Doposta
LoginStart Free Trial
Back to Blog
Security & Compliance

Email Encryption & Security: Protecting Data at Every Layer

DoPosta Team
February 5, 2026
12 min read

Email Encryption & Security: Protecting Data at Every Layer


Email platforms handle your most sensitive data: customer lists, personal information, behavioral tracking, campaign content. A breach exposes not just your data, but your customers' data. Enterprise-grade encryption isn't optional—it's foundational.


DoPosta implements **defense-in-depth encryption**: AES-256-GCM for API traffic, AES-256-CBC for file storage, TLS 1.3 for database connections, field-level encryption for sensitive data, plus comprehensive security headers and monitoring.


The Threat Landscape


Email marketing platforms are high-value targets for attackers:


**Contact list theft**: 10 million email addresses with engagement data sells for $50,000+ on dark web markets. Lists are often more valuable than credit card data (which expires quickly).


**Campaign hijacking**: Attackers modify campaigns to insert phishing links or malware. Your brand sends malicious emails to your own customers. Reputational damage is irreversible.


**API key compromise**: Exposed API keys allow attackers to send unlimited emails from your infrastructure, burning your IP reputation and potentially landing you on blacklists.


**Credentials in transit**: Unencrypted SMTP credentials intercepted during transmission give attackers direct server access.


**Database breaches**: If an attacker gains database access, unencrypted fields (emails, names, custom data) are immediately compromised.


DoPosta's encryption strategy mitigates every attack vector.


Encryption at Rest


All data stored in DoPosta's databases and file systems is encrypted:


Database Encryption (AES-256-CBC)


**Full disk encryption** on all database servers using AES-256-CBC. If physical drives are stolen or server is decommissioned, data is cryptographically unreadable.


**Field-level encryption** for highest-sensitivity data:

  • SMTP passwords (encrypted with unique per-customer keys)
  • API keys and tokens
  • OAuth credentials for integrations
  • Custom field data marked as "sensitive"
  • Payment information (credit cards, bank details)

    • Field encryption uses **envelope encryption**: Each field is encrypted with a data encryption key (DEK), and DEKs are encrypted with a master key encryption key (KEK) stored in a hardware security module (HSM).


    **Key rotation**: Master keys rotate every 90 days. Old encrypted data is re-encrypted with new keys in a background process. Zero downtime, complete compliance.


    File Storage Encryption (AES-256-GCM)


    Uploaded assets (images, HTML templates, CSV imports, exports) are encrypted in object storage (S3, R2, Azure Blob):


  • **Server-side encryption** with AES-256-GCM
  • **Unique encryption keys** per customer workspace
  • **Pre-signed URLs** expire after 60 seconds for temporary downloads
  • **Encrypted backups** with separate backup encryption keys

    • When you upload a template image, it's encrypted before touching storage. When displayed in the email builder, it's decrypted on-demand with time-limited access tokens.


    Backup Encryption


    Daily backups are encrypted separately from production data:


  • **Different encryption keys** - A production breach doesn't compromise backups
  • **Geographic separation** - Backups stored in different AWS regions
  • **Versioned retention** - 30 daily backups, 12 monthly backups, all encrypted
  • **Backup restoration testing** - Monthly tests ensure encrypted backups are restorable

    • Encryption in Transit


    Data moving between systems must be protected from interception:


    API Traffic (TLS 1.3)


    All API requests to DoPosta use **TLS 1.3** (or TLS 1.2 minimum for older clients):


  • **Perfect forward secrecy** - Compromising today's encryption keys doesn't decrypt past traffic
  • **Strong cipher suites only** - AES-256-GCM-SHA384, ChaCha20-Poly1305
  • **No weak ciphers** - TLS 1.0/1.1 disabled, RC4/3DES/MD5 rejected
  • **HSTS enforcement** - HTTP Strict Transport Security forces HTTPS

    • Try connecting to DoPosta's API with HTTP: curl http://api.doposta.com/v1/campaigns. Immediate 301 redirect to HTTPS with HSTS header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.


    Database Connections (TLS 1.2)


    Application servers connect to databases over **encrypted TLS connections**:


  • **Certificate validation** - Database servers present valid TLS certificates
  • **No plaintext fallback** - If TLS fails, connection is rejected (no unencrypted fallback)
  • **Internal network encryption** - Even within private networks, all DB traffic is encrypted

    • Email Transmission (TLS 1.2/1.3)


    Outbound emails from DoPosta to recipient servers use **opportunistic TLS**:


  • **TLS enforced** where supported (95%+ of recipients)
  • **MTA-STS support** - Respects recipient MTA Strict Transport Security policies
  • **Downgrade attack prevention** - Detects and logs TLS stripping attempts
  • **DANE validation** - DNS-based Authentication of Named Entities for enhanced security

    • When sending to Gmail, Outlook, Yahoo: TLS 1.3 with AES-256-GCM is negotiated. Delivery logs show encryption status per recipient domain.


