Security
Effective July 15, 2026
Reporting a vulnerability
Email [email protected] with a reproducible description, affected endpoint, and impact. Do not include live credentials, private email content, or data belonging to another customer. We will acknowledge a valid report and coordinate a reasonable disclosure timeline.
Safe-harbor boundaries
Test only accounts and domains you control. Avoid denial of service, persistence, social engineering, automated account creation, privacy violations, and access to customer report data. Stop when you have enough evidence to demonstrate the issue.
Architecture controls
MailDNS separates scheduled authenticated monitoring probes into the worker. Public checks execute within bounded web requests with per-process admission controls and deadlines. Both paths block non-public network targets, validate untrusted protocol payloads, limit archive expansion, hash API tokens, sign webhooks, and scope persistence by organization. Failure-report ingestion remains off by default because it can contain personal message data.
Out of scope
Missing best-practice headers without exploitable impact, DNS records on domains you do not control, rate-limit findings requiring high-volume traffic, and third-party provider outages are not eligible reports.