What is email metadata?

Metadata is everything about an email except the encrypted content. Sender and recipient addresses, subject (often), timestamps, IP addresses, transit servers, message IDs, attachment names and sizes, and the headers added by every server the message passes through. Even with E2EE protecting message bodies, the metadata is typically not encrypted.

Can my email provider see my metadata?

Yes, almost always. Even providers with E2EE for content (Proton, Tutanota) see metadata for messages flowing through their infrastructure. The metadata is necessary for delivery and storage; encryption of metadata at scale faces protocol-level challenges.

What does metadata reveal?

Communication patterns (who you talk to, when, how often), social graphs, geographic location (via IPs), professional context (subjects often reveal topics), and behavioral patterns over time. Metadata alone is often more useful for surveillance than message content because it scales and resists context-loss.

Can I encrypt metadata?

Partially. Some metadata can be obscured (using onion routing, mix networks, or anonymous remailers). Most cannot be encrypted at scale because intermediaries need it for delivery. The realistic stance is that metadata leakage is structural; defenses focus on minimizing what is generated and using providers that minimize retention.

What does Rythm collect?

Rythm uses OAuth-authorized access to read inbound mail through provider APIs. The processing happens in memory; content is not persisted. Operational logs and metrics are retained for service operation. Rythm does not retain copies of email content; metadata visible to the provider remains visible to the provider regardless of Rythm.

Email Metadata Leaks: What Your Provider Sees

Email metadata reveals more than most users assume. Here is what providers see, what they retain, and what realistic defenses look like.

Email metadata reveals more than most users assume. The structural reality is that even strong content encryption (E2EE) does not encrypt metadata; the metadata is necessary for delivery and is exposed to the providers that handle the message. This post is about what metadata is, what it reveals, what providers actually see, and what realistic defenses look like.

What Metadata Actually Is

The categories of data attached to every email.

Envelope information. Sender address, recipient address(es). Required for delivery. Visible to every server the message passes through.

Subject line. Plaintext on most providers and most protocols. E2EE providers may encrypt the subject; the broader email ecosystem typically does not.

Timestamps. When the message was sent, when it was received, when it was opened (where read receipts are enabled).

IP addresses. The IP of the sending mail client, transit servers, recipient’s mail server. Embedded in headers.

Transit servers. Each mail server that handles the message adds a Received header. The full path from sender to recipient is visible to anyone with access to the headers.

Message IDs. Unique identifiers for each message. Useful for threading and deduplication; also useful for correlation across systems.

MIME structure. Number and type of attachments, their names, their sizes. Sometimes their content type even when encrypted.

Custom headers. ESP-added headers (X-Mailer, List-Unsubscribe, X-Sender-IP), authentication headers (SPF, DKIM, DMARC results), and dozens of other server-added fields.

Threading information. In-Reply-To and References headers connecting messages in conversations.

TLS information. Whether the message was encrypted in transit between servers, what cipher was used, whether validation succeeded.

The metadata is large. A typical email has 30-50 lines of headers in addition to the body content.

What Providers See

The visibility chain.

The sender’s mail client sees everything. Includes everything the sender’s device knows: the sender’s IP, sending software identifier, timestamps.

The sender’s mail provider sees the message. Adds Received headers, applies authentication checks (DKIM signing), routes for delivery. May store copies in Sent folders.

Transit servers see the message in transit. Each Mail Transfer Agent (MTA) the message passes through sees the headers and (if not encrypted) the content. Adds its own Received header.

The recipient’s mail provider sees the delivered message. Stores it (typically as plaintext at rest unless the user has E2EE configured at the client level). Applies receiving authentication checks. Indexes for search.

The recipient’s mail client sees the delivered message. Renders for the user.

Search indexes hold metadata. Both sender and recipient providers index metadata for fast search. Subject lines, sender addresses, dates are typically searchable plaintext.

Backups and archives hold metadata. Retention policies vary; some providers retain emails for years, including in backup form, with full metadata.

The cumulative visibility is wide. Multiple intermediaries see at least the metadata.

What Metadata Reveals

The analytical value.

Communication patterns. Who emails whom, when, how often. Reveals professional and personal relationships at fine granularity.

Social graphs. Network of contacts. Useful for inferring organizational structure, project teams, family relationships.

Geographic location. IP addresses reveal source location. Patterns over time reveal travel.

Topical patterns. Subject lines, attachment names, sending domains reveal the topics of communication even without reading content.

Behavioral patterns. Time-of-day patterns, response latencies, communication frequencies. Useful for inferring work-life patterns and personal habits.

Authentication and trust signals. Whether messages are signed, whether they pass alignment, whether they come from established senders. Reveals security practices.

Volume signals. Sustained increases in email volume can indicate life events, business activity, or specific projects.

