Security Best Practices — Protect Your Account & Aliases
CloakMetric is built with privacy and security at its core. Follow these best practices to keep your account and aliases safe.
Account Security
Use a Strong Password
Your password should be at least 8 characters. Use a mix of uppercase, lowercase, numbers, and symbols. Consider using a password manager.
Monitor Active Sessions
Regularly review your active sessions in Settings > Account. If you see a session you don’t recognize, revoke it immediately and change your password.
Verify Your Email
Always keep your account email verified. This ensures you can recover your account and receive important security notifications.
Alias Best Practices
One Alias Per Service
Create a unique alias for each service you sign up for. If one service leaks your email, you’ll know exactly which one — and you can disable just that alias without affecting others.
Disable, Don’t Delete
When you’re done with an alias, deactivate it instead of deleting it. This way, if legitimate emails arrive later, you can re-enable it. Deleted aliases bounce all emails permanently.
Monitor Health Scores
Check the Analytics page regularly. A declining health score may indicate your alias is being used for spam or is on a blocklist.
Domain Security
Configure All DNS Records
When using a custom domain, ensure all five DNS records (Verification, MX, SPF, DKIM, DMARC) are properly configured. Missing records weaken your email authentication and increase the chance of spoofing.
Use DMARC with Quarantine or Reject
A DMARC policy of p=quarantine or p=reject tells receiving servers to handle unauthorized emails strictly. This protects your domain from being impersonated.
API Key Security
Principle of Least Privilege
Only grant the minimum permissions an API key needs. Use Read-only keys for monitoring and Standard keys for automation. Reserve Full Access for admin tools.
Rotate Keys Regularly
Set expiration dates on API keys and replace them before they expire. Never use keys without expiration for production integrations.
Never Expose Keys in Code
Store API keys in environment variables or secret management tools. Never commit them to version control.
Team Security
Assign Appropriate Roles
Use the role system to give team members only the access they need: Viewers for stakeholders, Members for contributors, and Admins for managers.
Remove Inactive Members
Regularly audit your team and remove members who no longer need access. Revoke access immediately when someone leaves your organization.