Security policy

Security starts with mail fundamentals.

KasaPost is owned and managed by KasaBase, a Dallas, Texas based company. We focus on authenticated sending, encrypted access, account controls, abuse prevention, monitoring, and recoverability.

Domain authentication

SPF, DKIM, DMARC, PTR, and hostname checks are used to protect sending identity and reduce spoofing risk.

Encrypted access

The public website and control center use HTTPS. SMTP authentication requires TLS, and mail clients should use secure IMAP and submission ports.

Transport policy

MTA-STS and TLS reporting are prepared so receiving mail can require encrypted server-to-server transport once DNS is published.

Account controls

Admin access is separated from mailbox use. Strong passwords and two-factor authentication are recommended for all operators.

Sender controls

Transactional API keys can be scoped, rotated, revoked, logged, and limited by tenant and domain reputation policy.

Abuse controls

Suppression lists, support intake, rate limits, warmup holds, DMARC report parsing, and blocklist monitoring help reduce harmful mail.

Backups

Backup readiness checks are tracked. Full clean-server restore drills should be performed before larger production scale.

Incident reporting

Security issues should be reported to security@kasapost.com with enough detail to reproduce or investigate the issue.

Roadmap

Independent security review, formal compliance artifacts, SSO options, and public incident history are future maturity items.