All systems operational
v0.1.0-alpha
Core Engine · Protocol Gateway · Identity Layer

Mail infrastructure engineered for the machine age.

Hermers is not a client. It is the programmatic substrate beneath every client ; speaking IMAP, SMTP, JMAP, gRPC, REST, and MCP simultaneously against a single, authoritative source of truth.

0.4ms p99 sync latency CONDSTORE COMPLIANT
99.99% uptime SLA
6 storage backends S3 · R2 · GCS · MINIO · AZURE · FS
1:1 exactly-once delivery TRANSACTIONAL OUTBOX
5 subscription tiers FREE → ENTERPRISE
// ACCESS.LAYER ALL ACTIVE

Four access modes. One source of truth.

Whether you're wiring up a legacy email client, building an AI agent, or shipping a real-time dashboard ; Hermers speaks your protocol. Every access mode reads from and writes to the same authoritative data layer.

REST API

Direct HTTP integration

Standard JSON over HTTPS. Full CRUD for every resource. Cursor-paginated responses. Works with any HTTP client in any language.

  • Mail, mailboxes, contacts, calendars, appointments
  • Cursor pagination with stable ordering
  • Structured 4xx/5xx error bodies
  • OpenAPI spec + TypeScript types included
gRPC

Streaming. Bidirectional. Low-latency.

Persistent HTTP/2 connections for real-time notification and bulk operations. Protocol Buffers for efficient binary transport.

  • StreamMessages ; live mailbox updates
  • StreamAvailability ; real-time free-busy
  • TLS mutual auth for agent workloads
  • Sub-millisecond event notification
Model Context Protocol

Tools your AI agents can trust.

Native MCP server via stdio transport. LLMs call structured tools without touching raw message content. Scoped keys enforce exactly what each agent can see.

  • hermes_list_messages, hermes_send_message
  • hermes_get_availability, hermes_book_appointment
  • hermes_search_contacts, hermes_list_events
  • Zero raw PII enters the context window
Native Protocols

Your existing clients. Zero config.

Connect the tools your team already uses. Apple Calendar, Thunderbird, Outlook, GNOME ; they all speak the protocols Hermers speaks natively.

  • IMAP :993 / SMTP :587 for mail clients
  • JMAP /v1 for modern programmatic access
  • CalDAV for calendar applications
  • CardDAV for contact managers
// PROTOCOL.LAYER RFC VERIFIED

Any protocol in. Any client out.

Hermers speaks every major open standard simultaneously. Legacy clients connect to native IMAP and SMTP with zero configuration. Modern systems use JMAP or gRPC for structured, high-throughput access. AI agents use MCP.

IMAP4rev2 RFC 9051 SMTP RFC 5321 JMAP RFC 8621 CONDSTORE RFC 7162 QRESYNC RFC 5162 RFC 8514 SAVEDATE RFC 8474 EMAILID RFC 4314 ACL gRPC / HTTP2 Protocol Buffers MCP stdio CardDAV RFC 6352 CalDAV RFC 4791 vCard 4.0 RFC 6350 iCalendar RFC 5545 DKIM + DMARC + SPF MTA-STS RFC 8461 DANE RFC 7671
// CAPABILITY MATRIX ALL VERIFIED
DKIM + DMARC + SPF
Per-domain signing keypairs provisioned automatically. DMARC aggregate and forensic reports ingested and surfaced in the console.
MTA-STS + DANE
RFC 8461 MTA-STS policies cached and enforced on every outbound relay. DANE TLSA records validated per RFC 7671 on delivery.
Sieve + ManageSieve
RFC 5804 ManageSieve server. One active Sieve script enforced per user. Vacation auto-responder deduplication per RFC 5230.
BIMI
Brand Indicators for Message Identification ; policy cache, VMC URL resolution, and logo delivery pipeline included out of the box.
CONDSTORE + QRESYNC
Reconnect after any disconnection without a full mailbox rescan. Clients compute their differential against the current modseq and request only what changed.
// DELIVERY.ENGINE STREAMING

Delta-sync. Not full-scan.

State divergence is resolved with a single integer comparison. No full mailbox rescans, no wasted bandwidth. Clients compute their differential against the current modseq and request only what changed.

RFC 7162 · CONDSTORE

Delta-Sync Engine

A monotonically increasing per-mailbox modification sequence drives incremental synchronization for both IMAP CONDSTORE and JMAP changes ; in a single round-trip.

