Security Overview

Keeping your data safe and secure is a huge responsibility and a top priority for us at SimpleLogin.


Domains

SimpleLogin currently operates on the following domains:

Most of our domains implement the following standards:

Domain Name System Security Extension (DNSSEC)

DNSSEC or Domain Name System Security Extensions is an extension of the DNS protocol that provides cryptographic assurance of the authenticity and integrity of responses. It’s intended as a defense against network attackers who are able to manipulate DNS to redirect their victims to servers of their choice.

Without DNSSEC, an attacker can point SimpleLogin's MX record to their own server and receive emails sent to SimpleLogin servers.

Certification Authority Authorization (CAA)

CAA is a standard that allows SimpleLogin to restrict which Certificate Authorities (CAs) are allowed to issue certificates for our domains. By default, every public CA is allowed to issue certificates for any domain name in the public DNS, provided they validate control of that domain name. That means that if there’s a bug in any one of the many public CAs’ validation processes, every domain name is potentially affected. This has happened in the past, affecting Google and Windows Live, among others.

CAA provides a way for domain holders to reduce that risk. Without CAA, someone could potentially obtain an unauthorized SSL certificate for SimpleLogin domains, which could enable man-in-the-middle attacks.

All SimpleLogin certificates are issued by Let's Encrypt, a certificate authority SimpleLogin trusts.

Hardenize

Hardenize is a comprehensive security tool that provides assessments of website and network security configuration.

Here are Hardenize reports for our domains:


Mail Servers

Currently, SimpleLogin operates two mail servers with the help of Proton AG.

Our mail servers support the following security standards.

Sender Policy Framework (SPF)

SPF (Sender Policy Framework) is a protocol that allows domain name owners to control which internet hosts are allowed to send email on their behalf.

By default, only our mail servers can send emails on behalf of SimpleLogin. We use the strictest SPF policy, which is -all. Without SPF, anyone can send emails that seem to come from SimpleLogin.

DomainKeys Identified Mail (DKIM)

DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain. This is done by giving the email a digital signature.

All emails sent from SimpleLogin servers, including emails forwarded to your mailbox and emails sent from your mailbox, are DKIM-signed.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC is an email-validation system. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.

Built around SPF and DKIM, a DMARC policy tells the receiving mail server what to do if neither of those authentication methods passes.

SimpleLogin uses a strict DMARC policy that rejects emails that fail the SPF or DKIM check.
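The CAA, SPF and DMARC settings described above can be checked mechanically. The following Python code is an added example, not SimpleLogin's own code: it audits record strings for a hard-fail SPF policy (-all), a DMARC p=reject policy, and CAA issuance limited to Let's Encrypt. The records, the example.com and example.net names, and the function names are constructed for illustration.

```python
# Constructed sample records for the placeholder domain example.com;
# they are not SimpleLogin's real DNS data.
STRICT = {"spf": "v=spf1 mx -all",
          "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s",
          "caa": [(0, "issue", "letsencrypt.org")]}
WEAK = {"spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "caa": []}  # no CAA records: any public CA may issue

def spf_all_qualifier(txt):
    """Qualifier of the SPF `all` mechanism ('+', '-', '~', '?') or None."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return None
    for term in terms[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"  # bare "all" is "+all"
    return None  # no `all` mechanism, so nothing is hard-failed

def dmarc_policy(txt):
    """Value of the DMARC `p=` tag, or None if absent or not a DMARC record."""
    pairs = (part.partition("=") for part in txt.split(";"))
    tags = {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None

def caa_issuers(records):
    """CA domains permitted by (flags, tag, value) CAA records."""
    issuers = set()
    for _flags, tag, value in records:
        if tag.lower() in ("issue", "issuewild"):
            issuer = value.split(";")[0].strip().lower()
            if issuer:  # an empty issuer (";") permits no CA at all
                issuers.add(issuer)
    return issuers

def audit(spf, dmarc, caa, trusted_ca="letsencrypt.org"):
    """Return a list of deviations from the policy described on this page."""
    findings = []
    if spf_all_qualifier(spf) != "-":
        findings.append("SPF does not end in a hard fail (-all)")
    if dmarc_policy(dmarc) != "reject":
        findings.append("DMARC policy is not p=reject")
    if caa_issuers(caa) != {trusted_ca}:
        findings.append(f"CAA does not limit issuance to {trusted_ca}")
    return findings
```

Calling audit(**STRICT) returns an empty list, while audit(**WEAK) reports all three deviations.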

Email Encryption

Emails sent to and from our servers are encrypted using TLS versions 1.1, 1.2, or 1.3. This prevents network attackers from carrying out man-in-the-middle (MITM) attacks on the emails sent and received by you and your recipient.

Additional Measures and Precautions

In addition to the measures and precautions stated above, SimpleLogin mail servers also implement the following standards:


Web Servers

SimpleLogin currently runs two web app instances.

All data in transit between SimpleLogin servers and end users is encrypted via SSL/TLS.

Here too, we implement the following additional measures in conjunction with SSL/TLS encryption:

We take more than reasonable security measures, such as using strong, unique, and long passwords, two-factor authentication, and a whitelist of people who can deploy changes to our servers.


Database & File Storage

Our PostgreSQL database stores and encrypts user data at rest and is backed up every day. Backups older than 7 days are deleted. The database is only accessible from our mail and servers. Nobody but us has access to our database.

For file storage, we use UpCloud Object Storage, which stores user profile pictures and temporary bounced emails. All bounced emails are deleted after 7 days.