this post was submitted on 13 Jul 2026
-13 points (15.8% liked)

Privacy

10312 readers
384 users here now

A community for Lemmy users interested in privacy

Rules:

  1. Be civil
  2. No spam posting
  3. Keep posts on-topic
  4. No trolling

founded 3 years ago
MODERATORS
 

Full disclosure: I am the maker. I am not here to tell you it is perfect. I am here because this community is best at finding the holes, and I would rather you find them now.

Elusive (elusivemail.xyz) is encrypted email. The thing I care about is honesty over claims. The landing page has a two-sided ledger showing what is sealed to your key versus what the server can see. Most services bury the second half. I put it front and center.

Sealed to your key: message bodies, subject lines, attachments, the sender and recipient of every stored message, and in keyfile mode the key itself. Visible to the server: who a message is from and to at the moment it passes through, your account details, and incoming mail the instant it arrives, before it is encrypted to your key.

The crypto: keys are generated in your browser (OpenPGP.js, curve25519, Argon2id). Your password never leaves your device, the server only stores a hash, so it cannot derive your key. End-to-end by default, plus a keyfile mode where nothing stored can decrypt your mail.

Where I will not blow smoke: incoming external mail is plaintext at receipt, the envelope is visible at delivery time to route mail (no logs), and it is closed source right now.

The whole plan is public and numbered on the roadmap (elusivemail.xyz): open source everything at 300 users, then a public API, native apps, our own hardware in Switzerland, a multi-server split so no single machine holds everything, an independent audit at 4,000, and eventually an encrypted communicator and drive. If a number slips, the page says so. Watch the roadmap, not my word.

It is free, no ads, I make no money. What would make you trust it, or not? What did I get wrong?

you are viewing a single comment's thread
view the rest of the comments
[–] unitedwithme@lemmy.today 1 points 2 days ago (1 children)

OK, question(s):

  1. How to implement into Thunderbird mail client for practical day-to-day use? What would the SMTP address be and other settings? I didn't find that info on your website, but I did find you're looking into completing mobile and desktop apps.
  2. Have you tested internal/external services to see how well OpenPGP emails work? I had an issue w encrypted via a test proton acct or an IMAP acct in Thunderbird with OpenKeychain encryption key. My 2 test accounts within Thunderbird work so maybe I've goofed something up. I'll check it out in the morning.
[–] elusivemail@lemmy.world 1 points 1 day ago (1 children)

Sorry you waited 15h for this, solo project so answers come when I'm awake. Good questions:

  1. Web only right now, no IMAP/Thunderbird yet, but client access is on the roadmap with the desktop and mobile apps. Coming, just not today
  2. Quick clarify so I'm straight with you: the OpenPGP encrypts your stored mail to your own key, so we're not interoperable PGP, outgoing mail leaves as normal email. Nothing between us and Proton/OpenKeychain to test there, so your Thunderbird issue is separate from us. If that interop matters to you, fair feature ask.
[–] unitedwithme@lemmy.today 2 points 23 hours ago (1 children)

NP. Thank you for the clarification. Honestly, unless others have encrypted email on their end, what OpenKeychain and Thunderbird offer is also almost pointless as it won't remain encrypted. I just thought it might be nice if multiple services were more so widespread using common interchangeable or compatible protocols.

[–] elusivemail@lemmy.world 1 points 9 hours ago

Thanks for keeping an eye on things. I have been working hard on the next major update, and it directly addresses what we discussed. The upcoming release will include fully compatible, end-to-end encrypted communications. We are exposing PGP keys, which means you can exchange encrypted emails with other services like Proton, Mailbox, or Thunderbird.

We are also handling the "To" headers and metadata properly, keeping it clean, minimal, and secure.