Cloudflare Email Service: Private Beta
Key topics
Cloudflare has announced a new email service in private beta, generating excitement among developers who see it as a convenient addition to their existing suite of tools, with discussions highlighting both the benefits and potential concerns around centralization and pricing.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
26m
Peak period
134
0-12h
Avg / period
26.7
Based on 160 loaded comments
Key moments
- 01Story posted
Sep 25, 2025 at 10:33 AM EDT
3 months ago
Step 01 - 02First comment
Sep 25, 2025 at 11:00 AM EDT
26m after posting
Step 02 - 03Peak activity
134 comments in 0-12h
Hottest window of the conversation
Step 03 - 04Latest activity
Oct 1, 2025 at 2:20 PM EDT
3 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
That's great - and maybe I'm cynical - but that's right where my mind went when I read that. Trading income for control isn't a bad game..
Are digital content creators lazy too? Why don't they just host their content on their own damn servers?
Do you talk to your customers with that mouth?
For those who are lazy to click, this guy's business is hosting and maintaining a sales platform for people.
(cloudflare customer, in both personal and professional capacities; i pay Fastmail to host family email; both can easily be switched if needed to prevent lock in, with DNS changes and in the case of hosted email, an export of mailboxes and tenant config)
And there is a spectrum to this. For example, using a small, independent email or hosting provider may cost a little more time, but makes you more independent from big tech, and maybe more importantly, contributes to reducing the power of big tech. We are all paying for it, down the line.
Paying Fastmail, along with others who do so, means Fastmail will remain as a non Big Tech option, for example (they also developed and championed, JMAP, for a more efficient user experience). Paying Kagi means Kagi will remain as a non Big Tech option. Donating to Let's Encrypt means Let's Encrypt will remain as a public good independent of Big Tech. I could go down the list of every service I pay for to de-Google and de-Big Tech, but that's likely unhelpful to further demonstrate the point.
> We are all paying for it, down the line.
Indeed, so establish and fund organizations that provide systems and services for benefit vs profit and control that cannot be captured. Self hosting your own box at home helps you (which is totally fine and reasonable, I run my own on prem infra across two continents at small business enterprise scale for use cases I cannot procure commercially at reasonable cost), but does nothing else, and doesn't scale.
(think in systems)
You get to respond to requests and your data cannot be handed over without your knowledge.
but I do mind my data being drag-netted, or hoovered up by scummy big tech and then sold on
(whether that's for slop training, ads, anything really)
Citation requested. Big tech considers your IP address dishonorable, and blackholes your emails. How independent are you now when you can't email any providers that use blacklists?
> contributes to reducing the power of big tech
Again, citation requested. Big tech will just blackhole your emails and you'll only find out when your users complain.
I also see a lot of comments from those who have admittedly never tried, telling me that I'll be blacklisted and not even know.
I don't know if this is some kind of confirmation bias, or if there's just a very vocal bubble of people without experience talking about how difficult it is.
And always will be.
New but non-standard niche browsers are also problematic.
Website owners may understandably be appreciative of CF. But as as someone browsing the web, I think it's done a lot of irreversible* damage to the open internet.
* I say irreversible because I don't think they'll be looking to improve this anytime soon, but rather add more restrictions.
Cloudflare succeeded to do what Google tried and failed with AMP, and we are all the worse off for it. [Though at least it is not Google, that would be worse.]
I cannot afford to be DDOS'ed and there are bad actors that have already proven that they _will_ take me down if they could. So, I feel bad for the internet being walled up, and I feel bad for users that will lose access. And I fret that one day CF may just decide to take all my content and use it somehow to shut me down.
Meanwhile though, I hold my nose, cry inwardly, and continue to use Cloudflare.
Just be a good little consumer.
That such a database has other uses would be a happy coincidence.
The ire should be reserved for if and when they establish some kind of monopoly or other anti-consumer practices, fall afoul of anti-trust law, and inevitably the US government gives them a free pass for criminality like it has been doing for years with dozens of other Big Tech mergers, rollups, exclusivity dealings, etc. and appears to have just done again with Google a few weeks ago.
