On July 18, 2019, more than 350 people received a letter telling them their vision would expire.
They were blind, with a genetic condition called retinitis pigmentosa. “Second Sight Medical Products” charged $150,000 to wire their eyes back up.1 For a time, it worked. The blind saw: differently from sighted people, worse, but that was something.
The letter announced their implants were obsolete and “Second Sight” was moving on towards a new goalpost, an “Orion” brain implant.2 Tracking the timeline since then turns up two articles3 4, both of which orbit the merger. Said articles don’t convince me the Argus II patients got the required support in the end.
The way I see it, no switch was flipped and the process was quieter, “cleaner”: most of the staff who knew the system were laid off on 30 March 2020.2 5
That makes me wonder who would, with no schematics, source code, or permission, supply the replacement parts and fix the software bugs. The electronics we manufacture don’t last indefinitely; eventually they will fail and the implant in the eye will have nothing to talk to. According to their written statement, they would “do our best to provide virtual support”.2
I keep thinking about the patients who were faced with such treatment. This pattern has become routine, though rarely this visible, which is why I chose it.
The data issue
The architecture that failed the Argus II patients is the same architecture that is, most probably, holding up your data. Your data is your livelihood. It’s your personal and business projects, your family history, the contacts of friends who left your city. It’s a side of who you are.
Autonomy, in terms of data, is the set of load-bearing walls defining your relationship with the world. You are autonomous when you have the continuous ability to operate when services vanish. Some promise to replace those walls with something better, but what arrives is often just a prettier facade we call convenience.
This autonomy cannot be emotional. Feelings lie. Consider the levers for misdirection: the hype cycle, FOMO, the social pressure. Watching crowds celebrate new plastic and glass under a brand reminds me of the cargo cults building bamboo planes to summon food. Data autonomy is not a fleeting intuition of freedom, because intuition is built for speed, not for accuracy. And while some celebrate the veneer, the actual load-bearing walls come down silently, one after another.
Let me ask you some rhetorical questions.
- Do you self-host, or do you keep your data on the computers of some public provider?
- Do you have an exit strategy? Can you leave your data providers without losing what’s yours?
- What is your degree of dependency on each specific service?
- How safe are you if a service you depend on suddenly fails or is erased entirely?
- Are you fully aware of every shifting rule in your service provider’s TOS? Do you read them on each update?
- Can you confidently work with your data in any way you want without asking for permission?
- Can you use any software you want anytime to work with your data however you want?
- Can you keep your own life’s history in a form you have actual control over?
The nonchalance issue
What bothers me is that most people I talk to are unbothered.
Someone recently described, with the calm of someone discussing the weather, a future in which everyone would eventually be required to be implanted with some form of invasive tracker. What struck me wasn’t the prediction. It was the pre-acceptance.
When I expressed my concern about our society’s direction to one of my friends, without either disclosing the first person’s identity or hinting at it, their response was that it might become a social good. While I was expressing my disapproval, I was told that we, essentially, wanted the same thing, and that we were just putting an emphasis on different things.
What happened to more than 350 “Second Sight” patients may very well be happening to the rest of us, slower, through silent decisions.
So, I would like to put my emphasis on certain things in writing, because I think there are steps we can take, things we can improve. Small, specific, actionable.
Today’s step
Consider hosting your own email server. Email remains one of the rare places where digital autonomy is still within reach, and I’ve found it’s more achievable than it seems. I’ve been practicing my own advice for years, detailed in “How I got here”.
Two people on their own infrastructure can reach each other across
organisational boundaries. The protocol’s original federated
intent survives the artificial barriers, piled up over decades. That
capability isn’t a policy add-on: it’s baked into the
address format itself. The address format, user@domain,
declares federation as part of the identifier. You cannot have an
email address without naming who federates on your behalf. This
federation means email servers on different domains communicate
directly, without going through a central provider.
To be clear: this is an essay about communication methods, self-hosting, how digital autonomy has shifted, and what I learned migrating to Stalwart. It’s not a manual and not step-by-step instructions, but my impressions from the journey. NixOS and Stalwart are documented, and I may work on my own guide if the need arises.
The passport from a small nation
Politeness only gets you so far when you’re crossing borders. Self-hosting email remains possible, though increasingly adversarial, because digital autonomy has become contested ground.
Some of the barriers are anti-spam measures doing real work. Others are the shape large providers prefer. Separating the two is harder than it should be.
You can think of IP reputation systems and
SPF/DKIM/DMARC as de facto
requirements. I can’t stop wondering if they solve anything,
wondering about feature creep
and compliance theater. The enforcement of the
newer email requirements sits with a handful of large providers.
They’re harder (albeit slightly) to set up if you self-host,
because you need to learn to imitate the large providers and play
their game. Deliverability policies treat every
“suggestion” like a houseguest who arrives with a suitcase
and starts rearranging your furniture.
- SPF was optional, then it wasn’t.
- DKIM was encouraged, then expected.
- BIMI is being pushed, VMC certificate in hand6.
These protection mechanisms resemble security theater more than well-thought-out solutions, prioritizing compliance over genuine reliability. I have learned to be polite but firm with houseguests.
Email is not unique in this regard. There were beautiful ideas for global networking once, like Xanadu, a global library catalogue of everything, connected and free. HyperCard was also one of the predecessors of the modern Web, which I regret learning about only recently. And research confirms Big Tech tracks users even when they opt out7. We’ve got something closer to a shopping mall that happens to contain a tiny library, except the librarians are recording your every move to have the ability to spam you for life, selling your data to other malls, and you need a loyalty card to enter.
Both patterns, the tracking and the compliance theater, carry the distinct smell of enshittification that moves value from users to platforms.8 9
The Overton window for digital autonomy shifted long ago. This isn’t irreversible: windows can be pushed back. Independent servers demonstrate that ownership can be reclaimed. Public discussion reframes the debate from “convenience versus security” to “control versus dependency”. Each new server makes it progressively harder for providers to treat small senders as anomalies, gradually normalizing user sovereignty.
The standards themselves are published for anyone to read, but checking the compliance boxes may not always guarantee your emails will reach their destination.
Running your own email is like holding a passport from a small, principled nation that most countries have never heard of. There are major powers that run the border checkpoints. They won’t refuse your mail outright, that would be undiplomatic. But they will inspect your luggage thoroughly, ask you to fill out forms in triplicate, and occasionally lose your correspondence behind a filing cabinet because you didn’t purchase the optional “trusted traveler” badge.
I keep a mental ledger of barriers, sorted by pedigree.
- Natural: spam filters, rate limiting, the basic impoliteness of sending mail from an IP that was, until last Tuesday, a compromised WordPress instance.
- Artificial: VMC certificates, brand indicators, DMARC policies that shift like tax codes.
- Mixed: DKIM, which had some signs of a sensible signature system and has metastasized into a compliance theater where the script may change between acts.
Clearing these barriers brings you to the border, but even then,
it’ll be a partial escape. In his 2014 article “██████ has most of my email because it has all of yours”10, Benjamin Mako Hill shows that more
than half of his emails pass through ██████: 57% of
messages he replied to in 2013, a proportion that’s exceeded
one-third since 2006 and over half since 2010. It is weird to apply
terms like “market share” to our ability to communicate to
each other, and yet… █████’s market share means that running
your own server is, statistically, shouting into a room where one wall
is a two-way mirror and the voyeurs are taking notes for advertisers.
It exempts you from being a company product, but not from being
tracked deep within a company’s infrastructure. There is, as the
saying goes, no cloud, simply other people’s computers. I find
it useful to remember this when I am told that my data lives “in
the cloud”, as though it had floated up to heaven rather than
being warehoused in some facility. It is subject to terms I did not
write, by a company whose quarterly earnings depend on my continued
participation.
Replicating Mako Hill’s measurement is complicated by the fact that I am not Mako Hill. He measured a typical academic inbox in 2013; I measure, among others, a narrow slice of technical correspondents and Asian site registrations. The methodology is identical. The sociology is not.
I ran a similarly designed script against my primary mailbox, the one
where spam filtering happens upstream, so the
1,536 messages represent actual correspondence rather
than the usual detritus of modern email. Only 37 carried
the border checkpoint operator’s address in the
From field: a neat 2.4%. The real figure is
614 messages, or 40%: wrong by a factor of
nearly seventeen if you trust the envelope. Restricting to handwritten
mail (the 1,239 messages without
List-Unsubscribe headers), that major power still touched
467, or 37.7%. I pay for a server, I
maintain the server, I configured every DKIM selector by
hand, and more than a third of my private correspondence passes
through the gatekeeper anyway.
How I got here
Modoboa
Modoboa works.
It’s a machine assembled from off-the-shelf parts that fit together, sometimes tightly, sometimes loosely: Postfix, Dovecot, Django, some jQuery on the frontend. You maintain it. You dig inside. You break it, tune it, and learn its shape. The parts are recognisable and the internals are open to you, which is a real virtue I won’t deny.
But the abstraction points you inward. You end up thinking about the machine, about which piece is misconfigured this week, which migration broke something during the update. The interface doesn’t invite you to consider that you could be automating anything. An important API, JMAP, doesn’t even appear in the current Modoboa docs as of April 19, 2026. The tool shapes the question, and the question it shaped for me was “how is this thing put together?”.
From maintenance to composition
To start a comparison, Stalwart is simply a different abstraction. It just lands on Nix, gives you an admin interface, and the interface turns your attention outward: not toward the internals (which are still reachable) but toward what you can practically do with an email server. Things like “tossing mail between directories”, “writing a small script that measures something”, “building toward semi-automated control without asking permission”.
This distinction applies well beyond mail servers. Tools that surface their internals invite you to become a maintainer of the tool. Tools that surface their capabilities invite you to become a composer of your own workflows. Both are legitimate relationships, and neither is lazier than the other. The question is only ever: “where would you like your curiosity to be spent?”.
For the last few years, mine had been spent on Modoboa’s internals, and I hadn’t noticed. The migration to Stalwart took an afternoon, with a day after to tidy things up. I spent the next day waiting for something to break. It didn’t. I found this slightly unnerving, the unnerving part being that I suddenly had an evening free to think about what to do with the mail, rather than with the server.
Stalwart
When I was stressed about a Modoboa update, a friend had mentioned Stalwart; I tried it, and the fresh backup restoration was easy enough. Without that suggestion, I would likely still be performing elective surgery on Modoboa, swapping out its organs one by one in the optimistic belief that I might eventually assemble something to my taste.
I have started to think of Stalwart as the digital equivalent of a water pump: unglamorous, but when you turn the handle, water arrives. And the thing is, all of us need water.
Trying Stalwart reminded me that the best tools are often the most boring. If you happen to make software, please put as much effort, or more, into coding and testing your software to make it boring.
Why JMAP matters
Boring software becomes powerful when it offers a straightforward interface. Stalwart’s commitment to JMAP is what makes boring software great.
“We should have some way of coupling programs like garden hose.”
The Unix philosophy, distilled in Doug McIlroy’s 1978 memo, tells us to “make each program do one thing well” and to “expect the output of every program to become the input to another, as yet unknown, program”. It warns against “stringently interactive input” because, without established data exchange standards, interactive programs such as editors, REPLs and TUIs compose poorly. They become monoliths by default, but design choices such as an internal scripting language, a clear API, and the ability to compose with other programs make them great.
Email has always been an interactive application. IMAP reflects this: it smuggles client-layer assumptions into the protocol, along with some composition and rendering concerns that leaked downward into the data layer. Any “IMAP client” ends up reimplementing a whole session-management ghost that belongs to the previous client you used. The boundary between the data and the interface isn’t just awkward; it’s absent.
JMAP is request-response JSON over HTTP. The protocol doesn’t
know what a pixel is, which is precisely what lets the interface be
swapped without touching the data. The interface is not privileged.
The data is. You can do whatever with it: hit it with
curl, pipe it through jq, feed the result
into a shell script, show a widget using the JMAP data, use a TUI you
wrote in an afternoon, a voice synthesizer, or eventually, heck, some
kind of neural interface when these become the new black.
When a protocol is awkward enough, the monolithic client bundle wins by default because writing your own is too expensive. When the protocol is clean enough that a shell one-liner is a legitimate client, the bundle stops being load-bearing. You can keep it if you like it. You can discard it if you don’t. The software stops deciding for you.
This is the same argument as the federation point at the top of this piece, one layer down. Federation at the address level means no single provider decides who you can talk to. Protocol-level addressability means no single client decides how you read. █████ holds both levers. Stalwart + JMAP hold neither on your behalf.
I wrote the checkpoint-participation measurement above as a short Python script against the JMAP endpoint. I toss mail using the terminal from another one, gradually working towards semi-automated control and an automated backup strategy. Neither tool is clever: I simply stare at the CLI, think of what I actually want to do, and it gets done. Both exist because the protocol didn’t fight me and lets me iterate on small things quickly.
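As an added illustration (not the author's script, which the essay does not reproduce), here is one way the checkpoint measurement and the "request-response JSON over HTTP" point could be expressed with JMAP's Email/query and Email/get methods. The provider domain bigmail.example, the definition of "touched" as a provider host in a Received hop, and the sample messages are assumptions constructed for the example.

```python
import re
PROVIDER = "bigmail.example"  # placeholder: the essay redacts the provider's name

def build_request(account_id, limit=2000):
    """One JMAP round trip: Email/query, then Email/get through a back-reference."""
    return {
        "using": ["urn:ietf:params:jmap:core", "urn:ietf:params:jmap:mail"],
        "methodCalls": [
            ["Email/query", {"accountId": account_id, "limit": limit}, "q"],
            ["Email/get", {
                "accountId": account_id,
                "#ids": {"resultOf": "q", "name": "Email/query", "path": "/ids"},
                "properties": ["from", "header:Received:asRaw:all",
                               "header:List-Unsubscribe:asRaw"],
            }, "g"],
        ],
    }

def _is_provider_host(host, provider):
    # Match the domain itself or a subdomain, never a look-alike suffix.
    host = host.lower().rstrip(".")
    return host == provider or host.endswith("." + provider)

def from_is_provider(email, provider=PROVIDER):
    return any(_is_provider_host(a["email"].rpartition("@")[2], provider)
               for a in email.get("from") or [])

def relayed_by_provider(email, provider=PROVIDER):
    # Assumption: "touched" means a provider host appears in a Received hop.
    # Hops below your own MX are sender-supplied, so this is a measurement, not proof.
    for raw in email.get("header:Received:asRaw:all") or []:
        for host in re.findall(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", raw):
            if _is_provider_host(host, provider):
                return True
    return False

def measure(emails, provider=PROVIDER):
    touched = lambda e: from_is_provider(e, provider) or relayed_by_provider(e, provider)
    personal = [e for e in emails if not e.get("header:List-Unsubscribe:asRaw")]
    return {"total": len(emails),
            "from_provider": sum(from_is_provider(e, provider) for e in emails),
            "touched": sum(touched(e) for e in emails),
            "personal": len(personal),
            "personal_touched": sum(touched(e) for e in personal)}

def _mail(addr, relay, unsub=None):
    return {"from": [{"name": None, "email": addr}],
            "header:Received:asRaw:all": [f" from {relay} by mx.home.example with ESMTPS"],
            "header:List-Unsubscribe:asRaw": unsub}

SAMPLE = [  # constructed Email/get-style objects, not the author's mailbox
    _mail("alice@bigmail.example", "out.bigmail.example"),
    _mail("bob@smallco.example", "mx1.bigmail.example"),  # own domain, hosted mail
    _mail("news@shop.example", "out.bigmail.example", " <mailto:u@shop.example>"),
    _mail("carol@tiny.example", "mail.tiny.example"),
    _mail("dave@notbigmail.example", "mail.notbigmail.example"),  # look-alike
]
if __name__ == "__main__":
    print(measure(SAMPLE))
```

The gap between `from_provider` and `touched` in the sample comes from the same effect the essay measures: a correspondent on a custom domain whose mail is hosted by the provider never shows the provider in the From field.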
Replication and control
There’s a famous quote, photographed on a blackboard at Caltech on 15 February 1988:
“What I cannot create, I do not understand.”11
— Richard Feynman
Thinking about digital infrastructure through Feynman’s lens, I see a parallel limitation: when I cannot replicate how something works, my understanding is incomplete, and that incompatibility limits my control.
I was not able to replace an outside provider’s hold on my mail, so I was not able to control it. With Modoboa, automation always felt like a future project I kept postponing because I had no clear roadmap in my mind. JMAP’s straightforward API inspired many of the current roadmaps.
The upside is that I can write a curl request against a
JMAP endpoint! I can write a configuration for Stalwart
in NixOS. I can replicate the backup and restore of my mail store on a
quiet afternoon without waiting for something to break.
Running your own mail server is not a political statement. It is the quiet, persistent work of ensuring that the tools you depend on are small enough to be understood and boring enough to be trusted.
Stalwart lands on NixOS cleanly: it’s available as a Nix package with sensible defaults, and Bulwark runs in an OCI image. The declarative configuration model of NixOS pairs well with Stalwart’s approach, though there are some configuration mismatches to navigate.
I praise Stalwart because it works well for me, but even boring software has its rough edges. For a thorough examination of issues I faced on a fresh NixOS Stalwart installation, I’ll keep updating the “Stalwart under the microscope” article.
Small autonomies
The shopping mall stands firm, and the librarians keep recording people’s reading habits.
But my correspondence leaves from an address I control, travels over infrastructure I maintain, and often arrives without first passing through a brand-validation checkpoint. It is a small autonomy, your own “water pump”, easily mocked by those who prefer the convenience that comes with a price tag and an ever-changing terms-of-service agreement.
I find I can live with the mockery. I have never liked the mall’s acoustic soup.
- “Retinal Implants for RP: An Update on Argus II and Others”, EyeNet Magazine, American Academy of Ophthalmology, December 2019.
- “Their Bionic Eyes Are Now Obsolete and Unsupported”, IEEE Spectrum, February 2022.
- “Second Sight Agrees to Merger to Maintain Retinal and Cortical Prostheses Programs”, Foundation Fighting Blindness, February 24, 2022.
- “Second Sight Medical Products Announces Successful Completion of its Merger with Nano Precision Medical and its Name Change to Vivani Medical, Inc.”, Vivani Medical press release, August 30, 2022.
- “Abandoned: the human cost of neurotechnology failure”, Nature, December 2022.
- As of April 19, 2026, bimigroup.org had been unreachable from my network for at least five days. A check via “Down for Everyone or Just Me” confirmed the outage wasn’t just on my end.
- “██████, █████████, ████ tracking you even if you opt out”, Simply Secure Group, April 15, 2026.
- “My McLuhan lecture on enshittification”, Cory Doctorow, Jan 30, 2024: “We’re all living through the enshittocene, a great enshittening, in which the services that matter to us, that we rely on, are turning into giant piles of shit”.
- The Weekly Roll webcomic by CME_T features hilarious “arachno-capitalists” who sure are eager to privatize everything: chapter 167 and chapter 106.
- Totally not a homage to the SCP Foundation. Corporate brands have been lovingly censored to protect the remaining sanity of the author.