Email Stack — Final Scoring / Ranking / Analysis

Generated: 2026-03-01 • Role-specific scoring (server / alias / client / hosted)
A sovereign/BTC/FOSS/privacy-maximalist evaluation of email-adjacent components. Scores are role-specific and represent “fitness for purpose” inside a hardened, self-sovereign stack. Cross-role comparisons are not “replace X with Y”; they indicate how strongly each component performs inside its own job.
No provider lock-in (prefer self-host) • FOSS-first (copyleft favored) • Metadata minimization • AI/telemetry avoidance • BTC/KYC friction accounted • CVE culture over CVE count

Overview

Scoring is role-specific (server / alias / client / hosted provider), with distinct criteria and weights. The objective is not “one global league table,” but a precise map of which components are structurally fit as sovereign primitives vs. perimeter shells.
What “high score” means
High-scoring components minimize external dependence, preserve local control, resist metadata concentration, avoid telemetry/AI coupling, and present a manageable operational/security posture.
What “low score” means
Low-scoring components may still be useful, but typically concentrate identity/metadata in third-party infrastructure, bind to corporate ecosystems, or drift toward AI/service bundles that amplify systemic capture risk.

Evaluated Tool Set

Category                  Tools
Mail Servers (self-host)  Stalwart Mail Server (open-source edition), maddy, docker-mailserver (DMS), Mailu, mailcow: dockerized, Mail-in-a-Box
Alias / Forwarding        AnonAddy / addy.io (self-host), SimpleLogin (self-host), AnonAddy / addy.io (hosted), Forward Email (hosted), SimpleLogin (hosted)
Clients (MUA)             NeoMutt, aerc, Thunderbird
Hosted Secure Email       Tuta (Tutanota/Tuta Mail), Proton Mail

1. Mail Servers (Self-Host Core)

Criteria & Weights (Servers)

Code  Criterion                                      Weight  Meaning
S1    Sovereignty & self-host design                 20%     Runs fully on owned infrastructure; minimal external reliance.
S2    FOSS purity/licensing                          10%     Open-source completeness; copyleft preference.
S3    Security posture & audits                      20%     Patch latency, advisories, audits/fuzzing, demonstrated hardening.
S4    Privacy & log control (operator-side)          10%     Control over logs/telemetry and data path on owned infra.
S5    Complexity & attack surface                    15%     Higher score = fewer moving parts and less orchestration bloat.
S6    Operations, upgrade friction & deliverability  15%     Real-world usability, upgrade cadence, deliverability posture.
S7    Community & longevity                          10%     Sustained maintenance, adoption, survivability.

Final Ranking (Servers)

Rank  Tool                                                  Composite  Signal
1     Stalwart Mail Server (community/open-source edition)  89.8       audited • rust • full-stack
2     maddy                                                 89.7       lean • composable • minimal
3     docker-mailserver (DMS)                               87.6       postfix-stack • docker • mature
4     Mailu                                                 86.1       docker-suite • foss
5     mailcow: dockerized                                   86.1       polished • heavy • cves
6     Mail-in-a-Box                                         83.9       appliance • opinionated

Stalwart Mail Server (community/open-source edition)

Composite: 89.8 / 100 • Mail server (self-host core)
Rank #1
Feature-rich, audited Rust stack; slightly more surface than minimalist servers, offset by security culture and transparency.
Criterion scores (servers model)
Code  Criterion                        Weight  Score
S1    Sovereignty & self-host design   20%     98
S2    FOSS purity/licensing            10%     93
S3    Security posture & audits        20%     92
S4    Privacy & log control            10%     90
S5    Complexity & attack surface      15%     86
S6    Ops, upgrades & deliverability   15%     84
S7    Community & longevity            10%     80

Evidence anchors: Open-source edition positioning (stalw.art/open-source), second security audit (stalw.art/blog/security-audit-2025), and RUN_AS_USER privilege escalation issue fixed in 0.8.0 (CVE-2024-35179).

Reading: Feature-rich, audited Rust suite; slightly more complex than maddy but with extremely serious security posture.

maddy

Composite: 89.7 / 100 • Mail server (self-host core)
Rank #2
Minimal, composable all-in-one server; strong lean-surface properties with real CVE history and patches.
Criterion scores (servers model)
Code  Criterion                        Weight  Score
S1    Sovereignty & self-host design   20%     98
S2    FOSS purity/licensing            10%     95
S3    Security posture & audits        20%     88
S4    Privacy & log control            10%     90
S5    Complexity & attack surface      15%     90
S6    Ops, upgrades & deliverability   15%     82
S7    Community & longevity            10%     82

Evidence anchors: maddy repository and protocol scope (github.com/foxcpp/maddy), setup guide (maddy.email/tutorials/setting-up), and critical auth bypass fixed in 0.6.3 (CVE-2023-27582).

Reading: Lean, elegant, battle-hardened enough, extremely aligned with a minimalist sovereign stack. Effectively tied with Stalwart, but on the “minimalist” end of the curve.

docker-mailserver (DMS)

Composite: 87.6 / 100 • Mail server (self-host core)
Rank #3
Mature Postfix/Dovecot-class stack packaged for Docker; strong deliverability posture with higher moving-part count.
Criterion scores (servers model)
Code  Criterion                        Weight  Score
S1    Sovereignty & self-host design   20%     95
S2    FOSS purity/licensing            10%     95
S3    Security posture & audits        20%     85
S4    Privacy & log control            10%     88
S5    Complexity & attack surface      15%     72
S6    Ops, upgrades & deliverability   15%     90
S7    Community & longevity            10%     90

Reading: Heavy but proven. Strong choice when mainstream deliverability matters and higher orchestration complexity is acceptable.

Mailu

Composite: 86.1 / 100 • Mail server (self-host core)
Rank #4
“Simple yet full-featured” Docker suite; strong FOSS posture with suite-level complexity.
Criterion scores (servers model)
Code  Criterion                        Weight  Score
S1    Sovereignty & self-host design   20%     95
S2    FOSS purity/licensing            10%     95
S3    Security posture & audits        20%     83
S4    Privacy & log control            10%     88
S5    Complexity & attack surface      15%     74
S6    Ops, upgrades & deliverability   15%     86
S7    Community & longevity            10%     82

Reading: Similar class to DMS with a smaller ecosystem; suite-level complexity is the trade.

mailcow: dockerized

Composite: 86.1 / 100 • Mail server (self-host core)
Rank #5
Polished “all-in-one” suite; strongest admin UX, highest moving-part footprint, documented CVE patch cadence.
Criterion scores (servers model)
Code  Criterion                        Weight  Score
S1    Sovereignty & self-host design   20%     94
S2    FOSS purity/licensing            10%     92
S3    Security posture & audits        20%     82
S4    Privacy & log control            10%     87
S5    Complexity & attack surface      15%     70
S6    Ops, upgrades & deliverability   15%     90
S7    Community & longevity            10%     90

Reading: Excellent web admin and broad adoption; suite complexity is the defining trade-off.

Mail-in-a-Box

Composite: 83.9 / 100 • Mail server (self-host core)
Rank #6
Scripted appliance-style deployment; strong for quick installs, weaker for custom hardening and long-run flexibility.
Criterion scores (servers model)
Code  Criterion                        Weight  Score
S1    Sovereignty & self-host design   20%     93
S2    FOSS purity/licensing            10%     93
S3    Security posture & audits        20%     80
S4    Privacy & log control            10%     86
S5    Complexity & attack surface      15%     72
S6    Ops, upgrades & deliverability   15%     84
S7    Community & longevity            10%     80

Reading: Strong “one-click” orientation; the trade is reduced flexibility and hidden complexity under the appliance surface.

2. Alias / Forwarding / Identity Firewall

Criteria & Weights (Alias Layer)

Code  Criterion                                             Weight  Meaning
A1    Sovereignty & self-host                               25%     Runs on owned infra; no operator dependence.
A2    FOSS purity                                           10%     Open-source completeness and licensing.
A3    Graph control (centralization + correlation radius)   25%     Who sees the alias↔destination mapping and whether it is tied to larger identity/AI/finance stacks.
A4    Policy & jurisdiction                                 10%     Operator policy posture when hosted; otherwise owner-controlled.
A5    Complexity & attack surface                           10%     Operational footprint; higher score = simpler.
A6    BTC/KYC alignment                                     10%     Payment rails and KYC drag; indirect anonymous options.
A7    UX & ecosystem fit                                    5%      Quality of tooling and integrations.
A8    Community & sustainability                            5%      Project survivability and maintenance.

Final Ranking (Alias Layer)

Rank  Tool                             Composite  Signal
1     AnonAddy / addy.io (self-host)   90.8       sovereign graph • indie
2     SimpleLogin (self-host)          90.7       sovereign graph • polished
3     AnonAddy / addy.io (hosted)      68.7       hosted graph hub
4     Forward Email (hosted)           67.4       hosted graph hub • US gravity
5     SimpleLogin (hosted)             64.9       graph hub • ecosystem coupling

AnonAddy / addy.io (self-host)

Composite: 90.8 / 100 • Alias/forwarding layer
Ideal identity firewall in a sovereign stack; independent governance; self-host keeps the alias graph local.
Criterion scores (alias model)
Code  Criterion                      Weight  Score
A1    Sovereignty & self-host        25%     96
A2    FOSS purity                    10%     95
A3    Graph control                  25%     98
A4    Policy & jurisdiction          10%     88
A5    Complexity & attack surface    10%     78
A6    BTC/KYC alignment              10%     82
A7    UX & ecosystem fit             5%      80
A8    Community & sustainability     5%      80

Reading: Fully sovereign mapping/graph when self-hosted; slightly higher setup overhead due to web-app footprint.

SimpleLogin (self-host)

Composite: 90.7 / 100 • Alias/forwarding layer
Extremely polished alias firewall; self-host keeps the graph local; upstream ownership sits inside Proton ecosystem.
Criterion scores (alias model)
Code  Criterion                      Weight  Score
A1    Sovereignty & self-host        25%     96
A2    FOSS purity                    10%     95
A3    Graph control                  25%     98
A4    Policy & jurisdiction          10%     82
A5    Complexity & attack surface    10%     80
A6    BTC/KYC alignment              10%     78
A7    UX & ecosystem fit             5%      88
A8    Community & sustainability     5%      85

BTC/crypto rail note: Coinbase Commerce described on the pricing page (simplelogin.io/pricing).

Reading: Near-perfect functionality and UX; “upstream gravity” risk exists due to ecosystem coupling, even when self-hosted.

AnonAddy / addy.io (hosted)

Composite: 68.7 / 100 • Alias/forwarding layer
Useful hosted aliasing with strong FOSS roots; structurally a metadata graph hub by design.
Criterion scores (alias model)
Code  Criterion                      Weight  Score
A1    Sovereignty & self-host        25%     60
A2    FOSS purity                    10%     95
A3    Graph control                  25%     45
A4    Policy & jurisdiction          10%     88
A5    Complexity & attack surface    10%     75
A6    BTC/KYC alignment              10%     80
A7    UX & ecosystem fit             5%      88
A8    Community & sustainability     5%      85

Reading: High convenience, low sovereignty. Hosted aliasing centralizes a relationship graph, even if content is not stored.

Forward Email (hosted)

Composite: 67.4 / 100 • Alias/forwarding layer
Fully open-source service; hosted mode centralizes the alias graph; payment rails emphasize non-BTC “crypto” flows.
Criterion scores (alias model)
Code  Criterion                      Weight  Score
A1    Sovereignty & self-host        25%     70
A2    FOSS purity                    10%     98
A3    Graph control                  25%     40
A4    Policy & jurisdiction          10%     80
A5    Complexity & attack surface    10%     78
A6    BTC/KYC alignment              10%     60
A7    UX & ecosystem fit             5%      85
A8    Community & sustainability     5%      82

Reading: Strong FOSS posture; hosted operation remains a graph hub. Self-host changes the risk profile materially.

SimpleLogin (hosted)

Composite: 64.9 / 100 • Alias/forwarding layer
Best-in-class UX; maximum metadata graph concentration risk due to hosted operation + broader ecosystem coupling.
Criterion scores (alias model)
Code  Criterion                      Weight  Score
A1    Sovereignty & self-host        25%     60
A2    FOSS purity                    10%     90
A3    Graph control                  25%     35
A4    Policy & jurisdiction          10%     80
A5    Complexity & attack surface    10%     78
A6    BTC/KYC alignment              10%     72
A7    UX & ecosystem fit             5%      92
A8    Community & sustainability     5%      90

Reading: Great experience; structurally not a core sovereign primitive when hosted due to graph centralization and ecosystem fusion risk.

3. Clients (MUA Layer)

Criteria & Weights (Clients)

Code  Criterion                                     Weight  Meaning
C1    Local sovereignty & provider-agnosticism      25%     Works with any IMAP/SMTP/JMAP, supports local stores.
C2    FOSS purity                                   15%     Open-source completeness.
C3    Privacy & telemetry defaults                  20%     Telemetry/crash reporting defaults, disable-ability, phone-home.
C4    AI/service coupling risk                      15%     Drift toward service bundles/AI copilots.
C5    Productivity & ergonomics (power use)         15%     Efficiency at scale for disciplined workflows.
C6    Community & longevity                         10%     Maintenance, adoption, survivability.

Final Ranking (Clients)

Rank  Tool         Composite  Signal
1     NeoMutt      95.4       no telemetry • no AI • cli
2     aerc         95.1       no telemetry • no AI • cli
3     Thunderbird  86.9       telemetry default • pro/services drift

NeoMutt

Composite: 95.4 / 100 • Client (MUA)
Terminal apex: no telemetry, no AI, no service bundle. Provider-agnostic by design.
Criterion scores (clients model)
Code  Criterion                      Weight  Score
C1    Local sovereignty              25%     95
C2    FOSS purity                    15%     98
C3    Privacy & telemetry defaults   20%     98
C4    AI/service coupling risk       15%     100
C5    Productivity & ergonomics      15%     90
C6    Community & longevity          10%     88

Reading: Highest structural sovereignty at the client layer; steep curve, extreme efficiency after configuration.

aerc

Composite: 95.1 / 100 • Client (MUA)
Modern terminal MUA: no telemetry, no AI; strong ergonomics for disciplined workflows.
Criterion scores (clients model)
Code  Criterion                      Weight  Score
C1    Local sovereignty              25%     95
C2    FOSS purity                    15%     98
C3    Privacy & telemetry defaults   20%     98
C4    AI/service coupling risk       15%     100
C5    Productivity & ergonomics      15%     92
C6    Community & longevity          10%     82

Reading: NeoMutt vs aerc is mostly preference. Both remain apex sovereign MUAs.

Thunderbird

Composite: 86.9 / 100 • Client (MUA)
Strong GUI productivity; telemetry is enabled by default (opt-out); roadmap includes a service bundle (“Pro/Thundermail”) and AI (Assist).
Criterion scores (clients model)
Code  Criterion                      Weight  Score
C1    Local sovereignty              25%     90
C2    FOSS purity                    15%     95
C3    Privacy & telemetry defaults   20%     80
C4    AI/service coupling risk       15%     70
C5    Productivity & ergonomics      15%     94
C6    Community & longevity          10%     95

Evidence anchors: telemetry default described in Mozilla Support (support.mozilla.org/en-US/kb/thunderbird-telemetry); service bundle described by the Thunderbird team (blog.thunderbird.net/2025/04/thundermail-and-thunderbird-pro-services).

Reading: Still a strong GUI client when hardened (telemetry disabled and service/AI bundle ignored), but structurally drifting toward a bundled ecosystem.

4. Hosted Secure Email Providers

Criteria & Weights (Hosted Mail)

Code  Criterion                            Weight  Meaning
H1    Sovereignty / migration friction     20%     Hosted = structural dependence; migration cost matters.
H2    FOSS purity (esp. server)            10%     Server openness vs clients-only openness.
H3    Content privacy & crypto design      15%     E2EE design and cryptographic posture.
H4    Metadata logging & jurisdiction      20%     Legal obligations, logging claims, track record.
H5    AI / stack coupling                  15%     AI copilots and multi-product ecosystem fusion.
H6    BTC/KYC alignment                    10%     Payment rails and anonymous upgrade paths.
H7    Ecosystem / interoperability         5%      IMAP/Bridge and compatibility with external clients.
H8    Longevity & resilience               5%      Business survivability and userbase stability.

Final Ranking (Hosted Mail)

Rank  Provider                    Composite  Signal
1     Tuta (Tutanota/Tuta Mail)   76.5       no phone number required • anti-Chat Control posture
2     Proton Mail                 65.0       ecosystem fusion • AI integrated

Tuta (Tutanota / Tuta Mail)

Composite: 76.5 / 100 • Hosted secure email
Strong anonymity and anti-surveillance posture; still a centralized silo with closed server-side code and no IMAP by design.
Criterion scores (hosted mail model)
Code  Criterion                          Weight  Score
H1    Sovereignty / migration friction   20%     45
H2    FOSS purity (server)               10%     60
H3    Content privacy & crypto design    15%     90
H4    Metadata logging & jurisdiction    20%     88
H5    AI / stack coupling                15%     95
H6    BTC/KYC alignment                  10%     85
H7    Ecosystem / interoperability       5%      65
H8    Longevity & resilience             5%      88

Evidence anchors: anonymous signup posture (tuta.com/blog/anonymous-email) and formal public opposition to Chat Control (tuta.com/blog/open-letter-against-chat-control). Anonymous upgrade paths via gift cards and partner payments are described on the payment support page (tuta.com/support/payment).

Reading: Strongest centralized option for anonymity posture and anti–Chat Control stance; still not a sovereign primitive due to hosted structure.

Proton Mail

Composite: 65.0 / 100 • Hosted secure email
High capability and interop; structural risk from ecosystem fusion (mail + aliases + wallet + AI) within one jurisdictional umbrella.
Criterion scores (hosted mail model)
Code  Criterion                          Weight  Score
H1    Sovereignty / migration friction   20%     40
H2    FOSS purity (server)               10%     55
H3    Content privacy & crypto design    15%     85
H4    Metadata logging & jurisdiction    20%     70
H5    AI / stack coupling                15%     55
H6    BTC/KYC alignment                  10%     75
H7    Ecosystem / interoperability       5%      85
H8    Longevity & resilience             5%      95

Evidence anchors: AI integration: Proton Scribe is built into Proton Mail (proton.me/blog/proton-scribe-writing-assistant). Ecosystem AI: Lumo launched as a privacy-focused AI assistant (proton.me/blog/lumo-ai). BTC rails: Proton supports on-chain BTC payments (proton.me/support/pay-with-bitcoin) and operates a Bitcoin-only wallet product (proton.me/blog/proton-wallet-launch).

Reading: Powerful and polished; the trade is ecosystem fusion and AI coupling, increasing identity correlation radius.

5. Cross-layer Synthesis

Core “Sovereign Primitives”

Components that function as core atoms in a sovereign/BTC/FOSS/privacy-maximalist stack (no required cloud, no telemetry/AI defaults, minimal metadata centralization):

Layer            Top Tier                                     Why these sit at the core
Mailserver       Stalwart (open-source edition), maddy        Single-stack designs with strong security posture; self-hosted ownership over data and logs; minimal external dependence.
Alias / firewall AnonAddy self-host, SimpleLogin self-host    Alias graph remains local; highest leverage for compartmentalization without outsourcing identity mapping.
Client (MUA)     NeoMutt, aerc                                Provider-agnostic terminal clients with no telemetry and no AI/service bundling; extreme control and efficiency.

Heavy but Valuable

Components that score high on deliverability/admin UX or mainstream usability, but trade away simplicity and attack surface:

Perimeter Shells (Centralized by Definition)

Useful for interacting with the normie world or as outer addresses, but structurally centralized:

  • Hosted AnonAddy and hosted SimpleLogin — hosted aliasing concentrates the alias graph; SimpleLogin hosted also inherits broader ecosystem coupling.
  • Tuta and Proton — strong privacy marketing, but hosted structure means jurisdictional dependency and central operator trust remain unavoidable.
Any further refinement would require private operational data (real-world compromise rates, hidden logging practices, and long-run admin patch lag), which cannot be derived purely from public documentation.

Scoring Methods

Each layer uses role-specific criteria and weights. Composite scores are computed as Σ(criterion_score × weight), with each role's weights summing to 100% and every criterion score normalized to 0–100.
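The scoring method above, carried through on the page's own numbers as an added worked example (this code is not part of the original document). The weight vectors and criterion scores are copied from the tables in sections 1 to 4; the function names (composite, ranking, audit) and the 0.05 rounding tolerance are this example's own choices. Recomputing the composites from the tables is also a cheap integrity check on the document: any tool whose stated composite cannot be reproduced from its criterion scores is reported by audit().

```python
"""Composite = sum(criterion_score * weight) / 100, with weights in percent
summing to 100 and criterion scores on a 0-100 scale (the page's method)."""

# Role-specific weight vectors in criterion order (S1..S7, A1..A8, C1..C6, H1..H8),
# copied from the four "Criteria & Weights" tables.
WEIGHTS = {
    "servers": (20, 10, 20, 10, 15, 15, 10),
    "alias":   (25, 10, 25, 10, 10, 10, 5, 5),
    "clients": (25, 15, 20, 15, 15, 10),
    "hosted":  (20, 10, 15, 20, 15, 10, 5, 5),
}

# Criterion scores per tool (same order as its role's weight vector), paired
# with the composite the page states so the two can be cross-checked.
SCORES = {
    "servers": {
        "Stalwart (open-source edition)": ((98, 93, 92, 90, 86, 84, 80), 89.8),
        "maddy":                          ((98, 95, 88, 90, 90, 82, 82), 89.7),
        "docker-mailserver (DMS)":        ((95, 95, 85, 88, 72, 90, 90), 87.6),
        "Mailu":                          ((95, 95, 83, 88, 74, 86, 82), 86.1),
        "mailcow: dockerized":            ((94, 92, 82, 87, 70, 90, 90), 86.1),
        "Mail-in-a-Box":                  ((93, 93, 80, 86, 72, 84, 80), 83.9),
    },
    "alias": {
        "AnonAddy / addy.io (self-host)": ((96, 95, 98, 88, 78, 82, 80, 80), 90.8),
        "SimpleLogin (self-host)":        ((96, 95, 98, 82, 80, 78, 88, 85), 90.7),
        "AnonAddy / addy.io (hosted)":    ((60, 95, 45, 88, 75, 80, 88, 85), 68.7),
        "Forward Email (hosted)":         ((70, 98, 40, 80, 78, 60, 85, 82), 67.4),
        "SimpleLogin (hosted)":           ((60, 90, 35, 80, 78, 72, 92, 90), 64.9),
    },
    "clients": {
        "NeoMutt":     ((95, 98, 98, 100, 90, 88), 95.4),
        "aerc":        ((95, 98, 98, 100, 92, 82), 95.1),
        "Thunderbird": ((90, 95, 80, 70, 94, 95), 86.9),
    },
    "hosted": {
        "Tuta (Tutanota / Tuta Mail)": ((45, 60, 90, 88, 95, 85, 65, 88), 76.5),
        "Proton Mail":                 ((40, 55, 85, 70, 55, 75, 85, 95), 65.0),
    },
}


def composite(scores, weights):
    """Weighted sum of 0-100 criterion scores; weights are percentages."""
    if len(scores) != len(weights):
        raise ValueError("score vector does not match the role's weight vector")
    if sum(weights) != 100:
        raise ValueError("weights must sum to 100%")
    if any(not 0 <= s <= 100 for s in scores):
        raise ValueError("criterion scores must be normalized to 0-100")
    # Integer arithmetic first, one division at the end: exact ties stay exact.
    return sum(s * w for s, w in zip(scores, weights)) / 100


def ranking(role):
    """Tools of one role ordered by recomputed composite, best first.
    sorted() is stable, so exact ties keep the page's listing order."""
    weights = WEIGHTS[role]
    rows = [(name, composite(vec, weights)) for name, (vec, _) in SCORES[role].items()]
    return sorted(rows, key=lambda row: -row[1])


def audit(tolerance=0.051):
    """Return {role: {tool: (recomputed, stated)}} for every tool whose stated
    composite is not the recomputed value rounded to one decimal. An empty
    dict means every table on the page is internally consistent."""
    mismatches = {}
    for role, tools in SCORES.items():
        for name, (vec, stated) in tools.items():
            got = composite(vec, WEIGHTS[role])
            if abs(got - stated) > tolerance:
                mismatches.setdefault(role, {})[name] = (round(got, 2), stated)
    return mismatches


if __name__ == "__main__":
    for role in WEIGHTS:
        print(f"== {role} ==")
        for pos, (name, score) in enumerate(ranking(role), 1):
            print(f"{pos}. {name:<34} {score:6.2f}")
    print("mismatches:", audit() or "none")
```

Run as a script it prints each layer's ranking and "mismatches: none"; the Mailu/mailcow tie at 86.1 is exact (both sum to 8610 before the final division), which is why the integer-first arithmetic matters.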

Role separation
Mailservers, alias systems, clients, and hosted providers are structurally different. A single global weight set would collapse distinct risk topologies into false equivalence.
CVE posture vs CVE count
Presence of CVEs is not automatically negative. Patch latency, disclosure quality, and audit/fuzzing culture are higher-signal than raw vulnerability counts.

Security and policy anchors are linked inline throughout the document: Stalwart audit (stalw.art/blog/security-audit-2025), Stalwart CVE reference (CVE-2024-35179), maddy auth bypass (CVE-2023-27582), Thunderbird telemetry default (support.mozilla.org), Thunderbird Pro/Thundermail (blog.thunderbird.net), Proton Scribe (proton.me), Proton Lumo (proton.me), Tuta open letter (tuta.com), and Tuta payment options (tuta.com/support/payment).

Document intent: strict structural scrutiny of email-adjacent components under a sovereignty-first, privacy-maximalist evaluation lens. All links are embedded inline near the claims they support.