To be honest, the internet was worse without Cloudflare, so as long as they provide a good service for their customers, I’m fine with it. This is one of those.
Google is in a perfect position to compete but they don’t, so it’s not like Cloudflare is a monopoly or something.
It had much more freedom. Currently it's up to Cloudflare to decide whether you will read that article or not. Tomorrow some stupid law will mandate certain ideas to be hidden from children[1] and Cloudflare will happily comply.
It's both. In allowing Cloudflare to grow so big, we now have one huge universal button for governments to push. If instead all of these customers were dispersed over hundreds of different services from different countries, good luck with trying to keep them all in line with your specific country's whims.
Because human nature is what it is. The best way to eat better isn't to be a better person, it's to not keep junk food at the house. It's not Cloudflare's fault that they're successful, but it's now everyone's problem that they're an easy throat for governments to choke.
For example, recently certain big corp ask me to verify something. I clicked on the link in the E-Mail and it was suck on Cloudflare the click button over and over again. No matter how many times I clicked.
I don't know what kind of internet you used but mine didn't randomly decide to block my access to a website because some quasi monopolist decided I wasn't allowed to use a certain website for intransparent reasons.
Being blocked from a web site and having to hit a little box are two different things. Are you talking about the former or the latter? If it's the former ... that has literally never happened to me unless I'm on a VPN and even then it's rarely (if ever) CF that's doing the blocking.
If it's the latter then it reflects the sad truth that we can't have nice things anymoret. I have lots of problems with the accessibility of that box, but either Cloudflare would be implementing it, somebody else would be implementing it, or a huge chunk of data would be unavailable to you anyway because of accidental DDoS attacks caused by irresponsibly deployed bots.
The internet is worse for me with Cloudflare. I'm using a cellphone router for my internet. My guess is I don't get a dedicated IP and probably behind a NAT with other users. 85% of my request needs me to solve a cloudflare captcha. on bad days I have to do this easily 100+ times.
It is not Cloudflare's fault. It means the website operators were so fed up with bots and bad actors that they just applied a carpet ban and called it a day.
Thanks to Cloudflare I was able to reduce my website load threefold and downscale my VMs and my monthly cloud bill, and seeing how 50k daily requests were shown CAPTCHA and not even tried to solve it makes me terrified of running anything without Cloudflare.
Don't blame site owners and service that is trying to help them. Blame the fact that 90% of today's Internet traffic is bots
But what's the counterfactual? People use cloudflare because they want protection from ddos attacks and bots. If cloudflare didn't exist there would probably be similar measures.
Businesses want to protect the continuity of their business operations, and to that end they buy such protection as a service, from a business that managed to MitM half the Internet in order to provide such service.
Point being, it's a commercial subverting the Internet from inside, reshaping it to better serve the interests of commerce. It is indeed protection, but it's accomplished by reducing variance. 99% of legitimate commerce on the Internet follows the same patterns, use a small subset of possibilities offered by the technology - so why not just block the remaining 1% that doesn't fit and call it a day? It will stop most of the threats to running businesses on the Internet. The 1% of legitimate commerce that doesn't fit the pattern? It's not being ignored per se, just pressured to adapt and conform to the majority.
What is being ignored is that the Internet is not just a place of commerce, and non-commercial use cases, ideas such as empowering people to better their lives, are gradually becoming impossible, as fundamental Internet infrastructure becomes inhospitable for them.
Some of us still remember the Internet being more than just a virtual mall, and are unhappy about it gradually becoming one. And it's not like CloudFlare, et al. are hostile to non-commercial interests as a matter of principle - it's just out of scope for them.
CDNs always existed IMHO. The world before cloudflare was just much more hidden. In general I find their take at the typical cloud business from a network perspective mostly refreshing.
However, I guess they have become the major player now and certainly try to optimize the world towards their business model.
IMHO it needs other enterprises entering the competition. Maybe it could be new more software defined mobile network providers offering edge compute. Maybe data from IoT could never enter the Internet and we could have some confidential computing power when we need it for our IoT stuff. Maybe we could get a more decentralized Internet again...
> However, I guess they have become the major player now and certainly try to optimize the world towards their business model.
I don't think that's it, and I think the explanation is much more simple and straight-forward.
Cloudflare established a very successful business model around a straight-forward, very transparent, no-bullshit CDN. Now, they started offering other cloud services build around their CDN. Cloudflare Workers kind of extend their CDN pipeline to allow clients to run arbitrary code to customize caching logic, but it turns out their function-as-a-service model is exceptionally good, and higher-level services like email are a low-effort way to meet existing needs.
Like what? Give an example. I'm struggling to think of something they offer that is particularly unique and not offered by the other public clouds or several SASS companies.
I'm not entirely aware of all their products, but just thinking about a CDN, isn't that in many ways kind of fungible? Is it really that hard to migrate to your big cloud co's CDN (CloudFront, Google Cloud CDN) or the several other large competitors without an immense amount of work?
It's not the specialization around hosting that's the problem, but that entities running CDNs realized they're in a privileged position in the network, and decided to capitalize on it.
I still believe that CloudFlare means well, but that doesn't mean that I agree with the increased centralization. This isn't the fault of CloudFlare, they are just exploiting a business opportunity and as you say: At least they're not selling ads.
It is a legitimate business, from my perspective. I'd just wish we weren't in a situation where CloudFlare isn't exactly struggling to sell their services.
> I still believe that CloudFlare means well, but that doesn't mean that I agree with the increased centralization.
I'm perplexed by this sort of comment. Cloudflare doesn't even feature in the top 10 of cloud provider market share, and the number 8 spot already reports 2%. And here you are, complaining about Cloudflare and centralization.
Furthermore, AWS is by far the biggest cloud provider, reporting around 30% market share, and I don't see AWS being referred as a concern.
> At least they’re not selling ads using your data.
Yet. Since it's an american company with an ever-growing influence, I dread and expect that to change, among other things, down the road. I assume the three-letter agencies also already MITM the traffic.
We said the same thing with Google, "Don't be evil", "They are better than MS", now here we are, Google, became something that doing everything to squeeze every data off us, so that they can sell them to their partners.
And, anything that stops them from doing it, well, you are kind of erased from the Internet. The freedom we had, slowly becoming non-existent now.
Corporates have one and only one target. It is to make money. And this mentality, enables them.
Same day shipping was always the norm here. Order something before 14:00 - 16:00, depending on where the company was on the route for package pickups, and you'd have your package the next day. Amazon has normalized multi-day / weeks shipping, so they've made it worse.
Denmark, there is no close Amazon warehouse, so shipping always suck. Not only is shipping times frequently a week or more, it's also overpriced and items are frequently less expensive from local online stores.
Amazons only advantage is it's massive selection, if you can find what you're looking for.
> At least they’re not selling ads using your data
Sounds great, until a new CEO steps in. Any company is exactly one (or more often zero) CEO away from doing whatever they want (within legal constraints) with their business, in order to fulfill their fiduciary duty (and greed).
Huge fan of Cloudflare here actually. It’s always such a breath of fresh air compared to the heavyweight configuration hells like AWS. And for doing super convenient stuff like make node:http work on cloud functions recently, but guess only certain DevOps guys realize how cool that is compared to other FaaS wrapping ceremonies.
Too bad you don’t hire senior folks in Germany currently, would probably join in a heartbeat for emotional reasons alone. Keep going, lightweight features on a tap and solid reliability over years is exactly what I need and want at least.
I am genuinely curious what protections are in place to ensure that? What is the plan after you are gone?
It looks like you have voting shares with 10x the power of institutional investors, but activist investors aren't dumb either.
My biggest fear of Cloudflare has always been that one day you'll get hit by a bus and someone will figure out that merging Cloudflare with an ad network would create so much more shareholder value. The road to hell is paved with free DDoS mitigation, so to speak.
> Google is in a perfect position to compete but they don’t, so it’s not like Cloudflare is a monopoly or something.
Not to comment on whether they're actually a monopoly or not (since idk much about CF's market share, except that it's big), but how does this prove they aren't a monopoly? If anything, it'd work as evidence to prove that they are.
I think the point is to keep them in that mindset, and that requires competition and some counterbalance that won't be there is everyone just moves to Cloudflare.
If Cloudflare is so vital to the internet, it should be nationalized for the public benefit as having a private entity with so much control over the internet is not a good thing. Corporatized control of the internet should not be encouraged.
I trust a corporation more than I trust the nation you want it nationalized in (America?)
EU maybe. But yes I don't want cloudflare to be part of america after patriotic acts and all the dystopia.
Honestly, cloudflare is not so vital to the internet. Like, The only thing its gonna be a problem if they stop working without giving any way to migrate. Then yes, its gonna be a bit of problem to the internet.
Really? Try distrusting CF certs, and see how much of your internet activity breaks. CF certs should be distrusted, because it's MITM by definition. At the very least, I'd like an addon that makes the URL bar bright red, so I know my connection isn't secure.
Yup, I also meant the same when I was writing my comment and although I agree about regulation, the thing is, that I don't even trust that aspect...
Also, I know that there are sometimes where cloudflare sits in the middle between your servers and your users for DDOS protection, and so yes theoretically its a point of interception but given how their whole thing is security, I doubt that they would exploit it but yes its a point of concern.
On the other hand, if something like this does happen, migrating can be easier or on the same level if something like this happened on like AWS.
But cloudflare still feels safer than AWS y'know?
That being said, I am all in for some regulations as a public utility but not nationalizing it as the GP comment suggested. Just some regulations would be nice but honestly we are in a bit of tough spot and maybe it was the necessity of the internet to have something like cloudflare to prevent DDOS's.
Hm, you raise good points but I just thought when I was writing that comment, that if there was even a single case of somebody using that MITM then that would just make everyone leave cloudflare and find either other mechanism or something else that's safer for sure.
I think that cloudflare is used by most as DDOS protection and so they still have the servers.
There are also cloudflare workers and pages but even migrating them is somewhat doable as I think that cf workers have a local preview option somewhat available in their node etc., so you could run it locally somehow.
Sure its gonna be a huge huge problem but something that the internet might look past of (I think).
Honestly, I kinda wish that there was a way to have something like how the tor onion links work in the sense that the link has the public key of the person running the server and so uh, no matter if its cloudflare serving the link or something else, its still something that can't be MITM'd for the most part.
Am I right in thinking so? Sure, its gonna make the links longer but maybe sacrifices/compromises must be made?
The EU is quickly becoming a dystopian nightmare with age verification, mandated encryption backdoors, and generally an extremely invasive form of government. So no thanks.
No thanks to this level of evaluation which doesn’t even rise to “analysis”, it’s just a word salad association that picks two hobby horses and pretends they represent the apocalypse while ignoring all the measures on which many EU participating countries are producing quality of life and personal freedom at outlier levels.
Lets just hope that EU doesn't add that age verification thing or those Cert based things which is controlled by the govt.
My opinion is simple, age verification won't work unless they block VPN (something which UK wants to do/ is doing) and that sets a really really bad precedent and I doubt if its entirely possible without breaking some aspects of internet or complete internet privacy.
EU in aggregate is net positive but it still has some things which are kinda flawed regulations that are a bad precedent, but germany kinda blocked the verification thing iirc so there is still a lot of hope and EU does look like its trying its best but I think that it can do just a bit better if they don't think of age verification or some other stuff but that's just my 2 cents.
This was why I added "maybe" tbh. They are one of the best options but even they aren't thaat good. Like its questionable I think and needs a much bigger debate
What quality of life improvements? I seriously hope major tech companies pull out of the EU market altogether instead of complying when client-side scanning is mandated. Then you can come back here and brag about how great life is in the EU.
I would say if the political environment pre 1980s was still in existence that might be true. Today that would just mean the entire thing would unravel as it ate its own tail in the race to the bottom environment we are currently in.
You can create democratic policies to thwart this. Even something as basic as nationalizing Cloudflare then forcing workplace democracy provisions on it would probably do more good for, not just the Cloudflare workers, but society writ large.
If CF limited their clients to big businesses (just like Akamai and who else?) it might be less bad, but as it is, they're trying to get the whole internet including small sites on board.
I dunno, I am basically a dick to Big Tech all the time, give me an opening and I will go after them with gusto, but I can't really find fault in Cloudflare offering email sending infrastructure.
