owlmail
Anonymous email. No JS. No logs.
How can you trust us?
The honest limit
No email host can hand you a mathematical proof that staff never read your messages. We don’t process mail for ad targeting, profiling, or “AI” training, but the architecture is the same almost everywhere: messages typically arrive in plaintext, get filtered for spam, and are stored. A provider that “encrypts your mailbox on disk” often still had plaintext at delivery time, unless you used end-to-end encryption or brought your own key model, one whose keys we never see.
We’re also not beyond legal pressure or a serious break-in. A warrant canary and a light operational footprint don’t make a nation-state adversary go away, but they can make the service easier to run honestly and to explain to users. Our canary is on the canary page; the privacy policy lists what we try not to collect.
Metadata and content
Even when the body is boring, the envelope tells a story: who talked to whom, when, and how often. If that matters, Tor or a good VPN for access, PGP-encrypted subject lines (where you use them), and moving mail off our disks all reduce what sits here over time. Metadata on the server is a separate problem from “is the body encrypted at rest?”—and both are worth thinking about.
Protecting the message body
If the operator must not be able to read the text, use real end-to-end tools with the people you correspond with: OpenPGP (GnuPG, Mailvelope, your client’s PGP) or S/MIME with a mail client. Webmail in the browser can’t do better than the browser model allows, so a desktop client with PGP is often the stronger choice for sensitive content.
Keeping a lean mailbox helps too: download important mail, archive it where you control keys and backups, and delete it from the server when you can. For many people that habit matters as much as ciphers on the wire.
What we do on our side
Sign-up stays minimal: we don’t require a phone, a second email, or an ID. The public site is built to work with zero JavaScript (no trackers, no client-side “framework” on the marketing pages). Passwords are hashed with Argon2id. We publish a warrant canary, aim to avoid logging what doesn’t need logging, and the service is meant to be usable over Tor as well as clearnet when the operator publishes an onion address.
At a glance
- No account recovery via phone or “backup” mailbox you must disclose
- No KYC: identity checks are not part of getting an address
- Marketing pages and forms without required JavaScript
- Argon2id password storage; canary and policies you can read
- E2E (PGP/S/MIME) recommended when the server must not read the body
Connection
Use your own mail client, or the web client after sign-in. The hostname for all of these is platfromtestxcode.icu.
- IMAP (TLS): platfromtestxcode.icu:993
- SMTP submission: platfromtestxcode.icu:587
- SMTPS: platfromtestxcode.icu:465
- POP3 (TLS): platfromtestxcode.icu:995
Port 25 is for MX / inbound from the internet, not for typical user submission—your client should use 587 or 465. If SMTP is rate-limited or blocked for new accounts, use the unblock flow if we offer it on this instance.
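A client-side check for the endpoints listed above, added here as an example and not owlmail's own code: it connects to each port with certificate and hostname verification enforced and reports the negotiated TLS version. The TLS mode per port (implicit TLS on 993/465/995, STARTTLS on 587) is an assumption from common practice, and `ENDPOINTS`, `strict_context` and `probe` are names chosen for this example.

```python
import imaplib
import poplib
import smtplib
import ssl

HOST = "platfromtestxcode.icu"  # hostname as given in the Connection section

# Ports are from the page. The TLS mode per port is an assumption from common
# practice: implicit TLS on 993/465/995, STARTTLS on 587.
ENDPOINTS = {
    "imap": (993, "implicit"),
    "submission": (587, "starttls"),
    "smtps": (465, "implicit"),
    "pop3": (995, "implicit"),
}


def strict_context():
    """Client TLS context: verified chain, verified hostname, TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(service, host=HOST, timeout=10):
    """Return the negotiated TLS version for one service; never use plaintext."""
    port, mode = ENDPOINTS[service]
    ctx = strict_context()
    if service == "imap":
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
    elif service == "pop3":
        conn = poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
    elif mode == "implicit":
        conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:
        conn = smtplib.SMTP(host, port, timeout=timeout)
        conn.starttls(context=ctx)  # raises if STARTTLS is missing or the cert is bad
    try:
        return conn.sock.version()
    finally:
        conn.sock.close()


if __name__ == "__main__":
    for name, (port, _) in ENDPOINTS.items():
        try:
            print(name, port, probe(name))
        except Exception as exc:  # network, TLS and protocol errors all mean "do not use"
            print(name, port, "FAILED:", exc)
```

A `FAILED` line for a certificate or STARTTLS error means the client should not send credentials to that endpoint, rather than retry with verification turned off.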