Email RFC Protocol Support - Complete Standards & Specifications Guide

About This Document

This document outlines the RFC (Request for Comments) protocol support for Forward Email. Since Forward Email uses WildDuck under the hood for IMAP/POP3 functionality, the protocol support and limitations documented here reflect WildDuck's implementation.

Source Code: https://github.com/forwardemail/forwardemail.net

Architecture Overview

---

Email Service Comparison - Protocol Support & RFC Standards Compliance

Compare email protocol support and RFC standards implementation across major email providers:

Feature	Forward Email	Postfix/Dovecot	Gmail	iCloud Mail	Outlook.com	Fastmail	Yahoo/AOL (Verizon)	ProtonMail	Tutanota
Custom Domain Price	Free	Free	$7.20/mo	$0.99/mo	$7.20/mo	$5/mo	$3.19/mo	$4.99/mo	$3.27/mo
IMAP4rev1 (RFC 3501)	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	⚠️ Via Bridge	❌ Not Supported
IMAP4rev2 (RFC 9051)	⚠️ Partial	⚠️ Partial	⚠️ 31%	⚠️ 92%	⚠️ 46%	⚠️ 69%	⚠️ 85%	⚠️ Via Bridge	❌ Not Supported
POP3 (RFC 1939)	✅ Supported	✅ Supported	✅ Supported	❌ Not Supported	✅ Supported	✅ Supported	✅ Supported	⚠️ Via Bridge	❌ Not Supported
SMTP (RFC 5321)	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	⚠️ Via Bridge	❌ Not Supported
JMAP (RFC 8620)	❌ Not Supported	❌ Not Supported	❌ Not Supported	❌ Not Supported	❌ Not Supported	✅ Supported	❌ Not Supported	❌ Not Supported	❌ Not Supported
DKIM (RFC 6376)	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported
SPF (RFC 7208)	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported
DMARC (RFC 7489)	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported
ARC (RFC 8617)	✅ Supported	✅ Supported	✅ Supported	❌ Not Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	❌ Not Supported
MTA-STS (RFC 8461)	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported
DANE (RFC 7671)	⚠️ Partial	✅ Supported	❌ Not Supported	❌ Not Supported	❌ Not Supported	❌ Not Supported	❌ Not Supported	✅ Supported	✅ Supported
DSN (RFC 3461)	✅ Supported	✅ Supported	❌ Not Supported	✅ Supported	✅ Supported	⚠️ Unknown	❌ Not Supported	⚠️ Via Bridge	❌ Not Supported
REQUIRETLS (RFC 8689)	✅ Supported	✅ Supported	⚠️ Unknown	⚠️ Unknown	⚠️ Unknown	⚠️ Unknown	⚠️ Unknown	⚠️ Via Bridge	❌ Not Supported
ManageSieve (RFC 5804)	❌ Not Supported	✅ Supported	❌ Not Supported	❌ Not Supported	❌ Not Supported	✅ Supported	❌ Not Supported	❌ Not Supported	❌ Not Supported
OpenPGP (RFC 9580)	✅ Supported	⚠️ Via Plugins	⚠️ Third-party	⚠️ Third-party	⚠️ Third-party	⚠️ Third-party	⚠️ Third-party	✅ Native	❌ Not Supported
S/MIME (RFC 8551)	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	⚠️ Partial	❌ Not Supported	✅ Supported	❌ Not Supported
CalDAV (RFC 4791)	✅ Supported	✅ Supported	✅ Supported	✅ Supported	❌ Not Supported	✅ Supported	❌ Not Supported	✅ Via Bridge	❌ Not Supported
CardDAV (RFC 6352)	✅ Supported	✅ Supported	✅ Supported	✅ Supported	❌ Not Supported	✅ Supported	❌ Not Supported	✅ Via Bridge	❌ Not Supported
Tasks (VTODO)	✅ Supported	✅ Supported	❌ Not Supported	✅ Supported	❌ Not Supported	✅ Supported	❌ Not Supported	❌ Not Supported	❌ Not Supported
Sieve (RFC 5228)	⚠️ Future	✅ Supported	❌ Not Supported	❌ Not Supported	❌ Not Supported	✅ Supported	❌ Not Supported	❌ Not Supported	❌ Not Supported
Catch-All	✅ Supported	✅ Supported	✅ Supported	❌ Not Supported	❌ Not Supported	✅ Supported	❌ Not Supported	❌ Not Supported	✅ Supported
Unlimited Aliases	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	❌ Not Supported	✅ Supported	✅ Supported
Two-Factor Auth	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported
Push Notifications	✅ Supported	⚠️ Via Plugins	✅ Supported	✅ Supported	✅ Supported	✅ Supported	❌ Not Supported	✅ Supported	✅ Supported
Calendar/Contacts Desktop	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	❌ Not Supported	✅ Supported	❌ Not Supported
Advanced Search	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported	✅ Supported
API/Integrations	✅ 39 Endpoints	✅ Supported	✅ Supported	❌ Not Supported	✅ Supported	✅ Supported	❌ Not Supported	✅ Supported	❌ Not Supported

Protocol Support Visualization

---

Core Email Protocols

Email Protocol Flow

IMAP4 Email Protocol and Extensions

Forward Email provides robust IMAP4 support through the WildDuck mail server implementation. The server implements IMAP4rev1 (RFC 3501) with partial support for IMAP4rev2 (RFC 9051) extensions.

Forward Email's IMAP functionality is provided by the WildDuck dependency. The following email RFCs are supported:

RFC	Title	Implementation Notes
RFC 3501	Internet Message Access Protocol (IMAP) - Version 4rev1	Full support with intentional differences (see below)
RFC 2177	IMAP4 IDLE command	Push-style notifications
RFC 2342	IMAP4 Namespace	Mailbox namespace support
RFC 2087	IMAP4 QUOTA extension	Storage quota management
RFC 2971	IMAP4 ID extension	Client/server identification
RFC 5161	IMAP4 ENABLE Extension	Enable IMAP extensions
RFC 4959	IMAP Extension for SASL Initial Client Response (SASL-IR)	Initial client response
RFC 3691	IMAP4 UNSELECT command	Close mailbox without EXPUNGE
RFC 4315	IMAP UIDPLUS extension	Enhanced UID commands
RFC 7162	IMAP Extensions: Quick Flag Changes Resynchronization (CONDSTORE)	Conditional STORE
RFC 6154	IMAP LIST Extension for Special-Use Mailboxes	Special mailbox attributes
RFC 6851	IMAP MOVE Extension	Atomic MOVE command
RFC 6855	IMAP Support for UTF-8	UTF-8 support
RFC 3348	IMAP4 Child Mailbox Extension	Child mailbox information
RFC 7889	IMAP4 Extension for Advertising Maximum Upload Size (APPENDLIMIT)	Maximum upload size

Supported IMAP Extensions:

Extension	RFC	Status	Description
IDLE	RFC 2177	✅ Supported	Push-style notifications
NAMESPACE	RFC 2342	✅ Supported	Mailbox namespace support
QUOTA	RFC 2087	✅ Supported	Storage quota management
ID	RFC 2971	✅ Supported	Client/server identification
ENABLE	RFC 5161	✅ Supported	Enable IMAP extensions
SASL-IR	RFC 4959	✅ Supported	Initial client response
UNSELECT	RFC 3691	✅ Supported	Close mailbox without EXPUNGE
UIDPLUS	RFC 4315	✅ Supported	Enhanced UID commands
CONDSTORE	RFC 7162	✅ Supported	Conditional STORE
SPECIAL-USE	RFC 6154	✅ Supported	Special mailbox attributes
MOVE	RFC 6851	✅ Supported	Atomic MOVE command
UTF8=ACCEPT	RFC 6855	✅ Supported	UTF-8 support
CHILDREN	RFC 3348	✅ Supported	Child mailbox information
APPENDLIMIT	RFC 7889	✅ Supported	Maximum upload size
XLIST	Non-standard	✅ Supported	Gmail-compatible folder listing
XAPPLEPUSHSERVICE	Non-standard	✅ Supported	Apple Push Notification Service

IMAP Protocol Differences from RFC Specifications

Forward Email intentionally deviates from some IMAP RFC specifications. These differences are inherited from WildDuck and are documented below:

