This post was originally published on the Twilio SendGrid blog.
At Twilio SendGrid, our top priority is our customers and protecting their brands. Building the world’s most powerful and performant email platform is only the beginning—we’ve also built technology to secure your accounts and prevent them from falling into the hands of bad actors.
We know security is a journey we take together with our customers, sharing the responsibility to ensure a secure and trusted communications solution. And with the recent trend around breached credentials, we’ve decided to compile some best practices to help you do your part in securing your account.
Here are 7 ways you can keep your account more secure.
1. Password security
Ensure you are using a strong password that is not shared with other websites and is unique to your account. Today, a strong password does not need to be a sequence of hard-to-remember characters. You should pick passwords that are over 14 characters and easier to remember. Here are some tips.
We recommend you update your password if it does not follow the above guidelines. To update your password in the Twilio SendGrid console, see Resetting your username and password.
2. Two-factor authentication
Two-factor authentication helps prevent unauthorized access even if your password is stolen or hacked; by some estimates it is 99.9% effective against automated attacks. Two-factor authentication adds an additional layer of security to your accounts.
When enabled, users are prompted to enter a code sent via text message to their registered and secure phones. Without this code, you cannot access the requested website, app, or information. While not a silver bullet for perfect security, two-factor authentication boosts your security posture a good deal. Learn how to implement this feature.
3. Environment variables for your API keys
Never hard-code API Keys. If you do, then every time you push code to the repository you are sharing your API Keys with everybody else in your project. Even if you are working alone it can cause problems, as anyone who sees your code will also have access to your secret information.
To avoid this problem, you should store your API Keys as environment variables. This is a much safer practice with the added benefit that you can change them once instead of hunting them down everywhere they are used. There are plenty of documents online that show you how to do that and we highly recommend you check them out.
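As an added illustration of this section (example code, not from the original post or the SendGrid library), the block below shows the two halves of the advice: reading the key from the environment and refusing to start when it is absent, and a small check that a pre-commit hook can run to catch a key literal before it reaches the repository. The variable name SENDGRID_API_KEY and the key shape matched by the regex are assumptions for this example; the sample source snippets are constructed.

```python
import os
import re
from typing import List, Mapping, Tuple

# Assumption for this example: the variable the service reads its key from.
API_KEY_ENV_VAR = "SENDGRID_API_KEY"

# The anti-pattern the post warns against, shown only for contrast:
# api_key = "SG.xxxxxxxxxxxxxxxxxxxxxx.yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"


def load_api_key(env: Mapping[str, str] = os.environ) -> str:
    """Read the API key from the environment and fail fast if it is absent.

    Stopping at start-up is deliberate: a missing credential should prevent
    the service from booting rather than surface later as a 401 from the API.
    """
    key = env.get(API_KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV_VAR} is not set; refusing to start without a credential")
    return key


# Assumption: a key literal looks like "SG." followed by two URL-safe base64 segments.
# Segment lengths are not stated on the page, so the pattern is deliberately loose.
_KEY_PATTERN = re.compile(r"SG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}")


def find_hardcoded_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_token) for every key-shaped literal in source text.

    The token is redacted so a hook's own output never copies the secret into CI logs.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in _KEY_PATTERN.finditer(line):
            token = match.group(0)
            hits.append((lineno, token[:6] + "..." + token[-4:]))
    return hits


# Constructed samples: one file hard-codes a key, the other reads the environment.
BAD_SOURCE = (
    "import sendgrid\n"
    'client = sendgrid.SendGridAPIClient("SG.abcdefghijklmnopqrstuv.ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefg")\n'
)
GOOD_SOURCE = (
    "import os, sendgrid\n"
    'client = sendgrid.SendGridAPIClient(os.environ["SENDGRID_API_KEY"])\n'
)

if __name__ == "__main__":
    print("bad source :", find_hardcoded_keys(BAD_SOURCE))
    print("good source:", find_hardcoded_keys(GOOD_SOURCE))
    try:
        load_api_key({})
    except RuntimeError as err:
        print("start-up refused:", err)
```

Wire find_hardcoded_keys into a pre-commit hook that exits non-zero on any hit; the redacted output tells you which line to fix without reprinting the secret.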
4. Limit the scope of your API key
We recommend users take the "least privilege" approach and only create API Keys with the bare minimum permission levels they need. Try to create multiple API Keys with fewer permissions instead of one API Key with all permissions.
If your API key gets compromised, it's easy to delete and create a new API key and update your environment variables with the new key. API key permissions can be set to provide access to different functions of your account, without providing access to your account as a whole.
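To make the two recommendations in this section concrete, here is an added example (not code from the original post or from SendGrid) that checks a key's scopes against the minimum its job needs and walks through the replace-and-revoke flow. The scope names, the purpose table and the in-memory key store standing in for the key-management API are all assumptions so that the flow runs offline; the environment variable name SENDGRID_API_KEY is likewise assumed.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, List

# Assumption: scopes use a "<resource>.<action>" naming style. The purpose table
# is this example's policy, not a list published by the service.
REQUIRED_SCOPES: Dict[str, List[str]] = {
    "transactional-sender": ["mail.send"],
    "stats-dashboard": ["stats.read"],
}


def excess_scopes(purpose: str, granted: List[str]) -> List[str]:
    """Scopes a key holds beyond what its stated purpose needs; empty means least privilege."""
    return sorted(set(granted) - set(REQUIRED_SCOPES[purpose]))


@dataclass
class ApiKey:
    key_id: str
    name: str
    scopes: List[str]
    secret: str  # returned once at creation and never retrievable afterwards


class FakeKeyStore:
    """In-memory stand-in for the key-management API (constructed for this example)."""

    def __init__(self) -> None:
        self.keys: Dict[str, ApiKey] = {}
        self._ids = itertools.count(1)

    def create(self, name: str, scopes: List[str]) -> ApiKey:
        n = next(self._ids)
        key = ApiKey(f"id-{n}", name, list(scopes), f"SG.constructed-secret-{n}")
        self.keys[key.key_id] = key
        return key

    def delete(self, key_id: str) -> None:
        del self.keys[key_id]


def rotate_key(store: FakeKeyStore, old_key_id: str, purpose: str,
               env: Dict[str, str], compromised: bool) -> ApiKey:
    """Replace a key with a least-privilege successor and update the environment.

    Ordering is the design decision here. For an active compromise the old key is
    revoked first, accepting a short outage, so the stolen credential stops working
    immediately. For routine rotation the successor is created and deployed first,
    then the old key is revoked, so the service never runs without a credential.
    """
    old = store.keys[old_key_id]
    if compromised:
        store.delete(old_key_id)
    new = store.create(old.name, REQUIRED_SCOPES[purpose])
    env["SENDGRID_API_KEY"] = new.secret
    if not compromised:
        store.delete(old_key_id)
    return new


if __name__ == "__main__":
    store = FakeKeyStore()
    over_privileged = store.create("mailer", ["mail.send", "api_keys.create"])
    print("excess scopes:", excess_scopes("transactional-sender", over_privileged.scopes))
    env: Dict[str, str] = {}
    replacement = rotate_key(store, over_privileged.key_id, "transactional-sender", env, compromised=True)
    print("new key scopes:", replacement.scopes, "| keys left:", list(store.keys))
```

The audit function is the useful part to run periodically: list every key, look up its purpose, and alert on any non-empty excess list, since scope creep tends to happen when a key is reused for a second job.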
5. IP access management
Some customers may secure their accounts with the IP access management feature. This feature allows you to control who can access your Twilio SendGrid account based on the IP address they are using.
This is a powerful tool that ensures only you and your team, connecting from known, specified IP addresses, can access the account. One thing that you must be mindful of is that it is possible to remove your own IP address from your list of allowed addresses, thus blocking your own access to your account.
While we are able to restore your access, we do require thorough proof of your identity and ownership of your account. We take the security of your account very seriously and wish to prevent any "bad actors" from maliciously gaining access to your account.
Your current IP is clearly displayed to help prevent you from accidentally removing it from the allowed addresses. To learn more about this feature and how to implement it, see IP Access Management.
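The console protects you from the lockout described above by showing your current IP; if you manage the allowlist from scripts instead, the same guard has to be written in. The following is an added example (not the feature's own code) that validates a proposed allowlist and refuses to apply one that would exclude the caller's address. The addresses are constructed documentation ranges and how the current IP is obtained is left as an input.

```python
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    """Accept single addresses or CIDR ranges; malformed entries raise ValueError."""
    # strict=False lets "203.0.113.7" become a /32 rather than failing.
    return [ipaddress.ip_network(entry.strip(), strict=False) for entry in entries]


def is_allowed(ip: str, allowlist: List[Network]) -> bool:
    """True when ip falls inside any allowed network (mixed v4/v6 simply does not match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def safe_to_apply(current_ip: str, proposed_entries: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether applying proposed_entries is safe for the caller at current_ip.

    Returns (ok, reason). ok is False for the self-lockout the post warns about,
    for an empty list (which would block everyone), and for unparsable entries.
    """
    try:
        nets = parse_allowlist(proposed_entries)
    except ValueError as err:
        return False, f"invalid allowlist entry: {err}"
    if not nets:
        return False, "empty allowlist would block everyone, including you"
    if not is_allowed(current_ip, nets):
        return False, f"current IP {current_ip} is not in the proposed allowlist; applying it would lock you out"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: an office range and the operator's current address.
    current = "203.0.113.7"
    for proposal in (["203.0.113.0/24"], ["198.51.100.4"], [], ["not-an-ip"]):
        print(proposal, "->", safe_to_apply(current, proposal))
```

Run the check immediately before the API call that replaces the list, not earlier: the caller's address can change between planning a change and applying it (a VPN reconnect is the usual cause).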
6. Sender authentication
Now let’s go deeper and talk about your brand security by setting up sender authentication for your domains in order to set up SPF and DKIM. This feature allows you to authenticate your domains with your Twilio SendGrid account by using industry-standard email authentication technologies.
Not only can this increase your reputation from an ISP standpoint, build trust, and improve your brand’s consistency and deliverability, but it can also help secure your sending domain. There are three components to a thorough email authentication configuration. You should familiarize yourself with all three technologies and consider them to protect your brand, your customers, and ultimately make the inbox a safer place for everyone:
SPF (Sender Policy Framework) is the original form of email authentication. SPF is a text record in your DNS that creates an association between the sending IP and the domain. SPF on its own is not foolproof, but it is an additional data point that mailbox providers like Gmail use in establishing a sender’s reputation. By completing sender authentication, SPF will automatically be handled for you. To learn more about SPF see SPF Records Explained.
DKIM (DomainKeys Identified Mail) leverages a public/private key pair to assign a unique identifier and signature to your email. DKIM allows the receiver of an email message to ensure that the message wasn’t tampered with during delivery. By completing sender authentication, DKIM will automatically be handled for you. We have a great blog post that talks about DKIM in detail: How to Use DKIM to Prevent Domain Spoofing.
DMARC - On top of SPF and DKIM, DMARC (Domain-based Message Authentication, Reporting & Conformance) allows domain owners to publish a policy for receiving domains, e.g. Gmail, on what to do if a message fails SPF, DKIM or both.
When someone tries to impersonate a domain that has enabled DMARC, the domain owner is notified through a forensic report by receiving domains that verify and check DMARC. This can help prevent malicious senders from potentially spoofing you and damaging your sender reputation.
Setting up SPF and DKIM is a prerequisite for DMARC. We recently partnered with Valimail to make this much easier for you, which allows you to analyze and monitor your DMARC reports. We strongly urge anyone setting up DMARC to use an enforcement flag of p=quarantine or p=reject.
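The three records described in this section are plain DNS TXT strings, so the prerequisites and the enforcement advice can be checked mechanically. Below is an added example (written for this page, not code from SendGrid or Valimail) that parses SPF, DKIM and DMARC records and reports the problems a reviewer would look for: an SPF record that authorizes everyone, a revoked DKIM key, and a DMARC policy of p=none where the post recommends quarantine or reject. The record strings are constructed samples; the lookup-count rule comes from the SPF specification rather than from the page.

```python
from typing import Dict, List

# SPF mechanisms and the redirect modifier that each cost one DNS lookup;
# the SPF specification (RFC 7208) allows at most ten per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_tag_record(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' text, the syntax DKIM and DMARC records share."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def _mechanism(term: str) -> str:
    """'include:example.com' -> 'include', '~all' -> 'all', 'a/24' -> 'a'."""
    return term.lower().lstrip("+-~?").split(":")[0].split("/")[0]


def check_spf(record: str) -> List[str]:
    """Problems with an SPF record; an empty list means nothing to fix."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    problems = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        problems.append("'+all' authorizes every sender on the internet; use ~all or -all")
    elif last not in ("~all", "-all", "?all") and not last.startswith("redirect="):
        problems.append("record does not end with an 'all' mechanism or redirect")
    lookups = sum(1 for t in terms
                  if _mechanism(t) in LOOKUP_MECHANISMS or t.lower().startswith("redirect="))
    if lookups > 10:
        problems.append(f"{lookups} lookup terms; SPF permits at most 10, beyond which it fails")
    return problems


def check_dkim(record: str) -> List[str]:
    """Problems with the DKIM public-key record at <selector>._domainkey.<domain>."""
    tags = parse_tag_record(record)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional and defaults to DKIM1
        problems.append("unexpected version tag; expected v=DKIM1")
    if not tags.get("p"):  # an empty p= means the key has been revoked
        problems.append("empty p= tag: key is revoked, signatures from this selector will not verify")
    return problems


def check_dmarc(record: str) -> List[str]:
    """Problems with the DMARC record at _dmarc.<domain>, including the p=none caveat."""
    tags = parse_tag_record(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 required as the first tag)"]
    problems = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= tag")
    elif policy == "none":
        problems.append("p=none only monitors; move to p=quarantine or p=reject for enforcement")
    if "rua" not in tags:
        problems.append("no rua= address: aggregate reports will never reach you")
    pct = tags.get("pct", "100")
    if pct != "100":
        problems.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return problems


# Constructed sample records for a domain being set up for sending.
SAMPLES = {
    "spf": "v=spf1 include:sendgrid.net ~all",
    "spf-open": "v=spf1 include:sendgrid.net +all",
    "dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC",
    "dkim-revoked": "v=DKIM1; k=rsa; p=",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "dmarc-monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=50",
}

if __name__ == "__main__":
    checks = {"spf": check_spf, "dkim": check_dkim, "dmarc": check_dmarc}
    for name, record in SAMPLES.items():
        kind = name.split("-")[0]
        print(f"{name:14} {checks[kind](record) or ['ok']}")
```

Point the three checks at the TXT records you actually publish (the DMARC record lives at _dmarc.yourdomain, the DKIM key at the selector name sender authentication gave you) and treat any non-empty list as a finding; the p=none result in particular is the gap between "DMARC configured" and "DMARC enforced".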
7. Use subdomains to send out emails
Use subdomains instead of your parent domain. By separating your marketing and non-marketing emails onto different subdomains, you can more easily isolate what is affecting the sending reputation and deliverability of each. And in the event that one sending subdomain gets compromised and flagged by a mailbox provider as a bad sender, your parent domain is not affected.
It is always also a good practice to separate your marketing emails from your transactional emails as end-users view these types of emails differently and they are handled differently under CAN-SPAM. It’s not unusual for marketing emails to have a lower reputation than transactional emails—how often do you mark a shipping notification as spam?
Separating your mailstream by mail type, and from your top-level corporate domain, gives you granular reporting and flexible control to ensure that a reputation hit on one of them doesn’t necessarily affect all of your traffic.
As your partner in email delivery, we are continuously monitoring and improving our security practices and want to ensure you are aware and up to date on all of the ways you can protect your SendGrid account. For more account security recommendations, check out The 11 Step SendGrid Security Checklist.