We protect email security infrastructure — it would be ironic if ours were weak. Here is how we approach security across our platform, team, and operations.
OnlyDMARC is hosted on cloud infrastructure within the European Economic Area (EEA). Our cloud provider operates data centres with ISO 27001 certification, physical access controls, redundant power, and environmental monitoring.
We use availability zones and geographic redundancy to maintain service continuity. Data is replicated across multiple zones and backed up daily with point-in-time recovery. Backups are encrypted and stored separately from primary data.
All data at rest is encrypted using AES-256. Encryption keys are managed through a dedicated key management service (KMS) with hardware security module (HSM) backing. Keys are rotated on a scheduled basis.
All data in transit between clients and our service is protected with TLS 1.2 or higher. We enforce HSTS and reject connections over older, insecure protocols. Certificates are issued by trusted CAs and renewed automatically.
Database instances are not publicly accessible. Access is restricted to application servers within our private network via security group rules. Database credentials are stored in a secrets management service, rotated regularly, and never embedded in code or configuration files.
Internal access to production systems follows the principle of least privilege. Staff are granted only the access necessary for their role. Access is reviewed quarterly and revoked immediately upon role change or departure.
All internal tooling and production access require multi-factor authentication (MFA). We use single sign-on (SSO) with MFA enforcement for all engineering and operations tooling. Privileged access management (PAM) is used for elevated administrative tasks.
Our infrastructure is segmented into public, application, and data tiers with strict firewall rules between each. Inbound traffic passes through a web application firewall (WAF) and DDoS mitigation layer before reaching application servers.
We monitor network traffic for anomalies and maintain intrusion detection across our environment. Security events are aggregated into a SIEM for real-time alerting.
Our development process incorporates security at every stage:
Findings from security testing are prioritised by severity and remediated within defined SLAs: critical within 24 hours, high within 7 days, medium within 30 days.
All employees and contractors with access to production systems complete background checks before starting. Security awareness training is mandatory for all staff and refreshed annually.
Engineers complete secure development training and are required to follow our internal security policies and coding standards. We maintain a security champions programme with dedicated representatives in each engineering team.
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. Our on-call team monitors alerts 24/7.
In the event of a data breach that is likely to affect your rights or freedoms, we will notify affected customers within 72 hours of becoming aware, as required by UK GDPR. We will provide clear information about what happened, what data was affected, and what steps we are taking.
We are working towards the following compliance frameworks and certifications. This section will be updated as certifications are achieved:
We welcome security researchers who identify vulnerabilities in our platform and follow responsible disclosure. If you discover a security issue:
We commit to acknowledging your report within 24 hours, providing a resolution timeline within 7 days, and keeping you informed of our progress. We will not take legal action against researchers who follow these guidelines.
Please email security reports to:
For general security questions that are not vulnerability reports, please use our contact form.