To be honest, the internet was worse without Cloudflare, so as long as they provide a good service for their customers, I’m fine with it. This is one of those.
Google is in a perfect position to compete but they don’t, so it’s not like Cloudflare is a monopoly or something.
It had much more freedom. Currently it's up to Cloudflare to decide whether you will read that article or not. Tomorrow some stupid law will mandate certain ideas to be hidden from children[1] and Cloudflare will happily comply.
It's both. In allowing Cloudflare to grow so big, we now have one huge universal button for governments to push. If instead all of these customers were dispersed over hundreds of different services from different countries, good luck with trying to keep them all in line with your specific country's whims.
Worse, governments can also just block Cloudflare's IP ranges wholesale - because Cloudflare is used to launder IP addresses for sites with shady and/or illegal content.
Legitimate sites get blocked too, but most governments probably won't care.
Because human nature is what it is. The best way to eat better isn't to be a better person, it's to not keep junk food at the house. It's not Cloudflare's fault that they're successful, but it's now everyone's problem that they're an easy throat for governments to choke.
For example, recently certain big corp ask me to verify something. I clicked on the link in the E-Mail and it was suck on Cloudflare the click button over and over again. No matter how many times I clicked.
No, it's a common issue. A bit of traffic is always misclassified and one day you'll be the unlucky one. And there's nothing you can do about it beyond trying different device on a different network.
Blocking access to everyone or to scraping crawlers?
They have detailed stats about the behavior of all visitors, including how bot-like they are and how likely they are to scrape your (their users’) content.
The internet is worse for me with Cloudflare. I'm using a cellphone router for my internet. My guess is I don't get a dedicated IP and probably behind a NAT with other users. 85% of my request needs me to solve a cloudflare captcha. on bad days I have to do this easily 100+ times.
It is not Cloudflare's fault. It means the website operators were so fed up with bots and bad actors that they just applied a carpet ban and called it a day.
Thanks to Cloudflare I was able to reduce my website load threefold and downscale my VMs and my monthly cloud bill, and seeing how 50k daily requests were shown CAPTCHA and not even tried to solve it makes me terrified of running anything without Cloudflare.
Don't blame site owners and service that is trying to help them. Blame the fact that 90% of today's Internet traffic is bots
If I click on a search result and it shows me a CloudFlare CAPTCHA I leave. Immediately and permanently. I get what you are saying but also you will not get a dime from me if I have to waste my time solving a CAPTCHA prompt that half the time is so broken it just gets stuck in a loop.
I guess whatever revenue you lose you make up for in a lower hosting bill. I just go to your competitor that doesn’t have the horrible UX. Usually those websites also tend to have much more optimized web pages too so it is an all around better experience.
It's cloudlare's fault that it's so common to have very overzealous blocking. Site owners need access to bot protection but that doesn't mean highly flawed protection gets to be blameless.
Of course it's cloudflare's fault. They monetized and scaled a service that blocks humans from interacting with websites.
They're also essentially a deanonymization reverse proxy that can track everyone's browsing history and decide whether you get to see websites based on social credit.
That I'm not so sure about. If they get too block-happy they'll lose customers.
But I don't think they care if they block firefox users, or people who delete cookies, or VPN users, or Tor users, or people who resist fingerprinting, or people who block ads, etc.
But what's the counterfactual? People use cloudflare because they want protection from ddos attacks and bots. If cloudflare didn't exist there would probably be similar measures.
Businesses want to protect the continuity of their business operations, and to that end they buy such protection as a service, from a business that managed to MitM half the Internet in order to provide such service.
Point being, it's a commercial subverting the Internet from inside, reshaping it to better serve the interests of commerce. It is indeed protection, but it's accomplished by reducing variance. 99% of legitimate commerce on the Internet follows the same patterns, use a small subset of possibilities offered by the technology - so why not just block the remaining 1% that doesn't fit and call it a day? It will stop most of the threats to running businesses on the Internet. The 1% of legitimate commerce that doesn't fit the pattern? It's not being ignored per se, just pressured to adapt and conform to the majority.
What is being ignored is that the Internet is not just a place of commerce, and non-commercial use cases, ideas such as empowering people to better their lives, are gradually becoming impossible, as fundamental Internet infrastructure becomes inhospitable for them.
Some of us still remember the Internet being more than just a virtual mall, and are unhappy about it gradually becoming one. And it's not like CloudFlare, et al. are hostile to non-commercial interests as a matter of principle - it's just out of scope for them.
I actually think that Cloudflare has made publishing on the internet _more_ accessible for many individuals. I’ve helped a few people get personal websites running on Cloudflare pages and run my own there—it’s free and extremely easy. They could obviously pull the plug at any point, but with static sites it’s easy to avoid lock-in. If it weren’t for Cloudflare and other services that give free, easy hosting, I suspect there would be even fewer of the non-commercial small-internet sites that you value.
There have been places that host personal and hobby websites for free for at least the last 30 years. Some older ones have left, and newer ones keep coming along. Cloudflare didn't make this any more accessible.
Your first paragraph summarize why businesses want to use Cloudflare and how it helps them maintain their business.
Your second paragraph talks about other (non-commercial) sites. I think I'm missing the link here. Why would the admins of such sites resort to Cloudflare if 'fundamental Internet infrastructure becomes inhospitable for them' by making that choice? They could very well choose to implement their own or no measures at all.
I think the issue is that the general threat level has massively increased compared to the past - not in terms of sophistication but frequency/scale. But that's a consequence of widespread adoption, nothing Cloudflare in particular is responsible for.
> Why would the admins of such sites resort to Cloudflare if 'fundamental Internet infrastructure becomes inhospitable for them' by making that choice? They could very well choose to implement their own or no measures at all.
Marketing and free tiers.
But my point is that Cloudflare is addressing threats that predominantly affect businesses, and does so well, but the way it does is effectively changing the whole Internet to be more hospitable for commerce, and less hospitable for any other kind of use.
I don't know what kind of internet you used but mine didn't randomly decide to block my access to a website because some quasi monopolist decided I wasn't allowed to use a certain website for intransparent reasons.
Being blocked from a web site and having to hit a little box are two different things. Are you talking about the former or the latter? If it's the former ... that has literally never happened to me unless I'm on a VPN and even then it's rarely (if ever) CF that's doing the blocking.
If it's the latter then it reflects the sad truth that we can't have nice things anymoret. I have lots of problems with the accessibility of that box, but either Cloudflare would be implementing it, somebody else would be implementing it, or a huge chunk of data would be unavailable to you anyway because of accidental DDoS attacks caused by irresponsibly deployed bots.
It was implied that the "let's check you're human" didn't do a good job at that, causing the block - without a VPN. Meanwhile, certain bots just circumvent it (there's even a couple of videos showing robot arms/fingers prove their humaness) while legit users, even coming from Tor, get blocked. That's the internet I used to know. (I am not in the "everything was better" camp though.)
I can’t book a table at a local restaurant without calling because their resy link is behind Cloudflare and Cloudflare has decided that my up-to-date Firefox is out of date and therefore can’t pass the challenge. In reality it’s more likely that one of my ad blockers is stopping it from doing what it wants. It doesn’t even let me hit the box.
Due to implementation chosen by Cloudflare, allowing Cloudflare also allows the proxied website to run code, because Cloudflare blends with it, but why the proxied website should be trusted if the challenge is served by Cloudflare?
I still believe that CloudFlare means well, but that doesn't mean that I agree with the increased centralization. This isn't the fault of CloudFlare, they are just exploiting a business opportunity and as you say: At least they're not selling ads.
It is a legitimate business, from my perspective. I'd just wish we weren't in a situation where CloudFlare isn't exactly struggling to sell their services.
> I still believe that CloudFlare means well, but that doesn't mean that I agree with the increased centralization.
I'm perplexed by this sort of comment. Cloudflare doesn't even feature in the top 10 of cloud provider market share, and the number 8 spot already reports 2%. And here you are, complaining about Cloudflare and centralization.
Furthermore, AWS is by far the biggest cloud provider, reporting around 30% market share, and I don't see AWS being referred as a concern.
CDNs always existed IMHO. The world before cloudflare was just much more hidden. In general I find their take at the typical cloud business from a network perspective mostly refreshing.
However, I guess they have become the major player now and certainly try to optimize the world towards their business model.
IMHO it needs other enterprises entering the competition. Maybe it could be new more software defined mobile network providers offering edge compute. Maybe data from IoT could never enter the Internet and we could have some confidential computing power when we need it for our IoT stuff. Maybe we could get a more decentralized Internet again...
> However, I guess they have become the major player now and certainly try to optimize the world towards their business model.
I don't think that's it, and I think the explanation is much more simple and straight-forward.
Cloudflare established a very successful business model around a straight-forward, very transparent, no-bullshit CDN. Now, they started offering other cloud services build around their CDN. Cloudflare Workers kind of extend their CDN pipeline to allow clients to run arbitrary code to customize caching logic, but it turns out their function-as-a-service model is exceptionally good, and higher-level services like email are a low-effort way to meet existing needs.
I'm not entirely aware of all their products, but just thinking about a CDN, isn't that in many ways kind of fungible? Is it really that hard to migrate to your big cloud co's CDN (CloudFront, Google Cloud CDN) or the several other large competitors without an immense amount of work?
Like what? Give an example. I'm struggling to think of something they offer that is particularly unique and not offered by the other public clouds or several SASS companies.
It's not the specialization around hosting that's the problem, but that entities running CDNs realized they're in a privileged position in the network, and decided to capitalize on it.
That's not what CDNs are for.
They exist for primarily two purposes: a) speed up video loading for end-users, and b) anonymize IP addresses and routes for businesses.
Cloudflare built a business around b). This doesn't save on hosting costs, only lowers some operational and legal risks.
> At least they’re not selling ads using your data.
Yet. Since it's an american company with an ever-growing influence, I dread and expect that to change, among other things, down the road. I assume the three-letter agencies also already MITM the traffic.
That’s exactly the part that people forget: all these policies are decided to be applied by the website owners. It started with DDoS blocking and they just extended it to more things.
I feel like people here are forgetting the fact just how hostile bad actors on the internet are / can be.
You could run this business like a protection racket, to drive demand to your service, where you can then provide unencrypted traffic of much of the Internet to other parties.
We said the same thing with Google, "Don't be evil", "They are better than MS", now here we are, Google, became something that doing everything to squeeze every data off us, so that they can sell them to their partners.
And, anything that stops them from doing it, well, you are kind of erased from the Internet. The freedom we had, slowly becoming non-existent now.
Corporates have one and only one target. It is to make money. And this mentality, enables them.
Amazon are no longer the golden standard of e-commerce. I think 5-10 years from today we're going to look back at 2025 as the year Amazon started to destroy itself from within. They are pushing AI to "update" and "optimize" product descriptions. It's already made art supply descriptions a mess and now I see the same thing happening in the music gear section. I noticed that I go to other sites to buy stuff I was planning to buy on Amazon, because I am not sure what I'm buying anymore on Amazon.
Same day shipping was always the norm here. Order something before 14:00 - 16:00, depending on where the company was on the route for package pickups, and you'd have your package the next day. Amazon has normalized multi-day / weeks shipping, so they've made it worse.
Denmark, there is no close Amazon warehouse, so shipping always suck. Not only is shipping times frequently a week or more, it's also overpriced and items are frequently less expensive from local online stores.
Amazons only advantage is it's massive selection, if you can find what you're looking for.
In the US, it's the opposite. If you order directly from the brand, you get multi-day or more often multi-week delivery times. Unless they are using amazon logistic and which case it's the same as buying off amazon - 0/1/2-day delivery times.
