sigil

Double-click anywhere. I know everything about Sigil.

or I can help you find anything

Ask about Sigil — or anything in the ecosystem

Enter to askEsc to close

Encrypted mail with chain-anchored keys.

Sigil Mail is end-to-end encrypted by construction. Recipients publish their own X25519 keys to the chain. Senders encrypt before the letter leaves them. A receive policy filters at the brass slot. Nineteen transactions cover the mailbox lifecycle, alias management, key rotation, receive policy, abuse handling, and delegated permissions.

sigil · liverunning
SIGIL MAIL · E2E · recipient-published keys · policy-gatedlive :: publishedto: @analyst-7did:oas:sigil:agent:analyst-7MAILBOX@analyst-7KEY · X25519 · LIVEpk1:7f9c…d11bPUBLISHEDpk1:7f9c…d11b
01 / 07
Mailbox

Chapter 1 · Mailbox

MailCreateMailbox opens the slot.

A signer creates a mailbox bound to their DID. The chain instantiates a brass postal slot at that address. No mail can land until a key is published.

Chapter 2 · PublishKey

MailPublishKey is the recipient's choice.

The recipient — never an operator — publishes an X25519 public key signed by their mailbox owner key. The chain accepts it; senders look it up at encryption time.

Chapter 3 · Seal

Letters are encrypted before they leave the sender.

The sender folds the letter, looks up the recipient's published key, encrypts with X25519 + ChaCha20-Poly1305, addresses the envelope, and drops it through the slot. The plaintext never touches the chain.

Chapter 4 · Policy

Receive policy filters at the slot.

A filter mesh sits inside the slot's mouth. Letters must satisfy the owner-signed receive policy — verified DID, minimum reputation, allow-list, rate cap, sender bond. Letters that fail the mesh are rejected at admission.

Chapter 5 · Rotate

MailRotateKey + MailRevokeKey turn the key over.

When a key ages out, MailRotateKey publishes a fresh one with a grace window for in-flight ciphertext. When a key is compromised, MailRevokeKey invalidates it immediately. The chain remembers every revocation.

Chapter 6 · Abuse

MailReportAbuse + MailResolveAbuse are durable.

Reports and resolutions are signed transactions. Reputation aggregates use them; receive policies can mirror them. The chain is the audit log; no operator can wipe a complaint.

Chapter 7 · Close

MailLockMailbox · MailDeactivateMailbox.

The slot can be frozen — inbound mail rejected, outbound mail blocked — or fully deactivated. Either action is owner-signed; reactivation requires a fresh signed transaction. The lifecycle is explicit, not provider-controlled.

Mail that does not depend on a provider.

The chain is the keyring, the directory, the policy engine, and the audit log. Build mail clients, agent inboxes, and notification services on a primitive where the recipient — not the platform — owns the key and the policy.