Trust assumptions and threat model
The Economics chapter traces where every lamport goes; this page traces where trust goes: what each participant must assume about the others, which of those assumptions are enforced on-chain, and which live off-chain in an operator’s configuration or a service the postmaster runs. Nothing here is a hidden flaw — each item is a deliberate design boundary — but anyone holding real value in the system should know where the boundaries are.
The domain authority is fully trusted for relayed mail
On-chain, SendMail accepts a message when the signer is the sender named
in the email or the active authority of the recipient’s domain — the MX
operator’s wallet, for mail relayed in from traditional SMTP. The chain
cannot verify that the from address on relayed mail is genuine; it trusts
the authority’s signature entirely. Verifying the sender is the operator’s
job, off-chain, via SPF/DKIM/DMARC (the sender_auth setting in
sithbitd’s configuration).
The consequence of a lax or compromised MX is worse than ordinary spam:
because fromboxes are keyed by the from string, a relay that accepts
a forged from lets the forger consume a trusted correspondent’s prepaid
stamps and arrive at that correspondent’s discounted price. Spoofing
through a careless operator is simultaneously stamp theft from the
impersonated sender and a bypass of the recipient’s stranger pricing.
What this means in practice:
- Operators: run
sender_authatspfor stricter on any internet-facing MX. An authority that relays forgeries is spending its own users’ stamps. - Recipients: your spam-pricing guarantee is only as strong as your domain operator’s inbound authentication. A mailbox on a well-run domain inherits its rigor; a bare-pubkey mailbox with no domain accepts only sender-signed (wallet-to-wallet) mail, which needs no such trust.
- The protocol: today there is no on-chain accountability for authorities beyond the postmaster’s ability to deactivate a domain. Per-authority accountability (reputation or stake) is a recognized open design question, not current behavior.
The postmaster is a singleton
One key initializes the postoffice, authorizes and deactivates every domain, tunes the stamp fee (hard-capped on-chain), and sweeps postoffice revenue. Domain ownership itself is proven off-chain: the domain-sithbit service checks a DNS TXT record and co-signs with the postmaster key — so both the verifying agent and the authorizing key are, today, single points of trust.
The on-chain design already bounds the worst outcomes: the stamp fee is
capped (MAX_POSTOFFICE_STAMP_FEE_LAMPORTS), postage settles directly to
recipients and operators without passing through the postoffice, and rent
always returns to whoever paid it. What a compromised or coerced postmaster
key can do is deactivate domains — halting relayed mail for their
mailboxes until reactivation — and refuse to authorize new ones.
Wallet-to-wallet mail between bare pubkeys needs no domain and keeps
working regardless.
Operationally, the postmaster key should be held in a multisig, and deactivation is deliberately a reversible toggle rather than a close.
Message metadata is hashed, not hidden
No SithBit instruction or account carries an address string. A
message account stores the sender wallet, a blake3 hash of the
normalized from address (the frombox seed), the timestamp, and the
IPFS CID; the recipient appears only as the wallet the account’s PDA
seeds on, and the frombox instructions likewise carry the hash. The
human-readable From:/To: headers exist solely inside the sealed
body, readable only by the recipient’s key.
What a chain observer still learns — and should be treated as public:
- wallet-level flow: which wallet received mail, when, and which
sender wallet paid for it (accounts, signatures, and timestamps are
inherent to the chain, and history outlives
DeleteMail); - hash linkage: the same
fromaddress always hashes to the same value, so an observer can correlate “this sender identity again” and can confirm a guess of a known address by hashing it — the hash hides the string, it is not resistant to a dictionary of candidate addresses; - the CID of the sealed body (fetching it yields ciphertext).
What the observer no longer gets is the address book itself: reading
who-mails-whom as alice@corp.com → bob@example.org now requires
already knowing both strings.
Frombox custody favors the recipient
Two behaviors follow from the frombox being the recipient’s account (see Closing accounts):
CloseFromboxreturns the entire balance — rent and any unused prepaid stamps — to the recipient, not to whoever funded them. This is the recipient’s remediation against a sender who stockpiled cheap stamps before a price hike (raising the price never revalues stamps already bought; closing the frombox seizes them). The flip side: buying stamps for someone else’s frombox is a gift with no refund path. Fund a frombox only as generously as you trust its owner.- Anyone can transfer extra lamports into a frombox PDA directly. The
per-send value moved onto a message is
(balance − rent) / stamps, so a topped-up frombox inflates each remaining stamp’s settlement value — at the topper’s expense, to the recipient’s (and operator’s) benefit. Not an attack on anyone else’s funds; just don’t send lamports to a frombox except throughAddStamps.
What is enforced on-chain
For contrast, the guarantees that need no trust in any operator: PDA
ownership and derivation checks gate every lamport move; only the recipient
can reprice a frombox; only the sender or recipient can settle a message;
stamp arithmetic is overflow-checked (a u64::MAX price is an effective
per-sender block); the stamp fee is capped; and every account class has a
close path that returns rent to its recorded payer.