Account Layer
The account layer controls access to your UGMail account at my.ugmail.co and to the services your account authorizes. Two-Factor Authentication (2FA) adds a second verification step at login, so a stolen password alone is not enough for an attacker to access your account. UGMail supports TOTP-based 2FA with any standard authenticator app. App passwords are separate, independently revokable credentials you create for specific clients or integrations — SMTP clients, scripts, or third-party services. If one integration is compromised, you revoke only its app password without disrupting anything else. API token management lets you issue and revoke Bearer tokens for the UGMail Management API from your account Settings. Treat API tokens like passwords: rotate them regularly, store them in secrets managers, and never embed them in source code.Domain Layer
The domain layer uses DNS records to prove to the world that your outbound mail is legitimate. SPF (Sender Policy Framework) publishes a list of servers authorized to send mail on behalf of your domain. Receiving servers reject or flag mail from unlisted sources. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every outgoing message. Receivers use your published public key to verify the signature, confirming the message was not tampered with in transit. DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receivers what to do when SPF or DKIM checks fail, and sends you aggregate reports so you can monitor authentication health across your domain.Explore Security Topics
Two-Factor Authentication
Enable 2FA and create app passwords to protect your account credentials.
SPF, DKIM & DMARC
Authenticate your outbound email with DNS-level records to stop spoofing and improve deliverability.
Security Checklist
Work through this checklist to make sure your UGMail setup is fully hardened.- Enable 2FA on your account
- Use app passwords for integrations (not your main password)
- Set up SPF for your domain
- Enable DKIM signing
- Configure DMARC policy
- Rotate API tokens regularly
- Never commit API tokens to version control

