I read this article and was surprised when I reached the end because the whole thing felt like it was setting the stage for some announcement or new thing. But nothing came..? Forgive me if I'm being thick but what was the takeaway?
I find it hard to judge how much, if at all, this will help, but I'm all for email being more secure, to the point that organizations (banks, governments, insurance companies) stop creating walled-email alternatives: please log in to our secure message center, where you can only see our messages poorly formatted, and for a short time, until we permanently delete them. I like that my Inbox is a somewhat-searchable, historical record of my life, and these alternatives break that.
I love fastmail, I switched from Proton a couple years ago after deciding the trade offs to have encrypted email were not worth it, since even if I fully trust Proton, most emails come from or go to AWS, Outlook, or Gmail anyway. I have been extremely happy with the service. Fairly priced, very fast even with a huge inbox, and they don’t add unnecessary features or bloat. I thought I would use my OS’s mail apps but the fastmail app and website are so good I just use that.
> The second is AI assistance: tools that summarize your inbox, surface action items, draft replies, and in some cases take actions on your behalf.

That is the most evil part. Finally we will have bots talking to bots, no human in the loop.

All email problems can be solved with GPG, but that ruins Fastmail and other email services' business, as they won't be able to read and analyze their users' emails. No ads, no selling user profiles to ad companies, not even teaching AI on user data. This is the kind of future of email I would like to see. Sadly, no one uses GPG and it's quite hard to teach people to do it.

We will end up with a situation where all interactions with computers (remote systems), including email, will need an initial step to pair/exchange keys, much like ssh. So when the bank wants to send me email, they can only do so if they have my public key. We should try to make this as frictionless as possible. Or, we generate semi-random email addresses that are short-lived, so that each company I interact with gets their own unguessable email address.

Either way, we are getting to a point where offline-2FA will be mandatory for all auth systems and when interacting with another party, it will need something like the above to be sure you are dealing with the correct company.

Counter Point: Until people can migrate their inboxes and steer them to any provider, none of this authentication business seems to hold up actual value at scale.

If anyone can port their phone number, they should be in theory, allowed to port their email addresses as well.

None of the authentication systems here are helpful enough to allow this. You need a valid way to authenticate people irrespective of whatever provider they are on (not their email domain name)

That means that a standard needs to evolve that allows you sign on the behalf of the hosting provider itself.

I really like Fastmail, but I wish they offered a lightweight AI feature. Their filtering system is unmatched, yet I’d love a basic, privacy-focused AI filter powered by a small, private model they run.

For example, I could set rules like “if an email looks like a promotion, move it to the promotions folder.” I could roll my own MCP server sure, but that’s not the direction I want to go.

It's insane that in 2026 signing and encryption of emails still isn't the norm, but as long as the business model of the largest email vendors relies on us not having it, I guess we never will.
It's frustrating not being able to send email for my hobby projects even if I follow all the rules and have the correct headers. I enjoyed reading jeremyevan's post on self hosting email, but it's only for receive and not send https://code.jeremyevans.net/2021-07-29-running-my-own-email...
In 1993, a friend of mine was working at Apple. I wanted to send him a funny message with a spoofed sender. I just typed "telnet apple.com 25" and then typed in the required commands. Apple.com accepted it and delivered it to my friend with a fake sender.

Those were the days, lol!

We’re basically outsourcing email judgment to AI, then trying to compensate by strengthening SPF/DKIM. That feels like hardening the locks while handing out more master keys.
The article makes a reference to the failed ARC (Authenticated Received Chain) proposal which was intended to help DKIM not break email forwarding:

https://www.ietf.org/archive/id/draft-adams-arc-experiment-c...

It will be interesting to see if Google can be convinced to move away from ARC to something else. Gmail is all about email server reputation these days so they can reliably treat email servers they don't like badly.

I was hoping this would be about JMAP.
> A person reading a suspicious email might notice that the sender’s domain has an extra character, or that something about the request feels off. An AI assistant scanning your inbox for items that need action may not slow down to check those things.

I don't quite buy this in either direction (although they are both couched as possibilities, which makes it a pretty safe statement). Humans might notice, but years of annual mandated phishing trainings have led me to believe that humans as a whole are generally not great at noticing.

AI agents OTOH mostly do as they are prompted. If the human prompting them tells them to check these things, they will likely check much more consistently than any human. If the prompt doesn't say to check, the agent won't. But that again falls back to what the human might or might not think about.

A little bit off topic, but we need DMARC to prevent phone spoofing. STIR/SHAKEN should adopt the DMARC model from email. The legitimate holder of a phone number should be able to publish a policy declaring that any call claiming to originate from their number without A-level attestation must be blocked by the terminating carrier. Just as domain owners can instruct mail servers to reject unauthenticated email sent in their name, number holders should be able to instruct carriers to reject unauthenticated calls spoofing their numbers.

In my experience since phone scammers tend to scam a small subset of numbers like dell, facebook, Microsoft, the Internal Revenue Service, copying this could allow big companies to block a huge number of phishing calls requiring their numbers. Since many calls originate from authenticating carriers now we need to go to the next level and block fake calls.

We need email end to end encryption. Good to see Google getting into that world, we need Apple and others to join too.
Seems like PGP inside emails would solve a lot of the issues around auth and confidentiality. I think email is fine the way it is. I don't need any more solutions that make it harder to host your own servers; email is meant to be self hosted. I feel like commercial email services have their use cases, but we should avoid having service providers playing with standards, as their motives might be self serving. We should keep decentralized internet tech as decentralized as possible, with a caution against blocking random senders, as this leads to monopolies blocking their competition and demanding compliance to their agendas.
I feel we need a "proof of work by human" for emails. Something that could be signed that attests that someone took the time to write the email, not just sent a template / used AI to auto-generate a personal looking email, etc. Sure that could be gamed as well (have an AI write characters one by one to look more human-like), but taking more time usually is a fairly good blocker for spammers / salespersons / etc.
respectfully the title is clickbait, so maybe a more objective one would be better?

> Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize.

https://news.ycombinator.com/newsguidelines.html

I've been a happy Fastmail customer for years, and one of the best things about Fastmail has been how they just incrementally make things slightly better, as if they somehow haven't learnt how to enshittify.

So on seeing this title, I was a bit worried.

> It’s worth being transparent about what that looks like at Fastmail: we haven’t integrated AI into your inbox, and your mail isn’t being processed by a model in the background. Our MCP server is simply an API endpoint available if you want to connect an AI client of your choosing with your explicit authorization, and nothing changes if you don’t.

Phew.

BIMI certificates cost over $1,000 / yr right now. For me that's a feature. I wish the fallback in my mail client was a big untrusted symbol rather than sender initials when they aren't in my address book.
Recent discussion:

Gmail Thinks I'm Stupid, So I Left: https://news.ycombinator.com/item?id=48375016

> Email is not going anywhere

time and time again it's worth stressing how the Lindy effect directly applies here to email or other layers of the protocol stack.

https://en.wikipedia.org/wiki/Lindy_effect

In the world of AI, I think the future of email is deliver-ability.

The new fad is "loop". And any loop should have a trigger. Rather than having countless integrations, let all the triggers go to email, and those triggers trigger loops. I feel AI can kick off from personal/shared inboxes to deliver meaningful outcomes.

Seems like PGP would solve a lot of the issues around auth and confidentiality. I think email is fine the way it is.
As a Fastmail user for both personal use, as well as for my business, the best thing I can say about them is that I haven't thought about them in...a decade?

We built a Discord integration so that new emails to our support address would ping us in a Discord channel using the JMAP API. It's only failed to work once that I can recall - and that ultimately ended up being on Discord - not Fastmail.

Just rock solid service all around with no bullshit.

A lot of nonsense about AI and this The inbox of the future will be faster, smarter, and more capable than what most of us use today

Please, Fastmail, don't fuck this up. I have been a happy customer for years. Do not fuck this up with idiotic AI systems. I just want reliable email.

What's the point of this article? The most I got was "email is here to stay," followed by some discussion of an MCP server for their proprietary mail platform.

I particularly don't understand the constant fanfare around discussions of SPF/DKIM/DMARC. They're widely understood, published RFCs that have been around for at least 10-15 years, some of them longer. They're not obscure folk wisdom passed down through generations of sysadmins, yet I read so many documents and articles that make it sound like a proprietary trade secret that the authors of such articles are graciously revealing to the world.

These days, it seems that what they call security is just isolating oneself
Are there any options left at all to self host email?
> Anyone can put anything in the “From” field of an email.

... and then the article goes on to talk about SPF, DKIM and DMARC, which authenticate only the domain part of the "From" field. So just the reputation of the email server, not the entity that sent you the email. If things get as bad with AI generated deception as suggested by the article this wouldn't be good enough, we would have to start signing our emails again. Emails from entities we don't know would have to be treated with a high level of suspicion.

I am not convinced that things will for sure really get that bad. How can an AI figure out the email addresses of our correspondents? They are not magic.

Everybody who has a Fastmail e-mail in their profile here on HN has received several targeted phishing mails with senders who are registered with @fastmail accounts that sound official. And Fastmail doesn't seem to do much about it.

It's absolutely the worst part of using Fastmail, that they don't clean up in their own house.

What's the point of the article?
pgp exists, sheesh
If only there were some interest on the part of Big Telco to solve these types of problems.
The easiest and best filter is to screen emails. Only emails that were screened in once go to your inbox. It's that easy. HEY.com introduced it, and I can't see email without it; that's why I integrated it into my TUI email client, neomd [1]. Since then, when I get an email from Amazon that lands in my "To Screen" box, I am automatically alerted and know it is potentially spam, because I have approved Amazon and legit emails land in my inbox. Check it out, it's that easy. Neomd works with Fastmail or any other IMAP/SMTP email provider.

No AI needed, and also no stupid AI summary, as you only get a few legit emails to your inbox, never spam anymore.

[1] https://neomd.ssp.sh

> The first is AI filtering: the systems that decide what’s spam, what’s phishing, and what deserves your attention.

Not so for Google Workspace. I get more spam and fake invoices and DocuSign contracts than I used to.

> In early 2024, Google and Yahoo began requiring

Here's a big part of the problem right there. Google requires something, it becomes a requirement. In fact, Google's hold on email is a problem in itself. Among other things we need variety. Without it, "Google begins requiring" will be a recurring theme. It's happening again now with mobile phone apps! "Google begins requiring" that you register with them so that the apps you write can be installed on Android phones.

> This shifted authentication from something senders could deprioritize to a basic prerequisite for reaching inboxes.

And later, Google and a few other large players could just prevent individuals and smaller email service providers from being able to send email, at all.

> so the filtering systems can tell where bad content is coming from and avoid hurting the reputation of the wrong parties.

Be ready for people who don't register with the big corporations to be marked as having "bad reputation" and being simply blocked. There might be some technical excuse.

> The inbox of the future will be faster, smarter, and more capable than what most of us use today.

That sounds like the inbox of the future might be controlled by somebody else. I don't like that at all.

E-Mail should have died in the early 2000's. It's an absolute shit communication system and isn't fit for purpose, and wasn't even then....
Postage. Postage. Postage.
email is turning into a walled-garden of big tech.

For instance, I am self-hosted, and that without DNS. The email designers were careful to make the email system work without DNS, that is, with email addresses with IP literals: mailbox@[x.x.x.x] and mailbox@[ipv6:...] (and I guess once ipv4 is really gone, the ipv6: prefix will be dropped).

This is stronger than SPF, since as soon as an IP literal in the envelope or the various "from" headers does not match the actual IP of the sending SMTP server, the email is dropped, not even going in spam.

If I send such email to gmail for instance... I get a 'missing a DNS PTR' record, go to hell. How, convenient, to send an email there, you must have bought a DNS domain, knowing perfectly that most registrars nowadays are gated by the web engines of the whatng cartel... which gogol, then gmail does belong to... how convenient, the crime is almost perfect, I don't put that on the account of incompetence, this is beyond that, we are in the realm of toxic malice.

I do presume now they know what they are doing, killing all small tech, or self-hosting is in their agenda of dominant internet corporation.
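
The address-literal check described in the comment above, sketched as a receiver-side policy (an added example, not part of the original comment or any mail server's own code). The function names, the accept/reject policy and the sample sessions are assumptions constructed for illustration; the literal syntax follows RFC 5321.

```python
import ipaddress
import re

# Mailbox ending in an address literal: user@[192.0.2.7] or user@[IPv6:2001:db8::7]
_LITERAL = re.compile(r"@\[(?:(IPv6):)?([0-9A-Fa-f:.]+)\]>?\s*$", re.IGNORECASE)


def literal_ip(mailbox):
    """Return the IP inside a mailbox's address literal, or None if absent/invalid."""
    m = _LITERAL.search(mailbox.strip())
    if not m:
        return None
    tag, text = m.groups()
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    # RFC 5321 syntax: IPv6 literals carry the "IPv6:" tag, IPv4 literals do not.
    if (ip.version == 6) != (tag is not None):
        return None
    return ip


def verdict(peer, mail_from, from_header):
    """Assumed policy: accept only if both senders are literals equal to the peer IP."""
    peer_ip = ipaddress.ip_address(peer)
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    if peer_ip.version == 6 and peer_ip.ipv4_mapped:
        peer_ip = peer_ip.ipv4_mapped
    for label, mailbox in (("envelope", mail_from), ("header", from_header)):
        ip = literal_ip(mailbox)
        if ip is None:
            return "reject", f"{label} sender has no valid address literal"
        if ip != peer_ip:
            return "reject", f"{label} literal {ip} does not match peer {peer_ip}"
    return "accept", "both literals match the connecting IP"


# Constructed sessions: (peer IP, MAIL FROM, From: header)
SAMPLES = [
    ("192.0.2.7", "<ops@[192.0.2.7]>", "Ops <ops@[192.0.2.7]>"),
    ("198.51.100.9", "<ops@[192.0.2.7]>", "Ops <ops@[192.0.2.7]>"),
    ("2001:db8::7", "<ops@[IPv6:2001:db8::7]>", "ops@[IPv6:2001:0db8:0:0:0:0:0:7]"),
    ("::ffff:192.0.2.7", "<ops@[192.0.2.7]>", "<ops@[192.0.2.7]>"),
    ("192.0.2.7", "<ops@[192.0.2.7]>", "Ops <ops@example.org>"),
]

if __name__ == "__main__":
    for peer, mail_from, from_header in SAMPLES:
        print(peer, *verdict(peer, mail_from, from_header), sep=" | ")
```

Comparing parsed addresses rather than strings is what makes the third sample pass: the two IPv6 spellings differ textually but denote the same address.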

Bit of a nothing burger.

Big title, little content.

They really want to kill anonymity. That's a hit piece if ever I saw one - and a very poor, unconvincing attempt at promo. Shame on you, Fastmail.
The Future of Email is obsolescence.
Paying for email will never be the future of email.

Another subscription for software- and people outside HN hate paying for software- when outlook, apple and Gmail exist?

Emails are very important especially at this age of rapidly changing technological landscape.

It's important that they're secure.

Is it possible to have E2E encryption on emails?
