Security with substance
Keep your email private and secure, with robust encryption of your data both in transit and at rest.
Your email is the de facto password to everything else you do on the web. The portal to your medical records. The history of your purchases. Maybe even access to your bank. Fastmail helps you keep it private and secure, with robust encryption of your data both in transit and at rest.
- All data is stored encrypted on disks inside locked racks in our highly secure data centers.
- Communication between our data centers, servers, and your devices is always encrypted at the highest level, with full support for the latest standards including TLS 1.3 and Perfect Forward Secrecy.
- Full support for two-step verification to keep your account safe even if your password is stolen.
- Passkey support for fast, phishing-proof, passwordless login.
- A Strict Transport Security header protects all modern browsers against an SSL stripping man-in-the-middle (MITM) attack.
- Our strict Content Security Policy ensures only code we’ve written can run in our webmail.
- The Fastmail Bug Bounty Program encourages third party review of our security. We also perform regular internal audits and stay aware of the latest best practice and security research.
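As an added illustration of the two browser-side protections listed above (a Strict Transport Security header against SSL stripping, and a strict Content Security Policy against foreign script), here is a small checker written for this page. It is example code, not Fastmail's own, and the two header sets it evaluates are constructed samples rather than any real server's configuration. The one-year `max-age` floor is an assumption taken from the usual HSTS preload-list requirement.

```python
"""Evaluate HSTS and CSP response headers for the protections described above.

Added example for this page, not Fastmail's code. The sample header sets are
constructed for illustration only.
"""
from dataclasses import dataclass, field

# Assumption: one year is the floor that HSTS preload lists require.
MIN_HSTS_AGE = 31536000


@dataclass
class HeaderReport:
    hsts_ok: bool
    csp_ok: bool
    findings: list = field(default_factory=list)


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def check_headers(headers):
    """Return a HeaderReport saying whether HSTS and CSP give the intended cover."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    hsts_ok = False
    if "strict-transport-security" not in h:
        findings.append("HSTS missing: a first visit over http:// can be downgraded")
    else:
        d = parse_hsts(h["strict-transport-security"])
        try:
            age = int(d.get("max-age", "0") or 0)
        except ValueError:
            age = 0
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age={age} is short; browsers forget the policy quickly")
        else:
            hsts_ok = True
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains; subdomains stay reachable over plain HTTP")

    csp_ok = False
    if "content-security-policy" not in h:
        findings.append("CSP missing: injected script would run with the page's privileges")
    else:
        p = parse_csp(h["content-security-policy"])
        script_src = p.get("script-src", p.get("default-src"))
        if script_src is None:
            findings.append("CSP has neither script-src nor a default-src fallback")
        elif any(s in ("'unsafe-inline'", "'unsafe-eval'", "*") for s in script_src):
            findings.append(f"CSP script-src {script_src} lets inline or arbitrary script run")
        else:
            csp_ok = True

    return HeaderReport(hsts_ok, csp_ok, findings)


# Constructed samples: a weak configuration beside a sound one.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
STRONG_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        report = check_headers(hdrs)
        print(label, "hsts_ok=%s csp_ok=%s" % (report.hsts_ok, report.csp_ok))
        for f in report.findings:
            print("  -", f)
```

To apply this to a domain you operate, feed it the headers of a real response (for example the `headers` attribute of a `requests` response) instead of the constructed dictionaries; the checks are deliberately conservative, so a finding is a prompt to review the policy rather than proof of a flaw.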
Frequently asked questions
Does Fastmail support end-to-end encryption?
Fastmail customers looking for end-to-end encryption can use PGP or S/MIME in many popular third-party apps. We don’t offer end-to-end encryption in our own apps, as we don’t believe it provides a meaningful increase in security for most users, while the trade-offs are significant.
End-to-end encryption is not just a checkbox. To work, it requires both sender and receiver to support it, and have a secure and private way of exchanging keys. This infrastructure simply doesn’t exist right now. Adding end-to-end support in our webmail also provides little extra security against server compromise, as the code doing the decryption is itself deployed from the server. Meanwhile, the trade-offs are severe: if the server can’t access the contents of the email it can’t offer fast, full text search. It can’t show message previews efficiently in your inbox. Spam checking can’t analyse the content. If you lose your private key, we can’t help you recover access to your email history.
Ultimately, if you trust the server then end-to-end encryption doesn’t add any extra security (as emails are already encrypted at rest and in transit). If you don’t trust the server, you can’t trust it to load uncompromised code, so you should be using a third party app to do end-to-end encryption, which we fully support. And if you really need end-to-end encryption, we highly recommend you don’t use email at all and use Signal, which was designed for this kind of use case.