Security

Best practices for email security

Learn how to secure your Mailpipe integration with API key management, webhook verification, and encryption best practices.

API Key Security

Never expose API keys in client-side code

API keys should only be used in server-side code. For browser/client use, use Supabase session tokens instead.

  • Store API keys in environment variables, never in source code
  • Use the minimum required scopes for each key
  • Create separate keys for different services/environments
  • Use mp_test_* keys for development and staging
  • Add your API keys to .gitignore and use .env.local

Key Rotation

Rotate your API keys regularly, especially if you suspect a key has been compromised:

  1. Generate a new key in Settings → API Keys
  2. Update your environment variables with the new key
  3. Deploy your application with the new key
  4. Verify the new key works correctly
  5. Revoke the old key from the dashboard

We recommend rotating keys every 90 days as a security best practice.

Webhook Signature Verification

Always verify webhook signatures to ensure requests originate from Mailpipe:

Node.js
import crypto from 'crypto';

function verifyWebhookSignature(
  payload: string,
  signature: string,
  secret: string
): boolean {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

// In your webhook handler:
app.post('/webhooks/mailpipe', (req, res) => {
  const signature = req.headers['x-mailpipe-signature'];
  const isValid = verifyWebhookSignature(
    JSON.stringify(req.body),
    signature,
    process.env.MAILPIPE_WEBHOOK_SECRET
  );

  if (!isValid) {
    return res.status(401).json({ error: 'Invalid signature' });
  }

  // Process the webhook...
});

Transport Security

  • TLS 1.2+ — All API connections require TLS. HTTP requests are rejected.
  • At-rest encryption — API keys are hashed with SHA-256 before storage. Email content is encrypted at rest in Supabase.
  • Provider credentials — Email provider API keys (Resend, Postmark, etc.) are encrypted with AES-256 before storage.
  • DKIM signing — All outbound email is DKIM-signed for authentication and integrity.

Data Privacy

  • On Mailpipe Cloud, email is stored in Mailpipe's managed Postgres database; with BYOS it's stored in your own Supabase project
  • Row-level security ensures users only access their own organization's data
  • We don't sell your email or use it for advertising, and access it only as needed to operate, secure, and support the Service
  • You can export or delete your data at any time from Settings

Still have questions?

Our team is here to help with anything from setup to scaling.

Contact support