Encrypted mail with chain-anchored keys.
Sigil Mail is end-to-end encrypted by construction. Recipients publish their own X25519 keys to the chain. Senders encrypt before the letter leaves them. A receive policy filters at the brass slot. Nineteen transactions cover the mailbox lifecycle, alias management, key rotation, receive policy, abuse handling, and delegated permissions.
Chapter 1 · Mailbox
MailCreateMailbox opens the slot.
A signer creates a mailbox bound to their DID. The chain instantiates a brass postal slot at that address. No mail can land until a key is published.
Chapter 2 · PublishKey
MailPublishKey is the recipient's choice.
The recipient — never an operator — publishes an X25519 public key signed by their mailbox owner key. The chain accepts it; senders look it up at encryption time.
Chapter 3 · Seal
Letters are encrypted before they leave the sender.
The sender folds the letter, looks up the recipient's published key, encrypts with X25519 + ChaCha20-Poly1305, addresses the envelope, and drops it through the slot. The plaintext never touches the chain.
Chapter 4 · Policy
Receive policy filters at the slot.
A filter mesh sits inside the slot's mouth. Letters must satisfy the owner-signed receive policy — verified DID, minimum reputation, allow-list, rate cap, sender bond. Letters that fail the mesh are rejected at admission.
Chapter 5 · Rotate
MailRotateKey + MailRevokeKey turn the key over.
When a key ages out, MailRotateKey publishes a fresh one with a grace window for in-flight ciphertext. When a key is compromised, MailRevokeKey invalidates it immediately. The chain remembers every revocation.
Chapter 6 · Abuse
MailReportAbuse + MailResolveAbuse are durable.
Reports and resolutions are signed transactions. Reputation aggregates use them; receive policies can mirror them. The chain is the audit log; no operator can wipe a complaint.
Chapter 7 · Close
MailLockMailbox · MailDeactivateMailbox.
The slot can be frozen — inbound mail rejected, outbound mail blocked — or fully deactivated. Either action is owner-signed; reactivation requires a fresh signed transaction. The lifecycle is explicit, not provider-controlled.
Mail that does not depend on a provider.
The chain is the keyring, the directory, the policy engine, and the audit log. Build mail clients, agent inboxes, and notification services on a primitive where the recipient — not the platform — owns the key and the policy.