> At least they’re not selling ads using your data
Sounds great, until a new CEO steps in. Any company is exactly one (or more often zero) CEO away from doing whatever they want (within legal constraints) with their business, in order to fulfill their fiduciary duty (and greed).
Huge fan of Cloudflare here actually. It’s always such a breath of fresh air compared to the heavyweight configuration hells like AWS. And for doing super convenient stuff like make node:http work on cloud functions recently, but guess only certain DevOps guys realize how cool that is compared to other FaaS wrapping ceremonies.
Too bad you don’t hire senior folks in Germany currently, would probably join in a heartbeat for emotional reasons alone. Keep going, lightweight features on a tap and solid reliability over years is exactly what I need and want at least.
I am genuinely curious what protections are in place to ensure that? What is the plan after you are gone?
It looks like you have voting shares with 10x the power of institutional investors, but activist investors aren't dumb either.
My biggest fear of Cloudflare has always been that one day you'll get hit by a bus and someone will figure out that merging Cloudflare with an ad network would create so much more shareholder value. The road to hell is paved with free DDoS mitigation, so to speak.
At least Brian Thompson wasn't complicit in helping the IC conduct bulk violation of the fourth amendment rights of the entire country, unlike you. He was just a greedy bastard. Your actions, on the other hand, render you a traitor and a threat to the democratic process of the country itself.
> Google is in a perfect position to compete but they don’t, so it’s not like Cloudflare is a monopoly or something.
Not to comment on whether they're actually a monopoly or not (since idk much about CF's market share, except that it's big), but how does this prove they aren't a monopoly? If anything, it'd work as evidence to prove that they are.
There are other services, but CloudFlare is too well known. They're close to monopoly in the DDoS protection business unfortunately. But we still have a choice and for long-term success we should be choosing other companies where possible.
I think the point is to keep them in that mindset, and that requires competition and some counterbalance that won't be there is everyone just moves to Cloudflare.
If CF limited their clients to big businesses (just like Akamai and who else?) it might be less bad, but as it is, they're trying to get the whole internet including small sites on board.
If Cloudflare is so vital to the internet, it should be nationalized for the public benefit as having a private entity with so much control over the internet is not a good thing. Corporatized control of the internet should not be encouraged.
I trust a corporation more than I trust the nation you want it nationalized in (America?)
EU maybe. But yes I don't want cloudflare to be part of america after patriotic acts and all the dystopia.
Honestly, cloudflare is not so vital to the internet. Like, The only thing its gonna be a problem if they stop working without giving any way to migrate. Then yes, its gonna be a bit of problem to the internet.
Really? Try distrusting CF certs, and see how much of your internet activity breaks. CF certs should be distrusted, because it's MITM by definition. At the very least, I'd like an addon that makes the URL bar bright red, so I know my connection isn't secure.
Yup, I also meant the same when I was writing my comment and although I agree about regulation, the thing is, that I don't even trust that aspect...
Also, I know that there are sometimes where cloudflare sits in the middle between your servers and your users for DDOS protection, and so yes theoretically its a point of interception but given how their whole thing is security, I doubt that they would exploit it but yes its a point of concern.
On the other hand, if something like this does happen, migrating can be easier or on the same level if something like this happened on like AWS.
But cloudflare still feels safer than AWS y'know?
That being said, I am all in for some regulations as a public utility but not nationalizing it as the GP comment suggested. Just some regulations would be nice but honestly we are in a bit of tough spot and maybe it was the necessity of the internet to have something like cloudflare to prevent DDOS's.
Hm, you raise good points but I just thought when I was writing that comment, that if there was even a single case of somebody using that MITM then that would just make everyone leave cloudflare and find either other mechanism or something else that's safer for sure.
I think that cloudflare is used by most as DDOS protection and so they still have the servers.
There are also cloudflare workers and pages but even migrating them is somewhat doable as I think that cf workers have a local preview option somewhat available in their node etc., so you could run it locally somehow.
Sure its gonna be a huge huge problem but something that the internet might look past of (I think).
Honestly, I kinda wish that there was a way to have something like how the tor onion links work in the sense that the link has the public key of the person running the server and so uh, no matter if its cloudflare serving the link or something else, its still something that can't be MITM'd for the most part.
Am I right in thinking so? Sure, its gonna make the links longer but maybe sacrifices/compromises must be made?
The EU is quickly becoming a dystopian nightmare with age verification, mandated encryption backdoors, and generally an extremely invasive form of government. So no thanks.
No thanks to this level of evaluation which doesn’t even rise to “analysis”, it’s just a word salad association that picks two hobby horses and pretends they represent the apocalypse while ignoring all the measures on which many EU participating countries are producing quality of life and personal freedom at outlier levels.
Lets just hope that EU doesn't add that age verification thing or those Cert based things which is controlled by the govt.
My opinion is simple, age verification won't work unless they block VPN (something which UK wants to do/ is doing) and that sets a really really bad precedent and I doubt if its entirely possible without breaking some aspects of internet or complete internet privacy.
EU in aggregate is net positive but it still has some things which are kinda flawed regulations that are a bad precedent, but germany kinda blocked the verification thing iirc so there is still a lot of hope and EU does look like its trying its best but I think that it can do just a bit better if they don't think of age verification or some other stuff but that's just my 2 cents.
This was why I added "maybe" tbh. They are one of the best options but even they aren't thaat good. Like its questionable I think and needs a much bigger debate
What quality of life improvements? I seriously hope major tech companies pull out of the EU market altogether instead of complying when client-side scanning is mandated. Then you can come back here and brag about how great life is in the EU.
To make sure I understand, your position is that anything vitally important to the internet should not be under the control of a plurality of institutions subject to heterogenous incentive structures, but instead should be under the centralized, monopolistic control of a single institution that is perpetually compromised by perverse incentives and ulterior motives, whose mechanisms of accountability are mostly performative and demonstrably broken?
I'm not sure that sounds like a good idea, if that's what you're saying.
My position is that if something becomes critical it should be under democratic constraints in a democratic society and not private enterprises that have no forms of control by the populace.
Maybe if Cloudflare had workplace democracy my concerns would be different, but they don't and wield too much power.
If it also helps I also think 99.99% of big tech should be broken up into separate, probably a few 100, different companies.
So yes, anything vital for the internet should be controlled by the people through democratic norms, institutions, and values rather than dictatorships by those with money over those with none.
No such thing as "democratic constraints" or "democratic society" at the level you're discussing. Democracy is an imperfect safeguard against certain types of extreme dysfunction of the political system -- a necessary one for sure, but not nearly sufficient to make the institutions it applies to trustworthy with monopolistic control over other aspects of society.
Everything reduces to specific people acting on their a priori motivations in bounded contexts, and any system of centralized control is guaranteed to enable expressions of the worst motivations of the people involved. The distinctions you're making -- "private" vs. "public", "corporations" vs. "governments", etc. -- are fundamentally meaningless.
There are no "democratic norms", just norms adhered to by specific people and the factions they form, contesting against each other for power over others. Performative "democracy" is often just cover to allow the currently dominant factions to function as "dictatorships".
Decentralization and individual autonomy are the only solution to the problems you rightly care about, but what you're proposing is literally the opposite of that.
I would say if the political environment pre 1980s was still in existence that might be true. Today that would just mean the entire thing would unravel as it ate its own tail in the race to the bottom environment we are currently in.
You can create democratic policies to thwart this. Even something as basic as nationalizing Cloudflare then forcing workplace democracy provisions on it would probably do more good for, not just the Cloudflare workers, but society writ large.
I can't imagine what a court case about whether the US president has the power to unilaterally dismiss officials in executive-branch agencies could possibly have to do with this.
At least you're referencing the United States in 1934, though. Things were very dysfunctional politically in the US at that time, but not nearly as bad as what was going on in some other parts of the world.
> can't imagine what a court case about whether the US president has the power to unilaterally dismiss officials in executive-branch agencies could possibly have to do with this
Seriously? You don't see the relevance of independent agencies to this discussion?
And the dynamics of inter-branch checks and balances within the US federal government aren't directly relevant to the question of whether the federal government as a whole is a reliable institution in the first place (nb: it isn't).
> the dynamics of inter-branch checks and balances within the US federal government aren't directly relevant to the question of whether the federal government as a whole is a reliable institution in the first place
You don’t see a reliability difference between a self-moderating and unmoderated system?
I don't think there has ever been a perfect time but I also think there has been an ever increasing weakness in the governments desire/ability to enforce regulation roughly since that time period.
I mean the reconstitution of AT&T was one of the IMO the biggest middle fingers to the public I've seen. It was broken up because it was a bad actor and now its back again as a worse than ever bad actor. That was kind my wake up call. I'm sure there is worse though that I don't remember because it was not tech related.
I could be wrong I'm not a huge politics person. Either way I don't think any response to me invalidates my opinion that the current government would not do a better job than cloudflare currently is.
I dunno, I am basically a dick to Big Tech all the time, give me an opening and I will go after them with gusto, but I can't really find fault in Cloudflare offering email sending infrastructure.
The ire should be reserved for if and when they establish some kind of monopoly or other anti-consumer practices, fall afoul of anti-trust law, and inevitably the US government gives them a free pass for criminality like it has been doing for years with dozens of other Big Tech mergers, rollups, exclusivity dealings, etc. and appears to have just done again with Google a few weeks ago.
It is fine for big companies to offer competing email sending services. It is not fine for them to break competition laws.
Also yes, please do set up SPF, DKIM and DMARC for me. I may very well end up using this down the road because they say they'll do that for me and I just don't want to think about them in some situations.
I usually have the same (residential) IP for weeks on end and there's absolutely no malware or scraping or whatever the heck it is that Cloudflare thinks it's protecting against going on in my house. Yet I still get blocked or captcha'd.
Website owners may understandably be appreciative of CF. But as as someone browsing the web, I think it's done a lot of irreversible* damage to the open internet.
* I say irreversible because I don't think they'll be looking to improve this anytime soon, but rather add more restrictions.
As a website owner who uses Cloudflare after having being DDOS'd, I agree whole heartedly.
Cloudflare succeeded to do what Google tried and failed with AMP, and we are all the worse off for it. [Though at least it is not Google, that would be worse.]
I cannot afford to be DDOS'ed and there are bad actors that have already proven that they _will_ take me down if they could. So, I feel bad for the internet being walled up, and I feel bad for users that will lose access. And I fret that one day CF may just decide to take all my content and use it somehow to shut me down.
Meanwhile though, I hold my nose, cry inwardly, and continue to use Cloudflare.
What was your infrastructure like? Were the DDoSes affecting you at the application or network layer? I wonder if there's the case to be made for something like CF but integrated into your L4 and L7 LB infrastructure.
CFs single biggest piece of leverage on L7 DDoS is that once a node in a botnet attacks one of their properties, it usually can’t be used to attack any others for a substantial duration. Botnets rely on being retasked frequently so this dramatically reduces their effectiveness. Volumetric DDoS is even worse: you need to have the peering relationships and hardware to handle Tbps of traffic to an IP you announce. Doing either of these in your own infra is not feasible if you’re much smaller than a hyperscaler.
right, CF (along with Google and Meta) is already servicing double-digit percentages of the world's traffic so it can absorb whatever packets you can toss at it. On the other hand, I suspect most services are going to fall over at L7 first due to common patterns like pre-forked ruby/python servers that struggle to process more than 1k qps per node, unauthenticated user actions putting load on hard-to-scale resources like RDBMS, next to no load shedding designed into the system, etc.
Yes, but also you can't send an email in any meaningful way on the internet without going through a middleman anyways so while philosophically you're correct, in reality it's already the case.
