Security
Last updated: March 8, 2026
Security is the foundation of MailZyro. This page describes our encryption model, infrastructure protections, and how to report vulnerabilities.
1. Encryption Model
MailZyro uses OpenPGP to encrypt all stored email content. We employ two complementary encryption modes:
1.1 End-to-End Encryption (E2EE) — Between MailZyro Users
When you send email to another MailZyro user, encryption happens in your browser with the recipient's public key. The plaintext never reaches our servers.
- Key generation: Your PGP key pair is generated in your browser. The private key never leaves your device in plaintext.
- Encryption: Outgoing emails are encrypted with the recipient's public key before leaving your browser.
- Server storage: Our servers only store the ciphertext. MailZyro operators cannot read the content.
1.2 Zero-Access Encryption — Inbound External Email
Emails received from external senders (Gmail, Outlook, etc.) arrive via SMTP in plaintext — this is a fundamental limitation of the email protocol. MailZyro immediately encrypts the email body with your public key upon receipt and stores only the encrypted copy. After encryption:
- The encrypted content can only be decrypted with your private key
- MailZyro operators cannot read the stored email content
- The plaintext is processed only in memory during the brief encryption step
1.3 Key Storage
- Your private key is encrypted with your passphrase (AES-256) before being stored. We never see your passphrase.
- For SSO users, key material is derived client-side (see section 2) — no passphrase needed.
For a complete technical specification, see our encryption whitepaper.
2. SSO Key Derivation
For users who sign in via Maluki Auth (SSO), encryption keys are derived deterministically:
- Key material is derived using HMAC-SHA256 from your authenticated session
- The same identity always produces the same key — no passphrase to remember
- Keys are computed client-side and never transmitted to our servers
- This provides seamless encryption without compromising security
3. What We Cannot Access
| Data | Accessible to MailZyro? |
|---|---|
| Email body (E2EE between MailZyro users) | No — encrypted in your browser, never reaches our servers as plaintext |
| Email body (inbound from external senders) | No — encrypted with your public key on receipt, stored as ciphertext |
| Attachments (E2EE) | No — encrypted before upload |
| Private encryption key | No — encrypted with your passphrase / SSO-derived key |
| Passphrase / SSO key | No — never transmitted to our servers |
| Email metadata (from, to, timestamps; the subject line is encrypted for E2EE emails) | Yes — required for email delivery |
| IP address at login | Yes — for abuse prevention (90-day retention) |
4. Infrastructure Security
4.1 Hosting
- Servers hosted by Hetzner Online GmbH in Germany (EU)
- Dedicated cloud instances with SSH key-only access (password auth disabled)
- Containerized services via Docker with minimal attack surface
4.2 Network
- TLS everywhere: All connections use TLS 1.2+ with automatic certificate renewal (Let's Encrypt via Caddy)
- HSTS: Strict Transport Security headers enforced
- DDoS protection: Cloudflare DNS proxy on public-facing domains
- Email transport: STARTTLS enforced for server-to-server email delivery
4.3 Authentication
- Authentication via OpenID Connect (OIDC) through Maluki Auth
- Two-factor authentication (TOTP) supported at the identity provider level
- Session cookies are HTTP-only, Secure, SameSite=Lax
- CSRF protection on all state-changing operations
4.4 Email Authentication
- SPF — prevents sender address forgery
- DKIM — cryptographic signing of outbound emails
- DMARC — policy enforcement for domain spoofing protection
5. Vulnerability Disclosure
If you discover a security vulnerability in MailZyro, we ask that you disclose it responsibly:
- Email [email protected] with details of the vulnerability
- Include steps to reproduce the issue
- Allow us reasonable time to investigate and fix the issue before public disclosure
- Do not access other users' data or disrupt the service during testing
We commit to acknowledging reports within 48 hours and providing an initial assessment within 7 days.
6. Incident Response
In the event of a security incident that may affect user data, we will:
- Investigate and contain the incident within 24 hours
- Notify affected users via email within 72 hours
- Publish a post-incident report describing the scope and remediation
- Report to relevant authorities as required by applicable law
7. Contact
Security reports: [email protected]
Privacy inquiries: [email protected]
For detailed information about our encryption architecture, key management, and threat model, see How MailZyro Encryption Works.