Security Policy

Last updated: April 2026

Our Commitment

At HalixonMail, the security of your account and personal data is our highest priority. We employ industry-standard practices to protect your information at every layer of our platform.

Account Security

  • All passwords are hashed using SHA-512 with per-user salts. We never store passwords in plain text.
  • Two-factor authentication (TOTP) is available for all accounts, compatible with Google Authenticator, Microsoft Authenticator, and similar apps. We strongly recommend enabling it.
  • TOTP secrets are encrypted at rest using AES-256-GCM authenticated encryption.
  • All login attempts are audited, including the outcome, timestamp, and originating IP address.
  • Password complexity requirements enforce a minimum of 15 characters using at least 3 character categories.
  • Email address changes and forwarding address changes require verification via a link sent to the new address before taking effect.

Session Management

  • Sessions are stored server-side in a distributed database. Your browser only holds an opaque session cookie.
  • Session cookies are configured with HttpOnly, Secure, and SameSite=Lax attributes.
  • Sessions expire after a configurable period of inactivity.

Payment Security

  • All payments are processed by Stripe. We never see, store, or process your card details.
  • Stripe webhook events are verified using cryptographic signatures before processing.
  • All pricing is determined server-side and cannot be influenced by client-side manipulation.

Infrastructure

  • The portal is served exclusively over HTTPS. All traffic between your browser and our servers is encrypted using TLS 1.2 or higher.
  • HTTP Strict Transport Security (HSTS) is enforced with a two-year max-age, instructing browsers to always use HTTPS.
  • Our infrastructure sits behind Cloudflare, providing DDoS protection, Web Application Firewall (WAF) rules, and bot mitigation.
  • Human verification (Cloudflare Turnstile) is required for login and account creation to prevent automated attacks.
  • Rate limiting is applied to sensitive endpoints to prevent brute-force and enumeration attacks.
  • TLS certificates are issued by Let's Encrypt and automatically renewed.

Email Security

  • All inbound and outbound SMTP connections require TLS encryption (TLS 1.2 or higher). SSLv2, SSLv3, TLS 1.0, and TLS 1.1 are disabled.
  • DNSSEC is enabled on all domains, protecting against DNS spoofing and cache poisoning attacks.
  • Outbound mail is signed with DKIM (DomainKeys Identified Mail) using RSA-SHA256, allowing recipients to verify message authenticity.
  • SPF (Sender Policy Framework) records are published for all domains and inbound mail is checked against the sender's SPF policy.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) is enforced. Messages failing DMARC evaluation are rejected.
  • SRS (Sender Rewriting Scheme) is applied to forwarded mail to preserve SPF alignment at the destination.
  • The SMTP VRFY command is disabled to prevent address enumeration.
  • SMTP submission connections are secured with TLS using Let's Encrypt certificates.
  • SMTP authentication passwords (used for sending mail from your purchased address) are hashed using SHA-512 with per-user salts, the same standard used for account passwords.
  • Forwarding addresses cannot be set to domains owned by HalixonMail, preventing circular routing.
  • Purchased email addresses are reserved in the database during checkout to prevent race conditions.

Data Protection

  • We comply with UK GDPR. You can request a full export of your personal data from your profile at any time.
  • Account deletion requests can be submitted via a support ticket and are processed by our team.
  • We do not sell or share your personal data with third parties for marketing purposes.
  • Sensitive information such as encryption keys, API secrets, and passwords are never logged.

Responsible Disclosure

If you discover a security vulnerability in our platform, please report it responsibly by contacting us at security@halixonmail.com. We ask that you:

  • Do not access or modify other users' data.
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it.
  • Provide sufficient detail for us to reproduce and fix the issue.

We appreciate the security research community and will acknowledge valid reports.