Yeah it's already a known point of failure. The annual chaos is always when they have some downtime. They do offer an incredible service though. Would like to see some competition but it's not easy.
I’ve never understood the evil MITM endgame here. Cloudflare’s ToS and contracts prevent them from doing nastiness with your data without breach, and approximately all their revenue comes from large enterprises that will leave in droves (and some will actually sue them) if they started exploiting it.
The thing where they let DDoSers use them to protect their public sites from rival DDoSers is sketchy as hell, but doesn’t rely on having your data.
I don't think Cloudflare did anything major wrong, most of what they offer have plenty of alternatives, but Cloudflare is able to do a lot for free which really isn't their fault.
There are complain about its cache's captcha, I get it, ideally it should not discriminate any human user, but IMO it's an economical problem unless we collectively decide what they do is public utilities.
Was about to comment on this but you got right to the point. All of this is because people are lazy to build, let alone maintain, their own damn programs and servers.
I have more money than time. Take my money to do things I do not have time for. What you call lazy, I call time and capital/cashflow efficient.
(cloudflare customer, in both personal and professional capacities; i pay Fastmail to host family email; both can easily be switched if needed to prevent lock in, with DNS changes and in the case of hosted email, an export of mailboxes and tenant config)
What GP is effectively saying is that you don’t value independence enough to invest the necessary money and (for personal use) time into self-hosting.
And there is a spectrum to this. For example, using a small, independent email or hosting provider may cost a little more time, but makes you more independent from big tech, and maybe more importantly, contributes to reducing the power of big tech. We are all paying for it, down the line.
This is a fallacy, as self hosting means you remain at the whims of receiving or interfacing systems. Does you hosting your own email change the concentration of email accounts hosted at Yahoo, Microsoft, and Gmail? It doesn't. Does hosting your own domain or website change Cloudflare's concentration and centralization of internet traffic? It doesn't. You vote with your dollars by picking providers who won't lock you in, you vote with your dollars by picking protocols over platforms that cannot lock you in.
Paying Fastmail, along with others who do so, means Fastmail will remain as a non Big Tech option, for example (they also developed and championed, JMAP, for a more efficient user experience). Paying Kagi means Kagi will remain as a non Big Tech option. Donating to Let's Encrypt means Let's Encrypt will remain as a public good independent of Big Tech. I could go down the list of every service I pay for to de-Google and de-Big Tech, but that's likely unhelpful to further demonstrate the point.
> We are all paying for it, down the line.
Indeed, so establish and fund organizations that provide systems and services for benefit vs profit and control that cannot be captured. Self hosting your own box at home helps you (which is totally fine and reasonable, I run my own on prem infra across two continents at small business enterprise scale for use cases I cannot procure commercially at reasonable cost), but does nothing else, and doesn't scale.
You will still be required to hand it over, or sit in jail while your confiscated, inventoried equipment is processed by forensics. If I want to be subpoena proof, I’d host the subject system outside the jurisdiction with an org having no connection or nexus in the adversary jurisdiction. Admittedly, this is up to your threat model. Do you want to know, but still be legally required to provide access? Or do you want to be out of reach entirely? The answer to that will guide your implementation and operating model in this context.
Why do you mind that? Your life is exactly the same one way or another. Principles, I guess, but it looks to me its just for the sake of it. For me, time is precious, all I need is data safety so I backup stuff offline constantly.
Citation requested. Big tech considers your IP address dishonorable, and blackholes your emails. How independent are you now when you can't email any providers that use blacklists?
> contributes to reducing the power of big tech
Again, citation requested. Big tech will just blackhole your emails and you'll only find out when your users complain.
Everyone says this about self hosting email but I've had fewer problems self hosting email than any other service - though I don't use residential IPs I use dedicated servers or VPS. I've also seen plenty of comments from others who selfhost email whose experience matches mine.
I also see a lot of comments from those who have admittedly never tried, telling me that I'll be blacklisted and not even know.
I don't know if this is some kind of confirmation bias, or if there's just a very vocal bubble of people without experience talking about how difficult it is.
A lot more people and organizations would self-host email if it wasn't a minefield. It's not laziness that Google and Microsoft have effectively decided nobody's allowed to do that.
I was part of a team ran EMail services for a ~15,000 person campus of a ~80,000 person university in the late 90s and early 00s. It was a full-time job for a team of people to keep things running, up to date, control spam, etc. It was a minefield 25 years ago! Literal years before GMail was a thing.
Is this even true for such a sensitive subject like email where there are insane blacklists/whitelists everywhere in which you are forced to use a middleman either way so your emails enter someone's inbox?
What's the problem? GP is addressing a market need consistent with their comment above. I wouldn't be surprised by a auto mechanic stating that (too) many people are too lazy to change their oil - they might be the best person to manke that observation, given their PoV.
I think first they were hugely successful in their DDoS protection product that consisted of a DNS connected load balancer.
But now they took the excuse of security to act as a MiTM for everything else, when conveniently, it makes for a great business model to just be slapped in the middle of every connection.
Email is already MITMed by gmail. 90% of my time managing transactional/marketing emails is just keeping gmail from moving my legit customer communications to spam.
> Today, we're excited to announce just that: the private beta of Email Sending, a new capability that allows you to send transactional emails directly from Cloudflare Workers.
So many comments here assumed from the title they're offering a hosted email service, they aren't, they are announcing their own Sendgrid.
What’s the point of it for Cloudflare? It feels like they’re randomly offering different products. Are they trying to be a full cloud platform like everyone else? If not, then what?
It's unfortunate that email hosting and email infrastructure can really be done only well by major players. The days of people running and maintaining their own are pretty much long gone.
Fwiw, not a knock against CF. I like their products, mostly simple, fair pricing, etc. Just a bit unfortunate commentary on the state of email infra on the internet.
I run my own email server and you couldn't pay me to use a commercial provider like Google instead. The privacy benefits are huge and there is no one to restrict my storage or change my "terms and conditions" overnight.
The days of people running their own servers are gone because of the shortsightedness and laziness of IT managers. They though the "cloud" would be easier and cheaper, and they are now trapped.
I entertained the idea of running my own mail servers for a while. After researching the topic it turned out that the internet now runs on an IP reputation system. Major email services like gmail assume that anything sent from unknown IPs is malicious.
So it looks like we've gotta be well connected to federate with the other email servers now. A nobody like me can't just start up his own mail server at home and expect to deliver email to his family members who use gmail or outlook. So I became a Proton Mail customer instead.
I've run my own mail servers for many decades and have never had any deliverability issues. I've also never used bargain basement cloud VPS services with horrible reputations.
The best way to ensure a good reputation is to obtain your own address space from a RIR. Barring that, you need to choose a provider with a decent reputation to delegate the space to you.
Not true, at least for ARIN. If you have an IPv6 allocation, you can obtain one or more IPv4 /24 allocations, so long as their stated purpose is to provide IPv4/IPv6 compatibility (e.g. for dual-stack services or NAT): https://www.arin.net/participate/policy/nrpm/#4-10-dedicated...
From your HN profile, I see you're in Brazil, which is part of the region IANA has delegated to LACNIC. Per [0], LACNIC has further delegated numbering authority in Brazil to Registro.br.
Before I even start this bureaucratic process, I need to create an actual organization. Then I need to be assigned an ASN. Only then I'll be allowed to beg them for IPs. Once all that's taken care of, I need to tell them things like what the IPs will be used for and what my infrastructure is. If they like my answer, then they'll approve my request and finally tell me what the prices are.
> After researching the topic it turned out that the internet now runs on an IP reputation system. Major email services like gmail assume that anything sent from unknown IPs is malicious.
You have to buy/rent a dedicated IP address (that you'll be able to keep long term), and it warm it up by gradually increasing mail volume over a few months to weeks. But once you have, deliverability shoudl be fine.
I think the bigger issue is needing to keep on top of mainenance of the server.
Like the parent have ran Email servers for many years now. If you get a bad IP, as long as you get the DKIM records right, over time it will 'warm' up the IP. And the more you use the email on that IP and NOT spam people. The IP will warm up. Make sure you actually own that IP!!! It will become valuable.
I don't have deliverability issues to the big providers, but that comes down to the age of my domain and my IP in a clean non-residential block. But you won't have reputation issues if your friends and family also run their own server and don't enforce such arbitrary requirements. Running your own servers, not only for email, is the only way to regain control over your computing.
FWIW, a huge percentage of the spam I get is via Sendgrid, and at some point in the past year or two their abuse reporting mechanisms all turned into black holes, so mail sent via Sendgrid is heavily penalized in my spam rules.
Sending reputation is just as applicable if you're using a third party as if you're hosting it yourself, but much less under your control.
I have arrived at the opinion that what I would do if I moved to selfhost would just be to pay some trivial amount for outbound email via a provider like sendgrid as someone else in these comments has also mentioned. Since I send out maybe a half dozen emails a month I don't think this would be a big deal.
But when I relied on selfhosted email several years ago, I was always inundated with spam, which SpamAssassin was wildly undermatched to handle -- that was one of the main reasons I moved to gmail. So I'm curious what people who are happy self-hosting today are using.
My suggestion would be to use a unique alias for each website/company. This way, if you start receiving spam at that address, you know who leaked it, and can simply delete the alias. You should also then publicly name and shame the source of spam.
I also run SpamAssassin on my server, but I don't believe it ever had to do anything.
I've run my own mail for 10 years (postfix/dovecot/rspamd), no issues. Reverse DNS, SPF, and DKIM records need to be in place, but that's a small lift.
Well, one time I was unable to send mail to a guy with an ancient @att.com email address from his ISP. I got a nice bounce message back with instructions to contact their sysadmins to get unblocked.
To my surprise, they unblocked the IP of my mail server in a matter of hours.
Private email will have no problems. I also ran my own mail server for personal use and had almost zero problem (and this was on an AWS IP!).
Where people will absolutely have problems is trying to run a marketing campaign through their own IP. You absolutely will (and should) get blocked. This is why these mixer companies exist and why you pay for an intermediary to delivery your mail.
I suspect if you shared more info about your mail infrastructure, it might reveal that what is working for you is too complicated for 99.9% of people to set up and maintain themselves.
I don't think the goal is that every non technical person can host their own mail infra.
But most people who can run a server should be able to setup OpenSMTPd with the DKIM filter and Dovecot. It's much easier than configuring postfix like we had to do in the past.
To answer a sibling comment, the last time I received an answer is a few minutes ago. The correspondent's email infra is hosted by Google.
You're right, it used to be a bit complicated. Now you just need to have a reputable and clean IP address, and knowledge of running some services in docker and of course understanding DNS and its crucial role for running a mail server.
I used to run all the components and maintain it (even that wasn't bad), but I changed to mailu[1] about a year ago
It is probably because you have run it so long that you have good reputation and less issues. Too bad we don't have time machine to go back to ninties to start building up reputation.
Cloudflare's customers are companies that have to send out, say, reset password emails and verify account emails and other crumbs of the modern web. You want me to build my own infrastructure for that? Personally I can't wait for them to expand to SMS and crush Twilio.
The problem is that Gmail will bounce any emails from DigitalOcean IP, even if you sit on this IP for years (so no recent spam), even if replying to someone, even if you registered as 'Postmaster' on Google.
So if you want to selfhost, you'll first need to find an IP that's not blocked to begin with.
> The days of people running and maintaining their own are pretty much long gone
This is very much a myth. There's a lot of FUD around how mail is "hard", but it's much less complicated than, say, running and maintaining a k8s cluster (professionally, I'm responsible for both at my org, so I can make this comparison with some authority).
