Over the past few weeks, I built PostMarker, a platform that allows users to send anonymous emails and receive replies without exposing their real email addresses.
At first, the idea sounded straightforward:
- User writes a message.
- Email gets delivered.
- Recipient replies.
- Sender receives the reply.
Simple, right?
Not even close.
What looked like a weekend project quickly turned into one of the most technically challenging systems I've built so far.
The Problem
Most anonymous messaging platforms only support one-way communication.
I wanted to build something different.
I wanted users to:
- Send an anonymous email
- Receive replies
- Maintain a conversation
- Never reveal their real email address
This introduced a completely new set of challenges.
The Architecture
PostMarker is built using:
- Next.js
- MongoDB
- Nodemailer
- IMAP
- SMTP
The flow looks like this:
- User creates a conversation.
- A unique thread is generated.
- A temporary email alias is assigned.
- The outbound email is delivered through SMTP.
- Replies are collected through IMAP.
- Messages are synchronized into a private inbox.
Instead of storing messages forever, conversations automatically expire after 7 days.
Technical Challenges
1. Anonymous Replies
Sending emails is easy.
Receiving replies anonymously is hard.
I needed a system that could:
- Match replies to the correct conversation
- Verify the reply belongs to the intended recipient
- Prevent abuse
- Maintain privacy
To solve this, PostMarker uses:
- Custom email headers
- Thread identifiers
- Reply verification
- Sender validation
2. Private Inboxes
I didn't want users creating accounts.
Instead, PostMarker generates a secure access token.
The token acts as the inbox key.
For additional security:
- Tokens are never stored in plaintext
- SHA-256 hashes are stored instead
Even if the database is compromised, inbox access tokens cannot be recovered.
3. Abuse Prevention
Anonymous platforms are magnets for abuse.
Several protections were added:
- Rate limiting
- Reply validation
- Alias verification
- Thread ownership checks
Without these protections, the platform could easily become a spam relay.
4. Email HTML Security
Emails can contain:
- Tracking pixels
- Embedded scripts
- Malicious HTML
PostMarker sanitizes email content before rendering it inside the inbox using DOMPurify.
This prevents XSS attacks and protects users from malicious email content.
What I Learned
This project taught me more than I expected about:
- SMTP
- IMAP
- Email infrastructure
- Security engineering
- System design
- Building products around real-world constraints
One lesson stood out:
Building software is often less about writing code and more about handling edge cases.
The happy path is usually easy.
The difficult part is making sure everything still works when things go wrong.
What's Next?
PostMarker is still evolving.
Future improvements include:
- Better analytics
- Enhanced alias management
- More anti-abuse protections
- Improved inbox experience
- Custom domains
Try It Yourself
GitHub:
https://github.com/JhaSourav07/postmarker
Live Demo:
https://postmarker.vercel.app
Feedback, suggestions, and contributions are always welcome.
If you've built something involving SMTP, IMAP, or email infrastructure, I'd love to hear about your experience in the comments.
Top comments (0)