
Roast my new privacy product: protect your online identity with email alias 📨

I started working on SimpleLogin https://www.simplelogin.io last year with 2 simple goals: protect my personal email inbox and be able to log in seamlessly. More on the 2nd goal later.

Now the product is quite stable (I use it every day to manage most of my subscriptions/accounts now) and I'd love to hear your thoughts on it.

Please be as severe as possible 😅 and let me know what you think.
  • Would you use it?
  • What features are missing/unnecessary?
  • Are you ready to pay for such a product?
Thanks!

P.S.: if someone is interested in upgrading to "premium", please ping me, I'd be happy to send you the coupon to have premium for life ♾.


Looks good!

Here are my notes:

  • How quick and easy is it to create a new alias? That would be important to me. Is there a Chrome extension or something that will simplify the process?

  • Building trust with your customers is imperative. So, maybe highlight that my emails will never be lost, that you don't store them, guaranteed delivery, how my login credentials are saved, etc. I know some of this is covered in the FAQ, but maybe promote those higher in the page.

  • Move the roadmap to its own page? I think it might disrupt the potential purchaser flow.

  • "You can decide and customize what information you want to share with a website." instead of "You can decide and custom what information you want to share to a website."

  • On the pricing page, instead of "Number Alias" maybe use "Maximum Aliases"?

  • I don't think that custom domains are important to me. I'm not concerned about what my email looks like for login forms. Maybe that feature falls down the priority list in the roadmap? But to be honest, I haven't thought this one through. Maybe it is a useful feature.

  • I think there's a market for your site because of sites like burnermail.io. Also, I think your pricing seems fair. But, there might be a disconnect between the login feature vs. the email alias feature. It's almost like it's two different things. Maybe two different plans, products, or even websites?

  • Personally, I'm only interested in the email alias feature. I'd find it useful to see which sites are leaking my information and causing spam. Maybe that's a selling point. I think you could sell just the email alias part of the product for your current asking price.

Thanks a lot for the review Cody 🙏! Yes a browser extension is a must-have, I've been thinking about it for a while!

The custom domain is requested by some users who want to have a bit of "independence" and I understand their points. However I'm hesitating between the priority of this feature vs the browser extension.

The login feature is indeed confusing to users. I'll maybe hide this section for now to avoid users getting lost.

Have you tried the product? It's 100% functional (I've been using it almost every day for 2 months 🙂).

I've always liked the idea of having dedicated email addresses for each recipient, allowing you to disable them at any time.

The three problems all services offering this seem to have are:

  1. Vendor lock-in. I'm locked into using your service forever. Being able to use a custom domain and export all my aliases would combat that somewhat, but you're probably using a proprietary way to generate the unique hash. SimpleLogin being open source is a great help with regards to this.

  2. Privacy. I don't want my email to pass through a third-party service. As far as I can tell SimpleLogin requires this as well?

  3. Dependency on a website/extension. I occasionally need to give out my email address over the phone or in person. I'm assuming SimpleLogin requires me to generate the link online.

I'm working on an alternative solution myself that doesn't rely on third-party software and can be used offline as well. Basically I'm leveraging the Sieve-based scriptability of email servers. It will allow me to generate unique email addresses on-the-fly (with a simple hashing algorithm I can do in my head) and the mail server just checks if the hash is correct.

So to answer your questions:

Would you use it?

Not in its current form. If it was open-source and I could host it myself, I might. But I'd probably stick with my own solution.

What features are missing/unnecessary?

There are a bunch of services like this out there already. What sets yours apart?

Are you ready to pay for such a product?

A paid subscription wouldn't keep me from using the product. If you can build a great solution I'd happily pay for it. But I think this is the type of product I'd rather self-host.

Thanks for the thorough review Marc 🙏! Your concerns are absolutely right 👍.

  1. With SimpleLogin being open-source in the future, one can deploy the program somewhere else if somehow the service is shut down and migrate all aliases there. However as the service cost is quite low, it can be maintained easily in the long run.

  2. Technically the emails DO go through SimpleLogin servers. It's the same for other services as far as I know though and none of them is (or intends to be) open-sourced.

  3. At the moment the alias needs to be generated online. I also have other users asking how to easily "remember" their alias or at least be able to generate one quickly. To be honest I don't have any solution for now that's easy to remember without affecting user privacy: concretely if the rule is too simple, it's easy to know that 2 aliases come from the same person -> easy to cross-reference -> no privacy.

There are a bunch of services like this out there already. What sets yours apart?

In my research, some similar services are indeed more advanced in terms of browser extension or mobile app. However they have some issues:
- Their emails are usually in spam. It's not their fault and a lot of spam will go through such email alias service. I don't think they have found the solution or at least a compromise. Avoiding emails going to spam is really hard though, I experienced it first hand in a lot of projects.
- Their goal stops at the email alias. For me, the alias is only the first (and easy) step. Look at the SimpleLogin developer page and you'll understand 😉.
- They have no intention to open-source the code. Email alias is not rocket science and open-sourcing it is part of my plan since the beginning.

I don't want to cite their names here as this is not fair. I can give more info over private chat for a specific competitor if you're interested 🙂.

I'm working on an alternative solution myself

The product doesn't really target people who have their own email servers, as making aliases is much easier in this case. I would even recommend not using SimpleLogin if this is your case 😉.

Thanks again for the review, I really appreciate it!
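An added illustration of the self-verifying alias idea Marc describes and the cross-referencing concern in point 3 of the reply above (this is not code from either poster or from SimpleLogin). It swaps the mental hash for a truncated HMAC; the key, domain, address layout and all function names are assumptions.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-user secret held by the mail server
DOMAIN = "example.org"            # assumption: placeholder domain


def weak_tag(label: str) -> str:
    """A rule simple enough for mental arithmetic: character sum mod 100."""
    return f"{sum(map(ord, label)) % 100:02d}"


def keyed_tag(label: str, key: bytes = SECRET) -> str:
    """Truncated HMAC-SHA256 of the label, base32-encoded (8 chars = 40 bits)."""
    mac = hmac.new(key, label.lower().encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:5]).decode().lower()


def make_alias(label: str, tag_fn=keyed_tag) -> str:
    """Build label.tag@domain; this can be done offline by whoever knows the rule."""
    label = label.lower()
    return f"{label}.{tag_fn(label)}@{DOMAIN}"


def accepts(address: str, tag_fn=keyed_tag) -> bool:
    """Server-side check: deliver only if the tag matches the label."""
    local, _, domain = address.lower().rpartition("@")
    label, _, tag = local.rpartition(".")
    if domain != DOMAIN or not label:
        return False
    return hmac.compare_digest(tag.encode(), tag_fn(label).encode())


def observer_links(addresses, guess_fn) -> bool:
    """What a third party holding several addresses can test without the key:
    do they all satisfy one publicly guessable rule?"""
    return all(accepts(a, guess_fn) for a in addresses)
```

With `weak_tag`, anyone who guesses the rule can confirm two addresses follow it and mint new valid ones; with `keyed_tag` neither is possible without the secret. Both schemes still share one domain, which by itself ties the addresses together when the domain is personal.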

Agree with the others; some additional things;

  1. I think your website is pretty good. You could probably make it a little simpler though.
  2. simplelogin.co only has a single MX; it's hosted in AWS. a) single MX = bad practice, even if mostly ok b) AWS IPs generally are shit for mail servers.
  3. your DMARC record has some minor errors - mxtoolbox.com/problem/dmarc/d…
  4. you must be breaking dkim signatures; as you're modifying and forwarding a (now) usually signed email; is there a way you've got around this?

Hi Russel, thanks a lot for the feedback 🙏!

  1. Could you give more details please? I'm taking any suggestion to make the website more accessible (even to non-geek people)!

  2. I use AWS mostly for their S3 and RDS. Do you know which cloud provider might have "cleaner" IPs? The current IP has been clean for almost a year now but some users still report SimpleLogin emails falling into their Spam folder so I suspect the IPs might be the culprit here 🤔.
    Adding a fallback server has a high position in my todo list! Once the second server is ready, I'll add a second MX record :).

  3. Fixed :)

  4. The "trick" is that when an email is forwarded through SimpleLogin, I remove its incoming DKIM signature (after verifying it) and replace it with the SimpleLogin one. So outgoing emails are DKIM-valid.

  1. Just shorter and simpler would get me to try it. If you're giving away accounts, maybe you could do the whole signup over email?
  2. Ya; it's hard - just check your ip / block in blacklists. You can build reputation by getting folks to take the messages out of spam.
  3. cool
  4. ya, so still the problem is that I have to trust the message is un-tampered with inside your infra.

1)) By "signup over email" you mean the passwordless login over email? I thought about this one before and am not 100% convinced about it yet ...

4)) Yes I know that it's hard to trust the system :), that's why I planned for SimpleLogin to be open source from the beginning. For now, users still need to take my word for it ...

A quick update on the product: it's now fully open source and self-hostable. The code is on github.com/simple-login/app.
The browser extension is also now available for Chrome & Firefox (Safari's one is coming soon) and support for custom domain is fully functional :).