Email Notifications for Tor Hidden Services: Privacy-Safe Implementation 2026

When your hidden service connects to an SMTP server to send email, the SMTP server logs the connecting IP address. This creates two exposures: the SMTP provider knows your server's IP (deanonymizing the hidden service location), and the email recipient sees email headers that may include your server's IP. Tor SMTP solutions: route SMTP connections through Tor (the SMTP provider sees a Tor exit IP, not your server's real IP), use an outbound-only email relay accessible via a .onion address, or use an asynchronous email architecture where a separate clearnet server handles SMTP on behalf of the hidden service.

Configure Postfix (or your application's SMTP client) to route connections through Tor's SOCKS5 proxy. Postfix SOCKS5 support: Postfix does not natively support SOCKS5 proxying. Use proxychains or torify to wrap the Postfix SMTP client. Alternatively, use a mail relay that supports SOCKS5 (many SMTP libraries support it). Application-level SMTP via Tor: Python smtplib with SOCKS proxy: import socks; socks.set_default_proxy(socks.SOCKS5, '127.0.0.1', 9050); socket.socket = socks.socksocket. Then use smtplib normally. Node.js nodemailer with SOCKS5: configure a custom connection that uses socks-proxy-agent. Most SMTP libraries can be adapted to use SOCKS5 proxying. Email headers: even when sending via Tor, some mail providers include the connecting IP in Received headers - inspect headers of sent emails and configure the provider to strip source IPs if possible.

The cleanest privacy-preserving email architecture: a dedicated email relay server accessible via a .onion address. The hidden service application sends email to the relay's .onion address (connection stays within Tor). The relay sends email outbound via its own clearnet connection (separate from the hidden service's IP). This separates the hidden service's IP from the SMTP sending IP. Relay options: a self-hosted Postfix instance on a separate server (not the hidden service server), configured to accept connections on a .onion address and relay outbound. Commercial transactional email (Mailgun, Postmark, Sendgrid) from the relay server - the relay's IP is associated with the commercial provider, not with the hidden service's network. The relay adds a layer of indirection, but the relay server's location is still exposed to the commercial email provider.

Not all notifications require synchronous SMTP delivery. Alternative patterns: push notification via application: instead of email, send notifications via an in-app messaging system (user checks inbox on the .onion service). No email exposure at all. Delayed email via queue: the hidden service queues notification tasks, a separate clearnet worker processes the queue and sends email. The clearnet worker's IP is exposed, but it is a dedicated server, not the hidden service itself. Anonymous email addresses: allow users to subscribe to notifications via anonymous email addresses (Protonmail .onion, Tutanota, Cock.li). The email goes to a privacy email provider, not to a clearnet address that could identify the user. SMS via anonymous providers: some users accept SMS notifications via anonymous VoIP numbers. Less common but avoids email infrastructure entirely.

Even when email delivery is anonymous, email template content can reveal information about the hidden service. Best practices: do not include server IP addresses or internal hostnames in email content, do not include log file paths or error messages in notification emails, use relative URLs within emails pointing to the .onion address (not clearnet URLs), include unsubscribe links that point to the .onion service (not to a separate clearnet service), and avoid third-party tracking pixels (email open tracking reveals user email clients and IP addresses to the tracking service). PGP-signed emails: sign outbound notifications with the service's PGP key. Users can verify notifications came from the legitimate service, not a phishing attack. Include the PGP fingerprint in the email footer.