Ask HN: How can sending emails cost Let's Encrypt five figures?

5 points by rrr_oh_man 8 hours ago

https://letsencrypt.org/2025/01/22/ending-expiration-emails/

Quote:

> Providing expiration notifications costs Let’s Encrypt tens of thousands of dollars per year, money that we believe can be better spent on other aspects of our infrastructure.

I'm trying to come up with a scenario in my head where sending, let's say, 2M emails per month at scale with an essentially fully automated service infrastructure can cost more than a grand per month. I'm failing to do so.

My calc: SES pricing is around $0.1 per 1,000 emails. LE has around 550M active certificates. Let's say 5% receive an expiration notice (I never got one?), that's just over 2M emails per month on average.

How can that be? Am I missing something?

gnabgib 8 hours ago

Let's Encrypt generates ~7M certs/day[0], a cert is only good for 90 days (~a quarter) so let's use 90 days as a window.

  7M/day * 90 = 620M/quarter

So that's ~2.5B certs issued per year (knowing that these are often reissues, but you get the notification each time you approach the expiry).

Assuming only one message (not what happens, you get more than one notice.. especially if you let it expire, you get at least two follow up messages) per cert:

  2.5B * $.1/1000 = $250K/yr

Some users don't provide email addresses, some don't provide valid ones (doesn't mean their infra doesn't have to try to contact, at least for the first expiry), some use a renewal script that renews before the email (9 days prior to expiry I think?), some don't care to renew (I'm sure LE is used in throw away cases where they don't care to renew, but the 3+ emails were still dutifully sent).

But for 1 email per issued cert it's > $20k/month to send these messages with SES pricing.

There's also the TLS validity halving (well.. 90 days -> 47 days) looming, which in some way helps with the revocation servers, but would also double their (former) email costs. And then there are future proposals that would halve or even quarter that lifetime again (once again multiplying their email costs). At some point LE would just be an Amazon SES support system (like DVD-Netflix was for postal services).

[0]: https://letsencrypt.org/stats/

  • rrr_oh_man 6 hours ago

    > some use a renewal script that renews before the email

    I'd like to challenge the "some" part. How many of those ~600M currently issued certs realistically don't get auto-renewed 30 days before expiration, except when it's one-off dev sites or legacy stuff? Last time I touched certbot that was the default I think (so I've never received a renewal email).

    edit: It sounds more like they've been getting fleeced by Mailchimp for tx email...

is_true 14 minutes ago

I guess the alternative could've been exchanging the service for an ad.

Letting the sender service include a little ad in the notification.

Magma7404 8 hours ago

I guess the volume is irrelevant. In other industries it would be the reliable automation and full security that cost a lot.