I get you when it comes to https vs http and I also get you when it comes to tracking. But..... there are email service providers, like it or not, that muddy the waters badly. I agree that Cloudfare should be 100% responsible for everything with their domain name and services, but they seem to use gmail for the mx servers (not themselves), they /seem/ to use Google for captcha as well, which I hate and they won't change. They outsource sending other emails with the sub-domain to customer.io (without any SPF records to support that, they so have SPF on their "main" domain name though[1]) -- do I like that at all, absolutely not. People use mailchimp and all sorts of other "services" to send and track emails. I REALLY HATE THAT. I wish we could convince ALL major providers to NOT do tracking and also to do as much as possible in house and not rely on third parties for services such that it makes their service seem non-trustable by someone who cares about these things -- granted probably 99+% of people are not technical enough to even care, let alone understand what may or may not be going on behind the scenes. [1] Now, their SPF is likely, although it looks okay right now, going to cause real problems with all those DNS lookups due to the includes! However there are quite a few service providers than are allowed to send emails as @cloudflare.com -- this includes mcsv.net, Google, Mandrill, Zendesk, CustomerIO and stspg-customer (whomever that is) ... 🙁 What a dog's breakfast indeed.