Security & Trust

mailbot is built with security as a core requirement, not an afterthought. This page explains what you can trust today.

Authentication

  • All API requests require a Bearer token via the Authorization header
  • API keys are hashed with Argon2 before storage — plaintext keys are never stored
  • Only the first 8 characters are used for candidate lookup before hash verification

Authorization

  • The system is account-scoped — every API call is filtered by your account
  • Inboxes, messages, threads, webhooks, and audit logs are restricted to the authenticated account
  • MCP tools are scoped by a configured accountId

Data handling

  • Email bodies, headers, and metadata are stored per account
  • Attachments are stored separately and treated as sensitive data
  • All data access is restricted to the owning account

Email compliance

mailbot enforces email authentication standards before every send:

  • SPF — verified via DNS TXT record on your sending domain
  • DKIM — verified via default._domainkey.<domain>
  • DMARC — verified via _dmarc.<domain>

Sends are blocked if SPF, DKIM, or DMARC checks fail. This protects your domain reputation and deliverability.

Abuse prevention

mailbot includes guardrails to protect the platform and your sender reputation:

  • New accounts are limited to 10 outbound emails per 24 hours for the first 7 days
  • Suspicious phishing-style content is blocked before send
  • Inboxes are auto-disabled when bounce rate exceeds 10%
  • Inboxes are auto-disabled when complaint rate exceeds 0.3%
  • Warning headers are returned when complaint rates approach thresholds

Webhook security

All webhook payloads are signed with HMAC-SHA256:

  • Signature header: X-Mailbot-Signature
  • Timestamp header: X-Mailbot-Timestamp
  • Your application should always verify signatures before processing events

See the Webhooks documentation for verification code examples in Node.js and Python.
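
A receiver-side check for the two headers above, written as an added example and not taken from mailbot's code or documentation. The page does not state what is signed or how it is encoded, so the example assumes a hex HMAC-SHA256 over "<timestamp>." followed by the raw body, a Unix-seconds timestamp, and a 300-second replay window; the secret and payload are constructed.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumption: replay window, not stated on the page


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over b"<timestamp>." + raw body."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (ok, reason). Pass the raw request bytes, not re-serialised JSON."""
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    signature = h.get("x-mailbot-signature")
    timestamp = h.get("x-mailbot-timestamp")
    if not signature or not timestamp:
        return False, "missing header"
    try:
        sent_at = int(timestamp)  # assumption: Unix seconds
    except ValueError:
        return False, "bad timestamp"
    now = time.time() if now is None else now
    # Reject old or future-dated deliveries so a captured request cannot be replayed.
    if abs(now - sent_at) > TOLERANCE_SECONDS:
        return False, "stale timestamp"
    expected = sign(secret, timestamp, body)
    # compare_digest runs in constant time, so the comparison leaks no match position.
    if not hmac.compare_digest(expected.encode(), signature.strip().lower().encode()):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    secret = b"whsec_constructed"                       # constructed secret
    body = b'{"event":"message.received","id":"evt_constructed"}'  # constructed payload
    ts = "1700000000"
    hdrs = {"X-Mailbot-Signature": sign(secret, ts, body), "X-Mailbot-Timestamp": ts}
    print(verify_webhook(secret, hdrs, body, now=1700000010))
    print(verify_webhook(secret, hdrs, body + b" ", now=1700000010))
    print(verify_webhook(secret, hdrs, body, now=1700000400))
```

Because the timestamp is part of the signed string in this assumed scheme, changing X-Mailbot-Timestamp to slip past the freshness check also invalidates the signature.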

Network security

  • API runs behind HTTPS in production
  • SMTP supports STARTTLS
  • Database and cache services are not exposed to the public internet

Audit trail

mailbot maintains an append-only audit log:

  • Inbox creation and deactivation
  • Inbound message reception
  • Outbound send attempts
  • Blocked sends with compliance details

Access the audit log via GET /v1/audit-log or from the dashboard.

What we're working toward

We are transparent about where we are today:

  • mailbot provides technical security controls (authentication, authorization, encryption, audit logging, webhook signing)
  • These controls support a broader compliance program
  • We do not currently hold SOC 2, ISO 27001, or equivalent certifications
  • We will update this page as our compliance posture evolves

Questions

If you have security questions or need additional information for your procurement process, contact us at security@getmail.bot.