In aggregate, metadata is often more revealing than message content because it scales and is computable. A surveillance operation that wanted to map a target’s social network would learn more from a year of metadata than from one carefully chosen email body.

What “E2EE” Actually Encrypts

The clarification.

Message body. Encrypted. The content of the email is unreadable to intermediaries.

Subject line. Sometimes encrypted (Proton, Tutanota for in-network mail). Often not encrypted (most providers).

Envelope (sender, recipient). Not encrypted. Required for delivery.

Timestamps, IPs, transit servers. Not encrypted. Embedded in headers visible to intermediaries.

Attachment names and sizes. Sometimes obscured; often visible.

Threading information. Visible to intermediaries.

The fact that you sent an email. Visible to your provider, the recipient’s provider, and any intermediary.

E2EE addresses content disclosure. It does not address metadata disclosure. The two are different threats; tools that claim “E2EE” should be evaluated on what they actually encrypt.

Realistic Defenses

The options.

Use providers with strong metadata minimization policies. Some providers (Proton, Tutanota, Posteo, Mailfence) explicitly minimize metadata retention and resist disclosure requests. Standard providers (Gmail, Outlook, Yahoo) have different practices around metadata retention.

Use Tor or VPN for sending. Reduces IP-based location revelation. Mailbox location can be obscured if the receiving provider does not log or share IP information.

Use anonymous email accounts for sensitive correspondence. A separate account with no personal information attached. Mitigates linkage between content and identity.

Use encrypted messaging for sensitive content. Signal, Element, etc. Both content and metadata practices are typically stronger than email.

Limit metadata generation. Use BCC instead of To/CC where appropriate. Use generic subject lines. Avoid sending from personal devices for sensitive correspondence.

Use mix networks or onion routing. Tor email systems and similar tools obscure routing. Niche but effective for specific use cases.

Be aware of correlation risk. Even with metadata minimization, patterns across many emails can correlate identities. Operational security training matters for users with strong threat models.

The realistic defense is layered. No single technique fully protects metadata; combinations reduce exposure significantly.

Why Metadata Defenses Are Hard

The structural reasons.

Metadata is necessary for delivery. Email cannot work without sender, recipient, and routing information. Encryption of metadata at scale faces protocol-level barriers.

Provider business models often depend on metadata. Free providers (Gmail, Outlook free tier) use metadata for service operation, abuse detection, and (historically) ad targeting. Privacy-aware providers do not, but charge subscription fees.

Cross-provider interoperability requires metadata standards. SPF, DKIM, DMARC all add metadata to enable cross-domain authentication. The privacy benefits of dropping these would be smaller than the security losses.

Legal requirements often mandate metadata retention. Records-retention laws, subpoena compliance, and regulatory requirements compel providers to retain at least some metadata.

User experience depends on metadata. Search, threading, contact suggestions, time displays all rely on metadata being accessible. Users who want full metadata privacy give up some user-experience features.

The conclusion: metadata defenses are partial. Significant reduction is possible; complete elimination is not realistic in the standard email ecosystem.

What Rythm Sees and Retains

The transparency disclosure.

OAuth-authorized API access. Rythm reads inbound mail through provider APIs (Gmail API, Microsoft Graph). The provider retains the mail; Rythm processes it through API calls.

In-memory processing. When Rythm processes an email, the content is loaded into memory, parsed for tokens, and released. Persistent storage of email content does not happen.

Operational logs. Standard service operational logs (request times, success/failure, queue lengths) are retained. PII redaction is applied to logs to minimize personal information exposure.

Metadata about processing. Rythm tracks when emails were processed, what action was taken (token detected, no token, payment melted), and per-user metrics. This metadata stays with Rythm.

Provider metadata is unaffected. Whatever Gmail or Outlook sees and retains about your mail is visible to them regardless of Rythm. Rythm does not change provider-side metadata practices.

Non-custodial for payments. Cashu tokens are not stored. The melt operation runs in memory; the resulting Lightning payment lands at the user’s wallet.

The honest stance: Rythm minimizes its own retention. The provider’s metadata practices are independent and outside Rythm’s control. Users with strong metadata privacy concerns should choose providers with appropriate metadata-minimization stances.

A Specific Honest Note

Email metadata reveals more than most users assume. E2EE for content does not encrypt metadata; the protocol does not allow it at scale. The realistic defense is layered: use providers with appropriate practices, use Tor or VPN where appropriate, limit metadata generation through operational practices, and use encrypted messaging for sensitive content.

For Rythm specifically: in-memory processing, no persistent content storage, non-custodial payments. The provider-side metadata is independent and unchanged by Rythm. Users with strong metadata threat models should choose providers accordingly; Rythm composes with whichever provider the user picks.

Email Metadata Leaks: What Your Provider Sees About You