FOLD
Native email client · macOS · iOS · iPadOS

Mail, taken seriously.
Ruthlessly tidy. Still nerdy.

FOLD is a native email client for people who take their inbox seriously: engineers, researchers, journalists, sysadmins. Security is an architectural constraint, not a polish step.

Scale: 500,000 (messages per mailbox, fluid)
Cold start: 8.5 ms (measured on M-series · budget ≤ 300 ms)
Third-party deps: 0 (Apple system frameworks only)
Tracking: None (no pixels, no telemetry beacon)
Stylised preview of the FOLD main view on macOS, three columns: mailbox, message list, message detail.
Main view · macOS Stylised preview · final screenshots to follow
Why FOLD

Email is a tool,
not an attention market.

Most mail clients sell you to ad networks, import half the web as a dependency, push banners constantly and call it productivity. FOLD walks the other way. Less code, less surface, fewer assumptions.

01

Progressive disclosure is law

A reply starts with the To field. Cc, Bcc, attachments and encryption appear only on a gesture or keystroke. What is on screen has to earn its place.

02

Keyboard first

Command palette via ⌘K. Search with operator syntax (from:, has:attachment, before:2024-06, /regex/). Header inspector at a keystroke. The mouse is optional.

03

Local. Fast. Private.

All mail lives on your device. A pure-Swift IMAP engine. A four-tier local store. No cloud sync service reading along. Your data stays yours.

Four sentences, visible in the code

Principles for security.

These four sentences are literal quotes from our internal security docs. They are not marketing; they are decision rules during code review.

P · 01 Architecture, not polish

Security first, not last.

Security properties are designed before the feature, not bolted on afterwards. Crypto, TLS validation, sandboxing and logging restrictions land earlier in the pull request than the file does.

P · 02 Better small and self-built

Auditability beats convenience.

A third-party dependency only enters if we cannot correctly build the primitive ourselves and the source is trustworthy. The MVP ships with Apple system frameworks only. No swift-crypto, no libetpan, no JSON helper package.

P · 03 Several layers, none alone

Defense in depth.

TLS · Keychain · App Sandbox · Hardened Runtime · code signing · optional Fortress Mode with Argon2id + AES-256-GCM. If one layer falls, the others keep standing.

P · 04 Less means more security

Minimal attack surface.

Less code, fewer dependencies, fewer entitlements, less data needlessly in memory. Sensitive buffers are zeroed after use. JavaScript inside HTML mail is hard-disabled.

In the picture

What FOLD feels like.

Three views that show what 'ruthlessly tidy' means in practice. Keyboard-led, transparent about the protocol, no clutter.

Stylised preview of the FOLD main view with mailbox, message list and message detail columns.
01 · macOS

Three-column main view

Mailbox · message list · message detail. Hardware keyboard and trackpad first. On iPadOS the same three-column layout, not a mobile approximation.

Stylised preview of the FOLD command palette with search operator hints.
02 · Keyboard

Command palette

Everything that can be done is typeable. Search operators like from:, has:attachment, before:2024-06 and /regex/ inline.

Stylised preview of the FOLD header inspector with an IMAP protocol trace.
03 · Audit

Header inspector

Raw IMAP/SMTP trace, summoned by keystroke. Lives in a RAM ring buffer, never on disk. For people who want to know what goes over the wire.

Automation

Your inbox, scriptable.

Every action in FOLD runs through a single layer. Command line, Shortcuts, widgets and filters all speak the same language: what you do in the terminal, a button in a widget does too. None of it is bolted on after the fact.

fold · example
$ fold search 'from:alerts@acme.dev is:unread before:2026-01' --json \
  | jq -r '.[].id' \
  | xargs fold flag --read
CLI

The fold command line

Git-style subcommands for reading, searching, flagging, moving, sending. Stable --json schema, documented exit codes, pipe-friendly. Drops straight into jq, xargs and your scripts.

Filter

Rules in your search language

Filters are declarative rules whose condition is exactly the search grammar you already know. Destructive actions require --dry-run; auto-replies are protected against loops (RFC 3834).

Shortcuts

Shortcuts, Siri & Spotlight

Through App Intents every action is available to Apple's automation: Shortcuts, voice, Spotlight. No bridges, no plugins.

Widgets

Interactive widgets

Unread count, inbox preview and thread watch — with buttons that act directly, like mark or archive. On the lock screen, counts only by default; contents only if you opt in.

Search

One search language, everywhere.

The same operators in the command bar (⌘K), in the fold CLI and in your filters. From simple keywords to regular expressions, across accounts in milliseconds.

Search · examples
from:ci@acme.dev has:attachment file:pdf after:2026-01 -is:read
subject:"deploy failed" OR body:/timeout|5\d\d/
size:>10M in:work account:all
Operators

Gmail-style operators

from:, to:, subject:, body:, has:attachment, file:pdf, size:>10M, before:/after:, is:unread, label:, list:. Combine with AND, OR, parentheses and - to exclude.

Regex

Regular expressions inline

When keywords are not enough, /regex/ post-filters right in the search field. Exact phrases in quotes. The same grammar drives UI, CLI and filters.

Relevance

Sorted by BM25

Results by date or BM25 relevance. Full-text via FTS5 in ≤ 200 ms, across all accounts in one go.

Setup

Type your email, FOLD does the rest.

You enter your address; FOLD finds the servers itself. A six-stage discovery runs in order: known providers, the signed FOLD database, DNS, the Mozilla ISPDB. Before anything connects, you see which servers: no silent connection.

name@example.com
↓ resolved via signed FOLD DB · Ed25519 ✓
imap.example.com:993 · smtp.example.com:587
Zero-config

Discovery in six stages

Cache, built-in providers, signed FOLD DB, DNS SRV (DNSSEC-aware), Mozilla ISPDB, then manual. Around 15 providers are built in, from Gmail and Outlook to Posteo, Mailbox.org and Proton Bridge.

Signed

Provider DB, verified before parsing

The open provider database is Ed25519-signed. FOLD verifies the signature before a single byte is parsed. The data is public (CC0), and you always see the servers before the first connect.

OAuth

Google & Microsoft via OAuth

OAuth2 with mandatory PKCE for Google and Microsoft, including Office 365 and personal accounts. No client secret in the app. Tokens refresh themselves; concurrent requests are coalesced.

Accounts

Accounts and identities, kept separate

Multiple accounts, multiple alias identities per account. When you reply, FOLD automatically picks the address the mail was sent to, with fallback and per-alias opt-out.

Early access

Get in early.

FOLD is in active development. In 2026 we open early access to a first group of testers — leave your address and we'll reach out as soon as a seat opens up.

Defense in depth

Five layers. None of them stands alone.

Each layer has its own job and its own test. If an attacker breaks one, the next layer is still there. If two fall, the third holds.

  1. L1

    TLS

    Strict certificate validation. TLS 1.2 minimum, 1.3 preferred. No auto-accept. Optional cert pinning per account with fingerprint display.

  2. L2

    Auth

    OAuth2 PKCE preferred over passwords. SASL: SCRAM-SHA-256 > XOAUTH2 > CRAM-MD5 > PLAIN. PLAIN only over TLS.

  3. L3

    Sandbox

    App Sandbox + Hardened Runtime. Minimal entitlements: network.client, files.user-selected, keychain. No disable-library-validation.

  4. L4

    Keychain

    Tokens stay in Keychain, bound to the unlocked device. No iCloud sync, never in UserDefaults or plists.

  5. L5

    Render

    JavaScript in HTML mail is hard-disabled. Remote content never auto-loads, attachments get the quarantine bit, hovering shows the real link target. Hardened MIME parser with depth limits.
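
The mechanism ordering from layer L2, as an added Python sketch (not FOLD's code): pick the strongest mechanism the server advertises for which a credential exists, and refuse PLAIN unless TLS is already active. The function names and the two CAPABILITY lines are constructed for illustration.

```python
from typing import Optional

# Preference order as stated on the page, strongest first.
PREFERENCE = ("SCRAM-SHA-256", "XOAUTH2", "CRAM-MD5", "PLAIN")
NEEDS_TLS = {"PLAIN"}        # sends the password itself
NEEDS_TOKEN = {"XOAUTH2"}    # uses an OAuth2 bearer token, not a password


def advertised_mechanisms(capability_line: str) -> set:
    """Extract AUTH=... entries from '* CAPABILITY ...' or '* OK [CAPABILITY ...]'."""
    tokens = capability_line.replace("[", " ").replace("]", " ").upper().split()
    return {t[len("AUTH="):] for t in tokens if t.startswith("AUTH=")}


def select_mechanism(capability_line: str, tls_active: bool,
                     have_password: bool, have_token: bool) -> Optional[str]:
    """Return the strongest usable mechanism, or None to refuse authentication."""
    offered = advertised_mechanisms(capability_line)
    for mech in PREFERENCE:
        if mech not in offered:
            continue
        if mech in NEEDS_TLS and not tls_active:
            continue  # never put a cleartext password on an unencrypted link
        if mech in NEEDS_TOKEN:
            if have_token:
                return mech
            continue
        if have_password:
            return mech
    return None  # nothing acceptable: fail closed instead of downgrading


# Constructed sample server responses.
MODERN = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=CRAM-MD5 AUTH=XOAUTH2 AUTH=SCRAM-SHA-256"
LEGACY = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] ready"

if __name__ == "__main__":
    print(select_mechanism(MODERN, True, have_password=True, have_token=False))
    print(select_mechanism(LEGACY, False, have_password=True, have_token=False))
```

A capability list read before STARTTLS is unauthenticated; RFC 3501 requires the client to discard it and query again once TLS is up, so the selection should run on the post-TLS list.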

Optional · per account

Fortress Mode

For when FileVault is not enough: app-level encryption per account. From your passphrase, Argon2id (64 MiB, 3 rounds) derives a 256-bit master key that lives in RAM only. One HKDF subkey per account, AES-256-GCM over the body cache. On idle the vault locks and wipes the key from memory.

Fully documented: threat model mapped to MITRE ATT&CK + D3FEND, CVE test suite against EFAIL & friends, fuzzing for MIME parsers. Coordinated disclosure welcome.

Comparison

Where FOLD is different.

Speed in the short form against a typical cloud mail client. Security architecture in the short form against the five most-used competitors. The full matrix with sources lives on the security page.

Speed

FOLD vs. a typical cloud mail client
Cold start · Typical: noticeably slower · FOLD: ≤ 300 ms
500,000 messages · Typical: UI gets sluggish · FOLD: stays fluid
Telemetry · Typical: active by default · FOLD: none

FOLD values from internal performance targets. Typical cloud mail client values are a qualitative experience reference, not tied to any specific product.

Security architecture

FOLD vs. Apple Mail · Mimestream · Spark · Thunderbird · Outlook
  • 01 Messages stay local, no extra cloud backend in between
  • 02 OpenPGP native as a deliberately small RFC 9580 subset
  • 03 No telemetry, no link to a vendor cloud

As of May 2026. Source links per column live in the full matrix.

Stack & performance

Apple-only. Swift 6. Our own engine.

No cross-platform wrappers. No web views dressed up as apps. A real native app built on the frameworks the operating system already ships.

Stack

Language: Swift 6 with strict concurrency.
UI: SwiftUI first. AppKit/UIKit only where SwiftUI demonstrably falls short.
Networking: Custom IMAP/POP3/SMTP engine on Network.framework. No C wrapper.
Storage: Direct SQLite, four tiers: HotIndex (mmap) · HeaderStore (WAL) · BodyCache (LRU) · SearchIndex (FTS5).
Crypto: CryptoKit + Security.framework. S/MIME via CMS. OpenPGP modern subset: Ed25519, X25519, AES-OCB.
Dependencies: Apple system frameworks only. No third parties in the MVP.

Performance budget

Cold start: ≤ 300 ms · App tap to first visible list row
Scroll frame: ≤ 8 ms · Hard limit 16 ms (60 fps), even at 500k messages
Search: ≤ 50 ms / ≤ 200 ms · Header search / full-text (FTS5)
Memory: 80 / 150 / 250 MB · iOS / iPadOS / macOS working-set target
Sync: 1 round trip · Incremental via CONDSTORE / QRESYNC
Binary: lean · No third-party packages also means no foreign CVE maintenance
Measured, not promised
Cold start: 8.5 ms
Scroll frame: 0.02 ms
Full-text · 500,000 messages: 58 ms

Internal measurement on Apple Silicon against a synthetic 500,000-message corpus (May 2026). The budget figures above hold across devices, not just at best case.

Storage architecture

Four stores, one detects tampering

The body cache addresses every message by its SHA-256 hash. Two effects: identical content sits on disk only once, and a body tampered with after the fact is caught the moment it loads, because the hash no longer matches. Plus three more tiers: HotIndex (mmap) for instant scrolling, HeaderStore (SQLite WAL) and SearchIndex (FTS5).
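
Content addressing as described above, in an added Python sketch (not FOLD's storage code): the SHA-256 of a body is its file name, so a second copy costs nothing and any later change to the bytes fails the check on load. The class and method names and the on-disk layout are assumptions.

```python
import hashlib
import os
import re
import tempfile

HEX_DIGEST = re.compile(r"[0-9a-f]{64}")


class TamperedBody(Exception):
    """Stored bytes no longer hash to the digest they are filed under."""


class BodyCache:
    def __init__(self, root: str) -> None:
        self.root = root

    def path_for(self, digest: str) -> str:
        # The digest becomes a file path, so accept only 64 lowercase hex chars.
        if not HEX_DIGEST.fullmatch(digest):
            raise ValueError("not a SHA-256 hex digest")
        return os.path.join(self.root, digest[:2], digest[2:])

    def put(self, body: bytes) -> str:
        digest = hashlib.sha256(body).hexdigest()
        path = self.path_for(digest)
        if not os.path.exists(path):            # identical content is stored once
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path + ".tmp", "wb") as f:
                f.write(body)
            os.replace(path + ".tmp", path)     # publish atomically
        return digest

    def get(self, digest: str) -> bytes:
        with open(self.path_for(digest), "rb") as f:
            body = f.read()
        if hashlib.sha256(body).hexdigest() != digest:
            raise TamperedBody(digest)          # fail closed, never render
        return body

    def stored_files(self) -> int:
        return sum(len(files) for _, _, files in os.walk(self.root))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        cache = BodyCache(root)
        sample = b"Subject: constructed sample\r\n\r\nhello\r\n"  # constructed
        key = cache.put(sample)
        cache.put(sample)                        # duplicate, no new file
        print(key, cache.stored_files())
```

The check proves only that the bytes match the digest they were requested by, so the digest itself has to come from a record an attacker cannot rewrite along with the file.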

Frequently asked

Short questions, short answers.

Which platforms are supported?

macOS 13 (Ventura) and up, iOS 16 and up, iPadOS 16 and up as a first-class citizen. Three-column layout, hardware keyboard, trackpad hover and drag-and-drop are mandatory on iPad, not a bonus.

Why no third-party libraries?

Because every dependency is attack surface. CryptoKit, Security, Network and SQLite cover everything we need in audited Apple quality. Anyone who reads Swift can read all of our code. Nobody has to trust a stranger's build output.

What about OpenPGP and S/MIME?

S/MIME via the system CMS API. OpenPGP as a deliberately small modern-only subset (RFC 9580): Ed25519, X25519, AES-OCB, SHA-256/512, HKDF. No RSA, no DSA, no MD5/SHA-1, no CAST5: most OpenPGP CVEs of the last 20 years came from exactly those legacy paths.

Is FOLD open source?

The code is proprietary. Distributed by Datargo GmbH. An external security audit is planned before beta. A bug bounty is in preparation. Pull requests against the provider database are curated in the open.

What will FOLD cost?

Pricing is not finalised. The plan is a one-time purchase per platform plus an optional subscription for convenience features (provider-DB updates, backup sync). No ad-supported model. Ever.

What happens to my data?

It stays on your device. FOLD only talks to the mail servers you configure and to our signed provider database for auto-setup. No telemetry. No crash reporters that could ship message contents.

Request early access

FOLD takes its first testers in 2026.
Reserve your slot.

Send us your email address. You will receive a short confirmation as soon as we can hand out a test slot. No newsletter, no advertising, no tracking link.

Opens your mail client, no server processing.