Honestly `apt install postfix dovecot` gets you 90% of the way there. Getting spambinned isn't a problem in my experience, as long as you're doing SPF and DKIM and not using an often-abused IP range (yes, this means you can't use AWS). The MTA/MDA software is rock-solid and will happily run for years on end without human intervention. There really isn't anything to maintain on a regular basis apart from patches/updates every few months.
I think that there's a mindset among younger coders that "if it's not a modern post-AWS cloud provider, servers will take ages to come online and aren't going to give me full access, that's why EC2 exists." And this is conflated with the myth that running a mail server is hard.
But in practice, you can find any number of VPS providers, running in local datacenters, with modern self-service interfaces, with at least some IPs that aren't already spam flagged (and you can usually file a ticket to get a new IP if you need it), that are often cheaper per month than AWS, and give full root and everything. Find a service that will help you warm the IPs before you send to customers, and you're good to go!
> There's a lot of FUD around how mail is "hard", but it's much less complicated than, say, running and maintaining a k8s cluster
The main difference is that you're fully in control of the k8s cluster, but no matter what you do, you don't have control over the email infrastructure, because deliverability depends on the receiver. On every receiver you send to.
People say "I don't have deliverability problems!" but how do you know? Most places don't tell you they rejected your email.
This is 100% my experience too. Self-hosting email isn't any harder than self-hosting something else and there is no maintenance beyond apt update and apt upgrade. Even if you choose to do this in hard mode using postfix/dovecot instead of a dockerized stack, you can get a working config in a few minutes from an LLM these days.
There is a sweet spot between Gmail and self-hosting. I use Runbox and generally separate contexts, with CF being an exception as I use CF pages for static blog websites, some of their core services, AND as a registrar. For the latter, the default setting is porkbun. The reason for this is not CF's mandatory in-house DNS servers, but the simple fact that they do not register .de domains.
I see this common pattern where a previously private infrastructure is opened up (usually from low abstraction), and the ecosystem is split into an open base and a private thin layer, and that private layer might just reimplement the same tradeoffs that the incumbent private monoliths made.
Examples being Git/Github, Crypto/Centralized Exchanges, and as per the topic, email.
But I think that it's an important distinction that the base infrastructure is open, and that technically an incumbent could join the fray, albeit with a lot of catching up to do, and mix it up.
Great move. Will probably switch to it immediately from Sendgrid as soon as it goes GA.
Sendgrid recently killed their free tier (100 emails per day) and their lowest plan is now $20/month for 50,000 emails. It's totally overkill for low traffic projects.
Even with those pricing structures, 95%[1] of the spam I get comes from sendgrid. To their credit, their abuse@ address is good at handling the reports and they reply with a followup that the report was received and able to be acted upon[2].
The volume of spam (for me) doesn't seem to be decreasing from them, so there's a lot of moles to whack.
[1] Just a guess from looking at the last weeks
[2] I know it's automated, but often there's 2 that come with the 2nd one stating it's acted upon, so i'm hopeful.
These services are just spam-circumvention as a service. It's cheaper and easier to pay 20 bucks to sendgrid and let them fight the fight with google/microsoft/yahoo than to circumvent spam protections of the big providers.
You can very reasonably and reliably expect spam amount to correlate with the cost of sending said spam or expected return. At any service. There used to be a time where you HAD to check your mailbox several times a week or it would (literally) overflow with spam.
Yes, honestly been much more reliable than my previous provider (mailgun). Their IPs were constantly getting on spam blocklists with yahoo and hotmail. No issues with zepto so far, been using about 9 months.
Re: Sendgrid killing their free tier - I used them for the contact form on my personal website, and after they ended the free tier I was able to move to Resend (who has a similar free tier) without too much work. Pretty happy with it so far.
Thanks for recommending mailpace, £7.50/month for 10,000 emails is very reasonable, _and_ they support idempotency! Definitely makes me consider switching to them..
> Sendgrid recently killed their free tier (100 emails per day) and their lowest plan is now $20/month for 50,000 emails. It's totally overkill for low traffic projects.
With a pricing structure like that it appears they became too tired of verifying/validating users to not send spam. Unfortunately I don't blame them.
$10/year for 10,000 messages/year is 10 cents per message. (Or some other volume at 10 cents/message.) Surely too high for spammers but cheap enough for an app with a low message volume.
Well, I was responding to your claim that "it appears they became too tired of verifying/validating users to not send spam" is the reason for killing their low-volume free tier. It's a different story if they dropped the free tier to focus on large-volume customers.
Sure, and then the spammers figure out how to fool the checks. And sendgrid has to figure out how to detect the new and improved spammers. Then the spammers figure out how to fool the new and improved checks... and so on.
The part where sendgrid has to keep figuring out how to make new and improved validation is expensive.
> Imagine a user emails your support address. A Worker can receive the email, parse its content, call a third-party API to create a ticket, and then use the Email Sending binding to send an immediate confirmation back to the user with their ticket number. That’s the power of a unified Email Service.
This is/was already possible. You can just reply to an email from an email worker.
I had the exact same thought. I guess now you could put something in a queue if you have to do non-trivial processing before replying, but that’s not what they wrote
Finally. My two production projects are built entirely on Cloudflare workers platform, and I dread every time I have to login into AWS to manage SES. I even wrote a note for myself with instructions which buttons to press and where to navigate, like you'd write for your elderly relative who's "not good with technology".
Honestly this is why I like what Cloudflare is building nowadays. They aren’t just a CDN but rather they’re becoming a full on cloud, like AWS and Azure are - except their developer experience is just so incredibly better than any other cloud
So far I have used Resend, Sendgrid, Loops (for a person throw away project so don't have good exposure) but I found Resend the most easiest, convenient and straightforward. Especially their React Email library made it so easier to compose emails using React components. I really love that. Back then we had to manually craft HTML emails, worry about inline styles, and constantly test across different clients, which was a pretty painful process compared to how smooth it is now with React Emails.
One key part of my workflow is validating emails before sending so I'm not blowing up my bills or getting labelled as spam. And since Resend doesn’t support that natively, I'm currently having to use Emailable’s API to check if addresses are actually deliverable. Having that built-in would be a huge plus. And I know it's not usually something that email providers should care about but it would be so much better if Cloudflare makes this a native offering.
Kind of off-topic, but it's such a pity that we arrived at email as the local minimum for the best communication protocol for transactional messages. Having to set up an email service just to be able to enable authentication flows on a new website is such a hindrance that I keep wondering if it would be different if sending push notifications to a cell phone was made an open protocol..
It's because every communication protocol since has been a walled-garden with a rent-seeker attached. This is why open, federated protocols are so critically important.
I hear your pain. However I think if you really look at it email is a good thing. Its brokenness is a highly desired feature. It is the last generally accepted tech bastion that keeps us from becoming some sort of always on the job star trek borg style creatures that cannot have plausible deniability that the computer failed.
This is the fate of most open protocols. It becomes too hard to migrate to a new spec due to the increasing difficulty of coordination and then the protocol gets stuck in time.
For registering/authenticating to service, SMS mostly. Same deal in Russia in my experience, basically every website/service signup asks for your mobile number and just texts verification codes.
So smart-phone is required for everything there? No computer flows for website access?
"We" definitely don't want that... but many others do as it takes control away from people.
Smartphone is required for everything there, yes. Signing up for services, authenticating yourself (e.g. when entering a train station), payment, social media, etc.
Computers used to be expensive and people had less money back then, so most of the country essentially just directly upgraded to smartphones. Many don't and never used to own a PC outside of work.
No, any kind of phone that can receive codes over SMS will work (like the ultra-cheap feature phones you can probably get at your local corner store). From a computer browser, you still enter your mobile number to login, then enter the verification code it sends you over SMS. I've also seen sites that offer phone call as an alternative to SMS, so you can presumably also login from a landline.
For just SMS authentication, you just need a phone. Any kind of phone.
But it also just so happens that in both of those countries, you must have your identity attached to any SIM you purchase. So, anything that makes you register with your phone number will indirectly link your real identity to that registration. It must be very convenient for their governments!
Question for the Cloudflare people: We use sendgrid today, and create subaccounts through it (entirely with API calls) to allow our customers to add and verify their own domains (with a couple of DNS entries the customer can create). Then we can send out email on their behalf "from" their domains -- with DKIM, SPF, and all that still being happy.
Does the Cloudflare email routing product provide this same capability?
I keep thinking that Email would be a pretty natural extension process with the workers model in general... if they offered workers that could handle a tcp connection as stdin/out from the application perspective. Especially in concert with D1, R2 and other services.
I think the biggest issues would come down to server-side search functionality though. For very basic services, and even most of common IMAP/JMAP, it could be pretty great. Working on an a major email platform is something I've really wanted to do for a while now. (cloudflare, call me)
For those who may be interested: I’ve built a project called Guten Email Notification, based on Cloudflare Email Service. It provides a simple way to send notifications to yourself from NAS, homelab servers, or GitHub Actions. You can check it out here: https://github.com/gutenye/email-notification
Been waiting for this for a long time! CloudFlare developer platform is underrated. The ability to use queues, cache (KV), Hyperdrive, and R2 (an S3 equivalent) with one line of code is just brilliant.
Same here. Cloudflare products are a really good balance for small projects that could eventually need to scale up. Durable objects is such a cool concept in itself that I don't know why it didn't catchup the same way in other providers.
I really like CF focus on developers but their R2 is not quite configurable yet as S3. I am looking forward to move away from S3 if R2 can get their bucket policies and permissions as advanced as S3.
>// Classify incoming emails using Workers AI
const { score, label } = env.AI.run("@cf/huggingface/distilbert-sst-2-int8", { text: message.raw" })
This is neat but be careful using an LLM to parse email content. The demo is a BERT model which is a good but I can see how someone might swap this without realising the implications
Also really nice to see emails from workers, its something I have wanted for a while!
This is great. I’ve had many side projects with Cloudflare where I’ve wanted a way to send emails as a part of it, and it’s slightly annoying having to go find another service to use to get that done. Having this baked-in will he sweet!
What are people's experiences using their current Email Routing service? Mine wasn't great -- right after I set it up I could not get a single test email through to my recipient account despite multiple attempts. No delivery failure emails or any responses at all. Nothing on their dashboards either.
Searching their community threads turned up several other folks who had encountered similar silent failures that were never reported on the dashboards or any status page, leading them to question the company's interest in supporting this feature. I tabled that idea at that point as it was not critical.
A few months later, I randomly tried sending a test email again and it just worked. However, the initial experience left a bad taste in my mouth. Could I trust it to start routing critical emails?
Wondering what other folks here have experienced...
They enforced ARC without any notice which failed deliverability by about 50% for my catch-all address. I only noticed when someone told me they had emailed and it didn’t come through.
I just don’t trust them now. That was a huge misstep.
My understanding is that "Best Practice" is to use different companies for different services (not to have all of your "eggs in one basket") in case something goes wrong with one company and they take everything down.
This is what I have...
Domain Name Registrar: Dynadot
DNS: Cloudlare
Hosting: Dreamhost
Email: Fastmail
Should everything be under Cloudflare? I think they also do domain name registration and now, soon email. Not sure off the top of my head if they do hosting.
You can't connect to your email or hosting if your DNS with Cloudflare is down.
Plus, Dynadot uses Cloudflare for their site, so you couldn't even change your nameservers if CF is down.
A random scatter won't protect you from a service like CF / AWS / GCP being down, and most users won't benefit from protecting from that sort of unlikely and major scenario anyway...
That's a good catch about Dynadot using Cloudflare.
Ideally there would be a setup to avoid having the domain name registrar use a different DNS than me.
I'm more concerned if an over-zealous algorithm or employee shutting down an account and being able to just switch that one service to another company rather than losing everything.
