SECURITY & TRUST

Secure by construction. Explainable in product terms.

Postillion is authorization-first. Mail is authenticated before it's trusted, every sensitive action is audited, and the policy engine answers concrete questions without ever exposing its internals.

Security pillars

Authenticate, then trust

DMARC-style alignment is required for an authenticated visible author. Domains are canonicalized; the local-part is preserved for exact identity. Authentication alone never grants delivery.
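The alignment rule described above, as an added illustration (not Postillion's own code): the visible From domain is canonicalized, the local-part is kept exactly as written, and the author counts as authenticated only if that domain aligns with an SPF-passing MAIL FROM domain or a verified DKIM d= domain. The organizational-domain helper is a deliberate simplification (last two labels; a real implementation consults the Public Suffix List), and the header and auth results are constructed inputs.

```python
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional, Tuple


def canonicalize_domain(domain: str) -> str:
    """Lowercase, strip surrounding whitespace and a trailing root dot, then
    IDNA-encode so a Unicode label and its punycode form compare equal."""
    d = domain.strip().rstrip(".").lower()
    return d.encode("idna").decode("ascii")


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example; production code uses the Public Suffix List."""
    labels = canonicalize_domain(domain).split(".")
    return ".".join(labels[-2:])


def aligned(visible: str, authenticated: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment: exact match in strict mode,
    shared organizational domain in relaxed mode."""
    v, a = canonicalize_domain(visible), canonicalize_domain(authenticated)
    if mode == "strict":
        return v == a
    return organizational_domain(v) == organizational_domain(a)


@dataclass(frozen=True)
class AuthResult:
    """What SPF and DKIM verification established, before alignment is checked."""
    spf_domain: Optional[str]             # MAIL FROM domain if SPF passed, else None
    dkim_domains: Tuple[str, ...] = ()    # d= of every DKIM signature that verified


@dataclass(frozen=True)
class VisibleAuthor:
    local_part: str       # preserved exactly: local-parts are case-sensitive identity
    domain: str           # canonical form, used for policy lookups
    authenticated: bool   # True only if the visible domain aligns with SPF or DKIM


def visible_author(from_header: str, auth: AuthResult, mode: str = "relaxed") -> VisibleAuthor:
    _, addr = parseaddr(from_header)
    local, sep, dom = addr.rpartition("@")
    if not sep or not local or not dom:
        # Malformed or missing address: there is nothing to authenticate.
        return VisibleAuthor(local_part=addr, domain="", authenticated=False)
    canon = canonicalize_domain(dom)
    spf_ok = auth.spf_domain is not None and aligned(canon, auth.spf_domain, mode)
    dkim_ok = any(aligned(canon, d, mode) for d in auth.dkim_domains)
    return VisibleAuthor(local_part=local, domain=canon, authenticated=spf_ok or dkim_ok)


if __name__ == "__main__":
    # Constructed sample: mixed-case header with a trailing root dot.
    auth = AuthResult(spf_domain="bounce.example.com", dkim_domains=("example.com",))
    print(visible_author("Alice <Alice.Smith@Mail.Example.COM.>", auth))
```

Note that `authenticated=True` here only says the visible sender claim is verified; what happens to the message is decided separately by the policy layers, which is the point of "authentication alone never grants delivery".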

ReBAC, hidden

OpenFGA decides every relationship, but users see product controls — never tuples, model IDs, or relationship names. Internal same-workspace trust is defaulted through relationships, not shortcut logic.

Everything sensitive, audited

Content reads, spam access, draft discards, policy mutations, auth failures, selector lifecycle, and reconciliation repairs — all append-only, metadata by default, never duplicating bodies.

PRECEDENCE

Platform safety wins. Always.

Decisions resolve in a fixed order. Users can configure trust within their scope, but no grant can override a platform abuse, security, or deliverability block.

1. HIGHEST: Platform blocks. Abuse, security, and deliverability protections. Cannot be granted around.
2. THEN: Authentication. Visible sender claim verified via DMARC alignment.
3. THEN: ReBAC / inbox policy. Communication controls decide accept, spam, or reject.
4. YOUR SCOPE: Customer configuration. Allow/block, identities, visibility, within platform bounds.

CALM BY DESIGN

Policy errors are structured, safe, and actionable.

Trusted admins get a clear reason they can act on. Untrusted callers never learn whether a resource exists or which abuse heuristic fired. Safe block reasons, never internals.

DO: Show a trusted admin a safe, specific reason.
DON'T: Leak existence, internals, or abuse signals to untrusted callers.

Trusted admin, explain denied:

  $ postillion explain delivery msg_3c1d
  ✗ blocked  scope: inbox ibx_c8d3
    reason: sender domain not in receive allow-list
    fix: add domain or enable open inbound
    etag v22 · audited

Untrusted caller, same query:

  $ GET /v1/messages/msg_3c1d
  404 { "error": "not_found" }
  # existence is never confirmed

SIGNING & DNS

Signing material rotates. It never lingers.

Per-inbox DKIM selectors sign managed outbound. Reactivating an archived inbox rotates the selector rather than silently reusing old key material.

selector pbx-2026a: SIGNING; on reactivate, pbx-2026c: ROTATED IN
old selector pbx-2026a: ROTATING OUT
retired pbx-2025z: REVOKED

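The selector lifecycle sketched above, as an added example and not Postillion's implementation: reactivating an archived inbox mints a new selector with fresh key material, the previous signing selector moves to rotating out (its public key stays published so mail already in flight still verifies), and whatever was rotating out is revoked and withdrawn from DNS. The counter-based selector names, the opaque `key_id` standing in for a real key pair, and the example domain are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class SelectorState(Enum):
    SIGNING = "signing"             # the only selector new outbound mail is signed with
    ROTATING_OUT = "rotating out"   # key still published so in-flight mail verifies
    REVOKED = "revoked"             # key destroyed, DNS record withdrawn


@dataclass
class Selector:
    name: str
    key_id: str                     # placeholder for a real DKIM key pair
    state: SelectorState


@dataclass
class Inbox:
    inbox_id: str
    archived: bool = False
    selectors: List[Selector] = field(default_factory=list)
    issued: int = 0                 # monotonically increasing, so names never repeat


def _mint(inbox: Inbox) -> Selector:
    """Issue a never-before-used selector name with fresh key material."""
    inbox.issued += 1
    sel = Selector(name=f"pbx-{inbox.issued:04d}",      # naming scheme assumed
                   key_id=secrets.token_hex(8),
                   state=SelectorState.SIGNING)
    inbox.selectors.append(sel)
    return sel


def provision(inbox_id: str) -> Inbox:
    inbox = Inbox(inbox_id)
    _mint(inbox)
    return inbox


def archive(inbox: Inbox) -> None:
    inbox.archived = True


def reactivate(inbox: Inbox) -> Selector:
    """Reactivation rotates instead of reusing: rotating-out selectors are revoked,
    the current signing selector starts rotating out, and a fresh one signs."""
    for sel in inbox.selectors:
        if sel.state is SelectorState.ROTATING_OUT:
            sel.state = SelectorState.REVOKED
        elif sel.state is SelectorState.SIGNING:
            sel.state = SelectorState.ROTATING_OUT
    inbox.archived = False
    return _mint(inbox)


def signing_selector(inbox: Inbox) -> Selector:
    active = [s for s in inbox.selectors if s.state is SelectorState.SIGNING]
    if len(active) != 1:
        raise RuntimeError("exactly one selector signs at any time")
    return active[0]


def published_records(inbox: Inbox, domain: str) -> Dict[str, str]:
    """DNS names that must carry a DKIM TXT record right now: signing and
    rotating-out selectors stay published, revoked ones are withdrawn."""
    return {f"{s.name}._domainkey.{domain}": f"v=DKIM1; k=rsa; p=<pubkey {s.key_id}>"
            for s in inbox.selectors if s.state is not SelectorState.REVOKED}


def selector_names_ever_used(inbox: Inbox) -> List[str]:
    return [s.name for s in inbox.selectors]


if __name__ == "__main__":
    ibx = provision("ibx_c8d3")
    archive(ibx)
    reactivate(ibx)
    for state in ibx.selectors:
        print(state)
    print(published_records(ibx, "mail.example"))
```

The reconciliation job the audit section mentions would compare `published_records` against what DNS actually serves; a revoked selector still resolving, or a signing selector missing, is the repair case.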
DATA & COMPLIANCE

Preserved, not deleted.

Delivered and sent messages aren't removed by normal workflows. Archive, spam, labels, and retention handle cleanup — and there are no destructive delete affordances for delivered mail. Your audit trail stays whole.

SOC 2: Type II in progress
Encrypted: in transit and at rest
Retention: policy-driven cleanup
Tenant isolation: workspace boundary

Questions for our security team?

We're happy to walk through the authorization model, audit guarantees, and data handling.