Sealed Sender

Sealed Sender is a metadata-reduction feature in Signal that removes the sender's identity from what the server can observe. End-to-end encryption already hides message content from the relay, but by default the service still sees who is talking to whom. Sealed Sender attacks that residual leak by letting a sender deliver a message without authenticating to the server in the clear, so the server learns the destination but not the origin.

How it works

The analogy is physical mail: a normal letter shows both a sender and recipient address, but a sealed-sender message omits the return address. To prevent abuse, the sender must prove they hold a delivery token derived from the recipient's profile key, which is only shared with contacts and people the recipient has messaged. A short-lived sender certificate, validated cryptographically, lets the server confirm the message is well-formed and deliverable without revealing which account produced it. The recipient's device, which can decrypt the inner envelope, recovers the true sender.

What it does and does not protect

Sealed Sender provides one-way anonymity at the application layer: the server cannot read the sender field. It is a meaningful hardening, but it is not a full anonymity system. Network-level observers can still correlate traffic by IP address and timing unless the connection is routed over Tor or similar, and the server still necessarily learns the recipient. For threat models that require hiding the entire communication pattern, stronger architectures are needed.

For approaches that hide both ends of a conversation, see metadata-resistant messaging and the network-layer defenses of a mixnet.