> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mail.ugmail.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Overview: Protecting Your UGMail Account

> UGMail offers two-factor authentication, app passwords, API token management, and domain-level email authentication (SPF, DKIM, DMARC) to keep your email infrastructure secure.

UGMail protects your email infrastructure across two distinct layers: the **account layer** and the **domain layer**. The account layer governs who can access your UGMail dashboard and use your sending credentials, while the domain layer ensures that mail leaving your domains is cryptographically verified and trustworthy to receiving servers. Together, these layers defend against unauthorized access, credential abuse, phishing, and spoofing — the most common threats to email infrastructure.

## Account Layer

The account layer controls access to your UGMail account at [my.ugmail.co](https://my.ugmail.co) and to the services your account authorizes.

**Two-Factor Authentication (2FA)** adds a second verification step at login, so a stolen password alone is not enough for an attacker to access your account. UGMail supports TOTP-based 2FA with any standard authenticator app.

**App passwords** are separate, independently revokable credentials you create for specific clients or integrations — SMTP clients, scripts, or third-party services. If one integration is compromised, you revoke only its app password without disrupting anything else.

**API token management** lets you issue and revoke Bearer tokens for the UGMail Management API from your account Settings. Treat API tokens like passwords: rotate them regularly, store them in secrets managers, and never embed them in source code.

## Domain Layer

The domain layer uses DNS records to prove to the world that your outbound mail is legitimate.

**SPF** (Sender Policy Framework) publishes a list of servers authorized to send mail on behalf of your domain. Receiving servers reject or flag mail from unlisted sources.

**DKIM** (DomainKeys Identified Mail) attaches a cryptographic signature to every outgoing message. Receivers use your published public key to verify the signature, confirming the message was not tampered with in transit.

**DMARC** (Domain-based Message Authentication, Reporting & Conformance) tells receivers what to do when SPF or DKIM checks fail, and sends you aggregate reports so you can monitor authentication health across your domain.

## Explore Security Topics

<CardGroup cols={2}>
  <Card title="Two-Factor Authentication" icon="shield-halved" href="/security/two-factor-auth">
    Enable 2FA and create app passwords to protect your account credentials.
  </Card>

  <Card title="SPF, DKIM & DMARC" icon="envelope-circle-check" href="/security/spf-dkim-dmarc">
    Authenticate your outbound email with DNS-level records to stop spoofing and improve deliverability.
  </Card>
</CardGroup>

## Security Checklist

Work through this checklist to make sure your UGMail setup is fully hardened.

* [ ] Enable 2FA on your account
* [ ] Use app passwords for integrations (not your main password)
* [ ] Set up SPF for your domain
* [ ] Enable DKIM signing
* [ ] Configure DMARC policy
* [ ] Rotate API tokens regularly
* [ ] Never commit API tokens to version control