I'm not sure what best practice actually is, but each different company you depend on is a different failure point. If CloudFlare goes down half the internet does (which is a problem of course, but not my problem), so from a purely utilitarian perspective depending on them feels like a safe bet.
Cloudflare have great products and engineering expertise, but it starts to get into a concerning territory; what kind of influence over various protocols of the Internet they (might) have.
To be clear, Cloudflare Email Service is not a full-blown email provider like Fastmail, nor is it even comparable to email services like AWS SES or SendGrid. Cloudflare already offered email routing and Cloudflare Email Service just adds the ability to send email via Cloudflare Workers, so there’s a long way to go before Cloudflare could be an option for replacing Fastmail.
You know, it might be closer to AWS SES and SendGrid than I thought initially. My first reading of blog post gave me the impression that Cloudflare Email Service was designed for Cloudflare Workers only because that’s what they emphasized upfront. But I missed this piece:
> We’re also making sure Email Service seamlessly fits into your existing applications. If you need to send emails from external services, you can do so using either REST APIs or SMTP.
Now that it’s possible, for anyone looking to start a new FOSS project… I would like if someone could please make a serverless spam catcher service that runs on workers so we can host it in front of self hosted email.
Something like:
- Blacklists/whitelists and wildcards
- Phishing detection
- Spam digest/rollup spam into single email every day with buttons to release
- Virus scanning of attachments
- Replace inbound links with hosted link previews/malware scans
Strategically looking to get off the MS email stack, but this is a big part of it.
Tangental - could you deploy something like webtorrent which uses seeds, mitigating a DDOS attack? Is this what IPFS would theoretically do, if web gateways were not used?
Cloudflare at some point will basically compete with AWS as the entire infra platform for developers. They are slowly building tools one after another.
I am really excited to follow how their Containers platform matures as it is still too early.
Yup and why their share price has rocketed. Nobody in the CDN industry is making money - a large player went bankrupt recently. You don't want to look at Fastlys financials and share price
Cloud is where the money is.
I’m interested to see pricing and what the backend dashboards look like for this. I’m currently using PostmarkApp for my transactional emails and they keep bumping the monthly price and my usage is tiny. If I could just pay per email that would be better.
That said, I’m hosted on AWS so maybe I should look into SES as well if I’m going to replace my email sending service.
I haven't experienced any price increase on the cheapest Postmark tier over the past 3 years or so? In any case they deliver excellent service and as a business earning money and sending emails per transaction it's almost free.
I wonder what the pricing will be. I would love to have it be where X number are free, then each one additionally will be a small price. I hate having to change tiers based on usage. I would have no problem funding an account and using that to pay for the overage.
Oh sure, a nice emailing experience (compared with SES) seems positive. But there are negative comments like Cloudflare shipping this is net negative, so just trying to understand the context.
This is exactly the service I was looking for. I am using cloudflare email forwarding but couldn't find anything about how to send form data from webpage to email.
All the email service that I could find has monthly subscription, no pay as you go offer. Hopefully, cloudflare will offer pay as you go.
Is there a way to get priority in waitlist? I don't mind bugs.
I would actually use an email service from Cloudflare. That literally means I don't have to rely on anything else to host my apps. Currently I use email forwarding to send emails to a different email address from my custom domain. This would help a lot
How is that a good thing? Are we, as a society, forgetting the value of diversification, or just ignoring it because convenience is good? Do you really want to be just one wrongful ban away from being completely offline?
As someone not currently using Cloudflare Workers, I'm not sure I want to build a worker and figure out how to interface with it though my existing application just to send email. What happened to SMTP?
That is exactly a service I was hoping Cloudflare would provide.
Simple binding using wrangler is really a life quality upgrade when starting new projects.
It's always shocking to me how many people blindly sacrifice the principles that make the things their lives depend on actually worthwhile. The internet isn't just a thing that happened, it was developed and rolled out under specific principles and vision, and violating those principles destroys the system.
The internet doesn't work if Matthew Prince gets to act as global gatekeeper, or if CloudFlare gets conscripted as the new PRISM or NSA censorship and surveillance apparatus whether they want it or not. Given the profit incentives and intense pursuit of control, it's apparent (to me, at least) they're positioning themselves to profit off of the next big horsemen of the infocalypse opportunity.
Centralized control and gatekeeping of the internet, private or otherwise, should be shunned. Sacrificing that for walled garden features is despicable.
Don't shit in the village well, even if the guy selling bottled water says he'll get you a great deal. There are better ways of doing things.
Sure, I wouldn’t want the Linux foundation or other pieces of critical FOSS infrastructure to be routed via Cloudflair. But if I am setting up a web shop for somebody they usually care much more about someone at least pretending to be doing something about a ddos they got hit with that the decentralised internet.
To quote Raytheon “Morals are cool but 90k/year sounds a lot cooler”.
Use other services where necessary, and sparingly. Use only what's functionally necessary, and diversify. Encourage your employer or organization to avoid vendor lock. Don't ever meet with salespeople, stay in charge of your websites and infrastructure. Find a highly disagreeable technical engineer to tell you what you can get away with; you probably don't need the scale of the things CloudFlare, AWS, et al impose by default.
AI right now can do all of that for you; pay for the best initially, have it do deep searches that meet what you need, and find appropriate contractors and services. Drop down to the plus tier after you get what you need initially, if the $200+ versions are too steep, but you can absolutely afford one month to plan an overhaul that doesn't empty your wallet.
Mandate open standards and bake in flexibility to your organization; pivot frequently and aggressively away from companies and services that don't meet your principles or standards.
Wherever possible use self hosting, decentralized protocols, open standards, FOSS software, and pay for expertise over the massive overkill "but wait, there's more!" the conglomerators offer. Their economies of scale serve to consolidate unearned and unaccountable power, often in cooperation with very shady players.
Yeah, tragedy of the commons, this is why we can't have nice things, because it's hard, and complex, and actual evil people exist who will absolutely ddos sites and exploit every and any opportunity to grift people out of their money. Cloudflare is a well marketed bundle of solutions for real problems, but it's definitely not the only solution.
It's up to you to what extent you compromise on principles - with AI it's becoming much easier to find acceptable alternatives without having extensive domain expertise. Normal search engines are almost completely captured by SEO and big market players, and we have a window of opportunity to use new AI search to find things that defy the status quo. The window will probably close sometime in the near future, but until then, take full advantage and position yourself to not be subject to companies or industries that shouldn't be taking it upon themselves to gatekeep the internet.
Also, yell at your representatives about getting a digital bill of rights, protecting the open internet, breaking apart monopolies, and cultivating what's best for the internet, and the world.
We have to stop pissing away the good for the convenience of the cheap.
One thing I've grown concerned about, after watching the Twitter migration fizzle out, is we can imitate the old internet on a small scale, but on a large scale it just doesn't work. For Twitter specifically, the outcome was even worse, many users just migrated to other more centralized services or existing monopolies (like Instagram.)
Users are too used to being able to instantly stream 4k HDR 60fps. They are too used to limited amounts of spam. They are too used to having most non-agreeable content filtered. All of this stuff that big tech delivered now is replicate-able at the cost of tens of billions of dollars. The only business model that can pay for that is owning a giant ad platform.
Thinking about all of the issues the EU has had enforcing things like GDPR, which big tech companies largely haven't followed for years or straight up lied to their customers about, along with a possible failure of the DMA now due to tariffs.. and yet on the other side of the Atlantic, the US utterly failed to ban or control Tiktok. Endless announcements of upcoming deals that were either lies (Oracle protecting American's data) or postponements.
Meanwhile, all of the spam, hacking, bots, and DDoS attacks persist and grow, along with layer upon layer of (probably intentionally) poorly written and often conflicting legislation across multiple jurisdictions have truly made it impossible for the internet as it was designed and meant to exist to continue. (Sure you can just set up a basic web forum like you could do 20 years ago, not use Cloudflare, not host it at a major datacenter, and ignore all of the GDPR and age verification laws, but good luck. Hell, it doesn't even sound like it's really legal to run a Mastodon server anymore.)
One small hope is that if internet companies follow any pattern we've seen in other industries, when the growth ends, the managers will switch to tearing the conglomerates apart in to pieces and selling them off. One day CloudFlare might be split in to 30 pieces, along with Alphabet, Meta, and Amazon. But it could be a while.
They had it a few years ago, but the company offering the free integration essentially stopped offering the free part. I'm currently grandfathered in to mail channels.
Fun fact, you can actually use the current send_email binding to send emails to verified emails in your account (but this announcement will make it possible to send emails to everyone)
You can also reply to incoming emails from what I know, you just cannot initiate any email directly to prevent the obvious abuse. I wonder how they plan to mitigate that apart from keeping the pricing sane.
This is good and I am fairly certain email is dead with AI, hopefully soon.
I went from hosting my own pop/imap/smtp email to ignoring it almost completely at work and personal for a variety of reasons.
Text messages and chat or X/message boards are all I use now. I have the same ability to deliver messages, content, forward, save, export, and migrate between platforms. The spam in SMS is tolerable at this point.
Please tell me this supports some kind of idempotency.. I fear it wont.
The kind of hoops I've had to jump through to achieve DIY idempotency with Postmark would make you cringe, a shared lock to avoid race conditions, and then using the API to check if an email with the unique id (manually added to the metadata when sending) has not already been sent before sending an email.
Being safe in the knowledge that an email with some unique key will only be delivered once regardless of bugs, processes dying mid task, network issues etc. just makes life so much simpler. The risk of sending duplicate emails or at worst spamming your users due to some more nefarious bug is something that you really want to guard against at as low a level as possible. Sure this might not be quite as consequential as duplicate charges through the Stripe API for example (Stripe have always seemed to lead the way with good API design in this regard).. doThing(data) is _not_ good enough for executing tasks over a network that are effectful, have a cost, and potentially risk your reputation if things go wrong. Idempotency keys should far more widely supported!
I just shared this with the team:
Today, Cloudflare entered the email sending market.
While I didn't expect this to happen today, it didn't come as a surprise either. It was never a question of if Cloudflare would add an email sending API, but when. Back in 2022, they introduced Email Routing, and it was only a matter of time until they added the sending part.
Some people will see this and will want to migrate off Resend, others will say we're dead. The reality is that they are after our target audience, otherwise they wouldn't create an example showing how to use React Email on their announcement post.
Still, I truly believe this is good news. Here's why:
When Cloudflare introduces millions of users to their email API, they're creating our next users. Developers will run into limitations and will want more from an email service. They will need bulk sending, advanced templates, no-code editors, and a lot more. That's where we step in.
Email is not a winner-takes-all kind of market, and that's why we've been able to enter such a competitive space and still thrive. Competition is good because it forces the best product to win.
We cannot let our guards down, and lose our sense of urgency. The bar is higher for us right now, but if there's a team that knows how to increase the bar, that team is this.
> Now, sending an email is as easy as adding a binding to a Worker and calling send
I hope it's easier to setup then the current mess of needing to use Wrangler to setup the send_mail binding the CF worker console can't even show in its binding list.
Will be interesting to see how good of a reputation they can keep (IP/sender reputation, specifically) given their historically very libertarian attitude to compliance.
Interesting development. Not really sure I trust Cloudflare on this one, the last time they tried this with "MailChannels" they got a bunch of people to use it and then killed it off a few months later. Still, their blog post was never updated to say the feature was removed: https://blog.cloudflare.com/sending-email-from-workers-with-...
MailChannels is a separate company from Cloudflare. At one point they offered a Workers integration, and Cloudflare blogged about it because we like to encourage such things. Unfortunately MailChannels later decided to discontinue their integration.
The new email product is built and operated by Cloudflare itself.
