How I Built a Free Anonymous Email Service — No Phone, No Password, No Logs

PRIVACY GUIDE — Sun, 03 May 2026 05:26:45 +0000

The Problem I Wanted to Solve

Every time you sign up for a new email service, you're asked for:

A phone number
An existing email address
Your real name
A government ID (in some countries)

I asked myself: what if email could work like cash? Anonymous by default. No identity required. No trail left behind.

That's how QRYPTY Mail was born — a fully functional, free anonymous email service where your only credential is a 32-character access code.

How It Works (The User's Perspective)

Go to qrypty.com/register
Pick a username → your address is username@qrypty.com
Receive a 32-character access code (your only key)
Save it. Done. You have a working email inbox.

No phone. No password. No "verify your identity." No CAPTCHA asking you to identify traffic lights for 5 minutes.

Your access code: Kx7mP2vL9nQ4wR8jF3sA6dG1hY5tB0eN

That's it. That string IS your login. Lose it → lose access forever. We don't store it, can't recover it, and have zero idea who you are.

Technical Architecture

Here's what's under the hood:

┌─────────────┐     ┌──────────────┐     ┌────────────┐
│   Nginx     │────▶│   FastAPI    │────▶│ PostgreSQL │
│  (SSL/TLS)  │     │   Backend    │     │   (Data)   │
└─────────────┘     └──────┬───────┘     └────────────┘
                           │
                    ┌──────┴───────┐
                    │  aiosmtpd    │
                    │ SMTP Server  │
                    │  (Port 25)   │
                    └──────────────┘

Component	Technology	Purpose
Frontend	React + Vite + Tailwind	SPA with PWA support
Backend API	FastAPI (Python 3.12)	REST API, auth, email logic
SMTP Inbound	aiosmtpd	Receive emails from Gmail, Outlook, etc.
SMTP Outbound	aiosmtplib + DKIM	Send emails to external providers
Database	PostgreSQL 16	Users, emails, folders, attachments
Cache	Redis	Rate limiting, sessions
Auth	JWT + bcrypt	32-char code → bcrypt hash → JWT token
Push	Web Push (VAPID)	Real-time notifications
Deploy	Docker Compose	Single VPS deployment

The Authentication Model

Traditional email services:

username + password → server verifies → session

QRYPTY Mail:

32-char code → bcrypt verify → JWT (7 days) → access

There's no "forgot password" flow. There's no 2FA because the code IS both factors — something you have (the code) and something you know (where you stored it).

Why 32 Characters?

Code Length	Possible Combinations	Time to Brute-Force (1B attempts/sec)
8 chars	2.18 × 10¹⁴	~2.5 days
16 chars	4.76 × 10²⁸	~1.5 billion years
32 chars	2.27 × 10⁵⁷	Heat death of universe × 10²⁰

With 62 possible characters (a-z, A-Z, 0-9) and 32 positions, brute-forcing is mathematically impossible.

Privacy by Architecture

Most services say "we respect your privacy" but still collect everything. QRYPTY Mail is architecturally incapable of violating your privacy:

What We Store	What We DON'T Store
Encrypted access code hash	Your IP address
Your emails (encrypted at rest)	Browser fingerprints
Your chosen username	Real name or identity
	Phone number
	Location data
	Login history
	Reading habits / analytics

No Logs — How?

# Our nginx config:
access_log off;

# Our application:
# No IP logging
# No request logging
# No analytics tracking
# No third-party scripts

We literally cannot tell law enforcement who owns an account because we don't know. The access code is bcrypt-hashed — it's a one-way function.

Anti-Spam Without Surveillance

A common argument: "Anonymous email = spam paradise." Here's how we handle it without compromising privacy:

Inbound Spam Filter

def calculate_spam_score(from_addr, subject, body_text, body_html):
    score = 0.0

    # Check spam keywords
    spam_words = ["viagra", "casino", "lottery", "winner", ...]
    for word in spam_words:
        if word in subject.lower(): score += 3.0
        if word in body.lower(): score += 1.5

    # Suspicious TLDs
    if from_addr.endswith(('.xyz', '.top', '.buzz')): score += 2.0

    # ALL CAPS subjects
    if upper_ratio > 0.7: score += 2.0

    return score  # > 5.0 = spam

Outbound Rate Limiting

Account Age	Hourly Limit	Daily Limit
< 24 hours	5 emails	20 emails
> 24 hours	30 emails	200 emails

New accounts get strict limits. Established accounts get generous ones. Spammers give up because they can't mass-send from fresh accounts.

