
Security Overview

mailiam’s security is built-in, not bolted-on. Every form, email, and API request is protected by enterprise-grade security measures.

  1. Input Validation - All form data is validated and sanitized
  2. Spam Detection - AI-powered spam filtering with honeypots
  3. Rate Limiting - Per-IP and per-domain request limits
  4. API Authentication - Secure API key-based access control
  5. Encryption - All data encrypted in transit and at rest
  6. Access Control - Role-based permissions and tenant isolation

Every mailiam form automatically includes:

  • Honeypot fields to catch bots
  • CSRF protection with origin validation
  • Rate limiting to prevent abuse
  • Input sanitization to prevent XSS
  • Spam filtering with content analysis
  • Geographic blocking for known threat regions

mailiam uses API key-based authentication with fine-grained permissions:

# Generate API key
mailiam keys create "Production API" --permissions forms,domains,collections

# API key format
sk-1234567890abcdef1234567890abcdef

# Usage in requests
curl -H "X-API-Key: sk-1234567890abcdef1234567890abcdef" \
  https://api.mailiam.dev/v1/forms

API keys can be scoped to specific permissions:

  • forms - Create and manage forms
  • collections - Manage form collections
  • domains - Configure domains and DNS
  • templates - Manage email templates
  • analytics - Access usage statistics
  • admin - Full account access

# Configuration with API key requirements
collections:
  secure:
    name: "Secure Forms"
    settings:
      requireApiKey: true        # Require API key for submissions
      allowedKeys:               # Specific keys allowed
        - "sk-form-submissions-only"
        - "sk-marketing-forms"

For high-security applications, enable request signing:

domains:
  enterprise.com:
    security:
      requestSigning: true
      signingAlgorithm: "HMAC-SHA256"
      clockSkew: 300   # 5 minutes
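To show what the requestSigning and clockSkew settings above mean for a verifier, here is an added example (not mailiam's code) of HMAC-SHA256 request signing with a bounded replay window. The header names, the canonical string (timestamp, method, path, body hash) and the shared secret are assumptions; the page does not document mailiam's wire format.

```python
import hashlib
import hmac
import time
from typing import Optional

CLOCK_SKEW_SECONDS = 300  # matches clockSkew: 300 in the config above


def canonical_string(timestamp: str, method: str, path: str, body: bytes) -> bytes:
    """Assumed canonical form: timestamp, method, path and body hash, newline-joined.
    Hashing the body binds the payload while keeping the signed string small."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([timestamp, method.upper(), path, body_hash]).encode()


def sign_request(secret: bytes, timestamp: str, method: str, path: str, body: bytes) -> str:
    """Client side: hex-encoded HMAC-SHA256 over the canonical string."""
    return hmac.new(secret, canonical_string(timestamp, method, path, body), hashlib.sha256).hexdigest()


def verify_request(secret: bytes, headers: dict, method: str, path: str, body: bytes,
                   now: Optional[float] = None, skew: int = CLOCK_SKEW_SECONDS) -> tuple:
    """Server side. Returns (ok, reason). The header names X-Mailiam-Timestamp and
    X-Mailiam-Signature are assumed for this example, not taken from mailiam's docs."""
    ts = headers.get("X-Mailiam-Timestamp")
    sig = headers.get("X-Mailiam-Signature")
    if ts is None or sig is None:
        return False, "missing signature headers"
    try:
        ts_int = int(ts)
    except ValueError:
        return False, "malformed timestamp"
    now = time.time() if now is None else now
    # Reject requests dated outside the allowed skew in either direction; this is
    # what bounds how long a captured request stays replayable.
    if abs(now - ts_int) > skew:
        return False, "timestamp outside clock skew window"
    expected = sign_request(secret, ts, method, path, body)
    # Constant-time comparison so a mismatch does not leak the expected MAC byte by byte.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"
```

The timestamp check runs before the HMAC so stale requests are rejected cheaply, and the signature check still protects against any tampering with body, path or method.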

Every form submission is automatically checked against:

  • Content patterns - Common spam phrases and patterns
  • Sender reputation - IP and domain reputation databases
  • Behavioral analysis - Submission speed and patterns
  • Geographic filtering - Block known threat regions
  • Disposable email detection - Block temporary email services

mailiam automatically adds invisible honeypot fields to catch bots:

<!-- Automatically added to all forms -->
<input type="text"
       name="_mailiam_honeypot"
       style="display:none"
       tabindex="-1"
       autocomplete="off">

Custom honeypot configuration:

forms:
  contact:
    security:
      honeypot:
        enabled: true
        fieldName: "_trap"
        customCSS: "position:absolute;left:-9999px"

Configure spam protection strength:

forms:
  contact:
    security:
      spamProtection: "strict"   # strict, normal, lenient

      # Strict mode settings
      blockDisposableEmails: true
      requireValidMX: true
      maxLinksAllowed: 2
      contentFiltering: "aggressive"

      # Custom spam rules
      customRules:
        - name: "Block promotional content"
          pattern: "(buy now|limited time|act fast)"
          action: "quarantine"
        - name: "Suspicious email patterns"
          pattern: "\\b[a-z]{20,}@gmail\\.com"
          action: "flag"
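The honeypot and custom-rule settings above are easier to reason about when you see them applied to a submission, so here is an added example (not mailiam's code) that evaluates a submission against the honeypot field, maxLinksAllowed, blockDisposableEmails and the two customRules. The precedence (honeypot hit wins, then quarantine over flag over accept), the field names, and the tiny disposable-domain list are assumptions made for this example.

```python
import re

# Mirrors the strict-mode settings and customRules above; honeypotField plays the
# role of the honeypot fieldName setting. The precedence below is an assumption.
CONFIG = {
    "honeypotField": "_mailiam_honeypot",
    "maxLinksAllowed": 2,
    "blockDisposableEmails": True,
    "customRules": [
        {"name": "Block promotional content", "pattern": r"(buy now|limited time|act fast)", "action": "quarantine"},
        {"name": "Suspicious email patterns", "pattern": r"\b[a-z]{20,}@gmail\.com", "action": "flag"},
    ],
}
# Constructed stand-in for a disposable-domain list; a real service uses a maintained database.
DISPOSABLE_DOMAINS = {"mailinator.com", "10minutemail.com"}
SEVERITY = {"accept": 0, "flag": 1, "quarantine": 2, "reject": 3}
LINK_RE = re.compile(r"https?://", re.IGNORECASE)


def evaluate_submission(fields: dict, config: dict = CONFIG) -> tuple:
    """Return (action, reasons) for one form submission. Every check records a
    reason; the most severe action among the matching checks wins."""
    action, reasons = "accept", []

    def raise_to(new_action: str, reason: str) -> None:
        nonlocal action
        reasons.append(reason)
        if SEVERITY[new_action] > SEVERITY[action]:
            action = new_action

    # Humans never see the hidden field, so any value in it marks a bot.
    if fields.get(config["honeypotField"], "").strip():
        raise_to("reject", "honeypot field filled")
    email = fields.get("email", "").lower()
    domain = email.rsplit("@", 1)[-1] if "@" in email else ""
    if config["blockDisposableEmails"] and domain in DISPOSABLE_DOMAINS:
        raise_to("quarantine", f"disposable email domain {domain}")
    # Content checks run over every visible field, not just the message body.
    text = " ".join(str(v) for k, v in fields.items() if k != config["honeypotField"])
    if len(LINK_RE.findall(text)) > config["maxLinksAllowed"]:
        raise_to("quarantine", "too many links")
    for rule in config["customRules"]:
        if re.search(rule["pattern"], text, re.IGNORECASE):
            raise_to(rule["action"], rule["name"])
    return action, reasons
```

Returning the reasons alongside the action is what makes quarantined submissions reviewable later and lets you tune a rule that fires too often.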

mailiam implements rate limiting at multiple levels:

  1. Global rate limiting - Overall system protection
  2. Per-IP rate limiting - Prevent individual IP abuse
  3. Per-domain rate limiting - Domain-specific limits
  4. Per-form rate limiting - Form-specific protection
  5. Per-collection rate limiting - Collection-level limits

# Global settings
settings:
  rateLimiting:
    globalLimit: 10000     # Requests per minute globally
    perIPLimit: 100        # Requests per minute per IP
    burstAllowance: 20     # Burst capacity

# Domain-level limits
domains:
  mysite.com:
    security:
      rateLimit: 500       # Requests per minute for this domain

# Form-specific limits
forms:
  contact:
    security:
      rateLimitPerMinute: 10   # 10 submissions per minute per IP
      rateLimitPerHour: 50     # 50 submissions per hour per IP
      rateLimitPerDay: 200     # Daily limit per IP

# Collection limits
collections:
  support:
    settings:
      rateLimit: 100       # Applies to all forms in collection

When rate limits are exceeded, mailiam returns:

{
  "error": "Rate limit exceeded",
  "code": "RATE_LIMIT_EXCEEDED",
  "retryAfter": 60,
  "details": {
    "limit": 10,
    "window": "1 minute",
    "remaining": 0,
    "resetTime": "2024-01-15T10:31:00Z"
  }
}
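As an added example (not mailiam's implementation), the following per-IP limiter enforces the three per-form windows configured above (10 per minute, 50 per hour, 200 per day) and produces the error document shown above when one of them is hit. Fixed, clock-aligned windows and the choice not to count rejected requests are assumptions made for this example.

```python
import time
from collections import defaultdict
from datetime import datetime, timezone
from typing import Optional

# Per-IP limits from the form config above: (window seconds, limit, label in the response).
FORM_LIMITS = [(60, 10, "1 minute"), (3600, 50, "1 hour"), (86400, 200, "1 day")]


class PerIPRateLimiter:
    """Fixed-window counters per client IP. Every window is checked, so the hourly
    and daily caps still bind for a client that stays under the per-minute cap."""

    def __init__(self, limits=FORM_LIMITS):
        self.limits = limits
        self.counters = defaultdict(int)  # (ip, window_seconds, window_start) -> count

    def check(self, ip: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        for window, limit, label in self.limits:
            start = int(now // window) * window
            if self.counters[(ip, window, start)] >= limit:
                reset = start + window
                # Same shape as the error document mailiam returns; retryAfter is
                # the number of seconds until this window resets.
                return {
                    "error": "Rate limit exceeded",
                    "code": "RATE_LIMIT_EXCEEDED",
                    "retryAfter": int(reset - now),
                    "details": {
                        "limit": limit,
                        "window": label,
                        "remaining": 0,
                        "resetTime": datetime.fromtimestamp(reset, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                    },
                }
        # Every window has capacity: record the request in all of them at once.
        for window, _limit, _label in self.limits:
            self.counters[(ip, window, int(now // window) * window)] += 1
        return {"allowed": True}
```

Rejected requests are deliberately not counted, so a client that backs off for retryAfter seconds is admitted again without being penalised for the rejection itself.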

  • In Transit - All API requests use TLS 1.3
  • At Rest - All stored data encrypted with AES-256
  • Key Management - Regular key rotation and hardware security modules
  • Database Encryption - Full database encryption with AWS KMS

domains:
  mysite.com:
    privacy:
      dataRetention:
        submissions: "90d"   # Keep form submissions for 90 days
        analytics: "2y"      # Keep analytics for 2 years
        logs: "30d"          # Keep logs for 30 days
        autoDelete: true     # Automatically delete expired data

      # GDPR compliance
      gdpr:
        enabled: true
        contactEmail: "privacy@mysite.com"
        deletionRequests: true

forms:
  contact:
    privacy:
      collectIP: false          # Don't log IP addresses
      collectUserAgent: false   # Don't log browser info
      anonymizeAfter: "30d"     # Anonymize data after 30 days

      # Cookie consent integration
      cookieConsent:
        required: true
        categories: ["functional"]

Each mailiam account is completely isolated:

  • Database isolation - Separate data partitions
  • API isolation - Account-scoped API access
  • Resource isolation - No cross-account access possible
  • Audit logging - All actions logged per account

# Team member permissions
team:
  - email: "admin@company.com"
    role: "admin"
    permissions: ["*"]
  - email: "marketing@company.com"
    role: "marketing"
    permissions: ["forms", "collections", "analytics"]
    scopes: ["collections:marketing", "forms:newsletter"]
  - email: "support@company.com"
    role: "support"
    permissions: ["forms", "analytics"]
    scopes: ["collections:support"]

All security-relevant events are logged:

# View security events
mailiam logs security --last 24h

# Specific event types
mailiam logs security --event-type failed_auth
mailiam logs security --event-type rate_limit_exceeded
mailiam logs security --event-type spam_detected

Configure alerts for security events:

security:
  alerts:
    - event: "spam_detection_rate_high"
      threshold: "10 per minute"
      notification: "security@company.com"
    - event: "rate_limit_exceeded"
      threshold: "100 per hour"
      webhook: "https://company.com/security-webhook"
    - event: "invalid_api_key"
      threshold: "5 attempts"
      notification: ["security@company.com", "admin@company.com"]

# Security metrics
mailiam security metrics --last 7d

# Threat analysis
mailiam security threats --analysis

# Compliance report
mailiam security compliance --report gdpr

  • SOC 2 Type II - Annual security audits
  • GDPR - EU privacy regulation compliance
  • CCPA - California privacy law compliance
  • HIPAA - Healthcare data protection (enterprise plans)
  • ISO 27001 - Information security management
  • TLS 1.3 - Latest encryption standards
  • OWASP Top 10 - Protection against common vulnerabilities
  • PCI DSS - Payment card industry standards (when applicable)

# Create role-specific keys
mailiam keys create "Frontend Forms" --permissions forms --scopes "collections:public"

# Regular key rotation
mailiam keys rotate sk-old-key-id --generate-new

# Monitor key usage
mailiam keys usage sk-key-id --last 30d

# Revoke compromised keys immediately
mailiam keys revoke sk-compromised-key

forms:
  sensitive-form:
    security:
      # Maximum protection
      spamProtection: "strict"
      requireRecaptcha: true
      rateLimitPerMinute: 3

      # IP restrictions
      allowedIPs: ["203.0.113.0/24"]
      blockedCountries: ["CN", "RU", "KP"]

      # Content filtering
      contentFiltering: "strict"
      maxFieldLength: 1000
      bannedKeywords: ["spam", "viagra", "casino"]

monitoring:
  securityAlerts:
    email: "security@company.com"
    slack: "#security-alerts"
    thresholds:
      spamDetectionRate: "5%"
      rateLimitHits: "100/hour"
      invalidApiKeys: "10/day"
    responseTime:
      autoBlock: true
      blockDuration: "1h"
      escalationThreshold: "severe"

# Monthly security audit
mailiam security audit --comprehensive

# Review API key permissions
mailiam keys audit --unused-permissions

# Check for security updates
mailiam security update-check

# Compliance status
mailiam security compliance --all-standards

Spam Attack:

# Immediately increase spam protection
mailiam forms update-all --spam-protection strict

# Block attacking IPs
mailiam security block-ip 203.0.113.100

# Review and update content filters
mailiam security update-filters --auto-learn

API Key Compromise:

# Revoke compromised key
mailiam keys revoke sk-compromised-key --immediate

# Generate replacement
mailiam keys create "Replacement Key" --permissions forms,collections

# Audit recent usage
mailiam logs api-key sk-compromised-key --last 7d

DDoS Attack:

# Enable emergency rate limiting
mailiam security emergency-mode --enable

# Block attacking regions
mailiam security block-country CN RU

# Contact support for additional protection
mailiam support create-ticket --priority critical --type security

For security emergencies:

Security isn’t just a feature at mailiam - it’s the foundation that everything else is built on.