In comparison
We only compare FOLD against properties that are objectively verifiable, and we link the source per column. As of May 2026. If a vendor changes something, this table changes with it.
| Property | FOLD | Apple Mail | Mimestream | Spark | Thunderbird | Outlook (new) |
|---|---|---|---|---|---|---|
| No extra cloud backend | Yes | Yes | Yes (direct to Gmail) | No (Readdle cloud) | Yes | No (MS cloud) |
| App Sandbox active | Yes | Yes | Yes | Yes | Limited (standard install is not sandboxed) | Yes |
| OpenPGP native | Yes (RFC 9580 modern subset) | No | No | No | Yes | No |
| S/MIME native | Yes | Yes | No | No | Yes | Yes |
| Any IMAP provider | Yes | Yes | No (Gmail only) | Yes | Yes | Limited (forced through MS cloud) |
| Open source | No | No | No | No | Yes (MPL 2.0) | No |
Sources: Apple Platform Security · Mimestream supported accounts · Spark privacy explained · Thunderbird · New Outlook cloud sync (Cybernews, 2023).
The speed comparison on the homepage is deliberately anonymous and does not reference any specific competitor as long as we do not publish reproducible benchmarks.
Dependency policy
A third-party dependency is only accepted when all four criteria hold: it provides a primitive we cannot correctly build ourselves · it comes from a trustworthy source (Apple, the Swift Server Work Group, audited authors) · it is auditable (source readable, scope manageable) · it is explicitly listed in the table.
The MVP allows Apple system frameworks only.
| Allowed | |
|---|---|
| Foundation | Apple SDK. |
| Network | Apple SDK · TLS via NWProtocolTLS. |
| CryptoKit | Ed25519, X25519, AES-GCM, ChaCha20-Poly1305, SHA-2, HKDF. |
| Security | S/MIME (CMS) and Keychain. |
| AuthenticationServices | ASWebAuthenticationSession for OAuth. |
| SQLite3 | System SQLite through a thin Swift wrapper. No GRDB, no SQLite.swift. |
| os.Logger | Apple SDK. |
| Excluded | |
|---|---|
| swift-crypto | Cross-platform twin of CryptoKit, not needed on Apple-only. |
| libetpan, MailCore | C wrappers; we want auditable Swift code. |
| OpenPGP libraries | Our own modern-only implementation instead of a large legacy surface. |
| SwiftData / CoreData | Not sufficient for 500k+ mails; we go directly to SQLite. |
| Third-party JSON/logging/networking | Foundation and os are enough. |
Crypto strategy
Primitives strictly from CryptoKit and Security.framework. No homegrown work at the primitive level. Constant-time comparisons (CryptoKit's compare, never == on Data). Zero-on-free for sensitive buffers.
OpenPGP: modern-only subset
We implement RFC 9580 deliberately small. Ed25519 (signatures), X25519 (KEX), AES-256 in OCB mode, SHA-256/512, HKDF-SHA-256. No RSA, DSA, ElGamal, CAST5, IDEA, Blowfish, 3DES, MD5, SHA-1. Reason: most OpenPGP CVEs of the last twenty years came out of exactly those legacy paths.
S/MIME
Via Security.framework's CMS API. Certificates from the system keychain. Trust validation through SecTrust. Trust status appears as a quiet micro indicator, not a noisy banner.
TLS defaults
Strict certificate validation. TLS 1.2 minimum, 1.3 preferred. STARTTLS: we connect plaintext, request STARTTLS and abort if the server fails to upgrade, no silent downgrade. Cipher suites via Apple's ATS defaults. Cert pinning is off by default (it would block legitimate CA rotations), available as an opt-in power-user feature per account.
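The STARTTLS rule above, written out as a client-side decision function. This is an added example, not FOLD's code: `ScriptedServer`, `upgrade_or_abort` and the transcripts are hypothetical and constructed. It also rejects plaintext that is already buffered after the STARTTLS reply, a check that goes beyond what the page states.

```python
class DowngradeError(Exception):
    """Raised instead of continuing on a plaintext connection."""

class ScriptedServer:
    """Constructed stand-in for a plaintext IMAP socket; replays canned replies."""
    def __init__(self, greeting, replies):
        self.pending = [greeting]
        self.replies = replies      # command verb -> list of response lines
        self.sent = []

    def send(self, line):
        self.sent.append(line)
        self.pending.extend(self.replies.get(line.split()[1].upper(), []))

    def readline(self):
        # None means "nothing buffered", which is what the client wants to
        # see between the STARTTLS reply and the TLS handshake.
        return self.pending.pop(0) if self.pending else None

def upgrade_or_abort(conn):
    """Return "handshake" when TLS may start; raise DowngradeError otherwise."""
    greeting = conn.readline()
    if greeting is None or not greeting.startswith("* OK"):
        raise DowngradeError("no usable greeting")
    conn.send("a1 CAPABILITY")
    caps = set()
    while (line := conn.readline()) is not None:
        if line.upper().startswith("* CAPABILITY"):
            caps |= {c.upper() for c in line.split()[2:]}
        elif line.startswith("a1 "):
            break
    if "STARTTLS" not in caps:
        raise DowngradeError("server does not offer STARTTLS")
    conn.send("a2 STARTTLS")
    reply = conn.readline()
    if reply is None or not reply.upper().startswith("A2 OK"):
        raise DowngradeError("STARTTLS refused")
    if conn.readline() is not None:
        # Anything queued here arrived unauthenticated and must not be
        # parsed as if it came through the TLS session.
        raise DowngradeError("plaintext data buffered after STARTTLS reply")
    # Caller starts the TLS handshake, then re-issues CAPABILITY; the set
    # collected above is discarded because it was sent in the clear.
    return "handshake"
```

No credential-bearing command is ever written before the function returns, so a stripped capability line ends the session with nothing sensitive on the wire.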
Authentication
Passwords and OAuth tokens only live in Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly. Never in UserDefaults or plists. OAuth flows run through ASWebAuthenticationSession, tokens return via the system browser. PKCE is mandatory. No client secret inside the binary.
Logging policy
Hard ban on PII, message content, subjects, addresses, tokens and cookies in logs, even in debug builds. Allowed: connection events (host, port, TLS version, latency), protocol state, error categories, anonymous counters. The raw command trace behind the header inspector lives in a RAM ring buffer only, never persisted to disk.
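One way to make such a policy enforceable rather than advisory is to allowlist log fields and check the shape of every value, instead of scrubbing free text afterwards. This is an added example, not FOLD's logger; the field names, patterns and `render_event` are assumptions, since the page lists categories and no schema.

```python
import re

# Assumed field names mapped to the only value shapes they may carry.
ALLOWED = {
    "host": re.compile(r"[A-Za-z0-9.-]{1,253}"),
    "port": re.compile(r"\d{1,5}"),
    "tls_version": re.compile(r"TLSv1\.[23]"),
    "latency_ms": re.compile(r"\d{1,7}"),
    "state": re.compile(r"[A-Z_]{1,32}"),
    "error_category": re.compile(r"[a-z_]{1,32}"),
    "counter": re.compile(r"[a-z_]{1,32}=\d{1,12}"),
}

class LogPolicyViolation(ValueError):
    """Raised at the call site; the message never echoes the rejected value."""

def render_event(event, **fields):
    """Build one log line, refusing anything outside the allowlist."""
    # Event names are static identifiers, so no user data can ride in them.
    if not re.fullmatch(r"[a-z_.]{1,48}", event):
        raise LogPolicyViolation("event name must be a static identifier")
    parts = [event]
    for key in sorted(fields):
        pattern = ALLOWED.get(key)
        if pattern is None:
            raise LogPolicyViolation(f"field not allowed: {key}")
        value = str(fields[key])
        # Shape check stops an address or token being smuggled through an
        # allowed key such as host.
        if not pattern.fullmatch(value):
            raise LogPolicyViolation(f"value shape rejected for: {key}")
        parts.append(f"{key}={value}")
    return " ".join(parts)
```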
Sandbox & Hardened Runtime
macOS: App Sandbox enabled. Entitlements are minimal: network.client, files.user-selected.read-write, keychain. No disable-library-validation. iOS: sandbox by default, App Groups only when required. Hardened Runtime enabled. Distribution via Developer ID (macOS) or App Store (iOS).
Fortress Mode
Opt-in per account for application-level encryption. Argon2id over a user passphrase + 32-byte salt in Keychain (m=64 MiB, t=3, p=4) → 256-bit master key in RAM only. Per-account key via HKDF-SHA-256. AES-256-GCM over HotIndex text fields, HeaderStore TEXT columns and the body cache. Auto-lock wipes the master key on inactivity, screen lock or app backgrounding. Expected overhead: +50 ms cold start, +30 % cold body reads. Compatible with our performance targets.
What Fortress is not
Not a replacement for OpenPGP/S-MIME (that is end-to-end over the wire, Fortress protects the local copy only). No magic against a compromised kernel or OS. Not an anonymising mode, IMAP metadata still tells the server who you talk to.
Threat model
Defenses mapped explicitly against MITRE ATT&CK (offensive techniques) and MITRE D3FEND (defensive counter-mappings). Spear-phishing attachments, MIME bombs, polyglot files, credential dumping, TLS-stripping MITM, EFAIL-style HTML exfiltration: for every technique, the FOLD mitigation and its test are named.
Test strategy
Strict concurrency, ExistentialAny, warnings-as-errors in CI. Address, Thread and Undefined-Behavior sanitisers on every pull request. A CVE test suite against historic mail-client CVEs (EFAIL, BadWinmail, iOS Mail heap overflows). Fuzzing for MIMEParser, EncodedWord, AddressParser, HeaderBlockParser with libFuzzer over 100k+ corpora.
Coordinated disclosure
Found a flaw? Write to security@foldmail.de. We confirm within 72 hours. Fixes ship with credit as soon as they are out. PGP key on request.