Best Practices for Account Security

We’ve listed some industry best practices for password management. While Postmark is secure and redundant, these are steps customers can take to help protect their account.

Don’t share user accounts

Be sure that every person who accesses your Postmark account is set up as their own user. Postmark allows for unlimited users with no per-seat charges. Giving each person their own user prevents password sharing and makes setting up and using 2FA much easier.

You can always limit the access a user has to the account and its servers as well. More on that here.

Powerful Passwords

After everyone has their own account, each user needs to use a unique, strong password for your Postmark account.

Yup, it’s time to stop using the same password with every service. Services like 1Password or even your browser’s password generator are great ways to create and store secure passwords.

Enable and Require 2FA

Be sure each user has enabled Two-Factor authentication (2FA). It’s another important step to help secure your account and its information.

Postmark allows you to enforce that all users must use 2FA. This is turned on in the Account section in Postmark.

After setting up 2FA, download and store backup codes in a secure place. This helps prevent locking yourself out of your user account in the event your phone is lost.

The Users page in Postmark lets you see who does and doesn’t have 2FA enabled.

Rotate API Tokens

Be sure you rotate your account and server API Tokens on a regular basis. Never share your API Token through email, group messaging (e.g. Slack), forums, or source code. This reduces the risk of a bad actor getting hold of them. Postmark support will never need to know the full API Token you’re using. Even if you don’t believe you have ever shared your API Token, rotating them on a regular basis is still a great idea. You can generate a new API token and delete your server’s old one in your server’s API Tokens tab, seen in this example:

Rotate your server’s old API token in your server’s API Tokens tab

(I’ve since generated a new API token and deleted the old one, so don’t get any funny ideas scammers!)
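One way to check that no API Token has ended up in source code, as an added example that is not Postmark's own tooling: a small scanner that flags token literals next to Postmark's token headers or a Postmark token variable, and masks them in its report. The UUID-shaped token pattern, the function names and the sample file are assumptions made for this example.

```python
import re

# Assumption: tokens are UUID-shaped (8-4-4-4-12 hex); adjust if yours differ.
TOKEN_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)
# Context that marks a line as Postmark-related: the API's token headers,
# or an identifier that mentions both "postmark" and "token".
CONTEXT_RE = re.compile(
    r"X-Postmark-(?:Server|Account)-Token|postmark\w*token", re.I)


def mask(token):
    """Keep only the last 4 characters so the report never repeats the secret."""
    return "*" * (len(token) - 4) + token[-4:]


def find_hardcoded_tokens(text, path="<memory>"):
    """Return (path, line_no, masked_token) for each literal token found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not CONTEXT_RE.search(line):
            continue  # UUIDs on unrelated lines (request ids etc.) are ignored
        for match in TOKEN_RE.finditer(line):
            findings.append((path, line_no, mask(match.group())))
    return findings


# Constructed sample input: the token below is made up for this example.
SAMPLE = '''\
import os
POSTMARK_SERVER_TOKEN = os.environ["POSTMARK_SERVER_TOKEN"]  # read at runtime
headers = {"X-Postmark-Server-Token": "0a1b2c3d-1111-2222-3333-444455556666"}
request_id = "9f8e7d6c-aaaa-bbbb-cccc-ddddeeeeffff"  # unrelated UUID
'''

if __name__ == "__main__":
    for path, line_no, masked in find_hardcoded_tokens(SAMPLE, "app.py"):
        print(f"{path}:{line_no}: hard-coded Postmark token {masked}")
```

Any token this finds should be rotated in the API Tokens tab, not just deleted from the file, since it remains in the repository's history.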

Last updated February 23rd, 2022
