Security
Your email. Your business.
We built shipmail to be the email host we wanted to use ourselves. That means no data mining, no ad targeting, and security practices we can stand behind.
We don't read your email
Your messages are not scanned, analyzed, or used for advertising. There is no ad-supported tier and never will be.
We don't track you
No tracking cookies. No cross-site analytics. We use DataFast for website analytics, which collects zero personal data.
We don't sell your data
Your data is used to run your email. That's it. No third-party data brokers, no profiling, no behavioral targeting.
Your data stays yours
Export your email anytime. Delete your account and we delete your data. No lock-in.
We encrypt your email at rest
Stored email can be encrypted with your own key. Only you hold the private key. Not even we can read encrypted messages.
How it works
How we protect your email.
Encrypted connections
Every connection to shipmail is encrypted with TLS. IMAP, SMTP, and the web interface all require encrypted connections. Email between servers is encrypted in transit whenever the receiving server supports it.
TLS 1.2+, STARTTLS, implicit TLS on ports 993/465/443
Encrypted storage
You can upload your OpenPGP public key or S/MIME certificate and incoming email is automatically encrypted before it's stored. Your private key never touches our servers.
OpenPGP (AES-256) or S/MIME (AES-256-CBC), user-held private keys
Strict transport security
We enforce MTA-STS in strict mode, which tells other email servers they must use encryption when delivering mail to your mailbox. This prevents downgrade attacks where an attacker forces email to travel unencrypted.
MTA-STS enforce mode, DANE, TLS-RPT daily reporting
Email authentication
Every domain on shipmail gets DKIM signatures, SPF records, and DMARC policies configured automatically. This stops attackers from sending email that pretends to come from your domain.
DKIM (Ed25519 + RSA), SPF, DMARC, ARC
Spam and phishing protection
A built-in filter checks every incoming message against known spam sources, phishing patterns, and reputation databases. Suspicious messages are flagged before they reach your inbox.
Spamhaus DNSBL, Bayesian classifier, phishing heuristics, greylisting
Brute force protection
Failed login attempts are tracked per IP address. After repeated failures, the IP is automatically blocked. Port scanning and common exploit paths are also detected and blocked.
Automatic IP banning, rate limiting, path-based scan detection
Infrastructure
Built on solid ground.
Written in Rust
The mail server is built in Rust, a programming language designed for safety and performance. It prevents common security vulnerabilities by design rather than relying on manual checks.
Independently audited
The mail engine powering shipmail has completed two independent security audits by Radically Open Security. The auditors described the codebase as 'robust, well-architected, and cleanly compartmentalized.' Reports are public.
Open protocols
IMAP, SMTP, CalDAV, CardDAV. Standard protocols supported by every major email client. No proprietary apps required, no vendor lock-in. Switch away anytime with your data intact.
Minimal third parties
We use a small number of infrastructure providers: Stripe for payments, Neon for our database, Cloudflare for storage, and AWS SES for outbound relay. Each processes only what's needed to deliver their service.
FAQ
Common questions.
- Is shipmail end-to-end encrypted like Proton Mail?
- No. Proton Mail encrypts messages on your device before they leave. shipmail encrypts connections and offers optional encryption of stored email with your own key. Both are valid approaches for different needs. If end-to-end encryption is a hard requirement, Proton Mail is the right choice.
- What happens to my data if I delete my account?
- Your data is deleted. Audit logs are retained with personally identifiable fields removed. See our privacy policy for full details.
- Where is my data stored?
- Our servers are in the United States. All stored data is encrypted at rest on the infrastructure level.
- Do you comply with GDPR?
- Yes. We collect only what's needed to run the service, we don't sell data, and we honor data export and deletion requests. Our website analytics (DataFast) are GDPR-compliant without requiring a cookie banner.