This is indeed great. I've been using emailjs dot com for low volume sending so far but they connect to your account and send it through there which is obviously problematic.. Will be interesting to see how pricing for low volumes is there. So far, I've found CF to be more than fair, esp. given their potential for abusive pricing.
Mailjet / Mailgun are one and the same service and since the acquisition, I haven't heard of anyone still happy with them. But yes good point, Mailjet is another one.
Cloudflare's email routing has been abused by malicious users for so long that I can no longer reliably use it with my domain, most times Outlook just blocks Cloudflare IP ranges and emails never get routed to my Outlook mail box.
better off using your own mail server. Stalwart collaboration server makes this stupid simple. Although dealing with poorly configured mail servers and draconian mail server policies can become tedious.
If really concerned about deliverability of transactional or marketing email messages, then relay through one of the many bulk senders.
adding yet another cf product as a single point of failure is not good.
No doubt cloudflare will refuse to receive emails from any mailservers except those that run special cloudflare extensions or whatever. It'll be a whitelist that's mostly corps only. For "security" of course.
And eventually it'll be so popular other mailservers will stop accepting mail from any except cloudflare/ms/apple/etc.
How cloudflare treats web browsers and their proposals for acting as gatekeeping for allowing websites to be spidered re: AI motivated corporations. Also cloudflare's near weekly proposals of unilateral protocol features that should be IETF'd but instead they just do and make others do because they're gatekeepers and they can. I expect them to keep behaving as they have and so posited likely 'cloudflare'-like actions for their announced attack on email.
I get that most people never feel the discimination and exclusion mediated by cloudflare because most people are just using chrome or whatever standard browser on their phones. But just because one doesn't have the lived experience of discrimination doesn't mean it isn't actively happening to lots of people.
Sorry... I though Cloudflare was offering full service email (SMTP/MTA). If it is just SMTP outbound email, then SMTP2Go would be a better alternative.
Fastmail is mentioned on every email provider suggestion thread on HN (Because they are great, happy user!), but they are not a transactional email provider which is what this product is about.
Google is in a perfect position to compete but they don’t, so it’s not like Cloudflare is a monopoly or something.
At least they’re not selling ads using your data.
It had much more freedom. Currently it's up to Cloudflare to decide whether you will read that article or not. Tomorrow some stupid law will mandate certain ideas to be hidden from children[1] and Cloudflare will happily comply.
1. https://en.wikipedia.org/wiki/Think_of_the_children
Legitimate sites get blocked too, but most governments probably won't care.
Do I need to find another internet access now?
How is Cloudflare gatekeeping things? I believe you but don't understand the mechanism.
...right up until you got DDoS'd off the internet by some script kiddie "for the lolz".
Cloudflare not only blocking IA but asking for money on behalf of a website operator, as a "service"
https://web.archive.org/web/20250920180605if_/https://www.th...
https://blog.cloudflare.com/introducing-pay-per-crawl/
Looks like The Verge either set up an excessively tight pay-per-crawl policy or doesn't want IA scraping their stuff.
They have detailed stats about the behavior of all visitors, including how bot-like they are and how likely they are to scrape your (their users’) content.
Is it that bad that Cloudflare offers people these choices?
Don't blame site owners and service that is trying to help them. Blame the fact that 90% of today's Internet traffic is bots
I guess whatever revenue you lose you make up for in a lower hosting bill. I just go to your competitor that doesn’t have the horrible UX. Usually those websites also tend to have much more optimized web pages too so it is an all around better experience.
- site owners can have protection as long as it doesn't inconvenience me.
Replace "me" with "legitimate users" and replace "inconvenience" with "very aggressively inconvenience or entirely block".
Then yeah you have it.
They're also essentially a deanonymization reverse proxy that can track everyone's browsing history and decide whether you get to see websites based on social credit.
But I don't think they care if they block firefox users, or people who delete cookies, or VPN users, or Tor users, or people who resist fingerprinting, or people who block ads, etc.
Point being, it's a commercial subverting the Internet from inside, reshaping it to better serve the interests of commerce. It is indeed protection, but it's accomplished by reducing variance. 99% of legitimate commerce on the Internet follows the same patterns, use a small subset of possibilities offered by the technology - so why not just block the remaining 1% that doesn't fit and call it a day? It will stop most of the threats to running businesses on the Internet. The 1% of legitimate commerce that doesn't fit the pattern? It's not being ignored per se, just pressured to adapt and conform to the majority.
What is being ignored is that the Internet is not just a place of commerce, and non-commercial use cases, ideas such as empowering people to better their lives, are gradually becoming impossible, as fundamental Internet infrastructure becomes inhospitable for them.
Some of us still remember the Internet being more than just a virtual mall, and are unhappy about it gradually becoming one. And it's not like CloudFlare, et al. are hostile to non-commercial interests as a matter of principle - it's just out of scope for them.
Your second paragraph talks about other (non-commercial) sites. I think I'm missing the link here. Why would the admins of such sites resort to Cloudflare if 'fundamental Internet infrastructure becomes inhospitable for them' by making that choice? They could very well choose to implement their own or no measures at all.
I think the issue is that the general threat level has massively increased compared to the past - not in terms of sophistication but frequency/scale. But that's a consequence of widespread adoption, nothing Cloudflare in particular is responsible for.
Marketing and free tiers.
But my point is that Cloudflare is addressing threats that predominantly affect businesses, and does so well, but the way it does is effectively changing the whole Internet to be more hospitable for commerce, and less hospitable for any other kind of use.
If it's the latter then it reflects the sad truth that we can't have nice things anymoret. I have lots of problems with the accessibility of that box, but either Cloudflare would be implementing it, somebody else would be implementing it, or a huge chunk of data would be unavailable to you anyway because of accidental DDoS attacks caused by irresponsibly deployed bots.
(Check the box, and get redirected to check the box again.)
Maybe for you.
But I don't let random unvetted websites run code on my computer. Checking that box requires it.
--childhood bullies
"Never happens to me means never happens to anyone"
Also it's quite amusing what if you had got hit with an infinite captcha here then you couldn't post your comment.
It is a legitimate business, from my perspective. I'd just wish we weren't in a situation where CloudFlare isn't exactly struggling to sell their services.
I'm perplexed by this sort of comment. Cloudflare doesn't even feature in the top 10 of cloud provider market share, and the number 8 spot already reports 2%. And here you are, complaining about Cloudflare and centralization.
Furthermore, AWS is by far the biggest cloud provider, reporting around 30% market share, and I don't see AWS being referred as a concern.
1) https://www.theregister.com/2024/12/13/cloudflare_2024_revie...
2) https://en.wikipedia.org/wiki/Cloudflare
However, I guess they have become the major player now and certainly try to optimize the world towards their business model.
IMHO it needs other enterprises entering the competition. Maybe it could be new more software defined mobile network providers offering edge compute. Maybe data from IoT could never enter the Internet and we could have some confidential computing power when we need it for our IoT stuff. Maybe we could get a more decentralized Internet again...
I don't think that's it, and I think the explanation is much more simple and straight-forward.
Cloudflare established a very successful business model around a straight-forward, very transparent, no-bullshit CDN. Now, they started offering other cloud services build around their CDN. Cloudflare Workers kind of extend their CDN pipeline to allow clients to run arbitrary code to customize caching logic, but it turns out their function-as-a-service model is exceptionally good, and higher-level services like email are a low-effort way to meet existing needs.
I'm not discounting their innovations but had they not been VC funded and given away free service I suspect many would still never have heard of them.
Please, educate me and tell me what's up.
Trying to unravel all that is an absolute nightmare.
Cloudflare built a business around b). This doesn't save on hosting costs, only lowers some operational and legal risks.
Yet. Since it's an american company with an ever-growing influence, I dread and expect that to change, among other things, down the road. I assume the three-letter agencies also already MITM the traffic.
It was better. 'Wget' and 'links' worked with most of the sites.
I feel like people here are forgetting the fact just how hostile bad actors on the internet are / can be.
And, anything that stops them from doing it, well, you are kind of erased from the Internet. The freedom we had, slowly becoming non-existent now.
Corporates have one and only one target. It is to make money. And this mentality, enables them.
Amazons only advantage is it's massive selection, if you can find what you're looking for.
Sounds great, until a new CEO steps in. Any company is exactly one (or more often zero) CEO away from doing whatever they want (within legal constraints) with their business, in order to fulfill their fiduciary duty (and greed).
Too bad you don’t hire senior folks in Germany currently, would probably join in a heartbeat for emotional reasons alone. Keep going, lightweight features on a tap and solid reliability over years is exactly what I need and want at least.
It looks like you have voting shares with 10x the power of institutional investors, but activist investors aren't dumb either.
My biggest fear of Cloudflare has always been that one day you'll get hit by a bus and someone will figure out that merging Cloudflare with an ad network would create so much more shareholder value. The road to hell is paved with free DDoS mitigation, so to speak.
At least Brian Thompson wasn't complicit in helping the IC conduct bulk violation of the fourth amendment rights of the entire country, unlike you. He was just a greedy bastard. Your actions, on the other hand, render you a traitor and a threat to the democratic process of the country itself.
Not to comment on whether they're actually a monopoly or not (since idk much about CF's market share, except that it's big), but how does this prove they aren't a monopoly? If anything, it'd work as evidence to prove that they are.
That is how it works LOL, just because someone only has the capacity to compete with a monopoly doesn't mean that the monopoly has competition.
internet is made sooo much better by negating all encryption effort of the last 20 years
I trust a corporation more than I trust the nation you want it nationalized in (America?)
EU maybe. But yes I don't want cloudflare to be part of america after patriotic acts and all the dystopia.
Honestly, cloudflare is not so vital to the internet. Like, The only thing its gonna be a problem if they stop working without giving any way to migrate. Then yes, its gonna be a bit of problem to the internet.
Really? Try distrusting CF certs, and see how much of your internet activity breaks. CF certs should be distrusted, because it's MITM by definition. At the very least, I'd like an addon that makes the URL bar bright red, so I know my connection isn't secure.
Though arguably neither should be in a position to do so without being regulate as a public utility
Also, I know that there are sometimes where cloudflare sits in the middle between your servers and your users for DDOS protection, and so yes theoretically its a point of interception but given how their whole thing is security, I doubt that they would exploit it but yes its a point of concern.
On the other hand, if something like this does happen, migrating can be easier or on the same level if something like this happened on like AWS.
But cloudflare still feels safer than AWS y'know?
That being said, I am all in for some regulations as a public utility but not nationalizing it as the GP comment suggested. Just some regulations would be nice but honestly we are in a bit of tough spot and maybe it was the necessity of the internet to have something like cloudflare to prevent DDOS's.
I think that cloudflare is used by most as DDOS protection and so they still have the servers.
There are also cloudflare workers and pages but even migrating them is somewhat doable as I think that cf workers have a local preview option somewhat available in their node etc., so you could run it locally somehow.
Sure its gonna be a huge huge problem but something that the internet might look past of (I think).
Honestly, I kinda wish that there was a way to have something like how the tor onion links work in the sense that the link has the public key of the person running the server and so uh, no matter if its cloudflare serving the link or something else, its still something that can't be MITM'd for the most part.
Am I right in thinking so? Sure, its gonna make the links longer but maybe sacrifices/compromises must be made?
My opinion is simple, age verification won't work unless they block VPN (something which UK wants to do/ is doing) and that sets a really really bad precedent and I doubt if its entirely possible without breaking some aspects of internet or complete internet privacy.
EU in aggregate is net positive but it still has some things which are kinda flawed regulations that are a bad precedent, but germany kinda blocked the verification thing iirc so there is still a lot of hope and EU does look like its trying its best but I think that it can do just a bit better if they don't think of age verification or some other stuff but that's just my 2 cents.
