Data encryption
Data Transfer
Maxemail only allows data to be transmitted over secure protocols, eg. HTTPS, SMTP with encryption, SFTP. This covers all access points to Maxemail, including the user interface, file uploads, scheduled imports, Maxemail API, third-party APIs, Transactional SMTP and recipient responses.
Encryption mechanisms
Maxemail supports the following protocols:
- TLS v1.2
- TLS v1.3 (API & web only)
(Support for TLS 1.0 was removed in October 2019); TLS 1.1 was removed in March 2020)
Maxemail uses a range of ciphers, to which new ones are added as they are made available, and old ones are removed when they are no longer required (see Browser Support).
Xtremepush undertakes to remove protocols and ciphers with known vulnerabilities unless we have active mitigation in place, so that we can give a longer timeframe for any clients which may still be using it. Notice of changes which would affect clients will be made on Maxemail's status page.
Email delivery
As an exception to the Data Transfer rule above, outbound email from Maxemail to third-party mail servers (ie. during the delivery of email campaigns and system notifications) may not be encrypted if the receiving Inbox Service Provider ("ISP"; eg. Gmail, Office365, corporate mail servers) does not support encryption.
Maxemail will use TLS by default, falling back to unencrypted if the ISP does not announce their support for encryption during the standard SMTP protocol connection, or the TLS connection fails when attempted. This ensures delivery of emails to recipients.
As at April 2022 we send <2% emails without encryption. TLS v1.3 accounts for 83% of all email communication, with TLS v1.2 covering the remaining.
Data at rest
All data is encrypted at rest, using AES-256 device-level encryption.
Active data
Where necessary to store data securely (eg. credentials for Maxemail to automatically connect to an SFTP site), this is done using AES-256, using independently verified encryption mechanisms.
Updated 10 months ago