Thundermail is a high-performance, "Sovereign" email client written in 100% native Rust. It is designed to be the memory-safe, privacy-first successor to legacy mail engines, eliminating the webview stack (Chromium/WebKit) in favor of a lean, immediate-mode GUI (egui), radical metadata protection (RFC 9788), and local-first AI intelligence.
In an era of pervasive email metadata harvesting and the vulnerabilities exposed by research like gpg.fail, Thundermail implements the most aggressive privacy standards from the user.js and 12bytes to ensure your communication remains truly yours.
We recommend forwardemail as the server.
Thundermail is built on a "Defense in Depth" philosophy, specifically addressing the flaws in the "Digital Postcard" nature of traditional email.
- Metadata Masking (RFC 9788): The first Rust-native implementation of modern Header Protection. We move your `Subject` and `Recipient` data into the encrypted PGP packet, leaving only a generic "shroud" header for transit servers.
- Forward Secrecy (FS): Implements Ephemeral Sub-keys (Autocrypt v2 style). Thundermail rotates encryption sub-keys every 24 hours and uses the `zeroize` crate to scrub private material from memory, ensuring that a future compromise of your master key cannot decrypt past messages.
- Native Rust UI (egui): By using egui instead of Tauri or Electron, we eliminate the entire browser-exploit surface. No DOM, no XSS, no JavaScript; just pure, statically-linked Rust.
- Zero-Leak Networking: Native SOCKS5/Tor integration to defeat ISP-level traffic analysis (MITRE T1090.004). We enforce `#![forbid(unsafe_code)]` and use `rustls` for modern, memory-safe TLS 1.3.
- Dual-Tier Private AI:
  - Local (Ollama): Maximum sovereignty. Zero data leaves your machine.
  - Private Cloud (Venice AI): High-performance, uncensored inference with mandatory PII redaction and zero data retention.
- Smart Labeling: Database-driven (not folder-driven) categorization. Supports `X-GM-LABELS` to prevent data duplication and "phantom" IMAP fetches.
- AI Segregation: Automatic sorting into Promotions, Social, and Updates tabs using local context analysis via the `Categorizer` module.
- Encrypted Search: Lightning-fast full-text search via Tantivy, indexed locally in an encrypted SQLite store.
- The Sanitizer: Automatic stripping of tracking pixels, malicious CSS, and identifying signatures before rendering in the native UI.
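
The header shrouding described under Metadata Masking, as an added example that is not Thundermail's own code: it splits a message into the outer header section a transit server can read and the inner payload that would be encrypted. The type and function names are hypothetical, the policy is a simplified assumption modeled on the RFC's baseline policy, and recipient fields pass through unchanged here, so the recipient shrouding the list mentions is not modeled.

```rust
// Added illustration of RFC 9788-style header shrouding, not Thundermail's
// rfc9788.rs. All names are hypothetical; encryption of `payload` is omitted.
type Header = (String, String);
struct Shrouded {
    outer: Vec<Header>, // readable by every transit server
    payload: String,    // inner part, handed to the OpenPGP layer for encryption
}

// Simplified policy (assumption): obscure Subject, drop Comments/Keywords, pass the rest.
fn outer_value(name: &str, value: &str) -> Option<String> {
    match name.to_ascii_lowercase().as_str() {
        "subject" => Some("[...]".to_string()),
        "comments" | "keywords" => None,
        _ => Some(value.to_string()),
    }
}

fn shroud(headers: &[Header], body: &str) -> Shrouded {
    let mut outer = Vec::new();
    // hp="cipher" tells the recipient the headers were sent with confidentiality.
    let mut payload = String::from("Content-Type: text/plain; hp=\"cipher\"\r\n");
    for (name, value) in headers {
        payload.push_str(&format!("{name}: {value}\r\n")); // real values
    }
    for (name, value) in headers {
        if let Some(v) = outer_value(name, value) {
            // HP-Outer records what was exposed, for comparison on receipt.
            payload.push_str(&format!("HP-Outer: {name}: {v}\r\n"));
            outer.push((name.clone(), v));
        }
    }
    payload.push_str(&format!("\r\n{body}"));
    Shrouded { outer, payload }
}

// The outer header section: everything a transit server gets to read.
fn transit_view(msg: &Shrouded) -> String {
    msg.outer.iter().map(|(n, v)| format!("{n}: {v}\r\n")).collect()
}

// Constructed sample message headers.
fn sample() -> Vec<Header> {
    [("From", "alice@example.org"), ("To", "bob@example.org"),
     ("Subject", "Q3 acquisition terms"), ("Keywords", "legal")]
        .iter().map(|(n, v)| (n.to_string(), v.to_string())).collect()
}
fn main() {
    let msg = shroud(&sample(), "See attached.");
    print!("{}--- protected ---\n{}\n", transit_view(&msg), msg.payload);
}
```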
All official builds are produced automatically via secure, tamper-proof GitHub Actions workflows, which ensures a transparent and auditable trail from source code to the final compiled binary. Binaries for all platforms are cryptographically signed and, where applicable, notarized to ensure their authenticity and integrity. You can download the latest release from the GitHub Releases page.
| Platform | Architecture | Download | Store |
|---|---|---|---|
| Windows | x64, amd64 | .msi Installer | |
| macOS | Apple Silicon & Intel | .dmg Universal | App Store (Coming Soon) |
| Linux | x64, amd64 | .deb, .AppImage | |
Note for macOS users: If you download the `.dmg` from GitHub Releases, you may need to run the following command if you see a "damaged" or unverified app error:
```bash
sudo xattr -rd com.apple.quarantine /Applications/ThunderMail.app
```
Replace `/Applications/ThunderMail.app` with the actual path if you installed the app elsewhere.
Thundermail is modularized to ensure that privacy logic is never bypassed by networking or UI code.
| Layer | Responsibility | Technology |
|---|---|---|
| UI | Immediate-mode Native GUI | egui / eframe |
| Protocol | Async IMAP/SMTP | tokio-imap, lettre |
| Cryptography | RFC 9788 & Ephemeral Keys | sequoia-openpgp |
| AI Engine | Private Inference | Ollama / Venice AI |
| Storage | Encrypted Metadata | SQLx (SQLite) + Tantivy |
| Networking | Proxy & TLS | tokio-socks, rustls |
- Rust 1.75+
- Ollama (Running locally) or a Venice AI API Key.
- GnuPG 2.4.9+ (For legacy compatibility, though native Sequoia is preferred).
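Thundermail uses a `config.toml` for "Sovereign Mode" presets. Secrets are managed via the system keyring.
```bash
# Create the config directory first; cp fails if it does not exist
mkdir -p ~/.config/thundermail
cp config.toml.example ~/.config/thundermail/config.toml
```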
```
thundermail/
├── plugins-sdk/                 # Shared Plugin API (The "Contract")
│   └── src/
│       ├── lib.rs               # Plugin Trait definitions
│       └── types.rs             # Sanitized Mail & UI types
├── src/                         # Main Native Rust Application
│   ├── ai/                      # Private Intelligence Layer
│   │   ├── mod.rs               # MailAgent Trait & Provider Registry
│   │   ├── ollama.rs            # Local Inference (Default)
│   │   ├── venice.rs            # Private Cloud (Sanitized API)
│   │   └── categorizer.rs       # LLM Prompting for Labels/Inbox Tabs
│   ├── core/                    # The Mail Engine
│   │   ├── mod.rs
│   │   ├── session.rs           # Async IMAP/SMTP State Machines
│   │   ├── labels.rs            # Flat-DB Label Logic (X-GM-LABELS)
│   │   ├── worker.rs            # Background Task Loop (Sync & AI)
│   │   └── plugin_host.rs       # The "Loader" (Manages .so/.dll/.dylib)
│   ├── crypto/                  # Hardened Cryptography
│   │   ├── mod.rs
│   │   ├── rfc9788.rs           # LAMPS Header Shrouding (Subject Masking)
│   │   ├── pgp.rs               # Sequoia-OpenPGP Backend
│   │   └── ephemeral.rs         # Sub-key Rotation & Zeroize Logic
│   ├── db/                      # Encrypted Local Storage
│   │   ├── mod.rs
│   │   ├── schema.rs            # SQLite (SQLx) Migrations
│   │   └── search.rs            # Tantivy Encrypted Search Index
│   ├── net/                     # Sovereign Networking
│   │   ├── mod.rs
│   │   ├── proxy.rs             # SOCKS5/Tor Routing (MITRE T1090.004)
│   │   └── tls.rs               # Rustls Config (No-CA-Leaks)
│   ├── privacy/                 # The Sanitization Gatekeeper
│   │   ├── mod.rs
│   │   ├── sanitizer.rs         # PII Redaction & Tracking Pixel Stripping
│   │   └── headers.rs           # MUA Fingerprint Masking
│   ├── ui/                      # Native Immediate-Mode GUI (egui)
│   │   ├── mod.rs
│   │   ├── app.rs               # Main eframe::App implementation
│   │   ├── components/          # Custom Widgets (Sidebar, MailList, Composer)
│   │   ├── theme.rs             # Sovereign Visual Styles
│   │   └── plugin_view.rs       # Egui hooks for plugin-provided widgets
│   └── main.rs                  # Entry Point (Runtime & UI Launch)
├── plugins/                     # User-defined plugins
│   └── spam-filter-ai/          # Example: A Venice AI powered spam filter
│       ├── Cargo.toml           # Defines crate-type = ["cdylib"]
│       └── src/lib.rs
├── tests/                       # Integration & Security Audits
│   ├── leaks.rs                 # Validates no unauthorized network pings
│   └── crypto_integrity.rs      # MDC Fail-hard & Forward Secrecy tests
├── scripts/                     # Build & Hardening Tools
│   └── harden-os.sh             # Setup for Tor/SOCKS5 system-wide
├── .github/
│   └── workflows/               # CI (Cargo Deny, Audit, & Fuzzing)
├── ARCHITECTURE.md              # Modular isolation docs
├── Cargo.toml                   # The "Sovereign" Dependency Stack
├── config.toml.example          # Template for Private Cloud/Local AI
├── README.md                    # Project Vision & Technical Spec
└── SECURITY.md                  # Threat Model & Disclosure Policy
```
Thundermail stores all data locally with encryption. The encrypted SQLite database and search index are stored in platform-specific locations following each operating system's conventions.
| Operating System | Database Path |
|---|---|
| Linux | ~/.local/share/thundermail/thundermail.db |
| macOS | ~/.local/share/thundermail/thundermail.db |
| Windows | %LOCALAPPDATA%\thundermail\thundermail.db |

| Operating System | Search Index Path |
|---|---|
| Linux | ~/.local/share/thundermail/search_index |
| macOS | ~/.local/share/thundermail/search_index |
| Windows | %LOCALAPPDATA%\thundermail\search_index |

| Operating System | Logs Path |
|---|---|
| Linux | ~/.local/share/thundermail/logs |
| macOS | ~/.local/share/thundermail/logs |
| Windows | %LOCALAPPDATA%\thundermail\logs |
The default database location can be customized in your `config.toml`:
```toml
[database]
path = "~/.local/share/thundermail/thundermail.db"
encrypted = true

[search]
index_path = "~/.local/share/thundermail/search_index"
encrypted = true

[logging]
path = "~/.local/share/thundermail/logs"
```
We welcome contributors who believe in the right to private communication. Please read our SECURITY.md and ARCHITECTURE.md before submitting pull requests.
The "No-Call" Rule: Any PR introducing an external network dependency (fetching favicons, checking dictionaries, etc.) must be strictly opt-in and disabled by default.
Distributed under the MIT