    SMTP Credential Protection


    PowerMTA configuration files contain SMTP credentials. DoPosta encrypts these:


  • **Credentials encrypted** in DoPosta's database (AES-256 field-level)
  • **Transmitted to servers** over encrypted API connections
  • **Written to PMTA config** in memory only (never unencrypted on disk)
  • **Rotated regularly** - Automated credential rotation every 90 days

    • API Security


    DoPosta's REST API implements multiple security layers beyond encryption:


    Authentication (JWT with RS256)


    API authentication uses **JSON Web Tokens (JWT)** signed with RSA-256:


    Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...


  • **RSA-256 signatures** - Tokens cryptographically signed, can't be forged
  • **Short expiration** - Tokens valid for 1 hour only
  • **Refresh tokens** - Long-lived refresh tokens (30 days) for re-authentication
  • **Scope-based access** - Tokens include permission scopes (read-only, send-only, admin)

    • Token payload includes user ID, workspace ID, role, and allowed permissions. Tampering with payload invalidates the signature.


    Rate Limiting


    Prevent brute force and abuse:


  • **Global rate limit**: 1000 requests/minute per API key
  • **Endpoint-specific limits**: 10 login attempts/minute, 100 campaign creates/hour
  • **Adaptive throttling**: Automatic slowdown on suspicious patterns
  • **IP-based backup**: Rate limits by IP if API key is compromised

    • Exceed limits and receive 429 Too Many Requests with Retry-After header.


    Request Signing (HMAC-SHA256)


    For maximum security, enable **request signing** on API keys:


    Each request includes a signature generated with HMAC-SHA256:


    X-DoPosta-Signature: sha256=3a5d2f8b...


    Server recalculates signature using shared secret. Mismatched signatures are rejected. Prevents request tampering and replay attacks.


    IP Whitelisting


    Restrict API key usage to specific IP addresses:


  • **Single IP**: 203.0.113.42 only
  • **CIDR ranges**: 203.0.113.0/24 for entire subnet
  • **Multiple IPs**: Comma-separated list for HA deployments

    • API calls from non-whitelisted IPs are rejected with 403 Forbidden.


    Web Application Security


    DoPosta's web dashboard implements comprehensive security headers:


    Content Security Policy (CSP)


    Prevent XSS attacks with strict CSP:


    Content-Security-Policy: default-src 'self'; script-src 'self' 'sha256-xyz'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https://api.doposta.com;


  • **No inline scripts** without hash whitelisting
  • **No eval()** or unsafe JavaScript execution
  • **Restricted external resources** to known CDNs only
  • **Report-URI** logs CSP violations for monitoring

    • Additional Security Headers


    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

    X-Frame-Options: DENY

    X-Content-Type-Options: nosniff

    Referrer-Policy: strict-origin-when-cross-origin

    Permissions-Policy: geolocation=(), microphone=(), camera=()


  • **HSTS**: Force HTTPS for one year, include subdomains
  • **X-Frame-Options**: Prevent clickjacking by blocking iframes
  • **X-Content-Type-Options**: Prevent MIME-sniffing attacks
  • **Referrer-Policy**: Don't leak URLs in referer headers
  • **Permissions-Policy**: Disable unnecessary browser APIs

    • CSRF Protection


    All state-changing requests require CSRF tokens:


  • **Token in form**: Hidden input with cryptographic token
  • **Token in header**: X-CSRF-Token for AJAX requests
  • **Validation on server**: Rejects requests without valid tokens
  • **Per-session tokens**: Tokens rotate on login

    • XSS Prevention


    Multiple layers prevent cross-site scripting:


  • **Input validation**: Reject malicious patterns on input
  • **Output encoding**: Escape HTML entities on output
  • **Context-aware encoding**: Different encoding for HTML vs JavaScript vs CSS contexts
  • **Template auto-escaping**: React/Vue automatically escape variables

    • Compliance & Certifications


    DoPosta's encryption and security practices meet:


    SOC 2 Type II

    Independent audit of security controls including encryption at rest, encryption in transit, key management, access controls, and incident response. Annual re-certification.


    GDPR (General Data Protection Regulation)

    Right to erasure (data deletion including encrypted backups), data portability (encrypted exports), breach notification (within 72 hours), data processing agreements, and EU data residency options.


