I’ve been using postgrey and greylisting in my personal mail setup for over 2 years and at my business for over 5. Sadly I’ve decided to disable it for my personal emails. My main problem? Greylisting works.

Greylisting works

It’s an amazing idea. For every new tuple of (from address, from IP, to address) tell that mail service to try again later. Only, if we have not seen it before. This delay by tuple method works under the assumption we are still in the 90’s. Where every mail provider is sending out of a constant single SMTP gateway. I am. If your host your own email you probably would be too. But huge email services are not. An example of this is Office365. If you use Office365 for your emails you will be using at a minimum 20 different outbound SMTP endpoints. So when your sending emails to a person using greylisting in its default form, don’t expect your emails to be delivered anytime soon. You can expect Office365 to deliver them between 1 to 48 hours!

Disclaimer: For my clients I still have greylisting enabled. Whitelisted via regex Office365 and Gmail SMTP outbound services. I could do this for myself but this becomes a very slippery slope.

Is it me? No it must be the users that are wrong.

Email is a solved problem. Why am I having issues with it! Fastmail solved this problem in 2006. 11 years later people are having the same issues. Following their example of allowing anyone that isn’t a major email provider to be subject to being part of the blacklist seems like a good idea. Until your regex misses something.

If you were to compare the Internet to a country. Email is basically the Government Institution of the internet. Reluctant to change. Slow to adopt. Just look at how long adoption of SPF/DKIM/DMARC has taken. Maybe ask your self why we need these as well?

I’ll talk to you later. Okay how does whenever the hell I get around to it sound?

When you run your own email service. Greylisting, works… like a drunk person at a bar. Knocks back everyone at the start of the night thinking they can do better. 2am rolls around then realises they’re going home alone and says, ‘screw it’ and allows the same people to talk to them again. I guess a better analogy would be a small child and they only talk with people they know. But I’m sticking with the bar analogy.

Greylisting, works… like a drunk person at a bar

In one month I had approximately 800 emails pass through my server, and the only reason I receive close to that amount is because I’m on a few mailing lists. With 100 emails being subject to delays ranging from 5 minutes to 60 minutes. Sure its not a deal breaker if they are marketing emails. Or an email from your Uncle that you don’t continuously talk to. When you reply back, the email gets delayed another 5-20 minutes. Then your Uncle sends you another video and then calls you about it because you never responded. All I do is here my internal monologue of: “Email gets there eventually, it’s not an instant service”.

Workflows are precious

The biggest issue for me and is the grand defining factor of why people complain: Interruption to workflows. Ideally I’d love to work on one thing at a time (wouldn’t we all?), and the mind having to context switch takes a tole on all of us. Messaging one person back and forth becomes a staggered miss-match of what did you say, and even has the possibility of mail being received in the wrong order. You could end up having a conversation which spans days instead of hours. It’s not your fault, and its not theirs. In this use-case; its greylisting.

Take password reset emails. You want them to appear now, not in a minimum of 5 minutes. These are important, and infrequent. Ripe for the delaying. That frustration of a 5-20 minute interruption can be a serious deal breaker. Hell, in our fast paced society, if a web page doesn’t load in under 5 seconds we’ll definitely think about closing it. Source

Closing words

Usability is a key metric which greylisting does not pass. Unfortunately this is the only metric which matters in a society where the internet is marketed as a near instant product. Sold and bought as a way to make our lives easier and better by “how fast it is”.

I love the concept of greylisting, but I love instantaneous email better. Feel free to drop me a comment on why I am (right wrong).

tl;dr. Greylisting fights low-quality spam on the assumption spammers don’t use conforming MTAs, and fails real world usage when users use large numbers of outbound gateways.