Security
Security notes for zaSend accounts and email sending
zaSend handles email infrastructure, credentials, domain keys, logs, and webhook events. This page explains the controls users usually ask about before connecting production email.
API keys
API keys are shown once at creation. Stored key material is hashed, and users can revoke keys from the dashboard.
Domain Sending Keys
Domain keys are scoped to one verified domain and can be used for SMTP or domain-key API sending.
DKIM private keys
DKIM private keys are encrypted at rest and used to sign outbound mail for verified domains.
Webhooks
Webhook payloads are signed. Production webhook URLs must use HTTPS and cannot target private or local network addresses.
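The URL rule above, sketched as an added example; this is not zaSend's code, and the function names and the injectable resolver are assumptions made for illustration. It rejects non-HTTPS URLs and any host that is, or resolves to, a loopback, private, link-local, or otherwise non-public address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _is_public(ip_text):
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it cannot hide a private IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def _system_resolver(host):
    # Every address the host name currently maps to (A and AAAA records).
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_webhook_url(url, resolve=_system_resolver):
    """Return (ok, reason) for a candidate production webhook URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # literal IP, no lookup needed
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError:
            addresses = []
    if not addresses:
        return False, "host does not resolve"
    # One non-public record is enough to reject the whole host.
    for addr in addresses:
        if not _is_public(addr):
            return False, f"{addr} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs; literal IPs need no DNS lookup.
    for u in ("http://10.0.0.5/h", "https://127.0.0.1/h", "https://[::1]/h"):
        print(u, check_webhook_url(u))
    stub = lambda host: ["93.184.216.34"]  # constructed DNS answer
    print(check_webhook_url("https://hooks.example.com/h", stub))
```

A check like this only holds if the delivery request connects to the address that was validated; resolving the name again at send time reopens the gap through DNS changes.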
Dashboard protection
Dashboard actions use authenticated sessions and CSRF protection. Admin actions are restricted to admin accounts.
Operational logs
Logs and message metadata exist to debug delivery, detect abuse, and support account operations.
Your side of the security model
Keep API keys and SMTP keys on the server, rotate keys if exposed, verify webhook signatures, and only add domains you control. If a key leaks, revoke it immediately from the dashboard.