Security here at Purelymail

Created by Alice Joynson-Ellis, Modified on Wed, 27 Aug at 8:32 PM by Alice Joynson-Ellis

Here at Purelymail, we value keeping your information as secure as possible. Nobody but you should have access to your data.


In this guide, we go over some of the ways that we keep your data secure. However, for security purposes we won't go into the specifics of how we accomplish that, such as the architecture of our system. If you have a specific concern, then you can always make a ticket above or contact us at support@purelymail.com.

All data is encrypted at rest

One method to keep your data secure is encrypting it at rest. "At rest" means when the data is being stored on our servers, which is any permanent storage. It won't, however, be encrypted while it is stored in RAM or cache, since that is when you will be using it.

Email content is encrypted using your password, meaning that even we can't read the content of your email! However, it will be accessible if password reset is disabled. Please note that partial content of emails can be recovered using search indexes without your password; however, this feature can be disabled for your user.

All protocols are encrypted with SSL

All protocols we use here at Purelymail (IMAP/SMTP/POP) as well as the Webmail and admin pages utilize SSL (Secure Sockets Layer). This establishes asymmetric encryption for all traffic between your computer and us. No one else listening on the network or the internet will be able to read the content of messages sent. This keeps content confidential and secure. Mail delivery also uses SSL wherever possible, provided you have this enabled on your account. 

Passwords are encrypted at rest

No passwords are ever left in clear text. We have separate hashes for encryption of your mail and authentication. Note that hashing is a one-way process. No one will be able to reverse it without trying every possible password. Hackers will often have lists of some of the most commonly used passwords, which is why we have extensive password requirements for each user. This helps to ensure that a password will take a massively long time to break.
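How separate hashes for authentication and for mail encryption can come from one password, shown as an added example that is not Purelymail's code. The article does not disclose the actual scheme, so PBKDF2-HMAC-SHA256, the purpose labels, the salts and the iteration count below are all assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, chosen for the example


def _derive(password: str, salt: bytes, purpose: bytes) -> bytes:
    """Slow one-way derivation; the purpose label keeps the two outputs unrelated."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), purpose + salt, ITERATIONS, dklen=32
    )


def enroll(password: str) -> dict:
    """Build the record a server would store: salts and the auth hash only."""
    record = {"auth_salt": os.urandom(16), "enc_salt": os.urandom(16)}
    record["auth_hash"] = _derive(password, record["auth_salt"], b"auth:")
    return record  # the mail encryption key is never written to storage


def verify(record: dict, password: str) -> bool:
    """Check a login attempt against the stored hash in constant time."""
    candidate = _derive(password, record["auth_salt"], b"auth:")
    return hmac.compare_digest(candidate, record["auth_hash"])


def mail_key(record: dict, password: str) -> bytes:
    """Re-derive the mail encryption key; only possible while the password is present."""
    return _derive(password, record["enc_salt"], b"enc:")


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    rec = enroll(pw)
    print("login ok:", verify(rec, pw))
    print("wrong password rejected:", not verify(rec, "password123"))
    # The stored auth hash and the mail key share no bytes an attacker can reuse.
    print("auth hash differs from mail key:", rec["auth_hash"] != mail_key(rec, pw))
```

A copy of the stored record lets someone test password guesses against `auth_hash`, but it does not contain the mail key, which exists only while the password is being processed.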

Two factor authentication

We support the use of two factor authentication for your accounts. This adds an extra layer of security: an attacker would also need a code sent to your security methods, a rotating code from your app that changes every 60 seconds, or a physical device called a passkey (this can sometimes be your mobile device).

Good security practice

Our team is well versed in best security practice for products and services. This includes blocking any unnecessary ports, frequent security updates where available, resource isolation where possible and attempting to maintain a minimal attack surface.

We try to collect as little data as possible

More often than not, we don't require much information from you at all! That means we don't have to secure information that we don't have. No one can access it! In terms of billing, this is all handled by the well-seasoned professionals at Stripe and PayPal, who work to keep all payment information secure. We will never have access to it.

Physical security through AWS

An often overlooked side of cyber security is physical security. That's why we host with Amazon Web Services! They have top notch security over all machines that they run, which is where all of our infrastructure is hosted! You can find out more about their security practices here.

Paid email hosting

Paid email hosting means you are always our customer, not a product to earn more from. Your data will never be sold or monetized in any way. You can find out more about this in our Privacy Policy.

Our goals to improve security

While we believe that our current solution is secure, it can always be improved. This is why we will strive to do the following:

Webmail specific settings

Any settings on our Webmail platform including contacts could be encrypted along with mail data. This will help protect your account from attackers trying to find who you are communicating with.

Developing secure workarounds for email protocol limitations

While these protocols are designed in a way to be secure, they use industry standards designed a while ago. This includes protocols like IMAP and SMTP sending your password over the network in clear text (although this is confidential and secure through use of SSL). Additionally, with IMAP, decryption of your mail has to be done on our servers.

S/MIME support

S/MIME is a method used to encrypt or digitally sign the emails you send to people. This will be optional since it can be inconvenient to set up and utilize daily, but it would allow fully encrypting emails in transit, without our servers needing to or being able to decrypt them. All encryption and decryption would be done entirely on your side, where we have no access.

Things we can't do.

Unfortunately, there are some security considerations that wouldn't be feasible to implement on a service like ours. A few of these are outlined below, with alternative suggestions.

Serverside end-to-end encryption at time of delivery

A quick summary of why this can't be achieved is that end-to-end encryption isn't particularly suited for email as a protocol. Even when it can work, it is often very rare at best and introduces some practical considerations. If end-to-end encryption is something that you value or require, you should consider using an email client that supports S/MIME or a different application entirely like Signal, where this is supported. Signal also has high security considerations, which can be seen in their blog post here.

Data retention

To be able to provide you with a convenient service, we do retain backups of deleted email messages for one month after the date of deletion. This includes original undelivered messages. This is done to prevent data loss from any mistake or accident on our part. We also delete any and all system logs older than one month. These logs generally only contain event information like any errors, or metadata. No important or easily identifiable user information is stored in those.

Got a security concern to report?

We always value finding issues in our service so that we can fix them! If you have noticed any security issues with Purelymail, feel free to send us a ticket with "[Security Concern]" or "[Security Report]" in the subject, or send us an email using this link: Security email, and we can work on it to improve the whole service!

