Best Practices for Account Security
While Postmark is secure and redundant, these are some best practices you can take to help protect your Postmark account.
Don’t share user accounts#
Be sure that every person who accesses your Postmark account is set up as their own user. Postmark allows for unlimited users with no per-seat charges. Having each person accessing your account with their own user prevents password sharing and makes setting up and using 2FA much easier.
You can always limit access a user has to the account and its servers as well. More on that here.
Set up Emergency Contacts#
If your sending within Postmark ever needs to be temporarily paused due to high bounce rates, high spam complaint rates, spambot abuse, etc, Postmark will always email the account owner and any listed Emergency Contacts to let them know of the issue and the instructions for getting sending resumed quickly. As such, it's a very good idea to list some Emergency Contact email addresses in your Account settings tab, so that you and your team can be alerted and can help resolve any issues as fast as possible.
Powerful Passwords#
After everyone has their own account, each user needs to use a unique, strong password for your Postmark account.
Yup, it’s time to stop using the same password with every service. Services like 1Password or even your browser’s password generator are great ways to create and store secure passwords.
Enable and Require 2FA#
Be sure each user has enabled Two-Factor authentication (2FA). It’s another important step to help secure your account and its information.
Postmark allows you to enforce that all users must use 2FA, this is turned on in the Account section in Postmark.
After setting up 2FA, download and store backup codes in a secure place. This helps prevent locking yourself out of your user account if your phone in the event it’s lost.
The Users page in Postmark lets you can see who does and doesn’t have 2FA enabled.
Rotate API Tokens#
Be sure you rotate your account and server API Tokens on a regular basis. Never share your API Token through email, group messaging (e.g. Slack), forums, or source code. This reduces the risk of a bad actor getting hold of them. Postmark support will never need to know the full API Token you’re using. Even if you don’t believe you have ever shared your API Token, rotating them on a regular basis is still a great idea. You can generate and delete your server’s old API token in your server’s API Tokens tab, seen in this example:
(I’ve since generated a new API token and deleted the old one, so don’t get any funny ideas scammers!)
Protect forms from spambot abuse#
While spambots abuse your public facing forms, and not necessarily your Postmark account itself, it's still a great idea to ensure you're protecting your account's sending against such malicious activity. We have a great guide on how to protect your forms against spambot abuse here that will help ensure that your Postmark sending stays clean and safe.
Use Webhooks#
By using Postmark's various webhooks you can keep a pulse on how your messages are faring. Monitoring webhooks can help alert you of issues if you notice sudden increases in sending, bounces, or spam complaints.
If you’re using Laravel, make sure your site is not on debug mode#
Laravel debug mode is a way for developers to troubleshoot issues with a site during local development. Letting a developer see what tokens or passwords they're using is a great way to speed up development. Debug mode itself isn’t a vulnerability with Postmark or Laravel—many frameworks have this type of feature.
However, this sensitive data is available in plain text and can become very dangerous when debug mode is left on for a live site. That means a scammer can discover this information and can use it, too. Using cheap and simple automated tools, bad actors can quickly check if a site has debug mode on and extract sensitive information from the site. Making sure your site is not on debug mode, will protect you from this. You can read more on this in this blog post.