May 29, 2026 New
Contacts, full-text search, and deliverability protection
Three big things in one go. Contacts: a new /contacts section — your own address book per mailbox. Add people manually, or just send them mail (recipients are auto-added so composer autocomplete picks up «recent» on its own). Fields: name, organization, job title, additional emails and phones, notes, starred. Full-text search: instead of filtering by metadata, search now runs a real Postgres FTS query inside body text (HTML included), subject and sender; the matching fragment is highlighted in the snippet. Works for every new message immediately; older mail backfills in the background. Deliverability protection: automatic bounce handling from remote servers — hard bounces (address doesn't exist) and accumulated soft bounces are added to a suppression list, and the next outbound to that address is blocked before our sending reputation suffers at Gmail/Microsoft. Workspace admins see the full list and bounce history in the admin console.
May 29, 2026
Referral program — bring customers, earn a share of every payment
Every account now has its own referral code and shareable link at iam.atpigeon.com/referral. When someone signs up through your link and pays for any plan, you earn a percentage of every invoice — for as long as they keep paying. The commission percentage is set by the service administrator. Attribution cookie window is 30 days from the click. You can either apply earnings as credit to your own account (applied automatically to your next invoice, no minimum) or request a PayPal payout (minimum threshold is configurable; payouts go through manual admin approval). Earnings and payout history are visible on the same page. The program has to be enabled by the administrator — if it isn't yet, you can still share your link: earnings will start accruing the moment the program goes live.
May 29, 2026
Anti-spam, block lists, and click-time link checking
A big upgrade to inbound mail protection. The spam filter now consults the major IP and domain reputation lists (Spamhaus, SURBL), flags newly-registered domains (a textbook sign of throwaway senders), and catches a common phishing pattern: messages that pass SPF but have no DKIM and a weak DMARC policy — almost always a fresh sender domain. In webmail you'll find new buttons — Block sender, Block this domain, Mark as spam, Not spam — that immediately add the sender to your personal list and feed the filter for next time. Domain owners get a new Spam policy page in the admin console: a workspace-wide allow/block list — let Stripe or GitHub through for everyone in one click, or block a specific marketing domain across the whole team. Links in incoming mail are now wrapped by our click-time guard: when you click, we re-check the target against the latest phishing feeds, and if the domain landed on a list after the email arrived we show a warning with a "continue anyway" option. Your own messages in Sent and Drafts are left alone.
May 20, 2026
Password reset and email verification
If you forget your password, the login page now has a Forgot password link — type your email and we'll send a reset link to your recovery address. Email verification on sign-up and recovery-address changes also runs through a one-time link now. The iOS app got the same reset link straight on the login screen.
May 18, 2026
AtPigeon for iPhone — and admin tools for teammates
The iOS app is in TestFlight. Push notifications for new mail with a tap that deep-links to the message, native bottom-sheets for account switching, the More menu and Hide-my-email, and a pinch-zoom on message bodies so cramped marketing layouts read comfortably (only the email zooms; the chrome stays steady). On the workspace side, admins can now reset a teammate's password — type a new one or let us generate a strong one shown once for you to copy. You can also audit and revoke individual app passwords, reset two-factor for someone who lost their authenticator, and remove a domain (with its PayPal subscription automatically cancelled). Avatars without an uploaded picture stopped showing the broken-image glyph.
May 13, 2026
Folders, labels, Gmail import — and paid plans
Webmail gained nested custom folders and Gmail-style labels (a message can carry several labels). Drag and drop between folders, attach labels in bulk from the list, manage everything from a clean modal — no IMAP client required. A new import from Gmail or any IMAP source pulls mail across with an App Password, and original Gmail labels are preserved as AtPigeon labels. Send-only mailboxes (noreply@, alerts@) are now first-class: they can't receive but ship with their own SMTP App Password for your application. Billing went live: pay by PayPal or bank transfer, with a wire-transfer flow that lets you upload a receipt for review. Checkout supports promo codes, proration when you upgrade mid-cycle, and emailed confirmations on every charge.
