Your inbox, unread by us.
A mail client with no server.
Sift is a desktop email client that never sees your mail. No IMAP proxy, no analytics SDK, no "AI" scanning your messages to surface the right coupon. Your credentials live in your OS keychain. Your messages live on your disk. We ship a binary and a public audit — and that is the entire company.
Three rules we won't break, even if everyone else did.
Your mail never touches our infrastructure.
Sift connects directly from your machine to your provider over IMAP and SMTP. There is no relay, no sync server, no "cloud" folder. If we disappeared tomorrow, your mail would still arrive — because we are not in the path.
No model reads your messages. Not ours. Not anyone's.
There is no on-device LLM, no smart-reply model, no embedding pipeline. Search is BM25 over a local index. Sorting is rules you write. The only "intelligence" in Sift is yours — we refused the rest as a design constraint, not a config option.
Your data is yours, in formats you can leave with.
Mail is stored as standard mbox files. Index is a SQLite DB you can open with any tool. Settings are a plain TOML file. If you uninstall Sift on day one, you keep everything — and you can prove it to yourself in under a minute.
Built like a tool, not a product.
Every feature below was chosen because it survives the test: does it work fully offline, with no account, on a machine that has never spoken to us? Anything that failed that test was cut.
Keyboard-first everything
Every action is bound, every binding is remappable, every list is fuzzy-searchable. The mouse is a fallback, not a requirement.
Local full-text search
BM25 over a SQLite FTS5 index. Sub-50ms across 100k messages. No query ever leaves your machine.
Rules, not "AI sorting"
A deterministic rules engine with regex, header matching, and sieve import. Predictable. Debuggable. Yours.
OS-native secret storage
Credentials live in Keychain, Credential Manager, or libsecret — never in a config file, never in memory longer than required.
Multi-account, unified inbox
Unlimited accounts. Color-coded. Per-account signatures, identities, and outbound SMTP. Switch with ⌘1–⌘9.
PGP & S/MIME built in
Sign, encrypt, verify. Keys managed via gpg or native. Autocrypt supported. No plugin required.
Plain-text composer
Markdown to HTML on send. No rich-text editor, no tracking pixels, no remote images by default. Your words, your bytes.
Scheduled send & undo
Hold any outbound message in a local outbox for up to 60 seconds — or schedule it for any future time. Cancel with one key.
Reproducible builds & public audit
Every release is built from a tagged commit via a deterministic pipeline. The SHA-256 of the binary you install is published alongside the source, signed with our long-term key, and verifiable locally with sift audit --verify-bin. Two independent reviewers audit the diff between minor versions; their reports are public, including the things we refused to fix and why.
One number. Paid once. No subscription.
$39 once. That is the entire pricing page.
One payment, every future update included, forever. No tiers, no "Pro" version, no per-seat enterprise dance. If you want a refund for any reason within 60 days, you email one person and they send it. We do not ask why.
Download Sift. Run it offline. Keep it forever.
The binary below is the same one we ship to paying customers. Try it free for 14 days, no account, no email required. If it ever phones home, the audit failed and you should not have paid us.
signature → -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE… -----END PGP SIGNATURE-----
audit → reports/sift-1.4.2.pdf · signed by M. Vernet, K. Ito · 2025.03.04