Full Email Compatibility

QRYPTY Mail isn't a toy — it's a real email service with full RFC compliance:

✅ Send to Gmail, Outlook, Yahoo, ProtonMail — any provider

✅ Receive from any external sender

✅ DKIM signing (emails don't land in spam)

✅ Attachments up to 25 MB

✅ HTML emails with rich formatting

✅ Reply chains / threading

✅ Multiple folders (Inbox, Sent, Drafts, Starred, Spam, Trash)

✅ Full-text search across all emails

✅ Push notifications (even when browser is closed)

✅ Install as PWA on any device

13 Languages, Zero Barriers

The interface supports 13 languages out of the box:

Language	Users	Region
English	Global	Worldwide
Russian	258M	Russia, CIS
Chinese	1.3B	China, SEA
Hindi	600M	India
Spanish	559M	Americas, Spain
French	321M	France, Africa
Arabic	274M	MENA
Bengali	272M	Bangladesh, India
Portuguese	264M	Brazil, Portugal
Urdu	230M	Pakistan
Indonesian	199M	Indonesia
German	134M	DACH
Japanese	125M	Japan

Every UI element, error message, and captcha is fully translated.

The Captcha System (Anti-AI)

Instead of Google reCAPTCHA (which tracks you), I built a custom visual captcha with 10 challenge types:

Color-based — "Type only the BLUE characters"
Strikethrough — "Type characters WITHOUT a line"
Size recognition — "Type the BIGGEST character"
Spatial position — "Type only the TOP row"
Shape counting — "How many circles?"
Rotation detection — "Type only UPRIGHT characters"

These exploit the gap between human visual reasoning and AI/OCR capabilities. Humans solve them in 2-3 seconds. Bots can't distinguish color or spatial position from extracted text.

Performance

Metric	Value
Time to register	< 10 seconds
First Contentful Paint	< 1.5s
API response (average)	< 100ms
SMTP delivery (internal)	< 500ms
Concurrent users supported	10,000+
Database size per user	~2 KB (empty)
Max attachment size	25 MB

Comparison with Other Services

Feature	QRYPTY Mail	ProtonMail	Tutanota	Gmail
Free tier	✅ Unlimited	Limited	Limited	✅
Anonymous registration	✅	❌ (phone/email)	❌ (wait list)	❌
No phone required	✅	❌	✅	❌
No password	✅	❌	❌	❌
Zero logs	✅	Partial	Partial	❌
Send to any provider	✅	✅	✅	✅
PWA / installable	✅	❌	✅	❌
Custom domain	❌	Paid	Paid	Paid
E2E encryption	Transit only	✅	✅	❌
Open registration	✅ Instant	Often blocked	Wait list	✅

Real-World Use Cases

Journalists & Whistleblowers

Create a disposable tip line in 10 seconds. No paper trail.

Developers & Testing

Need 50 test accounts? Register them in minutes without phone verification hell.

Privacy-Conscious Users

Sign up for services without giving your real email. No more "we sold your data to advertisers."

Activists in Restrictive Countries

No phone number means no government tracking. No ID verification means true anonymity.

Temporary Communication

Need to email someone once? Create account, send, forget the code. Account becomes permanently inaccessible.

Try It Now

👉 qrypty.com — Create your free anonymous email in 10 seconds.

No sign-up forms. No verification emails. No waiting.

Just pick a username, save your code, and you have a fully functional email inbox that nobody can trace back to you.

FAQ

Q: What if I lose my access code?

A: You permanently lose access. We cannot recover it. This is by design — if we could recover it, so could an attacker.

Q: Is this legal?

A: Yes. Anonymous communication is a fundamental right protected by law in most countries. Email anonymity is no different from sending a letter without a return address.

Q: How do you make money?

A: Currently self-funded. The service is free with no plans for paywalls. Running costs are minimal (single VPS).

Q: Can you read my emails?

A: Technically yes (emails are stored in our database). We don't, and we have no business model that incentivizes it. Future versions may add client-side encryption.

Q: Why not just use a VPN + Gmail?

A: Gmail still requires a phone number, still tracks you, still builds an advertising profile. A VPN hides your IP but not your identity from Google.

Built with FastAPI, React, PostgreSQL, and a healthy distrust of surveillance capitalism.

🔗 qrypty.com | Create your anonymous email now

Open Forem: PRIVACY GUIDE

How I Built a Free Anonymous Email Service — No Phone, No Password, No Logs

The Problem I Wanted to Solve

How It Works (The User's Perspective)

Technical Architecture

The Authentication Model

Why 32 Characters?

Privacy by Architecture

No Logs — How?

Anti-Spam Without Surveillance

Inbound Spam Filter

Outbound Rate Limiting

Full Email Compatibility

13 Languages, Zero Barriers

The Captcha System (Anti-AI)

Performance

Comparison with Other Services

Real-World Use Cases

Try It Now

FAQ