• No \Recent flag: The \Recent flag is not implemented. All messages are returned without this flag.
• RENAME doesn't affect subfolders: When renaming a folder, subfolders are not automatically renamed. The folder hierarchy is flat in the database.
• INBOX cannot be renamed: RFC 3501 permits renaming INBOX, but Forward Email explicitly prohibits it. See WildDuck source code.
• No unsolicited FLAGS responses: When flags are changed, no unsolicited FLAGS responses are sent to the client.
• STORE returns NO for deleted messages: Attempting to modify flags on deleted messages returns NO instead of silently ignoring.
• CHARSET ignored in SEARCH: The CHARSET argument in SEARCH commands is ignored. All searches use UTF-8.
• MODSEQ metadata ignored: MODSEQ metadata in STORE commands is ignored.
• SEARCH TEXT and SEARCH BODY: Forward Email uses SQLite FTS5 (Full-Text Search) instead of MongoDB's $text search. This provides:
  • Support for NOT operator (MongoDB doesn't support this)
  • Ranked search results
  • Sub-100ms search performance on large mailboxes
• Autoexpunge behavior: Messages marked with \Deleted are automatically expunged when the mailbox is closed.
• Message fidelity: Some message modifications may not preserve the exact original message structure.

IMAP4rev2 Partial Support:

Forward Email implements IMAP4rev1 (RFC 3501) with partial IMAP4rev2 (RFC 9051) support. The following IMAP4rev2 features are not yet supported:

• LIST-STATUS - Combined LIST and STATUS commands
• LITERAL- - Non-synchronizing literals (minus variant)
• OBJECTID - Unique object identifiers
• SAVEDATE - Save date attribute
• REPLACE - Atomic message replacement
• UNAUTHENTICATE - Close authentication without closing connection

Relaxed Body Structure Handling:

Forward Email uses "relaxed body" handling for malformed MIME structures, which may differ from strict RFC interpretation. This improves compatibility with real-world emails that don't perfectly conform to standards.

METADATA Extension (RFC 5464):

The IMAP METADATA extension is not supported. For more information about this extension, see RFC 5464. Discussion about adding this feature can be found in WildDuck Issue #937.

IMAP Extensions NOT Supported

The following IMAP extensions from the IANA IMAP Capabilities Registry are NOT supported:

RFC	Title	Reason
RFC 2086	IMAP4 ACL extension	Shared folders not implemented. See WildDuck Issue #427
RFC 5256	IMAP SORT and THREAD Extensions	Threading implemented internally but not via RFC 5256 protocol. See WildDuck Issue #12
RFC 5162	IMAP4 Extensions for Quick Mailbox Resynchronization (QRESYNC)	Not implemented
RFC 5464	IMAP METADATA Extension	Metadata operations ignored. See WildDuck documentation
RFC 5258	IMAP4 LIST Command Extensions	Not implemented
RFC 5267	Contexts for IMAP4	Not implemented
RFC 5465	IMAP NOTIFY Extension	Not implemented
RFC 5466	IMAP4 FILTERS Extension	Not implemented
RFC 6203	IMAP4 Extension for Fuzzy Search	Not implemented
RFC 6785	IMAP4 Implementation Recommendations	Recommendations not fully followed
RFC 7162	IMAP Extensions: Quick Flag Changes Resynchronization (CONDSTORE) and Quick Mailbox Resynchronization (QRESYNC)	Not implemented
RFC 8437	IMAP UNAUTHENTICATE Extension for Connection Reuse	Not implemented
RFC 8438	IMAP Extension for STATUS=SIZE	Not implemented
RFC 8457	IMAP "$Important" Keyword and "\Important" Special-Use Attribute	Not implemented
RFC 8474	IMAP Extension for Object Identifiers	Not implemented
RFC 9051	Internet Message Access Protocol (IMAP) - Version 4rev2	Forward Email implements IMAP4rev1 (RFC 3501)

---

POP3 Email Protocol and Extensions

Forward Email's POP3 functionality is provided by the WildDuck dependency. The following email RFCs are supported:

RFC	Title	Implementation Notes
RFC 1939	Post Office Protocol - Version 3 (POP3)	Full support with intentional differences (see below)
RFC 2595	Using TLS with IMAP, POP3 and ACAP	STARTTLS support
RFC 2449	POP3 Extension Mechanism	CAPA command support

Forward Email provides POP3 support for clients that prefer this simpler protocol over IMAP. POP3 is ideal for users who want to download emails to a single device and remove them from the server.

Supported POP3 Extensions:

Extension	RFC	Status	Description
TOP	RFC 1939	✅ Supported	Retrieve message headers
USER	RFC 1939	✅ Supported	Username authentication
UIDL	RFC 1939	✅ Supported	Unique message identifiers
EXPIRE	RFC 2449	✅ Supported	Message expiration policy

POP3 Protocol Differences from RFC Specifications

Forward Email Behavior (source code):

• DELE → QUIT permanently deletes messages
• Follows RFC 1939 specification exactly
• Matches behavior of Dovecot (default), Postfix, and other standards-compliant servers

WildDuck Behavior (discussion):

• DELE → QUIT moves messages to Trash (Gmail-like)
• Intentional design decision for user safety
• Non-RFC-compliant but prevents accidental data loss

Why Forward Email Differs:

• RFC Compliance: Adheres to RFC 1939 specification
• User Expectations: Download-and-delete workflow expects permanent deletion
• Storage Management: Proper disk space reclamation
• Interoperability: Consistent with other RFC-compliant servers

Single-Device Access:

POP3 is designed for single-device access. Messages are typically downloaded and removed from the server, making it unsuitable for multi-device synchronization.

No Folder Support:

POP3 only accesses the INBOX folder. Other folders (Sent, Drafts, Trash, etc.) are not accessible via POP3.

Limited Message Management:

POP3 provides basic message retrieval and deletion. Advanced features like flagging, moving, or searching messages are not available.

POP3 Extensions NOT Supported

The following POP3 extensions from the IANA POP3 Extension Mechanism Registry are NOT supported:

RFC	Title	Reason
RFC 6856	Post Office Protocol Version 3 (POP3) Support for UTF-8	Not implemented in WildDuck POP3 server
RFC 2595	STLS command	Only STARTTLS supported, not STLS
RFC 3206	The SYS and AUTH POP Response Codes	Not implemented

---

SMTP Email Protocol and Extensions

Forward Email's SMTP functionality is provided by multiple components: smtp-server (nodemailer), zone-mta, and custom implementations. The following email RFCs are supported:

RFC	Title	Implementation Notes
RFC 5321	Simple Mail Transfer Protocol (SMTP)	Full support
RFC 3207	SMTP Service Extension for Secure SMTP over Transport Layer Security (STARTTLS)	TLS/SSL support
RFC 4954	SMTP Service Extension for Authentication (AUTH)	PLAIN, LOGIN, CRAM-MD5, XOAUTH2
RFC 6531	SMTP Extension for Internationalized Email (SMTPUTF8)	Native unicode email address support
RFC 3461	SMTP Service Extension for Delivery Status Notifications (DSN)	Full DSN support
RFC 3463	Enhanced Mail System Status Codes	Enhanced status codes in responses
RFC 1870	SMTP Service Extension for Message Size Declaration (SIZE)	Maximum message size advertisement
RFC 2920	SMTP Service Extension for Command Pipelining (PIPELINING)	Command pipelining support
RFC 1652	SMTP Service Extension for 8bit-MIMEtransport (8BITMIME)	8-bit MIME support
RFC 6152	SMTP Service Extension for 8-bit MIME Transport	8-bit MIME support
RFC 2034	SMTP Service Extension for Returning Enhanced Error Codes (ENHANCEDSTATUSCODES)	Enhanced status codes

Forward Email implements a full-featured SMTP server with support for modern extensions that enhance security, reliability, and functionality.

