Postmarker lets anyone send a secure, anonymous email to any recipient and read replies β all without creating an account. When you compose a message, Postmarker:
- Generates a unique thread alias (e.g.
you+xk3a9f@gmail.com) - Dispatches your email anonymously via SMTP with custom
X-PostMarker-Thread-IDheaders - Returns a single-use cryptographic token β your only key to the inbox
- Syncs replies via IMAP using header-based lookup (zero bandwidth waste)
- Deletes everything after 7 days β threads, messages, tokens
There is no user database. There are no cookies. There is nothing to leak.
- π Cryptographic token access β SHA-256 hashed, never stored in plaintext
- π¨ Anonymous SMTP dispatch β custom
X-PostMarker-Thread-IDheader embedded in every email - π₯ Smart IMAP sync β 4-tier fallback strategy; marks emails
\Seenimmediately after ingestion - π§Ή Auto-expiry β MongoDB TTL-based cleanup, enforced by a daily Vercel Cron Job
- π« Zero tracking β no analytics, no user accounts, no persistent identity
- β‘ Edge-ready β Next.js 16 App Router, Turbopack dev server
- π¨ Premium UI β Framer Motion animations, Geist font, dark-mode first
src/
βββ app/
β βββ page.tsx # Landing page (compose form)
β βββ inbox/
β β βββ page.tsx # /inbox token entry
β β βββ [token]/page.tsx # Thread inbox view (server component)
β βββ api/
β βββ create-thread/route.ts # POST β creates thread, sends email
β βββ inbox/route.ts # GET β IMAP sync + fetch messages
β βββ cleanup/route.ts # GET/POST β purge expired records
βββ components/
β βββ home/ # Landing page sections
β β βββ Hero.tsx
β β βββ ComposerCard.tsx
β β βββ Features.tsx
β β βββ Workflow.tsx
β β βββ SuccessModal.tsx
β βββ inbox/ # Token access form
β β βββ TokenAccessForm.tsx
β βββ conversation/ # Thread inbox UI
β βββ InboxClientForm.tsx
β βββ InboxHeader.tsx
β βββ ThreadSidebar.tsx
β βββ MessageViewer.tsx
βββ services/
β βββ thread.service.ts # Thread creation + SMTP dispatch
β βββ imap.service.ts # IMAP sync with header lookup
βββ models/
β βββ Thread.ts # Mongoose thread schema
β βββ Message.ts # Mongoose message schema
βββ lib/
βββ mongodb.ts # Connection pooling
βββ email.ts # Nodemailer transporter
βββ crypto.ts # Token generation + hashing
βββ validators.ts # XSS sanitisation
- Node.js 18+
- A MongoDB Atlas cluster (free tier works)
- A Gmail account with:
- IMAP enabled (Settings β See all settings β Forwarding and POP/IMAP)
- An App Password (myaccount.google.com/apppasswords)
git clone https://github.com/JhaSourav07/postmarker.git
cd postmarker
npm installCreate a .env.local file at the project root:
# Database
MONGODB_URI=mongodb+srv://<user>:<password>@cluster0.xxxxx.mongodb.net/Postmarker?retryWrites=true&w=majority
# SMTP (outgoing email)
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=you@gmail.com
SMTP_PASS=xxxx xxxx xxxx xxxx # Gmail App Password (no trailing spaces!)
SMTP_FROM=you@gmail.com
# IMAP (incoming email sync)
IMAP_HOST=imap.gmail.com
IMAP_PORT=993
IMAP_USER=you@gmail.com
IMAP_PASS=xxxx xxxx xxxx xxxx # Same App Password
# Cron security (generate with: openssl rand -hex 32)
CRON_SECRET=npm run devOpen http://localhost:3000.
- Push to GitHub
- Import the repo at vercel.com/new
- Add all environment variables in Settings β Environment Variables
- The
vercel.jsonin this repo configures a daily cron job at midnight UTC to purge expired data
MongoDB Atlas: Allow all IPs (
0.0.0.0/0) or Vercel's IP ranges under Network Access.
When a recipient replies to a Postmarker email, their email client preserves the custom X-PostMarker-Thread-ID header (set on the original outbound message). The sync pipeline uses a 4-tier strategy:
| Priority | Method | Speed |
|---|---|---|
| 1 | HEADER X-PostMarker-Thread-ID: <threadId> |
β‘ Instant |
| 2 | HEADER X-Thread-ID: <threadId> |
β‘ Instant |
| 3 | SUBJECT contains <threadId> |
πΆ Fast |
| 4 | Scan last 50 UNSEEN emails by envelope | π΄ Last resort |
Once a message is saved to MongoDB, it is immediately marked \Seen on the IMAP server. Future syncs skip it at the server-side search level β zero re-download, zero re-parse.
See CONTRIBUTING.md for guidelines.
See SECURITY.md for how to report vulnerabilities.
This project follows the Contributor Covenant Code of Conduct.
MIT Β© Sourav Jha