We've listed out some industry best practices when it comes to password management. While Postmark is secure and redundant these are best practices users can take to help protect their account.
Don't share user accounts
Be sure that every person who accesses your Postmark account is set up as their own user. Postmark allows for unlimited users with no per-seat charges. Having each person accessing your account with their own user prevents password sharing and makes setting up and using 2FA much easier.
You can always limit access a user has to the account and its servers as well. More on that here.
After everyone has their own account, each user needs to use a unique, strong password for your Postmark account.
Yup, it's time to stop using the same password with every service. Services like 1Password or even your browser's password generator are great ways to create and store secure passwords.
Be sure each user has enabled Two-Factor authentication (2FA). It's another important step to help secure your account and its information.
After setting up 2FA, download and store backup codes in a secure place. This helps prevent locking yourself out of your user account if your phone in the event it's lost.
The Users page in Postmark lets you can see who does and doesn't have 2FA enabled.
Rotate API Tokens
Be sure you rotate your account and server API Tokens on a regular basis. Never share your API Token through email, group messaging (e.g. Slack), forums, or source code. This reduces the risk of a bad actor getting hold of them. Postmark support will never need to know the full API Token you're using. Even if you don't believe you have ever shared your API Token, rotating them on a regular basis is still a great idea. You can generate and delete your sever's old API token in your server's API Tokens tab, seen in this example:
(I've since generated a new API token and deleted the old one, so don't get any funny ideas scammers!)