Valentyn Boginskey

October 31, 2024

How my email service failed me and why it matters for privacy

I can't send email anymore from my $100/yr email service, Hey.

How did we get here? Well, I use SimpleLogin to avoid giving out my real email address and cut down on unwanted email. If you're not familiar with the service, here's how it works: senders email you at anything@your-domain.com. Your actual mailbox receives a message from sender_at_their_domain_com_nonce@simplelogin.co. You simply reply to this alias, SimpleLogin validates that the reply comes from your real email address, and the sender receives a reply from the original address as they would expect.

Recently, Hey made a change that breaks this validation because my Hey emails no longer come from me!

This deserves a little bit of an explanation. The From address that shows up in most email clients is a header inside the message itself: it is transmitted after the DATA command, and the sender can set it to whatever they want. The "real" sender address, also known as the envelope sender (the address a receiving server records in Return-Path and sends bounces to), is given by the sending mail server with the MAIL FROM command. This short SMTP conversation illustrates the difference:

[Figure: smtp-conversation.png, a short SMTP session in which the MAIL FROM envelope sender and the From header differ]

Note that MAIL FROM and From don't have to match.

So what happened? Well, unbeknownst to its customers, Hey started inserting metadata into the envelope sender address, so my outgoing mail now carries an envelope sender of the form me+entry--timestamp=hex@hey.com. When I email a SimpleLogin alias, the reply is rejected, because SimpleLogin compares the envelope sender against my registered address and me+entry--timestamp=hex@hey.com does not match me@hey.com.
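To make the envelope-versus-header distinction and the validation problem concrete, here is an added example (mine, not code from the post, from Hey, or from SimpleLogin). It parses the client side of a constructed SMTP session whose MAIL FROM carries a Hey-style plus-tagged address while the From header is the plain mailbox, then applies three acceptance policies to it: exact envelope match (the check the post describes SimpleLogin as performing), domain-only match and header-From match (the two alternatives Hey support proposed). The timestamp and hex value in the tagged address, the example.org host and the policy functions are all assumptions for illustration, not SimpleLogin's implementation.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed client side of an SMTP session (not a real capture). The
# envelope sender in MAIL FROM carries a plus-tag of the kind described
# above (timestamp and hex value made up), while the From header inside
# DATA is the plain mailbox address.
HEY_SESSION = """\
EHLO mail.example.org
MAIL FROM:<me+entry--1730000000=0badf00d@hey.com>
RCPT TO:<sender_at_their_domain_com_nonce@simplelogin.co>
DATA
From: Valentyn <me@hey.com>
To: sender_at_their_domain_com_nonce@simplelogin.co
Subject: Re: hello

Replying through my alias.
..this line started with a dot and was dot-stuffed by the client
.
QUIT
"""

# Constructed second session: another customer on the same provider sends
# the identical message, forged From header included, from their own address.
IMPOSTOR_SESSION = HEY_SESSION.replace(
    "MAIL FROM:<me+entry--1730000000=0badf00d@hey.com>",
    "MAIL FROM:<someone-else@hey.com>",
)

MAILBOX = "me@hey.com"  # the address registered with the alias service


def parse_session(session: str) -> dict:
    """Split the client side of an SMTP session into envelope and message.

    MAIL FROM / RCPT TO are the envelope, chosen by the sending server.
    Everything between DATA and the lone "." is the RFC 5322 message,
    From header included, and the client controls every byte of it.
    """
    envelope_sender = None
    recipients = []
    data_lines = []
    in_data = False
    for line in session.splitlines():
        if in_data:
            if line == ".":
                in_data = False
            else:
                # Undo SMTP dot-stuffing: a message line that begins with
                # "." is transmitted with an extra leading ".".
                data_lines.append(line[1:] if line.startswith("..") else line)
            continue
        if m := re.match(r"MAIL FROM:<([^>]*)>", line, re.IGNORECASE):
            envelope_sender = m.group(1)
        elif m := re.match(r"RCPT TO:<([^>]*)>", line, re.IGNORECASE):
            recipients.append(m.group(1))
        elif line.upper() == "DATA":
            in_data = True
    msg = message_from_string("\n".join(data_lines))
    return {
        "envelope_sender": envelope_sender,
        "recipients": recipients,
        "header_from": parseaddr(msg.get("From", ""))[1],
        "body": msg.get_payload(),
    }


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


# Three ways a reverse-alias service could decide whether a reply really
# comes from the mailbox owner. These are illustrative policies, not
# SimpleLogin's code.
def exact_envelope_match(parsed: dict, mailbox: str) -> bool:
    """Accept only if the envelope sender is exactly the registered mailbox."""
    return parsed["envelope_sender"].lower() == mailbox.lower()


def envelope_domain_match(parsed: dict, mailbox: str) -> bool:
    """Accept if the envelope sender merely shares the mailbox's domain."""
    return domain_of(parsed["envelope_sender"]) == domain_of(mailbox)


def header_from_match(parsed: dict, mailbox: str) -> bool:
    """Accept based on the From header, which any sender can write freely."""
    return parsed["header_from"].lower() == mailbox.lower()


def evaluate(session: str, mailbox: str = MAILBOX) -> dict:
    """Run all three policies over one session and report each verdict."""
    parsed = parse_session(session)
    return {
        "exact_envelope": exact_envelope_match(parsed, mailbox),
        "envelope_domain": envelope_domain_match(parsed, mailbox),
        "header_from": header_from_match(parsed, mailbox),
    }


if __name__ == "__main__":
    for name, session in (("owner via Hey", HEY_SESSION), ("impostor", IMPOSTOR_SESSION)):
        p = parse_session(session)
        print(f"{name}: MAIL FROM=<{p['envelope_sender']}> From={p['header_from']}")
        print("   ", evaluate(session))
```

Running it shows the whole dilemma in two lines of output: the genuine owner's tagged envelope sender fails the exact check (that is the breakage), while the only policies that would let it through, domain-only and header-From, also accept the impostor, since both the hey.com domain and the forged From header are available to anyone else on the same provider.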

The rest of this saga is a tale as old as time. I reached out to Hey support, who promptly told me that SimpleLogin should just validate the From address (wrong: the From header is whatever the sender writes, so trusting it would let anyone forge a reply) and that they only need to validate the domain part anyway (wrong again: that would let any other hey.com customer reply through my aliases). After clarifying, I heard that, well, this is something they - and by extension I - will just have to accommodate. Never mind that I can't send email anymore with my expensive email subscription.

I wish I could tell you that this story has a happy ending. Most likely I, and every other SimpleLogin + Hey user, will be lucky to get a prorated refund for the trouble of painstakingly migrating all of our email elsewhere. We as users get to choose between entirely unappealing alternatives: contending with a deluge of spam if we give out our real email addresses, dealing with the insanity of maintaining our own mail servers (good luck building a reputation!), or having the tech companies we entrust to take care of this for us break our workflows at a whim.

Call me an idealist, but I tried to explain this to Hey in the following message:

The internet as a whole only functions because a number of companies and organizations have agreed to a common standard of interoperability. This makes progress slower and harder for everyone, but it ensures that people like you and me can use whatever software and hardware we wish to and still connect to the open web.

What's happened here - and I can't reiterate this enough - is that Hey made a unilateral decision to do something custom and unexpected in email, a technology that's been around for 40 years. This has broken interoperability with another email service that people actually use. And instead of doing the hard thing and figuring out how to meet Hey's engineering objectives while maintaining interoperability, Hey is just throwing the responsibility over the fence.

This is not a bug or a small inconvenience. I am literally unable to send any outgoing email, because I use SimpleLogin for everything.

I implore you to reconsider. This change is not something that "perhaps other providers can accommodate". This is something that Hey needs to do better. If Linus can do it, so can you.

I'll update this post if I ever hear back.