From IndieWeb

Email is a decentralized, non-web messaging transport, with user interfaces that enable a wide range of message formats and styles. It is commonly used for account recovery by web sites and applications.


Email can be useful for:

  • Asynchronous posting to your website.
  • A POSSE destination to reach people who use email as a reader

Older reasons to use email:

  • One on one or one to many messaging among older internet users, some professions, and academia.
  • Messaging to an (often self-)selected group, i.e. an email list


How to


How to POSSE

How to POSSE to email:

This section is a stub.

  • Several WordPress plugins (Jetpack, for instance, uses the infrastructure for syndication) enable visitors to subscribe to your posts by email and will send out a message when you publish a new post.

For now, see

IndieWeb Examples

IndieWeb community members currently posting to their sites via email, and/or POSSEing to email:

Nick Doty

Nick Doty occasionally publishes emails on that he also POSSEs to mailing lists since 2009-01-22, e.g.:

Barnaby Walters

Barnaby Walters has been posting to his site occasionally via email since 2013-05-22. Example:

Aaron Parecki

Aaron Parecki has occasionally syndicated posts (POSSE) from his site to email lists since 2014-11-18. Example(s):

It is currently a manual process of first making the post, then manually copying the text to reply to the email list.

gRegor Morrill

gRegor Morrill: syndicated at least one post from my site to email since 2023-06-20

Kelson Vibber

Kelson Vibber uses Jetpack to syndicate WordPress posts to email subscribers.



It's also possible to PESOS your email that you send to people or email lists to your own site. Examples of IndieWeb creators that have PESOSed email to their site.


Tantek Çelik has at least once PESOSed an email sent to co-workers, to his own site, with some bits redacted for public consumption, since 2004-06-29:


Due to its popularity and ubiquity, email is extremely widely supported.

Application integration

Of particular interest is the fact that many native applications (especially on iOS) include it in their share/export/action menus by default. This could be an excellent UI to piggyback on for quick and easy posting to our own sites.


Bridgy does not currently support email; however, there is an issue filed to support POSSE to email lists in particular (and backfeed replies).

Webmention was an indieweb/email bridge that aimed to be a hub for all kinds of interactions between indie sites and email addresses, including email-to-webmention and webmentions-to-email.


POSSE techniques

Some thoughts on techniques for POSSEing to email, based on the IndieWeb Examples above.

  • publish an article
  • name of the article --> email Subject:
  • author: <-- intended email From: of yours
  • audience: <-- intended from email To & CC:
  • content: --> email body
  • hyperlink with class="u-syndication" <-- email list permalink

If you are POSSEing a reply to an email (e.g. on a mailing list)

  • publish a reply note (no need for an article, since the name/title isn't something you came up with, but rather "just" a "Re:" and the name/title of the original email you are replying to, which can go in the reply context)
  • author: <-- intended email From: of yours
  • audience: <-- intended from email To & CC:
  • content: --> email body
  • use <blockquote> for portions of the original email that you’re quoting to respond to, or lines starting with > in a plain text note (which you can upgrade to <blockquote> when rendering on your site)
  • hyperlink with class="u-syndication" <-- email list permalink

Redirect to public issues

One possible approach is to redirect incoming email to public issues, hosted on your own site, or GitHub, per:


Bad for more than two people

Whilst adequate for some one-to-one conversation, it scales extremely badly to conversations with more than two people.

Bad for collaboration

It is also appallingly bad for collaboration (wikis or version control systems are much better for this[1]).

Not web

  • URLs == web [2]
  • email addresses != web. [3]

Not web identifiers

  • email addresses are internet identifiers, not web identifiers, by definition. [4]

Maintenance disinterest

  • "I would rather futz with a domain and shared hosting than my own SMTP server any day" [5]

Bad for identity

Encourages Constant Distraction

Unreliable Delivery

Email delivery, especially with your own domain, has anecdotally been shown to be unreliable due to overzealous spam filters' false positives, e.g.:

Is there a way to find out if my email is ending up semi-routinely in spam filters? Several folks recently said they didn't get my messages

Ecosystem discriminates against indie servers

The email server ecosystem has evolved to a small handful of very large (100s of millions of accounts) services that peer with each other, and are actively hostile to indie servers sending their own mail, with the excuse that those indie servers lack "reputation" (an ineffable and ill-defined requirement) for the larger servers to accept email from them.

For more details see:

Email deliverability services such as Mailgun can help with this. Setting up Postfix + Mailgun for multiple outgoing domains

More Problems

See and extract/cite from:


Can I point my domain to my VPS(/web server) but still use hosted email services? I don’t want to run a mailserver

Yes, your domain name can resolve to the IP address of your web server for HTTP traffic, but direct mail agents to look elsewhere. See also DNS.

Email Services by Type

Here are various levels of email services available from different providers, roughly ordered from easiest/cheapest/friendliest to most powerful/technical.

Custom domain email providers

Main article: email-hosting
  • to-do: providers from this subsection need to be copied into email-hosting, and then leave a summary list here of only the top 3-5 providers being used by IndieWeb folks.

Custom domain email providers have the ability to set up an email account to send email as if it is from your own personal domain.

You have to separately configure your domain (perhaps at your DNS provider or web hosting provider) to forward email sent to your domain to whatever email provider you use.



IndieWeb community members using this approach:

  • Jonny Barnes is using Fastmail's service for receiving/reading/sending emails. Fastmail works by setting up a custom domain as an alias for your fastmail inbox.
  • Tantek Çelik is using Gmail for receiving/reading/sending emails.
  • Kyle Mahan is a Fastmail user too. They recommend letting fastmail be your actual nameserver, but I opted to continue using my registrar's nameserver and just copy/paste MX, DKIM, and SPF records from Fastmail.
  • Pelle Wessman is using Soverin for his newest set up domain and an old free G-Suite/Google Apps account for his other account (also using a calendar on the G-Suite account).
  • Ethan Yoo is using to send and receive emails for both and
  • ...

Specific services:


FastMail is a paid email service that has a range of options from only giving you a @fastmail address to others that allow you to have your own personal domain. Other differentiators are with how much email you can store.


Main article: Gmail

Gmail (run by Google) is a free email service that has the ability to set it up to send email as if it is from your own personal domain, optionally using the SMTP server from your domain host (web host).

is a paid email service starting at 1 Euro a month. There is a help page for "Using e-mail addresses of your domain," which includes instructions for adding SPF, DKIM, and DMARC records. also supports "catch-all" aliases.


Pawnmail is a service dedicated to providing "Email hosting for custom domains" that gives 2GB storage "free forever" to anyone. It provides a webmail client along with SMTP, IMAP and POP3 access.


Pobox is a paid email service that has two types of accounts: mailstore and forwarding. All of their plans allow for personal domains.


Soverin is a paid one-plan only email service that provides a "private mailbox that’s truly yours". It's a European service, based in Amsterdam, that focuses on privacy and making it simple to get up and running with e-mail on a personal domain. Makes it easy to conf

Zoho Mail

Zoho Mail has a free account plan that allows you to receive mail in your own domain (1 per account, in the free plan).

Mail as a Service


Mandrill is a service for sending and receiving emails run by Mailchimp. It formerly had a generous free plan, but will require a paid MailChimp account beginning 2016-04-27 and paid e-mail volume, now starting at 30$ a month.

Greyed-out information below probably not correct any more -> if you still use Mandrill, please update it!

Note: Mandrill does not charge for inbound email. See:

  1. Register at
  2. Create a new inbound domain and set up MX records for the domain you’ve chosen detailed here
  3. Set up your web server to accept POST requests to the URL you configured
    • Make sure you verify the origin of the request as detailed here. You can see the key for your webhook here
    • The format of the POST request is detailed here. Send some test emails to yourself and store the results to learn about the format
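
The origin check from step 3, as an added example (not code from this page or from Mandrill). It assumes Mandrill's documented scheme: the `X-Mandrill-Signature` header carries the base64 HMAC-SHA1 of the webhook URL followed by the sorted POST keys and values, and events arrive as JSON in a `mandrill_events` parameter; check both against the current documentation. The URL, key and payload are constructed.

```python
import base64
import hashlib
import hmac
import json

def mandrill_signature(webhook_url, post_params, webhook_key):
    """Base64(HMAC-SHA1(key, url + key1 + value1 + key2 + value2 ...)),
    with the POST parameters sorted by key (assumed Mandrill scheme)."""
    signed = webhook_url
    for name in sorted(post_params):
        signed += name + post_params[name]
    digest = hmac.new(webhook_key.encode(), signed.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def inbound_messages(webhook_url, post_params, webhook_key, header_signature):
    """Return the inbound msg objects, or None if the signature is wrong.
    Nothing in the body is parsed before the signature has been checked."""
    expected = mandrill_signature(webhook_url, post_params, webhook_key)
    supplied = (header_signature or "").encode()
    # Constant-time comparison, so the check does not leak how many
    # leading characters of a guessed signature were correct.
    if not hmac.compare_digest(expected.encode(), supplied):
        return None
    events = json.loads(post_params.get("mandrill_events", "[]"))
    return [e["msg"] for e in events if e.get("event") == "inbound"]

# Constructed sample request (URL, key and payload are made up).
URL = "https://example.com/hooks/mail"
KEY = "constructed-webhook-key"
PARAMS = {"mandrill_events": json.dumps(
    [{"event": "inbound", "msg": {"from_email": "me@example.com",
                                  "subject": "hello", "text": "posted by email"}}])}
# What a legitimate sender holding KEY would put in the signature header.
GOOD_SIG = mandrill_signature(URL, PARAMS, KEY)
```

The URL passed in must be exactly the one configured for the webhook, including scheme and path, or a genuine request will fail the check.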

Beware: I have experienced some inconsistencies in the mandrill responses. Namely that sometimes attachments are in the msg.attachments key, but I have also seen them in msg.images. I am currently using attachments = msg.attachments || msg.images || [] to cater for both cases. 10:26, 24 May 2013 (PDT)

Other Inbound Email Providers

There are other email PaaS companies which offer similar inbound POST request hooks instead of using Mandrill. More details coming soon.

  • MailGun - [6]
  • PostMark - [7]
  • Comparison of several providers - [8]

Mail Forwarding Services


  • The service provider handles all of the issues that are involved with mail delivery such as spam filtering, DKIM and SPF support and will also cache your mail if your MTA goes offline
  • ...


  • You still need to set up an MTA to receive the email being forwarded by the vendor
  • ...

IndieWeb community members using this approach:

  • Bear is using MailRoute for receiving/sending emails.
  • ...


MailRoute allows you to specify its mail servers in your domain's MX records and then specify what server domain or IP address to forward sanitized emails to. It offers spam filtering, greylisting and a number of other features. Once you have an account and have configured it for your domain, you are ready to set up your local MTA.

Handling it Yourself

Mail in a Box

Mail in a Box is a script that Josh Tauberer has put together to turn a VPS into a functioning mail server.

Running your own mail server

An MTA (Mail Transfer Agent) is a process that runs on your server and accepts incoming SMTP connections (generally on port 25) for mail delivery. Running your own MTA is fraught with trouble and can be so time-consuming that even people who run servers for a living generally use a forwarding service to handle all of the messy bits.

The example I give here will be to use Mailroute as the forwarding service and Postfix as the local MTA, but other combinations can be used.

  • Note* this is a draft work-in-progress - I'll be filling in more concrete examples and other suggestions as I get time.

I use Postfix primarily because it comes from all of the OS Distros with a very sane set of defaults that you enter during setup and it just works. The reason Postfix becomes a drop-in tool is because of the work that is being done by the Mail Forwarder you set up in the prior step.

The key bits to configure are to tell the installer that you are using Postfix as "Stand-alone Internet Host" and then make sure the entry for mydestination contains your domain and relayhost contains the domain name for your Mail Forwarder.


  • tls and sasl configuration
  • show how to configure the host's MDA (Mail Delivery Agent) to deliver emails to a program instead of a user mailbox
  • show how to configure a mailbox to store mail to be read by a cronjob or other agent

A guide to setting up a self-hosted email server

Indieweb examples

Peter Molnar had been running his own mail stack for 10+ years; the current setup is postfix (with postscreen) + dovecot + dspam + opendkim + opendmarc.

Security Issues

Anyone can send fake email from any email address. You need some way of determining that inbound email does indeed come from who it appears to. Possible solutions include:

  • Make sure you’re verifying the authenticity of the request sent to your webhook
  • Using “secret” email addresses by embedding the password in the address, e.g. — then store it in a private address book to save typing
    • Flickr does this to let you upload photos by email, and the email addresses are pretty short too.
  • Use a mechanism such as SPF to determine the authenticity of an email
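
The secret-address and SPF checks from the list above, combined in one gate for post-by-email; this is an added example, not code from this page. It assumes your own receiving MTA stamps an `Authentication-Results` header with a known authserv-id and strips inbound copies that claim it, and that the envelope recipient is recorded in `Delivered-To`; all names and messages are constructed.

```python
import hmac
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed values, not from the page):
TRUSTED_AUTHSERV = "mx.example.net"  # authserv-id stamped by your own receiver
POSTING_SECRET = "x7Qp2m"            # secret embedded as post+<secret>@...
ALLOWED_DOMAIN = "example.com"       # the only domain allowed to post

def spf_pass_domain(msg):
    """Domain that passed SPF according to the topmost Authentication-Results
    header stamped by our own receiver, or None. Simplified parser: it does
    not handle ';' inside header comments."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # stamped by someone else, possibly the sender: ignore
        for result in results.split(";"):
            tokens = result.split()
            if tokens and tokens[0].lower() == "spf=pass":
                for tok in tokens[1:]:
                    if tok.lower().startswith("smtp.mailfrom="):
                        return tok.split("=", 1)[1].rpartition("@")[2].lower()
        return None  # only the topmost trusted header counts
    return None

def accept_post_by_email(raw):
    msg = message_from_string(raw)
    # 1. Secret address: compare the +token in constant time.
    rcpt = parseaddr(msg.get("Delivered-To", ""))[1]
    token = rcpt.partition("@")[0].partition("+")[2]
    if not hmac.compare_digest(token.encode(), POSTING_SECRET.encode()):
        return False
    # 2. SPF authenticates the envelope sender, not the From: header, so
    #    require the SPF-passing domain to match the From: domain as well.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return spf_pass_domain(msg) == from_domain == ALLOWED_DOMAIN

def sample(auth_results, sender="me@example.com", rcpt="post+x7Qp2m@example.com"):
    """Build a constructed test message."""
    return (f"Authentication-Results: {auth_results}\n"
            f"Delivered-To: {rcpt}\nFrom: {sender}\nSubject: hello\n\nbody\n")

GENUINE = sample("mx.example.net; spf=pass smtp.mailfrom=me@example.com")
# Forged From:, SPF passes only for the attacker's own envelope domain.
SPOOFED = sample("mx.example.net; spf=pass smtp.mailfrom=x@attacker.test")
# Sender-supplied header naming a different authserv-id.
FAKE_HDR = sample("mail.attacker.test; spf=pass smtp.mailfrom=me@example.com")
```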


phishing is the act of sending an email (a phish) with both a forged from address and HTML contents that pretend to be from a popular service provider (often a silo). Such emails usually have a fear-invoking subject like "Account Termination", or a greed-invoking one like "Transfer Notification" from a bank, with a link or button to "Log in", "Verify Account", or "Initiate Transfer" which appears to go to the service provider but actually goes to an attacker's website that looks very similar (if not identical) to the service provider's, in order to trick you into entering your username and password so the attacker can gain access to your service provider account.

The term "phish" comes from the attacker "fishing" for your username and password; if you enter them, you've been "phished".

E.g. (documented examples of phishing emails)


spearphishing is the act of tailoring a "phish" specifically for a particular individual, sometimes seeming to come from a trusted contact, friend, or co-worker.

As Commenting

In 2015, when shutting down their comment section, Motherboard recommended that people take discussions to email rather than getting them buried in public discourse:

Comment sections inspire quick, potent remarks, which too easily veer into being useless or worse. Sending an email knowing that a human will actually see it tends to foster thought, which is what we want.

As of 2020, several personal blogs started including links in their feeds to solicit replies via email, specifically to interact with people who do not visit the blogs directly and who use non-social readers.


The following are all announcement posts of personal blogs adding email links to their feeds:

A smaller number of personal blogs do the same right on their posts:

See Also