Supported SMTP Extensions:

Extension	RFC	Status	Description
PIPELINING	RFC 2920	✅ Supported	Command pipelining
SIZE	RFC 1870	✅ Supported	Message size declaration (52MB limit)
ETRN	RFC 1985	✅ Supported	Remote queue processing
STARTTLS	RFC 3207	✅ Supported	Upgrade to TLS
ENHANCEDSTATUSCODES	RFC 2034	✅ Supported	Enhanced status codes
8BITMIME	RFC 6152	✅ Supported	8-bit MIME transport
DSN	RFC 3461	✅ Supported	Delivery Status Notifications
CHUNKING	RFC 3030	✅ Supported	Chunked message transfer
SMTPUTF8	RFC 6531	⚠️ Partial	UTF-8 email addresses (partial)
REQUIRETLS	RFC 8689	✅ Supported	Require TLS for delivery

Delivery Status Notifications (DSN)

Forward Email fully supports DSN (RFC 3461), which allows senders to request delivery status notifications. This feature provides:

• Success notifications when messages are delivered
• Failure notifications with detailed error information
• Delay notifications when delivery is temporarily delayed

DSN is particularly useful for:

• Confirming important message delivery
• Troubleshooting delivery issues
• Automated email processing systems
• Compliance and audit requirements

REQUIRETLS Support

Forward Email supports REQUIRETLS (RFC 8689), which ensures that email messages are only delivered over TLS-encrypted connections. This provides:

• End-to-end encryption for the entire delivery path
• User-facing enforcement via checkbox in email composer
• Rejection of unencrypted delivery attempts
• Enhanced security for sensitive communications

SMTP Extensions NOT Supported

The following SMTP extensions from the IANA SMTP Service Extensions Registry are NOT supported:

RFC	Title	Reason
RFC 4865	SMTP Submission Service Extension for Future Message Release (FUTURERELEASE)	Not implemented
RFC 6710	SMTP Extension for Message Transfer Priorities (MT-PRIORITY)	Not implemented
RFC 7293	The Require-Recipient-Valid-Since Header Field and SMTP Service Extension	Not implemented
RFC 7372	Email Auth Status Codes	Not fully implemented
RFC 4468	Message Submission BURL Extension	Not implemented
RFC 3030	SMTP Service Extensions for Transmission of Large and Binary MIME Messages (CHUNKING, BINARYMIME)	Not implemented
RFC 2852	Deliver By SMTP Service Extension	Not implemented

---

JMAP Email Protocol

RFC	Title	Status	Reason
RFC 8620	The JSON Meta Application Protocol (JMAP)	❌ Not Supported	Forward Email uses IMAP/POP3/SMTP and a comprehensive REST API instead

JMAP (JSON Meta Application Protocol) is a modern email protocol designed to replace IMAP.

Why JMAP is Not Supported:

"JMAP is a beast that should not have been invented. It tries to convert TCP/IMAP (already a bad protocol by todays standards) into HTTP/JSON, just using a different transport while keeping the spirit." — Andris Reinman, HN Discussion

"JMAP is more than 10 years old, and there is almost no adoption at all" – Andris Reinman, GitHub Discussion

Also see additional comments at https://hn.algolia.com/?dateRange=all&page=0&prefix=true&query=jmap andris&sort=byDate&type=comment.

Forward Email currently focuses on providing excellent IMAP, POP3, and SMTP support, along with a comprehensive REST API for email management. JMAP support may be considered in the future based on user demand and ecosystem adoption.

Alternative: Forward Email offers a Complete REST API with 39 endpoints that provides similar functionality to JMAP for programmatic email access.

---

Email Security

Email Security Architecture

Email Message Authentication Protocols

Forward Email uses the mailauth library for email authentication. The following RFCs are supported:

RFC	Title	Implementation Notes
RFC 6376	DomainKeys Identified Mail (DKIM) Signatures	Full DKIM signing and verification
RFC 8463	A New Cryptographic Signature Method for DKIM (Ed25519-SHA256)	Supports both RSA-SHA256 and Ed25519-SHA256 signing algorithms
RFC 7208	Sender Policy Framework (SPF)	SPF record validation
RFC 7489	Domain-based Message Authentication, Reporting, and Conformance (DMARC)	DMARC policy enforcement
RFC 8617	Authenticated Received Chain (ARC)	ARC sealing and validation

Email authentication protocols verify that messages are genuinely from the claimed sender and haven't been tampered with during transit.

Authentication Protocol Support

Protocol	RFC	Status	Description
DKIM	RFC 6376	✅ Supported	DomainKeys Identified Mail - Cryptographic signatures
SPF	RFC 7208	✅ Supported	Sender Policy Framework - IP address authorization
DMARC	RFC 7489	✅ Supported	Domain-based Message Authentication - Policy enforcement
ARC	RFC 8617	✅ Supported	Authenticated Received Chain - Preserve authentication across forwards

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to email headers, allowing recipients to verify that the message was authorized by the domain owner and hasn't been modified in transit.

Forward Email uses mailauth for DKIM signing and verification.

Key Features:

• Automatic DKIM signing for all outbound messages
• Support for RSA and Ed25519 keys
• Multiple selector support
• DKIM verification for inbound messages

SPF (Sender Policy Framework)

SPF allows domain owners to specify which IP addresses are authorized to send email on behalf of their domain.

Key Features:

• SPF record validation for inbound messages
• Automatic SPF checking with detailed results
• Support for include, redirect, and all mechanisms
• Configurable SPF policies per domain

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on SPF and DKIM to provide policy enforcement and reporting.

Key Features:

• DMARC policy enforcement (none, quarantine, reject)
• Alignment checking for SPF and DKIM
• DMARC aggregate reporting
• Per-domain DMARC policies

ARC (Authenticated Received Chain)

ARC preserves email authentication results across forwarding and mailing list modifications.

Forward Email uses the mailauth library for ARC verification and sealing.

Key Features:

• ARC sealing for forwarded messages
• ARC validation for inbound messages
• Chain verification across multiple hops
• Preserves original authentication results

Authentication Flow

---

Email Transport Security Protocols

Forward Email implements modern transport security protocols:

RFC	Title	Status	Implementation Notes
RFC 8461	SMTP MTA Strict Transport Security (MTA-STS)	✅ Supported	Extensively used on IMAP, SMTP, and MX servers. See create-mta-sts-cache.js and get-transporter.js
RFC 8460	SMTP TLS Reporting	✅ Supported	Via mailauth library
RFC 7671	The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and Operational Guidance	⚠️ Partial	Custom TLSA resolver implemented (Tangerine.resolveTlsa) but not yet used for DANE validation
RFC 6698	The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA	⚠️ Partial	TLSA resolution available but DANE not fully implemented
RFC 8314	Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access	✅ Supported	TLS required for all connections
RFC 8689	SMTP Service Extension for Requiring TLS (REQUIRETLS)	✅ Supported	Full support for REQUIRETLS SMTP extension and "TLS-Required" header

Transport security protocols ensure that email messages are encrypted and authenticated during transmission between mail servers.

Transport Security Support

Protocol	RFC	Status	Description
TLS	RFC 8314	✅ Supported	Transport Layer Security - Encrypted connections
MTA-STS	RFC 8461	✅ Supported	Mail Transfer Agent Strict Transport Security
DANE	RFC 7671	⚠️ Partial	DNS-based Authentication of Named Entities
REQUIRETLS	RFC 8689	✅ Supported	Require TLS for entire delivery path

TLS (Transport Layer Security)

Forward Email enforces TLS encryption for all email connections (SMTP, IMAP, POP3).

Key Features:

• TLS 1.2 and TLS 1.3 support
• Automatic certificate management
• Perfect Forward Secrecy (PFS)
• Strong cipher suites only

MTA-STS (Mail Transfer Agent Strict Transport Security)

MTA-STS ensures that email is only delivered over TLS-encrypted connections by publishing a policy via HTTPS.

Forward Email implements MTA-STS using create-mta-sts-cache.js.

Key Features:

• Automatic MTA-STS policy publication
• Policy caching for performance
• Downgrade attack prevention
• Certificate validation enforcement

DANE (DNS-based Authentication of Named Entities)

DANE uses DNSSEC to publish TLS certificate information in DNS, allowing mail servers to verify certificates without relying on certificate authorities.

Current Status:

• ⚠️ Partial support for outbound delivery
• ❌ Not enforced for inbound delivery
• Requires DNSSEC-signed domains

REQUIRETLS

REQUIRETLS ensures that email messages are only delivered over TLS-encrypted connections for the entire delivery path.

