Meekro 9 hours ago

I'm not sure why this announcement has generated so much irritation in the comments-- Cloudflare has been transitioning from "DDoS protection" to "AWS competitor" for many years now, and this is just their alternative to AWS SES.

It's an email sender that you can access through an API, or directly through Workers. For those who haven't been keeping up over the years, Workers is their product for running code on Cloudflare's platform directly (an AWS Lambda competitor, more or less) and they've been trying to make it the centerpiece of an ecosystem where you deploy your code to their platform and get access to a variety of tools: databases, storage, streaming, AI, and now email sending. All of this is stuff that AWS has had for years, but some people like Cloudflare more (I certainly do).

One thing that surprised me is the price-- Cloudflare's cloud offerings are usually much cheaper, and I've saved plenty of money by migrating from AWS S3 to Cloudflare's R2. This new offering is 3x the AWS price, though. Weird. Anyway, most small companies don't send enough email for it to matter.

But getting back to the consensus in the comments here: I'm not sure why people think that they'll be worse about policing spam than AWS SES, Azure Email, etc.

embedding-shape 9 hours ago | parent | next [-]

> But getting back to the consensus in the comments here: I'm not sure why people think that they'll be worse about policing spam than AWS SES, Azure Email, etc.

Cloudflare is (in)famous for not acting against spammers, fraud, piracy and other less savory groups that are hosting their stuff at/behind Cloudflare, so reasonably, people who've been affected by that are now afraid the same thing will happen with email.

ttul 9 hours ago | parent | next [-]

When it comes to email delivery, you can't ignore spam. It's the bane of existence of every email sending service and the number one business challenge in that segment. After all, orchestrating delivery over SMTP is not rocket science. But getting that email to not be rejected totally IS rocket science and it's simultaneously an art form known only to a handful of email nerds working at the core of the big email sending services...

embedding-shape 9 hours ago | parent [-]

Ok, but what about as a CDN/website-proxy/WAF? I know we don't have the same automated reputation-propagation as with email, but the same thing supposedly happens there, where eventually you get turned off if you don't act on lawful requests, which is exactly why Cloudflare is unavailable in Spain during La Liga matches, because Cloudflare doesn't take piracy streams down.

In theory, Cloudflare should take those down, when requested by legal means, but that doesn't matter. How sure are we that they'll act differently for email, instead of trying to get rid of the reputation system instead?

> getting that email to not be rejected totally IS rocket science and it's simultaneously an art form known only to a handful of email nerds working at the core of the big email sending services

It really isn't, you need a clean IP and a clean domain, send a handful of emails and you're pretty much whitelisted on most services out there. Maybe you'd say I'm one of the handful, but I personally know more than a handful of others who also run their own email services, just like me, and besides the usual hassle of running your own service, as long as you don't spam, your emails will arrive as usual.

ttul 8 hours ago | parent | next [-]

I run an email sending service at scale (billions of messages per month, tens of millions of end users, thousands of customers). Most of our software development and operational effort revolves around abuse mitigation. That has been the case for 15 years. It's a cat-and-mouse game with two different mice: the senders, who are constantly trying to figure out how to get you to deliver their garbage; and the receivers, who are constantly trying to figure out how to block it. We're stuck in the middle.

It's hard to appreciate how difficult this battle is when running at scale.

embedding-shape 5 hours ago | parent | next [-]

Right, I won't disagree with any of that, but I'm not sure how it's related to what I wrote either. Maybe I should have been more specific that I'm talking about hosting your own email, not hosting emails for others, which brings out a lot of other types of problems.

ttul 3 hours ago | parent [-]

Apologies. When you said "email services" I thought you were implying "email services for use by others". Yeah, you can definitely run your own mail server in 2026 and I think the internet community should always strongly endorse being able to do so. Unfortunately, large email receivers have to make do with imperfect signals when making filtering decisions, and your traffic from a lonely IP that happens to have a bad neighbour might get blocked as collateral damage.

