mosura 2 days ago

Eventually all Internet protocols will be MITMed by cloudflare. Your single point of interception!

  • stingraycharles 2 days ago

    To be honest, the internet was worse without Cloudflare, so as long as they provide a good service for their customers, I’m fine with it. This is one of those.

    Google is in a perfect position to compete but they don’t, so it’s not like Cloudflare is a monopoly or something.

    At least they’re not selling ads using your data.

    • egorfine 2 days ago

      > the internet was worse without Cloudflare

      It had much more freedom. Currently it's up to Cloudflare to decide whether you will read that article or not. Tomorrow some stupid law will mandate certain ideas to be hidden from children[1] and Cloudflare will happily comply.

      1. https://en.wikipedia.org/wiki/Think_of_the_children

      • chipgap98 2 days ago

        How is this not a problem with the law rather than a problem with Cloudflare?

        • tgsovlerkhgsel a day ago

          The growth of Cloudflare is what makes the law possible.

          Several countries have stupid laws around online child protection, that are universally ignored and universally not enforced simply because there is no reasonable way to comply. Others might be tempted to introduce new stupid laws once they become feasible.

          That doesn't make it Cloudflare's fault, but the centralization is still a problem.

        • BHSPitMonkey 2 days ago

          I think it's being pointed out as an inherent weakness of greater centralization when it comes to the internet's resiliency against government interference and censorship. The internet used to be much more decentralized than it is today.

        • godelski 2 days ago

          Also, remember that time that Cloudflare didn't take down a Nazi website because they didn't want to be arbiters of the internet but then everyone accused Cloudflare of supporting Neo Nazis. That this led to boycotts so they ended up taking down the site and wrote a blog post being like "fine, but this is dumb"

          That didn't really have to do with the law. You could segue it was a free market action. Though there were definitely legal threats as well. (There's even people here in this thread making similar claims of Cloudflare supporting specific groups/content)

          https://blog.cloudflare.com/why-we-terminated-daily-stormer/

          • qmr 2 days ago

            Not a fan of XYZ service deciding what you can or can not say / host online.

            Freedom of speech is not about protecting speech you find agreeable.

            • ldoughty a day ago

              Businesses are not expected to protect your freedom of speech. If you want to say stuff that no one wants to print, you can't sue a business for not printing it.

              The government can't stop you from requesting a permit and saying it on public lands, though... And back when telecoms were common carriers, you could have done such from your home Internet, now you can only do it from your voice line.

              • mc32 a day ago

                Right but ISPs and services like CF should be neutral parties just like the Cisco routers and Corning fiber. They should not be arbiters of what’s currently acceptable. That’s not to say they are not subject to jurisdictional law but rather they should not be their own law imposing their views.

                Now of course if they want to provide you the user with tools to filter or hide things you disagree with out, by all means.

                • mrkstu a day ago

                  Yep- your phone or electrical provider don’t monitor your speech for objectionable content and neither should someone like Cloudflare once they achieve ’utility’ like status.

                  • msm_ 19 hours ago

                    >your phone or electrical provider don’t monitor your speech

                    not yet.

                  • qmr 15 hours ago

                    I guess you missed the case of Google and SFPD going after a dad for taking a photo of his son's genitals to share with mom and doctor.

              • godelski a day ago

                Sorry, but sometimes they are. Laws are reactive so can only be updated when harm is done. But if businesses and people act to hold up the spirit of those laws then the harm doesn't happen in the first place. It's proactive vs reactive.

                Plus, being proactive saves everyone a whole lot of time and money. So many things would be better if people (and every entity) were just trying to do their best and no one was trying to fuck each other over. You may call it a dream and that's fine, but also remember that the vast majority of people already operate that way. A small number of people do the most harm.

          • 71bw 2 days ago

            And yet then instantly threw a hissy fit when a certain trans individual started their crusade against the Kiwi Farms.

          • wahnfrieden 2 days ago

            Or the time they knowingly employed a Nazi

            • _heimdall 2 days ago

              Are you arguing for a system where employers consider your political views before hiring you?

              And no this is not an attempt to in any way belittle what Nazi Germany did during WWII. Assuming the employee you are referring to has never been engaged in such acts, though, that feels like a very slippery slope.

              • array_key_first a day ago

                > Are you arguing for a system where employers consider your political views before hiring you?

                Yes? Such a system already exists and is currently in place in virtually every country in the world.

                If I go online and trash talk anyone, that might prevent me from getting hired.

                Similarly, if I work someplace, and I call my boss a jackass, I might get fired!

                You're trying to invoke "political" as a sort of shield here. No, it's not just politics.

                It's called being an asshole. Assholes might be unemployable because that's how human socialization works. Have you met a Nazi that isn't an asshole? Because I haven't. So, there you go.

                • _heimdall a day ago

                  > If I go online and trash talk anyone, that might prevent me from getting hired.

                  > Similarly, if I work someplace, and I call my boss a jackass, I might get fired!

                  Those examples have nothing to do with your specific political views. Both issues there are about how you engage with others and are a reasonable example of why you might cause problems on a team. The specific views you would have shared rudely have nothing to do with the actual problem at hand.

                  • array_key_first a day ago

                    > Those examples have nothing to do with your specific political views.

                    Yes they do - as I've said, you can't invoke politics as a shield.

                    You can be fired for your beliefs. Politics are a belief. So you can be fired for politics.

                    If you're trying to say that you can just be an asshole in private - sure. If you share your political beliefs, it's no longer private.

                    Most companies don't want to hire people they think are assholes.

                    Ultimately, it's very simple human behavior. I don't want to work with people who suck. You don't either. Okay, so we must discriminate based on politics or other beliefs.

                    Hiring, in and of itself, is just discriminating. We're discriminating based on skills, personality, beliefs, and fit. That's what hiring is.

                    There's only a select couple of things we can't, or shouldn't, discriminate on. Politics isn't one of them. If you think black people need to be exterminated or whatever, there's no gun to my head making me hire you. No, I'm not gonna hire you.

                    • _heimdall a day ago

                      Okay, I'll try to take this from the top.

                      > Yes they do - as I've said, you can't invoke politics as a shield.

                      That isn't the issue at hand. You are describing using one's political views against them simply for them holding those views, not someone being an asshole and attempting to justify it as a political act.

                      > Most companies don't want to hire people they think are assholes.

                      Sure, though they would base that on behavioral tendencies rather than a political survey.

                      > Ultimately, it's very simple human behavior. I don't want to work with people who suck. You don't either. Okay, so we must discriminate based on politics or other beliefs.

                      Ultimately you're the one worse off for viewing people this way. Views and beliefs don't make a person suck, actions do.

                      • wahnfrieden 20 hours ago

                        Their politics were expressed as behaviors: proclaiming "I'm a nazi" publicly, taking over leadership of GNAA from Stormfront's administrator, etc. These were not private beliefs that were uncovered through surveying. There was no survey.

                        Or by behavior do you mean that public support of terrorism isn't grounds for an employer to avoid hiring or termination? That the standard for that would be actual terrorist acts?

              • mschild 2 days ago

                Part of being a Nazi means the sincere belief that the Aryan race is superior to all others and that eradicating them is a sensible goal.

                That's not a political view. It's one of racism and finding genocide acceptable. I would sincerely hope that any sensible person would refuse to hire someone like this.

                • _heimdall a day ago

                  I can't say that I have seen any party documents floating around, but I'll take your word for it here. A person having those views or beliefs still isn't a crime, acting on them is.

                  A person in a workplace can have whatever views they want. Holding a view in no way prevents them from being able to do the work well. It's a different story if they cause a problem at work, but that is viewpoint agnostic - anyone starting political fights or worse at work is a problem.

                  • mschild a day ago

                    > I can't say that I have seen any party documents floating around

                    There are quite literally millions of well recorded documents, pictures, movies, personal accounts of affected people available about what Nazism did and does. If you do need a place to start, feel free to give the Wikipedia article a read and use the underlying sources to learn more.

                    https://en.wikipedia.org/wiki/Nazism

                    • _heimdall a day ago

                      The Nazi Party no longer exists and you're linking to ideology in Germany at the time. We could similarly link to pretty terrible political party views of Republicans or Democrats over our history.

                      By no means am I defending Nazism here, I would take huge personal issue with anyone holding those views. That's entirely separate from the topic here though, and I don't agree with discriminating hiring processes based on political views regardless of what they are. If someone can go to work, get the job done, and be a net-positive member of the team I have no reason to act against them.

                  • short_sells_poo a day ago

                    A person is entitled to hold any political views they wish, and a business is entitled to not hire them for those views. Just like freedom of speech does not entitle you to a platform or give you immunity from the consequences of saying things.

                  • hobs a day ago

                    Not hiring people who wish the majority of your employees death is a super low bar, you should try to make sure you can get over it.

                    "How many people in the office do you view as vile subhumans who should be purged from the world because of how they were born?"

                    • _heimdall a day ago

                      Not hiring people only for personal views they hold is just a weird bar to set. Judge people by their fit for the role and their actions. Attempting to both uncover and judge a person's beliefs is a losing battle at best.

                      • hobs 15 hours ago

                        It is not a weird bar at all when the "personal view" here is being a Nazi. The action of believing in Nazism is actually a disbarring for any role of trust, integrity, or value in our society.

                        Being a Nazi is not a protected status (yet) and you should expect to be fired immediately if you espoused those views anywhere, at all.

                        • wahnfrieden 7 hours ago

                          (Just not when employed at Cloudflare.)

                • dotancohen a day ago

                  The Azov brigade are not Aryan.

                  • mschild a day ago

                    Not sure how they are involved in this discussion nor do I know their current ideology besides the media reports, but collaborators were/are not uncommon. Abraham Gancwajch, for example, seemed to have no issue with betraying his people.

                    https://en.wikipedia.org/wiki/Abraham_Gancwajch

                    • dotancohen a day ago

                      I was giving an example of a non-Aryan Nazi body.

                • godelski a day ago

                  Be careful with your reasoning. Remember that the current ruling party in America (as well as growing movement in Europe) is using the same rhetoric to go after liberals and trans people.

                  The problem isn't that any sensible person supports genocide, it is that insensible people can get to power and trick normal people into thinking genocide is necessary or not happening at all. They do the former by saying "if we don't commit genocide then they will commit genocide against us".

                  The problem is who gets to pick who is right and not? The problem is that if you limit the right to limit speech then good rulers won't abuse that power but evil ones will. It's because they are the ones who pick and choose. It's why you have to protect the rights of those you abhor. Because if you don't you build the powder keg of Turnkey Tyranny. Doesn't matter how many signs you put up, eventually someone will light a match. By accident or because they want to watch it burn.

                  So yes, to protect those groups being persecuted (trans, minorities, and Jews alike) you need to protect the speech of abhorrent groups like Nazis. You don't have to like it. And you don't have to, and shouldn't, protect the actions of Nazis, but you do have to protect the speech. It's exactly why the ACLU has done this in the past because every authoritarian loves to use abhorrent characters to justify overreaching laws.

                  We're on Hacker News for fuck's sake! How often have we seen the same play but replace "speech" with "encryption" and replace "Nazis" with "pedos and terrorists". It's the same stupid game!

                  • kiitos 2 hours ago

                    > The problem is who gets to pick who is right and not?

                    we all do, collectively, as a society

                    > So yes, to protect those groups being persecuted (trans, minorities, and Jews alike) you need to protect the speech of abhorrent groups like Nazis.

                    there is actually a categorical difference between advocating the persecution of minorities, and advocating the persecution of nazis. and furthermore it is actually possible and good for a society to say one of these things is bad and should not be allowed, while the other one is good and should be allowed.

              • sneak a day ago

                Yes. Discrimination in hiring with regard to personal viewpoints (ie adult decisions, not built-in traits) is one of the best ways we have to shape society for the better.

                As private entities, we have freedom of association - including freedom to shun certain groups. Use it!

                • ivell a day ago

                  Once we start that, we cannot control if it is going to shape the society for the better or worse. Should feminists be prevented from joining a company? How about pro-choice rights activists? And one person's better society would be totally different from the other person's better society.

                  We should aim to reduce discrimination not encourage it for select causes.

                  • godelski a day ago

                    For anyone not understanding this comment and similar ones try this for me: replace "speech" with "encryption" and "Nazis" with "pedos and terrorists".

                    Here's the thing, authoritarians use abhorrent groups to justify authoritarian laws. It creates a power creep. Even well meaning rulers will push for more autocratic power with the justification that they can do more good with it. But unless you can place strong guarantees that no malicious ruler can come to power, you should evaluate powers as if they are the ones wielding it.

                    It's the entire concept of Turnkey Tyranny. A thing we are actively watching being exploited in America and across Europe. Because you can't prevent a malicious ruler from gaining power in a free society, but you can greatly limit their ability to do harm. But this can't be done with myopia.

                • _heimdall a day ago

                  Would you say the same for other types of discrimination?

                  And how can you so clearly differentiate between what is and is not an adult decision vs a built-in trait?

                • lenkite a day ago

                  What is a "built-in trait" ?

                • myrmidon a day ago

                  In my view, this whole stance is completely indefensible, and it frankly shocks me every time I hear this from the progressive side of the political spectrum.

                  You want to introduce additional discrimination at every workplace in order to get rid of viewpoints you don't agree with?! This is honestly closer to Nazi ideology than the actual Nazi would probably be that you want to discriminate against.

                  How would you ever prevent policies like this from being leveraged against minorities? How could you ever make sure that you are never gonna be a "Catholic church against Galilei" equivalent?

                  You do realize that such a policy would've been used like 30 years ago to exclude every pro-LGBT person from hiring, after being used against anti-racial-segregation advocates in the decades before and everyone in favor of women's voting rights well into the 20th century?

                  If you want some totalitarian society that enforces state-sanctioned viewpoints I would kindly ask you to build your own, preferably as far away as possible, because that stands diametrically opposed to the principles the US was founded on.

                • dotancohen a day ago

                  > ie adult decisions, not built-in traits

                  What if my neighbor was born gay (can't help it), but I just decide that I want to try gay this week? Is it fine to discriminate against me, but not him? I made an adult choice this week.

              • wahnfrieden a day ago

                Yes. Naziism is terrorism. People lose their jobs for publicly supporting terrorism. The employee was self-proclaimed "Nazi" (including to quote, "I'm a nazi", posted publicly while working there) per views and advocacy. They also took over leadership of "GNAA" from Weev (a Nazi with Nazi tattoos etc.) while employed at Cloudflare (I won't type out what it stands for here)

              • DoctorOW a day ago

                > Are you arguing for a system where employers consider your political views before hiring you?

                Would you put a Nazi and a Jewish person in a room every day (or on a Zoom call or whatever) and expect something productive to happen? Well, no. It's a ticking timebomb. If you have an organization with multiple employees, they'll have to be people who can work together. So as a workplace, you need to either rid your employees of their discriminating views or rid yourself of employees who cause problems.

                • _heimdall a day ago

                  I don't care what religion or political views they have. It's a workplace, if either person can't check it at the door then that's the problem to deal with.

                  Honestly it's pretty insulting to both of the people involved for you to assume so strongly that they couldn't be professional that (a) you never give them the chance and (b) you chose to hire only the one who you agree with (or disagree with the least).

                  • kiitos an hour ago

                    the people talking to you are talking about something very different than simply "political beliefs that you disagree with"

                    the appropriate level of capital gains tax at the 80th percentile is a political belief that you can tweet about in your personal time and allowing there to be a civil relationship with your colleagues in a professional environment. this is a political belief that reasonable people can disagree with.

                    asserting the supremacy of the white race is not a political belief that you can tweet about in your personal time while still allowing a civil relationship with your colleagues in a professional environment. this is not something that reasonable people can disagree with.

                • lan321 a day ago

                  If they can be professional, yeah? I have diverse private interests that don't really get mixed with work. Don't see why my political interests should. I've worked with people I don't personally like. It's more tiring since there's less chit chat but the work gets done all the same.

                  • 4ggr0 a day ago

                    your private interests probably don't include the wish for your co-workers to be harmed, killed or at least treated like a lesser being.

                    • _heimdall a day ago

                      Is this fictitious Nazi working with a fictitious Jewish person acting on those views or discussing them at work? If not then why should their employer care, and why should we actually support the idea of workplace discrimination?

                      • DoctorOW a day ago

                        > Is this fictitious Nazi working with a fictitious Jewish person acting on those views or discussing them at work?

                        There's a reason I say "ticking time bomb" in my comment. Hypothetical Jewish person keeps kosher for instance. Is that "acting on" being Jewish at work? What about wearing a yarmulke? If that is, how do you rectify it? If you allow yarmulke, is a swastika armband okay? Both are clothing choices depicting "views".

                • close04 a day ago

                  > Would you put a Nazi and a Jewish person in a room every day

                  Today's Nazis have more diversified targets for discrimination. Concentrated antisemitism was a side effect of the personal issues of the most famous Nazi exponent in history, but they're more about racial supremacy. Today they might be Islamophobic more than antisemitic.

                  To answer your question, their thoughts and views don't matter in the office, their behavior does. You can deeply dislike a colleague for various other reasons too but the effect is the same. I don't want to be fired because I unilaterally hate, or even love, my colleague. As long as I don't act on it, that is.

                  I know people working together in the same office where one's grandfather was in the Nazi military guarding one camp, the other's was a civilian killed in that camp. Whatever their deep feelings, they mind their job as expected.

        • tavavex 2 days ago

          It's both. In allowing Cloudflare to grow so big, we now have one huge universal button for governments to push. If instead all of these customers were dispersed over hundreds of different services from different countries, good luck with trying to keep them all in line with your specific country's whims.

          • otabdeveloper4 2 days ago

            Worse, governments can also just block Cloudflare's IP ranges wholesale - because Cloudflare is used to launder IP addresses for sites with shady and/or illegal content.

            Legitimate sites get blocked too, but most governments probably won't care.

            • DoctorOW a day ago

              Isn't this an argument in favor of centralization? Right now, those legitimate sites include many government websites which means that most governments do care. You know what IP block they definitely don't use? A tiny provider for DIY blogs or whatever.

        • Spivak 2 days ago

          Because human nature is what it is. The best way to eat better isn't to be a better person, it's to not keep junk food at the house. It's not Cloudflare's fault that they're successful, but it's now everyone's problem that they're an easy throat for governments to choke.

          • ipaddr 2 days ago

            It is their fault they are successful. They worked hard to get there.

        • egorfine a day ago

          It is a forbidden rule of discussion to refer to Hitler and Nazis but I still want to point out that holocaust was fully legal.

          • estsauver a day ago

            So, interestingly, the places that actually did the worst in the Holocaust were generally the places where there were the least legal structures--even though you would expect it to be worst for Jews in Germany, it was often Poland and other states that had all legal structures and civil institutions destroyed who had it the worst.

            https://www.amazon.nl/Black-Earth-Holocaust-History-Warning/...

      • zenmac 2 days ago

        For example, recently certain big corp asked me to verify something. I clicked on the link in the E-Mail and it was stuck on Cloudflare the click button over and over again. No matter how many times I clicked.

        Do I need to find another internet access now?

        • paulgb 2 days ago

          I would bet in the direction of this being a bug on big corp's side rather than Cloudflare's.

          • viraptor 2 days ago

            No, it's a common issue. A bit of traffic is always misclassified and one day you'll be the unlucky one. And there's nothing you can do about it beyond trying different device on a different network.

        • miki123211 a day ago

          You need to become more like a "normal person."

          No VPN (unless your ISP is extremely shady, then do use a VPN or change ISP), no overly zealous adblock (ublock origin on default settings should be fine), no JS blocking / weird privacy extensions / whatever, no PiHole, just what your average, relatively tech-savvy geek would use.

          HN readership's problems with Cloudflare are mostly their own fault. "normal" internet users don't have these problems[1].

          [1] except for people in specific countries, and I do feel sorry for those.

          • egorfine a day ago

            I am from a specific country.

            Could you please suggest me some ways in which I can become more like a normal person? Thanks.

          • zenmac a day ago

            >[1] except for people in specific countries, and I do feel sorry for those.

            Normal people also travel, and ended in those said countries sometimes. Which is the time when you need these things to work from any kind of connection.

          • GoblinSlayer a day ago

            Normal isn't normative, it's just laziest and worst practice.

          • throwaway77385 a day ago

            Hmmmm, it's rare that I'll bite, but in this instance, I just have to

            > You need to become more like a "normal person."

            Isn't it inherently problematic that there is even a definition of a "normal person"? Who gets to judge this? Why do I have to conform? This immediately creates in-groups and out-groups. We should all know better than to allow this to happen. Classification is fine. Probably even needed to help with inclusion. Restriction based on classification can very quickly become problematic.

            > No VPN (unless your ISP is extremely shady, then do use a VPN or change ISP)

            That's all ISPs by now. You should never just trust any authority logging what you do. What is fine today might not be fine with tomorrow's government and those logs (as much as some might pretend they are not) are permanent. VPN bans will start to pop up all over the place soon and everyone half-paying attention knows why

            > no overly zealous adblock (ublock origin on default settings should be fine)

            And what is the definition of overly zealous? Chrome has already dropped support for ublock, more or less. Adblocking is directly hostile to the data-hoovering machine. That should be enough reason to use very restrictive adblocking. I am using every filter list there is with Firefox on Linux. Cloudflare's checks are basically always fine. ReCaptcha, however, is a nightmare.

            > no JS blocking / weird privacy extensions / whatever

            Well, most of the web doesn't work when blocking JS outright. So I guess we've lost that battle. Though I'd argue that things like reader-mode and the ability to just get text content is pretty important to quite a lot of people still, especially those with disabilities. I don't understand the derogatory tone used when calling privacy extensions weird and the 'whatever' part is just a flippant dismissal of an entire ecosystem of extensions and applications that have a right to exist

            > no PiHole

            PiHole is soon going to be the only way to protect yourself, considering what Google is pushing for with manifest v3. I don't yet use it, because it's a pain in the ass, but I'd rather have less internet and more control than vice versa

            > just what your average, relatively tech-savvy geek would use.

            Why do you think that you should be the one to define what or who that is? Furthermore, why should anyone be given that right? What are we really losing by allowing people to have custom setups vs. what are we losing when we don't?

            > HN readership's problems with Cloudflare are mostly their own fault. "normal" internet users don't have these problems

            This reliance on the definition of "normal" is problematic, for the aforementioned reasons. You don't know what normal is and having a gate-keeper of this definition will lead to ever-smaller circles of people falling under that definition, until one day you are no longer normal and then what?

            > [1] except for people in specific countries, and I do feel sorry for those.

            Get ready to feel sorry for yourself in the near future :)

          • sneak a day ago

            All of my ISPs are shady due to regulatory capture. I can’t change to any ISP that is safe to use without a VPN.

      • _heimdall 2 days ago

        Nearly any company under a government's jurisdiction will comply with a legal order to censor content, especially if it's done in the claimed goal of protecting children.

        Those companies that don't comply will be shut down or targeted in some way if the legal order had any political teeth behind it.

        There's no way around that unfortunately, short of limiting government power in the first place so such an order would never be lawful.

        • miki123211 a day ago

          The problem with Cloudflare is that it does business everywhere, so it has to appease all governments.

          If you're a news site registered in the US or a porn site registered in Canada, with relatively few ties in other countries, you have far less pressure to comply with unreasonable demands from India or Bahrain. They just don't have that much leverage. If you use Cloudflare, they can put the pressure on Cloudflare instead.

          To make matters worse, some governments will demand worldwide removal / blocking of certain content they don't like.

          This is what makes the internet so weird and pre-internet intuitions about how governments work so treacherous.

        • chii 2 days ago

          that's why the gov't has somehow shut down torrenting and piracy. Oh wait...

          • thewebguyd 2 days ago

            Piracy is already operating outside of the law, there's no corporation to take legal action against, only individuals.

            A company is (usually) operating within the law, and if they wish to stay operating, have to follow the laws of the nations they operate in.

            • chii 2 days ago

              in other words, i was trying to imply that the only way to prevent gov't overreach is to continue developing technical solutions which are distributed and decentralized, so that there's no single button for which the gov't could press for removal of these fundamental rights.

      • ezfe 2 days ago

        It's not up to Cloudflare, it's up to the businesses that choose Cloudflare for that protection.

      • osigurdson 2 days ago

        >> Currently it's up to Cloudflare to decide whether you will read that article or not.

        How is Cloudflare gatekeeping things? I believe you but don't understand the mechanism.

        • nemomarx 2 days ago

          Cloudflare sends certain users they think are bots into infinite captcha loops - the wrong user agent or tor endpoint can do it

          • arevno 2 days ago

            Yes, it's unfortunate that a network service provider whose primary business model is *checks notes* preventing network abuse would try to detect and prevent abuse via various heuristics such as captchas.

            I also agree that Cloudflare should get all the blame here, since none of their customers voluntarily chose to use them, and Cloudflare doesn't give their customers a huge variety of options for bot detection sensitivity.

            Matt Prince personally kidnaps CTOs and waterboards them until they agree to use Cloudflare, and the thousands of configuration options and rule combinations on the WAF are just for show - customers can't actually use them.

            What an evil, evil company.

            • GoblinSlayer a day ago

              It's the same people who believe software has no settings.

          • osigurdson 2 days ago

            I assume this is only on sites that are on Cloudflare though. Or, no?

            • selfhoster11 2 days ago

              True, but a lot of sites use Cloudflare. It's sometimes very unexpected sites as well, both very large ones and very small ones.

        • small_scombrus 2 days ago

          The realistic right now worry is that you'll fall afoul of Cloudflare's bot checking and they just won't connect you through to your destination.

          The potential future worry would be if cloudflare decide they don't like the article or you for some other reason, they can refuse to connect you.

          These do both rely on your traffic being routed through Cloudflare's servers, but a LOT of traffic is

        • egorfine a day ago

          You have never been banned by Cloudflare because of the wrong shape of your skull? You must be living in the US probably.

      • thedelanyo a day ago

        What's stopping you from creating a competitive feature?

        • egorfine a day ago

          Nothing. Are you going to use it? No, you're probably picking the best out there which is Cloudflare.

          And then it's Cloudflare who's gonna decide whether I can read your article or not.

      • stickfigure 2 days ago

        > It had much more freedom

        ...right up until you got DDoS'd off the internet by some script kiddie "for the lolz".

        • egorfine a day ago

          That's the flipside.

        • GoblinSlayer a day ago

          Script kiddies pay for a botnet to DDoS for lulz?

    • marginalia_nu a day ago

      So far Cloudflare have generally been good guys on the web. They're in an incredibly abusable position, but so far have refrained from doing that.

      So far.

      The problem with Cloudflare is that institutions change over time. It's a slow process, doesn't happen overnight, but it does happen to almost all of them sooner or later. Building institutions that stay good is one of the big unsolved problems for humanity.

      The problem with Cloudflare is what happens the day this good guy MITM:ing half of the web is no longer a good guy. We need to at least have a plan for dealing with this scenario, because otherwise this could get very ugly.

      • cookiengineer a day ago

        I've got a treat for you, cloudflare's business model moved heavily towards crime as a service during the last decades, including DDoS botnets that host their own CnCs behind cloudflare, while themselves even relaying cloudflare DNS data to DDoS cloudflare instances itself.

        The guy behind Crimeflare, when it was still available, tried to accumulate a dataset by running his own resolver, which filtered out domains in the zones of cloudflare's known ASNs.

        This was actually also part of a lawsuit against lieferando (takeaway) because they're registering domains of restaurant owners and blackmail them into using their delivery service, after they already registered the Google business entry with that cloudflare domain to a call center of Takeaway, so the actual owner of that restaurant has no chance in terms of SEO and google searches that people would find them again.

        Anyways, the dataset is pretty fascinating:

        [1] https://web.archive.org/web/20210826102143/http://www.crimef...

        [2] https://web.archive.org/web/20210826103036/http://www.crimef...

      • NotHereNotThere a day ago

        Let's see what we discover during the next NSA leak.

        • marginalia_nu a day ago

          You can probably safely assume the 3-letter agencies are snooping on this data. It is and has always been very hard to resist government pressure. Happens all around the world, China, Russia, EU; all the geopolitical players find various means of eavesdropping where they can.

          Also likely part of why ECH is taking such an incredibly long time to see widespread adoption and why it's still quite a shit solution to SNI. As it stands, anyone with network level access can see which websites you are visiting, despite HTTPS.

    • segmondy 2 days ago

      The internet is worse for me with Cloudflare. I'm using a cellphone router for my internet. My guess is I don't get a dedicated IP and am probably behind a NAT with other users. 85% of my requests need me to solve a Cloudflare captcha. On bad days I have to do this easily 100+ times.

      • r00f 2 days ago

        It is not Cloudflare's fault. It means the website operators were so fed up with bots and bad actors that they just applied a carpet ban and called it a day. Thanks to Cloudflare I was able to reduce my website load threefold and downscale my VMs and my monthly cloud bill, and seeing how 50k daily requests were shown CAPTCHA and not even tried to solve it makes me terrified of running anything without Cloudflare.

        Don't blame site owners and service that is trying to help them. Blame the fact that 90% of today's Internet traffic is bots

        • IgorPartola 2 days ago

          If I click on a search result and it shows me a CloudFlare CAPTCHA I leave. Immediately and permanently. I get what you are saying but also you will not get a dime from me if I have to waste my time solving a CAPTCHA prompt that half the time is so broken it just gets stuck in a loop.

          I guess whatever revenue you lose you make up for in a lower hosting bill. I just go to your competitor that doesn’t have the horrible UX. Usually those websites also tend to have much more optimized web pages too so it is an all around better experience.

        • ants_everywhere 2 days ago

          Of course it's cloudflare's fault. They monetized and scaled a service that blocks humans from interacting with websites.

          They're also essentially a deanonymization reverse proxy that can track everyone's browsing history and decide whether you get to see websites based on social credit.

          • IgorPartola 2 days ago

            And it is in their financial interest to block. They would rather not spend their bandwidth.

            • ants_everywhere 2 days ago

              That I'm not so sure about. If they get too block-happy they'll lose customers.

              But I don't think they care if they block firefox users, or people who delete cookies, or VPN users, or Tor users, or people who resist fingerprinting, or people who block ads, etc.

        • Dylan16807 2 days ago

          It's Cloudflare's fault that it's so common to have very overzealous blocking. Site owners need access to bot protection but that doesn't mean highly flawed protection gets to be blameless.

          • monkeywork 2 days ago

            That reads more like:

            - site owners can have protection as long as it doesn't inconvenience me.

            • Dylan16807 2 days ago

              Close.

              Replace "me" with "legitimate users" and replace "inconvenience" with "very aggressively inconvenience or entirely block".

              Then yeah you have it.

            • IgorPartola 2 days ago

              I mean, yeah that is what it is. You can have “protection” or you can have me as a customer. I am not here to solve broken CAPTCHAs all day long.

        • Aeolun 2 days ago

          > It means the website operators were so fed up with bots and bad actors that they just applied a carpet ban and called it a day.

          Many of my websites get 98% of their traffic from bots and bad actors, but it doesn’t really matter because the extra load of all these fake requests is absolutely negligible. I have a hard time understanding how someone would be bothered by an extra 50k requests a day. That’s less than a request per second. Most of the sites on even the weakest VM’s can easily do 10r/s these days.

          • tonyhart7 2 days ago

            I mean if I have 1 service sure but I have 20+ different ones

            if someone can foot the bill then I happily let them use it for free but it's coming from my own pocket

        • incoming1211 2 days ago

          I've tried going to sites to buy things and been met with Cloudflare CAPTCHA, only to immediately leave and buy what I wanted elsewhere.

        • GoblinSlayer 2 days ago

          Won't anubis do the same?

          • miki123211 a day ago

            ANUBIS = Annoying Normal Users, Barely Inconveniencing Scrapers

      • gruez 2 days ago

        But what's the counterfactual? People use cloudflare because they want protection from ddos attacks and bots. If cloudflare didn't exist there would probably be similar measures.

        • TeMPOraL 2 days ago

          Businesses want to protect the continuity of their business operations, and to that end they buy such protection as a service, from a business that managed to MitM half the Internet in order to provide such service.

          Point being, it's a commercial subverting the Internet from inside, reshaping it to better serve the interests of commerce. It is indeed protection, but it's accomplished by reducing variance. 99% of legitimate commerce on the Internet follows the same patterns, use a small subset of possibilities offered by the technology - so why not just block the remaining 1% that doesn't fit and call it a day? It will stop most of the threats to running businesses on the Internet. The 1% of legitimate commerce that doesn't fit the pattern? It's not being ignored per se, just pressured to adapt and conform to the majority.

          What is being ignored is that the Internet is not just a place of commerce, and non-commercial use cases, ideas such as empowering people to better their lives, are gradually becoming impossible, as fundamental Internet infrastructure becomes inhospitable for them.

          Some of us still remember the Internet being more than just a virtual mall, and are unhappy about it gradually becoming one. And it's not like CloudFlare, et al. are hostile to non-commercial interests as a matter of principle - it's just out of scope for them.

          • bkettle 2 days ago

            I actually think that Cloudflare has made publishing on the internet _more_ accessible for many individuals. I’ve helped a few people get personal websites running on Cloudflare pages and run my own there—it’s free and extremely easy. They could obviously pull the plug at any point, but with static sites it’s easy to avoid lock-in. If it weren’t for Cloudflare and other services that give free, easy hosting, I suspect there would be even fewer of the non-commercial small-internet sites that you value.

            • nulbyte 2 days ago

              There have been places that host personal and hobby websites for free for at least the last 30 years. Some older ones have left, and newer ones keep coming along. Cloudflare didn't make this any more accessible.

              • tonyhart7 2 days ago

                but most of them are dogshit tho

          • sally_glance 2 days ago

            Your first paragraph summarizes why businesses want to use Cloudflare and how it helps them maintain their business.

            Your second paragraph talks about other (non-commercial) sites. I think I'm missing the link here. Why would the admins of such sites resort to Cloudflare if 'fundamental Internet infrastructure becomes inhospitable for them' by making that choice? They could very well choose to implement their own or no measures at all.

            I think the issue is that the general threat level has massively increased compared to the past - not in terms of sophistication but frequency/scale. But that's a consequence of widespread adoption, nothing Cloudflare in particular is responsible for.

            • TeMPOraL 2 days ago

              > Why would the admins of such sites resort to Cloudflare if 'fundamental Internet infrastructure becomes inhospitable for them' by making that choice? They could very well choose to implement their own or no measures at all.

              Marketing and free tiers.

              But my point is that Cloudflare is addressing threats that predominantly affect businesses, and does so well, but the way it does is effectively changing the whole Internet to be more hospitable for commerce, and less hospitable for any other kind of use.

      • hnav 2 days ago

        Have you played with IPv6 vs IPv4? Wonder what's worse there, CGNAT-ed IPv4 or an inherently low-reputation IPv6.

    • jasonvorhe 2 days ago

      I don't know what kind of internet you used but mine didn't randomly decide to block my access to a website because some quasi monopolist decided I wasn't allowed to use a certain website for intransparent reasons.

      • troyvit 2 days ago

        Being blocked from a web site and having to hit a little box are two different things. Are you talking about the former or the latter? If it's the former ... that has literally never happened to me unless I'm on a VPN and even then it's rarely (if ever) CF that's doing the blocking.

        If it's the latter then it reflects the sad truth that we can't have nice things anymore. I have lots of problems with the accessibility of that box, but either Cloudflare would be implementing it, somebody else would be implementing it, or a huge chunk of data would be unavailable to you anyway because of accidental DDoS attacks caused by irresponsibly deployed bots.

        • jasonvorhe 2 days ago

          It was implied that the "let's check you're human" didn't do a good job at that, causing the block - without a VPN. Meanwhile, certain bots just circumvent it (there's even a couple of videos showing robot arms/fingers prove their humanness) while legit users, even coming from Tor, get blocked. That's the internet I used to know. (I am not in the "everything was better" camp though.)

        • forgotmypw17 2 days ago

          This has happened for me on regular residential Internet access.

          (Check the box, and get redirected to check the box again.)

          • reitanuki a day ago

            I hit this too, maybe on the order of one day every month or two?

            I'm using a fairly mainstream ISP in a fairly mainstream country.

            I don't get why I seem to have such a hard time. I've kept the same IP for months.

            But the worst thing overall is that it just doesn't acknowledge it.

            Want to block me? OK. But tell me that! Don't just make me tick a box again and again and untick it. It's infuriating.

        • viccis 2 days ago

          I can’t book a table at a local restaurant without calling because their resy link is behind Cloudflare and Cloudflare has decided that my up-to-date Firefox is out of date and therefore can’t pass the challenge. In reality it’s more likely that one of my ad blockers is stopping it from doing what it wants. It doesn’t even let me hit the box.

          • GoblinSlayer 2 days ago

            I might whitelist Cloudflare, but it pretends to be not Cloudflare, because it's MITM by design.

        • inetknght 2 days ago

          > Being blocked from a web site and having to hit a little box are two different things.

          Maybe for you.

          But I don't let random unvetted websites run code on my computer. Checking that box requires it.

          • Biganon 2 days ago

            May I ask what the risk is with letting websites run JS on your computer?

            • GoblinSlayer a day ago

              The constant flow of js vulnerabilities in browsers. Also misbehaving scripts.

          • tick_tock_tick 2 days ago

            So you're blocking yourself? Seems really disingenuous to imply it's someone's fault when you know it's your own.

            • GoblinSlayer 2 days ago

              Due to implementation chosen by Cloudflare, allowing Cloudflare also allows the proxied website to run code, because Cloudflare blends with it, but why the proxied website should be trusted if the challenge is served by Cloudflare?

            • inetknght 16 hours ago

              > So you're blocking yourself?

              That's like saying that you're blocking yourself when installing an adblocker.

              No, it's for safety and hygiene.

              > Seems really disingenuous to imply it's someone's fault

              That's because it is. I didn't make the web and I don't work on websites. But I have to deal with it because some fucking dumbasses decided they wanted to save some server cycles by offloading all the hard work onto the client and ruining internet safety in the process, while also offloading the cost of power and performance onto users.

              So if disabling javascript is what's needed to keep my safety? So be it. If it breaks some asshats' websites, then they're websites I don't want to use anyway.

            • oasisaimlessly 2 days ago

              Why do you keep hitting yourself? Hahah

              --childhood bullies

        • justsomehnguy 2 days ago

          > never happened to me

          "Never happens to me means never happens to anyone"

          Also it's quite amusing that if you had got hit with an infinite captcha here then you couldn't post your comment.

          • troyvit a day ago

            > "Never happens to me means never happens to anyone"

            I see your point.

            > Also it's quite amusing that if you had got hit with an infinite captcha here then you couldn't post your comment.

            And you couldn't have hit me with that sick burn ;)

            Seriously though I see where you're coming from in that I was implying that there must be something wrong with the original person's set-up that causes this, and that is not the case.

            The thing is that while there's plenty of complaining about CF's approach nobody is offering a better alternative.

            • justsomehnguy a day ago

              The thing is that CF essentially became a monopolist and if for whatever reason you are on CF's naughty list you are essentially blocked from a lot of resources even if the resource itself is pretty fine with you. And yes, there are no alternatives because guess who is the first one both in Google's top search and word of mouth?

        • hsbauauvhabzb 2 days ago

          Infinity captchas are the most toxic thing ever. I have trouble completing many of the challenges.

      • stingraycharles 2 days ago

        That’s the website owner deciding to do that, Cloudflare just gives them the tools to do so.

        • jasonvorhe a day ago

          Sure, the restaurant down the street chose to protect themselves against the likely risk of their competitor running DDoS against their website instead of their website agency getting a kickback out of a cloudflare partnership.

    • riedel 2 days ago

      CDNs always existed IMHO. The world before cloudflare was just much more hidden. In general I find their take at the typical cloud business from a network perspective mostly refreshing.

      However, I guess they have become the major player now and certainly try to optimize the world towards their business model.

      IMHO it needs other enterprises entering the competition. Maybe it could be new more software defined mobile network providers offering edge compute. Maybe data from IoT could never enter the Internet and we could have some confidential computing power when we need it for our IoT stuff. Maybe we could get a more decentralized Internet again...

      • motorest 2 days ago

        > However, I guess they have become the major player now and certainly try to optimize the world towards their business model.

        I don't think that's it, and I think the explanation is much more simple and straight-forward.

        Cloudflare established a very successful business model around a straight-forward, very transparent, no-bullshit CDN. Now, they started offering other cloud services built around their CDN. Cloudflare Workers kind of extend their CDN pipeline to allow clients to run arbitrary code to customize caching logic, but it turns out their function-as-a-service model is exceptionally good, and higher-level services like email are a low-effort way to meet existing needs.

        • everfrustrated 2 days ago

          Much of their model and success was by giving away a lot of service for free.

          I'm not discounting their innovations but had they not been VC funded and given away free service I suspect many would still never have heard of them.

          • jtbaker 2 days ago

            > had they not been VC funded and given away free service I suspect many would still never have heard of them.

            What does this purity test accomplish? that's just how things work in this industry. Can you name a company that has innovated on their scale that hasn't taken VC?

        • gpi 2 days ago

          Cloudflare is far from a no bullshit CDN. The vendor lock-in is real with an aggressive unethical sales model.

          • vel0city 2 days ago

            I'm not entirely aware of all their products, but just thinking about a CDN, isn't that in many ways kind of fungible? Is it really that hard to migrate to your big cloud co's CDN (CloudFront, Google Cloud CDN) or the several other large competitors without an immense amount of work?

            Please, educate me and tell me what's up.

            • gpi 2 days ago

              Many of Cloudflare's products are bundled together for reasons.

              Trying to unravel all that is an absolute nightmare.

          • tick_tock_tick 2 days ago

            Like what? Give an example. I'm struggling to think of something they offer that is particularly unique and not offered by the other public clouds or several SaaS companies.

      • agrippanux 2 days ago

        Oh I remember a time before CDNs and a big part of your startup fundraise was to build out your own setup inside a data center.

        • TeMPOraL 2 days ago

          It's not the specialization around hosting that's the problem, but that entities running CDNs realized they're in a privileged position in the network, and decided to capitalize on it.

        • otabdeveloper4 2 days ago

          That's not what CDNs are for. They exist for primarily two purposes: a) speed up video loading for end-users, and b) anonymize IP addresses and routes for businesses.

          Cloudflare built a business around b). This doesn't save on hosting costs, only lowers some operational and legal risks.

    • mrweasel 2 days ago

      I still believe that CloudFlare means well, but that doesn't mean that I agree with the increased centralization. This isn't the fault of CloudFlare, they are just exploiting a business opportunity and as you say: At least they're not selling ads.

      It is a legitimate business, from my perspective. I'd just wish we weren't in a situation where CloudFlare isn't exactly struggling to sell their services.

      • motorest 2 days ago

        > I still believe that CloudFlare means well, but that doesn't mean that I agree with the increased centralization.

        I'm perplexed by this sort of comment. Cloudflare doesn't even feature in the top 10 of cloud provider market share, and the number 8 spot already reports 2%. And here you are, complaining about Cloudflare and centralization.

        Furthermore, AWS is by far the biggest cloud provider, reporting around 30% market share, and I don't see AWS being referred as a concern.

    • 1vuio0pswjnm7 2 days ago

      "To be honest, the internet was worse without Cloudflare, so as long as they provide a good service for their customers, I'm fine with it."

      Cloudflare not only blocking IA but asking for money on behalf of the website operator, as a "service"

      https://web.archive.org/web/20250920180605if_/https://www.th...

      • 542458 2 days ago

        That's the site owner demanding payment via cloudflare, not cloudflare unilaterally deciding to charge money (as far as I can tell at least).

        https://blog.cloudflare.com/introducing-pay-per-crawl/

        Looks like The Verge either set up an excessively tight pay-per-crawl policy or doesn't want IA scraping their stuff.

        • incoming1211 2 days ago

          Cloudflare enabled blocking by default. People were on X complaining about it.

          • thephyber 2 days ago

            Blocking access to everyone or to scraping crawlers?

            They have detailed stats about the behavior of all visitors, including how bot-like they are and how likely they are to scrape your (their users’) content.

      • stingraycharles 2 days ago

        Cloudflare offers a service to website owners to do that, yes. It’s the owners’ decision if they want to monetize on the content.

        Is it that bad that Cloudflare offers people these choices?

    • kalaksi 2 days ago

      > At least they’re not selling ads using your data.

      Yet. Since it's an american company with an ever-growing influence, I dread and expect that to change, among other things, down the road. I assume the three-letter agencies also already MITM the traffic.

      • nenenejej 2 days ago

        Assume your beloved tech company can be bought by Oracle and proceed on that basis.

        • galphanet 2 days ago

          You forgot about Broadcom !

    • betaby 2 days ago

      > To be honest, the internet was worse without Cloudflare

      It was better. 'Wget' and 'links' worked with most of the sites.

      • ezfe 2 days ago

        wget isn't supposed to work on these sites. They've chosen Cloudflare and asked them to do this.

        • stingraycharles 2 days ago

          That’s exactly the part that people forget: all these policies are decided to be applied by the website owners. It started with DDoS blocking and they just extended it to more things.

          I feel like people here are forgetting the fact just how hostile bad actors on the internet are / can be.

          • GoblinSlayer a day ago

            How do website owners enable infinite captcha?

          • fragmede 2 days ago

            That brings up opt-in vs opt-out tho, and last time I looked, Cloudflare defaulted to automatically signing website owners up for it. That is to say, if you just mash next, Cloudflare blocks "AI", whatever that means.

    • t_mahmood 2 days ago

      We said the same thing with Google, "Don't be evil", "They are better than MS", now here we are: Google became something that is doing everything to squeeze all the data out of us, so that they can sell it to their partners.

      And, anything that stops them from doing it, well, you are kind of erased from the Internet. The freedom we had is slowly becoming non-existent now.

      Corporates have one and only one target. It is to make money. And this mentality enables them.

      • gundmc 2 days ago

        Google doesn't sell data, they sell ads

    • CaptainOfCoit a day ago

      > To be honest, the internet was worse without Cloudflare, so as long as they provide a good service for their customers, I’m fine with it. This is one of those.

      Who here remembers exactly the same being said by large swaths of the "technologist" community about Google starting the development of Chrome and Chromium?

      It's usually good until it isn't. It's still a company that has to make profits, so when the moment comes when they have to choose between "making money" and "provide good service", we all know what choice companies tend to lean towards.

    • dotancohen a day ago

      > To be honest, the internet was worse without Cloudflare, so as long as they provide a good service for their customers, I’m fine with it.

      Internet had problems before Cloudflare, but for the most part it was useable. Now, suddenly I've been getting IP blocked by Cloudflare on large swaths of websites. Cloudflare is a monopoly when you're a user trying to get to a website.

    • mrbluecoat 2 days ago

      Arguably, ecommerce was worse without Amazon but are we really better off?

      • busymom0 2 days ago

        Shipping times are definitely better off industry wide because of Amazon.

        • mrweasel 2 days ago

          Same day shipping was always the norm here. Order something before 14:00 - 16:00, depending on where the company was on the route for package pickups, and you'd have your package the next day. Amazon has normalized multi-day / weeks shipping, so they've made it worse.

          • gruez 2 days ago

            Where is this?

            • mrweasel 2 days ago

              Denmark, there is no close Amazon warehouse, so shipping always sucks. Not only are shipping times frequently a week or more, it's also overpriced and items are frequently less expensive from local online stores.

              Amazon's only advantage is its massive selection, if you can find what you're looking for.

              • 0x457 2 days ago

                In the US, it's the opposite. If you order directly from the brand, you get multi-day or more often multi-week delivery times. Unless they are using Amazon logistics, in which case it's the same as buying off Amazon - 0/1/2-day delivery times.

                • nulbyte 2 days ago

                  I remember the days when things didn't arrive immediately. I miss them. We were more patient back then.

      • surfingdino 2 days ago

        Amazon are no longer the golden standard of e-commerce. I think 5-10 years from today we're going to look back at 2025 as the year Amazon started to destroy itself from within. They are pushing AI to "update" and "optimize" product descriptions. It's already made art supply descriptions a mess and now I see the same thing happening in the music gear section. I noticed that I go to other sites to buy stuff I was planning to buy on Amazon, because I am not sure what I'm buying anymore on Amazon.

    • immibis 2 days ago

      If CF limited their clients to big businesses (just like Akamai and who else?) it might be less bad, but as it is, they're trying to get the whole internet including small sites on board.

    • ccakes 2 days ago

      If you're a normal person in a country that Cloudflare considers "scammy" - your internet experience is very different from someone based in the US. Your personal online behaviour is irrelevant.

    • sssilver 2 days ago

      > At least they’re not selling ads using your data

      Sounds great, until a new CEO steps in. Any company is exactly one (or more often zero) CEO away from doing whatever they want (within legal constraints) with their business, in order to fulfill their fiduciary duty (and greed).

      • eastdakota 2 days ago

        I’m not going anywhere anytime soon.

        • mike_d 2 days ago

          I am genuinely curious what protections are in place to ensure that? What is the plan after you are gone?

          It looks like you have voting shares with 10x the power of institutional investors, but activist investors aren't dumb either.

          My biggest fear of Cloudflare has always been that one day you'll get hit by a bus and someone will figure out that merging Cloudflare with an ad network would create so much more shareholder value. The road to hell is paved with free DDoS mitigation, so to speak.

        • anonyfox 2 days ago

          Huge fan of Cloudflare here actually. It’s always such a breath of fresh air compared to the heavyweight configuration hells like AWS. And for doing super convenient stuff like make node:http work on cloud functions recently, but guess only certain DevOps guys realize how cool that is compared to other FaaS wrapping ceremonies.

          Too bad you don’t hire senior folks in Germany currently, would probably join in a heartbeat for emotional reasons alone. Keep going, lightweight features on a tap and solid reliability over years is exactly what I need and want at least.

        • anonym29 2 days ago

          Brian Thompson felt the same way.

          At least Brian Thompson wasn't complicit in helping the IC conduct bulk violation of the fourth amendment rights of the entire country, unlike you. He was just a greedy bastard. Your actions, on the other hand, render you a traitor and a threat to the democratic process of the country itself.

    • Gud 2 days ago

      No it wasn’t. The internet peaked in 2005, or whatever year Firefox had the most popularity.

      It’s only been downhill from there.

      The internet was a lot better place before American mega corporations took total control.

      It was mostly neighborhood bulletin boards, fan zines and the occasional shop.

      Today there is only bots, bots, bots, political lunatics and influencers dumbing down future generations.

      • tonyhart7 2 days ago

        "Today there is only bots, bots, bots, political lunatics and influencers dumbing down future generations."

        Seems like it's a people problem, not an internet problem. Are you blaming the knife too when someone uses it to kill people????

        • Gud a day ago

          No.

    • GoblinSlayer a day ago

      >Google is in a perfect position to compete but they don’t, so it’s not like Cloudflare is a monopoly or something.

      Compete on what? I think I saw captchas on sites with google trust services certificates. It's not a google service?

    • bogwog 2 days ago

      > Google is in a perfect position to compete but they don’t, so it’s not like Cloudflare is a monopoly or something.

      Not to comment on whether they're actually a monopoly or not (since idk much about CF's market share, except that it's big), but how does this prove they aren't a monopoly? If anything, it'd work as evidence to prove that they are.

    • neilv 2 days ago

      You could run this business like a protection racket, to drive demand to your service, where you can then provide unencrypted traffic of much of the Internet to other parties.

    • drtgh a day ago

      > the internet was worse without Cloudflare

      Cloudflare acts as a proxy for dynamic content, thereby slowing down the internet.

      Their existence (and success) suggests a lack of infrastructure or solutions (i.e. DDOS, CDN) from data centers on their own and by default, which is... sad, as if the data centers were falling asleep without adapting to the times.

      Soon we may have this picture: User > ISP > VPN (or proxy) > Cloudflare (proxy) > Server.

      Intermediaries are slowness... and in the case of Cloudflare sniffing if they want (if they manage the TLS certs).

      • h33t-l4x0r a day ago

        Hmm, I don't know where you get that takeaway. For me, it's an edge cache, so it speeds up the internet.

        It sits between user and origin, often many hops closer, and serves content cached according to rules set by customer.

        When you're a CF customer they send you reports on how much bandwidth origin is saving and for me, historically, it's been most of it.

        And they do all of it for free most of the time! There's not a lot of cloud providers that I will endorse highly, but I have only love for Cloudflare.

        It also keeps hackers from knowing origin's ip which is nice.

        • drtgh a day ago

          Cache of static content, i.e. images, CSS, JS or a static HTML, the CDN's purpose, to shorten location.

          At the moment you serve dynamic content, you are literally redirecting the request through an intermediary server (from Cloudflare/Homologous to the original server and come back, they are acting as a proxy).

          This results in a slowdown of the internet. In fact, it's easy to tell when a regularly visited site has changed and put Cloudflare in between, because it takes longer to load.

          > It also keeps hackers from knowing origin's ip which is nice.

          Only if you put extra care trying to hide tracks. But certainly it keeps script kiddies from knowing origin's IP, which is the only nice feature.

          Datacenters should deal with this, but their passivity over the years seems to know no bounds.

          • h33t-l4x0r 13 hours ago

            I believe you that this is your experience, but this is not the case in general. Cloudflare will generally result in a faster experience for a correctly configured setup. That's kind of the whole point of using them.

          • cryptonym a day ago

            CDN (can't say specifically about Cloudflare but that's true for others) may allow picking faster routes than BGP (BGP tends to optimize cost rather than perf), sometimes better compression than Origin on the path, and fast handshakes at Edge with already hot connections towards Origin.

            Edge computing can also help accelerate dynamic content.

    • makeitdouble 2 days ago

      I think the point is to keep them in that mindset, and that requires competition and some counterbalance that won't be there if everyone just moves to Cloudflare.

    • viraptor 2 days ago

      There are other services, but CloudFlare is too well known. They're close to monopoly in the DDoS protection business unfortunately. But we still have a choice and for long-term success we should be choosing other companies where possible.

    • ies7 2 days ago

      These sentences are what I would have used to describe Google 10 years ago.

    • qmr 2 days ago

      Ah yes I love when half the internet falls over because everyone is mindlessly relying on a black box they have no control or understanding of.

    • HaZeust 2 days ago

      >" Google is in a perfect position to compete *but they don’t* [emphasis mine], so it’s not like Cloudflare is a monopoly or something."

      That is how it works LOL, just because someone only has the capacity to compete with a monopoly doesn't mean that the monopoly has competition.

    • surfingdino 2 days ago

      I started building on Cloudflare, but after their "pay us 120k or else" tactics they got famous for I decided to move code elsewhere.

    • jesterson 2 days ago

      > the internet was worse without Cloudflare

      That's a very bold statement, would you mind elaborating on it?

    • NooneAtAll3 2 days ago

      you're right

      internet is made sooo much better by negating all encryption effort of the last 20 years

    • azemetre 2 days ago

      If Cloudflare is so vital to the internet, it should be nationalized for the public benefit as having a private entity with so much control over the internet is not a good thing. Corporatized control of the internet should not be encouraged.

      • Imustaskforhelp 2 days ago

        Can't believe if you are joking or not.

        I trust a corporation more than I trust the nation you want it nationalized in (America?)

        EU maybe. But yes I don't want cloudflare to be part of america after patriotic acts and all the dystopia.

        Honestly, cloudflare is not so vital to the internet. Like, the only thing is it's gonna be a problem if they stop working without giving any way to migrate. Then yes, it's gonna be a bit of a problem to the internet.

        • encom 2 days ago

          >cloudflare is not so vital to the internet

          Really? Try distrusting CF certs, and see how much of your internet activity breaks. CF certs should be distrusted, because it's MITM by definition. At the very least, I'd like an addon that makes the URL bar bright red, so I know my connection isn't secure.

          • swiftcoder 2 days ago

            It's not more vital, than, say, AWS. Blocking AWS certs/endpoints will break your internet too.

            Though arguably neither should be in a position to do so without being regulated as a public utility.

            • Imustaskforhelp 2 days ago

              Yup, I also meant the same when I was writing my comment and although I agree about regulation, the thing is, that I don't even trust that aspect...

              Also, I know that there are sometimes where cloudflare sits in the middle between your servers and your users for DDOS protection, and so yes theoretically it's a point of interception but given how their whole thing is security, I doubt that they would exploit it but yes it's a point of concern.

              On the other hand, if something like this does happen, migrating can be easier or on the same level if something like this happened on like AWS.

              But cloudflare still feels safer than AWS y'know?

              That being said, I am all in for some regulations as a public utility but not nationalizing it as the GP comment suggested. Just some regulations would be nice but honestly we are in a bit of tough spot and maybe it was the necessity of the internet to have something like cloudflare to prevent DDOS's.

          • Imustaskforhelp 2 days ago

            Hm, you raise good points but I just thought when I was writing that comment, that if there was even a single case of somebody using that MITM then that would just make everyone leave cloudflare and find either other mechanism or something else that's safer for sure.

            I think that cloudflare is used by most as DDOS protection and so they still have the servers.

            There are also cloudflare workers and pages but even migrating them is somewhat doable as I think that cf workers have a local preview option somewhat available in their node etc., so you could run it locally somehow.

            Sure it's gonna be a huge huge problem but something that the internet might look past (I think).

            Honestly, I kinda wish that there was a way to have something like how the tor onion links work in the sense that the link has the public key of the person running the server and so uh, no matter if it's cloudflare serving the link or something else, it's still something that can't be MITM'd for the most part.

            Am I right in thinking so? Sure, it's gonna make the links longer but maybe sacrifices/compromises must be made?

        • drnick1 2 days ago

          The EU is quickly becoming a dystopian nightmare with age verification, mandated encryption backdoors, and generally an extremely invasive form of government. So no thanks.

          • wwweston 2 days ago

            No thanks to this level of evaluation which doesn’t even rise to “analysis”, it’s just a word salad association that picks two hobby horses and pretends they represent the apocalypse while ignoring all the measures on which many EU participating countries are producing quality of life and personal freedom at outlier levels.

            • Imustaskforhelp 2 days ago

              Let's just hope that EU doesn't add that age verification thing or those Cert based things which are controlled by the govt.

              My opinion is simple, age verification won't work unless they block VPN (something which UK wants to do/ is doing) and that sets a really really bad precedent and I doubt if it's entirely possible without breaking some aspects of internet or complete internet privacy.

              EU in aggregate is net positive but it still has some things which are kinda flawed regulations that are a bad precedent, but germany kinda blocked the verification thing iirc so there is still a lot of hope and EU does look like its trying its best but I think that it can do just a bit better if they don't think of age verification or some other stuff but that's just my 2 cents.

              This was why I added "maybe" tbh. They are one of the best options but even they aren't thaat good. Like it's questionable I think and needs a much bigger debate.

            • drnick1 2 days ago

              What quality of life improvements? I seriously hope major tech companies pull out of the EU market altogether instead of complying when client-side scanning is mandated. Then you can come back here and brag about how great life is in the EU.

      • citizenpaul 2 days ago

        I would say if the political environment pre 1980s was still in existence that might be true. Today that would just mean the entire thing would unravel as it ate its own tail in the race to the bottom environment we are currently in.

        • azemetre 2 days ago

          You can create democratic policies to thwart this. Even something as basic as nationalizing Cloudflare then forcing workplace democracy provisions on it would probably do more good for, not just the Cloudflare workers, but society writ large.

        • Gormo 2 days ago

          Which political environment pre-1980s do you want to go back to? 1930s? 1850s? 1760s?

          • JumpCrisscross 2 days ago

            > Which political environment pre-1980s do you want to go back to?

            1934 [1].

            [1] https://tile.loc.gov/storage-services/service/ll/usrep/usrep... Humphrey's Executor vs. United States

            • Gormo 2 days ago

              I can't imagine what a court case about whether the US president has the power to unilaterally dismiss officials in executive-branch agencies could possibly have to do with this.

              At least you're referencing the United States in 1934, though. Things were very dysfunctional politically in the US at that time, but not nearly as bad as what was going on in some other parts of the world.

              • JumpCrisscross 2 days ago

                > can't imagine what a court case about whether the US president has the power to unilaterally dismiss officials in executive-branch agencies could possibly have to do with this

                Seriously? You don't see the relevance of independent agencies to this discussion?

                • Gormo 2 days ago

                  No.

                  And the dynamics of inter-branch checks and balances within the US federal government aren't directly relevant to the question of whether the federal government as a whole is a reliable institution in the first place (nb: it isn't).

                  • JumpCrisscross 2 days ago

                    > the dynamics of inter-branch checks and balances within the US federal government aren't directly relevant to the question of whether the federal government as a whole is a reliable institution in the first place

                    You don’t see a reliability difference between a self-moderating and unmoderated system?

                    Do you see any value in QC?

          • citizenpaul 2 days ago

            I don't think there has ever been a perfect time but I also think there has been an ever increasing weakness in the government's desire/ability to enforce regulation roughly since that time period.

            I mean the reconstitution of AT&T was IMO one of the biggest middle fingers to the public I've seen. It was broken up because it was a bad actor and now it's back again as a worse than ever bad actor. That was kind of my wake up call. I'm sure there is worse though that I don't remember because it was not tech related.

            I could be wrong I'm not a huge politics person. Either way I don't think any response to me invalidates my opinion that the current government would not do a better job than cloudflare currently is.

      • Gormo 2 days ago

        To make sure I understand, your position is that anything vitally important to the internet should not be under the control of a plurality of institutions subject to heterogenous incentive structures, but instead should be under the centralized, monopolistic control of a single institution that is perpetually compromised by perverse incentives and ulterior motives, whose mechanisms of accountability are mostly performative and demonstrably broken?

        I'm not sure that sounds like a good idea, if that's what you're saying.

        • azemetre 2 days ago

          My position is that if something becomes critical it should be under democratic constraints in a democratic society and not private enterprises that have no forms of control by the populace.

          Maybe if Cloudflare had workplace democracy my concerns would be different, but they don't and wield too much power.

          If it also helps I also think 99.99% of big tech should be broken up into separate, probably a few 100, different companies.

          So yes, anything vital for the internet should be controlled by the people through democratic norms, institutions, and values rather than dictatorships by those with money over those with none.

          • Gormo 2 days ago

            No such thing as "democratic constraints" or "democratic society" at the level you're discussing. Democracy is an imperfect safeguard against certain types of extreme dysfunction of the political system -- a necessary one for sure, but not nearly sufficient to make the institutions it applies to trustworthy with monopolistic control over other aspects of society.

            Everything reduces to specific people acting on their a priori motivations in bounded contexts, and any system of centralized control is guaranteed to enable expressions of the worst motivations of the people involved. The distinctions you're making -- "private" vs. "public", "corporations" vs. "governments", etc. -- are fundamentally meaningless.

            There are no "democratic norms", just norms adhered to by specific people and the factions they form, contesting against each other for power over others. Performative "democracy" is often just cover to allow the currently dominant factions to function as "dictatorships".

            Decentralization and individual autonomy are the only solution to the problems you rightly care about, but what you're proposing is literally the opposite of that.

  • safety1st 2 days ago

    I dunno, I am basically a dick to Big Tech all the time, give me an opening and I will go after them with gusto, but I can't really find fault in Cloudflare offering email sending infrastructure.

    The ire should be reserved for if and when they establish some kind of monopoly or other anti-consumer practices, fall afoul of anti-trust law, and inevitably the US government gives them a free pass for criminality like it has been doing for years with dozens of other Big Tech mergers, rollups, exclusivity dealings, etc. and appears to have just done again with Google a few weeks ago.

    It is fine for big companies to offer competing email sending services. It is not fine for them to break competition laws.

    Also yes, please do set up SPF, DKIM and DMARC for me. I may very well end up using this down the road because they say they'll do that for me and I just don't want to think about them in some situations.

    • toomuchtodo 2 days ago

      > Also yes, please do set up SPF, DKIM and DMARC for me.

      I'm going to take this opportunity, because hopefully Cloudflare will see it, to request they support SPF record flattening natively.

  • neximo64 2 days ago

    And then they'll offer to 'protect' you from AI scrapers for a fee and then bulk negotiate against Google, etc for another fee.

    • nextos 2 days ago

      If you use an old web browser, lots of sites are already not usable because Cloudflare's CAPTCHA will deny you entry.

      New but non-standard niche browsers are also problematic.

      • pmdr 2 days ago

        I usually have the same (residential) IP for weeks on end and there's absolutely no malware or scraping or whatever the heck it is that Cloudflare thinks it's protecting against going on in my house. Yet I still get blocked or captcha'd.

        Website owners may understandably be appreciative of CF. But as someone browsing the web, I think it's done a lot of irreversible* damage to the open internet.

        * I say irreversible because I don't think they'll be looking to improve this anytime soon, but rather add more restrictions.

        • sam_goody 2 days ago

          As a website owner who uses Cloudflare after having been DDOS'd, I agree wholeheartedly.

          Cloudflare succeeded in doing what Google tried and failed with AMP, and we are all the worse off for it. [Though at least it is not Google, that would be worse.]

          I cannot afford to be DDOS'ed and there are bad actors that have already proven that they _will_ take me down if they could. So, I feel bad for the internet being walled up, and I feel bad for users that will lose access. And I fret that one day CF may just decide to take all my content and use it somehow to shut me down.

          Meanwhile though, I hold my nose, cry inwardly, and continue to use Cloudflare.

          • hnav 2 days ago

            What was your infrastructure like? Were the DDoSes affecting you at the application or network layer? I wonder if there's the case to be made for something like CF but integrated into your L4 and L7 LB infrastructure.

            • johncolanduoni 2 days ago

              CF’s single biggest piece of leverage on L7 DDoS is that once a node in a botnet attacks one of their properties, it usually can’t be used to attack any others for a substantial duration. Botnets rely on being retasked frequently so this dramatically reduces their effectiveness. Volumetric DDoS is even worse: you need to have the peering relationships and hardware to handle Tbps of traffic to an IP you announce. Doing either of these in your own infra is not feasible if you’re much smaller than a hyperscaler.

              • hnav 2 days ago

                right, CF (along with Google and Meta) is already servicing double-digit percentages of the world's traffic so it can absorb whatever packets you can toss at it. On the other hand, I suspect most services are going to fall over at L7 first due to common patterns like pre-forked ruby/python servers that struggle to process more than 1k qps per node, unauthenticated user actions putting load on hard-to-scale resources like RDBMS, next to no load shedding designed into the system, etc.

                • GoblinSlayer a day ago

                  That wouldn't be a DDoS, just flaky rate limiting.

      • ta1243 a day ago

        And when you use decent protections against the worst bad actors on the internet (dns blackholing, adblocking, cookie dropping/corrupting, vpns) cloudflare again causes problems

        Just be a good little consumer.

    • mosura 2 days ago

      I am certain this is the intended endgame. LinkedIn/X style verification to prove you are not a bot once the hold is in enough places.

      That such a database has other uses would be a happy coincidence.

    • blibble 2 days ago

      and then capture the data on the sly and sell it to the AI scrapers anyway

  • matthewaveryusa 2 days ago

    Yes, but also you can't send an email in any meaningful way on the internet without going through a middleman anyways so while philosophically you're correct, in reality it's already the case.

    • SahAssar 2 days ago

      I don't think that is true for email or xmpp. Could you please explain?

      • implements a day ago

        You can roll your own email if you can get your head around setting up an OpenBSD box and configuring OpenSMTPD and the correct domain DNS records - but the issue will be email deliverability. Gmail etc are going to treat as spam most emails that turn up from a residential or VPS linked IP address.

        Personal email servers will communicate with each other happily but you need a middleman one for important recipients if you want to be sure it gets into an inbox.

        • dw64 a day ago

          Having hosted a small mail server for friends for over a decade now, I can only think of this as a myth.

          Gmail has specific bulk (!) sender requirements, which to my knowledge don’t include a blanket downranking of residential and „VPS“ IPs (the latter are just datacenter IPs anyways). You need TLS, SPF, DKIM, DNS and reverse DNS entries that align, ideally DMARC and that’s pretty much it.

          https://support.google.com/a/answer/81126?hl=en#zippy=%2Creq...

          At one point I misconfigured a relay as unauthenticated and we got abused by spammers for a day. We got put on all sorts of blacklists within hours and got our IPs cleared self-service immediately after fixing the issue.

          If you just send emails completely unauthenticated, yes they will be blocked.

        • SahAssar a day ago

          In my experience deliverability to gmail is not that hard if you configure stuff correctly. You need a clean IP and domain, rDNS and the usual email stuff like DKIM, DMARC, SPF, but not much else.

          Also not sure why you would choose OpenBSD and OpenSMTPD unless OpenBSD is your style. For example I run maddy on linux, which is pretty easy to configure.
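
The checks dw64 and SahAssar list above (SPF, DKIM, DMARC, and forward and reverse DNS that agree), as an added example that is not code from either commenter or from any mail provider. The zone data, messages and function names are constructed; DKIM signature validity is taken as an input rather than verified, only the `ip4`, `ip6`, `include` and `all` SPF terms are evaluated, and the organizational domain is assumed to be the last two labels.

```python
import ipaddress

# Constructed DNS data: documentation address ranges and example domains only.
TXT = {
    "example.org": ["v=spf1 ip4:192.0.2.10 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; adkim=s; aspf=r"],
}
PTR = {"192.0.2.10": "mx1.example.org", "198.51.100.7": "out7.mailhost.example",
       "203.0.113.5": "host5.isp.example"}
A = {"mx1.example.org": ["192.0.2.10"], "out7.mailhost.example": ["198.51.100.7"],
     "host5.isp.example": ["203.0.113.99"]}  # forward record disagrees with PTR
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fcrdns_ok(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP."""
    name = PTR.get(ip)
    return name is not None and ip in A.get(name, [])


def spf_check(ip, domain, budget=None):
    """Evaluate an SPF record; terms other than ip4/ip6/include/all are skipped."""
    budget = {"lookups": 0} if budget is None else budget
    records = [r for r in TXT.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            budget["lookups"] += 1
            if budget["lookups"] > 10:  # RFC 7208 cap on DNS-querying terms
                return "permerror"
            inner = spf_check(ip, value, budget)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_dmarc(domain):
    """Return the DMARC tags at _dmarc.<domain>, or None (no org-domain fallback)."""
    for record in TXT.get("_dmarc." + domain, []):
        pairs = (part.partition("=") for part in record.split(";"))
        tags = {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}
        if tags.get("v") == "DMARC1":
            return tags
    return None


def org_domain(domain):
    # Assumption: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ("s") needs an exact match; relaxed ("r") compares org domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(msg):
    """DMARC passes if SPF or DKIM both passes and aligns with the From domain."""
    spf = spf_check(msg["ip"], msg["mail_from"])
    result = {"fcrdns": fcrdns_ok(msg["ip"]), "spf": spf, "dmarc": "none"}
    policy = parse_dmarc(msg["header_from"])
    if policy:
        spf_ok = spf == "pass" and aligned(
            msg["header_from"], msg["mail_from"], policy.get("aspf", "r"))
        dkim_ok = msg["dkim_valid"] and aligned(
            msg["header_from"], msg["dkim_d"], policy.get("adkim", "r"))
        passed = spf_ok or dkim_ok
        result["dmarc"] = "pass" if passed else "fail"
        result["disposition"] = "deliver" if passed else policy.get("p", "none")
    return result


MESSAGES = {  # constructed sessions: connecting IP plus the domains a receiver sees
    "own_server": dict(ip="192.0.2.10", mail_from="example.org",
                       header_from="example.org", dkim_d="example.org", dkim_valid=True),
    "relay": dict(ip="198.51.100.7", mail_from="example.org",
                  header_from="example.org", dkim_d="mailhost.example", dkim_valid=True),
    "unlisted_host": dict(ip="203.0.113.5", mail_from="example.org",
                          header_from="example.org", dkim_d="mail.example.org", dkim_valid=True),
}

if __name__ == "__main__":
    for label, message in MESSAGES.items():
        print(label, evaluate(message))
```

The `include` counter is the RFC 7208 limit of ten DNS-querying terms, which is the limit SPF flattening exists to stay under.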

  • bilekas 2 days ago

    Yeah it's already a known point of failure. The annual chaos is always when they have some downtime. They do offer an incredible service though. Would like to see some competition but it's not easy.

  • johncolanduoni 2 days ago

    I’ve never understood the evil MITM endgame here. Cloudflare’s ToS and contracts prevent them from doing nastiness with your data without breach, and approximately all their revenue comes from large enterprises that will leave in droves (and some will actually sue them) if they started exploiting it.

    The thing where they let DDoSers use them to protect their public sites from rival DDoSers is sketchy as hell, but doesn’t rely on having your data.

    • encrypted_bird 2 days ago

      > Cloudflare's ToS and contracts prevent them from doing nastiness with your data without breach ...

      Contracts can be and regularly are changed. Ebay, PayPal, Etsy, Google, Microsoft, ad nauseam all have done this many times.

      Contract-based protections mean very little if those clauses are non-perpetual and revocable.

      • johncolanduoni 2 days ago

        Sure, they could try adding “your data is our data” on the renewal of a few million dollar enterprise contract and see how that goes - probably a redline with a nasty Zoom call attached. They could rug-pull this on free and small business users to a degree, but I don’t even see how it would be worth it. It’s such a small proportion of their traffic, and the fact that this is even a thing on their platform would scare away regulated customers for sure.

      • blackoil 2 days ago

        Changed by informing in advance. If they change it to scrape your data to sell it to advertisers or someone, drop their service.

        • encrypted_bird 2 days ago

          As rumblefrog said, not exactly an option if they're the biggest/only game in town or if no one else has a feature you absolutely rely on.

        • rumblefrog 2 days ago

          Easier said than done, vendor lock-in is costly to move from.

    • no_time 2 days ago

      >Cloudflare’s ToS and contracts prevent them from doing nastiness

      Crypto AG's ToS also presumably said "we pinky promise not to backdoor our devices" when selling it to foreign governments, and look how they ended up.

      https://en.m.wikipedia.org/wiki/Crypto_AG

      • johncolanduoni 2 days ago

        Crypto AG was a literal CIA front. Are you saying you think Cloudflare is a CIA front?

        • no_time a day ago

          Yes. 0% sarcasm.

          It is possibly the biggest MITM operation in the history of computing. An unbelievable intelligence asset.

  • tanh a day ago

    Yes, Cloudflare would be the ideal point for spy agencies to MITM things. It wouldn't surprise me if the funding for it came from them. And since they sit in between, many API audit logs wouldn't even flag intrusions because everything would look like you'd done it.

  • jimmydoe 2 days ago

    Good point, but I guess we are stuck here.

    I don't think Cloudflare did anything major wrong, most of what they offer has plenty of alternatives, but Cloudflare is able to do a lot for free which really isn't their fault.

    There are complaints about its cache's captcha, I get it, ideally it should not discriminate against any human user, but IMO it's an economical problem unless we collectively decide what they do is public utilities.

  • Onavo 2 days ago

    Well, this is their second try at this. They shut down their first attempt after a year (and left a ton of developers stranded).

    https://blog.cloudflare.com/sending-email-from-workers-with-...

    • kentonv 2 days ago

      MailChannels was a different company that offered an integration with Workers, and then later decided to stop offering that integration.

      Today's announcement is a feature offered directly by Cloudflare.

  • op00to 2 days ago

    It's not really a big deal to MITM email anyway.

  • gethly 2 days ago

    Was about to comment on this but you got right to the point. All of this is because people are lazy to build, let alone maintain, their own damn programs and servers.

    • toomuchtodo 2 days ago

      I have more money than time. Take my money to do things I do not have time for. What you call lazy, I call time and capital/cashflow efficient.

      (cloudflare customer, in both personal and professional capacities; i pay Fastmail to host family email; both can easily be switched if needed to prevent lock in, with DNS changes and in the case of hosted email, an export of mailboxes and tenant config)

      • layer8 2 days ago

        What GP is effectively saying is that you don’t value independence enough to invest the necessary money and (for personal use) time into self-hosting.

        And there is a spectrum to this. For example, using a small, independent email or hosting provider may cost a little more time, but makes you more independent from big tech, and maybe more importantly, contributes to reducing the power of big tech. We are all paying for it, down the line.

        • toomuchtodo 2 days ago

          This is a fallacy, as self hosting means you remain at the whims of receiving or interfacing systems. Does you hosting your own email change the concentration of email accounts hosted at Yahoo, Microsoft, and Gmail? It doesn't. Does hosting your own domain or website change Cloudflare's concentration and centralization of internet traffic? It doesn't. You vote with your dollars by picking providers who won't lock you in, you vote with your dollars by picking protocols over platforms that cannot lock you in.

          Paying Fastmail, along with others who do so, means Fastmail will remain as a non Big Tech option, for example (they also developed and championed JMAP, for a more efficient user experience). Paying Kagi means Kagi will remain as a non Big Tech option. Donating to Let's Encrypt means Let's Encrypt will remain as a public good independent of Big Tech. I could go down the list of every service I pay for to de-Google and de-Big Tech, but that's likely unhelpful to further demonstrate the point.

          > We are all paying for it, down the line.

          Indeed, so establish and fund organizations that provide systems and services for benefit vs profit and control that cannot be captured. Self hosting your own box at home helps you (which is totally fine and reasonable, I run my own on prem infra across two continents at small business enterprise scale for use cases I cannot procure commercially at reasonable cost), but does nothing else, and doesn't scale.

          (think in systems)

          • rsync 2 days ago

            Hosting your own email means the subpoena (or warrant) is delivered to you.

            You get to respond to requests and your data cannot be handed over without your knowledge.

            • toomuchtodo 2 days ago

              You will still be required to hand it over, or sit in jail while your confiscated, inventoried equipment is processed by forensics. If I want to be subpoena proof, I’d host the subject system outside the jurisdiction with an org having no connection or nexus in the adversary jurisdiction. Admittedly, this is up to your threat model. Do you want to know, but still be legally required to provide access? Or do you want to be out of reach entirely? The answer to that will guide your implementation and operating model in this context.

              • blibble 2 days ago

                I don't mind being warranted, if they come to the door with warrant I will give them my boring, pedestrian inbox

                but I do mind my data being drag-netted, or hoovered up by scummy big tech and then sold on

                (whether that's for slop training, ads, anything really)

                • majkinetor 2 days ago

                  Why do you mind that? Your life is exactly the same one way or another. Principles, I guess, but it looks to me it's just for the sake of it. For me, time is precious, all I need is data safety so I backup stuff offline constantly.

        • op00to 2 days ago

          > makes you more independent from big tech

          Citation requested. Big tech considers your IP address dishonorable, and blackholes your emails. How independent are you now when you can't email any providers that use blacklists?

          > contributes to reducing the power of big tech

          Again, citation requested. Big tech will just blackhole your emails and you'll only find out when your users complain.

          • dwedge 2 days ago

            Everyone says this about self hosting email but I've had fewer problems self hosting email than any other service - though I don't use residential IPs I use dedicated servers or VPS. I've also seen plenty of comments from others who selfhost email whose experience matches mine.

            I also see a lot of comments from those who have admittedly never tried, telling me that I'll be blacklisted and not even know.

            I don't know if this is some kind of confirmation bias, or if there's just a very vocal bubble of people without experience talking about how difficult it is.

    • hamdingers 2 days ago

      A lot more people and organizations would self-host email if it wasn't a minefield. It's not laziness that Google and Microsoft have effectively decided nobody's allowed to do that.

      • op00to 2 days ago

        I was part of a team that ran EMail services for a ~15,000 person campus of a ~80,000 person university in the late 90s and early 00s. It was a full-time job for a team of people to keep things running, up to date, control spam, etc. It was a minefield 25 years ago! Literal years before GMail was a thing.

    • mbesto 2 days ago

      Your website provides "paywalled hosting and sales platform for digital content creators"

      Are digital content creators lazy too? Why don't they just host their content on their own damn servers?

      • gethly a day ago

        I was obviously not talking about end customers but businesses. In my case, digital content creators should just do that - create digital content. They have no reason to tackle hosting, payments, access rules... as that is not their business. It's mine.

    • 2OEH8eoCRo0 2 days ago

      It's not laziness, it's greed. People want to build and host their own things but that costs money.

      • sophacles 2 days ago

        And this sentiment of "every company should have to run their own servers and pay 'me' to do that at a higher cost" isn't greed?

      • fibers 2 days ago

        Is this even true for such a sensitive subject like email where there are insane blacklists/whitelists everywhere in which you are forced to use a middleman either way so your emails enter someone's inbox?

    • gjsman-1000 2 days ago

      Always has been; remember AOL basically reinventing DNS?

      And always will be.

    • bakies 2 days ago

      running email servers is a huge and terrible time sink

      • dwedge 2 days ago

        Have you tried it?

    • NetOpWibby 2 days ago

      OOF

      Do you talk to your customers with that mouth?

      For those who are too lazy to click, this guy's business is hosting and maintaining a sales platform for people.

      • gethly a day ago

        Yes, this guy's business is that. And it is MY business, not my customers'. If you do not understand the nuance of what I am saying, rather keep your thoughts to yourself as you portray yourself in a very ignorant light.

      • overfeed 2 days ago

        What's the problem? GP is addressing a market need consistent with their comment above. I wouldn't be surprised by an auto mechanic stating that (too) many people are too lazy to change their oil - they might be the best person to make that observation, given their PoV.

  • Faaak 2 days ago

    The new Room 641A

  • TZubiri 2 days ago

    I think first they were hugely successful in their DDoS protection product that consisted of a DNS connected load balancer.

    But now they took the excuse of security to act as a MiTM for everything else, when conveniently, it makes for a great business model to just be slapped in the middle of every connection.

  • mips_avatar 2 days ago

    Email is already MITMed by gmail. 90% of my time managing transactional/marketing emails is just keeping gmail from moving my legit customer communications to spam.

6thbit 2 days ago

> Today, we're excited to announce just that: the private beta of Email Sending, a new capability that allows you to send transactional emails directly from Cloudflare Workers.

So many comments here assumed from the title they're offering a hosted email service, they aren't, they are announcing their own Sendgrid.

  • mustaphah 2 days ago

    More like Amazon SES than Sendgrid.

    • phrotoma a day ago

      Those two are pretty equivalent in my mind, though I've only done trivial things with them. What's the diff?

      • notatoad a day ago

        sendgrid has an email marketing platform with list and audience management tools, in addition to just the ability to send emails. think mailchimp.

  • SilverElfin 2 days ago

    What’s the point of it for Cloudflare? It feels like they’re randomly offering different products. Are they trying to be a full cloud platform like everyone else? If not, then what?

    • qeternity 2 days ago

      > Are they trying to be a full cloud platform like everyone else?

      Yes.

    • mvdtnz 2 days ago

      Cloudflare workers are incredibly powerful and only getting better. This is just another step in the right direction for them.

  • stavros 2 days ago

    That's exactly why I'm excited. I could really use this.

    • toomuchtodo 2 days ago

      Please blog about it if you do!

      • stavros 2 days ago

        I can, but wouldn't that be a boring post? "I set my SMTP servers to this other thing and they still work"? :P

        Or do you mean if I get access to the beta? I probably won't :(

        • toomuchtodo 2 days ago

          I have yet to read a boring stavros post, imgz.org for example. I encourage you to keep writing and keep building. Moar sassy knowledge sharing pls.

          • stavros 2 days ago

            Haha, thanks, I'll write about something soon then!

  • xyst 2 days ago

    Relying on a single, US based company for this need is a bit dangerous.

maz1b 2 days ago

It's unfortunate that email hosting and email infrastructure can really be done only well by major players. The days of people running and maintaining their own are pretty much long gone.

Fwiw, not a knock against CF. I like their products, mostly simple, fair pricing, etc. Just a bit unfortunate commentary on the state of email infra on the internet.

  • drnick1 2 days ago

    I run my own email server and you couldn't pay me to use a commercial provider like Google instead. The privacy benefits are huge and there is no one to restrict my storage or change my "terms and conditions" overnight.

    The days of people running their own servers are gone because of the shortsightedness and laziness of IT managers. They thought the "cloud" would be easier and cheaper, and they are now trapped.

    • matheusmoreira 2 days ago

      You don't have deliverability issues?

      I entertained the idea of running my own mail servers for a while. After researching the topic it turned out that the internet now runs on an IP reputation system. Major email services like gmail assume that anything sent from unknown IPs is malicious.

      So it looks like we've gotta be well connected to federate with the other email servers now. A nobody like me can't just start up his own mail server at home and expect to deliver email to his family members who use gmail or outlook. So I became a Proton Mail customer instead.

      • dpifke 2 days ago

        I've run my own mail servers for many decades and have never had any deliverability issues. I've also never used bargain basement cloud VPS services with horrible reputations.

        The best way to ensure a good reputation is to obtain your own address space from a RIR. Barring that, you need to choose a provider with a decent reputation to delegate the space to you.

        • zokier 2 days ago

          > The best way to ensure a good reputation is to obtain your own address space from a RIR.

          There is the slight problem that RIRs ran out of (v4) addresses almost a decade ago.

        • matheusmoreira 2 days ago

          > obtain your own address space from a RIR

          How does one do that? And what are the costs involved?

          • dpifke 2 days ago

            From your HN profile, I see you're in Brazil, which is part of the region IANA has delegated to LACNIC. Per [0], LACNIC has further delegated numbering authority in Brazil to Registro.br.

            Following the links on that page (or performing a simple Google search) leads one to: https://registro.br/tecnologia/numeracao/como-solicitar/

            [0]: https://www.lacnic.net/1016/2/lacnic/ip-request

            • matheusmoreira 2 days ago

              Looks like I need to become a literal ISP then.

              Before I even start this bureaucratic process, I need to create an actual organization. Then I need to be assigned an ASN. Only then I'll be allowed to beg them for IPs. Once all that's taken care of, I need to tell them things like what the IPs will be used for and what my infrastructure is. If they like my answer, then they'll approve my request and finally tell me what the prices are.

              • elhenrico 2 days ago

                https://registro.br/tecnologia/numeracao/custos/ Setup R$ 14.080,00 (~ 2,624 USD) annual cost R$ 3.379,20 (~ 630 USD)

                • dpifke 2 days ago

                  Wow, that's pretty crazy, compared to the US. I paid a one-time fee of $50, then $262.50/year for IPv4 block + IPv6 block + ASN: https://www.arin.net/resources/fees/fee_schedule/

                  I've been through the process about 10 times now at various companies, and the paperwork (at least for ARIN) is no more difficult than what would be expected to justify IP space from your typical ISP. If anything, the ARIN folks are more responsive and technically competent than your average ISP support agent, which makes the process easier.

        • jitl a day ago

          This seems like a lot of TODOs for something I’d rather just pay a few cents for

      • nicoburns 2 days ago

        > After researching the topic it turned out that the internet now runs on an IP reputation system. Major email services like gmail assume that anything sent from unknown IPs is malicious.

        You have to buy/rent a dedicated IP address (that you'll be able to keep long term), and warm it up by gradually increasing mail volume over a few months to weeks. But once you have, deliverability should be fine.

        I think the bigger issue is needing to keep on top of maintenance of the server.

        • zenmac 2 days ago

          Like the parent, have run Email servers for many years now. If you get a bad IP, as long as you get the DKIM records right, over time it will 'warm' up the IP. And the more you use the email on that IP and NOT spam people. The IP will warm up. Make sure you actually own that IP!!! It will become valuable.

          • op00to 2 days ago

            This does you no good for the months or years it takes to "warm up" your email while your messages are getting thrown into the trash.

          • jamesreadsnews 2 days ago

            Key point - own the IP. We own our IPs and we also buy elastic IPs from AWS. The entire AWS subnet (it seems their entire address space) is universally garbage and unwarmable. Our own IPs have hummed along for years with zero issues.

      • truekonrads 2 days ago

        Deliver via sendgrid*, receive directly is probably the only viable path for self hosted systems.

        Where sendgrid=any major player, could be Mimecast, proofpoint or anyone else who will forward outgoing email.

        • dpifke 2 days ago

          FWIW, a huge percentage of the spam I get is via Sendgrid, and at some point in the past year or two their abuse reporting mechanisms all turned into black holes, so mail sent via Sendgrid is heavily penalized in my spam rules.

          Sending reputation is just as applicable if you're using a third party as if you're hosting it yourself, but much less under your control.

      • drnick1 2 days ago

        I don't have deliverability issues to the big providers, but that comes down to the age of my domain and my IP in a clean non-residential block. But you won't have reputation issues if your friends and family also run their own server and don't enforce such arbitrary requirements. Running your own servers, not only for email, is the only way to regain control over your computing.

    • jedberg 2 days ago

      > The privacy benefits are huge

      Are they? I'd bet 90% of the email in your archive went through Google or Microsoft or Yahoo's servers, and most likely a copy still resides there.

      If you're sending to or getting a message from a Gmail account, Google still has a copy.

    • xp84 2 days ago

      Can you share what your antispam strategy is?

      I have arrived at the opinion that what I would do if I moved to selfhost would just be to pay some trivial amount for outbound email via a provider like sendgrid as someone else in these comments has also mentioned. Since I send out maybe a half dozen emails a month I don't think this would be a big deal.

      But when I relied on selfhosted email several years ago, I was always inundated with spam, which SpamAssassin was wildly undermatched to handle -- that was one of the main reasons I moved to gmail. So I'm curious what people who are happy self-hosting today are using.

      • drnick1 2 days ago

        My suggestion would be to use a unique alias for each website/company. This way, if you start receiving spam at that address, you know who leaked it, and can simply delete the alias. You should also then publicly name and shame the source of spam.

        I also run SpamAssassin on my server, but I don't believe it ever had to do anything.

      • kuon a day ago

        Reverse DNS check and rspam check at connection phase (no spam folder and false positive gets an email from their MTA)

    • stackskipton 2 days ago

      I’m the reverse, I can pay Microsoft 8 bucks not to mess with this? Sign me up!

  • cullumsmith 2 days ago

    I've run my own mail for 10 years (postfix/dovecot/rspamd), no issues. Reverse DNS, SPF, and DKIM records need to be in place, but that's a small lift.

    Well, one time I was unable to send mail to a guy with an ancient @att.com email address from his ISP. I got a nice bounce message back with instructions to contact their sysadmins to get unblocked.

    To my surprise, they unblocked the IP of my mail server in a matter of hours.

    • everfrustrated 2 days ago

      Private email will have no problems. I also ran my own mail server for personal use and had almost zero problem (and this was on an AWS IP!).

      Where people will absolutely have problems is trying to run a marketing campaign through their own IP. You absolutely will (and should) get blocked. This is why these mixer companies exist and why you pay for an intermediary to deliver your mail.

  • sgt 2 days ago

    This is a myth though (with some truth to it in certain cases). I've run my own mail infrastructure since 1999, no issues.

    • cj 2 days ago

      I suspect if you shared more info about your mail infrastructure, it might reveal that what is working for you is too complicated for 99.9% of people to set up and maintain themselves.

      • seszett 2 days ago

        I don't think the goal is that every non technical person can host their own mail infra.

        But most people who can run a server should be able to set up OpenSMTPd with the DKIM filter and Dovecot. It's much easier than configuring postfix like we had to do in the past.

        To answer a sibling comment, the last time I received an answer is a few minutes ago. The correspondent's email infra is hosted by Google.

      • sgt 2 days ago

        You're right, it used to be a bit complicated. Now you just need to have a reputable and clean IP address, and knowledge of running some services in docker and of course understanding DNS and its crucial role for running a mail server.

        I used to run all the components and maintain it (even that wasn't bad), but I changed to mailu[1] about a year ago

        [1] https://mailu.io

      • kordlessagain 2 days ago

        Your argument might have worked 5 years ago. Now, with AI, it's very dated.

    • zokier 2 days ago

      It is probably because you have run it so long that you have good reputation and less issues. Too bad we don't have a time machine to go back to the nineties to start building up reputation.

    • lomase 2 days ago

      Every single IT team I know wanted to get rid of the mail servers.

      I don't know why. At the same time they don't want to get rid of the database servers, or the app servers.

      Maintaining an email service must not be as easy for them.

    • nicce 2 days ago

      Have you had static IP since then? A problem is that most new mail servers will have IP address with history.

      • sgt 2 days ago

        The current static IP (it changed over the years) I got in 2016 or so.

    • logicallee 2 days ago

      >This is a myth though (with some truth to it in certain cases). I've run my own mail infrastructure since 1999, no issues.

      when was the last time you got a reply to an email you sent?

      • sgt 2 days ago

        All the time. I use it in production and I have many users.

    • SoKamil 2 days ago

      Well, it’s hard to beat 26 years of expertise.

  • sgustard 2 days ago

    Cloudflare's customers are companies that have to send out, say, reset password emails and verify account emails and other crumbs of the modern web. You want me to build my own infrastructure for that? Personally I can't wait for them to expand to SMS and crush Twilio.

  • python273 2 days ago

    It's really not that hard to run a mailserver with https://github.com/docker-mailserver/docker-mailserver

    The problem is that Gmail will bounce any emails from DigitalOcean IP, even if you sit on this IP for years (so no recent spam), even if replying to someone, even if you registered as 'Postmaster' on Google.

    So if you want to selfhost, you'll first need to find an IP that's not blocked to begin with.

    • SahAssar 2 days ago

      That is not my experience at all. Using a pretty fresh IP and domain I get pretty good deliverability as long as I have proper rDNS and all the other normal steps (like DKIM, etc.)

    • TZubiri a day ago

      > It's not hard, if you do it in a way that you can't send to like 50% of the recipients.

      So it's hard (to do well)

      >The problem is that Gmail will bounce any emails from DigitalOcean IP, even if you sit on this IP for years (so no recent spam), even if replying to someone, even if you registered as 'Postmaster' on Google.

      >So if you want to selfhost, you'll first need to find an IP that's not blocked to begin with.

      I'd say this is just the thing antitrust was made for. Hopefully some incumbent can get them to court.

  • parliament32 2 days ago

    > The days of people running and maintaining their own are pretty much long gone

    This is very much a myth. There's a lot of FUD around how mail is "hard", but it's much less complicated than, say, running and maintaining a k8s cluster (professionally, I'm responsible for both at my org, so I can make this comparison with some authority).

    Honestly `apt install postfix dovecot` gets you 90% of the way there. Getting spambinned isn't a problem in my experience, as long as you're doing SPF and DKIM and not using an often-abused IP range (yes, this means you can't use AWS). The MTA/MDA software is rock-solid and will happily run for years on end without human intervention. There really isn't anything to maintain on a regular basis apart from patches/updates every few months.

    • btown 2 days ago

      I think that there's a mindset among younger coders that "if it's not a modern post-AWS cloud provider, servers will take ages to come online and aren't going to give me full access, that's why EC2 exists." And this is conflated with the myth that running a mail server is hard.

      But in practice, you can find any number of VPS providers, running in local datacenters, with modern self-service interfaces, with at least some IPs that aren't already spam flagged (and you can usually file a ticket to get a new IP if you need it), that are often cheaper per month than AWS, and give full root and everything. Find a service that will help you warm the IPs before you send to customers, and you're good to go!

    • drnick1 2 days ago

      This is 100% my experience too. Self-hosting email isn't any harder than self-hosting something else and there is no maintenance beyond apt update and apt upgrade. Even if you choose to do this in hard mode using postfix/dovecot instead of a dockerized stack, you can get a working config in a few minutes from an LLM these days.

      • tyingq 2 days ago

        I think this quote:

        > > The days of people running and maintaining their own are pretty much long gone

        Is less about the pieces you've mentioned, and more about reliable delivery without fighting blacklists, ip/domain reputation blackholes, etc.

    • jedberg 2 days ago

      > There's a lot of FUD around how mail is "hard", but it's much less complicated than, say, running and maintaining a k8s cluster

      The main difference is that you're fully in control of the k8s cluster, but no matter what you do, you don't have control over the email infrastructure, because deliverability depends on the receiver. On every receiver you send to.

      People say "I don't have deliverability problems!" but how do you know? Most places don't tell you they rejected your email.

      • parliament32 a day ago

        Meh, one could also complain they don't have control over backbone networks, transit, peering agreements, and intermediary routing therefore hosting a service on k8s is futile without using a managed provider / PaaS.

        > People say "I don't have deliverability problems!" but how do you know?

        Because people reply to my emails.. because I email documents to family/friends/landlord/etc and they receive it as expected..

        > Most places don't tell you they rejected your email.

        Of course they do, this is what DMARC is for.

        • jedberg a day ago

          > intermediary routing therefore hosting a service on k8s is futile without using a managed provider / PaaS.

          Except that a managed service doesn't solve that for you. They are no better at that than you are. Email services are better at deliverability than you are, because they spend lots of time building their IP reputations and more importantly negotiating with mail providers to guarantee their emails show up.

          > Because people reply to my emails.. because I email documents to family/friends/landlord/etc and they receive it as expected..

          I'm guessing you don't confirm every email you send with every person though.

          > Of course they do, this is what DMARC is for.

          I was involved in the creation of DMARC (and SPF and DKIM) so I know how it's supposed to work, but in the real world, most providers do not honor the "reject" flag and actually send the bounces. Last time I dealt with it was a few years ago, maybe it's better now.

          For context, I started my career at Sendmail, and I worked on the SPF and DKIM specs, so I've dealt with deliverability for 25+ years. I also ran my own mail server until around 2009. But I switched to Gmail as my primary around 2008, when deliverability just got too hard. But I still worked on commercial deliverability for years after that.

          Granted, SPF and DKIM weren't widely adopted at that point (and DMARC didn't exist), so maybe it's easier now. But at the same time, most of AWS/Azure/GCP are marked as bad automatically, as well as most home internet blocks.

          So if you want to run your own mail server, you can't do it on your home router anymore, you have to rent a server in a rack and get a clean IP that's just for you. That costs $$$.
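
The DMARC feedback this subthread argues about reaches a sending domain as aggregate (`rua`) XML reports. The following is an added example, not code from any commenter or project mentioned here: a summary of one such report that separates failures from the operator's own server from mail sent by unrecognised sources. The report content, the domain `example.org` and the addresses are constructed, and `summarize_report` and `own_ips` are hypothetical names.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: a DMARC aggregate (rua) report for example.org in the
# RFC 7489 layout. 192.0.2.25 stands in for the self-hosted server's address.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>example.org</domain><p>reject</p></policy_published>
  <record><row>
    <source_ip>192.0.2.25</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>192.0.2.25</source_ip><count>2</count>
    <policy_evaluated><disposition>reject</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>198.51.100.7</source_ip><count>5</count>
    <policy_evaluated><disposition>reject</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""


def _load(xml_text):
    # Reports are third-party input. A report never needs a DTD, so refuse
    # one instead of letting the file declare entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in DMARC report")
    root = ET.fromstring(xml_text)
    # Some reporters place the elements in an XML namespace; drop it so the
    # same element paths work for both styles.
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def _text(node, path):
    found = node.find(path)
    return (found.text or "").strip() if found is not None else ""


def summarize_report(xml_text, own_ips):
    """Return per-source pass/fail counts and a list of findings.

    own_ips (an assumption of this example) lists the addresses the
    operator actually sends from.
    """
    root = _load(xml_text)
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    sources = {}
    for row in root.iter("row"):
        try:
            ip = ipaddress.ip_address(_text(row, "source_ip"))
            count = int(_text(row, "count"))
        except ValueError:
            continue  # malformed row: skip it rather than trust it
        if count < 0:
            continue
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        passed = "pass" in (_text(row, "policy_evaluated/dkim"),
                            _text(row, "policy_evaluated/spf"))
        stats = sources.setdefault(
            str(ip), {"pass": 0, "fail": 0, "dispositions": Counter()})
        stats["pass" if passed else "fail"] += count
        disposition = _text(row, "policy_evaluated/disposition") or "unknown"
        stats["dispositions"][disposition] += count

    findings = []
    for ip in sorted(sources):
        failed = sources[ip]["fail"]
        if failed:
            # A failure from an own address points at broken SPF/DKIM setup;
            # one from elsewhere is a forwarder or someone else using the domain.
            mine = ipaddress.ip_address(ip) in own
            kind = "own-server-failing" if mine else "unrecognised-source"
            findings.append((ip, kind, failed))
    return {
        "reporter": _text(root, "report_metadata/org_name"),
        "policy": _text(root, "policy_published/p"),
        "sources": sources,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in summarize_report(SAMPLE_REPORT, ["192.0.2.25"])["findings"]:
        print(finding)
```

Aggregate reports cover SPF/DKIM alignment and the disposition the receiver applied under the published policy; they do not say whether a message that passed was later filed as spam.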

  • supz_k a day ago

    We are working on an open-source, self-hosted solution [0] to make this easier. When you correctly set up DKIM, SPF, reverse/forward DNS for IPs, it is not very hard to get emails delivered. IPs can still get blacklisted and you need to monitor blacklists and contact them if it happens. Solutions like Postfix are great, but they lack observability. In our solution, we have developed dashboards and health checks to make it easier to find problems with the setup.

    We are currently running beta tests (really appreciate it if you can join).

    [0] https://github.com/hyvor/relay

  • egorfine 2 days ago

    > I like their products

    I do, too. What I don't like is that they became too large and now are effectively in position to gatekeep the whole internet.

  • mbeex 2 days ago

    There is a sweet spot between Gmail and self-hosting. I use Runbox and generally separate contexts, with CF being an exception as I use CF pages for static blog websites, some of their core services, AND as a registrar. For the latter, the default setting is porkbun. The reason for this is not CF's mandatory in-house DNS servers, but the simple fact that they do not register .de domains.

  • jasondigitized 2 days ago

    Resend was a breath of fresh air for me recently.

  • TZubiri 2 days ago

    I see this common pattern where a previously private infrastructure is opened up (usually from low abstraction), and the ecosystem is split into an open base and a private thin layer, and that private layer might just reimplement the same tradeoffs that the incumbent private monoliths made.

    Examples being Git/Github, Crypto/Centralized Exchanges, and as per the topic, email.

    But I think that it's an important distinction that the base infrastructure is open, and that technically an incumbent could join the fray, albeit with a lot of catching up to do, and mix it up.

  • jesterson 2 days ago

    > It's unfortunate that email hosting and email infrastructure can really be done only well by major players. The days of people running and maintaining their own are pretty much long gone.

    It's really not. Everyone can do that (doesn't mean everyone should). I'm running it for millions of emails daily and don't see why I would use a crappy proprietary service instead.

pier25 2 days ago

Great move. Will probably switch to it immediately from Sendgrid as soon as it goes GA.

Sendgrid recently killed their free tier (100 emails per day) and their lowest plan is now $20/month for 50,000 emails. It's totally overkill for low traffic projects.

  • rcleveng 2 days ago

    Even with those pricing structures, 95%[1] of the spam I get comes from sendgrid. To their credit, their abuse@ address is good at handling the reports and they reply with a followup that the report was received and able to be acted upon[2].

    The volume of spam (for me) doesn't seem to be decreasing from them, so there's a lot of moles to whack.

    [1] Just a guess from looking at the last weeks

    [2] I know it's automated, but often there's 2 that come with the 2nd one stating it's acted upon, so I'm hopeful.

    • friendzis 2 days ago

      These services are just spam-circumvention as a service. It's cheaper and easier to pay 20 bucks to sendgrid and let them fight the fight with google/microsoft/yahoo than to circumvent spam protections of the big providers.

      You can very reasonably and reliably expect spam amount to correlate with the cost of sending said spam or expected return. At any service. There used to be a time where you HAD to check your mailbox several times a week or it would (literally) overflow with spam.

  • mfkp 2 days ago

    Zeptomail by zoho has been reliable for me and extremely reasonably priced: https://www.zoho.com/zeptomail/

    • stavros 2 days ago

      This is really cheap, is the deliverability good?

      • mfkp 2 days ago

        Yes, honestly been much more reliable than my previous provider (mailgun). Their IPs were constantly getting on spam blocklists with yahoo and hotmail. No issues with zepto so far, been using about 9 months.

        • stavros 2 days ago

          Thank you! I hope they verify me soon.

    • pier25 2 days ago

      This looks great. Thanks for sharing!

  • richwater 2 days ago

    > Sendgrid recently killed their free tier (100 emails per day) and their lowest plan is now $20/month for 50,000 emails. It's totally overkill for low traffic projects.

    With a pricing structure like that it appears they became too tired of verifying/validating users to not send spam. Unfortunately I don't blame them.

    • bachmeier 2 days ago

      $10/year for 10,000 messages/year is 10 cents per message. (Or some other volume at 10 cents/message.) Surely too high for spammers but cheap enough for an app with a low message volume.

      • athorax 2 days ago

        $10/year for 10,000 messages is a tenth of a penny per message

      • richwater 2 days ago

        It's not about optimizing for low volume side projects.

        Barrier to entry for (12 * $20) is much higher than $10/year and they figure that was worth the tradeoff of losing small fish customers.

        • bachmeier 2 days ago

          Well, I was responding to your claim that "it appears they became too tired of verifying/validating users to not send spam" is the reason for killing their low-volume free tier. It's a different story if they dropped the free tier to focus on large-volume customers.

    • pier25 2 days ago

      isn't this done automatically?

      • sophacles 2 days ago

        Sure, and then the spammers figure out how to fool the checks. And sendgrid has to figure out how to detect the new and improved spammers. Then the spammers figure out how to fool the new and improved checks... and so on.

        The part where sendgrid has to keep figuring out how to make new and improved validation is expensive.

  • tmiku 2 days ago

    Re: Sendgrid killing their free tier - I used them for the contact form on my personal website, and after they ended the free tier I was able to move to Resend (who has a similar free tier) without too much work. Pretty happy with it so far.

  • albertgoeswoof 2 days ago

    Try https://mailpace.com

    The lowest plan $40/year for 1k emails/month isn’t on the Pricing page, but you can select it when signing up.

    • littlecranky67 a day ago

      Sounds expensive. Amazon SES has 1k emails/month included for free (if you use an API to send). When sending via SMTP that quota does not apply, but still 1k Emails just costs 0.1$ (yes, 10 cents). I do not use any other AWS services but SES for my emails because of the pricing, I host everything else on Hetzner.

      • albertgoeswoof a day ago

        Yes but AWS SES emails don't get delivered to inboxes

        • littlecranky67 a day ago

          That doesn't seem like even close to the truth, else Amazon SES would have no business. I use it myself in my Webapp to deliver signup verification and haven't gotten a single complaint so far.

    • johtso 2 days ago

      Thanks for recommending mailpace, £7.50/month for 10,000 emails is very reasonable, _and_ they support idempotency! Definitely makes me consider switching to them..

    • iamcalledrob 2 days ago

      Been using Mailpace for a few years.

      Has been a 10/10 experience -- rock solid and extremely good deliverability.

      Wish the pricing increased non-linearly though at higher volumes.

    • pier25 2 days ago

      Thanks. It's not very smart to not list that plan in the pricing page IMO.

      • jasonfrost 2 days ago

        Or migadu for 19/yr

        • sodality2 2 days ago

          Migadu is more for personal emails - they aren't meant for transactional emails at all.

  • alpn 2 days ago

    smtp2go.com offers a free tier with 1,000 emails/month. I’ve been using it for a few small services I run and haven’t had any issues so far.

  • jabroni_salad 2 days ago

    smtp2go will let you have 200 a day or 1000 a month for free.

    • bangaladore 2 days ago

      Switched to this from Sendgrid for my low email volume apps.

freetonik 2 days ago

Finally. My two production projects are built entirely on Cloudflare workers platform, and I dread every time I have to log in to AWS to manage SES. I even wrote a note for myself with instructions which buttons to press and where to navigate, like you'd write for your elderly relative who's "not good with technology".

  • aprilnya 2 days ago

    Honestly this is why I like what Cloudflare is building nowadays. They aren’t just a CDN but rather they’re becoming a full on cloud, like AWS and Azure are - except their developer experience is just so incredibly better than any other cloud

    • aetherspawn 2 days ago

      One thing I like about Cloudflare is that each product makes sense on its own, not like AWS: go make access policies in one place, ACLs in another, and before you know it you have no idea how anything works without taking an AWS Certified Consultant course.

      Cloudflare feels like separate silos, each individually complete and usable. And the “minimum viable path to make-this-work” is usually 1-2 button presses, rather than filling in pages and pages of configs.

      I also love that Cloudflare is scoped under each domain, it helps keep my projects separate.

    • SahAssar 2 days ago

      My experience is pretty much the opposite. Bad support for common APIs like S3, terrible support for terraform/opentofu, none/lackluster help in support or github issues.

NoahZuniga 2 days ago

> Imagine a user emails your support address. A Worker can receive the email, parse its content, call a third-party API to create a ticket, and then use the Email Sending binding to send an immediate confirmation back to the user with their ticket number. That’s the power of a unified Email Service.

This is/was already possible. You can just reply to an email from an email worker.

  • joshcartme 2 days ago

    I had the exact same thought. I guess now you could put something in a queue if you have to do non-trivial processing before replying, but that’s not what they wrote

  • fernandotakai a day ago

    i did this exact thing literally 15 years ago with a simple django app -- there's no way they are using this kind of example in 2025 year of our lord.

tracker1 2 days ago

I keep thinking that Email would be a pretty natural extension process with the workers model in general... if they offered workers that could handle a tcp connection as stdin/out from the application perspective. Especially in concert with D1, R2 and other services.

I think the biggest issues would come down to server-side search functionality though. For very basic services, and even most of common IMAP/JMAP, it could be pretty great. Working on a major email platform is something I've really wanted to do for a while now. (cloudflare, call me)

mtrovo 2 days ago

Kind of off-topic, but it's such a pity that we arrived at email as the local minimum for the best communication protocol for transactional messages. Having to set up an email service just to be able to enable authentication flows on a new website is such a hindrance that I keep wondering if it would be different if sending push notifications to a cell phone was made an open protocol..

  • parliament32 2 days ago

    It's because every communication protocol since has been a walled-garden with a rent-seeker attached. This is why open, federated protocols are so critically important.

  • citizenpaul 2 days ago

    I hear your pain. However I think if you really look at it email is a good thing. Its brokenness is a highly desired feature. It is the last generally accepted tech bastion that keeps us from becoming some sort of always on the job star trek borg style creatures that cannot have plausible deniability that the computer failed.

    Oh i didn't get that email.

    Oh spam filter.

    Oh so backlogged on email.

  • charcircuit 2 days ago

    This is the fate of most open protocols. It becomes too hard to migrate to a new spec due to the increasing difficulty of coordination and then the protocol gets stuck in time.

  • ectospheno 2 days ago

    Spam push messages don’t need to be a thing. Ever.

  • pphysch 2 days ago

    China was able to pull that one off, pretty much no one uses email there.

    • mtrovo 2 days ago

      What exactly are they using? Wechat messages?

      • parliament32 2 days ago

        For registering/authenticating to service, SMS mostly. Same deal in Russia in my experience, basically every website/service signup asks for your mobile number and just texts verification codes.

        • eikenberry 2 days ago

          So smart-phone is required for everything there? No computer flows for website access? "We" definitely don't want that... but many others do as it takes control away from people.

          • tavavex 2 days ago

            For just SMS authentication, you just need a phone. Any kind of phone.

            But it also just so happens that in both of those countries, you must have your identity attached to any SIM you purchase. So, anything that makes you register with your phone number will indirectly link your real identity to that registration. It must be very convenient for their governments!

          • gabelschlager 2 days ago

            Smartphone is required for everything there, yes. Signing up for services, authenticating yourself (e.g. when entering a train station), payment, social media, etc.

            Computers used to be expensive and people had less money back then, so most of the country essentially just directly upgraded to smartphones. Many don't and never used to own a PC outside of work.

          • parliament32 2 days ago

            No, any kind of phone that can receive codes over SMS will work (like the ultra-cheap feature phones you can probably get at your local corner store). From a computer browser, you still enter your mobile number to login, then enter the verification code it sends you over SMS. I've also seen sites that offer phone call as an alternative to SMS, so you can presumably also login from a landline.

    • jesterson 2 days ago

      That's nowhere near reality. It's used a lot in corporate world.

xp84 2 days ago

Question for the Cloudflare people: We use sendgrid today, and create subaccounts through it (entirely with API calls) to allow our customers to add and verify their own domains (with a couple of DNS entries the customer can create). Then we can send out email on their behalf "from" their domains -- with DKIM, SPF, and all that still being happy.

Does the Cloudflare email routing product provide this same capability?

Oras 2 days ago

Been waiting for this for a long time! CloudFlare developer platform is underrated. The ability to use queues, cache (KV), Hyperdrive, and R2 (an S3 equivalent) with one line of code is just brilliant.

  • mtrovo 2 days ago

    Same here. Cloudflare products are a really good balance for small projects that could eventually need to scale up. Durable objects is such a cool concept in itself that I don't know why it didn't catchup the same way in other providers.

  • codegeek 2 days ago

    I really like CF focus on developers but their R2 is not quite configurable yet as S3. I am looking forward to move away from S3 if R2 can get their bucket policies and permissions as advanced as S3.

    • kylehotchkiss 2 days ago

      Could you accomplish your needs in R2 just using more buckets?

      • codegeek 2 days ago

        potentially yes. but that will not be a clean solution. One bucket per customer is our rule.

RandomBacon 2 days ago

My understanding is that "Best Practice" is to use different companies for different services (not to have all of your "eggs in one basket") in case something goes wrong with one company and they take everything down.

This is what I have...

Domain Name Registrar: Dynadot

DNS: Cloudflare

Hosting: Dreamhost

Email: Fastmail

Should everything be under Cloudflare? I think they also do domain name registration and now, soon email. Not sure off the top of my head if they do hosting.

  • ry167 2 days ago

    You can't connect to your email or hosting if your DNS with Cloudflare is down.

    Plus, Dynadot uses Cloudflare for their site, so you couldn't even change your nameservers if CF is down.

    A random scatter won't protect you from a service like CF / AWS / GCP being down, and most users won't benefit from protecting from that sort of unlikely and major scenario anyway...

    • RandomBacon 2 days ago

      That's a good catch about Dynadot using Cloudflare.

      Ideally there would be a setup to avoid having the domain name registrar use a different DNS than me.

      I'm more concerned if an over-zealous algorithm or employee shutting down an account and being able to just switch that one service to another company rather than losing everything.

  • hamdingers 2 days ago

    I'm not sure what best practice actually is, but each different company you depend on is a different failure point. If CloudFlare goes down half the internet does (which is a problem of course, but not my problem), so from a purely utilitarian perspective depending on them feels like a safe bet.

  • bachmeier 2 days ago

    Does Fastmail have an easy API for sending messages from an app? I've tried it before but found it much more complex than an API call.

  • nojs 2 days ago

    They do, it’s called “pages”

Topfi 2 days ago

That seems very similar to Resend, which has been a joy to use for my part.

citizenpaul 2 days ago

WTF Cloudflare you are using a google form for the beta sign up?

Sign up to the waitlist here. https://forms.gle/BX6ECfkar3oVLQxs7

Edit: I see it's an email sending service not client.

  • divbzero 2 days ago

    To be clear, Cloudflare Email Service is not a full-blown email provider like Fastmail, nor is it even comparable to email services like AWS SES or SendGrid. Cloudflare already offered email routing and Cloudflare Email Service just adds the ability to send email via Cloudflare Workers, so there’s a long way to go before Cloudflare could be an option for replacing Fastmail.

    • XCSme 2 days ago

      What would be the difference if we are talking about transactional emails? Why not comparable to SES?

      • divbzero 2 days ago

        You know, it might be closer to AWS SES and SendGrid than I thought initially. My first reading of the blog post gave me the impression that Cloudflare Email Service was designed for Cloudflare Workers only because that’s what they emphasized upfront. But I missed this piece:

        > We’re also making sure Email Service seamlessly fits into your existing applications. If you need to send emails from external services, you can do so using either REST APIs or SMTP.

  • wiether 2 days ago

    > This really irks me.

    It shouldn't.

    They are not launching a complete emailing service, this is just a service that you use to send emails from an app.

    "Moving" to their service is as easy as updating your DNS records so they can be seen as an authorized sender.

  • TiredOfLife 2 days ago

    That's nothing. One of the recent CloudFlare outages was because they hosted some essential stuff at Google cloud and that had an outage

gen3 2 days ago

> // Classify incoming emails using Workers AI
> const { score, label } = env.AI.run("@cf/huggingface/distilbert-sst-2-int8", { text: message.raw })

This is neat but be careful using an LLM to parse email content. The demo is a BERT model which is good, but I can see how someone might swap this without realising the implications

Also really nice to see emails from workers, it's something I have wanted for a while!

amonroe805-2 2 days ago

This is great. I’ve had many side projects with Cloudflare where I’ve wanted a way to send emails as a part of it, and it’s slightly annoying having to go find another service to use to get that done. Having this baked-in will be sweet!

BinaryIgor 2 days ago

Cloudflare have great products and engineering expertise, but it starts to get into a concerning territory; what kind of influence over various protocols of the Internet they (might) have.

  • cube00 2 days ago

    Especially when they decide you've used too much and shake you down for a higher business or enterprise plan.

keeda 2 days ago

What are people's experiences using their current Email Routing service? Mine wasn't great -- right after I set it up I could not get a single test email through to my recipient account despite multiple attempts. No delivery failure emails or any responses at all. Nothing on their dashboards either.

Searching their community threads turned up several other folks who had encountered similar silent failures that were never reported on the dashboards or any status page, leading them to question the company's interest in supporting this feature. I tabled that idea at that point as it was not critical.

A few months later, I randomly tried sending a test email again and it just worked. However, the initial experience left a bad taste in my mouth. Could I trust it to start routing critical emails?

Wondering what other folks here have experienced...

  • cr3ative 2 days ago

    They enforced ARC without any notice which failed deliverability by about 50% for my catch-all address. I only noticed when someone told me they had emailed and it didn’t come through.

    I just don’t trust them now. That was a huge misstep.

  • jamescrowley 2 days ago

    I had a similar experience and backed away from using it - non-spam emails were getting spam filtered without visibility or notification.

  • pier25 2 days ago

    I use it with a couple of addresses. No issues so far.

codegeek 2 days ago

Cloudflare at some point will basically compete with AWS as the entire infra platform for developers. They are slowly building tools one after another.

I am really excited to follow how their Containers platform matures as it is still too early.

  • everfrustrated 2 days ago

    Yup and why their share price has rocketed. Nobody in the CDN industry is making money - a large player went bankrupt recently. You don't want to look at Fastly's financials and share price. Cloud is where the money is.

    • mobilio 2 days ago
      • ruperthair a day ago

        Interesting read, thanks! One almost LOL moment for me was at the end of this paragraph:

        That is also an important part of AWS’s retention strategy: for most AWS customers the easiest solution to rising costs is to simply sign a long-term contract, dramatically decreasing their prices (again, Amazon has the margin to spare) while ensuring they stay on AWS that much longer, accumulating that much more data and relying on that many more AWS-specific services. Hotel Seattle, as it were.

GutenYe 2 days ago

For those who may be interested: I’ve built a project called Guten Email Notification, based on Cloudflare Email Service. It provides a simple way to send notifications to yourself from NAS, homelab servers, or GitHub Actions. You can check it out here: https://github.com/gutenye/email-notification

SouravInsights 2 days ago

I just signed up for the early access!

So far I have used Resend, Sendgrid, Loops (for a personal throwaway project so don't have good exposure) but I found Resend the easiest, most convenient and straightforward. Especially their React Email library made it so much easier to compose emails using React components. I really love that. Back then we had to manually craft HTML emails, worry about inline styles, and constantly test across different clients, which was a pretty painful process compared to how smooth it is now with React Emails.

One key part of my workflow is validating emails before sending so I'm not blowing up my bills or getting labelled as spam. And since Resend doesn’t support that natively, I'm currently having to use Emailable’s API to check if addresses are actually deliverable. Having that built-in would be a huge plus. And I know it's not usually something that email providers should care about but it would be so much better if Cloudflare makes this a native offering.

joshstrange 2 days ago

I’m interested to see pricing and what the backend dashboards look like for this. I’m currently using PostmarkApp for my transactional emails and they keep bumping the monthly price and my usage is tiny. If I could just pay per email that would be better.

That said, I’m hosted on AWS so maybe I should look into SES as well if I’m going to replace my email sending service.

  • dajonker 2 days ago

    I haven't experienced any price increase on the cheapest Postmark tier over the past 3 years or so? In any case they deliver excellent service and as a business earning money and sending emails per transaction it's almost free.

    • joshstrange a day ago

      In July 2025 they raised the price for me from $10.60 to $13.04 (what was actually charged to my card), I know that is minor but I use essentially 0 emails 9 out of 12 months of the year and a pittance in those other months, not getting anywhere close to the limits.

      My statement of "they keep bumping the monthly price" was incorrect, they only did it the one time it appears. However my plan is no longer available and the lowest plan they offer is now $15/mo which makes me concerned they will raise my prices again within a year or so.

      Again, I know we are talking about a very small amount of money but I'm not super interested in staying with a provider that will just keep raising my prices while I have such low usage. I'd much rather switch to a pay-per-use-type service.

boredatoms 2 days ago

I was hoping this would be a competitor to gmail

  • zaik 2 days ago

    There are many competitors to Gmail, what do they lack for you?

cloudflare728 2 days ago

This is exactly the service I was looking for. I am using cloudflare email forwarding but couldn't find anything about how to send form data from webpage to email.

All the email services that I could find have a monthly subscription, no pay as you go offer. Hopefully, cloudflare will offer pay as you go.

Is there a way to get priority in waitlist? I don't mind bugs.

observationist 2 days ago

It's always shocking to me how many people blindly sacrifice the principles that make the things their lives depend on actually worthwhile. The internet isn't just a thing that happened, it was developed and rolled out under specific principles and vision, and violating those principles destroys the system.

The internet doesn't work if Matthew Prince gets to act as global gatekeeper, or if CloudFlare gets conscripted as the new PRISM or NSA censorship and surveillance apparatus whether they want it or not. Given the profit incentives and intense pursuit of control, it's apparent (to me, at least) they're positioning themselves to profit off of the next big horsemen of the infocalypse opportunity.

Centralized control and gatekeeping of the internet, private or otherwise, should be shunned. Sacrificing that for walled garden features is despicable.

Don't shit in the village well, even if the guy selling bottled water says he'll get you a great deal. There are better ways of doing things.

  • Bender a day ago

    or if CloudFlare gets conscripted as the new PRISM or NSA censorship

    PRISM and the NSA are not involved in censorship but they do like to ingest a lot of data, the more the merrier. Only certain members of CF would know if they are already looped in and would have signed scary things preventing disclosure if that were the case. I just assume everything going through a CDN is monitored since it is a MitM by design. A long while back Akamai got in a lot of trouble for some of their people selling data to a country in the middle east, I forgot which one.

    The way the censorious game works in the Ministry of Truth a sub-committee in the DHS sends private messages to former federal employees that work in high positions at tech platforms and advises them what to censor giving the company a way to say they did not officially comply with censorship demands. I will let the Queen of the internet explain [1]. Letting federal employees message people outside of logged government chat platforms is problematic.

    [1] - https://www.youtube.com/watch?v=zdjQWuJeVqE [video][13 mins]

  • SirHumphrey 2 days ago

    Sure, I wouldn’t want the Linux foundation or other pieces of critical FOSS infrastructure to be routed via Cloudflare. But if I am setting up a web shop for somebody they usually care much more about someone at least pretending to be doing something about a ddos they got hit with than the decentralised internet.

    To quote Raytheon “Morals are cool but 90k/year sounds a lot cooler”.

  • BinaryIgor 2 days ago

    In principle I agree, but in practice - what are the better ways of doing things, as of now?

    • observationist 2 days ago

      Use other services where necessary, and sparingly. Use only what's functionally necessary, and diversify. Encourage your employer or organization to avoid vendor lock. Don't ever meet with salespeople, stay in charge of your websites and infrastructure. Find a highly disagreeable technical engineer to tell you what you can get away with; you probably don't need the scale of the things CloudFlare, AWS, et al impose by default.

      AI right now can do all of that for you; pay for the best initially, have it do deep searches that meet what you need, and find appropriate contractors and services. Drop down to the plus tier after you get what you need initially, if the $200+ versions are too steep, but you can absolutely afford one month to plan an overhaul that doesn't empty your wallet.

      Mandate open standards and bake in flexibility to your organization; pivot frequently and aggressively away from companies and services that don't meet your principles or standards.

      Wherever possible use self hosting, decentralized protocols, open standards, FOSS software, and pay for expertise over the massive overkill "but wait, there's more!" the conglomerators offer. Their economies of scale serve to consolidate unearned and unaccountable power, often in cooperation with very shady players.

      Yeah, tragedy of the commons, this is why we can't have nice things, because it's hard, and complex, and actual evil people exist who will absolutely ddos sites and exploit every and any opportunity to grift people out of their money. Cloudflare is a well marketed bundle of solutions for real problems, but it's definitely not the only solution.

      It's up to you to what extent you compromise on principles - with AI it's becoming much easier to find acceptable alternatives without having extensive domain expertise. Normal search engines are almost completely captured by SEO and big market players, and we have a window of opportunity to use new AI search to find things that defy the status quo. The window will probably close sometime in the near future, but until then, take full advantage and position yourself to not be subject to companies or industries that shouldn't be taking it upon themselves to gatekeep the internet.

      Also, yell at your representatives about getting a digital bill of rights, protecting the open internet, breaking apart monopolies, and cultivating what's best for the internet, and the world.

      We have to stop pissing away the good for the convenience of the cheap.

      /soapbox

      • BinaryIgor 2 days ago

        Good points - thank you for a thoughtful answer!

      • bsder 2 days ago

        DDoS via AI bots doesn't have a straightforward solution at the individual level (Anubis-like solutions only neutralize the dumbest of bots). If you have a reference otherwise, I'd love to have it.

        • observationist a day ago

          Digital bill of rights and enforcing laws already on the books, imposing requirements on ISPs to remove bad actors, and having governments and law enforcement agencies actually do the boring and tedious work of tracking these people down and shutting them down. Disconnecting ISPs from the rest of the internet when they cannot police themselves. Shutting down "VPN" services that harvest and abuse residential IP blocks of their users to evade detection while accepting money from bot herders, and other criminal activity that gets ignored.

          We have sensible laws on the books, treaties, and all sorts of agreements with entities ranging from big corporations to ISPs to countries, but they aren't enforced. Just look at how long spam call centers have been an issue - if we start playing hardball and simply shutting off entire regions until providers and governments comply with basic enforcement, we can have a civilized internet.

          These botnets are not magic. They're not subtle. They're not ultra-secure beyond the reach of mere mortals to do anything about.

          They're allowed to persist for all sorts of reasons, ranging from utility to nation state level threat actors to local ISP corruption and bribery to simple laziness and incompetence.

          From the top down, governments merely need to enforce the rules that are already in play. I guarantee if you disconnect large regions of India where many of these sorts of problems originate, the people there will convince their local officials to take appropriate action - and if that doesn't work, we don't need them on the internet anyway.

          Same goes for any regional ISPs in the US, or Canada, or anywhere else in the world.

          We have rules, let's try following them before we decide on mechanisms like CloudFlare or other centralized controls.

          • bsder 16 hours ago

            That's wonderful, but the AI bots are costing me money or taking my website down at this moment.

            I don't need a solution tomorrow; I need a solution today. And Cloudflare is the "today" solution.

  • AJ007 2 days ago

    Agreed.

    One thing I've grown concerned about, after watching the Twitter migration fizzle out, is we can imitate the old internet on a small scale, but on a large scale it just doesn't work. For Twitter specifically, the outcome was even worse, many users just migrated to other more centralized services or existing monopolies (like Instagram.)

    Users are too used to being able to instantly stream 4k HDR 60fps. They are too used to limited amounts of spam. They are too used to having most non-agreeable content filtered. All of this stuff that big tech delivered now is replicate-able at the cost of tens of billions of dollars. The only business model that can pay for that is owning a giant ad platform.

    Thinking about all of the issues the EU has had enforcing things like GDPR, which big tech companies largely haven't followed for years or straight up lied to their customers about, along with a possible failure of the DMA now due to tariffs.. and yet on the other side of the Atlantic, the US utterly failed to ban or control Tiktok. Endless announcements of upcoming deals that were either lies (Oracle protecting American's data) or postponements.

    Meanwhile, all of the spam, hacking, bots, and DDoS attacks persist and grow, along with layer upon layer of (probably intentionally) poorly written and often conflicting legislation across multiple jurisdictions have truly made it impossible for the internet as it was designed and meant to exist to continue. (Sure you can just set up a basic web forum like you could do 20 years ago, not use Cloudflare, not host it at a major datacenter, and ignore all of the GDPR and age verification laws, but good luck. Hell, it doesn't even sound like it's really legal to run a Mastodon server anymore.)

    One small hope is that if internet companies follow any pattern we've seen in other industries, when the growth ends, the managers will switch to tearing the conglomerates apart into pieces and selling them off. One day Cloudflare might be split into 30 pieces, along with Alphabet, Meta, and Amazon. But it could be a while.

tzahifadida a day ago

I think this is amazingly great. If they can compete with AWS SES on pricing then, why should I work and pay to 2 services if I already use cloudflare and just use AWS SES for transactional emails. BUT and this is a big one. Most OSS already integrates with SES, so I doubt it will be easy to replace, it may take years, unless.... they can replace them completely as is without adding new codes and apis...

jlundberg 2 days ago

For people looking to self host email, the mox software is surprisingly refreshing.

Open source and available here: https://xmox.nl/

aetherspawn 2 days ago

Now that it’s possible, for anyone looking to start a new FOSS project… I would like if someone could please make a serverless spam catcher service that runs on workers so we can host it in front of self hosted email.

Something like:

- Blacklists/whitelists and wildcards

- Phishing detection

- Spam digest/rollup spam into single email every day with buttons to release

- Virus scanning of attachments

- Replace inbound links with hosted link previews/malware scans

Strategically looking to get off the MS email stack, but this is a big part of it.

  • bear330 a day ago

    You might want to check out MailTrigger (https://www.mailtrigger.net/) — it's a programmable SMTP server that can even call an LLM before sending emails, so everything you listed is technically doable: blacklists/whitelists, phishing detection, spam rollups, virus scans, link previews, etc. It’s not directly related to the MS email stack, but if you're self-hosting and looking for a flexible, programmable layer in front of your mail server, it could be a good fit. It’s still under development (though already running in production for my own company and a few early adopters), and the pricing page is just a placeholder for now. But the docs are public, and I believe it can cover what you're aiming for.

    One thing to note: while the website mainly talks about multi-channel notifications, MailTrigger is actually more like IFTTT or Zapier, but specialized for email — when a message arrives, it can trigger smart, programmable actions. You can turn your existing email system into an IFTTT-style automation engine. It supports JS and WASM for preprocessing and routing, so you could, for example, auto-reply with an LLM-generated joke or handle customer support queries dynamically. The website might not fully reflect this yet, but the docs are more complete and show what’s possible.

scrollaway 2 days ago

This sounds amazing… basically everyone in the space is either reselling Sendgrid or AWS SES.

What other "root" email services are there out there? Even Google Cloud doesn't provide one...

  • jeffbee 2 days ago

    Google's Mail API for App Engine seems to still be available. I think they don't really want you to use it, but there it is.

  • BinaryIgor 2 days ago

    Postmark is pretty good as well :)

  • iamacyborg 2 days ago

    Mailjet, mailgun, sparkpost and a bunch of others.

    • scrollaway 2 days ago

      Mailjet / Mailgun are one and the same service and since the acquisition, I haven't heard of anyone still happy with them. But yes good point, Mailjet is another one.

      Sparkpost to my knowledge is built on SES.

      • iamacyborg 2 days ago

        Sparkpost roll their own MTA’s on AWS, they’re not sending via SES.

mercurialsolo 2 days ago

Cloudflare is the new AWS

  • NetOpWibby 2 days ago

    I like this version of AWS

    • cube00 2 days ago

      Give it time, we always like them in the beginning.

lloydatkinson 2 days ago

Interesting development. Not really sure I trust Cloudflare on this one, the last time they tried this with "MailChannels" they got a bunch of people to use it and then killed it off a few months later. Still, their blog post was never updated to say the feature was removed: https://blog.cloudflare.com/sending-email-from-workers-with-...

  • kentonv 2 days ago

    MailChannels is a separate company from Cloudflare. At one point they offered a Workers integration, and Cloudflare blogged about it because we like to encourage such things. Unfortunately MailChannels later decided to discontinue their integration.

    The new email product is built and operated by Cloudflare itself.

lexx a day ago

All web protocols and traffic through one company! Hm, how this could go wrong?

jasonjmcghee 2 days ago

I feel like I'm missing something based on some of the comments here. How is this different from SES? (Why is this controversial?)

  • ZeroCool2u 2 days ago

    A lot of folks find SES or even just the broader AWS experience unpleasant.

    • jasonjmcghee 2 days ago

      Oh sure, a nice emailing experience (compared with SES) seems positive. But there are negative comments like Cloudflare shipping this is net negative, so just trying to understand the context.

      • wiether 2 days ago

        The negatives are probably around the fact that Cloudflare is soon to be the master of the web (80/443)

        If they launch an email service and are as successful, they could become the master of the email (25/465)

        So soon, they'll be the master of the entire Internet

        To be clear: I don't share this view, in part because Google and Microsoft already are the masters of the email

simultsop a day ago

This could enable anyone to serve oneself with email. Not that it was not possible, but it eliminates tech challenges, reverse DNS and configs where you need to spiral down with ISP bureaucracy.

_blk 2 days ago

This is indeed great. I've been using emailjs dot com for low volume sending so far but they connect to your account and send it through there which is obviously problematic.. Will be interesting to see how pricing for low volumes is there. So far, I've found CF to be more than fair, esp. given their potential for abusive pricing.

baggachipz 2 days ago

I wonder what the pricing will be. I would love to have it be where X number are free, then each one additionally will be a small price. I hate having to change tiers based on usage. I would have no problem funding an account and using that to pay for the overage.

maghfoor 2 days ago

I would actually use an email service from Cloudflare. That literally means I don't have to rely on anything else to host my apps. Currently I use email forwarding to send emails to a different email address from my custom domain. This would help a lot

  • danielspace23 2 days ago

    How is that a good thing? Are we, as a society, forgetting the value of diversification, or just ignoring it because convenience is good? Do you really want to be just one wrongful ban away from being completely offline?

Handy-Man 2 days ago

Cloudflare's email routing has been abused by malicious users for so long that I can no longer reliably use it with my domain, most times Outlook just blocks Cloudflare IP ranges and emails never get routed to my Outlook mail box.

sroerick 2 days ago

Tangential - could you deploy something like webtorrent which uses seeds, mitigating a DDOS attack? Is this what IPFS would theoretically do, if web gateways were not used?

pikdum 2 days ago

As someone not currently using Cloudflare Workers, I'm not sure I want to build a worker and figure out how to interface with it through my existing application just to send email. What happened to SMTP?

  • thomgo 2 days ago

    REST APIs and SMTP will also be available

    • pikdum 2 days ago

      Oh cool, somehow missed that. :)

sheerun a day ago

Very strong move, by one of the few fair companies that can pull this off

smacker 2 days ago

That is exactly a service I was hoping Cloudflare would provide. Simple binding using wrangler is really a life quality upgrade when starting new projects.

throwaway12345t 2 days ago

Email for developers will always trickle down to a commodity, wrappers will get left behind, acquired, or relegated to a small niche.

tacone 2 days ago

Email sending providers have become a bit of a cartel, with prices usually rising over time. I am expecting much lower prices from cloudflare.

turnsout 2 days ago

I'm currently implementing SES for a new app, but I like the idea of having another option. I wonder what the pricing will be.

ahmedfromtunis 2 days ago

I've been using email workers for years now. Adding the ability to send emails directly from workers will be amazing!

  • thomgo 2 days ago

    Fun fact, you can actually use the current send_email binding to send emails to verified emails in your account (but this announcement will make it possible to send emails to everyone)

    • boarush 2 days ago

      You can also reply to incoming emails from what I know, you just cannot initiate any email directly to prevent the obvious abuse. I wonder how they plan to mitigate that apart from keeping the pricing sane.

willsmith72 2 days ago

Ahhhh I've been waiting so long for this. SES is the last thing I have to keep logging into the clumsy AWS UI for

alberth 2 days ago

So will this compete against SendGrid (transactional emails)?

Or is this going after Gmail/M365 (personal inboxes)?

  • mrshu 2 days ago

    This is a SendGrid alternative (transactional emails, potentially with a nice API).

pizzafeelsright 2 days ago

This is good and I am fairly certain email is dead with AI, hopefully soon.

I went from hosting my own pop/imap/smtp email to ignoring it almost completely at work and personal for a variety of reasons.

Text messages and chat or X/message boards are all I use now. I have the same ability to deliver messages, content, forward, save, export, and migrate between platforms. The spam in SMS is tolerable at this point.

lxe 2 days ago

I hope it doesn't throw you in a mental health crisis when attempting to set it up like AWS SES does.

mixcocam 2 days ago

I hope they enforce the use of plain text versions of html email :)

johtso 2 days ago

Please tell me this supports some kind of idempotency.. I fear it won't.

The kind of hoops I've had to jump through to achieve DIY idempotency with Postmark would make you cringe, a shared lock to avoid race conditions, and then using the API to check if an email with the unique id (manually added to the metadata when sending) has not already been sent before sending an email.

Being safe in the knowledge that an email with some unique key will only be delivered once regardless of bugs, processes dying mid task, network issues etc. just makes life so much simpler. The risk of sending duplicate emails or at worst spamming your users due to some more nefarious bug is something that you really want to guard against at as low a level as possible. Sure this might not be quite as consequential as duplicate charges through the Stripe API for example (Stripe have always seemed to lead the way with good API design in this regard).. doThing(data) is _not_ good enough for executing tasks over a network that are effectful, have a cost, and potentially risk your reputation if things go wrong. Idempotency keys should be far more widely supported!
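
The client-side guard described in the comment above (claim a unique key, check whether it was already sent, then send), as an added example that is not part of the original comment and not any provider's API. `IdempotencyStore`, `fingerprintOf`, `sendOnce` and the synchronous `transport` callback are hypothetical names, and the in-memory `Map` stands in for a shared store.

```javascript
// In-memory stand-in for a shared store (a database row with a unique key, etc.).
class IdempotencyStore {
  constructor(leaseMs = 30000) {
    this.leaseMs = leaseMs;
    this.records = new Map(); // key -> { fingerprint, state, result, leaseUntil }
  }

  // Claim a key. In a real shared store this must be ONE atomic operation
  // (compare-and-set or insert-if-absent), not a read followed by a write.
  begin(key, fingerprint, now = Date.now()) {
    const rec = this.records.get(key);
    if (rec && rec.fingerprint !== fingerprint) return { action: 'conflict' };
    if (rec && rec.state === 'done') return { action: 'replay', result: rec.result };
    if (rec && rec.state === 'in_flight' && rec.leaseUntil > now) return { action: 'in_flight' };
    // No record, or a stale lease left behind by a process that died mid-send.
    this.records.set(key, {
      fingerprint, state: 'in_flight', result: null, leaseUntil: now + this.leaseMs,
    });
    return { action: 'send' };
  }

  finish(key, result) {
    const rec = this.records.get(key);
    rec.state = 'done';
    rec.result = result;
  }

  release(key) {
    this.records.delete(key);
  }
}

// Stable fingerprint of the fields that define "the same email", so a key
// reused for a different message is rejected instead of silently dropped.
function fingerprintOf(msg) {
  return JSON.stringify([msg.to, msg.subject, msg.body]);
}

// transport(msg, key) is a hypothetical sender; the key is passed through so a
// provider that supports idempotency keys can deduplicate on its side as well.
function sendOnce(store, key, msg, transport, now = Date.now()) {
  const claim = store.begin(key, fingerprintOf(msg), now);
  if (claim.action !== 'send') return claim; // replay, in_flight or conflict
  try {
    const result = transport(msg, key);
    store.finish(key, result);
    return { action: 'sent', result };
  } catch (err) {
    // Release only makes sense when the error means the message was NOT
    // accepted; after an ambiguous timeout, keep the claim until the lease ends.
    store.release(key);
    throw err;
  }
}
```

A retry after a stale lease is the one case this guard cannot make safe, because the dead process may already have handed the message to the provider; that gap only closes when the provider deduplicates on the key.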

Romanulus 2 days ago

"Centralizing the decentralized." --(probably) Cloudflare

Velocifyer 2 days ago

I thought this was a service like migadu or proton mail

segmondy 2 days ago

Only a matter of time till Palantir acquires them.

twothamendment a day ago

I'm sick of Cloudflare making me prove I'm not a bot - just because I run Ubuntu. I have a static IP. I visit my bank website regularly, can they not figure out that I'm legit? No, they can not.

Can't wait for them to get involved in email... looks like I don't have to!

mips_avatar 2 days ago

I didn't see any pricing, but it would be amazing if they could get close to SES pricing with like Resend levels of usability.

FuriouslyAdrift 2 days ago

Everyone just forgetting Fastmail exists.

https://www.fastmail.com/

  • troupe 2 days ago

    Is Fastmail in any way similar to what is being described here? Fastmail looks like a replacement for Gmail or maybe Gsuite.

    • FuriouslyAdrift 2 days ago

      Sorry... I thought Cloudflare was offering full service email (SMTP/MTA). If it is just SMTP outbound email, then SMTP2Go would be a better alternative.

  • dewey 2 days ago

    Fastmail is mentioned on every email provider suggestion thread on HN (Because they are great, happy user!), but they are not a transactional email provider which is what this product is about.

    • FuriouslyAdrift 2 days ago

      By transactional, do you mean a bulk sender? For that, I recommend SMTP2Go.

      • bsder 2 days ago

        Transactional like "password reset message".

tambre 2 days ago

Anybody know if it supports IPv6?

iamacyborg 2 days ago

Will be interesting to see how good of a reputation they can keep (IP/sender reputation, specifically) given their historically very libertarian attitude to compliance.

cube00 2 days ago

> Now, sending an email is as easy as adding a binding to a Worker and calling send

I hope it's easier to set up than the current mess of needing to use Wrangler to set up the send_mail binding the CF worker console can't even show in its binding list.

bsoles a day ago

Cloudflare is an evil company in the making. I would rather stop using email altogether than using their "private" service. No for-profit company should be in the business of blocking IP addresses' access to the Internet. I am sick of their "are you human?" and "we are seeing a lot of traffic from your address" shit already.

babuloseo 2 days ago

I need to send up to 50k-80k emails per month

ChrisArchitect 2 days ago

From Zeno Rocha, CEO, Resend -

  I just shared this with the team:

  Today, Cloudflare entered the email sending market.

  While I didn't expect this to happen today, it didn't come as a surprise either. It was never a question of if Cloudflare would add an email sending API, but when. Back in 2022, they introduced Email Routing, and it was only a matter of time until they added the sending part.

  Some people will see this and will want to migrate off Resend, others will say we're dead. The reality is that they are after our target audience, otherwise they wouldn't create an example showing how to use React Email on their announcement post.

  Still, I truly believe this is good news. Here's why:

  When Cloudflare introduces millions of users to their email API, they're creating our next users. Developers will run into limitations and will want more from an email service. They will need bulk sending, advanced templates, no-code editors, and a lot more. That's where we step in.

  Email is not a winner-takes-all kind of market, and that's why we've been able to enter such a competitive space and still thrive. Competition is good because it forces the best product to win.

  We cannot let our guards down, and lose our sense of urgency. The bar is higher for us right now, but if there's a team that knows how to increase the bar, that team is this.
(https://x.com/zenorocha/status/1971260006654742780)

htrp 2 days ago

shut up and take my money!

pembrook a day ago

Love this, assuming they come in as the lowest cost provider.

But I'm more interested in seeing how they'll maintain clean sending IPs.

I have a feeling they grossly underestimate how difficult this will be.

I will not touch this with a 10 foot pole for a few years while they iron out all the kinks.

6d6b73 2 days ago

Now we can expect Cloudflare to start blocking emails from smaller providers soon to "block spam".

xyst 2 days ago

better off using your own mail server. Stalwart collaboration server makes this stupid simple. Although dealing with poorly configured mail servers and draconian mail server policies can become tedious.

If really concerned about deliverability of transactional or marketing email messages, then relay through one of the many bulk senders.

adding yet another cf product as a single point of failure is not good.

lagniappe 2 days ago

For fuck sake is nothing sacred anymore

bumseltagbaerbi 2 days ago

Cloudflare this, Cloudflare that. Fuck Cloudflare; they become more and more of a gatekeeper. (Oh so you like to browse sites that you expect to visit maybe once in "Private" mode? Nah, can't have that - let's try to push this weirdo away by using the ever-spinning "verification" circle.)

superkuh 2 days ago

No doubt cloudflare will refuse to receive emails from any mailservers except those that run special cloudflare extensions or whatever. It'll be a whitelist that's mostly corps only. For "security" of course.

And eventually it'll be so popular other mailservers will stop accepting mail from any except cloudflare/ms/apple/etc.

  • NetOpWibby 2 days ago

    Where are you getting this from?

    • superkuh 2 days ago

      How cloudflare treats web browsers and their proposals for acting as gatekeeping for allowing websites to be spidered re: AI motivated corporations. Also cloudflare's near weekly proposals of unilateral protocol features that should be IETF'd but instead they just do and make others do because they're gatekeepers and they can. I expect them to keep behaving as they have and so posited likely 'cloudflare'-like actions for their announced attack on email.

      I get that most people never feel the discrimination and exclusion mediated by cloudflare because most people are just using chrome or whatever standard browser on their phones. But just because one doesn't have the lived experience of discrimination doesn't mean it isn't actively happening to lots of people.