Service Notices
Important updates, security alerts, and operational announcements for CodaMail users.
Current Service Updates
Please note that payments are applied to the expiration date, not the payment date. So if you let your account remain locked until just before we remove it (90 days) and then renew it, the payment still gets applied to the original expiration date.
We pulled the IP data for 50 VPN providers and traced every network block back to the registered company and the datacenter buildings they use.
The short version: 41 of 50 providers rent servers from the same two UK-based hosting companies (M247 and Datacamp). Those companies rent their rack space from Equinix and Digital Realty -- two US companies. So "Foreign VPN" might mean your traffic goes through UK hardware in a US-owned building.
Also found that 73% of VPN server IPs are geolocated to a different country than where the network is registered. That "Nepal" or "Qatar" server might physically be in London.
VPN Infrastructure - Exposed
If you're receiving spam on an alias, it means the company or organization you gave that address to has leaked it, whether through a data breach, by selling your information, or by sharing it with third parties. The fix is simple: delete (kill) the alias and create a new one. That's exactly what they're for and why we recommend not using main aliases, but instead using categorized catch-alls (see How to use CodaMail aliases).
However, if you're using a single address for everything, you're not using the service as it was designed. Aliases exist so you can give a unique address to each company or service you interact with. When one gets compromised, you kill it and move on. If all your mail flows through one address, you lose that ability, and you'll be stuck with the never-ending attempts to block the spam.
One address per company. When it goes bad, cut it loose, no more spam and no need for never-ending attempts to block it.
When viewing a message, the Block menu now shows a Sending Server section with options to block:
- The specific sending server
- All servers from that domain
- All servers with that top-level domain (e.g. .ar, .ru, .website, .cloud)
You can also manually add server blocking rules in Settings > Block List using the server: prefix:
- server:mail.spammer.com - block a specific server
- server:spammer.com - block all servers under that domain
- server:ru - block all servers with that TLD
- server:*.spammer.com - wildcard patterns work too
Blocking is applied at the connection level: mail from blocked servers or From addresses is rejected as User Unknown, without the server even accepting it. To senders, it looks exactly like a non-existent address. This causes most bulk senders to remove the address from their lists in order to keep their "bounce rate" low, a metric that affects their standing with the sending service they use.
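The four server: rule forms above, modelled as a matcher (an added example, not CodaMail's own code). It assumes matching is case-insensitive and that domain and TLD rules match on whole DNS labels; the function names and the exact reply string are hypothetical.

```python
from fnmatch import fnmatchcase

# Assumed reply text; the page says only that mail is rejected as "User Unknown".
REJECT = "550 5.1.1 User unknown"

def _norm(name: str) -> str:
    """Lower-case a hostname and drop surrounding space and a trailing root dot."""
    return name.strip().lower().rstrip(".")

def server_rule_matches(rule: str, sending_server: str) -> bool:
    """Return True if a 'server:' block-list rule covers the sending server."""
    if not rule.startswith("server:"):
        return False
    pattern = _norm(rule[len("server:"):])
    host = _norm(sending_server)
    if not pattern or not host:
        return False
    if "*" in pattern:
        # server:*.spammer.com style wildcard
        return fnmatchcase(host, pattern)
    # server:mail.spammer.com (exact host), server:spammer.com (domain) and
    # server:ru (TLD) all reduce to "equal, or ends with '.' + pattern".
    # Requiring the dot keeps server:ru from matching .guru and
    # server:spammer.com from matching notspammer.com.
    return host == pattern or host.endswith("." + pattern)

def smtp_verdict(rules, sending_server):
    """Return the rejection reply if any rule matches, else None (not blocked)."""
    for rule in rules:
        if server_rule_matches(rule, sending_server):
            return REJECT
    return None

# Constructed sample rules and hostnames, for illustration only.
SAMPLE_RULES = ["server:mail.spammer.com", "server:*.bulk.example", "server:ru"]

if __name__ == "__main__":
    for host in ("mail.spammer.com", "mx2.spammer.com",
                 "out7.bulk.example", "mx.example.ru", "mx.example.guru"):
        print(f"{host:22} -> {smtp_verdict(SAMPLE_RULES, host) or 'not blocked'}")
```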
DO NOT CHANGE YOUR EXISTING SERVER NAMES OR SERVER SETTINGS when making this change! Doing so will make this much harder than it has to be.
Go to Settings -> App Passwords in the new webmail. Click Create App Password. Give it a name and enter any other restrictions you want, or just leave it all as is, and click Save. Leave this next dialog open. Copy the generated password with the copy button. Go to your mail app and check mail; when prompted for the password, paste in the generated password (if there is any checkbox about saving this password, click it). Then send mail; when prompted for the password, paste in the new one. That is it.
If you do go and change servers or anything but just the password, then you will be essentially setting up your mail from scratch and you will need to go to the Support section to the bottom of the page and follow instructions for setting up your e-mail app.
*** You should not create any app passwords if you only use the webmail ***
1. Go to ⚙ Settings -> App Passwords in the CodaMail web interface
(you can also log in using the web browser on your phone, it makes it easier to copy and paste the password on a phone).
2. Click Create App Password button.
3. Give it a name and set whatever restrictions you want or just leave them all as they are.
4. Click the Save button (leave the next dialog open so you can copy and paste, the password has already been saved by this point)
5. Click the copy button to copy the new password
6. Next, check email with your email app; it should prompt you for a new password. Paste it in, and also click the save password checkbox if there is one (Thunderbird has one, iPhone just automatically saves on successful login).
7. Then send a mail to yourself; you should be prompted again for the SMTP password. Paste it again, and click the save password checkbox if there is one (Thunderbird has one, iPhone just automatically saves on successful login).
That's it. Your mail app should work as normal again. Nothing else needs to be changed, not servers, not username, not email addresses, not ports, only the password changes.
So, those who could not set up app passwords before, now have a way. To enable the hidden mode of vanilla html without script, css, or even frames, use this url: https://codamail.com/mail/?text. To shut text mode off, click the link in the footer or use this url: https://codamail.com/mail/?notext.
...and yes, TOTP 2fa works in the hidden text mode, even with lynx.
We will switch completely to app passwords for third party mail clients this coming weekend, Dec 27 or Dec 28. Those who have not set up app passwords by then will need to do so for third party email apps to work.
We've added new features to Settings → Manage Catch-alls that provide more granular control over your domains and aliases.
Previously, blocklist and whitelist modes applied to all of your domains equally. If you wanted one domain to operate in whitelist mode while keeping another domain as a catch-all, it wasn't possible. All were in whitelist mode or all were in blocklist mode.
Now it is possible. Two new exception formats are supported:
- @example.com — Create a domain exception
- ! prefix — Create an alias exception
Examples:
Blocking an alias across all domains with an alias exception for one domain:
When in block mode, enter sales to block sales@anything, across all your domains. Then, additionally, you add !sales@example.com (or !sales@alias.example.com) to allow delivery to just that one domain while keeping the block in place everywhere else.
Operating in whitelist mode while keeping catch-all domain(s) with a domain exception:
When in whitelist mode, add @example.com (or @alias.example.com) to exclude that domain/catch-all from the whitelist. Everything else remains in whitelist mode, but that domain continues to accept all mail as a catch-all. Then, if you further want to block one alias in @example.com, enter another exception, for example !sales@example.com. This then leaves the catch-all domain exception @example.com accepting everything but sales@example.com.
These two exceptions now let you mix blocklist and whitelist catch-all behavior across your domains as needed.
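The two documented scenarios, modelled as a recipient decision function (an added example, not CodaMail's implementation). The function name, the mode strings and the flat entry list are assumptions; combinations the page does not describe, such as a domain exception in block mode, are left without effect in this model.

```python
def accepts(mode: str, entries, rcpt: str) -> bool:
    """Decide whether mail to rcpt is accepted (True) or rejected as User Unknown (False).

    mode    -- "block" or "whitelist" (hypothetical names for the two list modes)
    entries -- list entries as typed: "sales", "@example.com", "!sales@example.com"
    """
    rcpt = rcpt.strip().lower()
    local, _, domain = rcpt.rpartition("@")
    items = {e.strip().lower() for e in entries if e.strip()}

    alias_exceptions = {e[1:] for e in items if e.startswith("!")}   # !alias@domain
    domain_exceptions = {e[1:] for e in items if e.startswith("@")}  # @domain
    aliases = {e for e in items if e[0] not in "!@"}                 # bare alias

    if mode == "block":
        # A listed alias is blocked on every domain, except where an
        # alias exception names this exact address.
        if local in aliases:
            return rcpt in alias_exceptions
        return True

    if mode == "whitelist":
        if domain in domain_exceptions:
            # The excepted domain stays a catch-all; an alias exception
            # carves one address back out of it.
            return rcpt not in alias_exceptions
        # Everywhere else only listed aliases are delivered.
        return local in aliases

    raise ValueError(f"unknown mode: {mode!r}")

# Constructed sample lists mirroring the two examples in the text.
BLOCK_LIST = ["sales", "!sales@example.com"]
WHITE_LIST = ["billing", "@example.com", "!sales@example.com"]

if __name__ == "__main__":
    for mode, entries, rcpt in [
        ("block", BLOCK_LIST, "sales@example.com"),
        ("block", BLOCK_LIST, "sales@example.net"),
        ("whitelist", WHITE_LIST, "anything@example.com"),
        ("whitelist", WHITE_LIST, "sales@example.com"),
        ("whitelist", WHITE_LIST, "random@example.org"),
    ]:
        verdict = "accept" if accepts(mode, entries, rcpt) else "User Unknown"
        print(f"{mode:9} {rcpt:22} -> {verdict}")
```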
Both Manage Catch-Alls (this controls To addresses) and Block List (this controls From addresses) features will cause mail to be rejected prior to being accepted by our servers. In other words, blocking happens during the SMTP handshake, instead of just silently accepting the mail and deleting it, which causes the sender to believe it is still active.
Anyone who sends mail to anything blocked by either of these two features receives a User Unknown response, indistinguishable from an address that does not exist. This does decrease future unwanted mail because many bulk mail senders will automatically remove "User Unknown" rejections from their mailing lists (they call this list cleaning). They do this so they don't get terminated by their bulk mail service for too many bounces (most bulk sending services terminate when bounce rate is too high).
Those with Cotse addresses can use either webmail. Both display the exact same email, when you log into the new webmail you will see the same email you see in the old interface in the same folders. It is no different than using the webmail sometimes and other times using something like Thunderbird, Apple Mail, or other to read your mail. The new webmail is nothing but a different client (a much improved client) for the same mail.
You also don't have to keep using it, you can continue using the old webmail once you have created your new password for your third party mail clients (you just won't see all the new added features in the old webmail). The old webmail client doesn't support the new features and so some of them can only be accessed through the new webmail client, like app passwords.
This only affects third party e-mail clients (like Thunderbird, Apple Mail, Outlook, etc.). If you only use the webmail then no changes are needed.
We have enabled app passwords in a bridge mode. During this transition period, your regular password will continue to work with third-party email clients (Outlook, Thunderbird, Apple Mail, etc.) until you create an app password.
Once you create an app password for IMAP, POP, and SMTP, your webmail password will no longer work for third-party email clients and you don't have to do anything more, you'll be all set when we switch December 21.
Sunday, December 21 app passwords will be required for all third-party email clients. After that date, your regular password will only work through the webmail interfaces and will no longer work for your third party email client.
How to Create an App Password:
1. Log into the CodaMail web interface. (the legacy webmail does not support this feature)
2. Go to Settings → App Passwords
3. Click Create App Password
4. Select your protocols (IMAP or POP, plus SMTP for sending)
5. Optionally set IP or network restrictions (CIDR format) and/or an expiration date
6. Click Save
7. Copy the displayed password immediately, it is not stored by us and it will not be shown again
8. Paste this password into your email client (your username and server settings remain the same)
9. Click Done
Typically, once you do this and try to check mail, your email client will prompt you for the password and you can just paste in the new one (and don't forget to try to send mail, too, so the SMTP also prompts for new password).
If you lose an app password, simply delete it and create a new one. As always, send any questions you have to Helpdesk.
This is only for existing third party email setups. If you are setting up your email client for the first time prior to Dec 21, you must contact helpdesk first. This is because new setups will require helpdesk support during this period.
The "application passwords" will be nothing more than a separate password for imap/pop/smtp access. You will log into the CodaMail web interface, generate a password for pop/imap/smtp, set whatever permissions you want it to have, then copy and paste it into your email application as the new password.
This separates your full account from the email client in the event your email client is ever compromised by password stealing malware. If this was to happen, the attacker will not be able to log into your webmail account. It will also help protect against bot attacks on our services, which are getting smarter with AI.
When you generate a password you will be able to assign privileges to it and also be able to set a date when that password will stop working (if you desire). You will also be able to restrict which IP addresses or network ranges are allowed, again, if you desire to restrict it even further. You will be able to delete and create them at will. You will have more control, and it is a much safer way for us to allow pop/imap and smtp.
Again, this is not active yet. We are just providing early notice. We will be sending out more mail regarding the change before implementation.
Express1 is back up
This change will require everyone (Cotse and CodaMail users) to log into the CodaMail web interface to create their app passwords for regular email clients to work. No changes will be necessary for webmail only use. This is not active yet, this is just early notice. Please check here for further updates.
Please note, that these are developed, tested, and ready to implement. The delay is to give people a chance to see the Notices and for us to send out some e-mail informing people to read the notice.
Follow-up Blog Post: How to Use CodaMail in the Most Secure Fashion Possible
FYI: We do take requests for color combinations to be able to be selected within webmail. Unfortunately, due to the static nature of these, we are currently unable to just provide color pickers. Instead they must be individually compiled. However, we do take requests.
We will soon be disabling accounts that expired last month or before that have not yet been renewed. Please note that we do not auto-rebill any service but month-to-month billing, as our goal is to be both easy to onboard and off-board with us. This means any subscription that is not month-to-month must be manually renewed each time at the end of it.
We resolved an issue some were having where attempting to display the tasklists caused an internal server error message.
Note: Calendar, Contacts, and Tasklist syncing via CalDAV/CardDAV is only available in the new webmail. It is not available in our legacy webmail.
I don't speak tech, in layman's terms please:
You can sync your calendars and contacts with all of your favorite devices like your phone, tablet, watch, or favorite email app. You can also share with your family, friends, business contacts, or groups, all privately.
I want the tech:
Our proprietary WebDAV server, built from the ground up for privacy, now supports (updated 11/2):
RFC 3253 WebDAV Versioning (expand-property REPORT, protected properties)
RFC 3744 WebDAV ACL (Access control, privileges, owner, acl properties)
RFC 4791 CalDAV (Calendar properties, REPORT, calendar-query, free-busy)
RFC 4918 WebDAV (Core properties, PROPFIND, PROPPATCH, collections, COPY, MOVE, Class 1/2/3 compliance)
RFC 5397 WebDAV Current Principal (current-user-principal discovery)
RFC 5545 iCalendar (ICS/VCS format for events/tasks, ORGANIZER/ATTENDEE, CATEGORIES)
RFC 5689 Extended MKCOL for WebDAV (creating collections with properties in single request)
RFC 5842 WebDAV Bindings (resource-id for unique resource identification)
RFC 6350 vCard Format (VERSION property ordering, REV property injection, property preservation)
RFC 6352 CardDAV (Addressbook properties, vCard handling, addressbook-query, addressbook-multiget)
RFC 6578 WebDAV Sync (sync-token, sync-collection REPORT with allprop compatibility)
RFC 6638 CalDAV Scheduling (calendar-user-address-set, schedule-inbox-URL, schedule-outbox-URL)
RFC 7617 HTTP Basic Authentication (proper realm and credential caching)
RFC 7809 CalDAV Time Zones by Reference (calendar-timezone property with UTC default)
RFC 8144 Use of the Prefer Header Field in WebDAV (return-minimal for PROPPATCH optimization)
RFC 9110 HTTP Semantics (ETag, If-None-Match, 304 Not Modified, conditional requests)
CalendarServer Extensions (calendar-proxy, notification-URL, dropbox-home-set, email-address-set, getctag)
Apple Extensions (calendar-color with 8-char ARGB alpha channel preservation, calendar-order, calendar-enabled, calendar-transparency with PROPPATCH support)
The above properties which would normally contain identifying information are returned with privatized data. Randomized principals properly map. ACLs also properly map to our own unique method level dynamic permissions.
This ensures out-of-the-box compatibility with clients such as Apple Calendar, iOS, macOS Contacts, Thunderbird, DAVx5 with Android, Outlook with DAV plugins, and others, all without requiring protocol extensions or proprietary modifications.
We also retired our Denver site this week and in doing so moved our Denver VPN and Socks5 servers to Chicago.
Please note: Our support section is well fleshed out, please take a moment (if you have not already done so) and check out https://codamail.com/support.html. You just might find that the service is capable of a lot more than you are aware.
Important Information
Phishing Alert
We are a constant target of phishing e-mail. We will never send you formatted e-mail, we only send plain text. We do not send links for you to click. Do not follow links or click things in emails. Manually come to our website and check notices, to make a payment, etc. As always, email helpdesk if you have questions.
Backups
Because we are a privacy service, we do not back up your personal e-mail (though we do maintain a delayed 24 hr warm mirror to cover in case of a failure). This means that when you delete it, it is irretrievably gone. It is not floating around in some backup that can be retrieved from us against your will. However, it also means you must download and save your important mail. If you delete it, or we suffer a data failure to both the main spool and warm mirror, you could lose wanted mail. We give you many ways to back up and export your mail.
Recommended Best Practices
For optimum privacy with the service use automatic PGP encryption and a pop3s mail app and set it to delete the mail from the server after retrieval. We also recommend that your local mail store be an encrypted volume. Once your mail is removed from the server by your mail app, we no longer have a copy. No mail backups, and we are deliberately not with a large cloud service, instead opting to keep everything in-house, for the same reason. This puts you in full control of your mail and its privacy. When you delete it, it can’t be retrieved and there is no record of it being there.