One long term hope: That domain name reputation eventually overtakes IP address reputation entirely.

i_think_so an hour ago | parent | prev | next [-]

> I run an email sending service at scale (billions of messages per month, tens of millions of end users, thousands of customers).

Giving you the benefit of the doubt and accepting your claim, doesn't that make you one of the people at least second-order responsible for the current state of affairs in email blocking? It would seem that your company, by dint of your volume, navigates roadblocks that the rest of us (i.e. the 99.999% of Internet email servers and their admins), who aren't FAANG et al[1], have to deal with to get our users' legitimate email delivered.

If so, could you perhaps give us a brief explanation as to why an otherwise competent engineer can "follow all the best practices" with their server which has no known compromises[2], on an IP address they have controlled for, oh, let's say a full calendar year, and yet still can't get off those FAANG et al default-deny blocklists, but you can?[3]

A cynic might say that your service had a vested interest in paying for unimpeded access to those FAANG et al companies to get over the bar that the rest of us are unable to vault. A cynic might also say that those biggest of the big email services like it that way, because it drives more users to them at the expense of the rest of us 99.999%.

I'll try to remain open to the possibility that there are aspects of the industry I've not yet had any exposure to, and refrain from chimping out over having my users blocked through no fault of their own.

[1] Yes, I know, Facebook doesn't receive anywhere near as much email as they send, and Hotmail = Microsoft, etc. If I used an accurate acronym I could pat myself on the back for being Technically Correct, while nobody would know what the heck I was talking about.

[2] We shan't digress into a discussion of hardware/firmware/OS/application backdoors nor Snowden disclosures. It's not that hard to auto-install security updates and run a reasonably tight ship with no unnecessary attack surfaces.

[3] Or perhaps there aren't any default-deny blocklists at all, but in fact only much smaller default-allow whitelists? That would be cynical indeed.

pbronez 8 hours ago | parent | prev [-]

What structural changes could we make to improve the situation?

ttul 4 hours ago | parent | next [-]

That is such a great question and there is no easy answer. There have been enormous efforts to do better for at least the last 20 years. An entire organization, M3AAWG, was founded for that reason and it meets three times a year, bringing together all the people that matter for making the situation better. It's a great organization and the people are all really smart and awesome. The IETF is no slouch either, coming up with excellent new standards and improving existing ones, such as the recent update to DKIM.

That's about as good of an answer as I can provide: keep sending smart people to the conferences!

edoceo 7 hours ago | parent | prev | next [-]

Signed senders?

b112 7 hours ago | parent | prev | next [-]

It's simple, there's a standard, a new one, which takes into account SPF, DKIM, DMARC, ARC, and even DANE along with upcoming and proposed SPKF, DKIM+, DMARC2, and ARCv4. It should fix just about everything.

brightball 3 hours ago | parent [-]

Obligatory https://xkcd.com/927/

jgalt212 7 hours ago | parent | prev [-]

Hashcash, or BTC.

ttul 3 hours ago | parent [-]

I always loved the hashcash concept and actually raised our original funding because of it (our Microsoft angels loved the idea of making spamming more expensive, and our Series A concept was tar-pitting to dissuade botnets). In the context of email sending services, we have a modern version of hashcash that we might at some point turn to. If someone can figure out how to tokenize sending at scale, then senders could pay recipients to open their emails by attaching a "tip" to each message.