  • Per-mailbox modseq counter, bumped on every meaningful write
  • Tombstone tracking for deleted mailboxes ; clients learn of removals without rescanning
  • IMAP QRESYNC: full resync after reconnect with uid, modseq, and known-expunged sets
  • JMAP RFC 8620 §5.2: Mailbox/changes, Email/changes, Thread/changes in one request
EXACTLY-ONCE

Transactional Outbox

Every downstream event ; webhook, gRPC push, Kafka relay ; is written atomically with its originating state change. If the transaction rolls back, the event is never published.

  • Kafka relay polls unsent rows on a hot partial index for zero-latency pickup
  • OpenTelemetry trace IDs threaded through every outbox row for distributed tracing
  • 7-day GC on acknowledged events ; full audit trail without unbounded table growth
  • Tenant and privilege-change events auto-emitted, no application code required
// IDENTITY.LAYER ISOLATION ENFORCED

Isolation at the infrastructure layer, not the application layer.

Tenant boundaries are enforced by strict data isolation policies ; not middleware, not application logic. An unset session variable returns zero rows by design. There is no application path to cross-tenant data.

MULTI-TENANT

Personal & Team Tenants

A personal tenant is provisioned automatically at signup. Team tenants own multiple users, shared domains, and billing. Every resource is scoped and isolated at the row level.

  • Five subscription tiers: free, starter, pro, business, enterprise
  • Team invitations with preset roles ; admin, member, readonly ; plus custom permission overrides merged at acceptance
  • Argon2id password hashing, TOTP 2FA, and a per-user audit trail out of the box
  • User preferences auto-provisioned at creation. Sensible defaults on day one.
OPENDAL

Backend-Agnostic Storage

Message bodies, attachments, and calendar objects are stored as SHA-256 hashed blobs via OpenDAL. Swap backends ; in any environment ; without touching application code or migrating data.

  • Supported: local filesystem, S3, MinIO, Cloudflare R2, GCS, Azure Blob
  • Encrypted at rest by default. Backend, bucket, and object key abstracted behind a single pointer row
  • Content-addressed deduplication: identical payloads produce identical hashes
  • MIME type, size, and encryption state tracked alongside every object pointer
// QUICKSTART CLI · SDK · API

From zero to production in minutes.

Install the Hermers CLI, initialize a tenant, and start sending and receiving mail with your first API key. No credit card required for the free tier.

// TERMINAL ; INIT & KEY PROVISIONING BASH
# Install the CLI
$ curl -fsSL hermes.io/sh | sh
hermes v0.1.0 installed

# Initialize a tenant
$ hermes tenant init --name "acme" --plan pro
Tenant T0Xe2f4a3... initialized
IMAP ready at imap.hermes.io:993
SMTP relay active on :587
REST API at api.hermes.io/v1

# Provision an API key
$ hermes keys create --name "agent-prod" --scope mail.read cal.write
Key K0X9a1b2c3... created
Scope: mail.read cal.write
Copy this key ; it won't be shown again.
// REST API ; SEND YOUR FIRST MESSAGE TYPESCRIPT
import Hermers from '@hermes/sdk';

const client = new Hermers({
  apiKey: process.env.HERMES_KEY,
});

const msg = await client.mail.send({
  from: 'you@acme.io',
  to: 'alice@example.com',
  subject: 'Hello from Hermers',
  text: 'Infrastructure that just works.',
});

console.log(msg.id); // M0Xf7e8d9...
// TIER.MATRIX 5 TIERS

From hobby to hypergrowth.

Every tier runs on the same infrastructure. Enterprise overrides are provisioned instantly ; no redeployment, no support ticket required.

Feature Free Starter$4 / mo Pro$29 / mo Business$249 / mo EnterpriseCustom
Email Accounts (Mailboxes) 1 5 25 150 Unlimited
API Requests / min 60 300 1,000 5,000 Unlimited
Sends / day 0 1,000 10,000 100,000 Custom
Storage 1 GB 10 GB 50 GB 500 GB Custom
Access Modes REST + Native REST + gRPC + Native All modes All modes All modes
Webhooks - 5 endpoints 20 endpoints Unlimited Unlimited
MCP Access - -
SLA Best effort 99.9% 99.95% 99.99% Custom

All tiers include: tenant isolation, Argon2id auth, TOTP 2FA, DKIM/DMARC/SPF, MTA-STS enforcement, delta-sync, and the full protocol suite.

// FOR DEVELOPERS

Start with a free tenant.

Deploy a programmatic mailbox in under five minutes. IMAP, SMTP, JMAP, REST, and MCP available immediately. No credit card required.

Initialize Tenant →
// FOR ENTERPRISES

Custom quotas. Dedicated infrastructure.

Unlimited sends, bespoke storage limits, quota overrides provisioned without redeployment, and direct engineering support from day one.

Contact Sales →