Security

MailHook handles inbound email, so we take security seriously. This page describes the controls in place today.

Encryption

  • In transit. All production endpoints use TLS 1.2+.
  • At rest — raw MIME. Original email bytes are stored in Cloudflare R2 (raw.mailhook.in) with provider-managed encryption and pruned per your plan's log retention window (Free 3 days, Pro 10 days, Scale 90 days).
  • At rest — integration secrets. Webhook secrets, API tokens, bot tokens, and phone numbers are encrypted with AES-GCM (256-bit) using INTEGRATION_ENC_KEY. The key is provisioned as a Worker secret and never stored with the ciphertext. Only the config_secret_enc column is encrypted; non-sensitive destination config lives in a separate config_public column.

Authentication & access control

  • Dashboard accounts use Supabase Auth; sessions are short-lived JWTs.
  • Row-level security is enabled on every multi-tenant table (accounts, inboxes, routings, integrations, messages, deliveries, billing). Access is gated through membership in account_users.
  • The dashboard calls the worker with a user's Supabase access token; the worker validates it via /auth/v1/user and enforces per-account membership and admin roles.
  • Service-role database access is limited to the Worker runtime and is never exposed to the browser.

Webhooks

  • Every webhook POST includes:
    • X-MailHook-Signature: HMAC-SHA256 of the body, keyed on your per-integration webhook secret.
    • X-MailHook-Timestamp: Unix seconds at send time; we recommend rejecting requests older than 5 minutes.
  • Signature verification snippets are in our Webhook guide.

Reliability

  • Inbound email is ingested by a Cloudflare Worker, buffered into a dispatch queue, and fanned out to delivery queues per destination.
  • Transient delivery failures are retried by Cloudflare Queues. Scale plans retry with exponential backoff up to 40 attempts across a 48-hour window; Pro retries once on transient failure; Free attempts delivery once.
  • Messages that exhaust retries are moved to a dead-letter queue for inspection.

Infrastructure

  • Email ingest runs on Cloudflare Workers + Queues, isolated per account and per plan.
  • Secrets are bound at the Worker level (wrangler secret put) and never sent to the dashboard or the browser.

Responsible disclosure

Email support@mailhook.in with reproducible security issues and SECURITY in the subject line. We acknowledge reports within three business days and work with you on a fix.

Changelog

  • 2026-04-18 — Initial publication.