The ire should be reserved for if and when they establish some kind of monopoly or other anti-consumer practices, fall afoul of anti-trust law, and inevitably the US government gives them a free pass for criminality like it has been doing for years with dozens of other Big Tech mergers, rollups, exclusivity dealings, etc. and appears to have just done again with Google a few weeks ago.
It is fine for big companies to offer competing email sending services. It is not fine for them to break competition laws.
Also yes, please do set up SPF, DKIM and DMARC for me. I may very well end up using this down the road because they say they'll do that for me and I just don't want to think about them in some situations.
Yes, but also you can't send an email in any meaningful way on the internet without going through a middleman anyways so while philosophically you're correct, in reality it's already the case.
I usually have the same (residential) IP for weeks on end and there's absolutely no malware or scraping or whatever the heck it is that Cloudflare thinks it's protecting against going on in my house. Yet I still get blocked or captcha'd.
Website owners may understandably be appreciative of CF. But as as someone browsing the web, I think it's done a lot of irreversible* damage to the open internet.
* I say irreversible because I don't think they'll be looking to improve this anytime soon, but rather add more restrictions.
As a website owner who uses Cloudflare after having being DDOS'd, I agree whole heartedly.
Cloudflare succeeded to do what Google tried and failed with AMP, and we are all the worse off for it. [Though at least it is not Google, that would be worse.]
I cannot afford to be DDOS'ed and there are bad actors that have already proven that they _will_ take me down if they could. So, I feel bad for the internet being walled up, and I feel bad for users that will lose access. And I fret that one day CF may just decide to take all my content and use it somehow to shut me down.
Meanwhile though, I hold my nose, cry inwardly, and continue to use Cloudflare.
What was your infrastructure like? Were the DDoSes affecting you at the application or network layer? I wonder if there's the case to be made for something like CF but integrated into your L4 and L7 LB infrastructure.
Yeah it's already a known point of failure. The annual chaos is always when they have some downtime. They do offer an incredible service though. Would like to see some competition but it's not easy.
I don't think Cloudflare did anything major wrong, most of what they offer have plenty of alternatives, but Cloudflare is able to do a lot for free which really isn't their fault.
There are complain about its cache's captcha, I get it, ideally it should not discriminate any human user, but IMO it's an economical problem unless we collectively decide what they do is public utilities.
Was about to comment on this but you got right to the point. All of this is because people are lazy to build, let alone maintain, their own damn programs and servers.
I have more money than time. Take my money to do things I do not have time for. What you call lazy, I call time and capital/cashflow efficient.
(cloudflare customer, in both personal and professional capacities; i pay Fastmail to host family email; both can easily be switched if needed to prevent lock in, with DNS changes and in the case of hosted email, an export of mailboxes and tenant config)
What GP is effectively saying is that you don’t value independence enough to invest the necessary money and (for personal use) time into self-hosting.
And there is a spectrum to this. For example, using a small, independent email or hosting provider may cost a little more time, but makes you more independent from big tech, and maybe more importantly, contributes to reducing the power of big tech. We are all paying for it, down the line.
This is a fallacy, as self hosting means you remain at the whims of receiving or interfacing systems. Does you hosting your own email change the concentration of email accounts hosted at Yahoo, Microsoft, and Gmail? It doesn't. Does hosting your own domain or website change Cloudflare's concentration and centralization of internet traffic? It doesn't. You vote with your dollars by picking providers who won't lock you in, you vote with your dollars by picking protocols over platforms that cannot lock you in.
Paying Fastmail, along with others who do so, means Fastmail will remain as a non Big Tech option, for example (they also developed and championed, JMAP, for a more efficient user experience). Paying Kagi means Kagi will remain as a non Big Tech option. Donating to Let's Encrypt means Let's Encrypt will remain as a public good independent of Big Tech. I could go down the list of every service I pay for to de-Google and de-Big Tech, but that's likely unhelpful to further demonstrate the point.
> We are all paying for it, down the line.
Indeed, so establish and fund organizations that provide systems and services for benefit vs profit and control that cannot be captured. Self hosting your own box at home helps you (which is totally fine and reasonable, I run my own on prem infra across two continents at small business enterprise scale for use cases I cannot procure commercially at reasonable cost), but does nothing else, and doesn't scale.
You will still be required to hand it over, or sit in jail while your confiscated, inventoried equipment is processed by forensics. If I want to be subpoena proof, I’d host the subject system outside the jurisdiction with an org having no connection or nexus in the adversary jurisdiction. Admittedly, this is up to your threat model. Do you want to know, but still be legally required to provide access? Or do you want to be out of reach entirely? The answer to that will guide your implementation and operating model in this context.
A lot more people and organizations would self-host email if it wasn't a minefield. It's not laziness that Google and Microsoft have effectively decided nobody's allowed to do that.
Is this even true for such a sensitive subject like email where there are insane blacklists/whitelists everywhere in which you are forced to use a middleman either way so your emails enter someone's inbox?
What's the problem? GP is addressing a market need consistent with their comment above. I wouldn't be surprised by a auto mechanic stating that (too) many people are too lazy to change their oil - they might be the best person to manke that observation, given their PoV.
Email is already MITMed by gmail. 90% of my time managing transactional/marketing emails is just keeping gmail from moving my legit customer communications to spam.
> Today, we're excited to announce just that: the private beta of Email Sending, a new capability that allows you to send transactional emails directly from Cloudflare Workers.
So many comments here assumed from the title they're offering a hosted email service, they aren't, they are announcing their own Sendgrid.
It's unfortunate that email hosting and email infrastructure can really be done only well by major players. The days of people running and maintaining their own are pretty much long gone.
Fwiw, not a knock against CF. I like their products, mostly simple, fair pricing, etc. Just a bit unfortunate commentary on the state of email infra on the internet.
I run my own email server and you couldn't pay me to use a commercial provider like Google instead. The privacy benefits are huge and there is no one to restrict my storage or change my "terms and conditions" overnight.
The days of people running their own servers are gone because of the shortsightedness and laziness of IT managers. They though the "cloud" would be easier and cheaper, and they are now trapped.
I entertained the idea of running my own mail servers for a while. After researching the topic it turned out that the internet now runs on an IP reputation system. Major email services like gmail assume that anything sent from unknown IPs is malicious.
So it looks like we've gotta be well connected to federate with the other email servers now. A nobody like me can't just start up his own mail server at home and expect to deliver email to his family members who use gmail or outlook. So I became a Proton Mail customer instead.
I've run my own mail servers for many decades and have never had any deliverability issues. I've also never used bargain basement cloud VPS services with horrible reputations.
The best way to ensure a good reputation is to obtain your own address space from a RIR. Barring that, you need to choose a provider with a decent reputation to delegate the space to you.
Not true, at least for ARIN. If you have an IPv6 allocation, you can obtain one or more IPv4 /24 allocations, so long as their stated purpose is to provide IPv4/IPv6 compatibility (e.g. for dual-stack services or NAT): https://www.arin.net/participate/policy/nrpm/#4-10-dedicated...
> After researching the topic it turned out that the internet now runs on an IP reputation system. Major email services like gmail assume that anything sent from unknown IPs is malicious.
You have to buy/rent a dedicated IP address (that you'll be able to keep long term), and it warm it up by gradually increasing mail volume over a few months to weeks. But once you have, deliverability shoudl be fine.
I think the bigger issue is needing to keep on top of mainenance of the server.
Like the parent have ran Email servers for many years now. If you get a bad IP, as long as you get the DKIM records right, over time it will 'warm' up the IP. And the more you use the email on that IP and NOT spam people. The IP will warm up. Make sure you actually own that IP!!! It will become valuable.
FWIW, a huge percentage of the spam I get is via Sendgrid, and at some point in the past year or two their abuse reporting mechanisms all turned into black holes, so mail sent via Sendgrid is heavily penalized in my spam rules.
Sending reputation is just as applicable if you're using a third party as if you're hosting it yourself, but much less under your control.
I don't have deliverability issues to the big providers, but that comes down to the age of my domain and my IP in a clean non-residential block. But you won't have reputation issues if your friends and family also run their own server and don't enforce such arbitrary requirements. Running your own servers, not only for email, is the only way to regain control over your computing.
I have arrived at the opinion that what I would do if I moved to selfhost would just be to pay some trivial amount for outbound email via a provider like sendgrid as someone else in these comments has also mentioned. Since I send out maybe a half dozen emails a month I don't think this would be a big deal.
But when I relied on selfhosted email several years ago, I was always inundated with spam, which SpamAssassin was wildly undermatched to handle -- that was one of the main reasons I moved to gmail. So I'm curious what people who are happy self-hosting today are using.
My suggestion would be to use a unique alias for each website/company. This way, if you start receiving spam at that address, you know who leaked it, and can simply delete the alias. You should also then publicly name and shame the source of spam.
I also run SpamAssassin on my server, but I don't believe it ever had to do anything.
I've run my own mail for 10 years (postfix/dovecot/rspamd), no issues. Reverse DNS, SPF, and DKIM records need to be in place, but that's a small lift.
Well, one time I was unable to send mail to a guy with an ancient @att.com email address from his ISP. I got a nice bounce message back with instructions to contact their sysadmins to get unblocked.
To my surprise, they unblocked the IP of my mail server in a matter of hours.
Private email will have no problems. I also ran my own mail server for personal use and had almost zero problem (and this was on an AWS IP!).
Where people will absolutely have problems is trying to run a marketing campaign through their own IP. You absolutely will (and should) get blocked. This is why these mixer companies exist and why you pay for an intermediary to delivery your mail.
It is probably because you have run it so long that you have good reputation and less issues. Too bad we don't have time machine to go back to ninties to start building up reputation.
I suspect if you shared more info about your mail infrastructure, it might reveal that what is working for you is too complicated for 99.9% of people to set up and maintain themselves.
I don't think the goal is that every non technical person can host their own mail infra.
But most people who can run a server should be able to setup OpenSMTPd with the DKIM filter and Dovecot. It's much easier than configuring postfix like we had to do in the past.
To answer a sibling comment, the last time I received an answer is a few minutes ago. The correspondent's email infra is hosted by Google.
You're right, it used to be a bit complicated. Now you just need to have a reputable and clean IP address, and knowledge of running some services in docker and of course understanding DNS and its crucial role for running a mail server.
I used to run all the components and maintain it (even that wasn't bad), but I changed to mailu[1] about a year ago
There is a sweet spot between Gmail and self-hosting. I use Runbox and generally separate contexts, with CF being an exception as I use CF pages for static blog websites, some of their core services, AND as a registrar. For the latter, the default setting is porkbun. The reason for this is not CF's mandatory in-house DNS servers, but the simple fact that they do not register .de domains.
> The days of people running and maintaining their own are pretty much long gone
This is very much a myth. There's a lot of FUD around how mail is "hard", but it's much less complicated than, say, running and maintaining a k8s cluster (professionally, I'm responsible for both at my org, so I can make this comparison with some authority).
Honestly `apt install postfix dovecot` gets you 90% of the way there. Getting spambinned isn't a problem in my experience, as long as you're doing SPF and DKIM and not using an often-abused IP range (yes, this means you can't use AWS). The MTA/MDA software is rock-solid and will happily run for years on end without human intervention. There really isn't anything to maintain on a regular basis apart from patches/updates every few months.
This is 100% my experience too. Self-hosting email isn't any harder than self-hosting something else and there is no maintenance beyond apt update and apt upgrade. Even if you choose to do this in hard mode using postfix/dovecot instead of a dockerized stack, you can get a working config in a few minutes from an LLM these days.
Great move. Will probably switch to it immediately from Sendgrid as soon as it goes GA.
Sendgrid recently killed their free tier (100 emails per day) and their lowest plan is now $20/month for 50,000 emails. It's totally overkill for low traffic projects.
Yes, honestly been much more reliable than my previous provider (mailgun). Their IPs were constantly getting on spam blocklists with yahoo and hotmail. No issues with zepto so far, been using about 9 months.
Even with those pricing structures, 95%[1] of the spam I get comes from sendgrid. To their credit, their abuse@ address is good at handling the reports and they reply with a followup that the report was received and able to be acted upon[2].
The volume of spam (for me) doesn't seem to be decreasing from them, so there's a lot of moles to whack.
[1] Just a guess from looking at the last weeks
[2] I know it's automated, but often there's 2 that come with the 2nd one stating it's acted upon, so i'm hopeful.
