e2e encryption email utility
Personal & Enterprise
any IMAP email account
any non-browser email app
you need email encryption -
no, you don't already have it.
Learn more

Regular email

Regular email is only encrypted (by TLS) while in transit between devices (blue arrows).

It is not encrypted on any of the four devices on which it is indefinitely stored once sent.

Unencrypted email stored on the sender's and recipient's email servers (red boxes) is the biggest hacking vulberability to email.


With VESmail, the sender's email is stored in an encrypted state on both servers (blue boxes).

This eliminates the biggest vulnerability with email.

why, what, who
Learn more


Email works universally because it’s free.
To work universally, encrypted email must also be free.

For Individuals

No watered down version.
No limitations.
Get started

For Enterprise

Free trial on a monthly basis.
At month's end you can easily extend the monthly trial,
if you need more time to evaluate.
No credit card info needed to sign up.
Cancel any time without obligation.
Eventually, a paid account is required.
simply have employees use the free Idividual VESmail product,
but forgo the additional benefits of VESmail Enterprise. Get started

makes VESmail special?

Safety AND Security
Learn more

Safety AND Security

Prior to VES, users of encryption had to choose between safety and security.

They could opt for the full security of undiluted end-to-end encryption, but with no safety of recovering content if the key is lost. Or, they could choose safety by sharing copies of keys with others, but in the process dilute the security and privacy of encryption.

VES sets a new paradigm that allows for the full privacy and security of undiluted e2e encryption, AND the safety of recovering encrypted content if the key is lost making e2e encryption pracitcal for mainstream use.

To learn more about VES the and risk odds from key loss, visit and in particular the The Math page - an interactive cacluator to estimate risk under different scenarios.


Convenience starts with not needing to have a special email account to use encryption. With VESmail you keep your existing IMAP email account, all your past email messages and all your contacts.

But VESmail takes convenience to a whole new level. Selecting the AUTO option in the VES encryption settings allows for seamless, set & forget operation. The VES app operates invisibly in the background - enacting VES encryption on emails sent to other VESmail users, while not using VES on emails sent to those who don't use VESmail. This means your recipients who don't use VESmail don't need to do any extra inconvenient steps to read your emails, so you don't have to hear them complain to you to stop sending them encrypted messages. You never have to think twice about sending an email - because anything less is less than convenient.


VESmails works with all IMAP email accounts. It works with all non-browser email clients/apps. It works on all iOS, android, macOS and windows devices. It works for both enterprise and personal emails accounts. The same VESmail app on any device handles unlimited enterprise and personal email accounts.

Simply download the VESmail app to any device, connect all the email accunts and all the email apps you use on that device and you're good to go!

Learn more

Safety AND Security

VES provides the security of undiluted end-to-end (e2e) encryption, and the safety of recovering content if the key is lost, eliminating the prior tradeoff between security and safety.

This new combination finally enables e2ee (end-to-end-encyrption) to be practical for mainstream use with email.


There are no shared keys on a server or anywhere else, eliminating that common backdoor vulnerability. Neither is there a collusion risk that friends who can assist in recovery can rebuild a key and access your content.

With those two vulnerabilities mitigated, the security of e2ee is uncompromised.


VES provides a means of recovery from key loss that can acheive a failure rate of lower than 1 in 14 trillion. Simply, VES can achieve new benchmark levels of safety from key loss.

Visit The Math to learn more about VES and the variable odds of VESrecovery.


This unique combination of safety and security is the basis behind VES being offered as a stand alone SAAS (Software As A Service) to other SAAS providers. They can integrated VES into their products and extend the benefits of VES to their users.

In fact, VESmail is the first example of this. When creating a VESmail account, a user is also simultaneously creating a VES account for the exact same email address. The PIN is actually associated with the VES account and is used for key management and key loss VESrecovery. These PINs and VES accounts can be used to recover lost encrypted content for any SAAS provider that integrates with VES.

Vist for more information about VES and VES as a SAAS.

ideal for friends & family


You and your posse download the VESmail app to each of your devices. Then add your email accounts and adjust the settings to your email apps, but leave the VES encryption in the default AUTO setting. Lastly, list each other as friends in VESrecovery and you're done.

