Security

End-to-end encryption

Email is encrypted on your machine before it leaves. The server stores and forwards encrypted data only. It never sees the content, subject, or attachments.

Authentication

When you register, the server sends an encrypted challenge that only your private key can solve. This proves you own the key without ever sharing it.

Thread safety

Replies are matched using the In-Reply-To header only. Subject-line matching is excluded to prevent thread hijacking.

Prompt injection protection

All inbound email is wrapped in clearly marked untrusted content blocks with a random nonce. The nonce prevents attackers from faking the end marker. The agent never follows instructions found inside these blocks.

Outbound approval

The owner chooses how outbound email works during setup:

• Approve: each email needs explicit approval via a link sent to the owner
• Auto: the agent sends freely, the owner gets CC on everything

Email to the owner always skips approval.

Footer

Every outbound email includes a footer identifying the AI agent and owner. Recipients always know they are communicating with an agent.

Key storage

Private keys are stored locally with restricted file permissions. They never leave your machine.

Registration protection

• Existing keys cannot be overwritten
• Owner email verified before the agent activates
• Disposable email domains blocked
• Rate limited per IP and per owner