MetaMail: Getting Secure Email with Web3

Introduction: This article introduces the security and spam problems of today's email, and suggests the use of Web3 address to send and receive emails, which provides signing and end-to-end encryption for security. We have built MetaMail, now in beta phase. Click the link below to use it:

Email, Security and Spams

Since the invention of email in the last century, the protocol and running mechanism have not changed fundamentally: the sender submits an email to the mail server with SMTP(Simple Mail Transfer Protocol), and the mail server uses SMTP to transmit the mail to the recipient's mail server. The receiver receives mail from the server through IMAP/POP. While email has become a ubiquitous form of communication around the world and will remain mainstream in the long run, some of these important issues have not been well addressed: the lack of convenient email encryption and the flood of spam.

Email protocol
Email protocol

Lack of convenient email encryption: In SMTP, email is transmitted in plaintext, and the user's email is easily leaked or forged when it is transmitted by the email service provider on the Internet. In order to protect the content of emails, the Pretty Good Privacy (PGP) proposes to sign emails and encrypt them end-to-end with asymmetric encryption to ensure security. Under the PGP framework, each user needs to maintain his private key and publish public key. When a user sends an email, he would first use his private key to sign the content of the email to ensure the integrity of the email, and then use the recipient's public key to encrypt the mail's private key. The above process ensures that only the sender and recipient can decrypt the mail. The concept of PGP is very good, but it has not become popular. One important reason is that users need to maintain their own public and private key pairs, and ensure that the recipient's public key really belongs to the recipient (because Man-in-the-Middle-Attack (MIMT) can replace the public key). It’s best to physically confirm the identity of the other and exchange the public key offline. These complicated steps have largely prevented the popularity of PGP mail among mass users. In Web3, every user has a private key, and the user's wallet address is the public key (or the hash of the public key). This problem can be solved naturally.

Spam flooding: Spam has been around for almost as long as email and has a growing trend, with an estimated 90% of all emails on the web as spam as of 2014 [Email Spam]. Until now, if one wanted to set up their own in-mail server, he would have to think about how to filter spam, otherwise, the inbox would quickly become overrun with spam. The reason for the proliferation of spam is that on this open protocol, people don't have a good way to prevent Sybil attacks, that is, spammers can create a large number of addresses at almost zero cost to send a large number of emails. People can only passively identify and filter them, such as filtering malicious senders by SPF, DIKM, and IP blacklists. If one wants to set up his own out-mail server, he has to go through very complicated steps to avoid sending out mail directly into the trash (binding a domain name, setting a certificate, obtaining a reputable IP). Don't forget, an ugly truth is that all mainstream cloud vendors today have banned port 25 of the cloud host and prohibit users from sending emails from the host to protect the "reputation" of the IP address. People prevent spam by setting various strict conditions, which at the same time makes it difficult for individuals to set up a mail server. People have to prove that it is not spam before sending an email, which to a certain extent makes the personal mail service dominated by big platforms like Gmail and QQ Mail.

Plaintext emails and the flood of spam are long-standing problems with email. The MITM attacks and Sybil attacks are commonly faced in the Internet world. Fortunately, blockchain technology can naturally solve the above problems, making it easier than ever to send encrypted emails in Web3 and avoid spam.

Web3 and MetaMail

In Web3, users own their addresses and identities, and can use the address/ENS + @ + domain name as their own email addresses.

For example, an user's Ethereum address is 0x045ff23cf3413f6a355f0acc6ec6cb2721b95d99, and the MetaMail domain name is mmail.ink. Then he can use 0x045ff23cf3413f6a355f0acc6ec6cb2721b95d99@mmail.ink as the email address. Since this address has registered ENS suneal.eth, he can also use suneal.eth@mmail.ink as the email address. With such an address, the user can send mail to any mailbox as usual, and receive mail from other mailboxes such as Gmail. Isn't it kind of cool? Well, what's the benefit of this other than being cool?

The primary benefit is safety. Each Web3 address/ENS corresponds to a private key managed by the user. When using MetaMail, users can naturally use the private key to sign and encrypt emails. The public key is recorded on the blockchain, eliminating the need to exchange public keys. When users send emails, they use their own private key to sign the entire email content. The recipient can verify the integrity of the email according to the digital signature. The email content remains in the email format and is transmitted seamlessly with all other email addresses through SMTP. When sending emails to other MetaMail users, the recipient's public key can be used to encrypt the email end-to-end, thus ensuring that only the recipient can decrypt the content of the email.

Key binding
Key binding

Another benefit is that spam can be reduced. The number of addresses on the blockchain is limited, and creating new addresses requires a certain cost—at least one transaction fee needs to be paid. The mail service providers only need to limit the sending frequency according to the sender's balance settings (a PoS-like mechanism) to block malicious addresses. With this mechanism, sending a large number of emails requires storing a certain balance or creating a large number of addresses, both of which will make it uneconomical to send spam from MetaMail addresses.

Signature and encryption ensure the security of MetaMail. Anti-spam will make MetaMail less likely to be marked as spam by the email filtering system. Moreover, the data of sending and receiving emails are transferred through the server and do not need to be stored on the blockchain, thus the whole process is completely free without gas fees.

In traditional mailboxes, such as Gmail, users "apply for" their own email addresses. In MetaMail, users have stronger control over email accounts. Users own their username, the mail service provider owns the domain name, and the two work together to send emails. Each email needs to be signed by the corresponding user. The encrypted email needs to be decrypted by the user, and the email service provider cannot arbitrarily create an account, or send or decrypt emails.

Users own their identities
Users own their identities

How to Use MetaMail?

Quite simple, access metamail.ink, connect the wallet, then you can get your own email address with the suffix @mmail.ink. The whole process only requires a signature to verify the ownership of the account, completely free without gas fees. Users will not disclose private keys or other information.

In MetaMail, editing, sending and receiving mail is almost the same as other mail services. Before sending, the user needs to sign the content of the email to ensure its integrity. The signature will be stored in the header of the email EML. The email service provider and the recipient can verify the signature at any time.

Sign email before sending
Sign email before sending

When sending an encrypted mail, the user creates a random symmetric key locally, encrypts the content of the message with this key, and encrypts this key with the recipient's public key. When receiving an encrypted email, the user needs to use the wallet to decrypt the key for this email, and then use this key to decrypt the entire email. All encryption and decryption are performed at client side, and the email content is encrypted before uploading to the server and during transmission.

Decrypt MetaMail
Decrypt MetaMail

Conclusion

This article introduces the security and spam problems of email. Using MetaMail in Web3 can easily perform email signature, verification, end-to-end encryption-decryption, and can reduce spam. We have implemented MetaMail for use. In the future, we will open-source the code and protocol of MetaMail to facilitate users to build their own MetaMail service.

Subscribe to Suneal
Receive the latest updates directly to your inbox.
Verification
This entry has been permanently stored onchain and signed by its creator.