v2.1.0Manage Blocked IPs, Dashboard Chart Fixes, Calendar Integration & more

How We Handle Emails

A deeply engineered architecture designed for extreme performance, rigorous security, and uncompromising privacy. Every message is processed through a robust, multi-stage pipeline.

Architecture Overview

Shared Client UINext.js / Browser
Go Microservices
Node REST API
WebSockets
Go Backend
CalendarICS / Sync
WorkspaceTeams
IMAPSync Layer
Express APICore Web App
Socket.IO NodeReal-time Events
Queue Jobs
Pub/Sub Events
Data StorePostgreSQL
BullMQ WorkersRedis Queues
Custom MTAPorts 25 & 587

Shared Frontend UI

Our Next.js frontend intelligently routes actions to totally distinct backends depending on the domain. Core mail reading and sending happen via the Express API, while real-time incoming mail alerts are continuously streamed through the parallel Socket.IO connection. Modern features like Workspace collaboration, Calendar syncing, and IMAP bridges hit our ultra-fast Go Microservices.

The Worker & MTA Layer

When you send an email, Express drops a job into the BullMQ/Redis Queues. The background workers pick it up, format the email, apply tracking/PGP, and hand it to our Custom MTA for outbound routing across ports 25 and 587. When the MTA receives a delivery receipt, it drops a message via Redis Pub/Sub back up to Socket.IO, which alerts your browser UI.

Scalable Edge Nodes

Dedicated Stage 0 SMTP listeners for fast acceptance (<200ms) with mid-stream back-pressure. Our resilient outbound nodes use a custom Go-built MTA ensuring advanced TCP pooling, retries, and comprehensive DSN generation.

High-Speed Queues

Messages seamlessly enter a Redis-backed multi-stage worker pipeline, handling intense workloads through distributed streams without blocking vital SMTP connections.

Secure At-Rest Storage

High-speed PostgreSQL stores account metadata, attachments sit in S3-compatible endpoints, while the mail payloads themselves are safeguarded by dual-layer AES and PGP encryption.

The Inbound Pipeline

Incoming emails pass through four stringent, specialized stages to guarantee fast routing, accurate spam detection, and protocol compliance.

  • 0Edge Acceptance Layer

    • Instant Blacklist Check: Redis & DNS Spamhaus RBL lookups drop attacks immediately.
    • Bounce Envelope Detection: Instant VERP recognition limits processing overhead.
    • Early Rejection: System accounts (noreply/postmaster) are protected before bodies are parsed.
    • Quota Guard & Size Limits: Checks usage capacities instantly and enforces explicit max message sizes mid-stream.

  • 1Anti-Spam & Authentication

    • Duplicate Prevention: Advanced SHA-256 fingerprinting drops spam bursts entirely.
    • Parallel Verification: PTR, MX, SPF, DKIM, and DMARC evaluated synchronously.
    • TOML-Driven Scoring engine: Uses DNSBL APIs, OpenPhish, and rule-based DSL logic.
    • Sieve Filter Engine: Enforces JSON-based rule sets dynamically sorting into folders.
    • ARC Sealing: Applies comprehensive ARC cryptographic signatures maintaining chain of custody.

  • 2Delivery & Real-Time Sync

    • Privacy Stripping: Intercepts and blocks tracking pixels and URL parameters.
    • Smart Threading: Deep header analysis groups conversations intelligently.
    • Automatic Responders: Distinct queues handle looping, auto-replies, and vacation behaviors.
    • Real-time Dispatches: Socket.IO & Redis Pub/Sub fire inbound notifications instantly.

  • 3Bounce DSN Management

    • RFC 3464 Compliance: Standardized multi-part human/machine delivery status generation.
    • Parameter Support: Respects extensive DSN preferences like RET=FULL/HDRS and NOTIFY logic.
    • Smart Classification: Seamlessly differentiates between 4xx and 5xx errors translating to user-friendly messages.

The Outbound Pipeline

Submission & Rate Limiting

Secure Port 587 handoffs utilizing PLAIN, LOGIN, and XOAUTH2. Tiered per-user rate limits (minute/hour/day) and robust quota verification.

API Submission & Multi-Provider Bridge

Full REST API dispatch capability with smart failover strategies wrapping numerous providers (Sendgrid, Resend, etc.) or our custom MTA.

DKIM & Cryptography

Dynamically signs payloads at the application level ensuring zero-trust. Sent duplicates are similarly backed by PGP at-rest encryption within your secure sent folder.

Automated DNS Management

Automatically scaffolds optimal SPF, DKIM, DMARC, MX, MTA-STS, and Autodiscover records enabling fully compliant domain onboarding.

Privacy & Anti-Spam Protection

Tracking Protection

Proactively strips 1x1 pixels and intrusive parameters like utm_* or fbclid. We operate a highly scalable Image Proxy Server that scrubs referrers and ensures zero data leaks when opening messages.

Multi-vector Spam Defense

Leverages multi-layer heuristic evaluations spanning continuous OpenPhish indexing, disposable-domain trapping, IPv6 zone resolution, and explicit attachment classification algorithms.

At-Rest PGP

Messages are isolated and sealed cryptographically before permanent disk allocation.

  • Dual-layer: OpenPGP encrypt + Database AES wrapping.
  • Argon2id key derivation securely caches private components.
  • SRS implementations strictly isolate redirected chains.

Event & Webhooks

Integrate smoothly into backend infrastructure through exhaustive system dispatches.

  • Publishes rich payloads covering Delivery, Bounce, Rejection, and Failures.
  • Secured strictly via HMAC-SHA256 authenticated signatures.
  • Real-time connection bridging streams direct into frontend sockets.

Routine Telemetry

Persistent, resilient background workers ensure zero maintenance degradation.

  • Automatically purges orphaned multi-part objects and abandoned caches.
  • ICS calendar consumer seamlessly parses incoming RSVP requests.
  • MTA-STS adherence validates strict transport layer securities.