As someone who works in this space. A large org like Google often separates the feature work and counter abuse teams. The org structure leads to unintended feature consequences. It sucks when your trying to provide value to people and it's taken advantage of by bad actors.
cube00 4 days ago [-]
You know it makes sense, so get that Google passkey set up now.
Unfortunately you'll be guided to storing those in your Google account too, so your everyday user will still get locked out, in some ways it's worse because a lot of sites will only accept a "recovery key", email confirmation is no longer enough (not that it matters if your GMail is also locked out)
jesseendahl 4 days ago [-]
People should be setting up Recovery Contacts so that they have a way of getting back into their Google account even if they lose all credentials (passwords and/or passkeys) and all their devices.
I hope Google starts to push all users to setup Recovery Contacts. It would greatly reduce the likelihood of lockouts, whether using passkeys or not.
4 days ago [-]
tguvot 4 days ago [-]
i don't really use gmail (i self host for more than 25 years), but I do have few throw away gmail accounts that I registered way back when gmail started. they all have recovery contacts/emails configured.
a few years ago gmail stopped letting me login. password was ok. it was saying something about my login been suspicious or something and that it will send me code to recovery email. i was getting code on recovery email, entering it and getting back message saying "we still not sure that everything is ok, try again later".
it took 6 months before i was able to login to account.
bickfordb 4 days ago [-]
I think the larger question is why are we all (or most of us?) still using Gmail? Why can't an average person host their own email server with open source software with straightforward security upgrades instead of trusting BigCo or the latest SmallCo?
gruez 4 days ago [-]
>Why can't an average person host their own email server with open source software with straightforward security upgrades instead of trusting BigCo or the latest SmallCo?
The average person isn't qualified to administer a server and would rather pay $1/month or whatever for a hosted solution.
politelemon 4 days ago [-]
The average person would prefer not to pay at all. Hence free email providers will always exist in some form.
pa7ch 4 days ago [-]
I think its fundamentally more difficult to host communications services where spam is possible and there is no auth/contact system in place before first communication can happen.
bickfordb 4 days ago [-]
I'm not an expert in this area but from what I understand what was once novel content spam filtering is not at all novel now, there are easily trainable model strategies (BERT?) that get you to 99%.
A whitelist, auth/contact is ideal for messaging without spam and is more workable with a large federated group that can adopt an evolving open source protocol.
jbaber 4 days ago [-]
I'm an average person who uses fastmail with a custom domain with a separate registrar. Fastmail does all the right DKIM, DMARC, etc. magic.
And still my mail sometimes goes to spam essentially because it's not "@gmail.com" This is a really real problem that will never go away because everyone in a position to do something about it being so monopolistic cannot understand it.
doubled112 4 days ago [-]
Do you mean average person around here? Or average person in general?
Too many unknowns and moving parts.
Have you ever worked with the general public and computers?
The average person was wondering why their wireless router needed cables. They did not update their computers for the entire time they owned them. Somebody else ignores big red text saying this will delete everything and hits next anyway, then wonders where their photo collection has gone.
I cannot believe the average person would be capable of registering a domain and configuring their DNS to point at this simple mail server they’re running.
If somebody else is taking care of all of these parts, I am not sure they’re really hosting it themselves.
Maybe we need a new protocol and we can replace all of this? How do we get everybody on board?
rolandog 4 days ago [-]
Especially with all the codified footguns (or the "Tyranny of the Default" — as Steve Gibson would put it) where a lot of critical apps ship with very insecure defaults, and even a seasoned Dev that's an expert on one domain doesn't have time to muddle through the whole of man pages + mail archives + stack overflow threads for every option.
sys_64738 4 days ago [-]
Most folk don't know how or don't want to. A mail server is mundane to admin and most folk probably have higher priority things in their lives going on.
Larrikin 4 days ago [-]
Is there a self hosted solution that will allow me to back up all my Gmail emails including attachments? Something like paperless but for my old emails.
