasonably well for the vast majority of people without arbitrarily restricting the set of people one can communicate with to those who are prepared to subscribe to the same more-or-less-proprietary walled garden as oneself. Sure, Signal (for example) is nice but you only get to use it to talk to other people who are also on Signal, using a special program you need to install that is only good for talking to other people on Signal, and may or may not even be available for the platform you're using. If the people who run the Signal servers ever get tired of doing it¹ then congratulations, you get to find a new service where all the people hang out who you used to talk to on Signal, and hope that whatever program you need to use to get on that service will also run on the computer(s) you'd like to use. And so on².
With email at least, the underlying “mess of semi-underspecified standards” is sufficiently well-understood by enough people all over the place that the service itself will not be going away anytime soon. We cannot guarantee the eternal existence of any particular mail server instance or piece of software used to send or process email, but it is overwhelmingly likely that you will always be able to find some MUA that runs on your system (however unusual) and can connect to some MTA in order to get email from you to whoever@somewhere.com. In a pinch you could even write your own. For all its obvious shortcomings and all the legitimate criticism one could level at the email system, it's what we have, it's everywhere, and so far nobody, as in nobody, has been able to come up with a viable contender to replace it that doesn't involve a walled garden or single centralised point of failure of some kind. It may be “just network effects”, but those network effects are pretty hard to beat.
1. We can debate about how likely that is to happen, but in point of fact it's not as if you have a contract with the Signal people that says they can't simply stop providing the service to you whenever they feel like it. Certainly recently when the EU was debating forcing messenger services to scan messages for unwanted content, Signal was considering withdrawing from the EU altogether, which would obviously have sucked for Signal users in the EU (certainly those without the wherewithal to use a VPN to connect to somewhere where Signal is still available).
2. Sure, you could run your own Signal server, but then you would need to convince everyone you want to communicate with to use that particular server, too. (So instead you use Mastodon, but that of course comes with its own set of issues and restrictions, and of course you would need to convince everyone you want to communicate with to also use Mastodon.) With email, you can run your own server and it will generally be fine for communicating with people on arbitrary other servers.
Posted Nov 7, 2025 16:10 UTC (Fri)
by paulj (subscriber, #341)
This isn't true. You may be able to receive email, but you will struggle to have others receive email you send, unless you spend a good bit of time configuring various hacky side-protocols and testing them and maintaining them. That's sort of the origin of this off-story-topic sub-thread.
Posted Nov 7, 2025 16:20 UTC (Fri)
by pizza (subscriber, #46)
I set up DKIM on systems I administer nearly seven years ago. I don't recall it being particularly challenging (on the order of a few hours), and I am not exaggerating when I say it has required zero maintenance since.
Honestly, email barely even registers on the "list of headaches involved in running public-facing services" these days.
Posted Nov 7, 2025 18:59 UTC (Fri)
by dskoll (subscriber, #1630)
Also. I've been hosting my own email on behalf of a company I used to own since 1999, and self-hosting my personal email since 2018. The initial setup took some time, but there's no ongoing maintenance needed for DKIM/DMARC/SPF unless you make changes to your network topology, and that hasn't yet happened for me. It's really not all that hard, and IMO we need a wide variety of email hosting providers and self-hosters to ensure that concentration amongst the Big Ones never reaches the point where they can unilaterally change the price of admission.
Posted Nov 7, 2025 17:14 UTC (Fri)
by anselm (subscriber, #2796)
These days you can get nifty oven-ready container-based email systems – usually based on Postfix, Dovecot, and the like – which will take care of that stuff for you. But even setting up SPF and DKIM from scratch isn't exactly rocket science. There are loads of web pages which explain how to do it, in easy-to-follow steps, and doing just that will take you a long way towards being able to send email wherever you like.
I've been running mail servers (on my own behalf and that of various companies and non-profits) and teaching other people how to do it for 30+ years now, and it's generally not something I'm losing any sleep over. As far as I'm concerned, claims like “you will struggle to have others receive email you send” are wildly exaggerated.
