--- title: "GPG-encrypted email forwarding is back, and the mxcrypt relay is now open source" type: "post" post_id: "208745" slug: "gpg-encrypted-email-forwarding-is-back-and-the-mxcrypt-relay-is-now-open-source" canonical: "https://easydns.com/blog/2026/05/27/gpg-encrypted-email-forwarding-is-back-and-the-mxcrypt-relay-is-now-open-source/" markdown_url: "https://easydns.com/blog/2026/05/27/gpg-encrypted-email-forwarding-is-back-and-the-mxcrypt-relay-is-now-open-source.md" json_url: "https://easydns.com/blog/2026/05/27/gpg-encrypted-email-forwarding-is-back-and-the-mxcrypt-relay-is-now-open-source.json" txt_url: "https://easydns.com/blog/2026/05/27/gpg-encrypted-email-forwarding-is-back-and-the-mxcrypt-relay-is-now-open-source.txt" published: "2026-05-27T14:00:51+00:00" modified: "2026-05-27T14:05:56+00:00" author: "Mark E. Jeftovic" categories: - "What's New" tags: - "Bill C-22" - "GPG Encrypted Email Forwarding" - "Lawful Access" site_name: "easyDNS" publisher: "" language: "en-US" generator: "easyPress Markdown" generator_version: "1.0.3" --- ![](https://easydns.com/wp-content/uploads/2026/05/mx-crypt-relaunch-2.png) Back in 2013 we [announced GPG-encrypted email forwarding](https://easydns.com/blog/2013/12/04/behold-add-gpg-encryption-to-your-email-forwarding/) a way to add your public GPG keys into an email forwarding path so that any mail coming through your mailmap would arrive at its destination GPG encrypted. It was never intended to be end-to-end encryption. What it *does* provide is encrypted data-at-rest. That means you can use Gmail, iCloud Mail, Rogers, Bell, Telus, or virtually any hosted email provider while ensuring the messages stored in your mailbox are encrypted with *your* GPG key, while the host has no ability to decrypt it. Back in 2013, almost nobody cared. Almost nobody used it. Eventually, we unceremoniously turned it off. With Bill C-22 the topic of much debate right now, Canadians are suddenly waking up to the prospect that warrantless back-door access to all of their private communications (business plans, medical records, legal advice, et al) are fair game. With this in mind, we’ve re-enabled GPG-encrypted email forwarding. That means if you have your own domain name with a personalized email address sitting in front of your Gmail, or more poignantly: iCloud, Rogers, Bell, Telus, et al mailboxes, you can make sure all your messages arrive already encrypted and unreadable to anyone except you. Not the provider. Not their sysadmins. Not law enforcement, CSIS or the CSE (or any one of the other 20+ government and quasi-government agencies empowered under Lawful Access legislation to access your communications). Nobody without your private key. ### How To Enable GPG-encrypted email forwarding here: - enable “beta features” flag in your personal settings - enable email forwarding for one of your domains (or one already using mailmaps) - add your GPG public key to the mailmap(s) you want to protect - set your domain’s MX record to **mx-crypt.easydns.com** - (and forwarding maps without keys are passed-thru as-is ![](https://easydns.com/wp-content/uploads/2026/05/gpg-forward-email-screen.png) -------------------------------------------------------------------------------- The mxcrypt postfix relay is open source ---------------------------------------- As noted, this is not an end-to-end encryption solution, it provides encrypted data-at-rest. Under the “Lawful Access” provisions of Bill C-22, if you are using email encrypted forwarding to your mailbox on a Canadian provider such as Rogers, Telus, or Bell (or you’re a Canadian using Apple’s iCloud email) – and they are “requested” to provide back-door access to your emails, there is nothing they can provide. The messages they host have arrived already encrypted and they don’t have the private key. *However* the operator of the mxcrypt *relay* could then receive a similar request – asking them to provide access *before* the encryption takes place. While nobody can do anything about already-encrypted messages, the mail forwarding operator complying with the order could implement an intercept at the point of the relay (our position, articulated already, is that we would invoke the systemic vulnerability safeguard under C-22…) > As someone who runs a company that is probably captured under the definition of an ESP in C-22, our position will be that the systemic vulnerability safeguard precludes us from complying. > > Any “backdoor” data extraction method introduces systemic vulnerability, thus we would… > > — Mark E. Jeftovic (@jeftovic) [May 16, 2026](https://twitter.com/jeftovic/status/2055644249056493573?ref_src=twsrc%5Etfw) But to really help nurture an asymmetric response, we’ve gone ahead and [open sourced the mxcrypt postfix utility via our github here](https://github.com/easydns/easygpg-mxcrypt). This means anybody can setup relays, anywhere. In their basement, or outside of Canada, and provide GPG encrypted forwarding services to Canadians (or anybody else in the world). Those relays can encrypt and forward email anywhere – it is not simply an ingress into the easyDNS system, you can use this software with any email provider in the world. The micropayments angle ----------------------- The world we live in today is much different from the one we were in in 2013. With [x402 and L402 micropayments](https://easydns.com/blog/2026/01/10/can-x402-save-the-open-source-software-movement/) now a reality, not to [mention autonomous hosted agents](https://get.easynode.ai/easyclaw), it’s easy to imagine a cottage industry of independent encrypted-forwarding operators emerging worldwide. Need an encrypted forwarding hop outside your jurisdiction? Your agent could discover one, negotiate payment, provision forwarding, provide your public keys, and activate routing automatically (via [an MCP server handling your DNS](https://github.com/easydns/easydns-mcp), of course). All on demand. Open source encryption, decentralized infrastructure, autonomous agents, and programmable micropayments are creating systems that are beyond the ability for centralized authorities to meaningfully control. Most national governments are playing checkers in a game of 4-D chess. What a time to be alive. Getting Started --------------- - To enable [GPG encrypted forwarding](https://easydns.com/features/gpg-encrypted-email-forwarding/) in [your control panel settings](https://cp.easydns.com). - Clone, fork and modify [the mxcrypt source code here](https://github.com/easydns/easygpg-mxcrypt)