— Security
Security as architecture, not a feature.
The hard guarantees live in the design, not in a settings toggle. Here's exactly how your mail is protected — and what we deliberately never do.
Authentication you can't fake
Sign-in is validated by an actual IMAP login against the mail server — the server is the source of truth, not a token we issue. If the mailbox wouldn't accept the password, neither do we.
Encrypted at rest
Your IMAP password is sealed server-side with AES-256-GCM and only decrypted for the moment a mail operation runs. Rotating the master key invalidates every stored session at once.
Short-lived, revocable tokens
Access tokens live 15 minutes; refresh tokens are single-use and rotate on every use. Logging out blacklists the token and deletes the session — a stolen token dies fast.
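An added sketch of the token lifecycle described above, not this service's own code. The in-memory `SessionStore`, its method names and the choice to keep only SHA-256 digests of tokens are assumptions made for illustration.

```python
import hashlib
import secrets
import time

ACCESS_TTL = 15 * 60  # access-token lifetime stated on the page: 15 minutes

class SessionStore:
    """Hypothetical in-memory stand-in for a server-side session table."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.access = {}        # sha256(access token) -> (session id, expiry)
        self.refresh = {}       # sha256(refresh token) -> session id
        self.sessions = set()   # live session ids
        self.blacklist = set()  # digests of access tokens killed at logout

    @staticmethod
    def _h(token):
        # Keep digests only, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, sid):
        a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[self._h(a)] = (sid, self.clock() + ACCESS_TTL)
        self.refresh[self._h(r)] = sid
        return a, r

    def login(self):
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        return self._issue(sid)

    def check_access(self, token):
        h = self._h(token)
        if h in self.blacklist or h not in self.access:
            return False
        sid, expiry = self.access[h]
        return sid in self.sessions and self.clock() < expiry

    def rotate(self, refresh_token):
        # pop() enforces single use: a replayed refresh token finds nothing.
        sid = self.refresh.pop(self._h(refresh_token), None)
        if sid is None or sid not in self.sessions:
            return None
        return self._issue(sid)

    def logout(self, access_token):
        h = self._h(access_token)
        self.blacklist.add(h)
        sid, _ = self.access.get(h, (None, 0))
        self.sessions.discard(sid)  # deleting the session also kills its refresh token
```
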
Two-factor, your way
Add TOTP via any authenticator app with single-use recovery codes. Sensitive admin actions require a fresh second factor — neither token nor code alone is enough.
Self-custody payments
You pay crypto directly to a standing address. We never take custody of funds, store card numbers, or hand your billing to a third-party processor.
Hardened, locked-down backbone
Mail runs on a self-hosted Mailcow stack (Postfix, Dovecot, rspamd) whose internal API is reachable only from localhost — never the public internet.
— By omission
What we never do.
Privacy is as much about absence as protection.
Want the deep technical detail? Our security posture is documented and open to questions.