Security at GrapphenMail
Every layer of our platform is built with security as the foundation — from email authentication to infrastructure hardening.
Email Authentication
GrapphenMail automatically configures and manages the full email authentication stack for every domain you add.
DKIM
Every outbound message carries a DKIM signature, and the matching public key is published in DNS under the selector named in the signature. Signing keys rotate automatically every 48 hours, so a leaked private key is only usable until the next rotation retires its selector.
SPF
Sender Policy Framework records are generated and maintained for each domain, listing the IPs and hosts authorised to send for it, so receivers can check the envelope sender (MAIL FROM) domain against that list.
DMARC
Domain-based Message Authentication, Reporting and Conformance policy published and monitored. DMARC ties the SPF and DKIM results to the visible From: domain (alignment) and tells receivers how to treat mail that fails. Aggregate (rua) reports are delivered to your dashboard.
BIMI
Brand Indicators for Message Identification: display your verified logo in supporting email clients including Gmail and Apple Mail. BIMI only takes effect once DMARC is at enforcement (p=quarantine with pct=100, or p=reject), and Gmail and Apple Mail additionally require a Verified Mark Certificate (VMC) for the logo.
MTA-STS
Mail Transfer Agent Strict Transport Security publishes a policy telling sending MTAs to require TLS with a valid certificate when delivering to your domain's MX hosts, so a STARTTLS-stripping or certificate downgrade attack on inbound mail fails instead of falling back to cleartext. Only a policy in enforce mode blocks delivery; testing mode merely generates reports.
TLS-RPT
TLS Reporting receives the daily aggregate reports that sending MTAs produce when TLS negotiation to your domain fails or is downgraded, and surfaces them in your dashboard so transport problems and interference show up without waiting for user complaints.
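The records above are what a receiving MTA or a posture scanner actually reads. The following is an added example, not GrapphenMail's own code, that audits that DNS side of the stack offline: it parses SPF, DKIM selector, DMARC, BIMI, MTA-STS and TLS-RPT records from a constructed zone for the reserved domain example.test (all record contents, the selector name s2024a and the DKIM key value are placeholders), reports what each one enforces, and parses an MTA-STS policy file to show why a policy in testing mode does not yet stop a downgrade.

```python
# Offline audit of the DNS side of the email authentication stack (SPF, DKIM,
# DMARC, BIMI, MTA-STS, TLS-RPT), reading records as a receiving MTA would.
import re

# Constructed sample zone for the reserved domain example.test (not real records).
# Keys are the DNS names a verifier queries; values are the TXT strings found there.
SAMPLE_ZONE = {
    "example.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.test -all"],
    "s2024a._domainkey.example.test": ["v=DKIM1; k=rsa; p=QUJDREVGR0hJSktMTU5PUA=="],  # placeholder key
    "_dmarc.example.test": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.test"],
    "default._bimi.example.test": ["v=BIMI1; l=https://example.test/logo.svg; a=https://example.test/vmc.pem"],
    "_mta-sts.example.test": ["v=STSv1; id=20240601T000000"],
    "_smtp._tls.example.test": ["v=TLSRPTv1; rua=mailto:tlsrpt@example.test"],
}
# Constructed policy file, as it would be fetched from https://mta-sts.example.test/.well-known/mta-sts.txt
SAMPLE_STS_POLICY = "version: STSv1\nmode: testing\nmx: mx1.example.test\nmx: *.mail.example.test\nmax_age: 604800\n"

SPF_ALL_RE = re.compile(r"\s([-~?+]?)all\b")
SPF_ALL_MEANING = {"-": "hard fail (-all)", "~": "soft fail (~all)", "?": "neutral (?all)",
                   "+": "pass all (+all, useless)", "": "pass all (+all, useless)"}

def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM, DMARC, BIMI, MTA-STS, TLS-RPT) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags

def parse_sts_policy(text):
    """Parse the 'key: value' MTA-STS policy file; the mx key may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.partition(":"))
        if sep and key == "mx":
            policy["mx"].append(value)
        elif sep:
            policy[key] = value
    return policy

def sts_enforces(policy):
    """Only 'mode: enforce' makes senders refuse cleartext; 'testing' just reports failures."""
    return policy.get("mode") == "enforce" and bool(policy["mx"])

def dkim_status(records):
    """A selector record whose p= is empty means the key was revoked (RFC 6376)."""
    if not records:
        return "missing"
    return "published" if parse_tags(records[0]).get("p") else "revoked (empty p=)"

def audit(zone, domain, dkim_selectors=()):
    txt = lambda name: zone.get(name, [])
    findings = {}
    # SPF: exactly one v=spf1 record is allowed; the 'all' qualifier decides the fate of unlisted hosts.
    spf = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings["spf"] = "missing" if not spf else "multiple records (permerror)"
    else:
        m = SPF_ALL_RE.search(spf[0])
        findings["spf"] = SPF_ALL_MEANING[m.group(1)] if m else "no all mechanism"
    findings["dkim"] = {sel: dkim_status(txt(f"{sel}._domainkey.{domain}")) for sel in dkim_selectors}
    # DMARC: p=, pct= and the subdomain policy sp= together decide whether it is really enforcing.
    dmarc = [r for r in txt(f"_dmarc.{domain}") if r.startswith("v=DMARC1")]
    if dmarc:
        tags = parse_tags(dmarc[0])
        policy, pct = tags.get("p", "none"), int(tags.get("pct", "100"))
        sp = tags.get("sp", policy)
        findings["dmarc"] = {"policy": policy, "pct": pct, "sp": sp, "rua": tags.get("rua"),
                             "enforcing": policy in ("quarantine", "reject") and pct == 100}
    else:
        policy, pct, sp = None, 0, None
        findings["dmarc"] = {"policy": "missing", "enforcing": False}
    # BIMI: clients only show the logo once DMARC is at full enforcement for the domain and its subdomains.
    bimi_ready = (policy == "reject" or (policy == "quarantine" and pct == 100)) and sp != "none"
    bimi = txt(f"default._bimi.{domain}")
    if bimi:
        tags = parse_tags(bimi[0])
        findings["bimi"] = {"published": True, "logo": tags.get("l"), "vmc": bool(tags.get("a")),
                            "eligible": bimi_ready and bool(tags.get("l"))}
    else:
        findings["bimi"] = {"published": False, "eligible": False}
    # The MTA-STS TXT record only carries the policy id; the policy itself is fetched over HTTPS.
    sts = txt(f"_mta-sts.{domain}")
    findings["mta_sts_id"] = parse_tags(sts[0]).get("id") if sts else None
    # TLS-RPT: the address senders mail their daily TLS failure reports to.
    rpt = txt(f"_smtp._tls.{domain}")
    findings["tls_rpt_rua"] = parse_tags(rpt[0]).get("rua") if rpt else None
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_ZONE, "example.test", ("s2024a", "old")))
    print("MTA-STS enforced:", sts_enforces(parse_sts_policy(SAMPLE_STS_POLICY)))
```

Run against the sample zone, the audit reports a hard-fail SPF record, one published and one missing DKIM selector, a DMARC policy of quarantine at pct=50 that is therefore not enforcing, a BIMI record that is published but not yet eligible because of that DMARC policy, and an MTA-STS policy that is still in testing mode.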
Access & Identity
Protect accounts with modern authentication methods — from TOTP 2FA to hardware security keys and enterprise SSO.
TOTP 2FA
Time-based one-time passwords via any authenticator app (Google Authenticator, Authy, 1Password). Enforceable per tenant by admins.
Passkeys & WebAuthn
Phishing-resistant FIDO2 passkeys and hardware security keys (YubiKey, Google Titan). Credentials are bound to our origin, so one cannot be replayed to a look-alike login page. Biometric authentication on supported devices.
SAML 2.0 SSO
Integrate with Okta, Azure AD (now Microsoft Entra ID), Google Workspace, or any SAML 2.0 IdP. Users are provisioned just-in-time on first login.
SCIM 2.0
Automated user lifecycle management from your identity provider. Users provisioned, updated, and deprovisioned in real time.
Role-Based Access
Owner, Admin, and Member roles with granular permission boundaries. Tenant isolation ensures complete data separation between organisations.
Session Management
View and revoke all active sessions from the security dashboard. Configurable session expiry for compliance requirements.
Data Protection & Encryption
- TLS 1.2/1.3 for all data in transit between clients, servers, and mail relay.
- AES-256 encryption for email data at rest on AWS infrastructure.
- S/MIME per-mailbox certificate management for end-to-end email signing and encryption.
- Zero-knowledge encryption option: mailbox content is encrypted with keys that only you hold, so it cannot be read from our infrastructure.
- DLP policies to detect and block outbound messages containing sensitive patterns (PII, credit cards, custom keywords).
- Immutable audit logs for every action — user ID, IP, timestamp, resource. Export-ready for forensics.
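To make the DLP item concrete, here is an added example (not GrapphenMail's implementation) of an outbound scanner for two of the pattern classes named above: card numbers and custom keywords. A bare 13-to-19-digit regex would also trip on order and tracking numbers, so candidate matches are validated with the Luhn mod-10 check before they count as a PAN, findings record only the last four digits so the log itself does not leak the card, and a constructed tenant policy maps finding kinds to a block, flag or allow verdict. The policy, keyword list and sample messages are all constructed for the example.

```python
# Outbound DLP scan: detect card numbers (PANs) with a Luhn check to cut false
# positives, plus tenant-defined keywords, and map findings to a block/flag/allow verdict.
import re

# 13 to 19 digits, optional single spaces or dashes between them, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed tenant policy: kinds in block_on stop the message, kinds in flag_on only alert.
POLICY = {
    "block_on": ("pan",),
    "flag_on": ("keyword",),
    "keywords": ("Project Nightjar", "internal only"),  # hypothetical custom terms
}

# Constructed messages, not real mail. The order number has 16 digits but fails Luhn.
SAMPLE_MESSAGES = {
    "card": "Hi, please charge my card 4111 1111 1111 1111, exp 12/27. Thanks!",
    "order": "Your order 1234 5678 9012 3456 has shipped.",
    "keyword": "Attaching the Project Nightjar roadmap, internal only.",
    "clean": "Lunch at 12:30?",
}

def luhn_valid(digits):
    """Luhn mod-10: double every second digit from the right (subtract 9 if over 9); sum must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_message(body, policy=POLICY):
    """Return (verdict, findings). Findings hold (kind, detail, offset); detail never contains the full PAN."""
    findings = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(("pan", "****" + digits[-4:], m.start()))
    folded = body.casefold()
    for kw in policy["keywords"]:
        idx = folded.find(kw.casefold())
        if idx != -1:
            findings.append(("keyword", kw, idx))
    kinds = {kind for kind, _, _ in findings}
    if kinds & set(policy["block_on"]):
        verdict = "block"
    elif kinds & set(policy["flag_on"]):
        verdict = "flag"
    else:
        verdict = "allow"
    return verdict, findings

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        verdict, findings = scan_message(body)
        print(f"{name:8} {verdict:6} {findings}")
```

On the sample messages the card message is blocked, the order number passes because it fails Luhn, the keyword message is flagged but delivered, and the clean message is allowed. A production policy would add the remaining PII patterns, run on decoded MIME parts and attachments rather than a raw string, and normalise Unicode before keyword matching.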
Compliance & Certifications
Our platform is built to help you meet your compliance obligations.
- GDPR tools: right-to-erasure workflows, data export, consent tracking, and retention policy automation built into every account.
- Retention policies: set automatic data retention windows per mailbox for regulatory compliance.
- Compliance archive: immutable message archive for e-discovery and legal hold.
- AI-powered phishing detection: BEC risk scoring, one-click admin reporting, quarantine workflows.
Vulnerability Disclosure
We take security reports seriously. If you discover a vulnerability in GrapphenMail, please email security@grapphen.com. We will acknowledge your report within 48 hours and work with you on a responsible disclosure timeline. We do not take legal action against good-faith security researchers.
