I’m looking for an email service that issues email addresses with an onion variant. E.g. so users can send a message with headers like this:
From: replyIfYouCan@hi3ftg6fgasaquw6c3itzif4lc2upj5fanccoctd5p7xrgrsq7wjnoqd.onion
To: someoneElse@clearnet_addy.com
I wonder if any servers in the onionmail.info pool of providers can do this. Many of them have VMAT, which converts onion email addresses to clearnet addresses (not what I want). The docs are vague. They say how to enable VMAT (which is enabled by default anyway), and neglect to mention how to disable VMAT. Is it even possible to disable VMAT? Or is there a server which does not implement VMAT, which would send msgs to clearnet users that have onion FROM addresses?
TL;DR you can send emails from .onion addresses if you want, but no clearnet server is going to accept them.
So when you send an email, you can actually put whatever you want in the from header. I could send an email that says from "made.this.up@website.doesnotexist". The protocol doesn't care.
Do you know who does care? The email server you're sending messages to, because spammers and scammers love to try and send email with fake from addresses.
So, there's an entire verification system in place that involves looking up public keys from the website that the email claims to be from. (this is a gross over simplification. Look up SPF, DKIM, and DMARC for more info). The problem is you can't even reach .onion sites from the clearnet to do the lookups. So no email servers would be able to validate your address is legitimate and so would drop it as spam.
Do you know who does care? The email server you’re sending messages to, because spammers and scammers love to try and send email with fake from addresses.
The receiving servers do not generally care what’s in the FROM field. They care that the sending server they are connected to is authorized and has their SPF, DKIM, and DMARC shit together. It’s not for the receiving server to control the email aliases of individual senders. Some rare over-zealous servers will look at the FROM field and expect the domain to match but if I encounter that, the collateral damage is what it is. I can always still decide from there whether it’s worthwhile to go through extra hoops.
That mismatch between DMARC verification domain and the domain of the "from" header is called DMARC Alignment. Any modern spam filter is going to mark unaligned messages as spam. Especially if one of the domains is completely non-routable like .onion.
And even if you sent the email and it got through with your .onion address, no one would be able to reply to you because the replying mail server can't even look up the MX record for your .onion domain.
How do you expect to receive replies from clearnet users, or are you okay not receiving replies?
Indeed that’s the idea. If you’ve ever received a message where the sender’s address is “noreply@corp.xyz”, it’s similar. But in fact the onion address is slightly more useful than a “noreply” address because the responder would at least have the option of registering with an onion-capable email server to reply.
Imagine you want to email a gmail user. You can ensure that the message contains nothing you don’t mind sharing with a surveillance advertiser, but you cannot generally control what gets shared in the response. An onion address ensures that replies will be outside of Google’s walled garden, for example. That’s just one of several use cases.
Also most mail hosts these days toss emails that dont match dmarc/dkim/spf, which would be especially hard to do for an onion email
Those are server to server authentication protocols, not something that validates the functionality of a sender’s disclosed email address. Otherwise how would a bank send an announcement from a “noreply” address?
Because dmarc, DKIM, and SPF validate the domain against the sending server, not the address.
When i send from noreply@ at work, it passes dmarc, DKIM, and SPF, because the recipient mail server validates the message came from an authorized mail server for the domain (mosty based on dns entries).
Without that validation, you can certainly still send emails, but most clearnet mail hosts will drop your messages. Google, Microsoft, and yahoo at the bare minimum will