The constant pestering by Google to buy storage space has started pushing me to deleting everything more then a few years old as a stepping stone to leaving Gmail completely.
tguvot 4 days ago [-]
whatever tools that can do imap sync/download and support whatever authentication that google fancies now
gmerc 4 days ago [-]
Synology can
phainopepla2 4 days ago [-]
> Ten years old being younger than the account had actually existed for, it is 12 years old apparently, might, you would have hoped, set off some Google alarm bells in these days of advanced AI protections, but no.
Good god what happened to editors?
Arrowmaster 4 days ago [-]
This is on forbes.com/sites/, I'm pretty sure anyone can pay to post on it now.
StopDisinfo910 4 days ago [-]
What's your issue with this sentence specifically?
It looks perfectly fine and understandable to me. I guess you don't like the parenthetical sentence between commas. Imagine it is behind em-dash and everything should be fine.
anon7000 4 days ago [-]
It is pretty hard to grasp on first ready without stumbling through the phrasing. Especially the first part: “Ten years old being younger than the account had actually existed for might have” is extremely clunky. For one, you can just delete the end of it: “The user being younger than the account might have…”. Plus the subject & predicate get a bit confused, and you loose track of the point
Maybe this “You’d hope Google would notice the account was older than the user, especially with today’s advanced AI protections, but no”
Or even clearer: “You’d think Google, with all its advanced AI tooling, would notice the account was created before its creator was born (4 years earlier, apparently), but no”
StopDisinfo910 4 days ago [-]
It's "might set off" not "might have". I don't mind the addition of complements between subject and verb. I view it as a stylistic choice especially when sentences remain that short.
I know English reader hates it when the verb is too far from subject however. Clearly, this one could be improved but I think calling it a failure of editorial standard is over harsh.
stefanfisk 4 days ago [-]
My morning brain really couldn’t parse it until I read your breakdown.
romanregin402 2 days ago [-]
[dead]
mr_windfrog 4 days ago [-]
I think the biggest question is why most people are still using third-party email services like Gmail or Hotmail.
Why not register your own domain and use an email on that domain?
Nowadays, registering a domain is almost free, and you can fully customize your email addresses.
wakawaka28 4 days ago [-]
Technically having your own domains is superior, but it can be difficult to get past spam filters if you have your own domain. Not least because Google and Microsoft often automatically trash anything from custom domains. If you're ok with the delivery issues that can come with this setup, it's better. But personally I get really pissed off when my mail does not get delivered for any recipient.
mr_windfrog 4 days ago [-]
You're absolutely right, ending up in spam is a real pain. I've run into the same issue myself with custom domains; even when everything is set up correctly, delivery can still be unreliable.
tatersolid 2 days ago [-]
This is more about reputation than “custom domains”. I’ve had <realname>.com registered since 1996. Hosted at free Google Workspace account for 15+ years. They added SPF and then DKIM/DMARC as those thigs evolved. Never had spam reports in all that time; delivery is better than $dayjob’s 30-year-old domain.
Reputation is everything in email delivery.
wakawaka28 2 days ago [-]
I set all that stuff up for mine, and used a reputable mail server (FastMail), and even went through steps particular to Microsoft and Google. Google started accepting my emails, but my employer's Microsoft Exchange system kept sending my stuff to spam. How many other people would just not receive my stuff? It's impossible for me to know. If you want to reach out to strangers, any false positives will hurt you.
tatersolid 2 days ago [-]
That might be from a Microsoft feature to prevent phishing that blocks display name spoofing. I get hit with that when I email from my personal to work email… the display name portion of the FROM address matches my work so it trips this filter.
Obviously they can only do this for unique-enough names and so this filtering could never work for “Joe Miller” but it does stop the dozens of phishes we see per day that are FROM our CEO’s first and last name but with a Gmail email address.
wakawaka28 2 days ago [-]
I don't think it's anti-phishing. If it is, then it's a broken rule. I have registered FastMail as my mail server properly with my DNS (MX record, I think) and also done the other authentication stuff. This is not a case of merely setting the FROM field, as many people do. You can set the FROM field of a message to anything if your mail server allows this. The receiver might reject this, but it is/was a common way to configure your mail client in the past because of stuff like email forwarding. Lots of people use 3rd party mail providers whose servers are not under the same domain as the mail being served. I think most people with custom domains do not run their own mail servers, and thus point their MX entries at a 3rd party mail provider just like I do.
