[ PRODUCT PAPER 03 — TRUST ]
Community email that runs itself
The concept, trust architecture and pipeline behind GetCommunityMail — announcement email for clubs, congregations and neighbourhood groups, where the only interface a member ever needs is the inbox they already have.
Community email mostly runs on goodwill and a spreadsheet. A volunteer keeps the address list in their personal account, announcements go out as a BCC and arrive as spam, someone replies-all to four hundred people, and nobody can say for certain who agreed to receive any of it. The tools built for this are built for marketers — open rates and campaign funnels for what is actually a village notice board.
GetCommunityMail takes the opposite shape. An approved member writes an ordinary email from their own inbox to the community’s address. The platform verifies who they are, scans what they attached, composes a proper announcement, asks them to confirm with one click — and delivers an individual, personalised copy to every member, each with a working unsubscribe. No app, no member logins, no learning curve. One approval click is the entire administrative burden.
This paper describes the pipeline, the trust decisions and the architecture. It is the third of a set: the Nod Together white paper shows how small an Eirvanta product can be, the FanDrive Product Paper how large — this one shows how much invisible machinery it takes to make something feel effortless.
What this demonstrates
GetCommunityMail is Eirvanta building for trust: a product whose users are volunteers with no patience for software, whose failure modes are legal and reputational rather than cosmetic, and whose entire value is that nothing goes wrong. The interesting engineering — consent records, append-only audit trails, pre-send suppression, signed links for every member action — is exactly the engineering nobody sees.
The problem
Group email fails the same way everywhere, whatever the community:
- The volunteer bottleneckone person owns the list, the sending, the bounces and the complaints — forever
- Deliverability by luckBCC blasts from a personal account land in spam, and nobody knows whose
- No record of consentaddresses collected over years, on paper and in inboxes — indefensible when someone asks “why am I receiving this?”
- Attachments as attachmentsten-megabyte PDFs to five hundred people, unscanned, forever unaccountable
- Marketing tools for non-marketingcampaign software wants segments and funnels; a community wants one honest announcement channel
The idea: the inbox is the interface
Members never install anything and never create an account. The organiser’s side is a dashboard; the members’ side is email itself. Everything a member can do — join, confirm, unsubscribe, open an attachment, RSVP to an event, vote in a poll — happens through a cryptographically signed, single-purpose link that belongs to that member and does exactly one thing. There are no passwords to steal because there are no passwords.
Senders keep their own inbox too. An approved member writes to yourgroup@lists.getcommunitymail.com from ordinary Gmail or Outlook, and the platform does what a diligent volunteer would do with unlimited time: checks the sender is approved, scans every attachment for malware before anything is delivered, converts files into secure tracked links instead of inbox-clogging payloads, composes a clean announcement in both plain text and HTML, and sends the author a one-click confirmation. Click it — or simply reply APPROVE — and delivery begins.
That single confirmation is the only human step in the pipeline. Everything either side of it runs itself.
What “runs itself” actually means
The phrase is a claim about who absorbs the failure modes. In GetCommunityMail, the platform does:
- Suppression before every sendunsubscribes, bounces and complaints are checked before a single message leaves — never apologised for afterwards
- Bounces handle themselveshard bounces suppress immediately; soft bounces after three strikes; spam complaints instantly — the list cleans itself
- Scanning before deliveryattachments are malware-scanned on upload and held until the verdict; unscanned files are never served
- Consent with receiptsimports require a recorded consent attestation; public joins are double opt-in; unsubscribe links never expire
- A memory that cannot be editedevery administrative action lands in an append-only audit log — nobody, including the platform, can rewrite what happened
When a community needs to show that a notice went out on the fourteenth, or that a member consented, the answer is a record — not a recollection.
Design decisions
- No member accounts, as security policysigned single-purpose links remove password theft, phishing logins and account enumeration in one decision
- Secret ballots, structurally secretanonymous poll votes store no identity, and the record of who voted has no database path to how they voted
- Privacy in the schemaaccess events hash IP addresses one-way — enough for abuse detection, useless for member profiling
- AI at the gate, humans at the switcha small language model screens new community signups — nonsense bounces immediately, everything else stays capped until a person approves it
- No surveillance by defaultclick tracking exists in the infrastructure but stays off until an organiser deliberately turns it on
Across Eirvanta’s products the AI stance is one rule applied three ways: Nod Together uses none, FanDrive generates race facts but never driver voices, and GetCommunityMail lets a model reject gibberish but never approve a community. AI where it helps; people where it matters.
Technical architecture
A deliberately boring pipeline, in the best sense — every stage idempotent, every hand-off through a queue:
- API & workersPython services on Azure cloud — inbound, sending and events separated
- DataPostgreSQL with versioned migrations; append-only audit tables
- DeliveryPostmark, with delivery, bounce and complaint webhooks closing the loop
- FilesPrivate blob storage; malware scanning on upload; short-lived signed URLs
- DashboardA static web app for organisers — members never need it
- ProtectionBot challenges on public forms; LLM triage on signups; human approval gates
Every outbound message is multipart — real plain text alongside HTML, both carrying the full footer and that recipient’s own unsubscribe link — authenticated with SPF, DKIM and DMARC, and sent on a dedicated stream so community announcements never share a reputation with anything else. Deliverability is treated as an architectural property, not a support ticket.
The absences are deliberate here too: no member passwords, no raw file URLs, no tracking pixels sold as insight, no marketing funnel bolted to a notice board. The core pipeline is covered by an end-to-end test suite that runs an email from inbound webhook to delivered, suppressed and audited.
Try it
GetCommunityMail is live, with self-service signup and free and paid plans — every new community screened, capped and human-approved, exactly as described above.
Open GetCommunityMailAbout Eirvanta
Products people depend on must earn their trust. GetCommunityMail is a jointly owned product created by Eirvanta and a business partner: the original opportunity came from the partner’s direct market experience, and Eirvanta translated it into the product, experience and production platform. Eirvanta LLC is an independent product studio. We build small, purposeful products and learn through real use.
We also build products like this for others — the same approach, documented across this paper, the Nod Together white paper and the FanDrive Product Paper. If you have a product that deserves this treatment, talk to us.
More at https://www.eirvanta.com