Key Features:

• User-facing checkbox in email composer
• Automatic rejection of unencrypted delivery
• End-to-end TLS enforcement
• Detailed failure notifications

Transport Security Flow

---

Email Message Encryption

Forward Email supports OpenPGP and S/MIME encryption:

RFC	Title	Status	Implementation Notes
RFC 9580	OpenPGP (supersedes RFC 4880)	✅ Supported	Via OpenPGP.js v6+ integration. See FAQ
RFC 8551	Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification	✅ Supported	Both RSA and ECC algorithms supported. See FAQ

Message encryption protocols protect email content from being read by anyone except the intended recipient, even if the message is intercepted during transit.

Encryption Support

Protocol	RFC	Status	Description
OpenPGP	RFC 9580	✅ Supported	Pretty Good Privacy - Public key encryption
S/MIME	RFC 8551	✅ Supported	Secure/Multipurpose Internet Mail Extensions
WKD	Draft	✅ Supported	Web Key Directory - Automatic key discovery

OpenPGP (Pretty Good Privacy)

OpenPGP provides end-to-end encryption using public key cryptography. Forward Email supports OpenPGP through the Web Key Directory (WKD) protocol.

Key Features:

• Automatic key discovery via WKD
• PGP/MIME support for encrypted attachments
• Key management through email client
• Compatible with GPG, Mailvelope, and other OpenPGP tools

How to Use:

1. Generate a PGP key pair in your email client
2. Upload your public key to Forward Email's WKD
3. Your key is automatically discoverable by other users
4. Send and receive encrypted emails seamlessly

S/MIME (Secure/Multipurpose Internet Mail Extensions)

S/MIME provides email encryption and digital signatures using X.509 certificates.

Key Features:

• Certificate-based encryption
• Digital signatures for message authentication
• Native support in most email clients
• Enterprise-grade security

How to Use:

1. Obtain an S/MIME certificate from a Certificate Authority
2. Install the certificate in your email client
3. Configure your client to encrypt/sign messages
4. Exchange certificates with recipients

SQLite Mailbox Encryption

Beyond message-level encryption, Forward Email encrypts entire mailboxes using sqleet (ChaCha20-Poly1305).

Key Features:

• Password-based encryption - Only you have the password
• Quantum-resistant - ChaCha20-Poly1305 cipher
• Zero-knowledge - Forward Email cannot decrypt your mailbox
• Sandboxed - Each mailbox is isolated and portable
• Unrecoverable - If you forget your password, your mailbox is lost

Encryption Comparison

Feature	OpenPGP	S/MIME	SQLite Encryption
End-to-End	✅ Yes	✅ Yes	✅ Yes
Key Management	Self-managed	CA-issued	Password-based
Client Support	Requires plugin	Native	Transparent
Use Case	Personal	Enterprise	Storage
Quantum-Resistant	⚠️ Depends on key	⚠️ Depends on cert	✅ Yes

Encryption Flow

---

Extended Functionality

Email Message Format Standards

Forward Email supports standard email message formats:

RFC	Title	Implementation Notes
RFC 5322	Internet Message Format	Full support
RFC 2045	MIME Part One: Format of Internet Message Bodies	Full MIME support
RFC 2046	MIME Part Two: Media Types	Full MIME support
RFC 2047	MIME Part Three: Message Header Extensions for Non-ASCII Text	Full MIME support
RFC 2048	MIME Part Four: Registration Procedures	Full MIME support
RFC 2049	MIME Part Five: Conformance Criteria and Examples	Full MIME support

Email format standards define how email messages are structured, encoded, and displayed.

Format Standards Support

Standard	RFC	Status	Description
MIME	RFC 2045-2049	✅ Supported	Multipurpose Internet Mail Extensions
SMTPUTF8	RFC 6531	⚠️ Partial	Internationalized email addresses
EAI	RFC 6530	⚠️ Partial	Email Address Internationalization
Message Format	RFC 5322	✅ Supported	Internet Message Format
MIME Security	RFC 1847	✅ Supported	Security Multiparts for MIME

MIME (Multipurpose Internet Mail Extensions)

MIME allows emails to contain multiple parts with different content types (text, HTML, attachments, etc.).

Supported MIME Features:

• Multipart messages (mixed, alternative, related)
• Content-Type headers
• Content-Transfer-Encoding (7bit, 8bit, quoted-printable, base64)
• Inline images and attachments
• Rich HTML content

SMTPUTF8 and Email Address Internationalization

SMTPUTF8 allows email addresses to contain non-ASCII characters (e.g., 用户@例え.jp).

Current Status:

• ⚠️ Partial support for internationalized email addresses
• ✅ UTF-8 content in message bodies
• ⚠️ Limited support for non-ASCII local parts

---

Calendaring and Contacts Protocols

Forward Email supports CalDAV and CardDAV via the caldav-adapter library:

RFC	Title	Status	Implementation Notes
RFC 4791	Calendaring Extensions to WebDAV (CalDAV)	✅ Supported	Calendar access and management
RFC 6352	CardDAV: vCard Extensions to WebDAV	✅ Supported	Contact access and management
RFC 5545	Internet Calendaring and Scheduling Core Object Specification (iCalendar)	✅ Supported	iCalendar format support
RFC 6350	vCard Format Specification	✅ Supported	vCard 4.0 format support

CalDAV and CardDAV are protocols that allow calendar and contact data to be accessed, shared, and synchronized across devices.

CalDAV and CardDAV Support

Protocol	RFC	Status	Description
CalDAV	RFC 4791	✅ Supported	Calendar access and synchronization
CardDAV	RFC 6352	✅ Supported	Contact access and synchronization
iCalendar	RFC 5545	✅ Supported	Calendar data format
vCard	RFC 6350	✅ Supported	Contact data format
VTODO	RFC 5545	✅ Supported	Task/reminder support

CalDAV (Calendar Access)

CalDAV allows you to access and manage calendars from any device or application.

Key Features:

• Multi-device synchronization
• Shared calendars
• Calendar subscriptions
• Event invitations and responses
• Recurring events
• Timezone support

Compatible Clients:

• Apple Calendar (macOS, iOS)
• Mozilla Thunderbird
• Evolution
• GNOME Calendar
• Any CalDAV-compatible client

CardDAV (Contact Access)

CardDAV allows you to access and manage contacts from any device or application.

Key Features:

• Multi-device synchronization
• Shared address books
• Contact groups
• Photo support
• Custom fields
• vCard 4.0 support

Compatible Clients:

• Apple Contacts (macOS, iOS)
• Mozilla Thunderbird
• Evolution
• GNOME Contacts
• Any CardDAV-compatible client

Tasks and Reminders (CalDAV VTODO)

VTODO is part of the iCalendar format and allows task management through CalDAV.

Key Features:

• Task creation and management
• Due dates and priorities
• Task completion tracking
• Recurring tasks
• Task lists/categories

Compatible Clients:

• Apple Reminders (macOS, iOS)
• Mozilla Thunderbird (with Lightning)
• Evolution
• GNOME To Do
• Any CalDAV client with VTODO support

CalDAV/CardDAV Synchronization Flow

Calendaring Extensions NOT Supported

The following calendaring extensions are NOT supported:

RFC	Title	Reason
RFC 5546	iCalendar Transport-Independent Interoperability Protocol (iTIP)	Not implemented in caldav-adapter
RFC 6047	iCalendar Message-Based Interoperability Protocol (iMIP)	Not implemented in caldav-adapter
RFC 4918	HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)	CalDAV uses WebDAV concepts but doesn't implement full RFC 4918
RFC 6578	Collection Synchronization for WebDAV	Not implemented
RFC 3744	WebDAV Access Control Protocol	Not implemented

---

Email Message Filtering

Sieve (RFC 5228)

RFC	Title	Status	Reason
RFC 5228	Sieve: An Email Filtering Language	⚠️ Future	Not currently supported. May be implemented in the future. See GitHub Discussion #337 to subscribe for updates.

Email filtering protocols allow users to create server-side rules for automatically processing incoming messages.

Sieve is a powerful email filtering language that allows users to create complex rules for message processing.

Planned Features:

• Server-side filtering rules
• Automatic message sorting
• Vacation auto-responders
• Spam filtering
• Forwarding rules
• Custom actions

Why Not Supported Yet:

Forward Email currently focuses on providing a user-friendly web interface for email filtering. Sieve support is planned for future implementation to provide advanced users with more powerful filtering capabilities.

Workaround:

Use Forward Email's web-based filtering interface to create filtering rules through the dashboard.

ManageSieve (RFC 5804)

RFC	Title	Status	Reason
RFC 5804	A Protocol for Remotely Managing Sieve Scripts	❌ Not Supported	Sieve not implemented

ManageSieve is a protocol for remotely managing Sieve scripts.

Planned Features:

• Remote script management
• Script validation
• Multiple script support
• Script activation/deactivation

Current Status:

ManageSieve support is planned for future implementation alongside Sieve. For more information about ManageSieve, see Dovecot's ManageSieve documentation.

---

Storage Optimization

Forward Email implements two revolutionary storage optimization techniques that dramatically reduce mailbox size while maintaining full RFC compliance and message fidelity:

1. Attachment Deduplication - Eliminates duplicate attachments across all emails
2. Brotli Compression - Reduces storage by 46-86% for metadata and 50% for attachments

Architecture: Dual-Layer Storage Optimization

---

Attachment Deduplication

Forward Email implements attachment deduplication based on WildDuck's proven approach, adapted for SQLite storage.

How It Works

WildDuck's Original Implementation (MongoDB GridFS):

Wild Duck IMAP server de-duplicates attachments. "Attachment" in this case means the base64 or quoted-printable encoded mime node contents, not the decoded file. Even though using encoded content means a lot of false negatives (the same file in different emails might be counted as different attachment) it is needed to guarantee the validity of different signature schemes (DKIM, GPG etc.). A message retrieved from Wild Duck looks exactly the same as the message that was stored even though Wild Duck parses the message into a tree-like object and rebuilds the message when retrieving.

Forward Email's SQLite Implementation:

Forward Email adapts this approach for encrypted SQLite storage with the following process:

1. Hash Calculation: When an attachment is found, a hash is calculated using the rev-hash library from the attachment body
2. Lookup: Check if an attachment with matching hash exists in the Attachments table
3. Reference Counting:
   • If exists: Increment reference counter by 1 and magic counter by random number
   • If new: Create new attachment entry with counter = 1
4. Deletion Safety: Uses dual-counter system (reference + magic) to prevent false positives
5. Garbage Collection: Attachments are deleted immediately when both counters reach zero

Source Code: helpers/attachment-storage.js

Deduplication Flow

Magic Number System

Forward Email uses WildDuck's "magic number" system (inspired by Mail.ru) to prevent false positives during deletion:

• Every message gets a random number assigned
• Attachment's magic counter is incremented by that random number when message is added
• Magic counter is decremented by the same number when message is deleted
• Attachment is only deleted when both counters (reference + magic) reach zero

This dual-counter system ensures that if something goes wrong during deletion (e.g., crash, network error), the attachment is not deleted prematurely.

Key Differences: WildDuck vs Forward Email

Feature	WildDuck (MongoDB)	Forward Email (SQLite)
Storage Backend	MongoDB GridFS (chunked)	SQLite BLOB (direct)
Hash Algorithm	SHA256	rev-hash (SHA-256 based)
Reference Counting	✅ Yes	✅ Yes
Magic Numbers	✅ Yes (Mail.ru inspired)	✅ Yes (same system)
Garbage Collection	Delayed (separate job)	Immediate (on zero counters)
Compression	❌ None	✅ Brotli (see below)
Encryption	❌ Optional	✅ Always (ChaCha20-Poly1305)

---

Brotli Compression

Forward Email implements Brotli compression for both attachment bodies and message metadata, providing massive storage savings while maintaining backwards compatibility.

Implementation: helpers/msgpack-helpers.js

What Gets Compressed

1. Attachment Bodies (encodeAttachmentBody)

• Old formats: Hex-encoded string (2x size) or raw Buffer
• New format: Brotli-compressed Buffer with "FEBR" magic header
• Compression decision: Only compresses if it saves space (accounts for 4-byte header)
• Storage savings: Up to 50% (hex → native BLOB)

2. Message Metadata (encodeMetadata)

Includes: mimeTree, headers, envelope, flags

• Old format: JSON text string
• New format: Brotli-compressed Buffer
• Storage savings: 46-86% depending on message complexity

Compression Configuration

// Brotli compression options optimized for speed (level 4 is a good balance)
const BROTLI_COMPRESS_OPTIONS = {
  params: {
    [zlib.constants.BROTLI_PARAM_QUALITY]: 4
  }
};

Why Level 4?

• Fast compression/decompression: Sub-millisecond processing
• Good compression ratio: 46-86% savings
• Balanced performance: Optimal for real-time email operations

Magic Header: "FEBR"

Forward Email uses a 4-byte magic header to identify compressed attachment bodies:

"FEBR" = Forward Email BRotli
Hex: 0x46 0x45 0x42 0x52

Why a magic header?

• Format detection: Instantly identify compressed vs uncompressed data
• Backwards compatibility: Old hex strings and raw Buffers still work
• Collision avoidance: "FEBR" is unlikely to appear at the start of legitimate attachment data

Compression Process

Decompression Process

Backwards Compatibility

All decode functions auto-detect the storage format:

Format	Detection Method	Handling
Brotli-compressed	Check for "FEBR" magic header	Decompress with zlib.brotliDecompressSync()
Raw Buffer	Buffer.isBuffer() without magic	Return as-is
Hex string	Check for even length + [0-9a-f] chars	Decode with Buffer.from(value, 'hex')
JSON string	Check for { or [ first character	Parse with JSON.parse()

This ensures zero data loss during migration from old to new storage formats.

Storage Savings Statistics

Measured savings from production data:

Data Type	Old Format	New Format	Savings
Attachment bodies	Hex-encoded string (2x)	Brotli-compressed BLOB	50%
Message metadata	JSON text	Brotli-compressed BLOB	46-86%
Mailbox flags	JSON text	Brotli-compressed BLOB	60-80%

Source: helpers/migrate-storage-format.js

Migration Process

Forward Email provides automatic, idempotent migration from old to new storage formats:

// Migration statistics tracked:
{
  attachmentsMigrated: 0,
  messagesMigrated: 0,
  mailboxesMigrated: 0,
  bytesSaved: 0  // Total bytes saved from compression
}

Migration steps:

1. Attachment bodies: hex encoding → native BLOB (50% savings)
2. Message metadata: JSON text → brotli-compressed BLOB (46-86% savings)
3. Mailbox flags: JSON text → brotli-compressed BLOB (60-80% savings)

Source: helpers/migrate-storage-format.js

---

Combined Storage Efficiency

Example Scenario:

Traditional email provider (1GB mailbox):

• 1GB disk space = 1GB of emails
• No deduplication: Same attachment stored 10 times = 10x storage waste
• No compression: Full JSON metadata stored = 2-3x storage waste

Forward Email (1GB mailbox):

• 1GB disk space ≈ 2-3GB of emails (effective storage)
• Deduplication: Same attachment stored once, referenced 10 times
• Compression: 46-86% savings on metadata, 50% on attachments
• Encryption: ChaCha20-Poly1305 (no storage overhead)

Comparison Table:

Provider	Storage Technology	Effective Storage (1GB mailbox)
Gmail	None	1GB
iCloud	None	1GB
Outlook.com	None	1GB
Fastmail	None	1GB
ProtonMail	Encryption only	1GB
Tutanota	Encryption only	1GB
Forward Email	Deduplication + Compression + Encryption	2-3GB ✨

Technical Implementation Details

Performance:

• Brotli level 4: Sub-millisecond compression/decompression
• No performance penalty from compression
• SQLite FTS5: Sub-50ms search with NVMe SSD

Security:

• Compression happens after encryption (SQLite database is encrypted)
• ChaCha20-Poly1305 encryption + Brotli compression
• Zero-knowledge: Only user has decryption password

RFC Compliance:

• Messages retrieved look exactly the same as stored
• DKIM signatures remain valid (encoded content preserved)
• GPG signatures remain valid (no modification to signed content)

Why No Other Provider Does This

Complexity:

• Requires deep integration with storage layer
• Backwards compatibility is challenging
• Migration from old formats is complex

Performance concerns:

• Compression adds CPU overhead (solved with Brotli level 4)
• Decompression on every read (solved with SQLite caching)

Forward Email's Advantage:

• Built from the ground up with optimization in mind
• SQLite allows direct BLOB manipulation
• Encrypted per-user databases enable safe compression

---

---

Modern Features

Complete REST API for Email Management

Forward Email offers a complete REST API that provides unprecedented access to your email data. No other email service (including Gmail, iCloud, Outlook, ProtonMail, Tuta, or Fastmail) offers this level of comprehensive, direct database access.