I don't know why this stuff would be rejected. I went through several debugging steps online and didn't get anywhere with it. Every tool said I had set it up correctly.
emeril 4 days ago [-]
as someone who did that a long time ago - I largely regret it
granted, it gives me an out if my provider revokes my access (in this case, google) but the custom domain requires some headache to manage well - I wish I had just used a google account...
mr_windfrog 4 days ago [-]
I hear you, makes sense. I've also struggled a bit with managing custom domains.
cr125rider 4 days ago [-]
1) it costs more than nothing
2) the technical expertise to do that is way outside of most people
Who do you use as a mail host with your custom domain? A third party?
mr_windfrog 4 days ago [-]
I see, you're right.
Rendered at 11:06:57 GMT+0000 (Coordinated Universal Time) with Vercel.
Unfortunately you'll be guided to storing those in your Google account too, so your everyday user will still get locked out, in some ways it's worse because a lot of sites will only accept a "recovery key", email confirmation is no longer enough (not that it matters if your GMail is also locked out)
https://blog.google/technology/safety-security/recovery-cont...
I hope Google starts to push all users to setup Recovery Contacts. It would greatly reduce the likelihood of lockouts, whether using passkeys or not.
a few years ago gmail stopped letting me login. password was ok. it was saying something about my login been suspicious or something and that it will send me code to recovery email. i was getting code on recovery email, entering it and getting back message saying "we still not sure that everything is ok, try again later".
it took 6 months before i was able to login to account.
The average person isn't qualified to administer a server and would rather pay $1/month or whatever for a hosted solution.
A whitelist, auth/contact is ideal for messaging without spam and is more workable with a large federated group that can adopt an evolving open source protocol.
And still my mail sometimes goes to spam essentially because it's not "@gmail.com" This is a really real problem that will never go away because everyone in a position to do something about it being so monopolistic cannot understand it.
Too many unknowns and moving parts.
Have you ever worked with the general public and computers?
The average person was wondering why their wireless router needed cables. They did not update their computers for the entire time they owned them. Somebody else ignores big red text saying this will delete everything and hits next anyway, then wonders where their photo collection has gone.
I cannot believe the average person would be capable of registering a domain and configuring their DNS to point at this simple mail server they’re running.
If somebody else is taking care of all of these parts, I am not sure they’re really hosting it themselves.
Maybe we need a new protocol and we can replace all of this? How do we get everybody on board?
The constant pestering by Google to buy storage space has started pushing me to deleting everything more then a few years old as a stepping stone to leaving Gmail completely.
Good god what happened to editors?
It looks perfectly fine and understandable to me. I guess you don't like the parenthetical sentence between commas. Imagine it is behind em-dash and everything should be fine.
Maybe this “You’d hope Google would notice the account was older than the user, especially with today’s advanced AI protections, but no”
Or even clearer: “You’d think Google, with all its advanced AI tooling, would notice the account was created before its creator was born (4 years earlier, apparently), but no”
I know English reader hates it when the verb is too far from subject however. Clearly, this one could be improved but I think calling it a failure of editorial standard is over harsh.
Why not register your own domain and use an email on that domain?
Nowadays, registering a domain is almost free, and you can fully customize your email addresses.
Reputation is everything in email delivery.
Obviously they can only do this for unique-enough names and so this filtering could never work for “Joe Miller” but it does stop the dozens of phishes we see per day that are FROM our CEO’s first and last name but with a Gmail email address.
I don't know why this stuff would be rejected. I went through several debugging steps online and didn't get anywhere with it. Every tool said I had set it up correctly.
granted, it gives me an out if my provider revokes my access (in this case, google) but the custom domain requires some headache to manage well - I wish I had just used a google account...
Who do you use as a mail host with your custom domain? A third party?