Everything We Built

Zero gave us a modern, keyboard-first webmail client. We kept the best parts and built a full platform around it.

• Modern React webmail (React Router + Vite + Tailwind + Shadcn UI)
• Keyboard-first navigation
• Thread view and compose
• Search interface
• Dark theme

Stalwart Mail Server handles all mail processing in a single, efficient Rust binary.

• Single Rust binary (~50MB RAM idle)
• JMAP as primary protocol (modern, efficient, bidirectional)
• IMAP/SMTP for any standard email client
• Built-in spam filtering with Rspamd
• Virtual users stored in PostgreSQL
• RocksDB mail store

Full DNS verification workflow with automated contract publishing and outbound readiness tracking.

• MX, SPF, DKIM, and DMARC records
• Automated DNS contract publishing per domain
• Domain verification state machine (pending → active)
• Outbound readiness tracking (pending_dns → verified_dns → send_enabled)
• First-party DKIM signing with shared selector
• Direct-to-MX outbound delivery (no relay dependency)

A REST API with scoped keys, sandbox mode, and a CLI tool for terminal-native workflows.

• Full REST endpoints for mailboxes and domains
• API keys with granular scope enforcement (resource:action format)
• Key format: lm_sk_live_* (production) / lm_sk_test_* (sandbox)
• Sandbox mode: test keys block actual email delivery
• CLI tool (@laim/cli) for terminal workflows
• Tenant isolation: API keys enforce org-level data boundaries

Calendar and contacts sync that works with every client you already use.

• Radicale server backend
• Sync calendars with any CalDAV client
• Sync contacts with any CardDAV client
• Works with Apple Calendar/Contacts on iOS and macOS
• Thunderbird and DAVx5 support
• Basic auth over TLS

Privacy by architecture, not just by policy. Your data stays in Germany.

• All infrastructure hosted in Germany (Contabo)
• GDPR-compliant by design — not just by policy
• No US cloud provider dependencies for data storage
• Encryption at rest with AES-256
• Passwords hashed with Argon2id
• 30-day grace period before hard account deletion

Modern JMAP for the webmail, legacy IMAP for everything else. Both available on every account.

• JMAP: stateless JSON-based protocol with efficient sync and push notifications
• IMAP: legacy compatibility — works with every email client ever made
• Both available simultaneously on every account
• SMTP for outbound from external clients
• All protocols secured with TLS

Defense in depth from the cluster level down to per-protocol rate limits.

• Kubernetes with namespace isolation and network policies
• Bitnami Sealed Secrets — no plaintext secrets in git
• Automated backups with Velero to EU object storage
• Rspamd spam filtering on all inbound mail
• Rate limiting on SMTP (60/min), IMAP (120/min), and JMAP (300/min)