These services are just spam-circumvention as a service. It's cheaper and easier to pay 20 bucks to sendgrid and let them fight the fight with google/microsoft/yahoo than to circumvent spam protections of the big providers.
You can very reasonably and reliably expect spam amount to correlate with the cost of sending said spam or expected return. At any service. There used to be a time where you HAD to check your mailbox several times a week or it would (literally) overflow with spam.
Re: Sendgrid killing their free tier - I used them for the contact form on my personal website, and after they ended the free tier I was able to move to Resend (who has a similar free tier) without too much work. Pretty happy with it so far.
Thanks for recommending mailpace, £7.50/month for 10,000 emails is very reasonable, _and_ they support idempotency! Definitely makes me consider switching to them..
> Sendgrid recently killed their free tier (100 emails per day) and their lowest plan is now $20/month for 50,000 emails. It's totally overkill for low traffic projects.
With a pricing structure like that it appears they became too tired of verifying/validating users to not send spam. Unfortunately I don't blame them.
$10/year for 10,000 messages/year is 10 cents per message. (Or some other volume at 10 cents/message.) Surely too high for spammers but cheap enough for an app with a low message volume.
Well, I was responding to your claim that "it appears they became too tired of verifying/validating users to not send spam" is the reason for killing their low-volume free tier. It's a different story if they dropped the free tier to focus on large-volume customers.
Sure, and then the spammers figure out how to fool the checks. And sendgrid has to figure out how to detect the new and improved spammers. Then the spammers figure out how to fool the new and improved checks... and so on.
The part where sendgrid has to keep figuring out how to make new and improved validation is expensive.
I keep thinking that Email would be a pretty natural extension process with the workers model in general... if they offered workers that could handle a tcp connection as stdin/out from the application perspective. Especially in concert with D1, R2 and other services.
I think the biggest issues would come down to server-side search functionality though. For very basic services, and even most of common IMAP/JMAP, it could be pretty great. Working on an a major email platform is something I've really wanted to do for a while now. (cloudflare, call me)
> Imagine a user emails your support address. A Worker can receive the email, parse its content, call a third-party API to create a ticket, and then use the Email Sending binding to send an immediate confirmation back to the user with their ticket number. That’s the power of a unified Email Service.
This is/was already possible. You can just reply to an email from an email worker.
I had the exact same thought. I guess now you could put something in a queue if you have to do non-trivial processing before replying, but that’s not what they wrote
Kind of off-topic, but it's such a pity that we arrived at email as the local minimum for the best communication protocol for transactional messages. Having to set up an email service just to be able to enable authentication flows on a new website is such a hindrance that I keep wondering if it would be different if sending push notifications to a cell phone was made an open protocol..
It's because every communication protocol since has been a walled-garden with a rent-seeker attached. This is why open, federated protocols are so critically important.
I hear your pain. However I think if you really look at it email is a good thing. Its brokenness is a highly desired feature. It is the last generally accepted tech bastion that keeps us from becoming some sort of always on the job star trek borg style creatures that cannot have plausible deniability that the computer failed.
This is the fate of most open protocols. It becomes too hard to migrate to a new spec due to the increasing difficulty of coordination and then the protocol gets stuck in time.
For registering/authenticating to service, SMS mostly. Same deal in Russia in my experience, basically every website/service signup asks for your mobile number and just texts verification codes.
So smart-phone is required for everything there? No computer flows for website access?
"We" definitely don't want that... but many others do as it takes control away from people.
Question for the Cloudflare people: We use sendgrid today, and create subaccounts through it (entirely with API calls) to allow our customers to add and verify their own domains (with a couple of DNS entries the customer can create). Then we can send out email on their behalf "from" their domains -- with DKIM, SPF, and all that still being happy.
Does the Cloudflare email routing product provide this same capability?
Finally. My two production projects are built entirely on Cloudflare workers platform, and I dread every time I have to login into AWS to manage SES. I even wrote a note for myself with instructions which buttons to press and where to navigate, like you'd write for your elderly relative who's "not good with technology".
What are people's experiences using their current Email Routing service? Mine wasn't great -- right after I set it up I could not get a single test email through to my recipient account despite multiple attempts. No delivery failure emails or any responses at all. Nothing on their dashboards either.
Searching their community threads turned up several other folks who had encountered similar silent failures that were never reported on the dashboards or any status page, leading them to question the company's interest in supporting this feature. I tabled that idea at that point as it was not critical.
A few months later, I randomly tried sending a test email again and it just worked. However, the initial experience left a bad taste in my mouth. Could I trust it to start routing critical emails?
Wondering what other folks here have experienced...
They enforced ARC without any notice which failed deliverability by about 50% for my catch-all address. I only noticed when someone told me they had emailed and it didn’t come through.
I just don’t trust them now. That was a huge misstep.
Been waiting for this for a long time! CloudFlare developer platform is underrated. The ability to use queues, cache (KV), Hyperdrive, and R2 (an S3 equivalent) with one line of code is just brilliant.
Same here. Cloudflare products are a really good balance for small projects that could eventually need to scale up. Durable objects is such a cool concept in itself that I don't know why it didn't catchup the same way in other providers.
I really like CF focus on developers but their R2 is not quite configurable yet as S3. I am looking forward to move away from S3 if R2 can get their bucket policies and permissions as advanced as S3.
>// Classify incoming emails using Workers AI
const { score, label } = env.AI.run("@cf/huggingface/distilbert-sst-2-int8", { text: message.raw" })
This is neat but be careful using an LLM to parse email content. The demo is a BERT model which is a good but I can see how someone might swap this without realising the implications
Also really nice to see emails from workers, its something I have wanted for a while!
This is great. I’ve had many side projects with Cloudflare where I’ve wanted a way to send emails as a part of it, and it’s slightly annoying having to go find another service to use to get that done. Having this baked-in will he sweet!
My understanding is that "Best Practice" is to use different companies for different services (not to have all of your "eggs in one basket") in case something goes wrong with one company and they take everything down.
This is what I have...
Domain Name Registrar: Dynadot
DNS: Cloudlare
Hosting: Dreamhost
Email: Fastmail
Should everything be under Cloudflare? I think they also do domain name registration and now, soon email. Not sure off the top of my head if they do hosting.
You can't connect to your email or hosting if your DNS with Cloudflare is down.
Plus, Dynadot uses Cloudflare for their site, so you couldn't even change your nameservers if CF is down.
A random scatter won't protect you from a service like CF / AWS / GCP being down, and most users won't benefit from protecting from that sort of unlikely and major scenario anyway...
That's a good catch about Dynadot using Cloudflare.
Ideally there would be a setup to avoid having the domain name registrar use a different DNS than me.
I'm more concerned if an over-zealous algorithm or employee shutting down an account and being able to just switch that one service to another company rather than losing everything.
I'm not sure what best practice actually is, but each different company you depend on is a different failure point. If CloudFlare goes down half the internet does (which is a problem of course, but not my problem), so from a purely utilitarian perspective depending on them feels like a safe bet.
Cloudflare have great products and engineering expertise, but it starts to get into a concerning territory; what kind of influence over various protocols of the Internet they (might) have.
To be clear, Cloudflare Email Service is not a full-blown email provider like Fastmail, nor is it even comparable to email services like AWS SES or SendGrid. Cloudflare already offered email routing and Cloudflare Email Service just adds the ability to send email via Cloudflare Workers, so there’s a long way to go before Cloudflare could be an option for replacing Fastmail.
You know, it might be closer to AWS SES and SendGrid than I thought initially. My first reading of blog post gave me the impression that Cloudflare Email Service was designed for Cloudflare Workers only because that’s what they emphasized upfront. But I missed this piece:
> We’re also making sure Email Service seamlessly fits into your existing applications. If you need to send emails from external services, you can do so using either REST APIs or SMTP.
I just shared this with the team:
Today, Cloudflare entered the email sending market.
While I didn't expect this to happen today, it didn't come as a surprise either. It was never a question of if Cloudflare would add an email sending API, but when. Back in 2022, they introduced Email Routing, and it was only a matter of time until they added the sending part.
Some people will see this and will want to migrate off Resend, others will say we're dead. The reality is that they are after our target audience, otherwise they wouldn't create an example showing how to use React Email on their announcement post.
Still, I truly believe this is good news. Here's why:
When Cloudflare introduces millions of users to their email API, they're creating our next users. Developers will run into limitations and will want more from an email service. They will need bulk sending, advanced templates, no-code editors, and a lot more. That's where we step in.
Email is not a winner-takes-all kind of market, and that's why we've been able to enter such a competitive space and still thrive. Competition is good because it forces the best product to win.
We cannot let our guards down, and lose our sense of urgency. The bar is higher for us right now, but if there's a team that knows how to increase the bar, that team is this.
I’m interested to see pricing and what the backend dashboards look like for this. I’m currently using PostmarkApp for my transactional emails and they keep bumping the monthly price and my usage is tiny. If I could just pay per email that would be better.
That said, I’m hosted on AWS so maybe I should look into SES as well if I’m going to replace my email sending service.
I wonder what the pricing will be. I would love to have it be where X number are free, then each one additionally will be a small price. I hate having to change tiers based on usage. I would have no problem funding an account and using that to pay for the overage.
Cloudflare at some point will basically compete with AWS as the entire infra platform for developers. They are slowly building tools one after another.
I am really excited to follow how their Containers platform matures as it is still too early.
Yup and why their share price has rocketed. Nobody in the CDN industry is making money - a large player went bankrupt recently. You don't want to look at Fastlys financials and share price
Cloud is where the money is.
This is good and I am fairly certain email is dead with AI, hopefully soon.
I went from hosting my own pop/imap/smtp email to ignoring it almost completely at work and personal for a variety of reasons.
Text messages and chat or X/message boards are all I use now. I have the same ability to deliver messages, content, forward, save, export, and migrate between platforms. The spam in SMS is tolerable at this point.
Oh sure, a nice emailing experience (compared with SES) seems positive. But there are negative comments like Cloudflare shipping this is net negative, so just trying to understand the context.
I would actually use an email service from Cloudflare. That literally means I don't have to rely on anything else to host my apps. Currently I use email forwarding to send emails to a different email address from my custom domain. This would help a lot
How is that a good thing? Are we, as a society, forgetting the value of diversification, or just ignoring it because convenience is good? Do you really want to be just one wrongful ban away from being completely offline?
This is exactly the service I was looking for. I am using cloudflare email forwarding but couldn't find anything about how to send form data from webpage to email.
All the email service that I could find has monthly subscription, no pay as you go offer. Hopefully, cloudflare will offer pay as you go.
Is there a way to get priority in waitlist? I don't mind bugs.
As someone not currently using Cloudflare Workers, I'm not sure I want to build a worker and figure out how to interface with it though my existing application just to send email. What happened to SMTP?
That is exactly a service I was hoping Cloudflare would provide.
Simple binding using wrangler is really a life quality upgrade when starting new projects.
It's always shocking to me how many people blindly sacrifice the principles that make the things their lives depend on actually worthwhile. The internet isn't just a thing that happened, it was developed and rolled out under specific principles and vision, and violating those principles destroys the system.
The internet doesn't work if Matthew Prince gets to act as global gatekeeper, or if CloudFlare gets conscripted as the new PRISM or NSA censorship and surveillance apparatus whether they want it or not. Given the profit incentives and intense pursuit of control, it's apparent (to me, at least) they're positioning themselves to profit off of the next big horsemen of the infocalypse opportunity.
Centralized control and gatekeeping of the internet, private or otherwise, should be shunned. Sacrificing that for walled garden features is despicable.
Don't shit in the village well, even if the guy selling bottled water says he'll get you a great deal. There are better ways of doing things.
Sure, I wouldn’t want the Linux foundation or other pieces of critical FOSS infrastructure to be routed via Cloudflair. But if I am setting up a web shop for somebody they usually care much more about someone at least pretending to be doing something about a ddos they got hit with that the decentralised internet.
To quote Raytheon “Morals are cool but 90k/year sounds a lot cooler”.
Use other services where necessary, and sparingly. Use only what's functionally necessary, and diversify. Encourage your employer or organization to avoid vendor lock. Don't ever meet with salespeople, stay in charge of your websites and infrastructure. Find a highly disagreeable technical engineer to tell you what you can get away with; you probably don't need the scale of the things CloudFlare, AWS, et al impose by default.