What happens

Use your email exactly as you did in the past. In AUTO mode, every time you press the Send button, VESmail automatically decides whether to encrypt the message or not. Emails sent to your posse, or anyone else with a VESmail account, will be encrypted. Emails sent to everyone else will not be encrypted.

Benefits of set & forget

You never need to think about email encryption again.

You have the peace of mind that all information shared with your posse is secure and private with e2ee. And, you never need worry about switching off encryption when sending to others who don't have a VESmail account because that's done automatically. You don't inconvenience them with the extra manual steps of decrypting your emails, and they don't inconvenience you by complaining that opening your encrypted emails is a hassle.

This set & forget email encryption functionality is the way e2ee email should be...the way it must be.

Learn more Hide
2 critical features

Corporate Compliance

Without the ability to access user encrypted emails, email encryption just doesn't work for corporations. There must be oversight to ensure users are not engaging in questionable activities or misrepresenting the enterprise.

VESmail provides oversight for corporate compliance by enabling the enterprise admin to designate email addresses that are coppied on all emails sent by users as well have the encryption key.

To ensure this functionality is not abused, there are a number of safeguards. First, there is an invitation/rsvp process for admitting email addresses to the enterprise instance. An invitation is sent to the potential user when the enterprise admin adds the email address to the Access List. The owner of the email is alerted to the access rights and must accept the invitation to join the Access List.

In addition, the enterprise admin can only send invitations to email addresses that have the same domain as the one the admin used to create the corporate instance.

VESrecovery Inheritance

A key aspect of VES is VESrecovery, whereby the user can recover encrypted content is the encryption key is lost. Critical to VESrecovery is that each user must select a group of friends to assist them in VESrecovery.

VESrecovery Inheritance gives the enterprise admin the ability to pre-select a group of friends that each user immediately inherits when joining the enterprise instance, bypassing the need for users to select a group of friends themselves. Users can add/delete friends to their network afterwards. This gives the entire enterprise an immediate, robust VESrecovery network to ensure against key loss.

For more information about VES and VESrecovery, vist

Learn more Hide
abridged checklist

Any size enterprise
No IT skills needed for setup or admin
No company server needed
Setup in seconds
No scalability issues
Set & forget admin
Simple to add/delete users
Compliance/oversight of user emails
Set & forget user experience
No user training
Universal to your universe

Any size enterprise

VESmail is completely independent of size and works just as well for a two person enterprise as it does for a massive enterprise. The same software, same setup process, same tools, same everything are used for all cases without limitations and without special considerations. It's plug-and-play regardelss of size.

No IT skills needed

Anyone can setup and run VESmail enterprise without any IT skills. Once set up, the only periodic administration that may be required would be to change the user access, which also requires no IT skills.

No company server needed

For simplicity and convenience, VESmail enterprise was designed so that your enterprise instance is created on our server. It can be left there and your enterprise will still have full e2e encryption. Or, if you have a company server, you can easily migrate your enterprise instance to your server.

Setup in seconds

For any size enterprise, it only takes about 30 seconds to setup the enterprise instance. It then takes about another one to three minutes to configure your Enterprise Compliance and VESrecovery Inheritance. All of this is easily done through the browser based VESmail interface.

The amount of time it takes to add users to your instance depends on the number of users. The VESmail interface allows you to type in the name section of the email address (the part before the @) one at a time. For larger enterprises, that have a server and an IT function, bulk uploads of user email addresses are possible.

That's all there is to setup.

No scalability issues

If you're a two person firm, you're not too small for VESmail enterprise. Then, you can forget about scalability no matter how large or fast your grow. The only thing you need do is add names to your User Access List, which can be hundreds of thousands long and still present no scalability issue to you.

Set and forget admin

Once you setup your instance, Enterprise Compliance, and VESrecovery Inheritance, you really never need bother with them again. Your only ongoing task is to keep your User Access List up to date - adding and removing users as needed. It doesn't matter how small or big your enterprise is, that's really all there is to it.

Simple to add/delete users

Log into your VESmail account, go to the User Acces List page, enter the email address to add a user or select the delete button next to an existing email address to remove the user. That's it.

