Security & Reliability

How we keep your email flowing reliably and your data safe.

Email is critical infrastructure. When you trust ImprovMX with your domain's email, you deserve to know exactly how we protect it. This page is our commitment to transparency about our reliability and security practices.

Why we don't pursue SOC 2 or ISO 27001

Compliance certifications like SOC 2 and ISO 27001 are often treated as proof of security. Oftentimes, they're just security theatre — expensive audits that verify you have processes, not that those processes actually keep you safe. Companies with these certifications still suffer breaches and the certifiers themselves are often fraudulent (see the Delve fiasco).

Instead of spending that money and effort on paperwork, we invest directly in real security: penetration testing, monitoring, infrastructure hardening, and the engineering discipline to do it right.

Yearly penetration testing

We conduct annual penetration tests performed by independent security professionals. These aren't surface-level scans — they're thorough assessments of our infrastructure, APIs, and email pipeline. When findings arise, we remediate them promptly and transparently.

We also supplement traditional pen-testing with AI-driven security testing, which continuously probes our systems for new classes of vulnerabilities that manual testing might miss.

Built by an SRE

ImprovMX was built and is operated by a founder with hands-on Site Reliability Engineering experience. This is infrastructure designed with production-grade reliability principles: redundancy, graceful degradation, automated failover, and defense in depth.

Uptime & reliability philosophy

Our SMTP servers run across multiple availability zones with auto-scaling and load balancing. We monitor every stage of the email pipeline — from inbound reception through processing and outbound delivery. Round-trip monitoring sends test emails through ImprovMX and verifies delivery to major providers including Gmail, Outlook, Yahoo, and iCloud.

You can check our live uptime at status.improvmx.com.

Defense in depth

We don't rely on a single layer of security. Our approach is layered:

  • Network level: Traffic filtering, rate limiting, and DDoS protection.
  • Email validation: Every inbound email is checked against SPF, DKIM, and DMARC policies, with SpamAssassin scoring and attachment analysis.
  • Data handling: Emails are stored temporarily in S3 for delivery, then automatically cleaned up. We don't keep your emails longer than necessary.
  • Access control: Infrastructure access is tightly restricted, with separate permissions across services.
  • Encryption: TLS in transit for all SMTP connections that support it, and encryption at rest for stored data.

Postmortem transparency

When incidents happen — and in any complex system, they eventually will — we commit to publishing honest postmortems. We believe accountability and continuous improvement are more valuable than pretending nothing ever goes wrong. Our status page is always up to date with any ongoing or past incidents. And you can see all our postmortems on our blog.

Our commitment

We'd rather show you how we keep your email safe than hand you a certificate. If you have questions about our security practices, reach out to me personally at matthew@improvmx.com.

Matthew Tse,

ImprovMX owner

Matthew Tse signature