Security

Security notes for zaSend accounts and email sending

zaSend handles email infrastructure, credentials, domain keys, logs, and webhook events. This page explains the controls users usually ask about before connecting production email.

API keys

API keys are shown once at creation. Stored key material is hashed, and users can revoke keys from the dashboard.

Domain Sending Keys

Domain keys are scoped to one verified domain and can be used for SMTP or domain-key API sending.

DKIM private keys

DKIM private keys are encrypted at rest and used to sign outbound mail for verified domains.

Webhooks

Webhook payloads are signed. Production webhook URLs must use HTTPS and cannot target private or local network addresses.
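
The URL rule above, sketched as an added example (not zaSend's own code): a check that accepts only HTTPS and rejects any host that is, or resolves to, a non-public address. The function names, the injectable `resolve` parameter, and the choice to reject everything Python's `ipaddress` module does not classify as global are assumptions of this sketch.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _resolve(host):
    """Default resolver: every address the host name maps to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def _is_public(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    # Unwrap ::ffff:a.b.c.d so the embedded IPv4 address is what gets judged.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    # is_global is False for loopback, RFC 1918, link-local, CGNAT, etc.
    return ip.is_global


def check_webhook_url(url, resolve=_resolve):
    """Return (ok, reason) for a candidate production webhook URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS lookup
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    # Fail if ANY answer is non-public: a name with mixed records must not pass.
    for addr in addrs:
        if not _is_public(addr):
            return False, f"{addr} is not a public address"
    return True, "ok"
```

A check at registration time alone does not cover DNS answers that change later, so a sender applying this rule would also need to validate the address it actually connects to at delivery time.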

Dashboard protection

Dashboard actions use authenticated sessions and CSRF protection. Admin actions are restricted to admin accounts.

Operational logs

Logs and message metadata exist to debug delivery, detect abuse, and support account operations.

Your side of the security model

Keep API keys and SMTP keys on the server, rotate keys if exposed, verify webhook signatures, and only add domains you control. If a key leaks, revoke it immediately from the dashboard.