Security

How MailHow protects your mail and your account. Plain about what we do — and what we don't.

Account protection

Passwords are verified against the mail server and never stored in plain text. You can turn on two-factor authentication (TOTP, works with any authenticator app) with single-use recovery codes. Each mail client uses its own device password that you can revoke individually, so your main password never leaves the web app. Every active session is listed and revocable, and you can sign out everywhere at once.

Encryption

In transit: TLS on every connection — IMAP (993), submission (465), the web app (HTTPS), and server-to-server SMTP where the other side supports it. We publish MTA-STS and TLS-RPT so sending servers know to require encryption to us and can report failures.

At rest: mail is stored on encrypted volumes with per-account isolation. Stored device credentials are encrypted with AES-256-GCM.

Honest limit:MailHow is not end-to-end encrypted. Like all standard IMAP mail, the server can technically access message content to deliver and index it — we don’t read it (see the privacy policy), but if you need cryptographic guarantees that no server can, use PGP on top or a dedicated end-to-end service.

Sender authentication

Every domain you connect is set up with dual DKIM signatures (modern ed25519 + classic RSA), a strict SPF record, and DMARC— so receivers can verify your mail is genuinely from you, and spoofers can’t forge your domain. We monitor the sending IP against major blocklists daily.

Backups and durability

Mail and account data are backed up nightly, kept as 7 daily plus 4 weekly snapshots. Because MailHow speaks standard IMAP, you can always keep your own copy — drag folders in Apple Mail or use any IMAP backup tool. Your mail is never locked in.

Data handling

Hosted in the EU. Connection and delivery logs are kept at most 30 days, only for abuse prevention and debugging. No third-party trackers on this site or in the app, no ads, and we don’t train AI models on your mail.

Reporting a vulnerability

Found a security issue? Email security@mailhow.com. We’ll acknowledge quickly and work with you in good faith — no legal action for good-faith research.