Security

Built to keep ownership from becoming exposure.

Supromail gives teams control over their domains, phones, routes, and data. The security model is designed to isolate workspaces, reduce retained sensitive data, and make every integration verifiable.

Last updated: July 4, 2026

Workspace isolation

Every workspace is separated at the application and database level, with row-level controls documented for hosted and self-hosted deployments.

Encrypted secrets

DKIM private keys and webhook signing secrets are sealed at rest with AES-256-GCM using a deployment master key.

Signed webhooks

Webhook payloads include HMAC signatures and timestamps so your systems can reject spoofed or replayed delivery events.

Workspace isolation

Supromail scopes domains, phones, messages, members, API keys, webhooks, suppressions, logs, and settings to a workspace. The documented backend model uses Postgres Row-Level Security and a non-superuser runtime role so one workspace cannot read another workspace's rows.

  • Workspace-scoped records for accounts, sending assets, and message history.
  • Role-based controls for owners, admins, and members.
  • Audit events for meaningful workspace administration actions.

Secrets and credentials

API keys are shown once and stored as hashes. Device tokens are private to paired phones. DKIM private keys and webhook secrets are encrypted at rest and should be backed up with the deployment master key in self-hosted environments.

  • Scoped API keys for email and SMS permissions.
  • Key revocation and credential rotation for exposed secrets.
  • Short-lived QR pairing codes for Android SMS devices.

SMS recipient minimization

SMS delivery requires the dialable phone number while a message is in flight. After the message reaches a final status, Supromail is designed to erase the full number and retain only a masked display value plus a non-reversible hash for abuse controls and history.

Webhook safety

Supromail signs webhook deliveries with a timestamped HMAC signature. Receivers should compute the signature over the raw request body, reject stale timestamps, and accept either active signature during the documented rotation overlap.

Outbound webhook delivery validates the actual destination IP after DNS resolution and disables redirects to reduce SSRF risk against internal networks and cloud metadata services.

Access control

Supromail uses passwordless login and workspace roles. Owners and admins can invite members, enable channels, manage domains and devices, create or revoke API keys, configure webhooks, and review activity. Removing a member or deleting an account revokes access within the product's short token lifetime.

Abuse controls

Rate limits, quotas, duplicate collapse, recipient caps, premium or satellite prefix blocking, suppression handling, bounce handling, and complaint handling help contain abuse from mistakes, leaked keys, or misconfigured automations.

Self-hosting security

Self-hosted operators control the deployment environment, database, Keycloak login service, Redis if used, reverse proxy, backups, TLS, domain settings, SMTP relay, and master encryption keys. Operators should keep secrets outside source control, use the non-superuser database role, back up the encryption key separately, and sync backups off-host.

Report a vulnerability

Send security reports to security@supromail.com. Please include affected URLs, reproduction steps, impact, screenshots or proof of concept where safe, and whether any customer data or credentials may be involved.

If you believe an API key, webhook secret, DKIM key, or device token was exposed, revoke or rotate it immediately from the dashboard or deployment environment.