
PGP Key Directory, Zero Access Storage, & Next-Gen JMAP Protocol
The secure mail server from the future
Email was built without the expectation of privacy that the modern HTTPS-only Internet requires. Stalwart retrofits SMTP/IMAP with secure-by-default options, providing infrastructure for email at your domain with end-to-end encryption.
The self-hosted ProtonMail alternative
Encrypted email designed for operational adoption
Stalwart Mail eliminates the complexity of PGP. Users manage their own public keys via a self-service portal, while the system automatically publishes those keys to a Web Key Directory (WKD) for seamless external discovery.
✱
Zero Access Storage
All incoming messages, as well as drafts and sent messages, are automatically encrypted at rest using your public key.
In the event that your IMAP password or even the mail server’s storage volume is compromised, your historical email remains cryptographically secure and unreadable to the attacker.
✱
Automated Key Exchange
External email clients including Thunderbird, eM Client, & Proton will auto-discover the PGP public key of Stalwart users from WKD. This eliminates the need to manually attach public keys.
Anyone with their own PGP keypair set up can send you end-to-end encrypted email by simply clicking “Encrypt” and sending.
✱
IMAP / JMAP Mail Sync
In addition to the tried-and-trusted IMAP (port 993) protocol over SSL/TLS, Stalwart supports the JMAP protocol – a modern, efficient synchronization standard that runs natively over HTTPS.
While JMAP represents the future of mail synchronization, our current deployment focuses on high-reliability IMAP access from PGP desktop & mobile mail clients.
✱
True End-to-End Encryption
Stalwart natively supports PGP, the only decentralized email encryption standard that doesn’t rely on external certificate authorities (CAs), as a first-class citizen. Attachments are also protected with PGP/MIME.
Unlike “Click to View” solutions like Microsoft Purview which are not truly E2EE, there is no key escrow or additional phishing exposure.
✱
Sender Authentication / Deliverability
Stalwart supports programmatically managing your DKIM/SPF/DMARC records and rotating your RSA and Ed25519 sender keys using the APIs of 10+ DNS providers & domain registrars.
By setting up smart hosts and a sender-dependent transport map, you can send E2E encrypted email using services such as AWS SES or Postmark as a “dumb pipe” for optimal deliverability.
✱
Hardware Backed Identity
OpenKeychain (for Android) secures PGP keys within the device’s hardware-backed keystore, gated by biometric authentication. For desktop and iOS, we recommend securing your key database with strong encryption (leveraging your OS keychain for credentials) or using physical smart cards (e.g., YubiKeys) for hardware-assured protection.


$2,800
add-on
Configuration & Hardening of Stalwart Mail
The only self-hosted PGP mail server with automated key discovery and incoming email encryption. Note that the E2EE Email Server should be purchased in conjunction with the Cloud-based or Dedicated Sovereign Appliance.
✓ End-to-end Encryption with PGP
✓ Zero Access Storage of Mail
✓ IMAP and JMAP Syncing
✓ Automated SPF/DKIM/DMARC Management
✓ Outgoing Mail with Smart Hosts
✓ Web Key Directory (WKD)
✓ Interoperates with ProtonMail and any other PGP mail client