Thelemail
Get started
Home / Security
Security · Threat model

What we protect — and what we can't.

Most email sites don't have a page like this. Ours does, because the honest version is the selling point. Here is exactly what is encrypted, what isn't, and what a server compromise would and wouldn't expose. No superlatives. No hand-waving.

How mail is encryptedServer compromiseAlways visibleNot yet built
The encryption model

Three different guarantees. Stated separately, on purpose.

"End-to-end encrypted" means different things depending on where mail goes. Collapsing them into one claim is how other providers overstate. We keep them distinct.

Between accounts Live

End-to-end encrypted

Mail from one Thelemail account to another is encrypted on your device and decrypted on theirs. The server only ever relays ciphertext it has no key for.
you relay them
Your stored mailbox Live

Zero-access at rest

Everything in your mailbox is encrypted with a key derived from your password. We store the ciphertext. We don't hold the key that reads it.
mailbox key derived
To the outside world Live

Encrypted when possible

If your recipient publishes a key (WKD / OpenPGP), we encrypt end-to-end automatically. If they don't, mail leaves over standard SMTP — encrypted in transit where supported, but readable on arrival.
has key no key

Your keys live in a signed directory. When you encrypt to another account, you fetch its public key from a directory we sign — so a casual swap can't go unnoticed. A fully verifiable transparency log, where you wouldn't have to trust us at all, is not yet built. It's marked below.

The hard question

If a Thelemail server were compromised.

The test of a security model isn't the happy path — it's what an attacker gets when things go wrong. Here's the honest accounting.

What an attacker reaches
Exposure
Your stored mailbox contents
Protected Ciphertext only. The decryption key is derived from your password, which we never store.
Mail between Thelemail accounts
Protected End-to-end encrypted. The server never held a key that could read it.
Your account password
Protected We store a verifier, not the password. A breach doesn't hand over your login.
Who you email, and when
Exposed Envelope metadata is visible — it's how mail is routed. We don't claim metadata privacy we don't have.
Mail you sent in plaintext to outside servers
Exposed Once it leaves for a server without a published key, it's out of our hands — and out of yours.
Subject lines of external mail
Exposed Standard SMTP doesn't encrypt subjects. Internal, end-to-end mail does.

What stays safe

Even with full access to our servers, the things that matter most to you remain unreadable.

  • The contents of your stored mailbox
  • Mail exchanged between Thelemail accounts
  • Your password and the keys derived from it

What's visible no matter what

Some things are inherent to how email works. We'd rather tell you than let you assume otherwise.

  • Envelope metadata — sender, recipient, timestamps
  • Plaintext mail after it leaves for an outside server
  • Subjects of external mail without a published key

One consequence worth stating plainly. Because your stored mail is encrypted with a key derived from your password, losing your password and your recovery method means even we cannot restore your mailbox. That is the zero-access guarantee working as intended.

Honest about the gaps

What we haven't built yet.

A page that only listed strengths would be marketing. These are real limitations, named plainly, marked coming until they're real.

Coming

Public client source

Our apps aren't open source yet. We're cleaning up the code before we publish it, because “open” should mean readable, not announced. The server will remain closed and there is no self-hosted option — the published client is how you check what we encrypt, not how you run your own.

Coming

Independent third-party audit

We have not commissioned an external security audit, and we won't imply one until the report exists and we can link to it. When our client code is public, independent researchers will be able to review it directly — and we'll point to their findings, good or bad.

Coming

Key transparency log

We sign the key directory today. A tamper-evident, publicly verifiable log — so you wouldn't have to trust us not to swap a key — is designed but not deployed.

Coming

Metadata minimization

Envelope metadata is visible by design. Techniques to reduce what we can see are research-stage here, not shipped.

Coming

Formal compliance certifications

We run in the EU and say so. We don't hold SOC 2 / ISO certifications yet, so we don't claim them.

The rule we hold ourselves to: every claim on this site maps to a mechanism that exists. If it's aspirational, it's phrased as intent and marked coming — never stated as accomplished fact.

Trust

Verifiable, not just claimed.

Every promise on this site maps to a mechanism that exists. The threat model spells out exactly what's encrypted, what isn't, and what a server compromise would and wouldn't expose — in plain words.

Read the threat model