Security at Mandrill

Email is serious business. We take pride in being the fastest-growing email-as-a-service platform, but we put just as much work into security as we put into the features and performance that drive that growth.

Between the ongoing revelations about widespread communications surveillance, and recent high-profile security issues such as the Heartbleed OpenSSL vulnerability, we're happy to announce a handful of significant new security features at Mandrill. We'll also talk a bit about the security-centric philosophy that has guided product development at Mandrill for the past two and a half years.

Opportunistic TLS

We recently enabled opportunistic TLS for all mail sent via Mandrill. This means that we'll attempt to use an encrypted connection (SMTP STARTTLS) for every message that we send. Internet surveillance typically involves passive, wholesale collection of data as it crosses the network, and that collection yields nothing useful when the connection is encrypted. Unfortunately, while support for TLS is growing, it isn't everywhere yet. Some recipient servers don't support TLS at all, and others are misconfigured; in these cases, we'll fall back gracefully to an unencrypted connection. That fallback is the limitation of opportunistic TLS: it defeats passive eavesdropping, but not an attacker on the path who tampers with the connection so that TLS is never negotiated.

Google's Email encryption transparency report is one method of verifying TLS support for the mail we send.

Opportunistic TLS is rapidly becoming the industry standard for SMTP, but it's only a step toward all email delivery over encrypted connections. In addition to enabling opportunistic TLS, we're currently experimenting with strictly requiring TLS in cases where we've tested and confirmed that the recipient servers support it. This means that if a malicious third party intercepts and tampers with the network traffic to break the TLS handshake (or to hide the server's STARTTLS support from us), we'll refuse to fall back to an unencrypted connection.

We currently require TLS for about 25% of our outgoing mail, and as we test and validate more mail providers, that percentage will increase. Because so many servers either don't support TLS or are configured incorrectly, we can't require TLS for all messages (we'd like to).
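The two policies described above, as an added example that is not Mandrill's code: an outbound SMTP client parses the recipient server's EHLO reply, and either falls back to cleartext (opportunistic) or refuses to deliver (required) when STARTTLS is missing or the handshake fails. The EHLO replies are constructed, and the validated-domain list is a hypothetical stand-in for one built from real delivery testing.

```python
"""Opportunistic vs. required STARTTLS for an outbound SMTP client.

Added illustration (not Mandrill's code). The EHLO replies below are
constructed, and TLS_VALIDATED_DOMAINS is a hypothetical stand-in for a
list built from real delivery testing.
"""
from dataclasses import dataclass
from enum import Enum


class TlsPolicy(Enum):
    OPPORTUNISTIC = "opportunistic"  # try STARTTLS, fall back to cleartext
    REQUIRED = "required"            # never deliver over cleartext


# Hypothetical: domains whose MX hosts have been tested and confirmed to
# complete a TLS handshake reliably. Everything else stays opportunistic.
TLS_VALIDATED_DOMAINS = {"example.com"}


@dataclass
class DeliveryDecision:
    domain: str
    encrypted: bool
    delivered: bool  # False means the message is deferred and retried, not lost
    reason: str


def policy_for(domain: str) -> TlsPolicy:
    return TlsPolicy.REQUIRED if domain.lower() in TLS_VALIDATED_DOMAINS else TlsPolicy.OPPORTUNISTIC


def parse_ehlo(reply: str) -> set[str]:
    """Return the SMTP extension keywords advertised in a multi-line EHLO reply.

    The first 250 line carries the server's greeting, not an extension, so it
    is skipped; the rest look like "250-KEYWORD [params]" or "250 KEYWORD".
    """
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip().startswith("250")]
    return {ln[4:].split()[0].upper() for ln in lines[1:] if ln[4:].split()}


def decide(domain: str, ehlo_reply: str, policy: TlsPolicy, handshake_ok: bool = True) -> DeliveryDecision:
    """Apply the TLS policy to what the recipient MX actually advertised.

    handshake_ok models whether the TLS handshake after STARTTLS succeeded;
    a misconfigured server and an on-path attacker breaking the handshake
    look the same to the sender, so the policy decides what happens next.
    """
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        if handshake_ok:
            return DeliveryDecision(domain, True, True, "STARTTLS negotiated")
        if policy is TlsPolicy.REQUIRED:
            return DeliveryDecision(domain, False, False, "TLS required, handshake failed: deferring")
        return DeliveryDecision(domain, False, True, "handshake failed: fell back to cleartext")
    if policy is TlsPolicy.REQUIRED:
        return DeliveryDecision(domain, False, False, "TLS required, STARTTLS not offered: deferring")
    return DeliveryDecision(domain, False, True, "STARTTLS not offered: delivered in cleartext")


# Constructed EHLO replies. The second is what the sender sees when an on-path
# attacker strips the STARTTLS capability line (a classic downgrade).
EHLO_WITH_STARTTLS = (
    "250-mx.example.com Hello sender\r\n250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_STRIPPED = (
    "250-mx.example.com Hello sender\r\n250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n250 ENHANCEDSTATUSCODES\r\n"
)


def demo() -> list[DeliveryDecision]:
    """Four cases: honest MX, stripped MX under each policy, broken handshake."""
    return [
        decide("example.com", EHLO_WITH_STARTTLS, policy_for("example.com")),
        decide("example.com", EHLO_STRIPPED, policy_for("example.com")),
        decide("example.org", EHLO_STRIPPED, policy_for("example.org")),
        decide("example.com", EHLO_WITH_STARTTLS, policy_for("example.com"), handshake_ok=False),
    ]


if __name__ == "__main__":
    for d in demo():
        print(f"{d.domain:12} encrypted={d.encrypted!s:5} delivered={d.delivered!s:5} {d.reason}")
```

The second and fourth cases are the point: with a required policy, a stripped STARTTLS line or a sabotaged handshake produces a deferral rather than a cleartext delivery, which is why the required list has to be limited to domains that have been confirmed to negotiate TLS reliably.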

Encryption is only part of the story

Security is never a solved problem, and we're always looking for ways to improve Mandrill's security features. Security also means a lot more than protecting your email from eavesdroppers. Mandrill accounts contain sensitive information and can send email on behalf of your domains, so keeping your account safe is just as much a priority. With that in mind, we've spent the past two years building features toward that end.

Account access restrictions

We added IP-based API restrictions last year, and two weeks ago we added an account security page to show you which IP addresses have accessed your account. As of today, you can also restrict web-based access to your account by IP address. These access restrictions, combined with the two-factor authentication mechanisms that we launched in April, make it easy to protect your account.

API access restrictions

From day one, Mandrill account passwords and API keys have been separate, and we've allowed multiple API keys per account. This makes it easy to change, update, and monitor access for different parts of your infrastructure. You can also restrict the methods that an API key can access to further control access.

Alerts and notifications

We've built alerts and rules to make it easier to detect and react to anomalous account behavior. When incidents occur, it's important to respond as quickly as possible. To that end, Mandrill will notify you when your password or contact information changes, and you can configure alerts for changes in send volume, bounce rate, and more (for new accounts, we'll enable some common ones automatically on sign up). We'll even send SMS alerts.

Logging

We log an enormous amount of data to help you better understand your email stream. You can search your email activity by sender, subject, and many other fields, including the API key that was used to send the message. If your API key somehow ends up on Stack Overflow (believe it or not, it happens!) you can revoke it and see if it was used nefariously. Message content logging also allows you to audit the email contents along with those searchable fields.
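The alerting and the leaked-key audit from the two sections above, as one added example that is not Mandrill's code and does not use its API: per-key send volume and bounce rate are checked against a baseline, and everything a given key sent after a given time is listed, which is the question you ask after revoking a key that turned up in a public post. The activity records, field names and baselines are constructed for the example.

```python
"""Per-API-key alerting and leaked-key audit over outbound activity records.

Added illustration (not Mandrill's code). The records, field names and
baselines are constructed; a real export has its own fields and names.
"""
from collections import defaultdict
from datetime import datetime

# Constructed activity records: timestamp, API key used, sender, subject, final state.
ACTIVITY = [
    {"ts": "2014-04-10T09:05:00", "api_key": "k-web-prod", "sender": "noreply@example.com", "subject": "Your receipt", "state": "sent"},
    {"ts": "2014-04-10T09:40:00", "api_key": "k-web-prod", "sender": "noreply@example.com", "subject": "Password reset", "state": "sent"},
    {"ts": "2014-04-10T10:10:00", "api_key": "k-cron", "sender": "reports@example.com", "subject": "Daily report", "state": "sent"},
    {"ts": "2014-04-10T10:15:00", "api_key": "k-web-prod", "sender": "noreply@example.com", "subject": "Your receipt", "state": "hard_bounced"},
    # Everything below is the burst after k-web-staging was pasted into a public post at 11:00.
    {"ts": "2014-04-10T11:02:00", "api_key": "k-web-staging", "sender": "admin@example.com", "subject": "Account notice", "state": "sent"},
    {"ts": "2014-04-10T11:03:00", "api_key": "k-web-staging", "sender": "admin@example.com", "subject": "Account notice", "state": "hard_bounced"},
    {"ts": "2014-04-10T11:04:00", "api_key": "k-web-staging", "sender": "admin@example.com", "subject": "Account notice", "state": "sent"},
    {"ts": "2014-04-10T11:05:00", "api_key": "k-web-staging", "sender": "admin@example.com", "subject": "Account notice", "state": "hard_bounced"},
    {"ts": "2014-04-10T11:06:00", "api_key": "k-web-staging", "sender": "admin@example.com", "subject": "Account notice", "state": "hard_bounced"},
    {"ts": "2014-04-10T11:07:00", "api_key": "k-web-staging", "sender": "admin@example.com", "subject": "Account notice", "state": "sent"},
]

# Hypothetical baselines: expected messages per hour per key, derived from past traffic.
# A staging key is expected to be idle, so any volume on it is suspicious.
BASELINE_PER_HOUR = {"k-web-prod": 5, "k-cron": 1, "k-web-staging": 0}


def hourly_volume(records):
    """Count messages per (api_key, hour bucket)."""
    counts = defaultdict(int)
    for r in records:
        hour = datetime.fromisoformat(r["ts"]).replace(minute=0, second=0, microsecond=0)
        counts[(r["api_key"], hour)] += 1
    return counts


def bounce_rate(records, api_key):
    """Fraction of a key's messages that hard-bounced; 0.0 if it sent nothing."""
    mine = [r for r in records if r["api_key"] == api_key]
    if not mine:
        return 0.0
    return sum(r["state"] == "hard_bounced" for r in mine) / len(mine)


def alerts(records, baseline, volume_factor=3.0, bounce_threshold=0.4):
    """Flag keys whose hourly volume exceeds baseline * factor (any volume on a
    key with a zero baseline) and keys whose bounce rate reaches the threshold."""
    found = set()
    for (key, hour), n in hourly_volume(records).items():
        if n > baseline.get(key, 0) * volume_factor:
            found.add(f"volume:{key}:{hour.isoformat()}:{n}")
    for key in {r["api_key"] for r in records}:
        rate = bounce_rate(records, key)
        if rate >= bounce_threshold:
            found.add(f"bounce:{key}:{rate:.2f}")
    return sorted(found)


def sent_with_key(records, api_key, since):
    """Everything a key sent at or after `since`: the audit to run after revoking a leaked key."""
    cutoff = datetime.fromisoformat(since)
    return [r for r in records if r["api_key"] == api_key and datetime.fromisoformat(r["ts"]) >= cutoff]


if __name__ == "__main__":
    for a in alerts(ACTIVITY, BASELINE_PER_HOUR):
        print("ALERT", a)
    for r in sent_with_key(ACTIVITY, "k-web-staging", "2014-04-10T11:00:00"):
        print("LEAKED KEY USED", r["ts"], r["sender"], r["subject"], r["state"])
```

Because each message is recorded with the key that sent it, a per-key baseline separates the compromised key from healthy production traffic, and the same field answers the forensic question of what the attacker actually sent once the key is revoked.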

Methodology

By far the most important security feature at Mandrill, however, is our security-focused methodology. Fundamentally, security is a process, and not a result in and of itself. We're proud of the product we've built, and we're proud that 251,000 users trust us with their email, but we also know we have room to improve. We spend every day making Mandrill better and faster and more secure, and we're proud of it.