Actually, its really simple. You operate your own mail system, and require secure network access to use it.
For example, The social security administration requires each state to do this for the state employees who handle disability-related business. Those employees must use their mail system.
You're looking for a unicorn. There isn't a convenient way to have a third-party deliver something to someone without knowledge of where that thing is going.
If you need a trusted chain of custody for whatever you're moving, than you need to build that infrastructure (as in the example I provided previously). If you need the ability to securely communicate outside of a secure infrastructure, there are various ways to do that (bank-style, ssl-secured messaging centers, PGP, S/MIME, etc).
Anonymity is a separate problem. Spies use techniques like dead drops. The boss in "The Godfather" didn't use the phone. Corporate executives use PIN-to-PIN blackberry messaging and swap phones periodically.
But in this case the you that's worried about security is the social security administration for the state.
The real problem with the argument is that it's hard for people to set up their own secure mail servers, but organizations, like in this example, can do it decently well.
For example, The social security administration requires each state to do this for the state employees who handle disability-related business. Those employees must use their mail system.