How to audit an email tracker blocker
Any extension that can block trackers in your inbox can also read your mail, so before trusting one you should be able to check what it does — and most closed-source blockers do not let you. Auditing means three concrete things: reading the permissions it requests, watching what network calls it makes, and, ideally, reading the source. Mailshade is built to pass that audit. Its full source is published under AGPL-3.0 at github.com/mailshade/mailshade, so you can read the blocking rules directly; it stores blocked-events and block-lists only in local IndexedDB; and its sole outbound request is the Polar checkout for a license, not any analytics endpoint. This guide walks through how to audit a tracker blocker yourself — what to look for in the manifest, how to confirm it sends no inbox data, and why an open licence is the strongest signal across Gmail, Outlook and the other clients it runs on.
Step 1 — Read the permissions
Open the extension's details in Chrome and check host permissions. A tracker blocker needs access to its mail domains and the declarativeNetRequest permission to block requests. Be wary of broad all-sites access it does not need.
Step 2 — Watch the network
Open DevTools, use the extension normally, and look at outbound requests. Mailshade should make none about your inbox; the only call you should see is the Polar checkout when you buy a license.
Step 3 — Read the source
This is where open source matters. Mailshade's AGPL-3.0 code on GitHub lets you confirm that blocking uses declarativeNetRequest, that storage is local IndexedDB via Dexie, and that there is no telemetry. Closed tools offer none of this.
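The permission check from Step 1 can also be run against the extension's manifest.json as a script. The following is an added example, not code from the Mailshade project; the EXPECTED_HOSTS list and both sample manifests are constructed for illustration and should be replaced with the mail domains the blocker you are auditing claims to support.

```javascript
// Added example: static check of an extension's manifest.json (Step 1).
// EXPECTED_HOSTS and both sample manifests are constructed for illustration.
const EXPECTED_HOSTS = ['mail.google.com', 'outlook.live.com'];
const DNR = ['declarativeNetRequest', 'declarativeNetRequestWithHostAccess'];

// Host part of a match pattern such as "https://mail.google.com/*".
function patternHost(pattern) {
  const m = /^(?:\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m ? m[1] : null;
}

// "*.example.com" covers example.com and all subdomains, so compare the bare name.
function isExpectedHost(host, expected) {
  const bare = host.startsWith('*.') ? host.slice(2) : host;
  return expected.some(e => bare === e || bare.endsWith('.' + e));
}

function auditManifest(manifest, expected = EXPECTED_HOSTS) {
  const findings = [];
  const perms = manifest.permissions || [];
  // Manifest V2 mixes host patterns into "permissions"; V3 lists them separately.
  const patterns = new Set([
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...perms.filter(p => p === '<all_urls>' || p.includes('://')),
    ...(manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  ]);
  for (const p of patterns) {
    const host = patternHost(p);
    if (p === '<all_urls>' || host === '*') {
      findings.push({ level: 'high', pattern: p, reason: 'all-sites access' });
    } else if (host === null || !isExpectedHost(host, expected)) {
      findings.push({ level: 'review', pattern: p, reason: 'host outside expected mail domains' });
    }
  }
  if (!perms.some(p => DNR.includes(p))) {
    findings.push({ level: 'review', pattern: null, reason: 'no declarativeNetRequest permission' });
  }
  return findings;
}

const narrow = { manifest_version: 3, permissions: ['declarativeNetRequest', 'storage'],
  host_permissions: ['https://mail.google.com/*', 'https://outlook.live.com/*'] };
const broad = { manifest_version: 3, permissions: ['webRequest', 'tabs'],
  host_permissions: ['<all_urls>', 'https://*.google.com/*'],
  content_scripts: [{ matches: ['*://*/*'], js: ['inject.js'] }] };

console.log(auditManifest(narrow)); // []
console.log(auditManifest(broad));
```

To audit a real extension, parse the manifest.json from its unpacked directory and pass the resulting object to auditManifest. Content-script match patterns are included because they grant page access even when host_permissions looks narrow.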
Why the licence is the strongest signal
AGPL-3.0 keeps the source open even for hosted versions, so the audited build cannot quietly become a closed, data-collecting one. That permanence is what makes the audit meaningful over time.
FAQ
How can I tell what an email tracker blocker does with my inbox?
Check its Chrome permissions, watch its network calls in DevTools, and read its source if it is open. Mailshade is auditable on all three: its AGPL-3.0 code, local IndexedDB storage and single Polar checkout call are all verifiable.
Does Mailshade send any inbox data to a server?
No. Blocked-events and block-lists are written only to local IndexedDB. The only outbound request is the Polar checkout for a license; you can confirm this in DevTools and in the source.
What permissions should a tracker blocker need?
Host access to the mail clients it supports and the declarativeNetRequest permission to block requests. Mailshade requests its six mail domains and DNR; a blocker asking for far broader access without reason is worth questioning.
Why does an open-source licence make auditing more trustworthy?
AGPL-3.0 requires the source to stay open, including for any hosted build, so the version you audited cannot silently turn into a closed, data-collecting one. Closed tools give you no way to verify behaviour at all.
How much does Mailshade cost if I want to audit then buy?
The source is free to read under AGPL-3.0; the license is paid, from $3.99 per month or $19 one-time for Founders Lifetime. You can audit the code before paying.