Compliance/oversight of user emails

To ensure that users are not engaging in nefarious or negligent activity through their encrypted email correspondance, VESmail provides a means of oversight. The administrators of your enterprise instance can designate email addresses from your User Access List to have encryption key access, and be coppied on all encrypted emails sent by all users on your Access List.

You can designate a real user email address or create an email address designated for this purpose but shared by multiple actual people, so that the regular inboxes for your auditors won't be innundated with these emails.

Set & forget user experience

Vesmail works seamlessly and invisibly in the background. This means your users never have to think about selecting any encryption settings when sending an email. They just press the send button without a second thought.

No user training

Since VESmail works seamlessly and invisibly, you don't have to retrain your enterprise users on how to use email. They simply continue using it exactly as before. No training, no training documents, nothing to update.

Universal to your universe

Since VESmail works with all IMAP email accounts, all non-browser email apps and all standard operating systems and devices, it works with everything in your enterprise universe. It fits in with all the personal laptops, phones and tablets that your users use. Moreoever, since the same VESmail app downloaded on their devices works for any personal or enterprise VESmail account, you get the additional benefit of your users expanded VESrecovery network in ensuring VESrecovery for the encrypted emails through your instance. And, you get this for free.

Learn more Hide
VESmail works

An Instance

An Instance is a copy of software code. The VESmail Instance you use is where encryption and decryption takes place for your VESmail account.

You can have a differenct Instance for each email account but only one Instance for each account. A single instance can be used for multiple email addresses, which is the case of the VESmail app on one of your devices.


The Instance you use can reside anywhere: your device, company server, home server, your server in the cloud and you can even use the VESmail public Instance located on our server in the cloud.

In all cases, the code is exactly the same and your outgoing emails are stored in an encrypted state. That's the most important thing in keeping your info secure.

If you use an Instance on a hardware device under your direct physical control, it is technically called end-to-end-encryption (e2ee) because you don't have to trust that anyone is survelying your information as it is being encrypted or decrypted. You have e2ee when your Instance is on your device, on a server in your house or on a company controlled physcial server.

Email path

When you send an email, it is encrypted by TLS and is sent to your VESmail Instance, wherever it may reside.

At the Instance, the email is decrypted from TLS and re-encrypted with state-of-the-art encryption used by VES. It is then additionally encrypted with TLS and sent to your Outgoing email server.

When it arrives at your Outgoing server, the email is decrypted from TLS, but it remains encrypted with VES; the server doesn't have a key to decrypt VES. The email is stored in this VES encrypted state. It is also re-encrypted with another round of TLS and sent to the recipient's Inbox server.

The process is repeated at the Inbox server where the email is again stored in the VES encrypted state, and also sent to the recipients device.

If the recipient has a VESmail account, the recipient's Instance receives the email before it gets to the recipeint's email app and it is decrypted from the VES encryption. If the recipient does not have VESmail, they will need to enter a PIN to create/use a VES account to read the email. (they do not need to have a full VESmail setup to read the email.)

How VES recovery works

Visit and watch the video to see how VES recovery works.

Learn more Hide
What's that?

A relay

SNIF (Server Name Identification Forwarding) is a relay that exists in the cloud that serves two purposes.

First, in most cases, SNIF is a relay enabling direct e2ee communication between your local email and VESmail apps. It may sound odd that two apps on your device are talking to each other through a relay in the cloud, but there's a very good reason for this and it doesn't slow anything down.

Trusted TLS for the VESmail app

Second, in all cases, SNIF is a way of achieving publicly trusted TLS certification in conjunction with full e2e TLS encryption for a unique host name owned by the VESmail app. Having this level of trust and security at the app level was previously not available. This gives your local VESmail app a level of trust that is universally recognized by all platforms and all email apps.

Achieving utility level status... & more

Through SNIF, the VESmail app achieves universal trust, essentially giving it utility level status.

SNIF has potential that extends beyond VESmail, so we made it open source with the thought that it could be used to enable a fully e2e solution for The Internet of Things. An internet draft on SNIF has been submitted with IETF regarding this potential and as a result, IoTSF has requested our CTO to join their workgroup tasked with solving this problem.

Learn more about SNIF

Learn more Hide