AI right now can do all of that for you; pay for the best initially, have it do deep searches that meet what you need, and find appropriate contractors and services. Drop down to the plus tier after you get what you need initially, if the $200+ versions are too steep, but you can absolutely afford one month to plan an overhaul that doesn't empty your wallet.
Mandate open standards and bake in flexibility to your organization; pivot frequently and aggressively away from companies and services that don't meet your principles or standards.
Wherever possible use self hosting, decentralized protocols, open standards, FOSS software, and pay for expertise over the massive overkill "but wait, there's more!" the conglomerators offer. Their economies of scale serve to consolidate unearned and unaccountable power, often in cooperation with very shady players.
Yeah, tragedy of the commons, this is why we can't have nice things, because it's hard, and complex, and actual evil people exist who will absolutely ddos sites and exploit every and any opportunity to grift people out of their money. Cloudflare is a well marketed bundle of solutions for real problems, but it's definitely not the only solution.
It's up to you to what extent you compromise on principles - with AI it's becoming much easier to find acceptable alternatives without having extensive domain expertise. Normal search engines are almost completely captured by SEO and big market players, and we have a window of opportunity to use new AI search to find things that defy the status quo. The window will probably close sometime in the near future, but until then, take full advantage and position yourself to not be subject to companies or industries that shouldn't be taking it upon themselves to gatekeep the internet.
Also, yell at your representatives about getting a digital bill of rights, protecting the open internet, breaking apart monopolies, and cultivating what's best for the internet, and the world.
We have to stop pissing away the good for the convenience of the cheap.
One thing I've grown concerned about, after watching the Twitter migration fizzle out, is we can imitate the old internet on a small scale, but on a large scale it just doesn't work. For Twitter specifically, the outcome was even worse, many users just migrated to other more centralized services or existing monopolies (like Instagram.)
Users are too used to being able to instantly stream 4k HDR 60fps. They are too used to limited amounts of spam. They are too used to having most non-agreeable content filtered. All of this stuff that big tech delivered now is replicate-able at the cost of tens of billions of dollars. The only business model that can pay for that is owning a giant ad platform.
Thinking about all of the issues the EU has had enforcing things like GDPR, which big tech companies largely haven't followed for years or straight up lied to their customers about, along with a possible failure of the DMA now due to tariffs.. and yet on the other side of the Atlantic, the US utterly failed to ban or control Tiktok. Endless announcements of upcoming deals that were either lies (Oracle protecting American's data) or postponements.
Meanwhile, all of the spam, hacking, bots, and DDoS attacks persist and grow, along with layer upon layer of (probably intentionally) poorly written and often conflicting legislation across multiple jurisdictions have truly made it impossible for the internet as it was designed and meant to exist to continue. (Sure you can just set up a basic web forum like you could do 20 years ago, not use Cloudflare, not host it at a major datacenter, and ignore all of the GDPR and age verification laws, but good luck. Hell, it doesn't even sound like it's really legal to run a Mastodon server anymore.)
One small hope is that if internet companies follow any pattern we've seen in other industries, when the growth ends, the managers will switch to tearing the conglomerates apart in to pieces and selling them off. One day CloudFlare might be split in to 30 pieces, along with Alphabet, Meta, and Amazon. But it could be a while.
They had it a few years ago, but the company offering the free integration essentially stopped offering the free part. I'm currently grandfathered in to mail channels.
Fun fact, you can actually use the current send_email binding to send emails to verified emails in your account (but this announcement will make it possible to send emails to everyone)
You can also reply to incoming emails from what I know, you just cannot initiate any email directly to prevent the obvious abuse. I wonder how they plan to mitigate that apart from keeping the pricing sane.
Please tell me this supports some kind of idempotency.. I fear it wont.
The kind of hoops I've had to jump through to achieve DIY idempotency with Postmark would make you cringe, a shared lock to avoid race conditions, and then using the API to check if an email with the unique id (manually added to the metadata when sending) has not already been sent before sending an email.
Being safe in the knowledge that an email with some unique key will only be delivered once regardless of bugs, processes dying mid task, network issues etc. just makes life so much simpler. The risk of sending duplicate emails or at worst spamming your users due to some more nefarious bug is something that you really want to guard against at as low a level as possible. Sure this might not be quite as consequential as duplicate charges through the Stripe API for example (Stripe have always seemed to lead the way with good API design in this regard).. doThing(data) is _not_ good enough for executing tasks over a network that are effectful, have a cost, and potentially risk your reputation if things go wrong. Idempotency keys should far more widely supported!
> Now, sending an email is as easy as adding a binding to a Worker and calling send
I hope it's easier to setup then the current mess of needing to use Wrangler to setup the send_mail binding the CF worker console can't even show in its binding list.
Will be interesting to see how good of a reputation they can keep (IP/sender reputation, specifically) given their historically very libertarian attitude to compliance.
Interesting development. Not really sure I trust Cloudflare on this one, the last time they tried this with "MailChannels" they got a bunch of people to use it and then killed it off a few months later. Still, their blog post was never updated to say the feature was removed: https://blog.cloudflare.com/sending-email-from-workers-with-...
MailChannels is a separate company from Cloudflare. At one point they offered a Workers integration, and Cloudflare blogged about it because we like to encourage such things. Unfortunately MailChannels later decided to discontinue their integration.
The new email product is built and operated by Cloudflare itself.
This is indeed great. I've been using emailjs dot com for low volume sending so far but they connect to your account and send it through there which is obviously problematic.. Will be interesting to see how pricing for low volumes is there. So far, I've found CF to be more than fair, esp. given their potential for abusive pricing.
Mailjet / Mailgun are one and the same service and since the acquisition, I haven't heard of anyone still happy with them. But yes good point, Mailjet is another one.
Cloudflare's email routing has been abused by malicious users for so long that I can no longer reliably use it with my domain, most times Outlook just blocks Cloudflare IP ranges and emails never get routed to my Outlook mail box.
No doubt cloudflare will refuse to receive emails from any mailservers except those that run special cloudflare extensions or whatever. It'll be a whitelist that's mostly corps only. For "security" of course.
And eventually it'll be so popular other mailservers will stop accepting mail from any except cloudflare/ms/apple/etc.
How cloudflare treats web browsers and their proposals for acting as gatekeeping for allowing websites to be spidered re: AI motivated corporations. Also cloudflare's near weekly proposals of unilateral protocol features that should be IETF'd but instead they just do and make others do because they're gatekeepers and they can. I expect them to keep behaving as they have and so posited likely 'cloudflare'-like actions for their announced attack on email.
I get that most people never feel the discimination and exclusion mediated by cloudflare because most people are just using chrome or whatever standard browser on their phones. But just because one doesn't have the lived experience of discrimination doesn't mean it isn't actively happening to lots of people.
Sorry... I though Cloudflare was offering full service email (SMTP/MTA). If it is just SMTP outbound email, then SMTP2Go would be a better alternative.
Fastmail is mentioned on every email provider suggestion thread on HN (Because they are great, happy user!), but they are not a transactional email provider which is what this product is about.
Eventually all Internet protocols will be MITMed by cloudflare. Your single point of interception!
To be honest, the internet was worse without Cloudflare, so as long as they provide a good service for their customers, I’m fine with it. This is one of those.
Google is in a perfect position to compete but they don’t, so it’s not like Cloudflare is a monopoly or something.
At least they’re not selling ads using your data.
> the internet was worse without Cloudflare
It had much more freedom. Currently it's up to Cloudflare to decide whether you will read that article or not. Tomorrow some stupid law will mandate certain ideas to be hidden from children[1] and Cloudflare will happily comply.
1. https://en.wikipedia.org/wiki/Think_of_the_children
How is this not a problem with the law rather than a problem with Cloudflare?
It's both. In allowing Cloudflare to grow so big, we now have one huge universal button for governments to push. If instead all of these customers were dispersed over hundreds of different services from different countries, good luck with trying to keep them all in line with your specific country's whims.
Because human nature is what it is. The best way to eat better isn't to be a better person, it's to not keep junk food at the house. It's not Cloudflare's fault that they're successful, but it's now everyone's problem that they're an easy throat for governments to choke.
For example, recently certain big corp ask me to verify something. I clicked on the link in the E-Mail and it was suck on Cloudflare the click button over and over again. No matter how many times I clicked.
Do I need to find another internet access now?
I don't know what kind of internet you used but mine didn't randomly decide to block my access to a website because some quasi monopolist decided I wasn't allowed to use a certain website for intransparent reasons.
Being blocked from a web site and having to hit a little box are two different things. Are you talking about the former or the latter? If it's the former ... that has literally never happened to me unless I'm on a VPN and even then it's rarely (if ever) CF that's doing the blocking.
If it's the latter then it reflects the sad truth that we can't have nice things anymoret. I have lots of problems with the accessibility of that box, but either Cloudflare would be implementing it, somebody else would be implementing it, or a huge chunk of data would be unavailable to you anyway because of accidental DDoS attacks caused by irresponsibly deployed bots.
This has happened for me on regular residential Internet access.
(Check the box, and get redirected to check the box again.)
> Being blocked from a web site and having to hit a little box are two different things.
Maybe for you.
But I don't let random unvetted websites run code on my computer. Checking that box requires it.
So you're blocking yourself? Seems really disingenuous to imply it's someone's fault when you know it's your own.
Why do you keep hitting yourself? Hahah
--childhood bullies
The internet is worse for me with Cloudflare. I'm using a cellphone router for my internet. My guess is I don't get a dedicated IP and probably behind a NAT with other users. 85% of my request needs me to solve a cloudflare captcha. on bad days I have to do this easily 100+ times.
It is not Cloudflare's fault. It means the website operators were so fed up with bots and bad actors that they just applied a carpet ban and called it a day. Thanks to Cloudflare I was able to reduce my website load threefold and downscale my VMs and my monthly cloud bill, and seeing how 50k daily requests were shown CAPTCHA and not even tried to solve it makes me terrified of running anything without Cloudflare.
Don't blame site owners and service that is trying to help them. Blame the fact that 90% of today's Internet traffic is bots
But what's the counterfactual? People use cloudflare because they want protection from ddos attacks and bots. If cloudflare didn't exist there would probably be similar measures.
Businesses want to protect the continuity of their business operations, and to that end they buy such protection as a service, from a business that managed to MitM half the Internet in order to provide such service.
Point being, it's a commercial subverting the Internet from inside, reshaping it to better serve the interests of commerce. It is indeed protection, but it's accomplished by reducing variance. 99% of legitimate commerce on the Internet follows the same patterns, use a small subset of possibilities offered by the technology - so why not just block the remaining 1% that doesn't fit and call it a day? It will stop most of the threats to running businesses on the Internet. The 1% of legitimate commerce that doesn't fit the pattern? It's not being ignored per se, just pressured to adapt and conform to the majority.
What is being ignored is that the Internet is not just a place of commerce, and non-commercial use cases, ideas such as empowering people to better their lives, are gradually becoming impossible, as fundamental Internet infrastructure becomes inhospitable for them.
Some of us still remember the Internet being more than just a virtual mall, and are unhappy about it gradually becoming one. And it's not like CloudFlare, et al. are hostile to non-commercial interests as a matter of principle - it's just out of scope for them.
Have you played with IPv6 vs IPv4? Wonder what's worse there, CGNAT-ed IPv4 or an inherently low-reputation IPv6.
CDNs always existed IMHO. The world before cloudflare was just much more hidden. In general I find their take at the typical cloud business from a network perspective mostly refreshing.
However, I guess they have become the major player now and certainly try to optimize the world towards their business model.
IMHO it needs other enterprises entering the competition. Maybe it could be new more software defined mobile network providers offering edge compute. Maybe data from IoT could never enter the Internet and we could have some confidential computing power when we need it for our IoT stuff. Maybe we could get a more decentralized Internet again...
> However, I guess they have become the major player now and certainly try to optimize the world towards their business model.
I don't think that's it, and I think the explanation is much more simple and straight-forward.
Cloudflare established a very successful business model around a straight-forward, very transparent, no-bullshit CDN. Now, they started offering other cloud services build around their CDN. Cloudflare Workers kind of extend their CDN pipeline to allow clients to run arbitrary code to customize caching logic, but it turns out their function-as-a-service model is exceptionally good, and higher-level services like email are a low-effort way to meet existing needs.
