Need help with heimdall?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

479 Stars 23 Forks MIT License 114 Commits 4 Opened issues


Self-hosted personal email guardian with one-step deployment

Services available


Need anything else?

Contributors list


Build Status Maintainability Test Coverage

Heimdall is a self-hosted email alias/forwarding service. I built this as a privacy tool to fight spam and also better manage access to my personal email address. As a self-hosted and self-managed service, you have complete control over your data. With 3rd party email forwarding services, you are forced to trust a company with your emails.

This has also been a really fun project for me to learn more about AWS and the Serverless framework.

Check out: How I built Heimdall, an open-source personal email guardian.

Changelog can be found under Releases.


  1. With Heimdall, you completely own and manage your data and the service. No feature limitations or having to trust a third-party company with your data.
  2. Heimdall is meant for individual users to deploy and use and contains user-friendly setup instructions.
  3. Heimdall is easy to run - it utilizes the idea of serverless computing, so there is zero server configuration or provisioning.
  4. Heimdall is easy to deploy - it uses the Serverless framework (not to be confused with small-letter serverless in Point 3 above) so you can deploy with a single command.



  1. Receive safely: Receive emails on single-use aliases and forward them to your personal inbox.
  2. Reply anonymously: Reply to emails from your alias without revealing your personal email address.
  3. Attachments: Attachments are supported on incoming and outgoing emails (subject to size limits - see below).
  4. Email commands: Manage your aliases through email directly - no separate app or website required.
  5. Usage stats: Easily check the usage stats of each alias.

Receiving emails

Heimdall operates as a whitelisting (default-deny) service. All incoming emails to your domain are rejected by default unless they are to valid aliases. Emails received on valid aliases will be forwarded to your personal email address.

Forwarded emails will preserve metadata information, such as any other recipients in the "to" or "CC" headers.


To reply, simply reply normally to the received email. Other recipients in the original email will not receive your reply.

You may include other recipients in the "to" and "CC" list, either by manually inserting them, or using "reply-all".

Note: If you do that, you will disclose your email address to them. However, the original sender will still not be able to see your email address, provided you are replying to the original sender through the alias. The original sender will also not be able to see the other recipients.


Attachments are supported, although size limits apply to the entire email message. This is a hard limitation imposed by AWS and cannot be circumvented. See Limitations below.


To interact with the service, send a single email to one of the following email addresses.

Generate an alias


[email protected]
with the description as the subject. You will receive the generated alias as a reply.

The description lets you identify an alias and its use. E.g. "Sign up for Service X".


List aliases


[email protected]
. You will receive a list of all aliases as a reply.

Dev note: This reads up to a maximum of 1MB of data (due to AWS's limitations).

Remove an alias


[email protected]
with the alias as the title (case-sensitive). You will receive the operation outcome (success/failure) as a reply.

Usage stats


[email protected]
with the alias as the title (case-sensitive). You will receive usage information for the particular alias.

Supported usage stats:

  • Alias creation date
  • Emails received
  • Emails sent
  • Date of last received email
  • Date of last sent email

Update an alias

Coming soon - not supported yet.

Known Limitations

Received emails must be <30MB. Outgoing emails must be <10MB.


Pre-requisites: You need to own a domain and have an AWS account. For reasonable use cases, you should not exceed AWS's free tier (which is very generous).

Optional: To be able to reply to emails, you need to request AWS Support to un-sandbox your SES account.

  1. Add and verify your domain in AWS Simple Email Service (SES).
  2. In AWS's SES console, generate a set of SMTP credentials. Take note of that, and also your connection information on SES's "SMTP Settings" page.
  3. Populate required environment variables in
    , and rename to
    . It is important that
    matches your personal email exactly.
  4. Run
    yarn global add serverless
  5. Run
  6. Set up Serverless, then run
    yarn run deploy-prod
  7. Add a receipt rule in SES to trigger your S3 bucket (created in step 6). For "recipients", enter your domain name (e.g.
    ). Preferably, name your rule descriptively (e.g.

Development (optional)

If you want to build new features or tweak existing features, you can set up a parallel development environment that runs alongside production (above).

  1. Ensure that the
    environment variable is set in
  2. Run
    yarn run deploy-dev
    . This creates a parallel development CloudFormation stack.
  3. Add a new receipt rule in SES before your production rule to trigger your development S3 bucket. For "recipients", enter the same test subdomain as you set in step 1 (e.g.
    ). Preferably, name your rule descriptively (e.g.

Note: You need to update your DNS records for
as you did when verifying your domain for AWS SES.


To run migration scripts, first compile using

tsc scripts/migrate_vX.ts
, then run using
node scripts/migrate_vX.js

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.