Thunderbird Monthly Development Digest: March 2026

Welcome back from the Thunderbird development team!
Looking back, the first quarter of the year has been a mix of deep technical focus and forward-looking planning. Much of the team’s energy has gone into tackling some of the more complex, “gnarly” parts of our projects to land key milestones. In parallel, we’ve been laying the groundwork for what’s next, from ongoing hiring efforts to aligning our goals with broader company initiatives that support the roadmap ahead.
Security & Hardening
We’ve continued to make good progress on improving Thunderbird’s security and privacy model, not just at a technical level, but in ways that are more usable and transparent for everyday users.
Unobtrusive Signatures
Kai recently presented his work at the IETF on Unobtrusive Signatures, which aims to make email signatures more reliable and less intrusive. The goal is to ensure message authenticity can be verified automatically and consistently, without requiring constant user attention or confusing workflows.
Improving Key Safety and Revocation
We’re also exploring better ways to handle key revocation. Today, users often have no reliable way to know when a key should no longer be trusted. A proposed revocation service aims to improve how this information is distributed, while avoiding overly centralized or privacy-invasive approaches.
Moving Beyond “Encrypted or Not”
A major shift underway is how we present trust in encrypted email.
Instead of treating encryption as a simple on/off state, we’re moving toward a graduated confidence model. Thunderbird will evaluate the strength of each recipient’s key (whether it’s manually verified, CA-backed, or unverified) and present an overall confidence level to the user.
This allows encryption to work more automatically, while still giving users clear insight into how much trust they can place in a given message. Kai has worked with the design team and internal subject matter experts to refine the UX in this area and is getting close to a final UI.
Ongoing Security Fixes and Improvements
Alongside these larger initiatives, Kai, Magnus, and Justin have been actively triaging and addressing security issues and long-standing feature gaps. Recent work includes:
- Enabling search within encrypted messages
- Fixing issues with incorrect IMAP literal size handling
- Addressing a link spoofing vulnerability (CVE-2025-13015)
Together, these efforts reflect a broader direction: making strong security more accessible, while ensuring users remain informed and in control.
Exchange Email Support
Since our last update in February, the team has been moving quickly and has now completed Phase 1 and Phase 2 of the Graph API implementation for email, with Phase 3 already underway.
These phases focused on establishing a solid foundation and delivering core functionality required for real-world usage. Highlights include:
- Graph API login with OAuth
- Connectivity checks and account validation
- Autodiscover support for Graph endpoints
- Folder synchronization (fetching and populating folder hierarchy)
- Sending messages (including support for different recipient types)
- Support for POST requests and improved request handling
- Delta query support for efficient syncing
- Support for pageable results (x-ms-pageable)
- Test infrastructure for Graph (xpcshell and mochitests)
- Continued backend refactoring and interoperability work (C++/Rust integration, shared protocol components)
With these milestones in place, Phase 3 is now underway, focusing on deeper message handling (such as fetching message headers) and continued feature expansion.
Keep track of our Graph API implementation here.
Add-ons, Extensions and Experiments
While onboarding a new junior team member, John has also made a strong impact on the add-ons ecosystem, reaching an important milestone in the effort to move away from legacy, insecure experiments.
A key piece of this work is the VFS Toolkit, which leverages the Origin Private File System and introduces a more secure and maintainable way for WebExtensions to interact with the file system. As part of this, John developed a provider that allows extensions to access a user’s local home folder through a controlled interface.
Under the hood, this works by combining WebExtensions with a small native helper application. The extension communicates with this helper via native messaging, allowing safe, permissioned access to local files, something that modern WebExtensions cannot do directly.
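To illustrate the helper side of that design, here is an added example (not the VFS Toolkit's code) of a native messaging host that frames messages the way the browser does, with a 32-bit native-endian length followed by UTF-8 JSON, and confines every request to one permitted root. The `list` operation, the message fields and the size cap are assumptions made for this sketch.

```python
import json
import struct
import sys
from pathlib import Path
MAX_REQUEST = 1024 * 1024  # assumed cap for this sketch; oversized frames are refused

def encode_message(obj):
    """Frame a reply: 32-bit native-endian length, then UTF-8 JSON."""
    body = json.dumps(obj).encode("utf-8")
    return struct.pack("=I", len(body)) + body

def read_message(stream):
    """Read one framed request; None on clean EOF, ValueError on a bad frame."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) != 4:
        raise ValueError("truncated length prefix")
    (size,) = struct.unpack("=I", header)
    if size > MAX_REQUEST:
        raise ValueError("frame exceeds cap")
    body = stream.read(size)
    if len(body) != size:
        raise ValueError("truncated body")
    return json.loads(body.decode("utf-8"))

def resolve_in_root(root, requested):
    """Resolve `requested` under `root`; refuse anything that escapes it."""
    root = Path(root).resolve()
    target = (root / requested).resolve()  # collapses "..", follows symlinks
    if target != root and root not in target.parents:
        raise PermissionError("path outside permitted root")
    return target

def handle(request, root):
    """Serve the single hypothetical op {"op": "list", "path": ...}."""
    if not isinstance(request, dict) or request.get("op") != "list":
        return {"ok": False, "error": "unsupported request"}
    try:
        target = resolve_in_root(root, str(request.get("path", "")))
        return {"ok": True, "entries": sorted(p.name for p in target.iterdir())}
    except (PermissionError, OSError) as exc:
        return {"ok": False, "error": type(exc).__name__}

if __name__ == "__main__":
    while (msg := read_message(sys.stdin.buffer)) is not None:
        sys.stdout.buffer.write(encode_message(handle(msg, Path.home())))
        sys.stdout.buffer.flush()
```

The containment check runs on the fully resolved path, so `..` segments, absolute paths and symlinks pointing outside the root are all rejected before any file system access happens.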
The current focus is to enhance the Calendar API ahead of the next ESR release with some of this work tracked here.
Linux System Tray – Contributor Spotlight
We’d like to give a special shoutout this month to Christophe Henry, who has gone above and beyond with an ambitious contribution to improve Thunderbird’s system tray integration on Linux.
This work isn’t a small patch: it spans multiple parts of the codebase, including JavaScript, C++, and Rust, and even bridges into XPCOM interfaces. The goal is to unify how unread mail indicators and tray icons behave across platforms, which is a surprisingly complex problem once you account for the differences between Linux environments, Windows, and macOS.
What really stood out was the level of persistence behind this contribution. Over multiple iterations, Christophe worked through build failures, lint issues, platform quirks, and detailed review feedback, all while tackling tricky problems like image encoding, system tray APIs, and cross-language integration.
This kind of work is rarely straightforward, and often requires deep dives into unfamiliar parts of the stack. Seeing it pushed forward with this level of care and determination is exactly what makes open source collaboration so powerful.
Thank you for the dedication and effort! It truly makes a difference.
Calendar UI Rebuild – Front End Team shoutout
A huge shoutout to the Front End team, who recently met in person in London for a work week and absolutely delivered.
Getting the chance to collaborate face-to-face made a real difference. The team came together to align on priorities, cut through complexity, and focus on what mattered most – and the results speak for themselves. They successfully pushed through the Event Read and Enhancements milestones at an impressive pace, clearing the path to shift full attention onto the First Time User Experience (FTUE) work.
It’s not easy to balance quality, speed, and coordination across a distributed team, but this was a great example of what happens when everything clicks. Thoughtful planning, strong collaboration, and excellent execution all came together to move things forward in a big way.
Stay tuned to our milestones here: