Docs / Security
Kanmail is designed with privacy and security as core principles. This page provides a detailed overview of how Kanmail handles your data.
Architecture
Kanmail is a native desktop application that connects directly to your email servers using standard IMAP and SMTP protocols. Your emails are fetched directly from and sent directly to your email provider. There is no intermediary service, relay server, or third-party infrastructure involved in handling your email.
Account Authentication
Kanmail supports two authentication methods depending on your email provider:
OAuth 2.0 (Google & Microsoft)
For Google and Microsoft (Outlook/Office 365) accounts, Kanmail uses OAuth 2.0 for secure authentication. When you sign in, you authenticate directly with Google or Microsoft through their official login pages. Kanmail receives a limited-scope access token that only permits email operations - it cannot access other services on your account.
OAuth tokens are stored securely in your operating system's credential storage (see below). Kanmail never sees or stores your Google or Microsoft password.
Password Authentication
For other IMAP providers, Kanmail uses standard password authentication. Many providers support app-specific passwords, which we recommend using where available. Your password is stored securely in your operating system's credential storage and is only transmitted to your email server over encrypted connections.
Credential Storage
All account credentials (OAuth tokens and passwords) are stored using your operating system's secure credential storage:
- macOS: Keychain Services, protected by your system password and hardware security features
- Windows: Windows Credential Manager, protected by your Windows account
- Linux: Secret Service API (compatible with GNOME Keyring, KWallet, and other providers)
Credentials are never stored in plain text files or application preferences.
On-Device Data Storage
All email data remains on your device. Kanmail stores:
- Email cache: Message headers and content are cached locally in a SQLite database for fast access and offline reading
- Attachments: Downloaded attachments are stored in a temporary cache directory
- Settings: Your account configuration (server addresses, folder mappings) and application preferences are stored in a local JSON file
- Contacts: Frequently-used email addresses are cached locally for autocompletion
This data is stored in your user application data directory and is not transmitted to any external servers.
Data Transmission
All communication with your email servers uses TLS (Transport Layer Security) encryption. Kanmail enforces TLS for connections to major providers and will warn you if a server does not support encrypted connections.
Note that standard email protocols (IMAP/SMTP) provide encryption in transit, but emails stored on your provider's servers remain accessible to your email provider. True end-to-end encryption (such as PGP or S/MIME) is not currently supported.
Application Security
- Code signing: Kanmail releases for macOS are signed with an Apple Developer ID certificate and notarized by Apple. Windows releases are signed with an EV code signing certificate
- Update checking: Kanmail periodically checks for updates by fetching a version manifest from our server. No personal data is transmitted during this check. Updates are verified via SHA-256 checksums to ensure package integrity before installation
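The checksum step described above, as an added example that is not Kanmail's own code: it validates the digest taken from the manifest, hashes the download in chunks, and deletes the package on mismatch. The manifest layout (a JSON object with a `sha256` field) and all function names are assumptions.

```python
import hashlib
import hmac
import json
import re
from pathlib import Path

# Constructed sample manifest; the field names are assumptions, not Kanmail's format.
SAMPLE_MANIFEST = json.dumps({
    "version": "0.0.0-example",
    "sha256": hashlib.sha256(b"example package bytes").hexdigest(),
})

_HEX_SHA256 = re.compile(r"[0-9a-f]{64}")


class UpdateVerificationError(Exception):
    """Raised when a downloaded package must not be installed."""


def expected_digest(manifest_text: str) -> str:
    """Extract and validate the SHA-256 digest from the manifest JSON."""
    try:
        digest = json.loads(manifest_text)["sha256"]
    except (ValueError, KeyError, TypeError) as exc:
        raise UpdateVerificationError("manifest has no usable sha256 field") from exc
    if not isinstance(digest, str) or not _HEX_SHA256.fullmatch(digest.lower()):
        raise UpdateVerificationError("manifest sha256 is not 64 hex characters")
    return digest.lower()


def file_sha256(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash the package in chunks so large downloads are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_update(package: Path, manifest_text: str) -> str:
    """Return the verified digest, or delete the package and raise on mismatch."""
    want = expected_digest(manifest_text)
    got = file_sha256(package)
    if not hmac.compare_digest(want, got):
        package.unlink(missing_ok=True)  # never leave an unverified installer behind
        raise UpdateVerificationError(f"checksum mismatch for {package.name}")
    return got
```

A checksum taken from the manifest is only as trustworthy as the channel the manifest arrived over, so the manifest fetch itself needs authenticated TLS.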
External Communications
Kanmail only communicates with external servers (other than your email provider) for:
- License activation: Your license key is validated with our licensing server at purchase and periodically thereafter. Only the license key and a device identifier are transmitted
- Update checks: Kanmail fetches a version manifest to check for available updates. No user data is sent
- OAuth authentication: When signing into Google or Microsoft accounts, you interact directly with their authentication servers
Kanmail never transmits email contents, credentials, or personally identifying information to our servers. Optional anonymous usage analytics (PostHog) and crash reports (Sentry) may be transmitted — both have user-identifying information stripped before transmission. See our privacy policy for the full list of third parties we use.
Source Available
Kanmail's source code is publicly available on GitHub. You can inspect exactly how Kanmail handles your data, audit the security implementation, and verify these practices yourself. We welcome security reviews and responsible disclosure of any issues.
Questions?
If you have security questions or concerns, please contact us at hello@oxygem.com.