Set up DMARC and see who's sending email using your brand's domain.

Is Postmark secure and redundant?

Postmark's primary data and servers are hosted at Deft's data center (located outside of Chicago) and Amazon Web Services (AWS). We provide multiple levels of backups and redundancy to ensure uptime and peace of mind.

This includes:

  • Fully redundant servers for the API, SMTP, Inbound and Web interface.
  • Secure protocols (SSL / TLS) across the web, api and smtp endpoints.
  • Separately hosted Help system and Public site
  • 256-bit SSL encryption on the web app and payment processing.
  • All passwords are stored using one-way cryptographic hashing functions.
  • We run a dedicated environment behind redundant firewalls and switches.
  • Hardened, patched OS with frequent security updates.
  • External monitoring and audits by highly respected security firms.

Deft details

A DuPont Fabros facility, the Deft data center is SOC 2 Type 2 accredited and includes keycard protocols, biometric scanning protocols and round-the-clock surveillance. Our environment is colocated, meaning we have full control of the physical environment and only our policies affect the access and use of the hardware, network and software. We provide multiple levels of backups and redundancy to ensure uptime and peace of mind. Data transferred from our customers to our servers is encrypted via SSL that is configured to meet or exceed all industry standards. Cold data at rest is encrypted with 2048-bit RSA.

Even though Postmark itself has not undergone a SOC audit, our data center has. We can provide a copy of the SOC report for the data center after completing an NDA.

We use technical and physical controls designed to prevent unauthorized access to your personal data. We restrict access to personal data only to our employees, contractors and agents who need to know this information in order to operate, develop or improve our service. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.

To learn more about Deft, read all about it on Deft's website.

Amazon Web Services (AWS) details

The Amazon Web Services infrastructure puts strong safeguards in place to help protect customer privacy. All data is stored in highly secure AWS data centers. For a detailed overview of all security and privacy measures, see the AWS Cloud Security Page. For a list of all current security accreditations, see the AWS Compliance Programs page.

All access to the Postmark interface is secured over SSL (HTTPS), ensuring the information is encrypted. Our SSL configurations are regularly and automatically scanned to ensure we can quickly remediate any vulnerabilities discovered, such as Heartbleed. Additionally, we provide both TLS and HTTPS connections to the Postmark SMTP and API services, ensuring emails sent to the service are encrypted. Account passwords are encrypted in the Postmark database, preventing even our own staff from viewing them. We offer a method to recycle API keys at anytime in the Postmark interface.

We do not encrypt email messages on our servers since it must be decrypted in the interface. Our staff may also need to view email messages to ensure compliance with the Postmark Terms of Use. All sent email messages are stored on Postmark servers for 45 days by default (it is possible to adjust this timeframe from 7 to 365 days with our Retention Add-on), while bounces and spam complaints are stored indefinitely in a Streams Suppression list for reporting and list hygiene.

Employee policies

Only a select few have access to the servers where data is stored. We go to great lengths to ensure the right balance between support and a secure infrastructure. Employees can only access accounts if they have explicit permission from an account owner or the account is in review for compliance of the Postmark Terms of Use.

Redundancy and backups

Postmark contains redundancy in as many areas as possible to avoid and recover from failure. This includes a load balanced and clustered environment with automatic recovery on physical hardware failures. Our data center includes redundancy across all aspects of potential failure including network transit, routing, and power.

Customer data is stored across redundant disk arrays with high availability failover protection. Backups are performed continuously and transferred offsite in accordance to our disaster recovery plan.

Reporting a security issue:

If you have discovered a security issue, please report it through our responsible disclosure process.

Last updated August 1st, 2023

Still need some help?

Our customer success team has your back!