Possible Errors:
- Is the email service SOC2 compliant?
- What's the DKIM encryption key length used in the email service?
- Does DKIM key rotation happen automatically?
- Do we support S/MIME encryption?
- What are the security protocols for email servers?
- What is the encryption level and method for the data in transit and at rest?
- How is email data stored and purged?
Resolution Path:
Is the email service SOC2 compliant?
Yes, the in-house email service is SOC2 type 2 compliant.
What's the DKIM encryption key length used in the email service?
The in-house email service supports a DKIM key length of 2048 bits. However, the backup service is SendGrid, which uses 1024-bit keys. For manual security keys (which we use), SendGrid supports only 1024 bits, even for a brand new authentication. Because of this, we can't currently update the SendGrid DKIM key to 2048 bits. If a customer wants 2048-bit DKIM keys only, we can suggest turning off SendGrid as the backup for them so that they always use the in-house email service, which has 2048-bit DKIM keys.
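To confirm which key size a DKIM selector actually publishes, the added example below (not Freshworks or SendGrid code) reads the `p=` tag of a DKIM TXT record and reports the RSA modulus size. All function names are assumptions, and `sample_record` builds constructed placeholder records rather than real keys.

```python
import base64

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length

def dkim_rsa_bits(txt_record):
    """RSA modulus size in bits for a DKIM TXT record; 0 if p= is empty (revoked)."""
    pairs = (item.partition("=") for item in txt_record.split(";"))
    tags = {k.strip(): v for k, _, v in pairs if k.strip()}
    if tags.get("k", "rsa").strip() != "rsa":
        raise ValueError("only RSA keys are handled here")
    der = base64.b64decode("".join(tags.get("p", "").split()))
    if not der:
        return 0
    _, spki, _ = _read_tlv(der, 0)             # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _read_tlv(der, spki)       # AlgorithmIdentifier, skipped
    tag, bits_at, _ = _read_tlv(der, alg_end)  # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("unexpected key structure")
    _, rsa, _ = _read_tlv(der, bits_at + 1)    # +1 skips the unused-bits byte
    _, n_start, n_end = _read_tlv(der, rsa)    # first INTEGER is the modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def meets_minimum(txt_record, minimum=2048):  # 2048 is the size the FAQ cites
    return dkim_rsa_bits(txt_record) >= minimum

def _der(tag, body):
    """DER-encode one element (used only to build the sample records)."""
    size = len(body)
    if size < 0x80:
        return bytes([tag, size]) + body
    width = (size.bit_length() + 7) // 8
    return bytes([tag, 0x80 | width]) + size.to_bytes(width, "big") + body

def sample_record(bits):
    """Constructed DKIM record; the modulus is a placeholder, not a usable key."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for record in (sample_record(1024), sample_record(2048)):
        print(dkim_rsa_bits(record), meets_minimum(record))
```

In practice the record text would come from a TXT lookup of the selector name; whitespace from multi-string TXT records inside `p=` is tolerated.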
Does DKIM key rotation happen automatically?
No, DKIM key rotation doesn't happen automatically. It can only be performed on demand. However, if customers want the keys to be rotated urgently, they can delete the existing DKIM configuration and re-configure. New keys are generated each time DKIM is re-configured.
Do we support S/MIME encryption?
S/MIME encryption isn’t currently supported. It’s on the roadmap and tentatively planned for a 2023 release.
What are the security protocols for email servers?
The email service uses encrypted TLS channels (TLS 1.2 protocol) for processing emails. Opportunistic TLS encryption is used to send emails from Freshworks to the recipient mail servers. If the recipient mail server doesn’t support TLS, the mails are sent over a normal (unencrypted) TCP connection. If customers configure their own mailboxes (custom SMTP) and enable SSL, mails are transferred using TLS. If SSL isn’t configured, a plain TCP connection is used. Further, we can also support enforced TLS if needed, but please note that in such a case emails will be dropped (undelivered) if the recipient mail server doesn’t support TLS. We also support enforced TLS for incoming mails.
What is the encryption level and method for the data in transit and at rest?
For encryption of data in transit, please refer to the above FAQ. Server-side encryption is done for email data/content at rest using 256-bit Advanced Encryption Standard (AES-256), which is one of the strongest block ciphers available.
How is email data stored and purged?
No emails persist with the email service after they are delivered. However, all emails (both incoming and outgoing) are archived in encrypted S3 buckets. All the buckets are encrypted using Amazon S3 default encryption. The archived copy is available for 45 days, after which it's automatically deleted from S3 (based on the default S3 expiration policy). We have an API to delete the archived emails for a particular customer account. More details here: Email Data Storage and Deletion.