If even a small fraction of legitimate email recipients altered their mail client settings to route "tipped" messages to their inbox, that would probably suffice to get senders to participate in the scheme. Senders are starved for high quality engagement data. Meanwhile, anything we can do to make spam less likely - on a relative scale - to reach the inbox in comparison to "legitimate" traffic, is a win.

pocksuppet 8 hours ago | parent | prev [-]

Cloudflare acts on lawful requests during LaLiga matches. The problem is that the Spanish government doesn't want to bother doing things the lawful way because that takes too long. They want piracy to magically disappear and they'll randomly shut down more parts of the internet until it does. Actual illegal sports streams are not impacted by Cloudflare being down, and Cloudflare is not the only impacted network.

embedding-shape 5 hours ago | parent [-]

> problem is that the Spanish government doesn't want to bother doing things the lawful way because that takes too long

In Spain, what they are doing, is the "lawful way", it's literally happening via the courts and judges. Do you think ISPs are blocking Cloudflare specifically just for fun, out of their own accord?

> Actual illegal sports streams are not impacted by Cloudflare being down, and Cloudflare is not the only impacted network.

Some are, many aren't. Cloudflare is indeed the only impacted network, at least for me. Which other networks are being blocked for you during the La Liga matches?

Dylan16807 4 hours ago | parent [-]

The specific blocks don't go through courts and judges.

embedding-shape 3 hours ago | parent [-]

Yes, the specific block of blocking Cloudflare in Spain during La Liga matches literally has gone through a court and been ordered by a judge, I'm not sure how you could have missed this. Judges have also dismissed the requests from Cloudflare and others to remove the "dynamic block" as there is collateral damage.

Dylan16807 3 hours ago | parent [-]

My understanding was that cloudflare was being blocked by the same IP blocking list as everything else. And while that system went through courts, the list didn't.

There are also direct actions against cloudflare, but that's not what's taking everything down, is it?

Did I misunderstand something?

embedding-shape 2 hours ago | parent [-]

The sites are directed to be blocked by IP and DNS, this is the list I suppose you're talking about, I'm not sure of any specific "system vs list" distinction. Since some of the sites are behind Cloudflare, some of the IPs are IPs used by Cloudflare for any customer, not just the streams, so then Cloudflare gets blocked wholesale, the collateral damage that we get to joyfully experience every game.

Remains to be seen if the block will remain in place or not, you could argue it goes against some other laws, but it has to be argued legally, just like how the block initially happened because La Liga went through the courts. So far us developers or people who visit more American websites tend to be hit the worst, since they're talking about "protecting" other matches too, in other sports, I'm guessing it'll get worse before it gets better.

thomas_gauvin 9 hours ago | parent | prev [-]

Blog author chiming in here:

We have reserved IPs for Email Service and will be protecting the reputation and fighting spam from originating on Email Service.

If we did not do so, our IPs would get flagged and then emails end up in spam or not delivered. That defeats the purpose of having a transactional Email Service. We're well aware of this.

embedding-shape 9 hours ago | parent | next [-]

Will you also do this for other spammers using Cloudflare infrastructure, or just specifically for this email product?

> For years, Spamhaus has observed abusive activity facilitated by Cloudflare’s various services. Cybercriminals have been exploiting these legitimate services to mask activities and enhance their malicious operations, a tactic referred to as living off trusted services (LOTS) [2].

> With 1201 unresolved Spamhaus Blocklist (SBL) listings [3], it is clear that the state of affairs at Cloudflare’s Connectivity Cloud looks less than optimal from an abuse-handling perspective. 10.05% of all domains listed on Spamhaus’s Domain Blocklist (DBL), which indicates signs of spam or malicious activity, are on Cloudflare nameservers

https://www.spamhaus.org/resource-hub/service-providers/too-...

Meekro 8 hours ago | parent | prev | next [-]

I would note that Cloudflare has been doing better-- the SBL listings page mentioned in that article[1] shows only 47 active complaints, down from 1201 when the article was written 2 years ago. Many of those complaints are stale, too: I spot-checked a few (referencing the domains fireplacecoffee.com and expansionus.com) and the domains are expired and not being hosted by anyone.

[1] https://check.spamhaus.org/sbl/listings/cloudflare.com/

computershit an hour ago | parent | prev [-]

> 10.05% of all domains listed on Spamhaus’s Domain Blocklist...are on Cloudflare nameservers

Not defending spammers, but this comes across a smidge naive considering Cloudflare's overall footprint in the modern internet.