    HIPAA (for healthcare customers)

    Business Associate Agreements (BAA) available, encrypted PHI (Protected Health Information), audit logging, access controls, and breach notification procedures.


    PCI DSS (Payment Card Industry)

    Credit card data never stored unencrypted. Payment processing via PCI-compliant providers (Stripe). Encrypted transmission of payment data.


    Key Management


    Encryption is only as strong as key management:


    Hardware Security Modules (HSM)


    Master encryption keys stored in **FIPS 140-2 Level 3** hardware security modules:


  • **Keys never leave HSM** - Encryption/decryption happens inside HSM
  • **Tamper-evident** - Physical intrusion attempts destroy keys
  • **Dual control** - Two operators required for sensitive operations
  • **Audit logging** - Every key operation logged immutably

    • Key Hierarchy


    DoPosta uses a multi-tier key hierarchy:


    1. **Root key** - Stored in HSM, never rotates, only encrypts KEKs

    2. **Key Encryption Keys (KEK)** - Rotate every 90 days, encrypt DEKs

    3. **Data Encryption Keys (DEK)** - Unique per customer, encrypt actual data


    Rotating a KEK re-encrypts all DEKs but doesn't require re-encrypting customer data (only DEKs need re-encryption).


    Key Rotation Schedule


  • **API keys**: Manual rotation recommended every 90 days
  • **SMTP passwords**: Automated rotation every 90 days
  • **Master keys (KEK)**: Automated rotation every 90 days
  • **Database encryption keys**: Annual rotation
  • **TLS certificates**: Automated renewal every 85 days (Let's Encrypt)

    • Monitoring & Incident Response


    Security monitoring runs 24/7:


    Security Monitoring


  • **Failed authentication attempts** - Alert on 5+ failures in 5 minutes
  • **Unusual API access patterns** - ML-based anomaly detection
  • **Encryption failures** - Alert if decryption errors spike
  • **Certificate expiration** - 30-day advance warnings
  • **Vulnerability scanning** - Daily scans for CVEs

    • Incident Response Plan


    If a security incident occurs:


    1. **Detection** (Target: <5 minutes) - Automated alerts to security team

    2. **Containment** (Target: <15 minutes) - Isolate affected systems, rotate keys

    3. **Investigation** (Target: <2 hours) - Determine scope and root cause

    4. **Remediation** (Target: <24 hours) - Patch vulnerabilities, restore service

    5. **Notification** (Target: <72 hours) - Inform affected customers if data exposed


    Customer notification includes: What happened, what data was affected, what we're doing, what you should do, and dedicated support contact.


    Best Practices for Customers


    DoPosta encrypts platform data, but you control campaign security:


    API Key Security

  • **Never commit** API keys to Git repositories
  • **Use environment variables** for key storage
  • **Rotate keys** after employee departures
  • **Use read-only keys** for analytics dashboards
  • **Enable IP whitelisting** for production keys

    • Password Management

  • **Enforce strong passwords** (12+ characters, mixed case, numbers, symbols)
  • **Enable 2FA** for all users (mandatory for admins in DoPosta)
  • **Use password managers** (LastPass, 1Password, Bitwarden)
  • **No shared accounts** - Use DoPosta's RBAC for permission management

    • Email Content Security

  • **HTTPS for all links** in emails (encrypted landing pages)
  • **No sensitive data** in email content (use secure portals instead)
  • **Validate external images** before using in campaigns
  • **Test phishing resistance** - Don't train customers to click suspicious links

    • Encryption Performance Impact


    Strong encryption comes with computation cost. DoPosta's optimizations:


  • **Hardware AES acceleration** - Modern CPUs have AES-NI instructions (near-zero overhead)
  • **Connection pooling** - Reuse TLS connections (avoid repeated handshakes)
  • **Caching decrypted data** - Frequently accessed data cached in memory (encrypted at rest, decrypted in RAM)
  • **Async encryption** - Background workers handle encryption for uploads/imports

    • Result: Encryption adds <5ms latency to API requests, imperceptible to users.


    Conclusion


    Email platform security requires comprehensive encryption: AES-256 for data at rest, TLS 1.3 for data in transit, field-level encryption for sensitive fields, secure key management in HSMs, and defense-in-depth with security headers, rate limiting, and monitoring.


    DoPosta's encryption architecture meets SOC 2, GDPR, HIPAA, and PCI standards. Your data is protected at every layer.


    Ready to secure your email infrastructure? [Start your DoPosta trial](/register) with enterprise-grade encryption enabled by default.


    [View security documentation](/features) or [request a security audit report](/contact) for compliance reviews.


    Ready to Transform Your Email Marketing?

    Start your free trial today. Experience all the features mentioned in this post.

    Start Free Trial