Security

The mail servers

Both mail servers have the following in place:

TLS encryption

Opportunistic DANE TLS encryption with strong cipher preference is used for all emails sent through our service.

DNS-based Authentication of Named Entities (DANE) helps protect against man-in-the-middle (MITM) downgrade attacks. It does this by instructing cooperating mail servers to expect encrypted communication and to verify the destination's certificate by checking its TLSA DNS record.

SMTP MTA Strict Transport Security (MTA-STS) is used on all shared domains. This is similar to DANE in that it is designed to avoid man-in-the-middle downgrade attacks and verify the destination.

SMTP TLS Reporting (TLS-RPT) is also used. This allows us to receive daily reports from external mail servers that connect to an addy.io domain. These reports can be used to detect potential attacks and identify any connection problems. Check out our security report by running a scan on Hardenize or Internet.nl.
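The kind of triage these reports make possible, as an added example (not addy.io's own code): it reads one TLS-RPT JSON report in the RFC 8460 layout and flags policies with failure types that are consistent with interference. The sample report, the choice of which result types count as suspicious and the 1% failure threshold are assumptions made for this example.

```python
import json

# RFC 8460 result types treated here as consistent with tampering
# (STARTTLS stripping, certificate swap, DNS interference). Assumed heuristic.
SUSPICIOUS = {"starttls-not-supported", "certificate-host-mismatch",
              "certificate-not-trusted", "validation-failure",
              "dnssec-invalid", "tlsa-invalid"}

# Constructed sample report: all names and IPs are documentation placeholders.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender",
    "report-id": "constructed-0001",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com"},
        "summary": {"total-successful-session-count": 980,
                    "total-failure-session-count": 20},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "192.0.2.10",
             "receiving-mx-hostname": "mx1.example.com", "failed-session-count": 3},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "192.0.2.11",
             "receiving-mx-hostname": "mx1.example.com", "failed-session-count": 17},
        ],
    }],
})

def triage(report_json, max_failure_rate=0.01):
    """Return one finding per policy whose failures look suspicious or excessive."""
    findings = []
    for entry in json.loads(report_json).get("policies", []):
        summary = entry.get("summary", {})
        ok = summary.get("total-successful-session-count", 0)
        failed = summary.get("total-failure-session-count", 0)
        rate = failed / (ok + failed) if ok + failed else 0.0
        # Sum failed sessions per result type across all failure-details rows.
        by_type = {}
        for detail in entry.get("failure-details", []):
            rtype = detail.get("result-type", "unknown")
            by_type[rtype] = by_type.get(rtype, 0) + detail.get("failed-session-count", 0)
        suspicious = {t: n for t, n in by_type.items() if t in SUSPICIOUS}
        if suspicious or rate > max_failure_rate:
            findings.append({"domain": entry.get("policy", {}).get("policy-domain"),
                             "failure_rate": round(rate, 4),
                             "suspicious": suspicious, "all_failures": by_type})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

A burst of starttls-not-supported from one sending network, against an MX that does offer STARTTLS, is the pattern worth investigating first; certificate-expired usually points at a configuration problem on the receiving side instead.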

At this time it is not possible to enable MTA-STS on username subdomains since this would require a wildcard certificate of the format mta-sts.*.anonaddy.me.

DNSSEC

DNS Security Extensions (DNSSEC) is employed. This protects the user from getting bad data from a signed zone by detecting the attack and preventing the user from receiving any tampered data.

DNSSEC adds two important security features to the DNS protocol:

Perfect forward secrecy

PFS is a method of encryption that enables short-term, completely private key exchanges between clients and servers. It gives assurances that session keys will not be compromised even if the private key of the server is compromised. PFS is a large leap forwards in protecting data on the transport layer. Our server's and MTA's cipher suites are ordered to enable PFS. Check out the site on SSL Labs.

SPF

Sender Policy Framework (SPF) is designed to tackle the issue of email forgery. SPF records allow domain owners to authorize which mail servers are permitted to send email on their behalf. Other cooperating mail servers can then check this SPF record upon receiving the email and act accordingly by either delivering it, marking it as spam or rejecting it.

DKIM

DomainKeys Identified Mail (DKIM) is designed to allow senders to claim ownership of an email message and to identify any alterations to it along its journey.

It does this by digitally signing emails with a signature that receiving mail servers are able to verify by checking the sending domain's DKIM record (e.g. default._domainkey.example.com). Any alterations to the email message during transit will cause the DKIM-Signature: header verification check to fail.

DMARC

Domain-based Message Authentication (DMARC) allows you to inform cooperating mail servers what they should do with your email message if both SPF and DKIM checks fail. You can tell the mail servers to do nothing, to quarantine (mark/send to spam) or to reject the email. addy.io informs other mail servers that they should reject any emails claiming to come from us if they fail both SPF and DKIM checks.

The web application

The web application is hosted on its own server with UpCloud in the Netherlands. Our site uses modern security features such as HSTS (HTTP Strict Transport Security), a strict CSP (Content Security Policy), Subresource Integrity, no mixed content, DANE, Expect-CT and XSS Protection.

addy.io also passed an independent security audit carried out by Securitum in September 2023 - no significant vulnerabilities were identified.

Badge with text: 100% score in website test

The database server

All information you provide to us is stored on our secure servers in the Netherlands (UpCloud). Sensitive data in our database such as your recipient email addresses are encrypted using OpenSSL and the AES-256-CBC cipher. Furthermore, all encrypted values are signed with a message authentication code (MAC) to detect any modifications to the encrypted string.

Login protection

I recommend that you use a long passphrase to protect your account. You can store this in a reputable password manager such as Bitwarden. A minimum password length of 8 characters is required when creating an account.

Two Factor Authentication (2FA) is also available on our site and we encourage users to enable it. You can use any compatible app such as Aegis or andOTP (both available on F-Droid). You can also use a hardware authentication device such as a YubiKey.