Passwords are email’s soft underbelly: reused, phished, and reset through weaker accounts. That’s why privacy.fish uses SSH keys for account access instead. Tradeoff here: privacy.fish/blog/there-i...
Good technical mail-infra writeup from Peter Hansteen on moving from exim to OpenSMTPD on OpenBSD:
nxdomain.no/~peter/time_...
This is the email work we like: small understandable components, protocol correctness, greylisting/greytrapping, and fewer moving parts to trust.
Private signup is not just a smaller form. Payment records and anti-abuse checks can become privacy data too.
We built our one-time payment flow to ask less upfront and keep less afterward.
privacy.fish/blog/the-mos...
AI privacy keeps coming back to one practical question: what data has to leave the user's device at all?
For tools that touch email, docs, history, or bookmarks, the trust builder is local-first design, clear indexing controls, easy deletion, and no quiet cloud handoff.
Watching H.R. 9016, the new Email Privacy Act bill introduced May 22.
The practical test is in the details: stored content, metadata, payment/account links, access logs, and which providers are covered.
How we handle this at Privacy.Fish:
privacy.fish/documentatio...
AI agents getting inboxes makes email’s trust model clearer: “can receive mail” and “can send externally” should be separate grants. Safer default: restricted inbox first, human-approved sending scopes, expiry, rate limits, audit logs. Email addresses are identity surfaces, not just API resources.
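
The separate-grants model from the post above, as an added sketch (not Privacy.Fish code): receiving is the default, while external sending needs a human-approved grant with a scope, expiry and rate limit, and every decision is written to an audit log. All class names, field names and sample addresses are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class SendGrant:
    """Human-approved permission to send externally (hypothetical model)."""
    approved_by: str              # the human who approved this scope
    allowed_domains: frozenset    # sending scope: recipient domains
    expires_at: datetime          # grant stops working after this time
    max_per_hour: int             # rate limit


@dataclass
class AgentMailbox:
    address: str
    can_receive: bool = True                  # restricted inbox first
    send_grant: Optional[SendGrant] = None    # no external sending by default
    sent_times: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def authorize_send(self, recipient: str, now: datetime) -> bool:
        """Decide one outbound message and log allow and deny alike."""
        allowed, reason = self._decide(recipient, now)
        self.audit_log.append(
            (now.isoformat(), self.address, recipient, allowed, reason))
        if allowed:
            self.sent_times.append(now)
        return allowed

    def _decide(self, recipient: str, now: datetime):
        grant = self.send_grant
        if grant is None:
            return False, "no send grant"
        if now >= grant.expires_at:
            return False, "grant expired"
        # A recipient without "@" yields the whole string and is denied.
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain not in grant.allowed_domains:
            return False, "recipient outside scope"
        recent = [t for t in self.sent_times if now - t < timedelta(hours=1)]
        if len(recent) >= grant.max_per_hour:
            return False, "rate limit"
        return True, "ok"
```

Denied attempts are logged with their reason, so the audit trail shows when an agent tries to send outside what was approved.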