What does a non-custodial email stack look like?

A combination of email tools that do not hold the user's email content, contacts, or related data. Components include the email provider (most major providers are partially custodial), encryption tools that prevent the provider from reading content, inbox-layer filters that process in memory, and tools that operate on user-controlled keys rather than vendor-controlled databases.

Are major email providers non-custodial?

Generally not. Gmail, Outlook, Yahoo, and most major providers store email content on their servers and process it for various purposes (spam filtering, search, AI features). The user has access to their email, but the provider has custody of the content. Some providers (ProtonMail, Tutanota) offer encrypted storage that limits what the provider can read, which is closer to non-custodial in the encrypted-at-rest sense.

Can a non-custodial email stack work with Gmail or Outlook?

Partially. The underlying email provider is custodial, but tools that operate on top of the provider can be non-custodial. An inbox-layer filter that processes email in memory and discards it is non-custodial in its operation. End-to-end encryption tools that prevent the provider from reading specific messages are non-custodial for those messages.

Why does the non-custodial property matter for email?

Three reasons. Provider breaches cannot expose content the provider does not hold. Provider behavior changes (new AI features, new data uses, new pricing) cannot affect data the provider does not hold. Regulatory scope on the provider does not affect non-custodial tools. The user retains direct control over the data the provider does not hold.

Is Rythm part of a non-custodial email stack?

Yes. Rythm processes incoming email in memory to detect Cashu tokens and apply the cover-charge gate, then discards the content. Rythm does not store email content, payment tokens, or persistent metadata about the email contents. The non-custodial property applies to Rythm's specific role in the stack.

The Non-Custodial Email Stack 2026

Most email tools hold your data. Here is the non-custodial alternative stack: providers, filters, and tools that don't take possession.

The non-custodial concept generalizes from cryptocurrency wallets to many adjacent industries. For email, building a non-custodial stack requires composing tools that each minimize what they hold. No single tool produces a fully non-custodial email experience, but a thoughtful stack can substantially reduce custody scope.

This post is about what a 2026 non-custodial email stack looks like, what each component does, and where the limits sit.

What Non-Custodial Means for Email

The non-custodial property for email means that the tools operating on the user’s email do not take persistent custody of:

Email content (the bodies of messages).
Sensitive metadata (recipient lists, subject lines, attachment data).
Authentication credentials beyond the minimum required for operation.
Behavioral data about the user that is not strictly necessary for the tool’s function.

A fully non-custodial email experience would mean that no tool persistently holds any of the above. This is structurally hard to achieve in practice because:

Email by nature involves servers that hold messages temporarily during delivery.
Spam filtering, search, and various features benefit from access to content.
Some metadata (timestamps, sender, recipient) is fundamentally part of the email protocol.

A realistic non-custodial stack reduces custody scope rather than eliminating it entirely.

The Email Provider Layer

The largest source of custody is the email provider itself. Providers vary widely in their custody scope.

Major commercial providers (Gmail, Outlook, Yahoo). Highly custodial. Email content is stored on provider servers. Provider runs spam filtering, AI features, search indexing, and various other content-aware operations. Provider’s privacy policies document what they do with the data; the user accepts this as a condition of using the service.

Privacy-oriented providers (ProtonMail, Tutanota, Skiff (now part of Notion), Mailfence). Encrypted storage that limits what the provider can read. Email content is encrypted at rest with keys derived from the user’s password. The provider holds the encrypted blob but cannot read it without the user’s authentication. Closer to non-custodial in the at-rest sense, but the provider can read mail that arrives unencrypted from external senders.

Self-hosted email. The most non-custodial option in principle: the user runs their own mail server and holds all data. In practice, self-hosting modern email is operationally difficult because of deliverability challenges, anti-spam reputation requirements, and ongoing maintenance burden. We covered this at the self-hosting email trap (forthcoming).

Custom-domain mail with privacy-oriented providers. A middle ground: the user owns the domain, and the provider operates the mail server with encrypted storage. The user can switch providers without losing the domain. Closer to non-custodial than fully self-hosted but more accessible operationally.

For most users in 2026, a privacy-oriented provider with custom-domain support is the most practical non-custodial baseline.

The Encryption Layer

Encryption tools that operate on top of the email provider can shrink custody scope further.

End-to-end encryption (PGP, S/MIME). Email content encrypted with the recipient’s public key can only be decrypted by the recipient. The provider cannot read the content. PGP has a long history but poor user experience; S/MIME is more usable but less common outside corporate environments.

OpenPGP.js and similar libraries. Modern web-friendly implementations make PGP-like encryption more accessible.

Provider-internal encryption (within ProtonMail, etc.). Mail between users on the same encrypted-provider service is encrypted automatically. Mail to external recipients requires explicit encryption setup.