API Documentation: https://forwardemail.net/en/email-api

API Categories (39 Endpoints)

1. Messages API (5 endpoints) - Full CRUD operations on email messages:

• GET /v1/messages - List messages with 15+ advanced search parameters (no other service offers this)
• POST /v1/messages - Create/send messages
• GET /v1/messages/:id - Retrieve message
• PUT /v1/messages/:id - Update message (flags, folders)
• DELETE /v1/messages/:id - Delete message

Example: Find all invoices from last quarter with attachments:

curl -u "alias@domain.com:password" \
  "https://api.forwardemail.net/v1/messages?q=subject:invoice+has:attachment+after:2024-01-01+before:2024-04-01"

See Advanced Search Documentation

2. Folders API (5 endpoints) - Full IMAP folder management via REST:

• GET /v1/folders - List all folders
• POST /v1/folders - Create folder
• GET /v1/folders/:id - Retrieve folder
• PUT /v1/folders/:id - Update folder
• DELETE /v1/folders/:id - Delete folder

3. Contacts API (5 endpoints) - CardDAV contact storage via REST:

• GET /v1/contacts - List contacts
• POST /v1/contacts - Create contact (vCard format)
• GET /v1/contacts/:id - Retrieve contact
• PUT /v1/contacts/:id - Update contact
• DELETE /v1/contacts/:id - Delete contact

4. Calendars API (5 endpoints) - Calendar container management:

• GET /v1/calendars - List calendar containers
• POST /v1/calendars - Create calendar (e.g., "Work Calendar", "Personal Calendar")
• GET /v1/calendars/:id - Retrieve calendar
• PUT /v1/calendars/:id - Update calendar
• DELETE /v1/calendars/:id - Delete calendar

5. Calendar Events API (5 endpoints) - Event scheduling within calendars:

• GET /v1/calendar-events - List events
• POST /v1/calendar-events - Create event with attendees
• GET /v1/calendar-events/:id - Retrieve event
• PUT /v1/calendar-events/:id - Update event
• DELETE /v1/calendar-events/:id - Delete event

Example: Create a calendar event:

curl -u "alias@domain.com:password" \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"title":"Team Meeting","start":"2024-12-20T10:00:00Z","attendees":["team@example.com"],"calendar_id":"calendar123"}' \
  https://api.forwardemail.net/v1/calendar-events

Technical Details

• Authentication: Simple alias:password authentication (no OAuth complexity)
• Performance: Sub-50ms response times with SQLite FTS5 and NVMe SSD storage
• Zero Network Latency: Direct database access, not proxied through external services

Real-World Use Cases

• Email Analytics: Build custom dashboards tracking email volume, response times, sender statistics

• Automated Workflows: Trigger actions based on email content (invoice processing, support tickets)

• CRM Integration: Sync email conversations with your CRM automatically

• Compliance & Discovery: Search and export emails for legal/compliance requirements

• Custom Email Clients: Build specialized email interfaces for your workflow

• Business Intelligence: Analyze communication patterns, response rates, customer engagement

• Document Management: Extract and categorize attachments automatically

• Complete Documentation

• Complete API Reference

• Advanced Search Guide

• 30+ Integration Examples

• Technical Architecture

Forward Email offers a modern REST API that provides full control over email accounts, domains, aliases, and messages. This API serves as a powerful alternative to JMAP and provides functionality beyond traditional email protocols.

Category	Endpoints	Description
Account Management	8	User accounts, authentication, settings
Domain Management	12	Custom domains, DNS, verification
Alias Management	6	Email aliases, forwarding, catch-all
Message Management	7	Send, receive, search, delete messages
Calendar & Contacts	4	CalDAV/CardDAV access via API
Logs & Analytics	2	Email logs, delivery reports

Key API Features

Advanced Search:

The API provides powerful search capabilities with query syntax similar to Gmail:

GET /v1/messages?q=subject:invoice+has:attachment+after:2024-01-01+before:2024-04-01

Supported Search Operators:

• from: - Search by sender
• to: - Search by recipient
• subject: - Search by subject
• has:attachment - Messages with attachments
• is:unread - Unread messages
• is:starred - Starred messages
• after: - Messages after date
• before: - Messages before date
• label: - Messages with label
• filename: - Attachment filename

Calendar Event Management:

GET /v1/calendar-events
POST /v1/calendar-events
PUT /v1/calendar-events/:id
DELETE /v1/calendar-events/:id

Webhook Integrations:

The API supports webhooks for real-time notifications of email events (received, sent, bounced, etc.).

Authentication:

• API key authentication
• OAuth 2.0 support
• Rate limiting: 1000 requests/hour

Data Format:

• JSON request/response
• RESTful design
• Pagination support

Security:

• HTTPS only
• API key rotation
• IP whitelisting (optional)
• Request signing (optional)

API Architecture

---

iOS Push Notifications

Forward Email implements Apple's proprietary XAPPLEPUSHSERVICE extension, providing native push notifications for iOS devices without requiring background polling.

How It Works

XAPPLEPUSHSERVICE is a non-standard IMAP extension that allows iOS Mail app to receive instant push notifications when new emails arrive.

Forward Email implements the proprietary Apple Push Notification service (APNs) integration for IMAP, allowing iOS Mail app to receive instant push notifications when new emails arrive.

Key Features

Instant Delivery:

• Push notifications arrive within seconds
• No battery-draining background polling
• Works even when Mail app is closed

• Instant Delivery: Emails, calendar events, and contacts appear on your iPhone/iPad immediately, not on a polling schedule
• Battery Efficient: Uses Apple's push infrastructure instead of maintaining constant IMAP connections
• Topic-Based Push: Supports push notifications for specific mailboxes, not just INBOX
• No Third-Party Apps Required: Works with the native iOS Mail, Calendar, and Contacts apps

Native Integration:

• Built into iOS Mail app
• No third-party apps required
• Seamless user experience

Privacy-Focused:

• Device tokens are encrypted
• No message content sent through APNS
• Only "new mail" notification sent

Battery Efficient:

• No constant IMAP polling
• Device sleeps until notification arrives
• Minimal battery impact

What Makes This Special

Most open-source email servers (including Dovecot, Postfix, Cyrus IMAP) do NOT support iOS push notifications. Users must either:

• Use IMAP IDLE (keeps connection open, drains battery)
• Use polling (checks every 15-30 minutes, delayed notifications)
• Use proprietary email apps with their own push infrastructure

Forward Email provides the same instant push notification experience as commercial services like Gmail, iCloud, and Fastmail.

Comparison with Other Providers:

Provider	Push Support	Polling Interval	Battery Impact
Forward Email	✅ Native Push	Instant	Minimal
Gmail	✅ Native Push	Instant	Minimal
iCloud	✅ Native Push	Instant	Minimal
Yahoo	✅ Native Push	Instant	Minimal
Outlook.com	❌ Polling	15 minutes	Moderate
Fastmail	❌ Polling	15 minutes	Moderate
ProtonMail	⚠️ Bridge only	Via Bridge	High
Tutanota	❌ App only	N/A	N/A

Implementation Details

IMAP CAPABILITY Response:

* CAPABILITY IMAP4rev1 ... XAPPLEPUSHSERVICE ...