It is fine for big companies to offer competing email sending services. It is not fine for them to break competition laws.
Also yes, please do set up SPF, DKIM and DMARC for me. I may very well end up using this down the road because they say they'll do that for me and I just don't want to think about them in some situations.
I'm going to take this opportunity, because hopefully Cloudflare will see it, to request they support SPF record flattening natively.
Google is in a perfect position to compete but they don’t, so it’s not like Cloudflare is a monopoly or something.
At least they’re not selling ads using your data.
1934 [1].
[1] https://tile.loc.gov/storage-services/service/ll/usrep/usrep... Humphrey's Executor vs. United States
At least you're referencing the United States in 1934, though. Things were very dysfunctional politically in the US at that time, but not nearly as bad as what was going on in some other parts of the world.
Seriously? You don't see the relevance of independent agencies to this discussion?
And the dynamics of inter-branch checks and balances within the US federal government aren't directly relevant to the question of whether the federal government as a whole is a reliable institution in the first place (nb: it isn't).
You don’t see a reliability difference between a self-moderating and unmoderated system?
Do you see any value in QC?
I mean the reconstitution of AT&T was one of the IMO the biggest middle fingers to the public I've seen. It was broken up because it was a bad actor and now its back again as a worse than ever bad actor. That was kind my wake up call. I'm sure there is worse though that I don't remember because it was not tech related.
I could be wrong I'm not a huge politics person. Either way I don't think any response to me invalidates my opinion that the current government would not do a better job than cloudflare currently is.
I trust a corporation more than I trust the nation you want it nationalized in (America?)
EU maybe. But yes I don't want cloudflare to be part of america after patriotic acts and all the dystopia.
Honestly, cloudflare is not so vital to the internet. Like, The only thing its gonna be a problem if they stop working without giving any way to migrate. Then yes, its gonna be a bit of problem to the internet.
Really? Try distrusting CF certs, and see how much of your internet activity breaks. CF certs should be distrusted, because it's MITM by definition. At the very least, I'd like an addon that makes the URL bar bright red, so I know my connection isn't secure.
Though arguably neither should be in a position to do so without being regulate as a public utility
Also, I know that there are sometimes where cloudflare sits in the middle between your servers and your users for DDOS protection, and so yes theoretically its a point of interception but given how their whole thing is security, I doubt that they would exploit it but yes its a point of concern.
On the other hand, if something like this does happen, migrating can be easier or on the same level if something like this happened on like AWS.
But cloudflare still feels safer than AWS y'know?
That being said, I am all in for some regulations as a public utility but not nationalizing it as the GP comment suggested. Just some regulations would be nice but honestly we are in a bit of tough spot and maybe it was the necessity of the internet to have something like cloudflare to prevent DDOS's.
I think that cloudflare is used by most as DDOS protection and so they still have the servers.
There are also cloudflare workers and pages but even migrating them is somewhat doable as I think that cf workers have a local preview option somewhat available in their node etc., so you could run it locally somehow.
Sure its gonna be a huge huge problem but something that the internet might look past of (I think).
Honestly, I kinda wish that there was a way to have something like how the tor onion links work in the sense that the link has the public key of the person running the server and so uh, no matter if its cloudflare serving the link or something else, its still something that can't be MITM'd for the most part.
Am I right in thinking so? Sure, its gonna make the links longer but maybe sacrifices/compromises must be made?
My opinion is simple, age verification won't work unless they block VPN (something which UK wants to do/ is doing) and that sets a really really bad precedent and I doubt if its entirely possible without breaking some aspects of internet or complete internet privacy.
EU in aggregate is net positive but it still has some things which are kinda flawed regulations that are a bad precedent, but germany kinda blocked the verification thing iirc so there is still a lot of hope and EU does look like its trying its best but I think that it can do just a bit better if they don't think of age verification or some other stuff but that's just my 2 cents.
