FOLD
Native email client · macOS · iOS · iPadOS

Scales natively. Secure at the core.

FOLD is a native email client for people who take their inbox seriously, engineers, researchers, journalists, sysadmins. Security is an architectural constraint, not a polish step.

Scale
500,000
Messages per mailbox, fluid
Verified
1,762
green tests · FoldCore + FoldUI
Third-party deps
0
Apple system frameworks only
Tracking
NULL
No pixels, no telemetry beacon
Stylised preview of the FOLD main view on macOS, three columns: mailbox, message list, message detail.
Main view · macOS Stylised preview · final screenshots to follow
What works today · macOS
Pre-alpha · early access 2026
One inbox across all accounts
cross-account unified inbox
Incremental sync
CONDSTORE delta
Send with undo
undo-send + outbox
Drafts save themselves
local-first + Drafts APPEND
Encrypted
S/MIME & OpenPGP, shipped
Drag & drop
attachments and folders
Why FOLD

Email is a tool,
not an ad channel.

Most mail clients sell you to ad networks, import half the web as a dependency, push banners constantly and call it productivity. FOLD walks the other way. Less code, less surface, fewer assumptions.

01

Progressive disclosure is law

A reply starts with the To field. Cc, Bcc, attachments and encryption appear only on a gesture or keystroke. What is on screen has to earn its place.

02

Keyboard first

Command palette via ⌘K. Search with operator syntax (from:, has:attachment, before:2024-06, /regex/). Header inspector at a keystroke. The mouse is optional.

03

Local. Fast. Private.

All mail lives on your device. A pure-Swift IMAP engine. A four-tier local store. No cloud sync service reading along. Your data stays yours.

04

Sending that thinks ahead

Take a send back during the countdown. Drafts save themselves — local first, then to the Drafts folder. Replies come from the right address, even with a dozen aliases. Sent mail lands cleanly in your server's Sent folder.

Four sentences, visible in the code

Principles for security.

These four sentences are literal quotes from our internal security docs. They are not marketing, they are decision rules during code review.

P · 01 Architecture, not polish

Security first, not last.

Security properties are designed before the feature, not bolted on afterwards. Crypto, TLS validation, sandboxing and logging restrictions land earlier in the pull request than the file does.

P · 02 Better small and self-built

Auditability beats convenience.

A third-party dependency only enters if we cannot correctly build the primitive ourselves and the source is trustworthy. The MVP ships with Apple system frameworks only. No swift-crypto, no libetpan, no JSON helper package.

P · 03 Several layers, none alone

Defense in depth.

TLS · Keychain · App Sandbox · Hardened Runtime · code signing · optional Fortress Mode with Argon2id + AES-256-GCM. If one layer falls, the others keep standing.

P · 04 Less means more security

Minimal attack surface.

Less code, fewer dependencies, fewer entitlements, less data needlessly in memory. Sensitive buffers are zeroed after use. JavaScript inside HTML mail is hard-disabled.

In the picture

What FOLD feels like.

Four views that show what FOLD is about in practice: keyboard-led, transparent about the protocol, no clutter.

Stylised preview of the FOLD main view with mailbox, message list and message detail columns.
01 · macOS

Three-column main view

Mailbox · message list · message detail. Hardware keyboard and trackpad first. On iPadOS the same three-column layout, not a mobile approximation.

Stylised preview of the FOLD command palette with search operator hints.
02 · Keyboard

Command palette

Everything that can be done is typeable. Search operators like from:, has:attachment, before:2024-06 and /regex/ inline.

Stylised preview of the FOLD header inspector with an IMAP protocol trace.
03 · Audit

Header inspector

Raw IMAP/SMTP trace, summoned by keystroke. Lives in a RAM ring buffer, never on disk. For people who want to know what goes over the wire.

Stylised preview of the FOLD conversation view with a stacked thread history.
04 · Threading

Conversation view

Mail woven into threads by the JWZ engine (References/In-Reply-To, subject drift normalised), read as a stacked history. Safe across accounts via Message-ID — never UID.

Automation

Your inbox, scriptable.

Every action in FOLD runs through a single layer. Command line, Shortcuts, widgets and filters all speak the same language: what you do in the terminal, a button in a widget does too. None of it is bolted on after the fact.

foldmail · example
$ foldmail search 'from:alerts@acme.dev is:unread before:2026-01' --json \
  | jq -r '.[].id' \
  | xargs foldmail flag --read
CLI

The foldmail command line

Git-style subcommands: accounts, mailboxes, search, read, flag, delete, compose, send, outbox. Stable --json schema, --quiet for IDs only, defined exit codes: 0 success, 2 invalid query or ID, 3 no match. Drops straight into jq, xargs and your scripts.

