Cock-mail — yeah it's webmail with cocks

est. 2026

About

Cock-mail is the world's first fully client-side webmail client. It's what webmail should have been. Cock-mail connects directly to IMAP and SMTP over WebSockets and manages the entire session in your browser from start to finish. This approach eliminates a broad stroke of security risks you take every time you use a server-side webmail application. Instead of relying on a crusty PHP or C backend to log in for you and manage client state, cock-mail speaks mail protocols natively and skips the middleman.

Another problem with webmail is the issue of how to convert an HTML e-mail into something that can be safely displayed in browsers. This is a hard problem and has been the source of innumerable XSS vulnerabilities in existing webmail applications. Cock-mail addresses this by refusing to convert HTML to anything other than plaintext. More specifically its HTML converter uses DOMParser to parse HTML message parts, extract links, and convert the untrusted code to plaintext with innerText. This way the features of modern browsers designed to handle untrusted input are used for their intended purpose.

This is not a hobby project; it's developed so our own users can access webmail. We shut down our previous choice of software after we briefly audited it and decided it was too dangerous to use. If we had another option we would have deployed it as a replacement. Extensive research over several months came up with nothing that met our requirements and so we started writing cock-mail instead.

Cock-mail's developers strongly believe the best e-mail client is a desktop client and aim to replicate one.

Features

Cock-mail is in beta state. It can send and receive mail but there's no filter support yet. Here's a list of interesting features:

IDLE support (watch for updates on new/deleted mail)
Mark messages as Un/read, Un/flagged, and Deleted
Move and copy messages
Bulk mail controls with checkbox or Ctrl/Shift select
Convert HTML e-mail to plaintext and show extracted links
MIME decoding, split into inline/attachment parts
Display images/videos/messages inline or as attachment
Vew message headers, full source, and download message to file
Complete charset support (intl+unicode headers, body, filenames)
Management of locally stored data
Receive notifications on new mail
Mobile/portrait layout
Send e-mails with attachments
Create/Delete/Rename/Reorder mailboxes

Here's the rough order new features will arrive in:

NOTIFY support (watch for updates on flag changes + multiple folders at once)
Decrease RAM usage (load bodies into ram only when opened
Complete offline support (no errors, download all mail, outbox)
Horizontal mailbox view (one line per message)
Filter support (v1.0 goes here)

These features will never be added to cock-mail:

Rich HTML formatting (HTML is converted to plaintext)
Remote images/content

Screenshots

Click on an image to enlarge it.

Screenshot: cock-mail showing two inline images

Screenshot: cock-mail showing an e-mail containing another e-mail as an attachment

Screenshot: cock-mail showing a message being composed and sent

Download

Current version: 0.3.2 (beta)

Cock-mail is a single HTML file. If you are connecting to existing WebSocket endpoints all you need is view-source:https://mail.cock.li/. Configure your endpoints at the bottom of the file.

If you would like to deploy cock-mail for access to a mail server without existing WebSocket support, you can download the complete package. It uses docker to build a base image from scratch and docker compose to build and deploy a patched version of websockify which adds support for --haproxy=2 and --ssl-target-name=mail.example.com. Using docker isn't necessary and if you know what you like you're probably smart enough to figure it out.

cock-mail-0.3.2.tar.gz (270KB, 54KB compressed)

Complete build instructions can be found in README.txt.

Cock-mail is free to use under a broadly permissive license you can read at the top of index.html.

Donate

You can support the development of cock-mail by donating to cock.li.

Updates

0.3.2 — 2026-02-22

Fix a bug where new mail doesn't automatically appear if latency is high enough

0.3.1 — 2026-02-21

"View Logs" prompt with loglevel filtering, download, copy, and "send to support" features
Switch to internal logging, increases performance over console.log
Add literal support to LIST parser and mailbox escaping. You can now use a mailbox named \\\\"""\"\""\\"""\"\""\.
Load mailboxes faster
Load all templates at init
You can now send e-mail to addresses without an '@' (mail server supporting)
Fix a bug saving mailbox order
Fix a crash when a command is queued while waiting for initial IDLE response

0.3.0 — 2026-02-18

Display subfolders in tree format
Create/Delete/Rename/Reorder mailboxes
Basic support for IMAP Namespaces
Flag controls (Un/read, Un/flagged, Delete)
Filter (for now) unsolicited CONDSTORE responses. Fixes a crash when you receive a message while fetching that mailbox.
Make some ImapClient methods generic
Remove initImap() as it was implemented into the views. A generic example showing how to use ImapClient etc. will be added one day.

0.2.0 — 2026-02-16

Send e-mails with attachments
Account settings (name, signature, reply top/bottom, reply signature)
Rework views to use templates
Formally close SMTP connections
Portrait view improvements
Decode MIME parameters at the end of continuations, fixes a bug where a filename containing unicode characters split across MIME parameter continuations decodes incorrectly

0.1.0 — 2026-02-12

Send e-mail with SMTP
Save sent messages to the Sent special-use mailbox (create if needed)
Reply/all/list, forward, and compose links
Prompt to re-enter password if you didn't save it

0.0.6 — 2026-02-07

Add handlers for the different response types. This means in the future mailboxes can build one by one instead of adding all messages at the end.
Rework response buffer to keep bytes instead of text. This fixes a bug where unicode characters broken across two websocket messages would break the client.
Connection management (disconnect, reconnect, logout)
Notifications on new mail
Migrate storage to indexedDB and auto-delete localStorage
Message bodies are now stored thanks to fatter storage
Storage Management screen showing bytes used and ability to delete individual databases
Mobile/portrait layout
Queue all commands and responses. Fixes bugs like undefined behavior if you click a message while a new mailbox is loading.

0.0.5 — 2026-01-29

MIME decoding and display. More or less implements RFCs 2045, 2046, 2047, 2183, and 2231.
Inline and attachment view of message parts
Image/Video/Message embedding and display
Convert HTML e-mail to plaintext and extract links
Download raw e-mail to file
Settings window to disable media rendering

0.0.4 — 2026-01-25

Bulk mail controls (Mark un/read, Trash, Delete)
Ctrl/Shift message select support
Message counts for current mailbox
Toggle raw headers

0.0.3 — 2026-01-24

Set Message flags (only Unread, Deleted)
Make use of mailbox special use flags (like \Trash)
Move message to Trash (and create if needed)
Fix handleResponseBuffer performance
Fix random IDLE breaks

0.0.2 — 2026-01-23

RFC 2047 MIME encoded-word support
Correct byte reading for UTF-8 Content-Type support

0.0.1 — 2026-01-20

Initial Release