diff --git a/policy/tpa-rfc-15-email-services.md b/policy/tpa-rfc-15-email-services.md
index 93ff9e653e5390ac55d63d9170f4a1ebbb9afa66..6edd39b326139b980cf5a496d85afaa993c9f15a 100644
--- a/policy/tpa-rfc-15-email-services.md
+++ b/policy/tpa-rfc-15-email-services.md
@@ -192,8 +192,6 @@ described in detail below:
  h. New mail relays
  i. Puppet refactoring
 
-TODO: architecture diagram
-
 ### End-to-end deliverability checks
 
 End-to-end deliverability monitoring involves:
@@ -346,6 +344,10 @@ tpo/tpa/team#40626][] for details. This should probably happen
 
 Note: this task list must match the cost estimates below.
 
+## Architecture diagram
+
+TODO: architecture diagram
+
 ## Timeline
 
 This timeline is a draft, and will be updated according to when this
diff --git a/policy/tpa-rfc-15-email-services/architecture-post.dot b/policy/tpa-rfc-15-email-services/architecture-post.dot
new file mode 100644
index 0000000000000000000000000000000000000000..2c8b6cf04b63164fb75d153c8ce0ceec6e3eb801
--- /dev/null
+++ b/policy/tpa-rfc-15-email-services/architecture-post.dot
@@ -0,0 +1,25 @@
+digraph email {
+        label="Email architecture TPA-RFC-15 plan, torproject.org, April 2022"
+        compound=true; nodesep=1.0;
+        labelloc=bottom
+
+        subgraph clustertpa {
+                label="TPA-managed machines"
+                tpoboxes [label="other non mail hosts"]
+                submission
+                mailhosts [color="orange" label="mail hosts\ngitlab, RT, CiviCRM"]
+                mailman [color="red"]
+                schleuder [color="red"]
+                relay [color="green"]
+                mx [color="green"]
+                mailbox [color="green"]
+                mx -> { mailbox, schleuder, mailman }
+        }
+        dotdotdot [label="remote mail hosts"]
+        user [shape=triangle]
+        user -> mailhosts
+        user -> { submission, mailbox }
+        submission -> dotdotdot -> mx
+        tpoboxes -> relay -> dotdotdot
+        mailhosts -> dotdotdot
+}
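Review bot: The node colours (orange on `mailhosts`, red on `mailman` and `schleuder`, green on `relay`, `mx` and `mailbox`) carry meaning that the graph never states, so a reader of the rendered PNG cannot tell which services are new, changed or going away. A comment near the top such as `// colour key: green = <meaning>, orange = <meaning>, red = <meaning>`, or a small legend cluster, would close that gap. The edge `mailhosts -> dotdotdot` draws GitLab, RT and CiviCRM delivering straight to remote hosts rather than through `relay`; if that is intended, a comment should say so, because each of those hosts is then an independent outbound sender that any sender-authentication and deliverability work has to cover. `compound=true` is set but no edge here uses `lhead` or `ltail`, so it can be dropped.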
diff --git a/policy/tpa-rfc-15-email-services/architecture-post.png b/policy/tpa-rfc-15-email-services/architecture-post.png
new file mode 100644
index 0000000000000000000000000000000000000000..71aa0053ec46a2183d163549d197cc967a918f1f
Binary files /dev/null and b/policy/tpa-rfc-15-email-services/architecture-post.png differ
diff --git a/policy/tpa-rfc-15-email-services/architecture-pre.dot b/policy/tpa-rfc-15-email-services/architecture-pre.dot
new file mode 100644
index 0000000000000000000000000000000000000000..8048fcc26b2f008eab7a8fc1589c899a45f5276d
--- /dev/null
+++ b/policy/tpa-rfc-15-email-services/architecture-pre.dot
@@ -0,0 +1,32 @@
+digraph email {
+        label="Email architecture, torproject.org, April 2022"
+        compound=true; nodesep=1.0;
+
+        internet
+        subgraph clustertpa {
+                label="TPA-managed machines"
+                tpoboxes
+                subgraph clustermailhosts {
+                        gitlab
+                        civicrm
+                        RT
+                        label="mail hosts"
+                }
+
+                subgraph clustereugeni {
+                        label=eugeni
+                        mailman
+                        relay
+                        mx
+                        schleuder
+                }
+        }
+        RT -> internet [ltail=clustermailhosts]
+        internet -> RT [lhead=clustermailhosts]
+        internet -> mx
+        tpoboxes -> relay -> internet
+        internet -> riseup -> internet
+        internet -> gmail -> internet
+        internet -> dotdotdot -> internet
+        dotdotdot [label="..."]
+}
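Review bot: `mailman` and `schleuder` are declared inside `clustereugeni` with no edges, and `mx` has only the inbound `internet -> mx`, so this "before" picture does not show how mail moves once it reaches eugeni, whereas the post diagram draws `mx -> { mailbox, schleuder, mailman }`. Adding the matching internal edges, or a comment such as `// delivery between mx, mailman and schleuder is local to eugeni and not drawn`, would make the two diagrams comparable. `riseup`, `gmail` and `dotdotdot` appear only as round trips through `internet` with nothing saying what they stand for; a one-line comment (presumably external providers that users' mail passes through, to be confirmed) would help a reader see that this mail path lies outside the "TPA-managed machines" cluster.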
diff --git a/policy/tpa-rfc-15-email-services/architecture-pre.png b/policy/tpa-rfc-15-email-services/architecture-pre.png
new file mode 100644
index 0000000000000000000000000000000000000000..98aa4e0de100131757a783eccbe5b817683863af
Binary files /dev/null and b/policy/tpa-rfc-15-email-services/architecture-pre.png differ