Filter

Rules in your search language

Filters are declarative rules whose condition is exactly the search grammar you already know. Every destructive batch action requires a dry-run preview that shows what would happen first. Flagging, marking read and deleting work today; moving and auto-replies (with RFC 3834 loop protection) are in progress.

Shortcuts · planned

Shortcuts, Siri & Spotlight

Planned: through App Intents every foldmail action becomes available to Apple's automation — Shortcuts, voice, Spotlight. No bridges, no plugins. The shared action layer is already in place.

Widgets · planned

Interactive widgets

Planned: interactive widgets — unread count, inbox preview, thread watch, with buttons that act directly. On the lock screen, counts only by default; contents only if you opt in.

Search

One search language, everywhere.

One grammar, one parser: the command bar (⌘K) and the foldmail CLI use it today, and the filter engine builds on exactly that layer — a filter rule is just a saved search plus an action. From keyword to /regex/ to BM25 relevance, across accounts (internal measurement on Apple Silicon, within the millisecond budget).

Search · examples
from:ci@acme.dev has:attachment file:pdf after:2026-01 -is:read
subject:"deploy failed" OR body:/timeout|5\d\d/
size:>10M in:work account:all
Operators

Gmail-style operators

from:, to:, subject:, body:, has:attachment, file:pdf, size:>10M, before:/after:, is:unread, label:, list: — plus account:, from-identity:, in:Archive and relative dates like before:30d. Combine with AND, OR, parentheses and - to exclude.

Regex

Regular expressions inline

When keywords are not enough, /regex/ post-filters right in the search field. Exact phrases in quotes. The same grammar drives UI, CLI and filters.

Relevance

Sorted by BM25

Results by date or BM25 relevance. Full-text via FTS5 in ≤ 200 ms, across all accounts in one go.

Engine

Our own engine, not a wrapper.

IMAP, SMTP and SASL are built in Swift on Network.framework — no C library, no external dependency.

Sync

Incremental, not complete

After the first pass, FOLD remembers the server state (HIGHESTMODSEQ). Every later sync pulls only new mail, changed flags and server-side deletions via CONDSTORE (RFC 7162) — the delta, not the whole mailbox. If the server lacks the extension, FOLD falls back cleanly to a full sync.

Push

Real-time over IDLE

FOLD keeps the inbox live over IMAP IDLE (RFC 2177) — the server announces new mail itself, no polling cadence. Servers without IDLE get a clean polling fallback.

Scale

Built for size

One actor per account and per storage tier. The list index is memory-mapped in fixed 128-byte slots — 500,000 messages fit in roughly 64 MB, no JSON in the scroll path. 0 external dependencies, Apple system frameworks only.

Setup

Type your email, FOLD does the rest.

You enter your address, FOLD finds the servers itself. A six-stage discovery runs in order: known providers, the signed FOLD database, DNS, the Mozilla ISPDB. Before anything connects, you see which servers, no silent connection.

name@example.com
↓ resolved via signed FOLD DB · Ed25519 ✓
imap.example.com:993 · smtp.example.com:587
Zero-config

Discovery in six stages

Cache, built-in providers, signed FOLD DB, DNS SRV (DNSSEC-aware), Mozilla ISPDB, then manual. Around 15 providers are built in, from Gmail and Outlook to Posteo, Mailbox.org and Proton Bridge.

Signed

Provider DB, verified before parsing

The open provider database is Ed25519-signed. FOLD verifies the signature before a single byte is parsed. The data is public (CC0), and you always see the servers before the first connect.

OAuth

Google & Microsoft via OAuth

OAuth2 with mandatory PKCE for Google and Microsoft, including Office 365 and personal accounts. No client secret in the app. Tokens refresh themselves, concurrent requests are coalesced.

Accounts

Accounts and identities, kept separate

Multiple accounts, multiple alias identities per account. When you reply, FOLD automatically picks the address the mail was sent to, with fallback and per-alias opt-out.

Encryption

Both worlds, fully wired.

S/MIME and OpenPGP — not a roadmap promise but shipped, verified byte-for-byte against real gpg and openssl.

S/MIME · macOS

Sign, encrypt, decrypt

Through the system CMS API. Harvest recipient certificates, import .p12/.cer, trust via SecTrust. A valid signature whose certificate address doesn't match the sender is downgraded to ‘untrusted’.