This was why I added "maybe" tbh. They are one of the best options but even they aren't thaat good. Like its questionable I think and needs a much bigger debate
I'm not sure that sounds like a good idea, if that's what you're saying.
Maybe if Cloudflare had workplace democracy my concerns would be different, but they don't and wield too much power.
If it also helps I also think 99.99% of big tech should be broken up into separate, probably a few 100, different companies.
So yes, anything vital for the internet should be controlled by the people through democratic norms, institutions, and values rather than dictatorships by those with money over those with none.
Everything reduces to specific people acting on their a priori motivations in bounded contexts, and any system of centralized control is guaranteed to enable expressions of the worst motivations of the people involved. The distinctions you're making -- "private" vs. "public", "corporations" vs. "governments", etc. -- are fundamentally meaningless.
There are no "democratic norms", just norms adhered to by specific people and the factions they form, contesting against each other for power over others. Performative "democracy" is often just cover to allow the currently dominant factions to function as "dictatorships".
Decentralization and individual autonomy are the only solution to the problems you rightly care about, but what you're proposing is literally the opposite of that.
Amazons only advantage is it's massive selection, if you can find what you're looking for.
Yet. Since it's an american company with an ever-growing influence, I dread and expect that to change, among other things, down the road. I assume the three-letter agencies also already MITM the traffic.
However, I guess they have become the major player now and certainly try to optimize the world towards their business model.
IMHO it needs other enterprises entering the competition. Maybe it could be new more software defined mobile network providers offering edge compute. Maybe data from IoT could never enter the Internet and we could have some confidential computing power when we need it for our IoT stuff. Maybe we could get a more decentralized Internet again...
I don't think that's it, and I think the explanation is much more simple and straight-forward.
Cloudflare established a very successful business model around a straight-forward, very transparent, no-bullshit CDN. Now, they started offering other cloud services build around their CDN. Cloudflare Workers kind of extend their CDN pipeline to allow clients to run arbitrary code to customize caching logic, but it turns out their function-as-a-service model is exceptionally good, and higher-level services like email are a low-effort way to meet existing needs.
Please, educate me and tell me what's up.
Trying to unravel all that is an absolute nightmare.
I'm not discounting their innovations but had they not been VC funded and given away free service I suspect many would still never have heard of them.
What does this purity test accomplish? that's just how things work in this industry. Can you name a company that has innovated on their scale that hasn't taken VC?
Cloudflare built a business around b). This doesn't save on hosting costs, only lowers some operational and legal risks.
It is a legitimate business, from my perspective. I'd just wish we weren't in a situation where CloudFlare isn't exactly struggling to sell their services.
I'm perplexed by this sort of comment. Cloudflare doesn't even feature in the top 10 of cloud provider market share, and the number 8 spot already reports 2%. And here you are, complaining about Cloudflare and centralization.
Furthermore, AWS is by far the biggest cloud provider, reporting around 30% market share, and I don't see AWS being referred as a concern.
1) https://www.theregister.com/2024/12/13/cloudflare_2024_revie...
2) https://en.wikipedia.org/wiki/Cloudflare
Point being, it's a commercial subverting the Internet from inside, reshaping it to better serve the interests of commerce. It is indeed protection, but it's accomplished by reducing variance. 99% of legitimate commerce on the Internet follows the same patterns, use a small subset of possibilities offered by the technology - so why not just block the remaining 1% that doesn't fit and call it a day? It will stop most of the threats to running businesses on the Internet. The 1% of legitimate commerce that doesn't fit the pattern? It's not being ignored per se, just pressured to adapt and conform to the majority.
What is being ignored is that the Internet is not just a place of commerce, and non-commercial use cases, ideas such as empowering people to better their lives, are gradually becoming impossible, as fundamental Internet infrastructure becomes inhospitable for them.
Some of us still remember the Internet being more than just a virtual mall, and are unhappy about it gradually becoming one. And it's not like CloudFlare, et al. are hostile to non-commercial interests as a matter of principle - it's just out of scope for them.
