I Thought Building an Anonymous Email Platform Would Be Easy. I Was Wrong.

Sourav Jha — Wed, 10 Jun 2026 19:55:54 +0000

Over the past few weeks, I built PostMarker, a platform that allows users to send anonymous emails and receive replies without exposing their real email addresses.

At first, the idea sounded straightforward:

User writes a message.
Email gets delivered.
Recipient replies.
Sender receives the reply.

Simple, right?

Not even close.

What looked like a weekend project quickly turned into one of the most technically challenging systems I've built so far.

The Problem

Most anonymous messaging platforms only support one-way communication.

I wanted to build something different.

I wanted users to:

Send an anonymous email
Receive replies
Maintain a conversation
Never reveal their real email address

This introduced a completely new set of challenges.

The Architecture

PostMarker is built using:

Next.js
MongoDB
Nodemailer
IMAP
SMTP

The flow looks like this:

User creates a conversation.
A unique thread is generated.
A temporary email alias is assigned.
The outbound email is delivered through SMTP.
Replies are collected through IMAP.
Messages are synchronized into a private inbox.

Instead of storing messages forever, conversations automatically expire after 7 days.

Technical Challenges

1. Anonymous Replies

Sending emails is easy.

Receiving replies anonymously is hard.

I needed a system that could:

Match replies to the correct conversation
Verify the reply belongs to the intended recipient
Prevent abuse
Maintain privacy

To solve this, PostMarker uses:

Custom email headers
Thread identifiers
Reply verification
Sender validation

2. Private Inboxes

I didn't want users creating accounts.

Instead, PostMarker generates a secure access token.

The token acts as the inbox key.

For additional security:

Tokens are never stored in plaintext
SHA-256 hashes are stored instead

Even if the database is compromised, inbox access tokens cannot be recovered.

3. Abuse Prevention

Anonymous platforms are magnets for abuse.

Several protections were added:

Rate limiting
Reply validation
Alias verification
Thread ownership checks

Without these protections, the platform could easily become a spam relay.

4. Email HTML Security

Emails can contain:

Tracking pixels
Embedded scripts
Malicious HTML

PostMarker sanitizes email content before rendering it inside the inbox using DOMPurify.

This prevents XSS attacks and protects users from malicious email content.

What I Learned

This project taught me more than I expected about:

SMTP
IMAP
Email infrastructure
Security engineering
System design
Building products around real-world constraints

One lesson stood out:

Building software is often less about writing code and more about handling edge cases.

The happy path is usually easy.

The difficult part is making sure everything still works when things go wrong.

What's Next?

PostMarker is still evolving.

Future improvements include:

Better analytics
Enhanced alias management
More anti-abuse protections
Improved inbox experience
Custom domains

Try It Yourself

GitHub:
https://github.com/JhaSourav07/postmarker

Live Demo:
https://postmarker.vercel.app

Feedback, suggestions, and contributions are always welcome.

If you've built something involving SMTP, IMAP, or email infrastructure, I'd love to hear about your experience in the comments.

DEV Community: Sourav Jha