OpenPGP

Modern core, legacy contained

RFC 9580 with Ed25519, X25519, AES-256-OCB. Plus RSA legacy, so your correspondent's existing key isn't a wall. Mandatory MDC against EFAIL, constant-time decryption. Broken paths — MD5, SHA-1, CAST5, IDEA, 3DES — stay out by design.

Key vault

Generate or import

Generate keys inside FOLD (Ed25519 + X25519) or import from GnuPG (pubring.kbx). Private keys rest Argon2id-wrapped in a Keychain-bound vault.

In compose

Options when they count

Encryption options appear only when a recipient has a key — recipient pills colour live by encryptability.

Early access

Get in early.

FOLD is in active development. In 2026 we open early access to a first group of testers — leave your address and we'll reach out as soon as a seat opens up.

Request early access
Defense in depth

Five layers. None of them stands alone.

Each layer has its own job and its own test. If an attacker breaks one, the next layer is still there. If two fall, the third holds.

  1. L1

    TLS

    Strict certificate validation. TLS 1.2 minimum, 1.3 preferred. No auto-accept. Optional cert pinning per account with fingerprint display.

  2. L2

    Auth

    OAuth2 PKCE preferred over passwords. SASL: SCRAM-SHA-256 > XOAUTH2 > CRAM-MD5 > PLAIN. PLAIN only over TLS.

  3. L3

    Sandbox

    App Sandbox + Hardened Runtime. Minimal entitlements: network.client, files.user-selected, keychain. No disable-library-validation.

  4. L4

    Keychain

    Tokens stay in Keychain, bound to the unlocked device. No iCloud sync, never in UserDefaults or plists.

  5. L5

    Render

    JavaScript in HTML mail is hard-disabled. Remote content never auto-loads, attachments get the quarantine bit, hovering shows the real link target. Hardened MIME parser with depth limits.

Optional · per account

Fortress Mode

For when FileVault is not enough: app-level encryption per account. From your passphrase, Argon2id (64 MiB, 3 rounds) derives a 256-bit master key that lives in RAM only. One HKDF subkey per account, AES-256-GCM over the body cache. On idle the vault locks and wipes the key from memory.

Fully documented and proven: S/MIME and OpenPGP verified against real GnuPG and OpenSSL, independent DKIM verification against the RFC 8463 reference vector, threat model mapped to MITRE ATT&CK + D3FEND, CVE test suite against EFAIL & friends, fuzzing for the MIME parsers. Coordinated disclosure welcome.

Read the security dossier
Sender authenticity

Your client checks — not just your server.

FOLD verifies DKIM on its own — body hash, DNS key, header canonicalisation, signature check. No blind trust in a foreign Authentication-Results header.

DKIM

Computed in-house

Independent DKIM verification per RFC 6376/8463, byte-exact against the RFC reference vector. RSA and Ed25519. The DNS lookup piggybacks on the body fetch you're already making — no network just to open a mail.

DMARC

Alignment against the sender

FOLD aligns its self-checked DKIM result and the SPF read from the Authentication-Results header against the visible From: (RFC 7489). Only that alignment turns a signature into proof of authenticity.

Disclosure law

Silent on success

If everything checks out, you see nothing — that's the normal case. Only a gap or a spoofing suspicion is marked, quietly; the detail lives in the security inspector, per signature (d=, selector, algorithm). Mailing lists are damped so the hint doesn't dull over time.

In progress · BIMI

BIMI brings the verified brand logo of real senders. The foundation is in place; a logo appears only when a valid mark certificate backs it against a recognised CA and the DMARC policy enforces. Never a bare, unverified SVG. Display lands before beta.

Comparison

Where FOLD is different.

Speed in the short form against a typical cloud mail client. Security architecture in the short form against the five most-used competitors. The full matrix with sources lives on the security page.

Speed

FOLD vs. a typical cloud mail client
Cold start
Typical
noticeably slower
FOLD
≤ 300 ms
500,000 messages
Typical
UI gets sluggish
FOLD
stays fluid
Telemetry
Typical
active by default
FOLD
none

FOLD values from internal performance targets. Typical cloud mail client values are a qualitative experience reference, not tied to any specific product.

Security architecture

FOLD vs. Apple Mail · Mimestream · Spark · Thunderbird · Outlook
  • 01 Messages stay local, no extra cloud backend in between
  • 02 OpenPGP and S/MIME native — sign, encrypt, decrypt; verified against real GnuPG/OpenSSL. DKIM verified client-side.
  • 03 No telemetry, no link to a vendor cloud

As of June 2026. Source links per column live in the full matrix.