Your second paragraph talks about other (non-commercial) sites. I think I'm missing the link here. Why would the admins of such sites resort to Cloudflare if 'fundamental Internet infrastructure becomes inhospitable for them' by making that choice? They could very well choose to implement their own or no measures at all.
I think the issue is that the general threat level has massively increased compared to the past - not in terms of sophistication but frequency/scale. But that's a consequence of widespread adoption, nothing Cloudflare in particular is responsible for.
Marketing and free tiers.
But my point is that Cloudflare is addressing threats that predominantly affect businesses, and does so well, but the way it does is effectively changing the whole Internet to be more hospitable for commerce, and less hospitable for any other kind of use.
Don't blame site owners and service that is trying to help them. Blame the fact that 90% of today's Internet traffic is bots
- site owners can have protection as long as it doesn't inconvenience me.
Replace "me" with "legitimate users" and replace "inconvenience" with "very aggressively inconvenience or entirely block".
Then yeah you have it.
They're also essentially a deanonymization reverse proxy that can track everyone's browsing history and decide whether you get to see websites based on social credit.
But I don't think they care if they block firefox users, or people who delete cookies, or VPN users, or Tor users, or people who resist fingerprinting, or people who block ads, etc.
Many of my websites get 98% of their traffic from bots and bad actors, but it doesn’t really matter because the extra load of all these fake requests is absolutely negligible. I have a hard time understanding how someone would be bothered by an extra 50k requests a day. That’s less than a request per second. Most of the sites on even the weakest VM’s can easily do 10r/s these days.
if someone can foot the bill then I happily let them use it for free but its coming from own pocket
I guess whatever revenue you lose you make up for in a lower hosting bill. I just go to your competitor that doesn’t have the horrible UX. Usually those websites also tend to have much more optimized web pages too so it is an all around better experience.
Sounds great, until a new CEO steps in. Any company is exactly one (or more often zero) CEO away from doing whatever they want (within legal constraints) with their business, in order to fulfill their fiduciary duty (and greed).
It looks like you have voting shares with 10x the power of institutional investors, but activist investors aren't dumb either.
My biggest fear of Cloudflare has always been that one day you'll get hit by a bus and someone will figure out that merging Cloudflare with an ad network would create so much more shareholder value. The road to hell is paved with free DDoS mitigation, so to speak.
At least Brian Thompson wasn't complicit in helping the IC conduct bulk violation of the fourth amendment rights of the entire country, unlike you. He was just a greedy bastard. Your actions, on the other hand, render you a traitor and a threat to the democratic process of the country itself.
Too bad you don’t hire senior folks in Germany currently, would probably join in a heartbeat for emotional reasons alone. Keep going, lightweight features on a tap and solid reliability over years is exactly what I need and want at least.
It was better. 'Wget' and 'links' worked with most of the sites.
I feel like people here are forgetting the fact just how hostile bad actors on the internet are / can be.
If it's the latter then it reflects the sad truth that we can't have nice things anymoret. I have lots of problems with the accessibility of that box, but either Cloudflare would be implementing it, somebody else would be implementing it, or a huge chunk of data would be unavailable to you anyway because of accidental DDoS attacks caused by irresponsibly deployed bots.
Maybe for you.
But I don't let random unvetted websites run code on my computer. Checking that box requires it.
That's like saying that you're blocking yourself when installing an adblocker.
No, it's for safety and hygiene.
> Seems really disingenuous to imply it's someone's fault
That's because it is. I didn't make the web and I don't work on websites. But I have to deal with it because some fucking dumbasses decided they wanted to save some server cycles by offloading all the hard work onto the client and ruining internet safety in the process, while also offloading the cost of power and performance onto users.
So if disabling javascript is what's needed to keep my safety? So be it. If it breaks some asshats' websites, then they're websites I don't want to use anyway.
--childhood bullies
(Check the box, and get redirected to check the box again.)
I'm using a fairly mainstream ISP in a fairly mainstream country.
I don't get why I seem to have such a hard time. I've kept the same IP for months.
But the worst thing overall is that it just doesn't acknowledge it.
