I have a deep affection for email and regard it as one of the most crucial components of modern communication, and to some extent, society at large.
But email is badly treated. Yes, it has flaws, but it accomplished something unique: a universal way to contact someone, for free, from anywhere on the planet.
In this post, I will rant about email, about what I love and what I hate. Some of it will be constructive, while most of it will be a graybeard grumbling about how society ruined something great.
I will use the term email to speak of everything, from protocols to the user perspective. It is an oversimplification, but I reassure you and I'll brag about it just now: I know "a lot" about emails.
Also, when I say you I mean developers, sysadmins, webmasters but never users. Users are sacred, users are never wrong, users are like babies in cribs and should be looked after. This is important and should drive our industry.
The Universality and federation of email
The universality and federation of email are its greatest strengths. Almost everyone understands and uses email, making it a truly global communication tool. Anyone can send an email to anyone else, from anywhere to anywhere.
While this used to be true, and is still true for most of it, it is under threat. Email is losing a lot of presence to services like WhatsApp and it has become increasingly hard to self-host a mail server (more on this later). However, as of today, it remains the only widely adopted federated messaging service that is interoperable with free specifications.
This makes email mostly immune to things like censorship and you can use any tool to read, send, relay or search your emails.
Email is also your universal identifier. While this has some drawbacks and limitations, it works fairly well for authentication.
To summarize, email is an incredible communication tool and ecosystem and played a crucial role in modern society.
Use email, no excuse
The best way to fight for email is to use it. And I'll make a few recommendations.
Put an email on your website
If you have a website, put an email in the footer. Many companies use a crappy contact form. You don't want that, put an email address or I will not do business with you.
With an email I can:
- use my beloved email client to compose the message
- archive the message I send you
- follow the thread when you respond
On your side, you can:
- use a ticketing system to ingest the email sent to info@yourcompany.com
- if you can't manage spam (you should), use a captcha (you shouldn't). For this, have an automated email sent to me that says "your email is in quarantine, follow this link to pass a captcha"
- you can also use a format like <request-id>@in.yourcompany.com. This way you can link the incoming email to a web request, for example, one that passed a Cloudflare captcha (again, I have them, but I'm giving you options). Generate such an email address for all requests and put it in your footer.
Give Me Email Access to Everything
Imagine this: my health insurance sends me a notification about a new document, but I'm forced to log into their clunky system just to download a PDF.
This is nonsense. Just email me the PDF directly. I couldn't care less about your so-called "security" (more on this later). Let me sign a waiver and get my documents via email.
This way, I can set up a sieve rule and automatically archive the PDF on my NAS.
Notifications should always include an "email" option. For instance, Discord lacks email notifications, causing me to miss most of my mentions there.
Email is More Secure Than You Think
There's a common argument that emails aren't secure. While it's true that emails aren't end-to-end encrypted (PGP aside, but that's not the point), they're not as vulnerable as you might think. Most modern email infrastructure ensures TLS encryption from the sender's client to the recipient's client.
Ensuring TLS is the sending server's responsibility. For example, if a bank wants to send you a document, they can configure their server to require TLS for all outbound emails. If your server doesn't support TLS, they can send an email without the attachment instead.
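The sender-side policy described above, as an added example (not code from this post): the attachment is only sent once STARTTLS has succeeded with certificate verification, otherwise a notice without the document goes out. The addresses, file name and the `deliver`/`build` helpers are assumptions; `smtp` is a connected `smtplib.SMTP` talking to the recipient's mail server.

```python
import smtplib
import ssl
from email.message import EmailMessage

def build(to_addr: str, with_pdf: bool, pdf: bytes = b"%PDF-1.4 constructed sample"):
    """Build the message; the PDF bytes are a constructed placeholder."""
    msg = EmailMessage()
    msg["From"] = "documents@bank.example"      # hypothetical sender
    msg["To"] = to_addr
    msg["Subject"] = "Your statement"
    if with_pdf:
        msg.set_content("Your statement is attached.")
        msg.add_attachment(pdf, maintype="application", subtype="pdf",
                           filename="statement.pdf")
    else:
        msg.set_content("A new statement is ready. Your mail server did not "
                        "offer TLS, so the document was not attached.")
    return msg

def deliver(smtp: smtplib.SMTP, to_addr: str) -> bool:
    """Send to the recipient's server; return True if the PDF was included."""
    smtp.ehlo()
    secured = False
    if smtp.has_extn("starttls"):
        # A failed handshake or bad certificate raises here and is not
        # downgraded: the message stays queued for a later retry.
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()                             # re-read features over TLS
        secured = True
    # If STARTTLS was not advertised (or was stripped in transit), only the
    # notice travels in clear text, never the document itself.
    smtp.send_message(build(to_addr, with_pdf=secured))
    return secured
```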
Another point to consider: many companies now have "secure areas" where you log in to retrieve your documents. My health insurance, for instance, has one. They email you a notification with a link to your document, you enter your PIN, and you're in. I argue that it's far more secure to send the PDF directly to the user's email inbox than to send an invitation to log in, primarily due to phishing risks. You might counter that 2FA solves this problem, but it comes with major usability drawbacks. Ultimately, my point is this: let the user choose, with a proper disclaimer for the email option.
The Reality of Security
All systems are vulnerable if someone's motivated enough. Email is convenient and not nearly as bad as it's made out to be. The cost and resources needed to hack a properly configured email system are often higher than hacking the end device.
For example, I know many doctors¹ who receive medical documents through "highly secure, very inconvenient" systems. What do they do next? They dump everything into their Dropbox. And on their computer, they have TeamViewer or AnyDesk running 24/7. Add to that an overstressed secretary who could easily be tricked into granting remote access with a single phone call. And this is without even considering misconfigurations and vulnerabilities.
The point is, these supposedly ultra-secure systems often lead to less secure practices in the real world. Sometimes, the simplest solution - like a well-configured email system - can be more secure than complex systems that people work around due to inconvenience.
SPAM folder shouldn't exist
Most email providers have a SPAM folder. And I want to argue that it should not exist anymore in 2024.
In the past, it would require significant time to process emails and run the spam filter. So when the server got an email, it would store it and put it in a queue to be filtered and then delivered with a little latency.
But today servers can easily run complex spam filters in a few hundred milliseconds max. Which means they can run the SPAM filter during the SMTP connection and not accept email that is marked as spam. This is what I do with my server and it works great. The huge added benefit is that false positives get a delivery error email from their mail server.
Also, if we follow the RFC strictly, all emails must be delivered when the server responds with a 250 response code, so the SPAM folder is a violation of this.
Having the server respond with an error code at the SMTP connection level is the correct way to handle SPAM. Also, responding with something like 521 might trigger spamming servers to stop trying and reduce the global traffic.
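Filtering during the SMTP connection, as an added example (not the author's server configuration): a minimal receiver that scores the message at the end of DATA and either answers 250 and delivers to the inbox, or answers with a permanent error so the sending server generates the bounce. The word-list scorer, host names and the 550 5.7.1 reply text are assumptions made for this example.

```python
SPAM_WORDS = {"viagra", "lottery", "winner"}    # constructed toy word list

def spam_score(text: str) -> float:
    """Toy stand-in for a real filter: share of words found in SPAM_WORDS."""
    words = [w.strip(".,!:").lower() for w in text.split()]
    return sum(w in SPAM_WORDS for w in words) / max(len(words), 1)

def smtp_session(client_lines, inbox, threshold=0.2):
    """Run client lines through a minimal SMTP dialogue and return the replies.

    The filter runs on the end-of-data line ("."), before the server answers
    250 and takes responsibility for the message. Command ordering is not
    enforced here.
    """
    replies = ["220 mx.example.test ESMTP"]
    in_data, body = False, []
    for line in client_lines:
        if in_data and line != ".":
            body.append(line[1:] if line.startswith(".") else line)  # dot-unstuffing
        elif in_data:
            in_data, text = False, "\n".join(body)
            body = []
            if spam_score(text) >= threshold:
                replies.append("550 5.7.1 Message rejected as spam")
            else:
                inbox.append(text)              # accepted mail goes to the inbox
                replies.append("250 2.0.0 Ok: queued")
        elif line.upper().startswith(("HELO", "EHLO", "MAIL FROM:", "RCPT TO:")):
            replies.append("250 Ok")
        elif line.upper() == "DATA":
            in_data = True
            replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif line.upper() == "QUIT":
            replies.append("221 Bye")
            break
        else:
            replies.append("500 Command not recognized")
    return replies

def envelope(*body):                            # constructed sample dialogue
    return ["EHLO sender.example.test", "MAIL FROM:<a@sender.example.test>",
            "RCPT TO:<me@mx.example.test>", "DATA", *body, ".", "QUIT"]

HAM = envelope("Subject: Invoice", "", "Please find the invoice for March attached.")
SPAM = envelope("Subject: You won", "", "You are a lottery winner! Claim your viagra now.")
```

Because the rejected message never receives a 250, there is nothing to put in a SPAM folder: the inbox only ever holds mail the server agreed to deliver.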
Never use noreply address
Noreply addresses should not exist, period. If I get an email from your company, I should be able to hit reply and the reply should go somewhere. Just hook a ticketing system or whatever, but NEVER EVER EVER use a noreply address. If you have no idea, just put info@yourdomain.com in the Reply-To header and be done with it. But you can also go as far as doing something like 98jdsjk@notifications.yourdomain.com where 98jdsjk is a notification ID and have my reply linked to the context it was sent from.
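A per-notification reply address, as an added example (not code from this post) that serves both the `<request-id>@in.yourcompany.com` and the `98jdsjk@notifications.yourdomain.com` suggestions. The HMAC tag, the secret and the `<id>-<tag>` layout are assumptions added here so that an inbound reply cannot be attached to another context by guessing an ID; IDs are assumed to be lowercase.

```python
import hashlib
import hmac
from email.message import EmailMessage
from email.utils import parseaddr

SECRET = b"constructed-demo-key"            # assumption: stays on the server
DOMAIN = "notifications.yourdomain.com"     # domain from the post's example

def _tag(notification_id: str) -> str:
    mac = hmac.new(SECRET, notification_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]             # 64-bit tag keeps the local part short

def reply_address(notification_id: str) -> str:
    """Address of the form <id>-<tag>@DOMAIN for one notification."""
    return f"{notification_id}-{_tag(notification_id)}@{DOMAIN}"

def build_notification(to_addr: str, notification_id: str, text: str) -> EmailMessage:
    """Plain-text notification whose replies come back with their context."""
    msg = EmailMessage()
    msg["From"] = "Notifications <info@yourdomain.com>"
    msg["To"] = to_addr
    msg["Reply-To"] = reply_address(notification_id)
    msg["Subject"] = "New document available"
    msg.set_content(text)
    return msg

def resolve_reply(rcpt: str):
    """Return the notification ID an inbound recipient maps to, or None."""
    local, _, domain = parseaddr(rcpt)[1].lower().rpartition("@")
    if domain != DOMAIN or "-" not in local:
        return None
    notification_id, _, tag = local.rpartition("-")
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(tag.encode(), _tag(notification_id).encode()):
        return None
    return notification_id
```

The inbound side calls `resolve_reply` on the envelope recipient and hands the message to the ticket or thread for that ID; anything that does not verify can be refused during the SMTP dialogue.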
Do not use super long URLs
When you want me to confirm an email, use something like:
https://example.com/email-confirm/1234568789
Anything longer is crap, it will wrap and confuse the user. The action should be visible in the URL.
Use HTML sparingly
I don't use HTML email, I use aerc and I set everything to plain text. But most users like HTML formatting, and that's fine. HTML is not bad per se, but if you don't need it, do not use it. For example, notifications hardly ever require an HTML message. But if you want to display something super fancy like newsletters, include a link to the web version in the plain text message.