Your messages carried by crows, not corporations
Privacy-first email from Iceland. Dedicated hardware. Genuine secure deletion. 100 mailboxes, no more.
Every email provider tells you the same thing. Secure. Private. Encrypted. Then they put your inbox on a shared server with ten million other people and call it a day.
We don’t do that.
KrakuMail runs on dedicated hardware in a private rack. Not AWS. Not Google Cloud. Not a virtualised slice of someone else’s computer. Physical servers. Physical drives. A physical location we control.
That infrastructure has a ceiling. We can serve roughly 100 mailboxes at the standard we consider acceptable. So that’s what we offer.
Here’s what nobody in this industry wants to explain to you.
When a provider says “unlimited accounts,” what they mean is: your email lives on a cluster alongside millions of strangers. Your data is a row in a shared database. Your encryption keys may be generated by the same system that generates everyone else’s. Your privacy depends entirely on policy, not architecture.
When we say 100, we mean your mailbox runs on a server we built, in a facility we operate, on drives we encrypted ourselves. There is no multi-tenant abstraction layer between you and your data. There’s metal.
The limitation isn’t a sales tactic. It’s a consequence of doing this properly.
We could virtualise everything, spin up cloud instances, and technically serve ten thousand accounts by Thursday. The marketing would be easier. The margins would be better. But then your “dedicated secure email” would be a container on a shared Kubernetes cluster in a data centre we rent by the hour. It would be the same product as everyone else with a different logo on the login page.
We chose not to do that. The tradeoff is that we can only offer 100 mailboxes. When they’re gone, they’re gone. We’re not going to spin up overflow capacity and quietly dilute the thing you’re paying for.
Most email providers won’t tell you what your inbox runs on. We will.
Your email lives on Supermicro X11SSL-F servers. Intel Xeon E3-1270 v6 processors. ECC memory — the kind that corrects bit errors before they corrupt your data. Not the cheap RAM in a consumer PC. The kind that goes into medical equipment and financial systems.
Your mailbox is stored on dedicated encrypted drives. Not a partition on a shared SSD. Physical Western Digital solid-state and NVMe storage, hardware-encrypted, mounted in chassis we assembled ourselves. If a drive fails, we replace it. We don’t file a support ticket with a cloud provider and wait.
The servers sit in a private rack on a private network. Not a rented cage in a colocation facility next to a cryptocurrency mining operation. A controlled environment with managed cooling, redundant power, and no shared tenancy.
The network is ours too. Mellanox ConnectX adapters on a dedicated switching fabric. Your mail doesn’t traverse shared backplanes with traffic from other customers, because there are no other customers on the network. There’s us and there’s you.
Hardware has limits. A Xeon E3-1270 has four cores. Those cores handle mail processing, spam filtering, DKIM signing, and encryption for about a hundred active mailboxes before performance degrades. We could throw more servers at it. We chose not to, because that introduces load balancers, shared storage layers, orchestration platforms — the exact multi-tenant complexity that makes big providers insecure by architecture.
One server. One purpose. One hundred mailboxes.
Every email you send is signed on that processor. Every email you receive is filtered on that processor. Every message at rest is encrypted on those drives. There is no abstraction. There is no virtualisation layer pretending to isolate you from strangers. There are no strangers.
The limitation isn’t a design flaw. It’s the design.
When you delete an email, we destroy it. Not figuratively.
Physically destroyed on disk
When most email providers “delete” a message, they simply remove the pointer in their database. The actual data remains on disk, recoverable until the storage system happens to overwrite that sector.
KrakuMail does things differently.
Hard disk drives allow deterministic overwrite of specific sectors. When you delete an email, we know exactly where it lives on the physical platter, and we write over that exact location with verified random data.
This is fundamentally impossible on SSDs, where wear leveling and the Flash Translation Layer (FTL) abstract away physical storage locations.
Every deleted message undergoes a verified overwrite process compliant with NIST SP 800-88 Rev. 2.
Hosted in Iceland, outside Five Eyes surveillance alliances. Your data is protected by some of Europe’s strongest privacy legislation, with GDPR compliance built in.
TLS 1.3 in transit, per-user mail-crypt encryption on disk. Even in the event of physical server access, your messages remain encrypted.
No data mining. No ad profiling. No metadata harvesting. We don’t read your email, ever. Our business model is subscriptions, not surveillance.
At 100 accounts, support isn’t a ticket queue. Something breaks, a person who knows the actual server fixes it. Not a chatbot. Not a tier-1 script reader.
Running a mail server properly is expensive and labour-intensive. A free tier would either degrade the service or require us to monetise you in ways we refuse to. So we don’t offer one. You pay for the service. We run the server.
No hidden fees. No tiers where the actual security features live behind a paywall. Every plan gets the same hardware, the same encryption, the same secure deletion. The difference is storage and scale, not safety.
Kraku comes from Old Norse kráka, meaning crow. In Norse mythology, Odin kept two ravens: Huginn (thought) and Muninn (memory). Each day they flew across the world, carrying messages back to their keeper. KrakuMail carries yours — faithfully, privately, and without reading them along the way.
Iceland runs on geothermal and hydroelectric power, making it one of the greenest places on Earth to operate servers. It sits outside the Five Eyes, Nine Eyes, and Fourteen Eyes intelligence-sharing alliances, and has centuries of fierce independence.
When your data is stored in Iceland, Icelandic law applies. Not American. Not British. There is no equivalent of a National Security Letter or FISA warrant here.
We built KrakuMail for people who need private communications and can’t afford to hope their provider means it. Journalists protecting sources. Activists organising under surveillance. Dissidents in places where the wrong email gets people killed. Lawyers handling sensitive cases. Anyone whose privacy isn’t a preference but a necessity.
If your threat model includes state-level actors, you need infrastructure that doesn’t bend to foreign court orders, doesn’t retain data it promised to delete, and doesn’t share a rack with ten million accounts that make it worth compromising. That’s what this is.
KrakuMail is built on Mailcow — a fully auditable, open-source email platform. The entire mail stack, from Postfix and Dovecot to SOGo webmail, is open source software that anyone can inspect, audit, and verify. We don’t ask you to trust proprietary code. We ask you to read the source.
We review every application. If there’s a slot and you’re a good fit, we’ll be in touch. If not, we won’t waste your time.
Already have an account? Sign in to webmail
Full IMAP/SMTP support — use with Thunderbird, Apple Mail, or any client