Treat your email integration as production infrastructure. It can send messages to customers, expose personal data in logs, and affect your sender reputation.

API keys

  • Store API keys in a secrets manager or environment variables.
  • Use separate keys for development, staging, and production.
  • Use one key per application or service.
  • Rotate keys on a schedule and immediately after suspected exposure.
  • Revoke unused keys.
  • Never expose API keys in client-side code, mobile apps, screenshots, logs, or support tickets.

Webhook security

  • Verify every webhook signature before trusting the payload.
  • Reject signatures outside a short freshness window.
  • Store the raw body before parsing.
  • Make processing idempotent because replay and duplicate delivery can happen during recovery workflows.
  • See the webhook documentation for more details and best practices.
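
The checklist above as one handler, written as an added example rather than MailChannels code. The signing scheme (hex HMAC-SHA256 over the timestamp, a dot, and the raw body), the `id` field, the 300-second window, and the in-memory stores are all assumptions for illustration; take the real signature format from the webhook documentation.

```python
import hashlib
import hmac
import json
import time

FRESHNESS_SECONDS = 300   # assumed window; size it to your delivery latency
seen_event_ids = set()    # stand-in for a durable store with a unique key
raw_archive = []          # stand-in for raw-body storage


def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Hypothetical scheme: hex HMAC-SHA256 over b"<timestamp>." + raw body."""
    msg = timestamp.encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def handle_webhook(secret, timestamp, signature, raw_body, now=None):
    """Return 'processed', 'duplicate', or 'rejected:<reason>'."""
    timestamp, signature = timestamp or "", signature or ""
    now = time.time() if now is None else now
    # Verify over the bytes exactly as received; compare in constant time.
    expected = sign(secret, timestamp, raw_body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "rejected:bad-signature"
    # The timestamp is now authenticated, so the freshness check can trust it.
    try:
        ts = int(timestamp)
    except ValueError:
        return "rejected:bad-timestamp"
    if abs(now - ts) > FRESHNESS_SECONDS:
        return "rejected:stale"
    raw_archive.append(raw_body)  # keep the raw bytes before any parsing
    try:
        event_id = str(json.loads(raw_body)["id"])  # "id" is an assumed field
    except (ValueError, KeyError, TypeError):
        return "rejected:bad-json"
    # Redelivered or replayed events are acknowledged but not processed again.
    if event_id in seen_event_ids:
        return "duplicate"
    seen_event_ids.add(event_id)
    return "processed"
```

In production the seen-ID check and insert should be a single atomic operation against shared storage, so that two workers receiving the same delivery cannot both process it.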

Data handling

Email content and metadata can contain personal data. Avoid logging full message bodies, private DKIM keys, API keys, unsubscribe links, and sensitive recipient data. When support needs examples, provide the request_id, timestamps, and the sender and recipient domains.

Transport security

MailChannels sends outbound email over TLS when the receiving mail server supports it.

Security contact

If you believe you have found a security issue, contact MailChannels support with a clear description, reproduction steps, affected endpoints, and any relevant timestamps.