Registration Process:

1. iOS Mail app detects XAPPLEPUSHSERVICE capability
2. App registers device token with Forward Email
3. Forward Email stores token and associates with account
4. When new mail arrives, Forward Email sends push via APNS
5. iOS wakes up Mail app to fetch new messages

Security:

• Device tokens are encrypted at rest
• Tokens expire and are refreshed automatically
• No message content exposed to APNS
• End-to-end encryption maintained

• IMAP Extension: XAPPLEPUSHSERVICE
• Source Code: WildDuck Issue #711
• Setup: Automatic - no configuration needed, works out of the box with iOS Mail app

Comparison with Other Services

Service	iOS Push Support	Method
Forward Email	✅ Yes	XAPPLEPUSHSERVICE (reverse-engineered)
Gmail	✅ Yes	Proprietary Gmail app + Google push
iCloud Mail	✅ Yes	Native Apple integration
Outlook.com	✅ Yes	Proprietary Outlook app + Microsoft push
Fastmail	✅ Yes	XAPPLEPUSHSERVICE
Dovecot	❌ No	IMAP IDLE or polling only
Postfix	❌ No	IMAP IDLE or polling only
Cyrus IMAP	❌ No	IMAP IDLE or polling only

Gmail Push:

Gmail uses a proprietary push system that only works with the Gmail app. iOS Mail app must poll Gmail IMAP servers.

iCloud Push:

iCloud has native push support similar to Forward Email, but only for @icloud.com addresses.

Outlook.com:

Outlook.com does not support XAPPLEPUSHSERVICE, requiring iOS Mail to poll every 15 minutes.

Fastmail:

Fastmail does not support XAPPLEPUSHSERVICE. Users must use the Fastmail app for push notifications or accept 15-minute polling delays.

---

Testing and Verification

Protocol Capability Tests

This section contains the actual CAPABILITY/CAPA/EHLO responses from all tested providers. All tests were run on January 22, 2026.

These tests help verify the advertised and actual support for various email protocols and extensions across major providers.

Test Methodology

Test Environment:

• Date: January 22, 2026 at 02:37 UTC
• Location: AWS EC2 instance
• IPv4: 54.167.216.197
• IPv6: 2600:4040:46da:9a00:b19e:3ad4:426c:2f48
• Tools: OpenSSL s_client, bash scripts

Providers Tested:

• Forward Email
• Gmail
• Outlook.com
• iCloud
• Fastmail
• Yahoo/AOL (Verizon)

Test Scripts

For full transparency, the exact scripts used for these tests are provided below.

IMAP Capability Test Script

#!/bin/bash
# IMAP Capability Test Script
# Tests IMAP CAPABILITY for various email providers

echo "========================================="
echo "IMAP CAPABILITY TEST"
echo "Date: $(date -u +"%Y-%m-%d %H:%M:%S UTC")"
echo "========================================="
echo ""

# Gmail
echo "--- Gmail (imap.gmail.com:993) ---"
echo -e "a001 CAPABILITY\na002 LOGOUT" | timeout 10 openssl s_client -connect imap.gmail.com:993 -crlf -quiet 2>&1 | grep -A 20 "CAPABILITY"
echo ""

# Outlook.com
echo "--- Outlook.com (outlook.office365.com:993) ---"
echo -e "a001 CAPABILITY\na002 LOGOUT" | timeout 10 openssl s_client -connect outlook.office365.com:993 -crlf -quiet 2>&1 | grep -A 20 "CAPABILITY"
echo ""

# iCloud
echo "--- iCloud (imap.mail.me.com:993) ---"
echo -e "a001 CAPABILITY\na002 LOGOUT" | timeout 10 openssl s_client -connect imap.mail.me.com:993 -crlf -quiet 2>&1 | grep -A 20 "CAPABILITY"
echo ""

# Fastmail
echo "--- Fastmail (imap.fastmail.com:993) ---"
echo -e "a001 CAPABILITY\na002 LOGOUT" | timeout 10 openssl s_client -connect imap.fastmail.com:993 -crlf -quiet 2>&1 | grep -A 20 "CAPABILITY"
echo ""

# Yahoo
echo "--- Yahoo (imap.mail.yahoo.com:993) ---"
echo -e "a001 CAPABILITY\na002 LOGOUT" | timeout 10 openssl s_client -connect imap.mail.yahoo.com:993 -crlf -quiet 2>&1 | grep -A 20 "CAPABILITY"
echo ""

# Forward Email
echo "--- Forward Email (imap.forwardemail.net:993) ---"
echo -e "a001 CAPABILITY\na002 LOGOUT" | timeout 10 openssl s_client -connect imap.forwardemail.net:993 -crlf -quiet 2>&1 | grep -A 20 "CAPABILITY"
echo ""

echo "========================================="
echo "Test completed"
echo "========================================="

POP3 Capability Test Script

#!/bin/bash
# POP3 Capability Test Script
# Tests POP3 CAPA for various email providers

echo "========================================="
echo "POP3 CAPABILITY TEST"
echo "Date: $(date -u +"%Y-%m-%d %H:%M:%S UTC")"
echo "========================================="
echo ""

# Gmail
echo "--- Gmail (pop.gmail.com:995) ---"
echo -e "CAPA\nQUIT" | timeout 10 openssl s_client -connect pop.gmail.com:995 -crlf -quiet 2>&1 | grep -A 20 "CAPA"
echo ""

# Outlook.com
echo "--- Outlook.com (outlook.office365.com:995) ---"
echo -e "CAPA\nQUIT" | timeout 10 openssl s_client -connect outlook.office365.com:995 -crlf -quiet 2>&1 | grep -A 20 "CAPA"
echo ""

# iCloud (Note: iCloud does not support POP3)
echo "--- iCloud (No POP3 support) ---"
echo "iCloud does not support POP3"
echo ""

# Fastmail
echo "--- Fastmail (pop.fastmail.com:995) ---"
echo -e "CAPA\nQUIT" | timeout 10 openssl s_client -connect pop.fastmail.com:995 -crlf -quiet 2>&1 | grep -A 20 "CAPA"
echo ""

# Yahoo
echo "--- Yahoo (pop.mail.yahoo.com:995) ---"
echo -e "CAPA\nQUIT" | timeout 10 openssl s_client -connect pop.mail.yahoo.com:995 -crlf -quiet 2>&1 | grep -A 20 "CAPA"
echo ""

# Forward Email
echo "--- Forward Email (pop3.forwardemail.net:995) ---"
echo -e "CAPA\nQUIT" | timeout 10 openssl s_client -connect pop3.forwardemail.net:995 -crlf -quiet 2>&1 | grep -A 20 "CAPA"
echo ""

echo "========================================="
echo "Test completed"
echo "========================================="

SMTP Capability Test Script

#!/bin/bash
# SMTP Capability Test Script
# Tests SMTP EHLO for various email providers

echo "========================================="
echo "SMTP CAPABILITY TEST"
echo "Date: $(date -u +"%Y-%m-%d %H:%M:%S UTC")"
echo "========================================="
echo ""

# Gmail
echo "--- Gmail (smtp.gmail.com:587) ---"
echo -e "EHLO test.com\nQUIT" | timeout 10 openssl s_client -connect smtp.gmail.com:587 -starttls smtp -crlf -quiet 2>&1 | grep -A 30 "250-"
echo ""

# Outlook.com
echo "--- Outlook.com (smtp.office365.com:587) ---"
echo -e "EHLO test.com\nQUIT" | timeout 10 openssl s_client -connect smtp.office365.com:587 -starttls smtp -crlf -quiet 2>&1 | grep -A 30 "250-"
echo ""

# iCloud
echo "--- iCloud (smtp.mail.me.com:587) ---"
echo -e "EHLO test.com\nQUIT" | timeout 10 openssl s_client -connect smtp.mail.me.com:587 -starttls smtp -crlf -quiet 2>&1 | grep -A 30 "250-"
echo ""

# Fastmail
echo "--- Fastmail (smtp.fastmail.com:587) ---"
echo -e "EHLO test.com\nQUIT" | timeout 10 openssl s_client -connect smtp.fastmail.com:587 -starttls smtp -crlf -quiet 2>&1 | grep -A 30 "250-"
echo ""

# Yahoo
echo "--- Yahoo (smtp.mail.yahoo.com:587) ---"
echo -e "EHLO test.com\nQUIT" | timeout 10 openssl s_client -connect smtp.mail.yahoo.com:587 -starttls smtp -crlf -quiet 2>&1 | grep -A 30 "250-"
echo ""

