• Email for the modern world



    ON SECURITY By Susan Bradley When we go online, we begin with a basic tool that started us all on the technology journey years and years ago — an emai
    [See the full post at: Email for the modern world]

    Susan Bradley Patch Lady/Prudent patcher

    8 users thanked author for this post.
    Viewing 9 reply threads
    • #2565536

      Susan, you recommend OAuth for email. In Thunderbird (Popmail), if I use

      Account Settings > Server Settings > Security Settings > Authentication Method and select OAuth2 from the Authentication Method dropdown,

      then I can send email but not receive it. So how does one implement OAuth2 for Tbird, or is it only for Gmail accounts?

      • #2565555

        Thunderbird (Popmail) … I can send email but not receive it.

        GMail has a setup in their Web Mail settings which allows you to create a one-time entry for a permanently saved App Password. You must use this App Password setup for POP-3 clients, and many IMAP clients (like Thunderbird) also require it.

        Setting up an App Password requires turning on two-factor authentication with Gmail. Gmail requires 2FA of all its users now, so this does not introduce an additional hoop to jump through.

        Once set up, the App Password is negotiated by your email client transparently — you never have to enter it or any other password again.

        Other providers may also have this requirement.  (My Yahoo Mail account does need an App Password for POP-3 access, but this does not require setting up 2FA to access Web Mail through Yahoo. But you should enable 2FA for all online accounts.)

        -- rc primak

        • #2565575

          rc: Are you and Susan saying that OAuth is not possible for Tbird unless using Gmail?

          “Setting up an App Password requires turning on two-factor authentication with Gmail.”

          So if one used Tbird Popmail for email, then one cannot use OAuth2?


          • #2565632

            So if one used Tbird Popmail for email, then one cannot use OAuth2?

            Being able to use OAuth2 isn’t solely a function of whether the e-mail program you’re using includes support for it (FYI, Tbird “does” support it); the e-mail provider you’re using must also support it.

            If your e-mail service provider doesn’t support it (and not all of them do) then you won’t be able to use it for that particular account in your e-mail program!

            I.e. I have three different POP3 e-mail accounts set up in Tbird on my PC from three different e-mail service providers but only one of them (gmail) supports OAuth2… actually, it now requires it. The other two still use legacy authentication (SSL/TLS + password) with no option to enable any form of 2FA.

            • #2565731

              Alejr: Thanks for the clarification. Spectrum is my internet and email provider.

              In my up to date Tbird, I can go to Settings/Account Settings/Server Settings/Authentication method/ and choose “OAuth2”. However, when I did that and sent myself an email, I never received it.

              When I go to Settings/Account Settings/Outgoing Server/ which shows only “RoadRunner mail”, which I select and then Edit/Authentication Method/ , there is no choice for “OAuth2”.  So what’s going on?

            • #2565827


              E-mail programs “communicate” with the mail server you choose when you create an account and the server will respond indicating exactly which authentication methods it supports.

              So, if the OAuth2 option is missing, that means that mail server responded indicating it doesn’t support OAuth2 and, as you’ve discovered, it won’t work for that account.

                i.e. you can’t “force” a mail server to use OAuth2 if it’s not configured to support it!


              If your provider does support OAuth2, you must enable it on their end of the connection first to get the “special code” needed to make it work on your end. Without that code, which you’ll be prompted to enter the first time you send/receive messages after setting the account to use OAuth2, your e-mail won’t work!

              I checked, and as far as I can determine, Spectrum only supports OAuth2 for business users not home users; which would explain why it’s not an option for your outgoing mail server and doesn’t work for your incoming mail server.

                Feasibility of Oauth authentication for Spectrum

              3 users thanked author for this post.
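The capability check described in the post above, as an added example that is not part of the original thread: it reads the authentication mechanisms a server advertises over IMAP, POP3 or SMTP and reports whether any OAuth2 mechanism is on offer. The sample responses and the host name in them are constructed for illustration.

```python
import re

# SASL mechanisms that carry an OAuth 2.0 token rather than the account password.
OAUTH_MECHS = {"XOAUTH2", "OAUTHBEARER"}
# Mechanisms built on the account password ("basic"/legacy authentication).
PASSWORD_MECHS = {"PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5"}

# Constructed sample responses (not captured from any real provider).
IMAP_OAUTH = "* CAPABILITY IMAP4rev1 SASL-IR AUTH=XOAUTH2 AUTH=OAUTHBEARER AUTH=PLAIN\r\nA1 OK done\r\n"
POP3_BASIC = "+OK Capability list follows\r\nUSER\r\nUIDL\r\nSASL PLAIN LOGIN\r\n.\r\n"
SMTP_BASIC = "250-mail.example.net\r\n250-SIZE 35882577\r\n250-AUTH LOGIN PLAIN\r\n250 8BITMIME\r\n"


def advertised_mechanisms(protocol, response):
    """Return the SASL mechanism names found in a server capability response."""
    mechs = set()
    for line in response.splitlines():
        upper = line.strip().upper()
        if protocol == "imap" and "CAPABILITY" in upper:
            # IMAP lists each mechanism as its own AUTH=<name> token.
            mechs.update(re.findall(r"\bAUTH=([A-Z0-9_-]+)", upper))
        elif protocol == "pop3" and upper.startswith("SASL"):
            # POP3 CAPA (RFC 2449) has one "SASL <mech> <mech> ..." line.
            mechs.update(upper.split()[1:])
        elif protocol == "smtp":
            # SMTP EHLO reply: "250-AUTH <mech> ..." (some servers use "AUTH=").
            m = re.match(r"250[- ]AUTH[ =](.*)", upper)
            if m:
                mechs.update(m.group(1).split())
    return mechs


def classify(protocol, response):
    """Split the advertised mechanisms into OAuth2 and password-based ones."""
    mechs = advertised_mechanisms(protocol, response)
    return {
        "oauth": sorted(mechs & OAUTH_MECHS),
        "password": sorted(mechs & PASSWORD_MECHS),
        "oauth_available": bool(mechs & OAUTH_MECHS),
    }


if __name__ == "__main__":
    for proto, resp in (("imap", IMAP_OAUTH), ("pop3", POP3_BASIC), ("smtp", SMTP_BASIC)):
        print(proto, classify(proto, resp))
```

Capabilities advertised before STARTTLS can differ from those offered once TLS is up, so a client should query them again after the handshake.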
            • #2565862


              Thanks for the very useful analysis of the OAuth situation at Spectrum (and likely at other email providers):

              “as far as I can tell, Spectrum only supports OAuth2 for business users not home users; which would explain why it’s not an option for your outgoing mail server and doesn’t work for your incoming mail.”

              One has to pay up for a business account if one wants the bells and whistles.

              1 user thanked author for this post.
    • #2565538

      2 Things … my EPIM Mail app — Hotmail acct Server setting (Incoming) shows IMAP (OAuth), SO, the issue isn’t (as Susan stated but it doesn’t always sink in with amateurs) just POP or IMAP, it’s the “Basic” approach — & absence of OAuth.

      For wife’s – at bellsouth.net — acct EPIM shows Only IMAP4 – BUT – she has a 15-Digit Secure Key for Logins I got from an AT&T page after login. It appears that the Secure Key equates to OAuth type protection making IMAP4 OK –

      W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / HP Envy Desk-Ethernet - SSD-HDD/ i5(8th Gen) 12GB / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0

      • #2565556

        Yes, it’s the older Basic login vs. the better 2FA, OAuth or App Password (Secure Key) login methods.

        she has a 15-Digit Secure Key for Logins

        That is what is known as an App Password. It operates on a per-application basis and serves as a digital fingerprint or 2nd login factor. It’s not as secure as OAuth, but for older programs it may be the only viable alternative.

        -- rc primak

        2 users thanked author for this post.
    • #2565558

      I’m fairly certain shared mailboxes use no Exchange Online licenses.  The exception is, if you’re using Microsoft Defender for Office 365 to protect the shared mailbox, it uses a Defender license.

      Another helpful site for learning and implementing DMARC is Global Cyber Alliance.  They have both a learning portal, plus the tools to help set up and check your DMARC implementation.


    • #2565593

      So now I am baffled. I don’t use exchange, I do use Outlook 365. I don’t see alternatives to POP and IMAP. Are there any?

      I also note that Wikipedia includes some pretty disparaging remarks about OAuth 2.0

    • #2565596

      I think this is a really good article and I’ve run across instances of everything that Susan cautions about (many of them in my own family).

      I wonder if you can comment on email services like Google’s.   Is the only caution that one needs to keep one’s account active (i.e. each 2 years)?  I somehow think that relying on a company like Google (and not picking only on Google – equally MS and the like) for “free” email service is inherently somewhat ‘risky’.    Nothing is ‘free’ – everything is a business decision – and who knows what the future holds.  Of course even paid services might well go out of business too…

      I somehow think that relying on Webmail services for the future isn’t great.   That’s why I continue to use a venerable POP client (Eudora) and have every email I want downloaded to my own machine – where I alone am responsible for keeping that intact….


    • #2565723

      Susan, you said in the article “Some domain choices involve underscores or dashes, which can also make it difficult to communicate the name.” It can be worse than that. Since I set up my personal website more than a decade ago with a dash in the domain name and use a few addresses in that domain for my main email, I’ve run into a handful of commercial sites that refuse to recognize those addresses as syntactically valid. The problem is obviously in their validation algorithms, but there’s no hope of getting them to change.

      1 user thanked author for this post.
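The validation failure described in the post above, as an added example that is not part of the original thread: an over-strict pattern of the kind that rejects hyphenated domains, next to a check that follows the hostname label rules (letters, digits and hyphens, with no hyphen first or last). The `OVERSTRICT` pattern and the sample addresses are constructed; no specific site's validator is known.

```python
import re

# Over-strict pattern (constructed): domain labels may hold only letters and
# digits, so an address at "my-site.example" is wrongly refused.
OVERSTRICT = re.compile(r"[A-Za-z0-9._%+]+@[A-Za-z0-9]+(\.[A-Za-z0-9]+)+")

# Hostname label (RFC 1123): letters, digits, hyphens; 1-63 characters;
# a hyphen may not be the first or last character. Underscore is not allowed.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# Unquoted (dot-atom) local part from RFC 5322; quoted local parts are not handled.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LOCAL = re.compile(ATEXT + r"(?:\." + ATEXT + r")*")


def valid_domain(domain):
    """True if every dot-separated label obeys the hostname rules."""
    if not domain or len(domain) > 253:
        return False
    labels = domain.split(".")
    # fullmatch (not match with $) so a trailing newline cannot slip through.
    return len(labels) >= 2 and all(LABEL.fullmatch(label) for label in labels)


def valid_address(addr):
    """Syntax check only; says nothing about whether the mailbox exists."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or len(local) > 64:
        return False
    return bool(LOCAL.fullmatch(local)) and valid_domain(domain)


if __name__ == "__main__":
    for sample in ("me@my-site.example", "me@-bad.example", "me@my_site.example"):
        print(sample, bool(OVERSTRICT.fullmatch(sample)), valid_address(sample))
```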
    • #2565808

      Thanks Susan.

      A small comment about Aliases and a secure email provider.

      I signed up with a paid version of Proton mail, which purports to be extremely secure and allows one to send encrypted messages user to user, without any intervening ISP being able to read them.

      They also provide 5 aliases that one can use for the same email account, both to send from and reply to.  I thought what a great idea! Brilliant! I’ll use one alias for friends, one for business, one for non-computer-literate friends who are likely to be hacked/compromised (based on past experience), one for retailers that I buy from online, etc.

      In practice though, it proves impossible to manage that many. Even though it is easy to select the relevant address to use, one soon forgets which address one has used previously for which person, and ends up in a complete muddle, confusing people by using different addresses.  I now only use two email addresses/aliases.


      Now all we need to do is find a modern equivalent of Eudora, which is still the best email program I ever used.


    • #2566198

      “Some people consider email addresses temporary, changing them often as they switch ISPs or other services. But others, perhaps a vast majority, consider them a matter of identity.”

      Ha!  Then I am a person with many multiple identities.  I have a couple of email addresses hung off of a personal domain, 10 or so GMail addresses and 250 or so spamex.com “temporary” email addresses.

      Google/Microsoft loves people who use only one email address.  That makes it much easier to track what they are doing across the web and profile them for advertising.

    • #2566332

      Hear Hear!


    • #2566341

      2 items related to email:

      1. I go to fairs and loads of vendors have domains / websites…. but then they use @gmail.com or their ISP’s domain for email.  I used to point out that they could & should use their website’s domain for email.  Not trying to drum up business for myself.  Just a pet peeve.  I always say for them to check with the people that set up their website.  I know Exchange plan 1 costs a few bucks per month, but I think it makes you look more professional when you use your own domain for email.  And then you can leave your ISP if they raise prices.  And customers know your website if they have your email address.
      2. Knowing how to get in touch with someone on the web.  Collaboration is the hot topic for years, right? Years ago, you had someone’s street address. You could use your choice of brand car / bike or walk to get there.

        Then with phones.  You have my phone number and could use any phone to get to me.

        With the web, you have my email address and you could use any mail client you want to get to that email address.

        But now, it seems we’re going backwards? This is my twitter name? What’s your discord name? Facebook messenger address?  I don’t use slack, he uses X or Y, it’s so fragmented.  You could send me a message through 1 of dozens of different apps / sites and I won’t see it because I don’t use this or that app anymore.  Or you don’t know my account on this or that app / site.  So less collaboration.  And at least some of these apps / services will email me to tell me I have a message on their service. Huh?  Why not stick with email / a least common denominator.

      Am I wrong? Am I missing something?  Sure, sites / forums for specific things, but they typically email that someone replied on the forum.  Or you can send a private message in the forum / another place to have to check if you got any messages.  Moving away from standards seems like the wrong way.

      Seems we’re going to more time wasted checking this or that app to see if I got a message or to figure out what app should I use to reach that person.

      3 users thanked author for this post.