Security is the whole product.

Authentication

Webmail accounts use bcrypt password hashing with constant-time verification — meaning attackers can't tell from response timing whether an email is registered. Sign-ins are rate-limited per IP and per email address; repeated failures lock further attempts for an hour.

Two-factor authentication uses TOTP (compatible with Bitwarden, iCloud Keychain, and other authenticator apps you already use). Each account also gets one-time recovery codes for the case where you lose access to your authenticator. Active sessions are listed in webmail Settings; you can revoke any session — including ones on devices you no longer have.

Mail authentication

Every outbound message is signed with DKIM using a key under your own domain — never a shared signer. Your domain's SPF and DMARC records authorize our infrastructure to send on your behalf, and they tell receiving servers what to do with mail that fails authentication. We help you publish the records during onboarding and re-verify them on demand.

Your data

We don't read your mail and we don't sell what we'd find. Mail content stays in your mailbox; metadata stays scoped to your account. Webhooks and integrations you set up are signed with HMAC-SHA256 so the apps receiving them can verify authenticity.

Mailbox data and metadata are backed up daily to encrypted off-site storage. The backups are tested periodically by restoring from them.

Reporting a vulnerability

If you've found something concerning, we want to know. Use our support form and pick a high priority — the form goes straight to us and your message is visible to the right person quickly. Please include reproduction steps; we'll get back to you with a status. We treat responsible disclosure seriously and we don't sue researchers acting in good faith.