This was why I added "maybe" tbh. They are one of the best options but even they aren't thaat good. Like its questionable I think and needs a much bigger debate
I'm not sure that sounds like a good idea, if that's what you're saying.
Maybe if Cloudflare had workplace democracy my concerns would be different, but they don't and wield too much power.
If it also helps I also think 99.99% of big tech should be broken up into separate, probably a few 100, different companies.
So yes, anything vital for the internet should be controlled by the people through democratic norms, institutions, and values rather than dictatorships by those with money over those with none.
Everything reduces to specific people acting on their a priori motivations in bounded contexts, and any system of centralized control is guaranteed to enable expressions of the worst motivations of the people involved. The distinctions you're making -- "private" vs. "public", "corporations" vs. "governments", etc. -- are fundamentally meaningless.
There are no "democratic norms", just norms adhered to by specific people and the factions they form, contesting against each other for power over others. Performative "democracy" is often just cover to allow the currently dominant factions to function as "dictatorships".
Decentralization and individual autonomy are the only solution to the problems you rightly care about, but what you're proposing is literally the opposite of that.
1934 [1].
[1] https://tile.loc.gov/storage-services/service/ll/usrep/usrep... Humphrey's Executor vs. United States
At least you're referencing the United States in 1934, though. Things were very dysfunctional politically in the US at that time, but not nearly as bad as what was going on in some other parts of the world.
Seriously? You don't see the relevance of independent agencies to this discussion?
And the dynamics of inter-branch checks and balances within the US federal government aren't directly relevant to the question of whether the federal government as a whole is a reliable institution in the first place (nb: it isn't).
You don’t see a reliability difference between a self-moderating and unmoderated system?
Do you see any value in QC?
I mean the reconstitution of AT&T was one of the IMO the biggest middle fingers to the public I've seen. It was broken up because it was a bad actor and now its back again as a worse than ever bad actor. That was kind my wake up call. I'm sure there is worse though that I don't remember because it was not tech related.
I could be wrong I'm not a huge politics person. Either way I don't think any response to me invalidates my opinion that the current government would not do a better job than cloudflare currently is.
The ire should be reserved for if and when they establish some kind of monopoly or other anti-consumer practices, fall afoul of anti-trust law, and inevitably the US government gives them a free pass for criminality like it has been doing for years with dozens of other Big Tech mergers, rollups, exclusivity dealings, etc. and appears to have just done again with Google a few weeks ago.
It is fine for big companies to offer competing email sending services. It is not fine for them to break competition laws.
Also yes, please do set up SPF, DKIM and DMARC for me. I may very well end up using this down the road because they say they'll do that for me and I just don't want to think about them in some situations.
I'm going to take this opportunity, because hopefully Cloudflare will see it, to request they support SPF record flattening natively.
New but non-standard niche browsers are also problematic.
Website owners may understandably be appreciative of CF. But as as someone browsing the web, I think it's done a lot of irreversible* damage to the open internet.
* I say irreversible because I don't think they'll be looking to improve this anytime soon, but rather add more restrictions.
Cloudflare succeeded to do what Google tried and failed with AMP, and we are all the worse off for it. [Though at least it is not Google, that would be worse.]
I cannot afford to be DDOS'ed and there are bad actors that have already proven that they _will_ take me down if they could. So, I feel bad for the internet being walled up, and I feel bad for users that will lose access. And I fret that one day CF may just decide to take all my content and use it somehow to shut me down.
Meanwhile though, I hold my nose, cry inwardly, and continue to use Cloudflare.
That such a database has other uses would be a happy coincidence.
The thing where they let DDoSers use them to protect their public sites from rival DDoSers is sketchy as hell, but doesn’t rely on having your data.
Contracts can be and regularly are changed. Ebay, PayPal, Etsy, Google, Microsoft, ad nauseum all have done this many times.
Contract-based protections mean very little if those clauses are non-perpetual and revokable.
That's great - and maybe I'm cynical - but that's right where my mind went when I read that. Trading income for control isn't a bad game..
I don't think Cloudflare did anything major wrong, most of what they offer have plenty of alternatives, but Cloudflare is able to do a lot for free which really isn't their fault.
There are complain about its cache's captcha, I get it, ideally it should not discriminate any human user, but IMO it's an economical problem unless we collectively decide what they do is public utilities.
(cloudflare customer, in both personal and professional capacities; i pay Fastmail to host family email; both can easily be switched if needed to prevent lock in, with DNS changes and in the case of hosted email, an export of mailboxes and tenant config)
And there is a spectrum to this. For example, using a small, independent email or hosting provider may cost a little more time, but makes you more independent from big tech, and maybe more importantly, contributes to reducing the power of big tech. We are all paying for it, down the line.
Paying Fastmail, along with others who do so, means Fastmail will remain as a non Big Tech option, for example (they also developed and championed, JMAP, for a more efficient user experience). Paying Kagi means Kagi will remain as a non Big Tech option. Donating to Let's Encrypt means Let's Encrypt will remain as a public good independent of Big Tech. I could go down the list of every service I pay for to de-Google and de-Big Tech, but that's likely unhelpful to further demonstrate the point.
> We are all paying for it, down the line.
Indeed, so establish and fund organizations that provide systems and services for benefit vs profit and control that cannot be captured. Self hosting your own box at home helps you (which is totally fine and reasonable, I run my own on prem infra across two continents at small business enterprise scale for use cases I cannot procure commercially at reasonable cost), but does nothing else, and doesn't scale.
(think in systems)
You get to respond to requests and your data cannot be handed over without your knowledge.
but I do mind my data being drag-netted, or hoovered up by scummy big tech and then sold on
(whether that's for slop training, ads, anything really)
Citation requested. Big tech considers your IP address dishonorable, and blackholes your emails. How independent are you now when you can't email any providers that use blacklists?
> contributes to reducing the power of big tech
Again, citation requested. Big tech will just blackhole your emails and you'll only find out when your users complain.
I also see a lot of comments from those who have admittedly never tried, telling me that I'll be blacklisted and not even know.
I don't know if this is some kind of confirmation bias, or if there's just a very vocal bubble of people without experience talking about how difficult it is.
Are digital content creators lazy too? Why don't they just host their content on their own damn servers?
And always will be.
Do you talk to your customers with that mouth?
For those who are lazy to click, this guy's business is hosting and maintaining a sales platform for people.
But now they took the excuse of security to act as a MiTM for everything else, when conveniently, it makes for a great business model to just be slapped in the middle of every connection.
https://blog.cloudflare.com/sending-email-from-workers-with-...
Today's announcement is a feature offered directly by Cloudflare.
So many comments here assumed from the title they're offering a hosted email service, they aren't, they are announcing their own Sendgrid.
Yes.
Or do you mean if I get access to the beta? I probably won't :(
Fwiw, not a knock against CF. I like their products, mostly simple, fair pricing, etc. Just a bit unfortunate commentary on the state of email infra on the internet.
The days of people running their own servers are gone because of the shortsightedness and laziness of IT managers. They though the "cloud" would be easier and cheaper, and they are now trapped.
I entertained the idea of running my own mail servers for a while. After researching the topic it turned out that the internet now runs on an IP reputation system. Major email services like gmail assume that anything sent from unknown IPs is malicious.
So it looks like we've gotta be well connected to federate with the other email servers now. A nobody like me can't just start up his own mail server at home and expect to deliver email to his family members who use gmail or outlook. So I became a Proton Mail customer instead.
The best way to ensure a good reputation is to obtain your own address space from a RIR. Barring that, you need to choose a provider with a decent reputation to delegate the space to you.
There is the slight problem that RIRs ran out of (v4) addresses almost a decade ago.
How does one do that? And what are the costs involved?
Following the links on that page (or performing a simple Google search) leads one to: https://registro.br/tecnologia/numeracao/como-solicitar/
[0]: https://www.lacnic.net/1016/2/lacnic/ip-request
Before I even start this bureaucratic process, I need to create an actual organization. Then I need to be assigned an ASN. Only then I'll be allowed to beg them for IPs. Once all that's taken care of, I need to tell them things like what the IPs will be used for and what my infrastructure is. If they like my answer, then they'll approve my request and finally tell me what the prices are.
You have to buy/rent a dedicated IP address (that you'll be able to keep long term), and it warm it up by gradually increasing mail volume over a few months to weeks. But once you have, deliverability shoudl be fine.
I think the bigger issue is needing to keep on top of mainenance of the server.
Where sendgrid=any major player, could be Mimecast, proofpoint or anyone else who will forward outgoing email.
Sending reputation is just as applicable if you're using a third party as if you're hosting it yourself, but much less under your control.
Are they? I'd bet 90% of the email in your archive went through Google or Microsoft or Yahoo's servers, and most likely a copy still resides there.
If you're sending to or getting a message from a Gmail account, Google still has a copy.
I have arrived at the opinion that what I would do if I moved to selfhost would just be to pay some trivial amount for outbound email via a provider like sendgrid as someone else in these comments has also mentioned. Since I send out maybe a half dozen emails a month I don't think this would be a big deal.
But when I relied on selfhosted email several years ago, I was always inundated with spam, which SpamAssassin was wildly undermatched to handle -- that was one of the main reasons I moved to gmail. So I'm curious what people who are happy self-hosting today are using.
I also run SpamAssassin on my server, but I don't believe it ever had to do anything.
Well, one time I was unable to send mail to a guy with an ancient @att.com email address from his ISP. I got a nice bounce message back with instructions to contact their sysadmins to get unblocked.
To my surprise, they unblocked the IP of my mail server in a matter of hours.
Where people will absolutely have problems is trying to run a marketing campaign through their own IP. You absolutely will (and should) get blocked. This is why these mixer companies exist and why you pay for an intermediary to delivery your mail.
But most people who can run a server should be able to setup OpenSMTPd with the DKIM filter and Dovecot. It's much easier than configuring postfix like we had to do in the past.
To answer a sibling comment, the last time I received an answer is a few minutes ago. The correspondent's email infra is hosted by Google.
I used to run all the components and maintain it (even that wasn't bad), but I changed to mailu[1] about a year ago
[1] https://mailu.io
I don't know why. At the same time they don't want to get rid of the bbdd servers, or the app servers.
Maintaining a email service must not be as easy for them.
when was the last time you got a reply to an email you sent?
The problem is that Gmail will bounce any emails from DigitalOcean IP, even if you sit on this IP for years (so no recent spam), even if replying to someone, even if you registered as 'Postmaster' on Google.
So if you want to selfhost, you'll first need to find an IP that's not blocked to begin with.
I do, too. What I don't like is that they became too large and now are effectively in position to gatekeep the whole internet.
This is very much a myth. There's a lot of FUD around how mail is "hard", but it's much less complicated than, say, running and maintaining a k8s cluster (professionally, I'm responsible for both at my org, so I can make this comparison with some authority).
Honestly `apt install postfix dovecot` gets you 90% of the way there. Getting spambinned isn't a problem in my experience, as long as you're doing SPF and DKIM and not using an often-abused IP range (yes, this means you can't use AWS). The MTA/MDA software is rock-solid and will happily run for years on end without human intervention. There really isn't anything to maintain on a regular basis apart from patches/updates every few months.
But in practice, you can find any number of VPS providers, running in local datacenters, with modern self-service interfaces, with at least some IPs that aren't already spam flagged (and you can usually file a ticket to get a new IP if you need it), that are often cheaper per month than AWS, and give full root and everything. Find a service that will help you warm the IPs before you send to customers, and you're good to go!
The main difference is that you're fully in control of the k8s cluster, but no matter what you do, you don't have control over the email infrastructure, because deliverability depends on the receiver. On every receiver you send to.