Bender 8 hours ago | parent | prev | next [-]

As someone that has managed very large outbound transactional email environments, email campaign platforms and some corporate email I just wanted to wish Cloudflare the best of luck on this endeavor. This is an entirely different animal from anything related to a CDN. Stay vigilant and don't let the cute and fuzzy bunnies ruin it for everyone else. They are evil and mischievous and will do whatever they technically can do.

creatonez 4 hours ago | parent | prev | next [-]

Agent-produced emails are by definition spam. Everyone should be reacting to this news by immediately blocking your service.

ttul 3 hours ago | parent [-]

Recent outreach after creating an AgentMail account:

"Thanks for being a user of AgentMail - a lot of people use AgentMail for outbound (spin up and warm up inboxes, send sequences, handle replies), ..."

Yes, that's right. The first use case mentioned is to send automated outbound emails. "Cold prospecting" workflows are likely going to be a big slice of usage on the new Cloudflare service, as it seems to be on AgentMail.

ttul 3 hours ago | parent | prev | next [-]

If you take the approach of policing individual sender accounts with a strict anti-abuse policy, you have a chance of succeeding. I'm sure you have already discovered that the moment you allow anyone to sign up for an email sending account, the worst of the worst actors immediately take up the opportunity to do so! Cloudflare has a massive amount of data about web traffic and I would hope that this data can be recycled into effective threat detection and control. No doubt you already know this and have people working on it. Good luck!

chinathrow 6 hours ago | parent | prev | next [-]

> We're well aware of this.

Then how about not marketing it as "for agents" when said agents are just LLM output?

themafia 5 hours ago | parent | prev | next [-]

So what are the thresholds?

For example with SES I will get automatically suspended if my bounce rate is more than 10% or if my complaint rate is more than 0.1%.

wang_li 8 hours ago | parent | prev [-]

I think you should put your money where your mouth is. For each spam message sent to a recipient server, you send $1000 to the recipient.

i_think_so an hour ago | parent [-]

Make that penalty $1 per (so the discussion can be taken seriously) and I will not only support your proposal, I'll volunteer my time and effort in encouraging Congresscritters to vote for it.

There are serious financial penalties for robocallers who violate the Do Not Call list (in America, at least). Let's update those laws for the 21st century, shall we?

sixhobbits 9 hours ago | parent | prev | next [-]

I'm not sure if it's a correct impression but my impression is still that AWS is the "devil you know" and Cloudflare is less predictable with more individual decision making from high ups.

I guess they got that reputation years ago when the founders (?) got into public spats about what they would and wouldn't host. AWS is more lawyers and committees and seems more anonymous, so people don't necessarily like it more but they do trust it to be what it looks like more.

Probably just a function of time and size.

pocksuppet 8 hours ago | parent [-]

Cloudflare will predictably shut down your account until you pay $150k. They will not transfer out any of your domains or files - they will be inaccessible until you pay $150k.

b2m9 8 hours ago | parent [-]

Excuse me, what are you referring to?

foolswisdom 7 hours ago | parent | next [-]

There have been stories about people with heavy internet traffic (generally media streaming I think) being more or less shut down unless they upgrade their cloudflare plan (to enterprise I guess). Some were posted on HN in the past.

NoahZuniga 6 hours ago | parent [-]

And a gambling site

navigate8310 8 hours ago | parent | prev | next [-]

I've used their email relay services to forward it to my Microsoft account, every forward is rejected by Microsoft due to spam generated by Cloudflare. So I don't have much faith at least in their email services.

tracker1 7 hours ago | parent | next [-]

Of all email services, delivery to MS hosted systems is absolutely the worst to deal with. It's completely opaque and almost impossible to resolve most of the time. They tend to direct you to paid channels to try to mitigate issues instead of actually responding to complaints for false positive flagging as spam.