May 4, 2026
Reading and writing, properly
Incoming HTML now renders inline (no more iframe scrollbar), and wide marketing layouts shrink to fit the column instead of overflowing. Each message carries a Yandex-style sender-validity badge built from real SPF / DKIM / DMARC / TLS results — you see at a glance whether the email is really from who it claims. The composer got a proper rich editor with bold, italics, lists, links and a fullscreen mode for longer writing; outgoing mail is sent as multipart/alternative so plain-text-only clients still receive a readable copy. The multi-account chooser now shows an unread-mail dot per account, so new mail is visible without opening each inbox.
May 2, 2026
Identity & security center
iam.atpigeon.com is now its own surface. View and revoke active devices, set a recovery email, generate one-time backup codes for emergencies, upload an avatar, and tune notification preferences. The activity log records every sign-in, session revoke, and recovery action. Light, dark, and auto theme apply at once across webmail, console, and identity.
May 2, 2026
Two-step sign-in: codes and passkeys
Turn on two-step sign-in at iam.atpigeon.com/security/two-factor. Two ways to do it: a 6-digit code from any authenticator app (1Password, Google Authenticator, Authy), or a passkey via Touch ID, Windows Hello, or a hardware security key. With a passkey you can skip the password entirely — pick the credential on the login page, that’s it.
May 2, 2026
Multi-account dropdown — switch mailboxes like Gmail
Sign in to several mailboxes on the same browser and flip between them from the avatar menu. The same dropdown lives in webmail, console, and identity, so the chooser, theme picker, and cross-app links are identical wherever you are. A dedicated re-auth screen handles accounts whose session expired — passkey first, password as fallback, the email is already filled in.
May 2, 2026
App passwords required for IMAP and SMTP
Mail clients (Apple Mail, Thunderbird, Outlook) now sign in with an app-specific password generated at iam.atpigeon.com/security/app-passwords. Each app password has its own label and can be revoked individually without touching your account password or the webmail. Your account password no longer works on IMAP or SMTP.
May 1, 2026
TLS on every IMAP and SMTP port
IMAP and SMTP submission now require TLS — both via STARTTLS on the standard plaintext ports (143, 587) and via Implicit TLS on the dedicated TLS ports (993, 465). Plaintext authentication is refused everywhere. Most modern clients default to the Implicit-TLS ports; either flavour works.
May 1, 2026
Documentation published
First version of the docs is live at /docs. Covers what’s shipped today: setting up DNS, sending and reading mail in the webmail, connecting IMAP and SMTP clients, managing domains, mailboxes, and aliases from the admin console, and how DKIM, SPF, and DMARC fit together. Available in English and Russian.
April 30, 2026
DKIM-signed outbound mail with direct MX delivery
Every outgoing message is DKIM-signed with a per-domain 2048-bit RSA key (relaxed/relaxed canonicalisation, RFC 6376) and delivered straight to the recipient’s MX over STARTTLS — no relay in between. Subject lines and filenames with non-ASCII characters are encoded per RFC 2047 so they arrive intact.
April 30, 2026
Live DNS verification in the console
Adding a domain generates a DKIM keypair on the spot — the public half appears in the DNS instructions immediately. The Verify button runs live DNS lookups against public resolvers with a 3-second timeout; each record turns green as it resolves correctly, and you can re-run as many times as you need. SPF guidance uses include:_spf.atpigeon.com so future IP rotations don’t require DNS edits on your side.
April 30, 2026
Webmail attachments and HTML sanitisation
Compose accepts attachments — 25 MB per file, 50 MB per message. Incoming HTML is sanitised: scripts, iframes, and forms are stripped, but inline images and safe inline styles render normally. Plain-text-only messages render as preformatted text. All text parts are decoded into Unicode regardless of the source character set.
April 30, 2026
Project launch
AtPigeon is live. A focused mail product on your own domain: calm webmail, full IMAP/SMTP, and an admin console for domains, mailboxes, and aliases. Hosted in the EU.
