Onion Email

If I wanted to receive email from you, but wanted to hide as much as possible who I am, how could we go about it?

First, lets start with an oversimplification of how email works:

The first problem we would run into here is that this scheme isn't end to end encrypted, so anyone in the middle can inspect our communication.

Using PGP is somewhat the most conventional way to address this problem, although not wildely used.

Nevertheless, the way PGP works is for the receiver expose to the sender its public key, which the sender can use to encrypt the body of the message:

With that, anyone in the middle, including my email server, can't open our messages.

However, PGP leaves an important trace of our communication: metadata.


  1. the email username and server that I use
  2. the subject of our communication
  3. the date/time of our communication

So, if anyone wanted to have access to part of our communication, they could force themselves (e.g. subpoenas, hacking, collusion) into my email server.

Using Tor to access my email server is the most conventional way to solve this problem.

This way, the mail server has no idea who I am.

That allows me to hide who I am to my email server, but it still leaves my email server (and hence my metadata) exposed.

One trivial idea is to host my mail server behind a tor hidden service:

But there are two problems with the topology above:

  1. It requires every client to speak Tor, rather than SMTP.
  2. It requires my mail server to voluntarily:
    • run itself behind Tor as a hidden service
    • assume that everything addressed to its hidden service is for itself

These are somewhat easy things to change if you run your own email server, but really hard if you don't (and, let's face it, most of us don't).

Another idea is to insert a mail server in between that speaks SMTP on both ends and tell it route emails to my original email server:

Because the newly introduced mail server above has to at some point speak SMTP with my mail server, it is ultimately be aware of my communication habits (e.g. when I get email). However, it allows:

  1. The client to still speak SMTP
  2. My mail server to remain unchanged

At the cost of:

  1. Me running a trusted SMTP proxy
  2. Because it is not a hidden service, it can be forced into revealing my communications.

The cost of running a trusted SMTP proxy seems like something that can't be avoided, but it does seem substantially cheaper than running a full SMTP server.

The last point is an important one, though, that we'd like to see avoided.

What if we added onion routing at the SMTP layer, rather than the TCP-IP layer?

Because email isn't as latency sensitive as general TCP-IP traffic, we can probably go around more servers in between. There is probably a point in which we increase the chances of the message being lost, but otherwise it would seem constructive to add more servers in between the sender and the receiver.