Limits. End-to-end encryption only works when both sender and recipient support it. Mail from unencrypted senders arrives unencrypted regardless of the recipient’s setup. The encryption layer reduces custody scope but does not eliminate it for mixed-provider correspondence.

The Filter Layer

Filters and inbox tools that operate on incoming mail can be more or less custodial.

Server-side filtering (Gmail, Outlook). Custodial. The provider scans content and applies filters at the server level. The provider has access to the content during filtering.

Client-side filtering. Less custodial in operation but still subject to the provider’s underlying custody. Outlook desktop’s client-side rules run on the user’s machine but the mail is still stored on the provider’s servers.

Third-party server-side filters (Proofpoint, Mimecast). Custodial. The third-party service has custody of the content during filtering.

In-memory inbox-layer filters (Rythm). Non-custodial in operation. The filter processes incoming mail in memory and discards the content after processing. No persistent storage of email content.

Encrypted-storage filters. A theoretical option where the filter operates on encrypted content without the ability to read it. Limited practical implementations.

The Authentication Layer

Authentication tools also vary in custody.

Password-only authentication. The user holds the password. The provider holds the password hash (not the password). Generally non-custodial for the credential itself.

App-based MFA. The user holds the authenticator app. The provider holds a verification secret. Non-custodial for the authentication factor.

SMS-based MFA. The carrier holds the phone number routing. Custodial in the routing sense; non-custodial in the credential sense.

Hardware-key MFA (FIDO2/WebAuthn). The user holds the hardware key. The provider holds a public key for verification. The most non-custodial form of MFA available; the cryptographic challenge happens entirely between the user’s hardware and the provider’s server.

The Realistic Non-Custodial Stack

For users wanting to maximize non-custodial properties:

Email provider. Privacy-oriented provider (ProtonMail, Tutanota) on a custom domain. Encrypted storage. Limited provider read access.

Encryption. PGP or provider-internal end-to-end encryption for sensitive correspondence. Use it for high-stakes mail; expect mixed support across senders.

Filter. In-memory inbox-layer filter (Rythm) for unknown-sender filtering. Non-custodial in operation. Composes with the provider’s encrypted storage.

Authentication. Hardware-key MFA on the email account. The strongest non-custodial authentication available.

Backup. Regular local backups of email content. Non-custodial backup is a manual process but is meaningful for data sovereignty.

Aliases. Custom-domain catch-all addressing for non-custodial alias management. Or dedicated alias services (SimpleLogin) that minimize their own custody. We covered this at email address hygiene: should you use aliases.

The total cost of this stack is meaningful (privacy-oriented providers are typically more expensive than Gmail) but the custody-reduction is real.

Where the Stack Falls Short

Even a thoughtfully composed non-custodial stack has limits.

External senders are not non-custodial. Mail from senders outside the stack arrives in whatever format the sender uses. The recipient cannot impose non-custodial properties retroactively.

Email metadata is hard to fully obscure. Sender, recipient, timestamps, and routing data are part of the email protocol. Even encrypted-content email leaks some metadata.

Backup and recovery is manual. Non-custodial means the user is responsible for backup. Lost devices, lost passwords, lost hardware keys all become the user’s problem to solve.

Regulatory and legal compliance varies. Some industries have specific regulatory requirements that conflict with non-custodial properties. Healthcare BAAs, financial-services audits, and corporate compliance programs may require custodial features.

Operational sustainability. Maintaining a non-custodial stack requires ongoing user attention. Many users abandon the stack after initial setup because the operational cost exceeds their patience.

The realistic assessment: non-custodial email is achievable for users who care about it and are willing to bear the operational cost. It is not achievable as a no-effort default in 2026.

A Specific Honest Note

Building a non-custodial email stack is a real undertaking. Each component reduces custody scope; the composed stack reduces scope substantially compared to default email. The trade-off is operational complexity and (often) cost.

For users who care about non-custodial properties, the stack is achievable. For users who do not, default email remains adequate for most threat models.

Rythm is one component in the non-custodial stack: an inbox-layer filter that processes email in memory and does not store content or tokens. Rythm composes naturally with privacy-oriented providers, encryption tools, and hardware-key MFA. We are part of the non-custodial conversation but not the entire conversation.

For the related guides, see what non-custodial means in 2026, non-custodial architecture, what is a non-custodial email service, email address hygiene: should you use aliases, and Rythm is not a cryptocurrency service. For the broader frame, see the two missing pieces of the internet and what is an email paywall. Rythm is $1.65 per month, cancel anytime.

The Non-Custodial Email Stack: Tools That Don't Hold Your Data