For my small, personal email server, I just gave up on trying... I can deliver to Gmail and every other major email provider without issue, and even MS seems to be split into a couple different backing orgs.

magguzu 4 hours ago | parent | prev [-]

This isn't unique to Cloudflare. Microsoft email spam filter absolutely sucks. I hit it a lot too from my small provider.

tentacleuno 42 minutes ago | parent [-]

I recall them actually marking Microsoft emails as spam. Not sure if that's even changed.

jiveturkey 41 minutes ago | parent | prev | next [-]

> One thing that surprised me is the [high] price [vs SES for example]

Not sure if you read the announcement closely:

> Sending email that actually reaches inboxes usually means wrestling with SPF, DKIM, and DMARC records. When you add your domain to Email Service, we configure all of it automatically. Your emails are authenticated and delivered, not flagged as spam.

This service is batteries included. SES is not.

Onavo 9 hours ago | parent | prev | next [-]

> Cloudflare's cloud offerings are usually much cheaper, and I've saved plenty of money by migrating from AWS S3 to Cloudflare's R2. This new offering is 3x the AWS price, though. Weird. Anyway, most small companies don't send enough email for it to matter.

For certain types of marketing and transactional emails, it's cheaper I think. AWS SES pricing doesn't include attachments. If you assume a maxed out 25MB email attachment body, I think the price comes out to be mostly similar, amortized at least.

But if you are sending basic text/mostly text transactional emails for stuff like password resets, then SES comes out ahead for sure.

EGreg 6 hours ago | parent | prev | next [-]

Can Cloudflare do an SMS service? That would be something :)

ignoramous 2 hours ago | parent | prev | next [-]

> One thing that surprised me is the price-- Cloudflare's cloud offerings are usually much cheaper ... This new offering is 3x the AWS price, though. Weird.

c. 2022 I used Cloudflare's free email sending service (via MailChannels) [0] until it was sunset in Aug 2024 [1].

[0] https://blog.cloudflare.com/sending-email-from-workers-with-...

[1] https://support.mailchannels.com/hc/en-us/articles/456589835... / https://archive.vn/xNLzv

Joel_Mckay 9 hours ago | parent | prev | next [-]

Almost every SaaS (Spam as a Service) API ends up arguing its minority of legitimate users are a justified excuse for the majority of nuisance traffic.

Most cloud IP blocks already have very poor reputations, and/or are already on Spamhaus blacklists.

People have a right to choose to be upset. =3

Meekro 9 hours ago | parent [-]

My experience has been the opposite of what you're saying: AWS SES (one of AWS's flagship products, and probably the biggest email sender in the world) is a pretty responsible anti-spam citizen. Spamhaus even wrote this article[1] praising SES's anti-spam efforts. From the article: "Amazon SES has a long-standing relationship with Spamhaus, working closely to prevent suspicious IPs and domains from impacting their network." Though I'm sure that new incidents come up daily, Spamhaus themselves seem to disagree with the notion that SES's IP blocks have "poor reputations."

[1] https://www.spamhaus.org/resource-hub/service-providers/how-...

Joel_Mckay 8 hours ago | parent [-]

Whatever IP people temporarily host on a cloud incurs the prior user's reputation.

Again, using legitimate traffic to shim network spam is a common counterargument against black listing.

Of the approximately 274000 banned hosts I stare at... many nuisances are from Amazon, Azure, DigitalOcean, and Hetzner. I am sure Maildrill or Mailchimp does have legitimate use cases, but generally the majority of the traffic suggests otherwise. I am certainly biased in this opinion. =3

tracker1 7 hours ago | parent [-]

Are those hosts using hosted VPS instances, or are they sending through SES? There's a pretty significant difference... FWIW, I get why a lot of VPSes simply block email hosting altogether. It makes it a bit harder for me to find a host for my own small server, but I do understand the pain. Some services are better or worse, and I can imagine at the scale of many cloud hosts, trying to keep the IPs for general hosting out of blocklists would impact the bottom line more than reputational damage for a handful of legit email hosting accounts.