Much of their model and success was by giving away a lot of service for free.
I'm not discounting their innovations but had they not been VC funded and given away free service I suspect many would still never have heard of them.
Cloudflare is far from a no bullshit CDN. The vendor lock in is real with an aggressive unethcial sales model.
Like what? Give an example. I'm struggling to think of something they offer that is particularly unique and not offered by the other public clouds or several SASS companies.
I'm not entirely aware of all their products, but just thinking about a CDN, isn't that in many ways kind of fungible? Is it really that hard to migrate to your big cloud co's CDN (CloudFront, Google Cloud CDN) or the several other large competitors without an immense amount of work?
Please, educate me and tell me what's up.
Many of Cloudflare's products are bundled together for reasons.
Trying to unravel all that is an absolute nightmare.
Oh I remember a time before CDNs and a big part of your startup fundraise was to build out your own setup inside a data center.
It's not the specialization around hosting that's the problem, but that entities running CDNs realized they're in a privileged position in the network, and decided to capitalize on it.
I still believe that CloudFlare means well, but that doesn't mean that I agree with the increased centralization. This isn't the fault of CloudFlare, they are just exploiting a business opportunity and as you say: At least they're not selling ads.
It is a legitimate business, from my perspective. I'd just wish we weren't in a situation where CloudFlare isn't exactly struggling to sell their services.
> I still believe that CloudFlare means well, but that doesn't mean that I agree with the increased centralization.
I'm perplexed by this sort of comment. Cloudflare doesn't even feature in the top 10 of cloud provider market share, and the number 8 spot already reports 2%. And here you are, complaining about Cloudflare and centralization.
Furthermore, AWS is by far the biggest cloud provider, reporting around 30% market share, and I don't see AWS being referred as a concern.
20% of websites uses CloudFlare(1, 2), even companies that use AWS, GCP and Azure have their services behind CloudFlare.
1) https://www.theregister.com/2024/12/13/cloudflare_2024_revie...
2) https://en.wikipedia.org/wiki/Cloudflare
> To be honest, the internet was worse without Cloudflare
It was better. 'Wget' and 'links' worked with most of the sites.
> At least they’re not selling ads using your data.
Yet. Since it's an american company with an ever-growing influence, I dread and expect that to change, among other things, down the road. I assume the three-letter agencies also already MITM the traffic.
Assume your beloved tech company can be bought by Oracle and proceed on that basis.
You forgot about Broadcom !
We said the same thing with Google, "Don't be evil", "They are better than MS", now here we are, Google, became something that doing everything to squeeze every data off us, so that they can sell them to their partners.
And, anything that stops them from doing it, well, you are kind of erased from the Internet. The freedom we had, slowly becoming non-existent now.
Corporates have one and only one target. It is to make money. And this mentality, enables them.
Arguably, ecommerce was worse without Amazon but are we really better off?
Shipping times are definitely better off industry wide because of Amazon.
Same day shipping was always the norm here. Order something before 14:00 - 16:00, depending on where the company was on the route for package pickups, and you'd have your package the next day. Amazon has normalized multi-day / weeks shipping, so they've made it worse.
Where is this?
Denmark, there is no close Amazon warehouse, so shipping always suck. Not only is shipping times frequently a week or more, it's also overpriced and items are frequently less expensive from local online stores.
Amazons only advantage is it's massive selection, if you can find what you're looking for.
> At least they’re not selling ads using your data
Sounds great, until a new CEO steps in. Any company is exactly one (or more often zero) CEO away from doing whatever they want (within legal constraints) with their business, in order to fulfill their fiduciary duty (and greed).
I’m not going anywhere anytime soon.
Huge fan of Cloudflare here actually. It’s always such a breath of fresh air compared to the heavyweight configuration hells like AWS. And for doing super convenient stuff like make node:http work on cloud functions recently, but guess only certain DevOps guys realize how cool that is compared to other FaaS wrapping ceremonies.
Too bad you don’t hire senior folks in Germany currently, would probably join in a heartbeat for emotional reasons alone. Keep going, lightweight features on a tap and solid reliability over years is exactly what I need and want at least.
I am genuinely curious what protections are in place to ensure that? What is the plan after you are gone?
It looks like you have voting shares with 10x the power of institutional investors, but activist investors aren't dumb either.
My biggest fear of Cloudflare has always been that one day you'll get hit by a bus and someone will figure out that merging Cloudflare with an ad network would create so much more shareholder value. The road to hell is paved with free DDoS mitigation, so to speak.
How do you know?
> Google is in a perfect position to compete but they don’t, so it’s not like Cloudflare is a monopoly or something.
Not to comment on whether they're actually a monopoly or not (since idk much about CF's market share, except that it's big), but how does this prove they aren't a monopoly? If anything, it'd work as evidence to prove that they are.
I think the point is to keep them in that mindset, and that requires competition and some counterbalance that won't be there is everyone just moves to Cloudflare.
Yet…
If Cloudflare is so vital to the internet, it should be nationalized for the public benefit as having a private entity with so much control over the internet is not a good thing. Corporatized control of the internet should not be encouraged.
Can't believe if you are joking or not.
I trust a corporation more than I trust the nation you want it nationalized in (America?)
EU maybe. But yes I don't want cloudflare to be part of america after patriotic acts and all the dystopia.
Honestly, cloudflare is not so vital to the internet. Like, The only thing its gonna be a problem if they stop working without giving any way to migrate. Then yes, its gonna be a bit of problem to the internet.
>cloudflare is not so vital to the internet
Really? Try distrusting CF certs, and see how much of your internet activity breaks. CF certs should be distrusted, because it's MITM by definition. At the very least, I'd like an addon that makes the URL bar bright red, so I know my connection isn't secure.
It's not more vital, than, say, AWS. Blocking AWS certs/endpoints will break your internet too.
Though arguably neither should be in a position to do so without being regulate as a public utility
Yup, I also meant the same when I was writing my comment and although I agree about regulation, the thing is, that I don't even trust that aspect...
Also, I know that there are sometimes where cloudflare sits in the middle between your servers and your users for DDOS protection, and so yes theoretically its a point of interception but given how their whole thing is security, I doubt that they would exploit it but yes its a point of concern.
On the other hand, if something like this does happen, migrating can be easier or on the same level if something like this happened on like AWS.
But cloudflare still feels safer than AWS y'know?
That being said, I am all in for some regulations as a public utility but not nationalizing it as the GP comment suggested. Just some regulations would be nice but honestly we are in a bit of tough spot and maybe it was the necessity of the internet to have something like cloudflare to prevent DDOS's.
Hm, you raise good points but I just thought when I was writing that comment, that if there was even a single case of somebody using that MITM then that would just make everyone leave cloudflare and find either other mechanism or something else that's safer for sure.
I think that cloudflare is used by most as DDOS protection and so they still have the servers.
There are also cloudflare workers and pages but even migrating them is somewhat doable as I think that cf workers have a local preview option somewhat available in their node etc., so you could run it locally somehow.
Sure its gonna be a huge huge problem but something that the internet might look past of (I think).
Honestly, I kinda wish that there was a way to have something like how the tor onion links work in the sense that the link has the public key of the person running the server and so uh, no matter if its cloudflare serving the link or something else, its still something that can't be MITM'd for the most part.
Am I right in thinking so? Sure, its gonna make the links longer but maybe sacrifices/compromises must be made?
The EU is quickly becoming a dystopian nightmare with age verification, mandated encryption backdoors, and generally an extremely invasive form of government. So no thanks.
No thanks to this level of evaluation which doesn’t even rise to “analysis”, it’s just a word salad association that picks two hobby horses and pretends they represent the apocalypse while ignoring all the measures on which many EU participating countries are producing quality of life and personal freedom at outlier levels.
Lets just hope that EU doesn't add that age verification thing or those Cert based things which is controlled by the govt.
My opinion is simple, age verification won't work unless they block VPN (something which UK wants to do/ is doing) and that sets a really really bad precedent and I doubt if its entirely possible without breaking some aspects of internet or complete internet privacy.
EU in aggregate is net positive but it still has some things which are kinda flawed regulations that are a bad precedent, but germany kinda blocked the verification thing iirc so there is still a lot of hope and EU does look like its trying its best but I think that it can do just a bit better if they don't think of age verification or some other stuff but that's just my 2 cents.
This was why I added "maybe" tbh. They are one of the best options but even they aren't thaat good. Like its questionable I think and needs a much bigger debate
What quality of life improvements? I seriously hope major tech companies pull out of the EU market altogether instead of complying when client-side scanning is mandated. Then you can come back here and brag about how great life is in the EU.
I would say if the political environment pre 1980s was still in existence that might be true. Today that would just mean the entire thing would unravel as it ate its own tail in the race to the bottom environment we are currently in.
You can create democratic policies to thwart this. Even something as basic as nationalizing Cloudflare then forcing workplace democracy provisions on it would probably do more good for, not just the Cloudflare workers, but society writ large.
If CF limited their clients to big businesses (just like Akamai and who else?) it might be less bad, but as it is, they're trying to get the whole internet including small sites on board.
you're right
internet is made sooo much better by negating all encryption effort of the last 20 years
I dunno, I am basically a dick to Big Tech all the time, give me an opening and I will go after them with gusto, but I can't really find fault in Cloudflare offering email sending infrastructure.
The ire should be reserved for if and when they establish some kind of monopoly or other anti-consumer practices, fall afoul of anti-trust law, and inevitably the US government gives them a free pass for criminality like it has been doing for years with dozens of other Big Tech mergers, rollups, exclusivity dealings, etc. and appears to have just done again with Google a few weeks ago.
It is fine for big companies to offer competing email sending services. It is not fine for them to break competition laws.
Also yes, please do set up SPF, DKIM and DMARC for me. I may very well end up using this down the road because they say they'll do that for me and I just don't want to think about them in some situations.
> Also yes, please do set up SPF, DKIM and DMARC for me.
I'm going to take this opportunity, because hopefully Cloudflare will see it, to request they support SPF record flattening natively.
Yes, but also you can't send an email in any meaningful way on the internet without going through a middleman anyways so while philosophically you're correct, in reality it's already the case.
And then they'll offer to 'protect' you from AI scrapers for a fee and then bulk negotiate against Google, etc for another fee.
If you use an old web browser, lots of sites are already not usable because Cloudfare's CAPTCHA will deny you entry.
New but non-standard niche browsers are also problematic.
I usually have the same (residential) IP for weeks on end and there's absolutely no malware or scraping or whatever the heck it is that Cloudflare thinks it's protecting against going on in my house. Yet I still get blocked or captcha'd.
Website owners may understandably be appreciative of CF. But as as someone browsing the web, I think it's done a lot of irreversible* damage to the open internet.
* I say irreversible because I don't think they'll be looking to improve this anytime soon, but rather add more restrictions.
As a website owner who uses Cloudflare after having being DDOS'd, I agree whole heartedly.
Cloudflare succeeded to do what Google tried and failed with AMP, and we are all the worse off for it. [Though at least it is not Google, that would be worse.]
I cannot afford to be DDOS'ed and there are bad actors that have already proven that they _will_ take me down if they could. So, I feel bad for the internet being walled up, and I feel bad for users that will lose access. And I fret that one day CF may just decide to take all my content and use it somehow to shut me down.
Meanwhile though, I hold my nose, cry inwardly, and continue to use Cloudflare.
What was your infrastructure like? Were the DDoSes affecting you at the application or network layer? I wonder if there's the case to be made for something like CF but integrated into your L4 and L7 LB infrastructure.
I am certain this is the intended endgame. LinkedIn/X style verification to prove you are not a bot once the hold is in enough places.
That such a database has other uses would be a happy coincidence.
and then capture the data on the sly and sell it to the AI scrapers anyway
Yeah it's already a known point of failure. The annual chaos is always when they have some downtime. They do offer an incredible service though. Would like to see some competition but it's not easy.
https://blog.cloudflare.com/enterprise-grade-features-for-al...
That's great - and maybe I'm cynical - but that's right where my mind went when I read that. Trading income for control isn't a bad game..
I have been logging in via ssso on business non enterprise plan for a year. Am I a part of an a/b test or what?
Good point, but I guess we are stuck here.
