Security
At fly.email, security is foundational to everything we build. Your email is private, and we treat it that way. This page details the technical measures we use to protect your data.
Encryption at Rest
All emails stored on our platform are encrypted using AES-256-GCM (Galois/Counter Mode), an authenticated encryption standard that provides both confidentiality and integrity verification.
- Envelope encryption: Each account has its own Data Encryption Key (DEK), which is itself encrypted by a master key managed through AWS Key Management Service (KMS).
- Automatic key rotation: KMS keys are rotated annually to limit the impact of any potential key compromise.
- Memory safety: Decryption keys are cleared from memory immediately after use.
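The envelope scheme in the list above, sketched in Node.js as an added example (it is not fly.email's code). The local `masterKey` stands in for the KMS-managed key, and the function names and the `dek:` / `mail:` associated-data labels are assumptions made for illustration.

```javascript
// Added illustration, not fly.email code. masterKey is a local stand-in for
// the KMS-managed key; a real deployment would ask KMS to wrap/unwrap the DEK.
const crypto = require("node:crypto");

// AES-256-GCM encrypt: fresh 96-bit nonce per call, AAD bound into the tag.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt: throws if key, AAD, ciphertext or tag do not match.
function unseal(key, box, aad) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, box.iv, { authTagLength: 16 });
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Generate a per-account DEK and return only its wrapped (encrypted) form.
function createAccountKey(masterKey, accountId) {
  const dek = crypto.randomBytes(32);
  const wrapped = seal(masterKey, dek, Buffer.from("dek:" + accountId));
  dek.fill(0); // best effort: zeroes this buffer, the runtime may hold copies
  return wrapped;
}

// Unwrap the DEK, encrypt one message under it, then clear the DEK.
function encryptEmail(masterKey, accountId, wrappedDek, body) {
  const dek = unseal(masterKey, wrappedDek, Buffer.from("dek:" + accountId));
  try {
    return seal(dek, Buffer.from(body, "utf8"), Buffer.from("mail:" + accountId));
  } finally {
    dek.fill(0);
  }
}

// Unwrap the DEK, authenticate and decrypt one message, then clear the DEK.
function decryptEmail(masterKey, accountId, wrappedDek, box) {
  const dek = unseal(masterKey, wrappedDek, Buffer.from("dek:" + accountId));
  try {
    return unseal(dek, box, Buffer.from("mail:" + accountId)).toString("utf8");
  } finally {
    dek.fill(0);
  }
}
```

Binding the account ID as associated data means a wrapped DEK or ciphertext copied to another account fails authentication instead of decrypting.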
Encryption in Transit
All data transmitted between your browser, our servers, and third-party services is protected by TLS (Transport Layer Security). This includes:
- HTTPS for all web traffic
- TLS for email transmission via Amazon SES
- Encrypted connections to our database and storage systems
Authentication
We support modern, phishing-resistant authentication methods to protect your account.
- Passkeys (WebAuthn): Hardware and platform authenticators that verify your identity without transmitting secrets. Passkeys are bound to our domain and cannot be phished.
- Email and password: Traditional authentication with secure password hashing.
- Session management: Sessions track device information and can be revoked at any time.
Email Security
We implement industry-standard email authentication protocols to ensure deliverability and prevent spoofing.
- SPF (Sender Policy Framework): Verifies that emails are sent from authorized servers.
- DKIM (DomainKeys Identified Mail): Cryptographic signatures that verify email integrity and authenticity.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Policy enforcement for SPF and DKIM.
- Spam and virus scanning: Inbound emails are automatically scanned at receipt.
Infrastructure Security
Our infrastructure is built on AWS with security best practices throughout.
- No static credentials: We use OIDC (OpenID Connect) for all deployments. No long-lived AWS credentials are stored in code or CI/CD systems.
- Least-privilege access: Each service component has only the minimum permissions required to function.
- Infrastructure as Code: All infrastructure is defined and version-controlled using AWS CDK, ensuring reproducibility and auditability.
- S3 bucket security: All storage buckets block public access and require KMS encryption.
Access Control
We implement role-based access control at multiple levels to ensure users can only access what they should.
- User roles: Platform-level roles (admin, user) control access to administrative functions.
- Domain permissions: Domain-level roles (owner, admin, member) control who can manage domains and email accounts.
- Type-safe APIs: All API inputs are validated against strict schemas, and branded ID types prevent accidental access to wrong resources.
Monitoring and Incident Response
- Dead-letter queue monitoring: Failed email processing triggers alerts for investigation.
- Delivery monitoring: Emails stuck in processing are automatically flagged.
- Bounce and complaint tracking: Delivery issues are logged and surfaced to users.
Data Privacy
- We do not sell your data to third parties.
- We do not use your email content for advertising.
- Email content is only accessed for delivery, security, and troubleshooting purposes.
- See our Terms of Service for our data handling policies.
Reporting Security Issues
If you discover a security vulnerability, please report it responsibly. We appreciate your help in keeping fly.email secure.
Contact: hey@dak.dev
Please include details about the vulnerability and steps to reproduce. We will acknowledge your report and work to address the issue promptly.