Security
We build a security product, so we hold our own service to the same standard. Here is how we protect your data and how to report an issue.
Reporting a vulnerability
If you believe you've found a security vulnerability, please email security@emailposture.com with enough detail to reproduce it. We'll acknowledge your report, keep you updated on the fix, and credit you if you'd like. Please give us a reasonable chance to remediate before any public disclosure, and don't access or modify data that isn't yours while testing. Our machine-readable policy lives at /.well-known/security.txt.
How we protect your data
- Read-only by design. We only query public DNS via DNS-over-HTTPS. The service never connects to your mail servers and only ever reads records you've published.
- No card data on our servers. All payments are processed by Stripe; we store only a customer reference and subscription status, never your card details.
- Hashed access tokens. Manage links use 256-bit tokens stored only as cryptographic hashes and rotated on every email we send, so the plaintext token exists only in the link itself.
- Encrypted in transit. All traffic uses TLS, enforced with HSTS, alongside a strict Content Security Policy and standard hardening headers.
- Proof of control. Monitoring requires a DNS-based ownership challenge, so the service can't be turned against domains you don't control.
- Abuse resistant. Requests are rate-limited, and sign-up responses are designed so the service can't be used to enumerate who is or isn't a subscriber.
Scope
Reports concerning emailposture.com and its subdomains are in scope. Findings in third-party providers we use (such as Stripe, Resend, our database host, or Vercel) should be reported to those vendors directly.