# Forward Email
echo "--- Forward Email (smtp.forwardemail.net:587) ---"
echo -e "EHLO test.com\nQUIT" | timeout 10 openssl s_client -connect smtp.forwardemail.net:587 -starttls smtp -crlf -quiet 2>&1 | grep -A 30 "250-"
echo ""

echo "========================================="
echo "Test completed"
echo "========================================="

Test Results Summary

IMAP (CAPABILITY)

Forward Email

* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN CHILDREN ENABLE ID IDLE NAMESPACE QUOTA SASL-IR UNSELECT XLIST XAPPLEPUSHSERVICE

Gmail

* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 UIDPLUS COMPRESS=DEFLATE ENABLE MOVE CONDSTORE ESEARCH UTF8=ACCEPT LIST-EXTENDED LIST-STATUS LITERAL- SPECIAL-USE

iCloud

* OK [CAPABILITY XAPPLEPUSHSERVICE IMAP4 IMAP4rev1 SASL-IR AUTH=ATOKEN AUTH=PLAIN AUTH=ATOKEN2 AUTH=XOAUTH2]

Outlook.com

* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+

Fastmail

* CAPABILITY IMAP4rev1 ACL ANNOTATE-EXPERIMENT-1 CATENATE CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE LIST-EXTENDED LIST-STATUS LITERAL+ LOGINDISABLED MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SORT SPECIAL-USE THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN X-RENAME XLIST

Yahoo/AOL (Verizon)

* CAPABILITY IMAP4rev1 IDLE NAMESPACE QUOTA ID XLIST CHILDREN UIDPLUS MOVE CONDSTORE ESEARCH ENABLE LIST-EXTENDED LIST-STATUS LITERAL- SPECIAL-USE UNSELECT XAPPLEPUSHSERVICE

POP3 (CAPA)

Forward Email

+OK
CAPA
TOP
USER
UIDL
EXPIRE 30
IMPLEMENTATION ForwardEmail
.

Gmail

+OK
CAPA
TOP
USER
UIDL
EXPIRE 30
IMPLEMENTATION Gpop
.

Outlook.com

+OK
CAPA
TOP
USER
UIDL
SASL PLAIN XOAUTH2
.

Fastmail

+OK
CAPA
TOP
USER
UIDL
EXPIRE 30
IMPLEMENTATION Cyrus
.

SMTP (EHLO)

Forward Email

250-smtp.forwardemail.net
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING

Gmail

250-smtp.gmail.com at your service
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8

Outlook.com

250-SN4PR13CA0005.outlook.office365.com Hello [x.x.x.x]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

Fastmail

250-smtp.fastmail.com
250-PIPELINING
250-SIZE 78643200
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING

Yahoo/AOL (Verizon)

250-smtp.mail.yahoo.com
250-PIPELINING
250-SIZE 41943040
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-STARTTLS

Detailed Test Results

IMAP Test Results

Gmail: * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER

Outlook.com: * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+

iCloud: * CAPABILITY XAPPLEPUSHSERVICE IMAP4 IMAP4rev1 SASL-IR AUTH=ATOKEN AUTH=PLAIN AUTH=ATOKEN2 AUTH=XOAUTH2

Fastmail: Connection timed out. See notes below.

Yahoo: * CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=XOAUTH2 AUTH=OAUTHBEARER ID MOVE NAMESPACE XYMHIGHESTMODSEQ UIDPLUS LITERAL+ CHILDREN UNSELECT X-MSG-EXT OBJECTID IDLE ENABLE UIDONLY X-ALL-MAIL X-UIDONLY LIST-EXTENDED LIST-STATUS SPECIAL-USE PARTIAL APPENDLIMIT=41697280

Forward Email: * CAPABILITY XAPPLEPUSHSERVICE IMAP4rev1 APPENDLIMIT=52428800 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN CHILDREN CONDSTORE ENABLE ID IDLE MOVE NAMESPACE QUOTA SASL-IR SPECIAL-USE UIDPLUS UNSELECT UTF8=ACCEPT XLIST

POP3 Test Results

Gmail: Connection did not return CAPA response without authentication.

Outlook.com: Connection did not return CAPA response without authentication.

iCloud: Not Supported.

Fastmail: Connection timed out. See notes below.

Yahoo: +OK CAPA list follows... SASL PLAIN XOAUTH2

Forward Email: Connection did not return CAPA response without authentication.

SMTP Test Results

Gmail: 250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH

Outlook.com: 250-DSN

iCloud: 250-DSN

Fastmail: 250 AUTH PLAIN LOGIN XOAUTH2 OAUTHBEARER

Yahoo: 250 AUTH PLAIN LOGIN XOAUTH2 OAUTHBEARER

Forward Email: 250-DSN, 250-REQUIRETLS

Notes on Test Results

1. Fastmail Timeouts: Fastmail connections timed out during testing, likely due to rate limiting or firewall restrictions from the test server IP. Fastmail is known to have robust IMAP/POP3/SMTP support based on their documentation.

2. POP3 CAPA Responses: Several providers (Gmail, Outlook.com, Forward Email) did not return CAPA responses without authentication. This is common security practice for POP3 servers.

3. DSN Support: Only Outlook.com, iCloud, and Forward Email explicitly advertise DSN support in their SMTP EHLO responses. This doesn't necessarily mean other providers don't support DSN, but they don't advertise it.

4. REQUIRETLS: Only Forward Email explicitly advertises REQUIRETLS support with user-facing enforcement checkbox. Other providers may support it internally but don't advertise it in EHLO.

5. Test Environment: Tests were conducted from AWS EC2 instance (IP: 54.167.216.197 IPv4, 2600:4040:46da:9a00:b19e:3ad4:426c:2f48 IPv6) on January 22, 2026 at 02:37 UTC.

---

Summary

Forward Email provides comprehensive RFC protocol support across all major email standards:

• IMAP4rev1: 16 supported RFCs with intentional differences documented
• POP3: 4 supported RFCs with RFC-compliant permanent deletion
• SMTP: 11 supported extensions including SMTPUTF8, DSN, and PIPELINING
• Authentication: DKIM, SPF, DMARC, ARC fully supported
• Transport Security: MTA-STS and REQUIRETLS fully supported, DANE partial support
• Encryption: OpenPGP v6 and S/MIME supported
• Calendaring: CalDAV, CardDAV, and VTODO fully supported
• API Access: Complete REST API with 39 endpoints for direct database access
• iOS Push: Native push notifications for email, contacts, and calendars via XAPPLEPUSHSERVICE

Key Differentiators

What Makes Forward Email Unique:

1. Quantum-Safe Encryption - Only provider with ChaCha20-Poly1305 encrypted SQLite mailboxes
2. Zero-Knowledge Architecture - Your password encrypts your mailbox; we can't decrypt it
3. Free Custom Domains - No monthly fees for custom domain email
4. REQUIRETLS Support - User-facing checkbox to enforce TLS for entire delivery path
5. Comprehensive API - 39 REST API endpoints for full programmatic control
6. iOS Push Notifications - Native XAPPLEPUSHSERVICE support for instant delivery
7. Open Source - Full source code available on GitHub
8. Privacy-Focused - No data mining, no ads, no tracking

• Sandboxed Encryption: Only email service with individually encrypted SQLite mailboxes
• RFC Compliance: Prioritizes standards compliance over convenience (e.g., POP3 DELE)
• Complete API: Direct programmatic access to all email data
• Open Source: Fully transparent implementation

Protocol Support Summary:

Category	Support Level	Details
Core Protocols	✅ Excellent	IMAP4rev1, POP3, SMTP fully supported
Modern Protocols	⚠️ Partial	IMAP4rev2 partial support, JMAP not supported
Security	✅ Excellent	DKIM, SPF, DMARC, ARC, MTA-STS, REQUIRETLS
Encryption	✅ Excellent	OpenPGP, S/MIME, SQLite encryption
CalDAV/CardDAV	✅ Excellent	Full calendar and contact sync
Filtering	⚠️ Future	Sieve and ManageSieve planned
API	✅ Excellent	39 REST API endpoints
Push	✅ Excellent	Native iOS push notifications