An email client that fits how developers actually use email

A day with four mailboxes

At 08:10, the work Gmail has the on-call rotation update for the week. You read it, archive it with E, move on. At 09:45, the personal Gmail has a code-review request from the open-source project you maintain on the side; the GitHub notification went to a third address you set up exactly so it could be triaged separately. ⌘K, type the repo name, jump to the thread. At 13:20, the alumni address forwards a reply about a panel at next month’s conference; you draft an answer from the right identity (the nonprofit board uses a fourth one) and ⌘↵. On most setups today, none of those four accounts share a client: each one arrived with its own app, its own shortcuts, its own font.

Epistles is one client for all of them. Each connected account speaks its provider’s native protocol: Gmail API for Google, OWA for Microsoft 365, JMAP for Fastmail and compatible servers, Proton with OpenPGP for ProtonMail, IMAP plus CalDAV/CardDAV for iCloud through a single app-specific-password wizard, IMAP and SMTP for everywhere else. Gmail’s labels, Microsoft’s threading, and JMAP push survive intact. Each thread carries a quiet chip naming the address it belongs to, so you don’t reply from the wrong identity at midnight.

Native on Linux. Native on Mac

The Linux build is a Tauri 2 binary. APT, DNF, and Flatpak repos at repo.epistles.com; the Rust runtime is a few megabytes and the rendered UI uses the system WebKitGTK rather than a bundled Chromium. OAuth opens in your real system browser instead of an embedded WebView, so the consent screen looks like the consent screen you already trust. IMAP and SMTP run over a Rust TCP transport. CalDAV and CardDAV are first-class for the self-hosted Nextcloud crowd.

The Mac build is a signed, notarized React Native macOS app: native menu bar, native keychain, native push for Gmail (via Pub/Sub) and Microsoft 365 (via OWA SignalR), Spotlight on the local cache. It is not a wrapped web app. Both desktop builds share most of their code with the iOS and Android apps; what differs is the system surface, not the engine.

The keyboard

Every verb has a letter. ⌘K opens a command palette that searches accounts, mailboxes, threads, and actions. J and K walk the list. E archives, S stars, ⌘↵ sends. Bindings are remappable in Settings, including chord alternates, so the muscle memory you carry from Gmail, Mail.app, or Mailspring lands in the same shape here. If you want x for select and g i for go-to-inbox the way Gmail does, that’s a configuration, not a fork. The palette is the same surface across mail, calendar, and contacts.

Zero telemetry, by design

The desktop and mobile apps ship with no analytics SDK, no third-party crash reporter, no usage telemetry. The only network calls Epistles makes to our infrastructure are functional ones: vault sync, push registration, OAuth refresh, image proxy, opt-in outbound tracking. Debugging happens through named logs that stay on your device until you choose to export a diagnostic bundle. If we don’t hear from you, we don’t hear from your app. The security page documents the subprocessors we use and what each one sees.

Epistles is proprietary closed-source software. The trust mechanism is the security page, the zero-telemetry posture, and a published subprocessor list, not source-code inspection. If that trade-off is wrong for your environment, Thunderbird is open source and a genuinely good Linux email client.

Privacy as a default, not a feature flag

Mail lives on your device, in a local SQLite store, and search runs against that cache: milliseconds, no round trip, no signal required. The local DB sits behind your operating system’s disk encryption (FileVault on Mac, Data Protection on iOS, File-Based Encryption on Android, BitLocker on Windows, your luks setup on Linux).

Cross-device credential sync goes through a zero-knowledge Cloud Vault: IMAP passwords and JMAP session blobs are encrypted on your device with a key derived from your Epistles password, and the server stores opaque AES-256-GCM bytes it cannot read. OAuth refresh tokens are a deliberate carve-out, the backend is the single rotator and serves short-lived bearers to your devices, so multiple clients don’t race on a single-use refresh token and brick the chain. ProtonMail key material is also carved out and stays in the OS keychain only; it never enters the vault. The security page walks through the full design, including the failure modes.

What isn’t there yet

An honest pitch lists the gaps. As of today:

• The single combined-list unified inbox view lands later this year. Multi-account today means one client, one keyboard, one set of shortcuts, one composer, one command palette across every account, with each message chipped to the life it belongs to. The single chronological combined list that flattens everything into one stream is the part still on the 2026 roadmap. Snooze, send-later, read receipts, calendar, contacts, and per-account notification rules all ship today.
• No Slack, Linear, or task-app integrations. Email is the job here.
• No AI summarization. Local-first and zero-knowledge are real constraints; we don’t send the contents of your mail to a model provider, and we have no plans to.
• The source repo is not yet public. See above.

Try it, or read the code

Mac, Linux, Windows, iOS, Android, and the web ship today, with Apple Watch and Wear OS companions for triage on the wrist. Free covers up to two connected accounts; Pro at $35 a year is unlimited, with a 15-day no-card trial. Join the waitlist, or read the security page if you want to verify the encryption and storage claims before signing up. We write back to engineers who want to verify. That’s the audience this page was written for.