Want to block me? OK. But tell me that! Don't just make me tick a box again and again and untick it. It's infuriating.
"Never happens to me means never happens to anyone"
Also it's quite amusing what if you had got hit with an infinite captcha here then you couldn't post your comment.
I see your point.
> Also it's quite amusing what if you had got hit with an infinite captcha here then you couldn't post your comment.
And you couldn't have hit me with that sick burn ;)
Seriously though I see where you're coming from in that I was implying that there must be something wrong with the original person's set-up that causes this, and that is not the case.
The thing is that while there's plenty of complaining about CF's approach nobody is offering a better alternative.
It had much more freedom. Currently it's up to Cloudflare to decide whether you will read that article or not. Tomorrow some stupid law will mandate certain ideas to be hidden from children[1] and Cloudflare will happily comply.
1. https://en.wikipedia.org/wiki/Think_of_the_children
Do I need to find another internet access now?
No VPN (unless your ISP is extremely shady, then do use a VPN or change ISP), no overly zealous adblock (ublock origin on default settings should be fine), no JS blocking / weird privacy extensions / whatever, nno PiHole, just what your average, relatively tech-savvy geek would use.
HN readerships's problems with Cloudflare are mostly their own fault. "normal" internet users don't have these problems[1].
[1] except for people in specific countries, and I do feel sorry for those.
> You need to become more like a "normal person."
Isn't in inherently problematic that there is even a definition of a "normal person"? Who gets to judge this? Why do I have to conform? This immediately creates in-groups and out-groups. We should all know better than to allow this to happen. Classification is fine. Probably even needed to help with inclusion. Restriction based on classification can very quickly become problematic.
> No VPN (unless your ISP is extremely shady, then do use a VPN or change ISP)
That's all ISPs by now. You should never just trust any authority logging what you do. What is fine today might not be fine with tomorrow's government and those logs (as much as some might pretend they are not) are permanent. VPN bans will start to pop up all over the place soon and everyone half-paying attention knows why
> no overly zealous adblock (ublock origin on default settings should be fine)
And what is the definition of overly zealous? Chrome has already dropped support for ublock, more or less. Adblocking is directly hostile to the data-hoovering machine. That should be enough reason to use very restrictive adblocking. I am using every filter list there is with Firefox on Linux. Cloudflare's checks are basically always fine. ReCaptcha, however, is a nightmare.
> no JS blocking / weird privacy extensions / whatever
Well, most of the web doesn't work when blocking JS outright. So I guess we've lost that battle. Though I'd argue that things like reader-mode and the ability to just get text content is pretty important to quite a lot of people still, especially those with disabilities. I don't understand the derogatory tone used when calling privacy extensions weird and the 'whatever' part is just a flippant dismissal of an entire ecosystem of extensions and applications that have a right to exist
> nno PiHole
PiHole is soon going to be the only way to protect yourself, considering what Google is pushing for with manifest v3. I don't yet use it, because it's a pain in the ass, but I'd rather have less internet and more control than vice versa
> just what your average, relatively tech-savvy geek would use.
Why do you think that you should be the one to define what or who that is? Furthermore, why should anyone be given that right? What are we really losing by allowing people to have custom setups vs. what are we losing when we don't?
> HN readerships's problems with Cloudflare are mostly their own fault. "normal" internet users don't have these problems
This reliance on the definition of "normal" is problematic, for the aforementioned reasons. You don't know what normal is and having a gate-keeper of this definition will lead to ever-smaller circles of people falling under that definition, until one day you are no longer normal and then what?
> [1] except for people in specific countries, and I do feel sorry for those.
Get ready to feel sorry for yourself in the near future :)
Could you please suggest me some ways in which I can become more like a normal person? Thanks.
Not to comment on whether they're actually a monopoly or not (since idk much about CF's market share, except that it's big), but how does this prove they aren't a monopoly? If anything, it'd work as evidence to prove that they are.
internet is made sooo much better by negating all encryption effort of the last 20 years
403 more comments available on Hacker News