TBF, the demo app referenced in TFA and depending on how many emails you actually send for however many domains may well be a better option for me than my small MTA server.

arpinum 8 hours ago | parent | prev | next [-]

The pricing is disappointing. I'm surprised Cloudflare has not tried to compete on price against AWS lately after a good start with R2. Queues, database storage, database writes, worker invocation all more expensive than the AWS offering.

TurdF3rguson 18 minutes ago | parent [-]

Can you back that up with a link? You're saying Lambda is cheaper than Workers?

password4321 9 hours ago | parent | prev [-]

Cloudflare is spending years of goodwill earned through technical skill, trending towards AI enshittification starting with their blog posts and vibe coded features/products.

Meekro 9 hours ago | parent | next [-]

I also kind of rolled my eyes at the blog post and its obsessive focus on "agents" -- definitely feels like a solution looking for a problem. But the email-sending product being promoted is probably ok, right? They just happened to write a lot of words observing that ChatGPT can, in fact, call sendmail() through their platform (if you give it access) -- a fact that shouldn't surprise anyone.

thomas_gauvin 9 hours ago | parent | next [-]

Blog author chiming in:

Our initial blog covered most of Email Service's API and what you can expect from it in terms of deliverability, DNS records setup, etc. https://blog.cloudflare.com/email-service/

Email Service can definitely be used as a transactional email API, and it has everything you would expect like SDKs, binding, observability and more coming on the way.

The agent angle in this post reflects what we're actually seeing from developers during our private beta. And the idea that an agent can have an inbox to communicate is a new piece in the developer toolbelt.

Meekro 9 hours ago | parent | next [-]

Thanks for the clarification! Sounds like some developers, including your beta users, are experimenting with new ideas (which includes plugging agents into different workflows to see what happens), while old farts like myself bemoan AI getting plugged into everything and every app sprouting "Ask AI" buttons that they never asked for or wanted.

I can definitely understand some of the ire-- people are probably imagining how they'll try to contact Verizon and will get back a totally unhelpful email from ChatGPT when all they wanted was to talk to a real human for 5 minutes. Your blog post about hooking up agents to email probably speaks to that fear.

fernandotakai 9 hours ago | parent | prev | next [-]

> The agent angle in this post reflects what we're actually seeing from developers during our private beta.

legit question: did you invite anyone that isn't doing agentic whatever during your beta?

tracker1 7 hours ago | parent | next [-]

It's most likely people doing active development, willing to experiment on a test/beta platform... which probably correlates strongly with those testing/trying agent based workflows.

Meekro 9 hours ago | parent | prev [-]

Thomas can probably speak to this better, but as someone who has participated in other Cloudflare betas: there's usually a button or a form and you can request access.

dbbk 9 hours ago | parent | prev [-]

It's just email man you do not need to throw an AI buzzword in front of everything

gardnr 8 hours ago | parent | prev [-]

It's like the author handed the copy to the editor who then added a new broken sentence after each original sentence that somehow jams "agents" in there.

gpi 8 hours ago | parent | prev | next [-]

Unfortunate situation. Also, what is cloudflare exactly? They seemed to have diversified a tad much.

foresto 8 hours ago | parent | next [-]

> what is cloudflare exactly?

Man-in-the-middle and gatekeeper of (large parts of) the web.

It's getting harder and harder to participate online without being subject to their surveillance and/or approval.

gpi 7 hours ago | parent [-]

That's a good way to put it.

pfortuny 6 hours ago | parent | prev [-]

Cloudflare is, believe it or not, the owner of several IPs blocked by Telefonica in Spain during football matches. Soon to be tennis, basket, too.
