I’ve been in the email business for a lot longer than many people at Google, Yahoo! and even Microsoft have been alive.
I wrote my first email system entirely in BASIC for my GCSE Computer Studies coursework back in the early 90s. It wasn’t fancy by any means (and used an external text editor), but it worked over the school network just fine.
I’ve been tinkering and managing email systems for near enough 20 years professionally. But I don’t run my own mail system for my personal domain. Why?
Managing a modern email system is incredibly hard work. When I first started off running the ISP side of Albatross Networks Ltd. in Norwich, spammers were a mere twinkle in somebody’s eyes. But now, it’s spamming, phishing, malware, viruses and all manner of nasties. Keeping on top of it all is a right royal pain in the arse.
I’ve used many different email systems over the years – some commercial, some open source, some hosted, some self-hosted.
Commercially I love MDaemon and SLMail (no longer developed/maintained) - both Windows products, but they worked beautifully and were easy to maintain. Expensive, yes, but they did exactly what it said on the tin. MDaemon in particular has one of the best implementations of SpamAssassin I’ve seen on any platform so far (and this includes spam appliances, such as the earlier Barracuda Spam firewalls back in the mid-2000s).
I’ve managed Sendmail, Exim, Qmail and Postfix servers for my personal mail over the years. Qmail really lead the way forward in maintaining a sane mail system that was really easy to configure and manage. Exim was my favourite for a while, and Postfix is really growing on me for work and customer email systems. Combined with SpamAssassin or one of the many other anti-spam systems, you can build a really good mail system.
But you still need to work hard at managing an efficient and working email system. Even with a cPane/WHM server, you’ve still got many components that you’ve got keep an eye on and tweak to get the best out of it. It’s made even more complicated that should your web site on the same cPanel system ever is compromised, you’re more than likely find that you can’t send email because your server’s IP is on a real-time blacklist (RBL) of servers that have found to be sending spam, phishing or malware emails.
Note: If you do use cPanel/WHM for your hosting, I thoroughly recommend hosting your email separately on another server or using a hosting service such as Google Apps for Business or Office 365/Exchange Online . Heck, stick your email on another cPanel/WHM server that’s used only for email. This way if you site is compromised, your ability to send email is far less likely to be affected.
These days a lot of people use free email services such as Gmail, Hotmail/Outlook, Yahoo!, etc. This is all fine and dandy for personal use, but there is one big problem with these services – you have little to no control over who can send email to you.
In my job I see a LOT of compromised cPanel/WHM systems where customers have put everything on a single server – web site, email – the whole caboodle. As a consequence of not managing or updating their WordPress/Joomla/Drupal site often enough (not upgrading to the latest version, as well as using much older and more vulnerable versions of PHP, Apache and MySQL), their site is compromised to send out spam and phishing email, putting their entire server on several real-time blacklists (RBLs) that then prevents email delivery for all their customers.
I cannot tell you how much I hate the fallout of having to deal with a compromised WordPress/Joomla!/Drupal CMS and having to tidy up the email system afterwards. I’d much rather stick pins in my eyes, but it’s part and parcel of my job.
As an example:
One customer had a compromised WordPress site and this is the result of them trying to email to a @gmail.com address (I’ve obfscuted their IP address for obvious reasons):
SMTP error from remote mail server after end of data: host gmail-smtp-in.l.google.com [173.194.78.26]: 550-5.7.1 [xxx.xxx.xxx.xxx 5] Our system has detected that this message is\n550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,\n550-5.7.1 this message has been blocked. Please visit\n550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for\n550 5.7.1 more information. eo16si294790wid.32 - gsmtp
Additionally, they didn’t have SPF or DKIM records – DNS-related tools that help to tell receiving mail servers whether an incoming email is responsible for sending on behalf of a particular domain. And sometimes Gmail’s SMTP servers will accept an email and then throw the message into the recipient’s spam folder (this is usually, but not always, due to lack of SPF or DKIM records).
As a free @gmail.com user, you have limited control over incoming mail. You can add users to your contacts list which provides a limited whitelisting capability, but there are still factors that could stop you from receiving email from them.
To completely have control over Gmail’s spam filters, you’d have to buy a domain name and move over to Google Apps for Business. $5 (or $10 for unlimited storage) per user (minimum one user) buys you the ability to have full control over Gmail’s spam filter (you can explicitly – that is, completely, override the spam filter and whitelist IPs and IP address blocks), as well as giving you a personalised email address.
If you’re a business using a free @gmail.com/@yahoo.com/@hotmail.co.uk (or .com) or @outlook.com address, think long and hard about this.
If you want to be able to receive emails from customers even if they’re sending from a blacklisted email server, you’ll want to pay Google or Microsoft (Yahoo! don’t offer a commercial solution to the best of my knowledge) to get control over your email.
Or you can try running your own email server, but as I’ve said, it’s a big challenge these days!
The same thing applies to free Hotmail/Outlook/Yahoo addresses. If you’re using one of these free services, and you’re expecting a very important email from somebody, you have little control over receiving email. Microsoft do offer a cheap online Exchange service called Exchange Online, if you’re inclined to go Microsofty (*shudders*). It’s reasonably priced and looks to offer similar tools to be able to control who is able to send you mail.
In short – if you want unrestricted delivery of incoming (or if you’re an organization that wants to restrict delivery, incoming or outgoing) then you’ll want to pay for your email service.
I personally use Google Apps for Business and have found it to be excellent. I may grumble about some aspects of it from time to time, but ultimately I’ve still yet to find something that can beat it in terms of functionality and price.
And finally, I stumbled across an email that claims to come from Royal Mail.
I flagged it up as a potential phishing email because, well, look at it:
And let’s look at the headers:
Received: from btsms.net (tntinfo.eu. [62.216.224.242])
by mx.google.com with SMTP id vv7si6334922wjc.156.2014.08.07.04.12.28
for <martyn@drake.org.uk>;
Thu, 07 Aug 2014 04:12:28 -0700 (PDT)
Received-SPF: none (google.com: sms@btsms.net does not designate permitted sender hosts) client-ip=62.216.224.242;
Authentication-Results: mx.google.com;
spf=neutral (google.com: sms@btsms.net does not designate permitted sender hosts) smtp.mail=sms@btsms.net
Received: from SRV004 ([62.216.224.242])
by btsms.net
; Thu, 7 Aug 2014 12:11:29 +0100
What a mess! If you do a WHOIS lookup on the btsms.net domain, it’s protected with EasySpache’s WHOIS privacy service – usually reserved for individuals who don’t want their home address information to be available online.
This email, despite appearances, is genuine. But it’s shocking that a company the size of Royal Mail hasn’t given much thought to how their notification emails are formatted and presented both on a technical and commercial level.
What’s even more silly is that having rearranged the delivery, it comes from another email address. But the SPF records match and the WHOIS shows a Capgemini physical address attached to it.
The next problem with email is to convince Microsoft their standard Outlook reply system is the biggest, stupidest thing to ever happen to the internet.
I don’t want to have to wade through pages of text when replying, I want a quick and easy way to trim the reply and follow up directly underneath the text I’m quoting. And quoting text should be easy, and easy on the eye too. If Gmail can handle this properly, Outlook should be able to as well.