I don't think Cloudflare did anything major wrong, most of what they offer have plenty of alternatives, but Cloudflare is able to do a lot for free which really isn't their fault.
There are complain about its cache's captcha, I get it, ideally it should not discriminate any human user, but IMO it's an economical problem unless we collectively decide what they do is public utilities.
Was about to comment on this but you got right to the point. All of this is because people are lazy to build, let alone maintain, their own damn programs and servers.
I have more money than time. Take my money to do things I do not have time for. What you call lazy, I call time and capital/cashflow efficient.
(cloudflare customer, in both personal and professional capacities; i pay Fastmail to host family email; both can easily be switched if needed to prevent lock in, with DNS changes and in the case of hosted email, an export of mailboxes and tenant config)
What GP is effectively saying is that you don’t value independence enough to invest the necessary money and (for personal use) time into self-hosting.
And there is a spectrum to this. For example, using a small, independent email or hosting provider may cost a little more time, but makes you more independent from big tech, and maybe more importantly, contributes to reducing the power of big tech. We are all paying for it, down the line.
This is a fallacy, as self hosting means you remain at the whims of receiving or interfacing systems. Does you hosting your own email change the concentration of email accounts hosted at Yahoo, Microsoft, and Gmail? It doesn't. Does hosting your own domain or website change Cloudflare's concentration and centralization of internet traffic? It doesn't. You vote with your dollars by picking providers who won't lock you in, you vote with your dollars by picking protocols over platforms that cannot lock you in.
Paying Fastmail, along with others who do so, means Fastmail will remain as a non Big Tech option, for example (they also developed and championed, JMAP, for a more efficient user experience). Paying Kagi means Kagi will remain as a non Big Tech option. Donating to Let's Encrypt means Let's Encrypt will remain as a public good independent of Big Tech. I could go down the list of every service I pay for to de-Google and de-Big Tech, but that's likely unhelpful to further demonstrate the point.
> We are all paying for it, down the line.
Indeed, so establish and fund organizations that provide systems and services for benefit vs profit and control that cannot be captured. Self hosting your own box at home helps you (which is totally fine and reasonable, I run my own on prem infra across two continents at small business enterprise scale for use cases I cannot procure commercially at reasonable cost), but does nothing else, and doesn't scale.
(think in systems)
Hosting your own email means the subpoena (or warrant) is delivered to you.
You get to respond to requests and your data cannot be handed over without your knowledge.
You will still be required to hand it over, or sit in jail while your confiscated, inventoried equipment is processed by forensics. If I want to be subpoena proof, I’d host the subject system outside the jurisdiction with an org having no connection or nexus in the adversary jurisdiction. Admittedly, this is up to your threat model. Do you want to know, but still be legally required to provide access? Or do you want to be out of reach entirely? The answer to that will guide your implementation and operating model in this context.
I don't mind being warranted, if they come to the door with warrant I will give them my boring, pedestrian inbox
but I do mind my data being drag-netted, or hoovered up by scummy big tech and then sold on
(whether that's for slop training, ads, anything really)
A lot more people and organizations would self-host email if it wasn't a minefield. It's not laziness that Google and Microsoft have effectively decided nobody's allowed to do that.
Your website provides "paywalled hosting and sales platform for digital content creators"
Are digital content creators lazy too? Why don't they just host their content on their own damn servers?
It's not laziness, it's greed. People want to build and host their own things but that costs money.
Is this even true for such a sensitive subject like email where there are insane blacklists/whitelists everywhere in which you are forced to use a middleman either way so your emails enter someone's inbox?
And this sentiment of "every company should have to run their own servers and pay 'me' to do that at a higher cost" isn't greed?
running email servers is a huge and terrible time sink
Always has been; remember AOL basically reinventing DNS?
And always will be.
OOF
Do you talk to your customers with that mouth?
For those who are lazy to click, this guy's business is hosting and maintaining a sales platform for people.
What's the problem? GP is addressing a market need consistent with their comment above. I wouldn't be surprised by a auto mechanic stating that (too) many people are too lazy to change their oil - they might be the best person to manke that observation, given their PoV.
The new Room 641A
Well, this is their second try at this. They shut down their first attempt after a year (and left a ton of developers stranded).
https://blog.cloudflare.com/sending-email-from-workers-with-...
MailChannels was a different company that offered an integration with Workers, and then later decided to stop offering that integration.
Today's announcement is a feature offered directly by Cloudflare.
I approve of this message.
Email is already MITMed by gmail. 90% of my time managing transactional/marketing emails is just keeping gmail from moving my legit customer communications to spam.
> Today, we're excited to announce just that: the private beta of Email Sending, a new capability that allows you to send transactional emails directly from Cloudflare Workers.
So many comments here assumed from the title they're offering a hosted email service, they aren't, they are announcing their own Sendgrid.
That's exactly why I'm excited. I could really use this.
It's unfortunate that email hosting and email infrastructure can really be done only well by major players. The days of people running and maintaining their own are pretty much long gone.
Fwiw, not a knock against CF. I like their products, mostly simple, fair pricing, etc. Just a bit unfortunate commentary on the state of email infra on the internet.
I run my own email server and you couldn't pay me to use a commercial provider like Google instead. The privacy benefits are huge and there is no one to restrict my storage or change my "terms and conditions" overnight.
The days of people running their own servers are gone because of the shortsightedness and laziness of IT managers. They though the "cloud" would be easier and cheaper, and they are now trapped.
You don't have deliverability issues?
I entertained the idea of running my own mail servers for a while. After researching the topic it turned out that the internet now runs on an IP reputation system. Major email services like gmail assume that anything sent from unknown IPs is malicious.
So it looks like we've gotta be well connected to federate with the other email servers now. A nobody like me can't just start up his own mail server at home and expect to deliver email to his family members who use gmail or outlook. So I became a Proton Mail customer instead.
I've run my own mail servers for many decades and have never had any deliverability issues. I've also never used bargain basement cloud VPS services with horrible reputations.
The best way to ensure a good reputation is to obtain your own address space from a RIR. Barring that, you need to choose a provider with a decent reputation to delegate the space to you.
> The best way to ensure a good reputation is to obtain your own address space from a RIR.
There is the slight problem that RIRs ran out of (v4) addresses almost a decade ago.
Not true, at least for ARIN. If you have an IPv6 allocation, you can obtain one or more IPv4 /24 allocations, so long as their stated purpose is to provide IPv4/IPv6 compatibility (e.g. for dual-stack services or NAT): https://www.arin.net/participate/policy/nrpm/#4-10-dedicated...
> After researching the topic it turned out that the internet now runs on an IP reputation system. Major email services like gmail assume that anything sent from unknown IPs is malicious.
You have to buy/rent a dedicated IP address (that you'll be able to keep long term), and it warm it up by gradually increasing mail volume over a few months to weeks. But once you have, deliverability shoudl be fine.
I think the bigger issue is needing to keep on top of mainenance of the server.
Like the parent have ran Email servers for many years now. If you get a bad IP, as long as you get the DKIM records right, over time it will 'warm' up the IP. And the more you use the email on that IP and NOT spam people. The IP will warm up. Make sure you actually own that IP!!! It will become valuable.
Deliver via sendgrid*, receive directly is probably the only viable path for self hosted systems.
Where sendgrid=any major player, could be Mimecast, proofpoint or anyone else who will forward outgoing email.
FWIW, a huge percentage of the spam I get is via Sendgrid, and at some point in the past year or two their abuse reporting mechanisms all turned into black holes, so mail sent via Sendgrid is heavily penalized in my spam rules.
Sending reputation is just as applicable if you're using a third party as if you're hosting it yourself, but much less under your control.
I don't have deliverability issues to the big providers, but that comes down to the age of my domain and my IP in a clean non-residential block. But you won't have reputation issues if your friends and family also run their own server and don't enforce such arbitrary requirements. Running your own servers, not only for email, is the only way to regain control over your computing.
Can you share what your antispam strategy is?
I have arrived at the opinion that what I would do if I moved to selfhost would just be to pay some trivial amount for outbound email via a provider like sendgrid as someone else in these comments has also mentioned. Since I send out maybe a half dozen emails a month I don't think this would be a big deal.
But when I relied on selfhosted email several years ago, I was always inundated with spam, which SpamAssassin was wildly undermatched to handle -- that was one of the main reasons I moved to gmail. So I'm curious what people who are happy self-hosting today are using.
My suggestion would be to use a unique alias for each website/company. This way, if you start receiving spam at that address, you know who leaked it, and can simply delete the alias. You should also then publicly name and shame the source of spam.
I also run SpamAssassin on my server, but I don't believe it ever had to do anything.
I’m the reverse, I can Microsoft 8 bucks not to mess with this? Sign me up!
I've run my own mail for 10 years (postfix/dovecot/rspamd), no issues. Reverse DNS, SPF, and DKIM records need to be in place, but that's a small lift.
Well, one time I was unable to send mail to a guy with an ancient @att.com email address from his ISP. I got a nice bounce message back with instructions to contact their sysadmins to get unblocked.
To my surprise, they unblocked the IP of my mail server in a matter of hours.
Private email will have no problems. I also ran my own mail server for personal use and had almost zero problem (and this was on an AWS IP!).
Where people will absolutely have problems is trying to run a marketing campaign through their own IP. You absolutely will (and should) get blocked. This is why these mixer companies exist and why you pay for an intermediary to delivery your mail.
This is a myth though (with some truth to it in certain cases). I've run my own mail infrastructure since 1999, no issues.
It is probably because you have run it so long that you have good reputation and less issues. Too bad we don't have time machine to go back to ninties to start building up reputation.
I suspect if you shared more info about your mail infrastructure, it might reveal that what is working for you is too complicated for 99.9% of people to set up and maintain themselves.
I don't think the goal is that every non technical person can host their own mail infra.
But most people who can run a server should be able to setup OpenSMTPd with the DKIM filter and Dovecot. It's much easier than configuring postfix like we had to do in the past.
To answer a sibling comment, the last time I received an answer is a few minutes ago. The correspondent's email infra is hosted by Google.
You're right, it used to be a bit complicated. Now you just need to have a reputable and clean IP address, and knowledge of running some services in docker and of course understanding DNS and its crucial role for running a mail server.
I used to run all the components and maintain it (even that wasn't bad), but I changed to mailu[1] about a year ago
[1] https://mailu.io
Your argument might have worked 5 years ago. Now, with AI, it's very dated.
Every single IT team I know wanted to get rid of the mails servers.
I don't know why. At the same time they don't want to get rid of the bbdd servers, or the app servers.
Maintaining a email service must not be as easy for them.
Have you had static IP since then? A problem is that most new mail servers will have IP address with history.
The current static IP (it changed over the years) I got in 2016 or so.
Well, it’s hard to beat 26 years of expertise.
>This is a myth though (with some truth to it in certain cases). I've run my own mail infrastructure since 1999, no issues.
when was the last time you got a reply to an email you sent?
All the time. I use it in production and I have many users.
> I like their products
I do, too. What I don't like is that they became too large and now are effectively in position to gatekeep the whole internet.
There is a sweet spot between Gmail and self-hosting. I use Runbox and generally separate contexts, with CF being an exception as I use CF pages for static blog websites, some of their core services, AND as a registrar. For the latter, the default setting is porkbun. The reason for this is not CF's mandatory in-house DNS servers, but the simple fact that they do not register .de domains.
> The days of people running and maintaining their own are pretty much long gone
This is very much a myth. There's a lot of FUD around how mail is "hard", but it's much less complicated than, say, running and maintaining a k8s cluster (professionally, I'm responsible for both at my org, so I can make this comparison with some authority).
Honestly `apt install postfix dovecot` gets you 90% of the way there. Getting spambinned isn't a problem in my experience, as long as you're doing SPF and DKIM and not using an often-abused IP range (yes, this means you can't use AWS). The MTA/MDA software is rock-solid and will happily run for years on end without human intervention. There really isn't anything to maintain on a regular basis apart from patches/updates every few months.
This is 100% my experience too. Self-hosting email isn't any harder than self-hosting something else and there is no maintenance beyond apt update and apt upgrade. Even if you choose to do this in hard mode using postfix/dovecot instead of a dockerized stack, you can get a working config in a few minutes from an LLM these days.
For people looking to self host email, the mox software is surprisingly refreshing.
