Sealed sender. Zero metadata.
AfterMail encrypts every message end-to-end, hides the sender from the relay using sealed sender architecture, and delivers through a protocol that has never heard your name. Familiar interface. Zero trace.
The Problem
End-to-end encryption was supposed to be enough. It isn't. The message content is protected. Everything else (who sent it, when, from where, to whom, how often) is logged, analyzed, and in many jurisdictions, legally compelled.
The encryption got stronger. The gap didn't close.
AfterMail is not a privacy feature bolted onto an email client. It is a layered architecture: identifierless messaging with sealed sender, and a familiar interface, designed from the protocol layer up. Each layer independently defeats a class of surveillance. The relay never knows who is sending. The protocol never records who you are.
The sender wraps the message in an inner encrypted envelope before transmission. The relay receives only a recipient identifier, ciphertext, and nonce — it never sees who is sending. On receipt, the recipient's client authenticates the sender locally using shared keys. No auth header is transmitted. The relay cannot log or correlate sender identity even from HTTP metadata.
SimpleX has no user IDs, no phone numbers, no email addresses. Connections are established via one-time QR codes. Messages are delivered through single-direction queues with no persistent global identifier linking conversations to a person. The relay sees a recipient queue. Nothing else. Combined with sealed sender, the relay knows neither who sent nor who receives in any meaningful sense.
An email-familiar interface over the sealed sender and SimpleX stack. Compose, send, receive. Inbox, sent, archived. The cognitive model you already have — without the surveillance architecture beneath it. Built in Rust. At-rest encryption via passphrase-derived keys with biometric surface and remote wipe.
Access Tiers
Full access to the AfterMail architecture. The security model does not degrade by tier. Every user gets sealed sender and identifierless delivery.
Unlimited everything. For individuals and teams who need AfterMail as infrastructure, not a secondary channel.
Private deployment for defense, government, and organizations where the infrastructure itself must be owned. FedRAMP-aligned. No shared infrastructure.
Waitlist
AfterMail is in development. Join the waitlist to be notified at launch, receive early access, and help shape the product.
Your email is used once: to notify you. Then discarded.
Co-Founder
AfterMail is looking for a technical co-founder with a background in distributed systems, cryptography, or defense/FedRAMP. The stack is defined. The thesis is published. What's needed is someone who has solved hard infrastructure problems at scale and wants to build something that matters.
hello@aftermail.co →About
Vordan is a practitioner-focused governance and accountability publication. Since April 2026, it has tracked the accountability gap across cybersecurity, AI governance, post-quantum cryptography, and digital sovereignty, written for the people building and defending systems.
AfterMail is Vordan's first product. It emerged directly from the reporting: months of documenting how privacy providers comply, how metadata becomes the exposure surface, and how architectural gaps survive policy fixes. The doctrine is Accountable by Design: governance built in before deployment, not retrofitted after failure. Applied to communication infrastructure, that doctrine produces AfterMail.
Founded by Dominick Costa, a New York-based GRC practitioner and operations leader with 20 years running systems at scale.
Threat Model
An adversary observing traffic correlates senders and recipients by timing and packet volume. The relay sees recipient IPs when inboxes are fetched. Network-level correlation is not defeated.
Partial: sender hidden, recipient IP visible to relayA provider logs who communicated with whom, when, from which IP, how often. Disclosed under legal compulsion.
Mitigated: sealed sender + no identifiersUser accounts tie communications to a real-world identity. A single legal request retrieves an entire history.
Mitigated: no accounts existPhysical or remote access to a device allows recovery of messages, keys, and contact graphs.
Mitigated: passphrase keys + remote wipeA state-level adversary observing all internet traffic simultaneously attempts correlation attacks at scale. AfterMail uses HTTPS. Network-level timing attacks are not defeated at the transport layer.
Not mitigated at network levelIf the device running AfterMail is fully compromised at OS level, no communication layer can protect message content.
Out of scope: by design| Exposure surface | Gmail / Outlook | Proton Mail | Signal | AfterMail |
|---|---|---|---|---|
| Message content | Exposed | Protected | Protected | Protected |
| Sender / recipient identifiers | Exposed | Exposed | Phone number | None exist |
| Communication graph | Exposed | Exposed | Phone numbers | Not constructible |
| Timestamps and frequency | Exposed | Exposed | Registration date | Sender hidden; fetch timing visible |
| IP address / location | Exposed | VPN mitigates | Sealed sender | Sender IP hidden; recipient IP visible to relay |
| Network traffic analysis | Vulnerable | Vulnerable | Vulnerable | Sender hidden; network layer not anonymized |
| Legal compulsion disclosure | Full metadata | Account + IP metadata | Registration + last seen | Queue ID only |
Contact
For co-founder inquiries, early access, Sovereign tier discussions, or press. Reach out directly.
Private infrastructure deployment. Air-gap capable. DoD and FedRAMP-aligned architecture. Admin controls limited to Active/Inactive. No message access at any level.
Sovereign tier discussions are handled directly and confidentially.