Our Amanah to You
In Islam, amanah means trust and responsibility. When you give us your email, you are trusting us with your private communication. We take that seriously.
This page tells you exactly what we protect, what we don't, and what you can do to protect yourself further. No marketing language. No vague promises. Just the truth.
Encryption in Transit
All connections between your device and our server are encrypted with TLS, secured by Let's Encrypt certificates. Nobody between you and our server can read your email in transit.
Encryption at Rest
Emails stored on our server are not encrypted at rest. They are stored in a database (RocksDB) with compression but without cryptographic protection. This is the standard for most email servers, including Postfix, Dovecot, and most hosted email providers.
What this means: someone with root access to the server could, in theory, extract email content from the database. In practice, this requires specific tooling and deliberate effort.
Who Can Access Your Email
You have full access via IMAP, webmail, or any email client.
Tab Hasan (UMG founder) has root access to the mail server. He has the technical ability to access stored email, but will not do so except: (a) when required by law, or (b) to diagnose a technical issue you have reported. This is our amanah.
Hetzner (Germany) has physical access to the hardware. They operate under EU law and GDPR, which provide stronger legal protections than those that apply to US-based providers. They do not access customer data without a valid legal order.
No advertisers. No data brokers. No AI training. No third parties. Your email is not a product.
End-to-End Encryption (Optional)
If you need absolute privacy where even we cannot read your messages, enable OpenPGP encryption in your email client. When you encrypt a message with PGP before sending, it is stored as an opaque blob on our server. We cannot decrypt it. Only the intended recipient with the matching private key can.
PGP is supported in:
- Webmail (webmail.ummah.email) has built-in PGP support
- Thunderbird has native OpenPGP support
- Apple Mail via GPG Suite
- K-9 Mail / FairEmail on Android with OpenKeychain
When PGP is active, your email is end-to-end encrypted. The server stores ciphertext it cannot read. This is the strongest protection available.
Email Authentication
Every email sent from ummah.email is signed with DKIM (DomainKeys Identified Mail). This means recipients can verify that the email actually came from our server and was not tampered with in transit.
We also publish SPF and DMARC records to prevent others from sending email that appears to come from @ummah.email.
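How a recipient can check this on a received message, as an added example (not ummah.email's own code): it parses the Authentication-Results header that the recipient's own mail server adds (RFC 8601) and accepts the message only on a DKIM pass and a DMARC pass for the From domain. The sample headers, the server name mx.example.net and the function names are constructed for illustration.

```python
import re

# Constructed sample header values, as a receiving server (mx.example.net) might add them.
GOOD = ("mx.example.net; dkim=pass (signature verified) header.d=ummah.email "
        "header.s=sel1; spf=pass smtp.mailfrom=ummah.email; "
        "dmarc=pass header.from=ummah.email")
SPOOFED = ("mx.example.net; dkim=pass header.d=bulk-sender.example; "
           "spf=fail smtp.mailfrom=ummah.email; dmarc=fail header.from=ummah.email")


def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv_id, results).

    Each result is a dict such as
    {"method": "dkim", "result": "pass", "header.d": "ummah.email"}.
    Parenthesised comments are dropped; quoted strings are not handled.
    """
    value = re.sub(r"\([^()]*\)", "", value)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", []
    authserv_id, results = parts[0].split()[0].lower(), []
    for part in parts[1:]:
        tokens = part.split()
        if "=" not in tokens[0]:
            continue  # e.g. the bare token "none"
        method, result = tokens[0].split("=", 1)
        entry = {"method": method.lower(), "result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                entry[key.lower()] = val.lower().rstrip(".")
        results.append(entry)
    return authserv_id, results


def is_authentic(value, trusted_authserv, from_domain):
    """True only if our own server reports DKIM and DMARC passes for from_domain."""
    authserv_id, results = parse_auth_results(value)
    if authserv_id != trusted_authserv:
        return False  # not added by our server, so a sender could have forged it
    # Exact domain match (strict alignment); subdomain signers are rejected here.
    dkim_ok = any(r["method"] == "dkim" and r["result"] == "pass"
                  and r.get("header.d") == from_domain for r in results)
    dmarc_ok = any(r["method"] == "dmarc" and r["result"] == "pass"
                   and r.get("header.from") == from_domain for r in results)
    return dkim_ok and dmarc_ok
```

Only the header added by your own receiving server should be trusted; copies of the header already present when the message arrived can be written by the sender.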
What We Will Never Do
- Scan your email to show you ads
- Sell or share your data with third parties
- Use your email content to train AI models
- Insert tracking pixels into your messages
- Read your email without your knowledge or a legal obligation
- Hand over data to any government without a valid legal order under EU jurisdiction
Infrastructure
Our mail server handles IMAP, SMTP, JMAP, CalDAV, CardDAV, spam filtering, and DKIM signing. It is a single-component stack with no external databases, no analytics, and no third-party integrations touching your mail.
Reporting a Security Issue
If you discover a vulnerability in our systems, please contact security@ummah.email. We will acknowledge your report within 48 hours and work to resolve it promptly.
We do not currently offer a bug bounty program, but we deeply appreciate responsible disclosure.
"Indeed, Allah commands you to render trusts to whom they are due." — Quran 4:58
Questions? Email info@ummah.email.