How I Built a Free Anonymous Email Service — No Phone, No Password, No Logs
The Problem I Wanted to Solve
Every time you sign up for a new email service, you're asked for:
- A phone number
- An existing email address
- Your real name
- A government ID (in some countries)
I asked myself: what if email could work like cash? Anonymous by default. No identity required. No trail left behind.
That's how QRYPTY Mail was born — a fully functional, free anonymous email service where your only credential is a 32-character access code.
How It Works (The User's Perspective)
- Go to qrypty.com/register
- Pick a username → your address is
username@qrypty.com - Receive a 32-character access code (your only key)
- Save it. Done. You have a working email inbox.
No phone. No password. No "verify your identity." No CAPTCHA asking you to identify traffic lights for 5 minutes.
Your access code: Kx7mP2vL9nQ4wR8jF3sA6dG1hY5tB0eN
That's it. That string IS your login. Lose it → lose access forever. We don't store it, can't recover it, and have zero idea who you are.
Technical Architecture
Here's what's under the hood:
┌─────────────┐ ┌──────────────┐ ┌────────────┐
│ Nginx │────▶│ FastAPI │────▶│ PostgreSQL │
│ (SSL/TLS) │ │ Backend │ │ (Data) │
└─────────────┘ └──────┬───────┘ └────────────┘
│
┌──────┴───────┐
│ aiosmtpd │
│ SMTP Server │
│ (Port 25) │
└──────────────┘
| Component | Technology | Purpose |
|---|---|---|
| Frontend | React + Vite + Tailwind | SPA with PWA support |
| Backend API | FastAPI (Python 3.12) | REST API, auth, email logic |
| SMTP Inbound | aiosmtpd | Receive emails from Gmail, Outlook, etc. |
| SMTP Outbound | aiosmtplib + DKIM | Send emails to external providers |
| Database | PostgreSQL 16 | Users, emails, folders, attachments |
| Cache | Redis | Rate limiting, sessions |
| Auth | JWT + bcrypt | 32-char code → bcrypt hash → JWT token |
| Push | Web Push (VAPID) | Real-time notifications |
| Deploy | Docker Compose | Single VPS deployment |
The Authentication Model
Traditional email services:
username + password → server verifies → session
QRYPTY Mail:
32-char code → bcrypt verify → JWT (7 days) → access
There's no "forgot password" flow. There's no 2FA because the code IS both factors — something you have (the code) and something you know (where you stored it).
Why 32 Characters?
| Code Length | Possible Combinations | Time to Brute-Force (1B attempts/sec) |
|---|---|---|
| 8 chars | 2.18 × 10¹⁴ | ~2.5 days |
| 16 chars | 4.76 × 10²⁸ | ~1.5 billion years |
| 32 chars | 2.27 × 10⁵⁷ | Heat death of universe × 10²⁰ |
With 62 possible characters (a-z, A-Z, 0-9) and 32 positions, brute-forcing is mathematically impossible.
Privacy by Architecture
Most services say "we respect your privacy" but still collect everything. QRYPTY Mail is architecturally incapable of violating your privacy:
| What We Store | What We DON'T Store |
|---|---|
| Encrypted access code hash | Your IP address |
| Your emails (encrypted at rest) | Browser fingerprints |
| Your chosen username | Real name or identity |
| Phone number | |
| Location data | |
| Login history | |
| Reading habits / analytics |
No Logs — How?
# Our nginx config:
access_log off;
# Our application:
# No IP logging
# No request logging
# No analytics tracking
# No third-party scripts
We literally cannot tell law enforcement who owns an account because we don't know. The access code is bcrypt-hashed — it's a one-way function.
Anti-Spam Without Surveillance
A common argument: "Anonymous email = spam paradise." Here's how we handle it without compromising privacy:
Inbound Spam Filter
def calculate_spam_score(from_addr, subject, body_text, body_html):
score = 0.0
# Check spam keywords
spam_words = ["viagra", "casino", "lottery", "winner", ...]
for word in spam_words:
if word in subject.lower(): score += 3.0
if word in body.lower(): score += 1.5
# Suspicious TLDs
if from_addr.endswith(('.xyz', '.top', '.buzz')): score += 2.0
# ALL CAPS subjects
if upper_ratio > 0.7: score += 2.0
return score # > 5.0 = spam
Outbound Rate Limiting
| Account Age | Hourly Limit | Daily Limit |
|---|---|---|
| < 24 hours | 5 emails | 20 emails |
| > 24 hours | 30 emails | 200 emails |
New accounts get strict limits. Established accounts get generous ones. Spammers give up because they can't mass-send from fresh accounts.
