What we do not do with your email
We do not scan your email for ad targeting. There is no ad-supported tier, so there is no incentive to read your messages. This is a structural difference from providers that offer a free tier funded by advertising.
We do not sell or share your data with third parties. The companies that process data on our behalf (Stripe for payments, Neon for our database, Cloudflare for storage, AWS SES for outbound delivery) handle only what is necessary to provide their service.
We do not use tracking cookies. Our website analytics use DataFast, a privacy-focused tool that collects zero personal data and does not require a cookie banner.
We make money from subscriptions, not from your data.
Encryption in transit
Every connection between your device and shipmail is encrypted. IMAP, SMTP, and the web interface all require TLS. There is no option to connect unencrypted.
Email sent between shipmail and other servers is encrypted in transit whenever the receiving server supports TLS. The vast majority of business email servers do.
We enforce MTA-STS in strict mode, which tells other email servers they must use encryption when delivering mail to your mailbox. This prevents a class of attacks where someone intercepts email by forcing it to travel over an unencrypted connection.
Encryption at rest
shipmail supports encryption at rest using your own encryption key. You upload your OpenPGP public key or S/MIME certificate, and incoming email is automatically encrypted before it is stored on disk.
The important detail: your private key never touches our servers. We encrypt with your public key, but only you can decrypt with your private key. This means that even if someone gained access to our storage, they could not read your encrypted messages. Neither can we.
This is different from end-to-end encryption as offered by Proton Mail, where messages are encrypted on your device before they leave. shipmail encrypts at the server level after the message arrives. Both approaches have valid use cases, and we are honest about what ours does and does not cover.
Encryption at rest is optional. If you do not upload a key, your email is stored in standard format on encrypted infrastructure (Cloudflare R2, which encrypts all data at rest by default).
Email authentication
Every domain on shipmail gets DKIM, SPF, and DMARC configured automatically during setup. These are the email authentication standards that prevent attackers from sending email that pretends to come from your domain.
DKIM attaches a cryptographic signature to every outbound message, proving it came from your actual mail server. SPF publishes which servers are authorized to send on your behalf. DMARC ties them together and defines what receiving servers should do when a message fails authentication.
We also support ARC (Authenticated Received Chain), which preserves authentication results when email is forwarded through intermediary servers. This prevents legitimate forwarded mail from being flagged as suspicious.
Spam and phishing protection
Every incoming message passes through a built-in spam and phishing filter. The filter checks messages against known spam databases, applies pattern-matching rules, and uses a statistical classifier that learns from message patterns.
Phishing protection specifically targets spoofed sender addresses, homograph attacks (where characters from different alphabets look identical), and known phishing URLs.
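One way to detect the homograph case on a sender domain, as an added example that is not shipmail's filter. The look-alike table is a tiny constructed subset, the script detection is an approximation, and `pay.example` is a hypothetical protected domain.

```python
import unicodedata

# Tiny constructed subset of look-alike letters; a production filter would load
# the full Unicode UTS #39 confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic
    "\u03bf": "o",                                                # Greek
}

def to_unicode(domain):
    """Decode punycode A-labels (xn--...) so the checks see the real letters."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def label_scripts(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(domain):
    """Fold known look-alike letters to their Latin twin."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def check_sender_domain(domain, protected):
    """Return findings for a sender domain; an empty list means nothing suspicious."""
    domain = to_unicode(domain)
    findings = []
    # Case 1: one label mixes alphabets, e.g. Latin letters with a Cyrillic 'a'.
    if any(len(label_scripts(label)) > 1 for label in domain.split(".")):
        findings.append("mixed-script")
    # Case 2: the folded form equals a protected domain. This also catches
    # labels written entirely in one foreign script, which case 1 misses.
    skel = skeleton(domain)
    if skel != domain and skel in protected:
        findings.append("lookalike:" + skel)
    return findings
```

A legitimate single-script internationalized domain produces no finding, so the check does not penalize non-Latin senders as such.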
The filter runs entirely within shipmail. No third-party service sees your email content during filtering.
Infrastructure and access control
The mail server powering shipmail is written in Rust, a memory-safe language. Entire categories of security vulnerabilities (buffer overflows, use-after-free bugs, data races) are eliminated at compile time rather than caught after the fact.
The mail engine has been independently audited twice by Radically Open Security, a nonprofit security auditor. The most recent audit in September 2025 described the codebase as 'robust, well-architected, and cleanly compartmentalized.' The full reports are public.
Failed login attempts are tracked per IP address. After repeated failures, the IP is automatically blocked. Automated scans probing for common vulnerability paths (/.env, /wp-login.php, /.git) are detected and blocked within two attempts.
Audit logging
Every significant action on your account is logged: domain changes, mailbox creation and deletion, team member access changes, API key generation, email sends, and account-level operations. Over 100 distinct event types are tracked.
Audit logs capture who did what, when, and from which IP address. They survive account deletion so the trail is never lost. You do not need to set this up. It runs automatically on every account.
Rate limiting and abuse prevention
Every action in shipmail is rate-limited: login attempts, email sends, API calls, account changes. The limits are tuned per operation. Sending email is capped at a different rate than reading mailboxes.
API access has four tiers: reads (1,000/minute), writes (200/minute), sends (100/minute), and domain verification (1/minute). If an API key is compromised, the rate limits contain the damage while you rotate the key.
At the network level, brute-force attacks against login, IMAP, and SMTP trigger automatic IP bans. The system blocks IPs after 25 failed authentication attempts per day.
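How limits like these bound abuse, as an added example rather than shipmail's implementation. The numbers are the ones quoted above; the sliding-window algorithm, the tier key names and the exact ban boundary (blocked once the 25th failure is recorded) are assumptions.

```python
from collections import defaultdict, deque

# Limits quoted on the page: (max events, window in seconds).
API_TIERS = {"read": (1000, 60), "write": (200, 60),
             "send": (100, 60), "verify_domain": (1, 60)}
AUTH_FAILURES = (25, 86400)  # 25 failed logins per day per IP

class SlidingWindow:
    """Allow at most `limit` events per `window` seconds for each key."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def hit(self, key, now):
        """Record an event at time `now`; return False if the key is over limit."""
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()  # forget events that have left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def sends_accepted(per_second, seconds):
    """Sends that get through when one key attempts `per_second` sends each second."""
    limiter = SlidingWindow(*API_TIERS["send"])
    return sum(limiter.hit("stolen-key", t)
               for t in range(seconds) for _ in range(per_second))

def banned_ips(failed_logins):
    """failed_logins: iterable of (unix_seconds, ip). Return the IPs to block."""
    tracker, banned = SlidingWindow(*AUTH_FAILURES), set()
    for ts, ip in failed_logins:
        tracker.hit(ip, ts)
        if len(tracker.events[ip]) >= tracker.limit:
            banned.add(ip)
    return banned
```

At 50 attempted sends per second a stolen key gets 100 messages out in the first minute and 200 in two, however many it attempts, which is the containment the paragraph describes.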
Data export and deletion
You can export all your data as a ZIP file from the dashboard at any time. The export includes email, contacts, calendar data, and account information.
Account deletion is a full cascade: mail server accounts are removed first, then outbound sending identities, then database records. Archived mailbox data on object storage is cleaned up as well. The process is audited end-to-end.
Backups and recovery
The database uses continuous write-ahead log archiving to Cloudflare R2, giving a recovery point of roughly 60 seconds. Full backups run daily at 03:00 UTC. A separate logical backup (pg_dump) runs weekly.
Object storage (Cloudflare R2) has bucket versioning enabled. Seven full backup copies are retained at all times.
Open protocols, no lock-in
shipmail uses standard protocols: IMAP for mail access, SMTP for sending, CalDAV for calendars, CardDAV for contacts. These work with every major email client. There is no proprietary app required.
This also means you can leave anytime. Connect any IMAP client, download your email, and you have a complete copy. Your data is never trapped.
What this means in practice
shipmail is not a privacy-first email provider in the way Proton Mail is. We do not offer end-to-end encryption, and we are upfront about that. We also do not currently offer MFA or formal compliance certifications (SOC 2, HIPAA).
What we offer: an email host that does not monetize your data, uses established security standards, encrypts connections and storage, logs every action, rate-limits every endpoint, and has been independently audited. For businesses that do not need end-to-end encryption, this covers the security requirements without the client compatibility issues that come with Proton-style encryption.
If you want to read the full details, visit the security page at shipmail.to/security.