A private mailbox. Encrypted, and delivered.
No magic, and nothing you have to take on faith. Here's the mechanism — how signing up gives you a working, encrypted @thelemail.com mailbox, who can read what along the way, and how to put it on your own domain if you want to.
Sign up. Start sending encrypted mail.
Your @thelemail.com mailbox works the moment you sign up — no domain, no DNS. Prefer your own domain? Add the records we generate and we'll verify and watch them. That's an optional upgrade, not step one.
Sign up
Create your account. Nothing to host, nothing to configure.
Get your @thelemail.com mailbox
A real, private mailbox: encrypted at rest, reliably delivered.
Send and receive encrypted mail
End-to-end between accounts; encrypted to outsiders who publish a key.
Optional — connect your own domain
Paste the MX, SPF, DKIM, and DMARC records we generate. We verify and keep watching for drift.
What's actually happening, in plain words.
The things that matter most — your encryption, your delivery, and, if you want it, your own domain — without the marketing gloss.
Encryption that means what it says
Between Thelemail accounts, mail is end-to-end encrypted: encrypted on the sender's device, decrypted on the recipient's, with only ciphertext in between. Stored mail is encrypted at rest with a key derived from your password. To outsiders, we encrypt when they publish a key — and tell you plainly when we can't.
The deliverability you came for
Running your own server means fighting blocklists and IP reputation forever. We do that part: aligned SPF, DKIM, and DMARC, warmed sending infrastructure, and monitored reputation — so your mail lands instead of vanishing into spam.
Optionally, your own domain
Your mailbox works on @thelemail.com out of the box. When you're ready, connect a domain you own and put your whole family or team on it — verify DNS once and every address is yours to keep. If you ever leave, the domain goes with you.
Want the full accounting? Exactly what's encrypted, what isn't, and what a server compromise would expose lives on the threat model page.
A few honest details.
The questions that matter most for a zero-access product, answered before you have to ask.
What happens if I forget my password?
Your mailbox is encrypted with a key derived from your password, and we never hold that key. That's the point — but it means a forgotten password without a saved recovery method means we cannot decrypt your stored mail for you. We'll walk you through setting up recovery when you sign up, and we'll be blunt about the trade-off: real zero-access has a real cost, and this is it.
Can I bring my existing email with me?
Not yet — an import tool is on the roadmap, and we won't pretend it exists before it does. The door out already works, though: you can export everything in standard formats whenever you leave.
How do I read my mail?
Through the Thelemail web app, and our desktop and mobile apps. Standard IMAP/SMTP access for clients like Apple Mail or Thunderbird isn't supported yet — stock IMAP and zero-access encryption don't mix trivially, and we'd rather say “not yet” than quietly weaken the model.
Verifiable, not just claimed.
Every promise on this site maps to a mechanism that exists. The threat model spells out exactly what's encrypted, what isn't, and what a server compromise would and wouldn't expose — in plain words.