Stack & performance

Apple-only. Swift 6. Our own engine.

No cross-platform wrappers. No web views dressed up as apps. A real native app built on the frameworks the operating system already ships.

Stack

Language
Swift 6 with strict concurrency.
UI
SwiftUI first. AppKit/UIKit only where SwiftUI demonstrably falls short.
Networking
Custom IMAP/POP3/SMTP engine on Network.framework. No C wrapper.
Storage
Direct SQLite, four tiers: HotIndex (mmap) · HeaderStore (WAL) · BodyCache (LRU) · SearchIndex (FTS5).
Crypto
CryptoKit + Security.framework + CommonCrypto, all Apple OS. S/MIME via CMS: sign, encrypt, decrypt. OpenPGP: produces Ed25519/X25519/AES-256-OCB (RFC 9580), additionally reads and writes RSA legacy with mandatory MDC.
Concurrency
Every server connection and storage tier is its own Swift actor; list reads run lock-free over mmap snapshots. Swift 6 strict concurrency, with the thread sanitizer catching data races on every pull request.
Dependencies
Apple system frameworks only. No third parties in the MVP.

Performance budget

Cold start
≤ 300 ms App tap to first visible list row
Scroll frame
≤ 8 ms Hard limit 16 ms (60 fps), even at 500k messages
Search
≤ 50 ms / ≤ 200 ms Header search / full-text (FTS5)
Memory
80 / 150 / 250 MB iOS / iPadOS / macOS working-set target
Sync
Delta Incremental via CONDSTORE (RFC 7162)
Dependencies
0 external SwiftPM dependency list empty, Apple system frameworks only. No third-party CVE upkeep.
Measured, not promised
8.5 ms
Open store + snapshot
0.02 ms
Index range read · 50 rows
58 ms
Full-text · 500,000 messages

Internal measurement on Apple Silicon against a synthetic 500,000-message corpus (June 2026). The 8.5 ms measure opening the store with its first index snapshot, not the app cold start; that budget is ≤ 300 ms and holds across devices, not just at best case.

Storage architecture

Four stores, one detects tampering

The body cache addresses every message by its SHA-256 hash. Two effects: identical content sits on disk only once, and a body tampered with after the fact is caught the moment it loads, because the hash no longer matches. Plus three more tiers: HotIndex (mmap) for instant scrolling, HeaderStore (SQLite WAL) and SearchIndex (FTS5).

Frequently asked

Short questions, short answers.

Which platforms are supported?

The macOS app (13 Ventura and up) is fully usable today. iOS and iPadOS (16 and up) share the same core and are in development — as a first-class target with three-column layout, hardware keyboard, trackpad hover and drag-and-drop, not a mobile approximation. They follow macOS.

Why no third-party libraries?

Because every dependency is attack surface. CryptoKit, Security, Network and SQLite cover everything we need in audited Apple quality. Anyone who reads Swift can read all of our code. Nobody has to trust a stranger's build output.

What about OpenPGP and S/MIME?

S/MIME via the system CMS API; identities (.p12) and recipient certificates can be imported. OpenPGP per RFC 9580 with a modern core — Ed25519, X25519, AES-256-OCB, SHA-256/512, HKDF — plus RSA legacy for existing keys, verified against real gpg. The broken paths stay out by design: MD5, SHA-1, CAST5, IDEA, 3DES. Most OpenPGP CVEs of the last 20 years came from exactly those. Incoming RSA mail is contained by a mandatory MDC and constant-time decryption.

Is FOLD open source?

The code is proprietary, distributed by Datargo GmbH. But it is not unchecked: engine and crypto are verified against real servers and tools (Dovecot, gpg, openssl) and against RFC vectors; FoldCore and FoldUI carry over 1,700 green tests between them. External security audit before beta, bug bounty in preparation. Pull requests against the provider database are curated in the open.

What will FOLD cost?

Pricing is not finalised. The plan is a one-time purchase per platform plus an optional subscription for convenience features (provider-DB updates, backup sync). No ad-supported model. Ever.

What happens to my data?

It stays on your device. FOLD only talks to the mail servers you configure and to our signed provider database for auto-setup. No telemetry. No crash reporters that could ship message contents.

Request early access

FOLD takes its first testers in 2026.
Reserve your slot.

Send us your email address. You will receive a short confirmation as soon as we can hand out a test slot. No newsletter, no advertising, no tracking link.

Opens your mail client, no server processing.