Security in mechanical terms.
Privacy here is not a marketing posture. It is the shape of the system. Below is exactly what runs, what we can see, what we can't, and how to verify.
- OpenPGP keys are generated locally in your browser. The private key never reaches our servers.
- Message bodies are encrypted before they leave your device and stay encrypted at rest.
- We don't log message contents, IP origins of reads, or alias-to-identity links.
- Every alias has its own kill switch. Spam dies at the alias, not at the inbox.
- Code is auditable. Cryptographic operations live in a public repo.
End-to-end encryption
Every message body is encrypted with OpenPGP before it leaves your device. Your private key never touches our servers — it is generated in the browser, encrypted with your password, and stored locally. We hold the ciphertext. We do not hold the key.
$ compose mail
  to:      [email protected]
  encrypt: using alice's public key (cached locally)
  sign:    with your private key (unlocked by your password)
  send:    ciphertext only
  server:  cannot read body, can route headers
Headers — To, From, Subject on incoming SMTP — are necessarily visible to route mail. We minimise what we keep and never expose them in logs. For internal mail (lowkeymail ↔ lowkeymail), even subjects can be sealed.
Browser-side, no plugins
All cryptography runs in openpgpjs inside the page. No browser extension required, no third-party services in the loop. Our build pins the library version and is signed for subresource integrity.
Zero-knowledge architecture
Zero-knowledge means a particular thing here: the data we'd need to read your mail (your private key) does not exist on our infrastructure. Anyone with full database access — including us — sees ciphertext. There is no master key, no key escrow, no recovery backdoor.
The trade-off is real: if you forget your password and you don't have a recovery code printed out, your mail is unrecoverable. We tell you this upfront and offer paper-recovery on signup.
No-logs policy
We log enough to run the service and nothing else. Specifically:
- Not stored: message bodies, decrypted message bodies, your private key, the contents of attachments, IP addresses on read.
- Stored, ephemerally: IP addresses on signup (24h, used for abuse), failed-login counters (24h, then reset).
- Stored, persistently: account email, hashed password, encrypted private key blob, alias mappings, billing metadata.
Backups are encrypted with a key that lives on hardware tokens held by two engineers in separate locations. No single person can decrypt backups.
Aliases as a firewall
Reusing one email address everywhere is the single biggest factor in how often you show up in breach corpuses. Per-service aliases make each address a separate target. If a service is breached, only that one address leaks; the rest of your inbox stays anonymous behind the pool.
Aliases are first-class: you can send as any alias, reply as the alias that received a message, and turn off a specific alias without touching the rest. Disabled aliases reject mail at the SMTP layer — senders get a clean bounce, no silent drop.
Spam & abuse
Spam filtering on encrypted mail is hard — we can't read the body. We do the next best thing: filter on headers, sender reputation, and per-alias rate limits. Suspected-spam mail is held for 30 days in an encrypted quarantine that you can read; we still can't.
- Per-alias rate limits — N inbound messages per hour, configurable per alias.
- One-tap kill switches — disable an alias and every future message bounces.
- No remote-image loading by default — invisible tracking pixels never run.
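How the per-alias kill switch and hourly rate limit described above could be decided at the SMTP layer, as an added example that is not the service's own code. The class name AliasGate, the reply codes and status text, and the example.test aliases are assumptions made for illustration.

```javascript
// Added example, not the service's code. Names and reply codes are assumptions.
const HOUR_MS = 60 * 60 * 1000;

class AliasGate {
  constructor() {
    this.aliases = new Map(); // address -> { enabled, limitPerHour, hits }
  }

  addAlias(address, limitPerHour) {
    this.aliases.set(address.toLowerCase(), { enabled: true, limitPerHour, hits: [] });
  }

  // Kill switch: flips one alias and leaves every other alias untouched.
  disable(address) {
    const alias = this.aliases.get(address.toLowerCase());
    if (alias) alias.enabled = false;
    return Boolean(alias);
  }

  // Decide the SMTP reply for one inbound RCPT TO at time nowMs.
  check(address, nowMs) {
    const alias = this.aliases.get(address.toLowerCase());
    // Permanent failure: the sending MTA generates a bounce, nothing is dropped silently.
    if (!alias || !alias.enabled) return { code: 550, text: '5.1.1 mailbox unavailable' };
    // Sliding window: forget deliveries that are an hour old or more.
    while (alias.hits.length && alias.hits[0] <= nowMs - HOUR_MS) alias.hits.shift();
    // Temporary failure: a legitimate sender retries later, a burst is throttled.
    if (alias.hits.length >= alias.limitPerHour) {
      return { code: 451, text: '4.7.1 alias rate limit exceeded' };
    }
    alias.hits.push(nowMs);
    return { code: 250, text: '2.1.5 recipient ok' };
  }
}

// Constructed scenario: two aliases, limit of 2 per hour each.
function demo() {
  const gate = new AliasGate();
  gate.addAlias('shop-7f3a@example.test', 2);
  gate.addAlias('news-c21e@example.test', 2);
  const shop = (t) => gate.check('shop-7f3a@example.test', t).code;
  const codes = [shop(0), shop(1000), shop(2000), shop(HOUR_MS + 500)];
  gate.disable('shop-7f3a@example.test');
  codes.push(shop(HOUR_MS + 600), gate.check('news-c21e@example.test', HOUR_MS + 600).code);
  return codes;
}

console.log(demo().join(' '));
```

The throttled message gets a 4xx reply so a legitimate sender retries once the window has moved on, while a disabled alias gets a 5xx reply so the sender sees a bounce.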
Audits & bug bounty
Our cryptographic stack will be audited by an independent firm. The report is scheduled for Q3 2026 and will be published in full on this page.
Reporting a vulnerability
We pay for security work that helps our users. Send vulnerabilities to [email protected] (PGP key on the open-source page). We acknowledge in < 48 hours, ship a patch as fast as we can, and publish a CVE if appropriate. Coordinated disclosure: 90 days, with extensions when warranted.