Full Email Compatibility
QRYPTY Mail isn't a toy — it's a real email service with full RFC compliance:
✅ Send to Gmail, Outlook, Yahoo, ProtonMail — any provider
✅ Receive from any external sender
✅ DKIM signing (emails don't land in spam)
✅ Attachments up to 25 MB
✅ HTML emails with rich formatting
✅ Reply chains / threading
✅ Multiple folders (Inbox, Sent, Drafts, Starred, Spam, Trash)
✅ Full-text search across all emails
✅ Push notifications (even when browser is closed)
✅ Install as PWA on any device
13 Languages, Zero Barriers
The interface supports 13 languages out of the box:
| Language | Users | Region |
|---|---|---|
| English | Global | Worldwide |
| Russian | 258M | Russia, CIS |
| Chinese | 1.3B | China, SEA |
| Hindi | 600M | India |
| Spanish | 559M | Americas, Spain |
| French | 321M | France, Africa |
| Arabic | 274M | MENA |
| Bengali | 272M | Bangladesh, India |
| Portuguese | 264M | Brazil, Portugal |
| Urdu | 230M | Pakistan |
| Indonesian | 199M | Indonesia |
| German | 134M | DACH |
| Japanese | 125M | Japan |
Every UI element, error message, and captcha is fully translated.
The Captcha System (Anti-AI)
Instead of Google reCAPTCHA (which tracks you), I built a custom visual captcha with 10 challenge types:
- Color-based — "Type only the BLUE characters"
- Strikethrough — "Type characters WITHOUT a line"
- Size recognition — "Type the BIGGEST character"
- Spatial position — "Type only the TOP row"
- Shape counting — "How many circles?"
- Rotation detection — "Type only UPRIGHT characters"
These exploit the gap between human visual reasoning and AI/OCR capabilities. Humans solve them in 2-3 seconds. Bots can't distinguish color or spatial position from extracted text.
Performance
| Metric | Value |
|---|---|
| Time to register | < 10 seconds |
| First Contentful Paint | < 1.5s |
| API response (average) | < 100ms |
| SMTP delivery (internal) | < 500ms |
| Concurrent users supported | 10,000+ |
| Database size per user | ~2 KB (empty) |
| Max attachment size | 25 MB |
Comparison with Other Services
| Feature | QRYPTY Mail | ProtonMail | Tutanota | Gmail |
|---|---|---|---|---|
| Free tier | ✅ Unlimited | Limited | Limited | ✅ |
| Anonymous registration | ✅ | ❌ (phone/email) | ❌ (wait list) | ❌ |
| No phone required | ✅ | ❌ | ✅ | ❌ |
| No password | ✅ | ❌ | ❌ | ❌ |
| Zero logs | ✅ | Partial | Partial | ❌ |
| Send to any provider | ✅ | ✅ | ✅ | ✅ |
| PWA / installable | ✅ | ❌ | ✅ | ❌ |
| Custom domain | ❌ | Paid | Paid | Paid |
| E2E encryption | Transit only | ✅ | ✅ | ❌ |
| Open registration | ✅ Instant | Often blocked | Wait list | ✅ |
Real-World Use Cases
Journalists & Whistleblowers
Create a disposable tip line in 10 seconds. No paper trail.
Developers & Testing
Need 50 test accounts? Register them in minutes without phone verification hell.
Privacy-Conscious Users
Sign up for services without giving your real email. No more "we sold your data to advertisers."
Activists in Restrictive Countries
No phone number means no government tracking. No ID verification means true anonymity.
Temporary Communication
Need to email someone once? Create account, send, forget the code. Account becomes permanently inaccessible.
Try It Now
👉 qrypty.com — Create your free anonymous email in 10 seconds.
No sign-up forms. No verification emails. No waiting.
Just pick a username, save your code, and you have a fully functional email inbox that nobody can trace back to you.
FAQ
Q: What if I lose my access code?
A: You permanently lose access. We cannot recover it. This is by design — if we could recover it, so could an attacker.
Q: Is this legal?
A: Yes. Anonymous communication is a fundamental right protected by law in most countries. Email anonymity is no different from sending a letter without a return address.
Q: How do you make money?
A: Currently self-funded. The service is free with no plans for paywalls. Running costs are minimal (single VPS).
Q: Can you read my emails?
A: Technically yes (emails are stored in our database). We don't, and we have no business model that incentivizes it. Future versions may add client-side encryption.
Q: Why not just use a VPN + Gmail?
A: Gmail still requires a phone number, still tracks you, still builds an advertising profile. A VPN hides your IP but not your identity from Google.
Built with FastAPI, React, PostgreSQL, and a healthy distrust of surveillance capitalism.
🔗 qrypty.com | Create your anonymous email now
Top comments (0)