Open source and available here: https://xmox.nl/
Great move. Will probably switch to it immediately from Sendgrid as soon as it goes GA.
Sendgrid recently killed their free tier (100 emails per day) and their lowest plan is now $20/month for 50,000 emails. It's totally overkill for low traffic projects.
Zeptomail by zoho has been reliable for me and extremely reasonably priced: https://www.zoho.com/zeptomail/
This is really cheap, is the deliverability good?
Yes, honestly been much more reliable than my previous provider (mailgun). Their IPs were constantly getting on spam blocklists with yahoo and hotmail. No issues with zepto so far, been using about 9 months.
Even with those pricing structures, 95%[1] of the spam I get comes from sendgrid. To their credit, their abuse@ address is good at handling the reports and they reply with a followup that the report was received and able to be acted upon[2].
The volume of spam (for me) doesn't seem to be decreasing from them, so there's a lot of moles to whack.
[1] Just a guess from looking at the last weeks [2] I know it's automated, but often there's 2 that come with the 2nd one stating it's acted upon, so i'm hopeful.
These services are just spam-circumvention as a service. It's cheaper and easier to pay 20 bucks to sendgrid and let them fight the fight with google/microsoft/yahoo than to circumvent spam protections of the big providers.
You can very reasonably and reliably expect spam amount to correlate with the cost of sending said spam or expected return. At any service. There used to be a time where you HAD to check your mailbox several times a week or it would (literally) overflow with spam.
Re: Sendgrid killing their free tier - I used them for the contact form on my personal website, and after they ended the free tier I was able to move to Resend (who has a similar free tier) without too much work. Pretty happy with it so far.
Try https://mailpace.com
The lowest plan $40/year for 1k emails/month isn’t on the Pricing page, but you can select it when signing up.
Been using Mailpace for a few years.
Has been a 10/10 experience -- rock solid and extremely good deliverability.
Wish the pricing increased non-linearly though at higher volumes.
Thanks for recommending mailpace, £7.50/month for 10,000 emails is very reasonable, _and_ they support idempotency! Definitely makes me consider switching to them..
Thanks. It's not very smart to not list that plan in the pricing page IMO.
Or migadu for 19/yr
Migadu is more for personal emails - they aren't meant for transactional emails at all.
smtp2go.com offers a free tier with 1,000 emails/month. I’ve been using it for a few small services I run and haven’t had any issues so far.
smtp2go will let you have 200 a day or 1000 a month for free.
Switched to this from Sendgrid for my low email volume apps.
> Sendgrid recently killed their free tier (100 emails per day) and their lowest plan is now $20/month for 50,000 emails. It's totally overkill for low traffic projects.
With a pricing structure like that it appears they became too tired of verifying/validating users to not send spam. Unfortunately I don't blame them.
$10/year for 10,000 messages/year is 10 cents per message. (Or some other volume at 10 cents/message.) Surely too high for spammers but cheap enough for an app with a low message volume.
$10/year for 10,000 messages is a tenth of a penny per message
It's not about optimizing for low volume side projects.
Barrier to entry for (12 * $20) is much higher than $10/year and they figure that was worth the tradeoff of losing small fish customers.
Well, I was responding to your claim that "it appears they became too tired of verifying/validating users to not send spam" is the reason for killing their low-volume free tier. It's a different story if they dropped the free tier to focus on large-volume customers.
isn't this done automatically?
Sure, and then the spammers figure out how to fool the checks. And sendgrid has to figure out how to detect the new and improved spammers. Then the spammers figure out how to fool the new and improved checks... and so on.
The part where sendgrid has to keep figuring out how to make new and improved validation is expensive.
I hope they enforce the use of plain text versions of html email :)
I keep thinking that Email would be a pretty natural extension process with the workers model in general... if they offered workers that could handle a tcp connection as stdin/out from the application perspective. Especially in concert with D1, R2 and other services.
I think the biggest issues would come down to server-side search functionality though. For very basic services, and even most of common IMAP/JMAP, it could be pretty great. Working on an a major email platform is something I've really wanted to do for a while now. (cloudflare, call me)
> Imagine a user emails your support address. A Worker can receive the email, parse its content, call a third-party API to create a ticket, and then use the Email Sending binding to send an immediate confirmation back to the user with their ticket number. That’s the power of a unified Email Service.
This is/was already possible. You can just reply to an email from an email worker.
I had the exact same thought. I guess now you could put something in a queue if you have to do non-trivial processing before replying, but that’s not what they wrote
Kind of off-topic, but it's such a pity that we arrived at email as the local minimum for the best communication protocol for transactional messages. Having to set up an email service just to be able to enable authentication flows on a new website is such a hindrance that I keep wondering if it would be different if sending push notifications to a cell phone was made an open protocol..
It's because every communication protocol since has been a walled-garden with a rent-seeker attached. This is why open, federated protocols are so critically important.
I hear your pain. However I think if you really look at it email is a good thing. Its brokenness is a highly desired feature. It is the last generally accepted tech bastion that keeps us from becoming some sort of always on the job star trek borg style creatures that cannot have plausible deniability that the computer failed.
Oh i didn't get that email.
Oh spam filter.
Oh so backlogged on email.
Spam push messages don’t need to be a thing. Ever.
This is the fate of most open protocols. It becomes too hard to migrate to a new spec due to the increasing difficulty of coordination and then the protocol gets stuck in time.
China was able to pull that one off, pretty much no one uses email there.
What exactly are they using? Wechat messages?
For registering/authenticating to service, SMS mostly. Same deal in Russia in my experience, basically every website/service signup asks for your mobile number and just texts verification codes.
So smart-phone is required for everything there? No computer flows for website access? "We" definitely don't want that... but many others do as it takes control away from people.
Question for the Cloudflare people: We use sendgrid today, and create subaccounts through it (entirely with API calls) to allow our customers to add and verify their own domains (with a couple of DNS entries the customer can create). Then we can send out email on their behalf "from" their domains -- with DKIM, SPF, and all that still being happy.
Does the Cloudflare email routing product provide this same capability?
Finally. My two production projects are built entirely on Cloudflare workers platform, and I dread every time I have to login into AWS to manage SES. I even wrote a note for myself with instructions which buttons to press and where to navigate, like you'd write for your elderly relative who's "not good with technology".
What are people's experiences using their current Email Routing service? Mine wasn't great -- right after I set it up I could not get a single test email through to my recipient account despite multiple attempts. No delivery failure emails or any responses at all. Nothing on their dashboards either.
Searching their community threads turned up several other folks who had encountered similar silent failures that were never reported on the dashboards or any status page, leading them to question the company's interest in supporting this feature. I tabled that idea at that point as it was not critical.
A few months later, I randomly tried sending a test email again and it just worked. However, the initial experience left a bad taste in my mouth. Could I trust it to start routing critical emails?
Wondering what other folks here have experienced...
They enforced ARC without any notice which failed deliverability by about 50% for my catch-all address. I only noticed when someone told me they had emailed and it didn’t come through.
I just don’t trust them now. That was a huge misstep.
I use it with a couple of addresses. No issues so far.
Been waiting for this for a long time! CloudFlare developer platform is underrated. The ability to use queues, cache (KV), Hyperdrive, and R2 (an S3 equivalent) with one line of code is just brilliant.
Same here. Cloudflare products are a really good balance for small projects that could eventually need to scale up. Durable objects is such a cool concept in itself that I don't know why it didn't catchup the same way in other providers.
About their developer platform: https://blog.cloudflare.com/cloudflare-developer-platform-ke...
I really like CF focus on developers but their R2 is not quite configurable yet as S3. I am looking forward to move away from S3 if R2 can get their bucket policies and permissions as advanced as S3.
Could you accomplish your needs in R2 just using more buckets?
potentially yes. but that will not be a clean solution. One bucket per customer is our rule.
Email for developers will always trickle down to a commodity, wrappers will get left behind, acquired, or relegated to a small niche.
That seems very similar to Resend, which has been a joy to use for my part.
>// Classify incoming emails using Workers AI const { score, label } = env.AI.run("@cf/huggingface/distilbert-sst-2-int8", { text: message.raw" })
This is neat but be careful using an LLM to parse email content. The demo is a BERT model which is a good but I can see how someone might swap this without realising the implications
Also really nice to see emails from workers, its something I have wanted for a while!
This is great. I’ve had many side projects with Cloudflare where I’ve wanted a way to send emails as a part of it, and it’s slightly annoying having to go find another service to use to get that done. Having this baked-in will he sweet!
My understanding is that "Best Practice" is to use different companies for different services (not to have all of your "eggs in one basket") in case something goes wrong with one company and they take everything down.
This is what I have...
Domain Name Registrar: Dynadot
DNS: Cloudlare
Hosting: Dreamhost
Email: Fastmail
Should everything be under Cloudflare? I think they also do domain name registration and now, soon email. Not sure off the top of my head if they do hosting.
You can't connect to your email or hosting if your DNS with Cloudflare is down.
Plus, Dynadot uses Cloudflare for their site, so you couldn't even change your nameservers if CF is down.
A random scatter won't protect you from a service like CF / AWS / GCP being down, and most users won't benefit from protecting from that sort of unlikely and major scenario anyway...
That's a good catch about Dynadot using Cloudflare.
Ideally there would be a setup to avoid having the domain name registrar use a different DNS than me.
I'm more concerned if an over-zealous algorithm or employee shutting down an account and being able to just switch that one service to another company rather than losing everything.
I'm not sure what best practice actually is, but each different company you depend on is a different failure point. If CloudFlare goes down half the internet does (which is a problem of course, but not my problem), so from a purely utilitarian perspective depending on them feels like a safe bet.
Does Fastmail have an easy API for sending messages from an app? I've tried it before but found it much more complex than an API call.
They do, it’s call “pages”
Cloudflare have great products and engineering expertise, but it starts to get into a concerning territory; what kind of influence over various protocols of the Internet they (might) have.
Especially when they decide you've used too much and shake you down for a higher business or enterprise plan.
WTF Cloudflare you are using a google form for the beta sign up?
Sign up to the waitlist here. https://forms.gle/BX6ECfkar3oVLQxs7
Edit: I see its an email sending service not client.
To be clear, Cloudflare Email Service is not a full-blown email provider like Fastmail, nor is it even comparable to email services like AWS SES or SendGrid. Cloudflare already offered email routing and Cloudflare Email Service just adds the ability to send email via Cloudflare Workers, so there’s a long way to go before Cloudflare could be an option for replacing Fastmail.
What would be the difference if we are talking about transactional emails? Why not comparable to SES?
You know, it might be closer to AWS SES and SendGrid than I thought initially. My first reading of blog post gave me the impression that Cloudflare Email Service was designed for Cloudflare Workers only because that’s what they emphasized upfront. But I missed this piece:
> We’re also making sure Email Service seamlessly fits into your existing applications. If you need to send emails from external services, you can do so using either REST APIs or SMTP.
> This really irks me.
It shouldn't.
They are not launching a complete emailing service, this is just a service that you use to send emails from an app.
"Moving" to their service is as easy as updating your DNS records so they can be seen as an authorized sender.
That's nothing. One of the recent CloudFlare outages was because they hosted some essential stuff at Google cloud and that had an outage
From Zeno Rocha, CEO, Resend -
(https://x.com/zenorocha/status/1971260006654742780)I’m interested to see pricing and what the backend dashboards look like for this. I’m currently using PostmarkApp for my transactional emails and they keep bumping the monthly price and my usage is tiny. If I could just pay per email that would be better.
That said, I’m hosted on AWS so maybe I should look into SES as well if I’m going to replace my email sending service.
So will this compete against SendGrid (transactional emails)?
Or is this going after Gmail/M365 (personal inboxes)?
I wonder what the pricing will be. I would love to have it be where X number are free, then each one additionally will be a small price. I hate having to change tiers based on usage. I would have no problem funding an account and using that to pay for the overage.
Cloudflare at some point will basically compete with AWS as the entire infra platform for developers. They are slowly building tools one after another.
I am really excited to follow how their Containers platform matures as it is still too early.
Yup and why their share price has rocketed. Nobody in the CDN industry is making money - a large player went bankrupt recently. You don't want to look at Fastlys financials and share price Cloud is where the money is.
Yup
https://stratechery.com/2021/cloudflares-disruption/
This is good and I am fairly certain email is dead with AI, hopefully soon.
