The problem Basemail solves

Email owns the internet

What is the most important account you have online? The account that if it got hacked or you lost access to it, it could cause the most pain and headaches for you.

If your answer isn't your primary email account, then you either have really good opsec, a large amount assets in crypto, or you didn't consider that: Email owns the internet. A common answer might be an online bank account, but you can regain access to that via email.

The problem with email

Ok, so we use our email address as our primary access control mechanism for most of the internet. So what? It works. Email is an old, tried and true technology, and one of the killer use cases of the internet. Major tech companies have created scaled, secure infrastructure all the while giving you an account for free.

Therein, lies the rub. Email itself, like the internet, is a (set of) decentralized protocol(s). However, in practice, it has become centralized around a few large providers. Most companies, let alone individuals, get email services from a major provider. The cost / benefit analysis of running your own server doesn't make sense for most people. It's also become much harder to run a mail server without getting blacklisted, so what's the point?

Centralization of email, like with banking and social media, provides many conveniences and allows for economies of scale. The downside is you give up control, control over accessing the account and control of your data. Without control over access, they can shut you out. Without control over data, they can use/sell/disclose it.

Make email decentralized again

Basemail is a first step towards a vision of a making email more decentralized again. It allows users to own an email account with a Coinbase smart wallet (providing good UX and recoverability). It relies on a centralized provider hosting the mail account still, but we cannot shut your access off without shutting down the service. Future versions hopefully do more.

Challenges we ran into

We ran into several challeneges during the buildathon, which slowed us down executing the vision. We started the project with a decent idea for what components would be needed, but the integration points proved to be more difficult than expected.
The biggest challenge was finding a mail server stack that would work for our intended design and could be configured or modified to support Basemail authentication (ownership of an NFT proved via SIWE). Most mail servers allow you to use username and password auth or support using an OIDC provider for external auth. We originally considered using OIDC since it would be external. Spruce provides a hosted SIWE OIDC provider. However, it only supports Ethereum, Polygon, and a couple other older chains. No big deal. Their implementation is open source, and we could fork it. OIDC requires a redirect to be implemented on the web client and makes handling the state between wallet / auth a bit tricker. After much research, we found Stalwart Lab's Mail Server which is a modern implementation written in Rust, which we felt confident enough to make small modifications to. It leverages the newer JMAP mail protocol which can be accessed from the web client a simple API and has it's own OAuth server built-in for creating session tokens for users. We ended up being able to use a basic custom SIWE auth server that provides the user with a JWT access token and then being able to provide that plus and account ID to the mail-server to receive a second JWT access token for the mail interactions. The security of this implementation could probably be improved, but it accomplished our goal of allowing wallet authentication and checking NFT ownership to determine access control for an email account.

Due to time constraints, we weren't able to build a fully functional mail client, but the app does prove the concept of creating a mail account and accessing it using a smart wallet.

Reused some code for the Auth server API.