People say "I don't have deliverability problems!" but how do you know? Most places don't tell you they rejected your email.
> > The days of people running and maintaining their own are pretty much long gone
Is less about the pieces you've mentioned, and more about reliable delivery without fighting blacklists, ip/domain reputation blackholes, etc.
Examples being Git/Github, Crypto/Centralized Exchanges, and as per the topic, email.
But I think that it's an important distinction that the base infrastructure is open, and that technically an incumbent could join the fray, albeit with a lot of catching up to do, and mix it up.
Sendgrid recently killed their free tier (100 emails per day) and their lowest plan is now $20/month for 50,000 emails. It's totally overkill for low traffic projects.
The volume of spam (for me) doesn't seem to be decreasing from them, so there's a lot of moles to whack.
[1] Just a guess from looking at the last weeks [2] I know it's automated, but often there's 2 that come with the 2nd one stating it's acted upon, so i'm hopeful.
You can very reasonably and reliably expect spam amount to correlate with the cost of sending said spam or expected return. At any service. There used to be a time where you HAD to check your mailbox several times a week or it would (literally) overflow with spam.
The lowest plan $40/year for 1k emails/month isn’t on the Pricing page, but you can select it when signing up.
Has been a 10/10 experience -- rock solid and extremely good deliverability.
Wish the pricing increased non-linearly though at higher volumes.
[1] https://www.mailgun.com/pricing/
With a pricing structure like that it appears they became too tired of verifying/validating users to not send spam. Unfortunately I don't blame them.
Barrier to entry for (12 * $20) is much higher than $10/year and they figure that was worth the tradeoff of losing small fish customers.
The part where sendgrid has to keep figuring out how to make new and improved validation is expensive.
This is/was already possible. You can just reply to an email from an email worker.
So far I have used Resend, Sendgrid, Loops (for a person throw away project so don't have good exposure) but I found Resend the most easiest, convenient and straightforward. Especially their React Email library made it so easier to compose emails using React components. I really love that. Back then we had to manually craft HTML emails, worry about inline styles, and constantly test across different clients, which was a pretty painful process compared to how smooth it is now with React Emails.
One key part of my workflow is validating emails before sending so I'm not blowing up my bills or getting labelled as spam. And since Resend doesn’t support that natively, I'm currently having to use Emailable’s API to check if addresses are actually deliverable. Having that built-in would be a huge plus. And I know it's not usually something that email providers should care about but it would be so much better if Cloudflare makes this a native offering.
Oh i didn't get that email.
Oh spam filter.
Oh so backlogged on email.
Computers used to be expensive and people had less money back then, so most of the country essentially just directly upgraded to smartphones. Many don't and never used to own a PC outside of work.
But it also just so happens that in both of those countries, you must have your identity attached to any SIM you purchase. So, anything that makes you register with your phone number will indirectly link your real identity to that registration. It must be very convenient for their governments!
Does the Cloudflare email routing product provide this same capability?
I think the biggest issues would come down to server-side search functionality though. For very basic services, and even most of common IMAP/JMAP, it could be pretty great. Working on an a major email platform is something I've really wanted to do for a while now. (cloudflare, call me)
This is neat but be careful using an LLM to parse email content. The demo is a BERT model which is a good but I can see how someone might swap this without realising the implications
Also really nice to see emails from workers, its something I have wanted for a while!
Searching their community threads turned up several other folks who had encountered similar silent failures that were never reported on the dashboards or any status page, leading them to question the company's interest in supporting this feature. I tabled that idea at that point as it was not critical.
A few months later, I randomly tried sending a test email again and it just worked. However, the initial experience left a bad taste in my mouth. Could I trust it to start routing critical emails?
Wondering what other folks here have experienced...
I just don’t trust them now. That was a huge misstep.
This is what I have...
Domain Name Registrar: Dynadot
DNS: Cloudlare
Hosting: Dreamhost
Email: Fastmail
Should everything be under Cloudflare? I think they also do domain name registration and now, soon email. Not sure off the top of my head if they do hosting.
Plus, Dynadot uses Cloudflare for their site, so you couldn't even change your nameservers if CF is down.
A random scatter won't protect you from a service like CF / AWS / GCP being down, and most users won't benefit from protecting from that sort of unlikely and major scenario anyway...
Ideally there would be a setup to avoid having the domain name registrar use a different DNS than me.
I'm more concerned if an over-zealous algorithm or employee shutting down an account and being able to just switch that one service to another company rather than losing everything.
Sign up to the waitlist here. https://forms.gle/BX6ECfkar3oVLQxs7
Edit: I see its an email sending service not client.
> We’re also making sure Email Service seamlessly fits into your existing applications. If you need to send emails from external services, you can do so using either REST APIs or SMTP.
It shouldn't.
They are not launching a complete emailing service, this is just a service that you use to send emails from an app.
"Moving" to their service is as easy as updating your DNS records so they can be seen as an authorized sender.
Something like:
- Blacklists/whitelists and wildcards
- Phishing detection
- Spam digest/rollup spam into single email every day with buttons to release
- Virus scanning of attachments
- Replace inbound links with hosted link previews/malware scans
Strategically looking to get off the MS email stack, but this is a big part of it.
I am really excited to follow how their Containers platform matures as it is still too early.
https://stratechery.com/2021/cloudflares-disruption/
That said, I’m hosted on AWS so maybe I should look into SES as well if I’m going to replace my email sending service.
Open source and available here: https://xmox.nl/
If they launch an email service and are as successful, they could become the master of the email (25/465)
So soon, they'll be the master of the entire Internet
To be clear: I don't share this view, in part because Google and Microsoft already are the masters of the email
All the email service that I could find has monthly subscription, no pay as you go offer. Hopefully, cloudflare will offer pay as you go.
Is there a way to get priority in waitlist? I don't mind bugs.
Or is this going after Gmail/M365 (personal inboxes)?
The internet doesn't work if Matthew Prince gets to act as global gatekeeper, or if CloudFlare gets conscripted as the new PRISM or NSA censorship and surveillance apparatus whether they want it or not. Given the profit incentives and intense pursuit of control, it's apparent (to me, at least) they're positioning themselves to profit off of the next big horsemen of the infocalypse opportunity.
Centralized control and gatekeeping of the internet, private or otherwise, should be shunned. Sacrificing that for walled garden features is despicable.
Don't shit in the village well, even if the guy selling bottled water says he'll get you a great deal. There are better ways of doing things.
To quote Raytheon “Morals are cool but 90k/year sounds a lot cooler”.
AI right now can do all of that for you; pay for the best initially, have it do deep searches that meet what you need, and find appropriate contractors and services. Drop down to the plus tier after you get what you need initially, if the $200+ versions are too steep, but you can absolutely afford one month to plan an overhaul that doesn't empty your wallet.
Mandate open standards and bake in flexibility to your organization; pivot frequently and aggressively away from companies and services that don't meet your principles or standards.
Wherever possible use self hosting, decentralized protocols, open standards, FOSS software, and pay for expertise over the massive overkill "but wait, there's more!" the conglomerators offer. Their economies of scale serve to consolidate unearned and unaccountable power, often in cooperation with very shady players.
Yeah, tragedy of the commons, this is why we can't have nice things, because it's hard, and complex, and actual evil people exist who will absolutely ddos sites and exploit every and any opportunity to grift people out of their money. Cloudflare is a well marketed bundle of solutions for real problems, but it's definitely not the only solution.
It's up to you to what extent you compromise on principles - with AI it's becoming much easier to find acceptable alternatives without having extensive domain expertise. Normal search engines are almost completely captured by SEO and big market players, and we have a window of opportunity to use new AI search to find things that defy the status quo. The window will probably close sometime in the near future, but until then, take full advantage and position yourself to not be subject to companies or industries that shouldn't be taking it upon themselves to gatekeep the internet.
Also, yell at your representatives about getting a digital bill of rights, protecting the open internet, breaking apart monopolies, and cultivating what's best for the internet, and the world.
We have to stop pissing away the good for the convenience of the cheap.
/soapbox
One thing I've grown concerned about, after watching the Twitter migration fizzle out, is we can imitate the old internet on a small scale, but on a large scale it just doesn't work. For Twitter specifically, the outcome was even worse, many users just migrated to other more centralized services or existing monopolies (like Instagram.)
Users are too used to being able to instantly stream 4k HDR 60fps. They are too used to limited amounts of spam. They are too used to having most non-agreeable content filtered. All of this stuff that big tech delivered now is replicate-able at the cost of tens of billions of dollars. The only business model that can pay for that is owning a giant ad platform.
Thinking about all of the issues the EU has had enforcing things like GDPR, which big tech companies largely haven't followed for years or straight up lied to their customers about, along with a possible failure of the DMA now due to tariffs.. and yet on the other side of the Atlantic, the US utterly failed to ban or control Tiktok. Endless announcements of upcoming deals that were either lies (Oracle protecting American's data) or postponements.
Meanwhile, all of the spam, hacking, bots, and DDoS attacks persist and grow, along with layer upon layer of (probably intentionally) poorly written and often conflicting legislation across multiple jurisdictions have truly made it impossible for the internet as it was designed and meant to exist to continue. (Sure you can just set up a basic web forum like you could do 20 years ago, not use Cloudflare, not host it at a major datacenter, and ignore all of the GDPR and age verification laws, but good luck. Hell, it doesn't even sound like it's really legal to run a Mastodon server anymore.)
One small hope is that if internet companies follow any pattern we've seen in other industries, when the growth ends, the managers will switch to tearing the conglomerates apart in to pieces and selling them off. One day CloudFlare might be split in to 30 pieces, along with Alphabet, Meta, and Amazon. But it could be a while.
They had it a few years ago, but the company offering the free integration essentially stopped offering the free part. I'm currently grandfathered in to mail channels.
I went from hosting my own pop/imap/smtp email to ignoring it almost completely at work and personal for a variety of reasons.
Text messages and chat or X/message boards are all I use now. I have the same ability to deliver messages, content, forward, save, export, and migrate between platforms. The spam in SMS is tolerable at this point.
The kind of hoops I've had to jump through to achieve DIY idempotency with Postmark would make you cringe, a shared lock to avoid race conditions, and then using the API to check if an email with the unique id (manually added to the metadata when sending) has not already been sent before sending an email.
Being safe in the knowledge that an email with some unique key will only be delivered once regardless of bugs, processes dying mid task, network issues etc. just makes life so much simpler. The risk of sending duplicate emails or at worst spamming your users due to some more nefarious bug is something that you really want to guard against at as low a level as possible. Sure this might not be quite as consequential as duplicate charges through the Stripe API for example (Stripe have always seemed to lead the way with good API design in this regard).. doThing(data) is _not_ good enough for executing tasks over a network that are effectful, have a cost, and potentially risk your reputation if things go wrong. Idempotency keys should far more widely supported!
I hope it's easier to setup then the current mess of needing to use Wrangler to setup the send_mail binding the CF worker console can't even show in its binding list.
The new email product is built and operated by Cloudflare itself.
What other "root" email services are there out there? Even Google Cloud doesn't provide one...
Sparkpost to my knowledge is built on SES.
If really concerned about deliverability of transactional or marketing email messages, then relay through one of the many bulk senders.
adding yet another cf product as a single point of failure is not good.
And eventually it'll be so popular other mailservers will stop accepting mail from any except cloudflare/ms/apple/etc.
I get that most people never feel the discimination and exclusion mediated by cloudflare because most people are just using chrome or whatever standard browser on their phones. But just because one doesn't have the lived experience of discrimination doesn't mean it isn't actively happening to lots of people.
https://www.fastmail.com/