I went from hosting my own pop/imap/smtp email to ignoring it almost completely at work and personal for a variety of reasons.
Text messages and chat or X/message boards are all I use now. I have the same ability to deliver messages, content, forward, save, export, and migrate between platforms. The spam in SMS is tolerable at this point.
I feel like I'm missing something based on some of the comments here. How is this different than from SES? (Why is this controversial?)
A lot of folks find SES or even just the broader AWS experience unpleasant.
Oh sure, a nice emailing experience (compared with SES) seems positive. But there are negative comments like Cloudflare shipping this is net negative, so just trying to understand the context.
The negatives are probably around the fact that Cloudflare is soon to be the master of the web (80/443)
If they launch an email service and are as successful, they could become the master of the email (25/465)
So soon, they'll be the master of the entire Internet
To be clear: I don't share this view, in part because Google and Microsoft already are the masters of the email
Thank you for the context
I would actually use an email service from Cloudflare. That literally means I don't have to rely on anything else to host my apps. Currently I use email forwarding to send emails to a different email address from my custom domain. This would help a lot
How is that a good thing? Are we, as a society, forgetting the value of diversification, or just ignoring it because convenience is good? Do you really want to be just one wrongful ban away from being completely offline?
Cloudflare is the new AWS
I like this version of AWS
Give it time, we always like them in the beginning.
This is exactly the service I was looking for. I am using cloudflare email forwarding but couldn't find anything about how to send form data from webpage to email.
All the email service that I could find has monthly subscription, no pay as you go offer. Hopefully, cloudflare will offer pay as you go.
Is there a way to get priority in waitlist? I don't mind bugs.
As someone not currently using Cloudflare Workers, I'm not sure I want to build a worker and figure out how to interface with it though my existing application just to send email. What happened to SMTP?
REST APIs and SMTP will also be available
Oh cool, somehow missed that. :)
That is exactly a service I was hoping Cloudflare would provide. Simple binding using wrangler is really a life quality upgrade when starting new projects.
Email sending providers have become a bit of a cartel, with prices usually rising overtime. I am expecting much lower prices from cloudflare.
Anybody know if it supports IPv6?
It's always shocking to me how many people blindly sacrifice the principles that make the things their lives depend on actually worthwhile. The internet isn't just a thing that happened, it was developed and rolled out under specific principles and vision, and violating those principles destroys the system.
The internet doesn't work if Matthew Prince gets to act as global gatekeeper, or if CloudFlare gets conscripted as the new PRISM or NSA censorship and surveillance apparatus whether they want it or not. Given the profit incentives and intense pursuit of control, it's apparent (to me, at least) they're positioning themselves to profit off of the next big horsemen of the infocalypse opportunity.
Centralized control and gatekeeping of the internet, private or otherwise, should be shunned. Sacrificing that for walled garden features is despicable.
Don't shit in the village well, even if the guy selling bottled water says he'll get you a great deal. There are better ways of doing things.
Sure, I wouldn’t want the Linux foundation or other pieces of critical FOSS infrastructure to be routed via Cloudflair. But if I am setting up a web shop for somebody they usually care much more about someone at least pretending to be doing something about a ddos they got hit with that the decentralised internet.
To quote Raytheon “Morals are cool but 90k/year sounds a lot cooler”.
In principle I agree, but in practice - what the better ways of doing things, as of now?
Use other services where necessary, and sparingly. Use only what's functionally necessary, and diversify. Encourage your employer or organization to avoid vendor lock. Don't ever meet with salespeople, stay in charge of your websites and infrastructure. Find a highly disagreeable technical engineer to tell you what you can get away with; you probably don't need the scale of the things CloudFlare, AWS, et al impose by default.
AI right now can do all of that for you; pay for the best initially, have it do deep searches that meet what you need, and find appropriate contractors and services. Drop down to the plus tier after you get what you need initially, if the $200+ versions are too steep, but you can absolutely afford one month to plan an overhaul that doesn't empty your wallet.
Mandate open standards and bake in flexibility to your organization; pivot frequently and aggressively away from companies and services that don't meet your principles or standards.
Wherever possible use self hosting, decentralized protocols, open standards, FOSS software, and pay for expertise over the massive overkill "but wait, there's more!" the conglomerators offer. Their economies of scale serve to consolidate unearned and unaccountable power, often in cooperation with very shady players.
Yeah, tragedy of the commons, this is why we can't have nice things, because it's hard, and complex, and actual evil people exist who will absolutely ddos sites and exploit every and any opportunity to grift people out of their money. Cloudflare is a well marketed bundle of solutions for real problems, but it's definitely not the only solution.
It's up to you to what extent you compromise on principles - with AI it's becoming much easier to find acceptable alternatives without having extensive domain expertise. Normal search engines are almost completely captured by SEO and big market players, and we have a window of opportunity to use new AI search to find things that defy the status quo. The window will probably close sometime in the near future, but until then, take full advantage and position yourself to not be subject to companies or industries that shouldn't be taking it upon themselves to gatekeep the internet.
Also, yell at your representatives about getting a digital bill of rights, protecting the open internet, breaking apart monopolies, and cultivating what's best for the internet, and the world.
We have to stop pissing away the good for the convenience of the cheap.
/soapbox
Agreed.
One thing I've grown concerned about, after watching the Twitter migration fizzle out, is we can imitate the old internet on a small scale, but on a large scale it just doesn't work. For Twitter specifically, the outcome was even worse, many users just migrated to other more centralized services or existing monopolies (like Instagram.)
Users are too used to being able to instantly stream 4k HDR 60fps. They are too used to limited amounts of spam. They are too used to having most non-agreeable content filtered. All of this stuff that big tech delivered now is replicate-able at the cost of tens of billions of dollars. The only business model that can pay for that is owning a giant ad platform.
Thinking about all of the issues the EU has had enforcing things like GDPR, which big tech companies largely haven't followed for years or straight up lied to their customers about, along with a possible failure of the DMA now due to tariffs.. and yet on the other side of the Atlantic, the US utterly failed to ban or control Tiktok. Endless announcements of upcoming deals that were either lies (Oracle protecting American's data) or postponements.
Meanwhile, all of the spam, hacking, bots, and DDoS attacks persist and grow, along with layer upon layer of (probably intentionally) poorly written and often conflicting legislation across multiple jurisdictions have truly made it impossible for the internet as it was designed and meant to exist to continue. (Sure you can just set up a basic web forum like you could do 20 years ago, not use Cloudflare, not host it at a major datacenter, and ignore all of the GDPR and age verification laws, but good luck. Hell, it doesn't even sound like it's really legal to run a Mastodon server anymore.)
One small hope is that if internet companies follow any pattern we've seen in other industries, when the growth ends, the managers will switch to tearing the conglomerates apart in to pieces and selling them off. One day CloudFlare might be split in to 30 pieces, along with Alphabet, Meta, and Amazon. But it could be a while.
Ahhhh I've been waiting so long for this. SES is the last thing I have to keep logging into the clumsy AWS UI for
I didn't see any pricing, but it would be amazing if they could get close to SES pricing with like Resend levels of usability.
I hope it doesn't throw you in a mental health crisis when attempting to set it up like AWS SES does.
I've been using email workers for years now. Adding the ability to send emails directly from workers will be amazing!
https://blog.cloudflare.com/sending-email-from-workers-with-...
They had it a few years ago, but the company offering the free integration essentially stopped offering the free part. I'm currently grandfathered in to mail channels.
Fun fact, you can actually use the current send_email binding to send emails to verified emails in your account (but this announcement will make it possible to send emails to everyone)
You can also reply to incoming emails from what I know, you just cannot initiate any email directly to prevent the obvious abuse. I wonder how they plan to mitigate that apart from keeping the pricing sane.
Only a matter of time till Palantir acquires them.
Please tell me this supports some kind of idempotency.. I fear it wont.
The kind of hoops I've had to jump through to achieve DIY idempotency with Postmark would make you cringe, a shared lock to avoid race conditions, and then using the API to check if an email with the unique id (manually added to the metadata when sending) has not already been sent before sending an email.
Being safe in the knowledge that an email with some unique key will only be delivered once regardless of bugs, processes dying mid task, network issues etc. just makes life so much simpler. The risk of sending duplicate emails or at worst spamming your users due to some more nefarious bug is something that you really want to guard against at as low a level as possible. Sure this might not be quite as consequential as duplicate charges through the Stripe API for example (Stripe have always seemed to lead the way with good API design in this regard).. doThing(data) is _not_ good enough for executing tasks over a network that are effectful, have a cost, and potentially risk your reputation if things go wrong. Idempotency keys should far more widely supported!
> Now, sending an email is as easy as adding a binding to a Worker and calling send
I hope it's easier to setup then the current mess of needing to use Wrangler to setup the send_mail binding the CF worker console can't even show in its binding list.
Will be interesting to see how good of a reputation they can keep (IP/sender reputation, specifically) given their historically very libertarian attitude to compliance.
I need to send upto 50k-80k emails per month
JSX email is an improved fork of the (very slow to be updated) react-email code https://jsx.email/docs/quick-start
Finally!
Interesting development. Not really sure I trust Cloudflare on this one, the last time they tried this with "MailChannels" they got a bunch of people to use it and then killed it off a few months later. Still, their blog post was never updated to say the feature was removed: https://blog.cloudflare.com/sending-email-from-workers-with-...
MailChannels is a separate company from Cloudflare. At one point they offered a Workers integration, and Cloudflare blogged about it because we like to encourage such things. Unfortunately MailChannels later decided to discontinue their integration.
The new email product is built and operated by Cloudflare itself.
This is indeed great. I've been using emailjs dot com for low volume sending so far but they connect to your account and send it through there which is obviously problematic.. Will be interesting to see how pricing for low volumes is there. So far, I've found CF to be more than fair, esp. given their potential for abusive pricing.
"Centralizing the decentralized." --(probably) Cloudflare
This sounds amazing… basically everyone in the space is either reselling Sendgrid or AWS SES.
What other "root" email services are there out there? Even Google Cloud doesn't provide one...
Postmark is pretty good as well :)
Mailjet, mailgun, sparkpost and a bunch of others.
Mailjet / Mailgun are one and the same service and since the acquisition, I haven't heard of anyone still happy with them. But yes good point, Mailjet is another one.
Sparkpost to my knowledge is built on SES.
Sparkpost roll their own MTA’s on AWS, they’re not sending via SES.
Google's Mail API for App Engine seems to still be available. I think they don't really want you to use it, but there it is.
I'm currently implementing SES for a new app, but I like the idea of having another option. I wonder what the pricing will be.
Cloudflare's email routing has been abused by malicious users for so long that I can no longer reliably use it with my domain, most times Outlook just blocks Cloudflare IP ranges and emails never get routed to my Outlook mail box.
shut up and take my money!
For fuck sake is nothing sacred anymore
No doubt cloudflare will refuse to receive emails from any mailservers except those that run special cloudflare extensions or whatever. It'll be a whitelist that's mostly corps only. For "security" of course.
And eventually it'll be so popular other mailservers will stop accepting mail from any except cloudflare/ms/apple/etc.
Where are you getting this from?
How cloudflare treats web browsers and their proposals for acting as gatekeeping for allowing websites to be spidered re: AI motivated corporations. Also cloudflare's near weekly proposals of unilateral protocol features that should be IETF'd but instead they just do and make others do because they're gatekeepers and they can. I expect them to keep behaving as they have and so posited likely 'cloudflare'-like actions for their announced attack on email.
I get that most people never feel the discimination and exclusion mediated by cloudflare because most people are just using chrome or whatever standard browser on their phones. But just because one doesn't have the lived experience of discrimination doesn't mean it isn't actively happening to lots of people.
Everyone just forgetting Fastmail exits.
https://www.fastmail.com/
Is Fastmail in any way similar to what is being described here? Fastmail looks like a replacement for Gmail or maybe Gsuite.
Sorry... I though Cloudflare was offering full service email (SMTP/MTA). If it is just SMTP outbound email, then SMTP2Go would be a better alternative.
Fastmail is mentioned on every email provider suggestion thread on HN (Because they are great, happy user!), but they are not a transactional email provider which is what this product is about.
By transactional, do you mean a bulk sender? For that, I recommend SMTP2Go.