Questions about security and encryption

Can my emails still be tracked through the IP address?

We remove your personal IP address from the headers of your email. Nobody needs to know your location when you send an email.

Do you backup my mailbox?

Yes, we back up your mail so we can recover from major incidents. These backups are not used to restore individual mailboxes or messages on request. If you leave Soverin, your data is removed from our systems, including backups, in line with our data retention policies.

Do you publish CAA and TLSA records?

Yes. We publish DNS-based Authentication of Named Entities (DANE) TLSA records and DNS Certification Authority Authorization (CAA) records to tell mail servers and browsers about our certificates. This allows browsers and mail servers to verify they are talking to Soverin by checking the fingerprints of our certificates and the certificate authority that issued them.

Do you send HSTS headers?

Yes. HTTP Strict Transport Security (HSTS) means we send headers to your browser telling it to always communicate securely with Soverin. If your connection is hijacked and some other site pretends to be Soverin, this will fail because your browser will force HTTPS. We use this for all our websites, including webmail.

Do you support 2-factor authentication?

Yes, you can enable 2FA through your account settings. If your account is managed by an admin, they can also make 2FA mandatory for your account.
Follow these instructions to set up 2FA.

Do you support DKIM for your own and customer domains?

DomainKeys Identified Mail (DKIM) signs your emails, telling the receiver that your email was actually sent by a system you trust and that it was not modified in any way during transport.

Do you use DANE?

Yes. Our outbound SMTP servers check for TLSA records and honor them: if the certificate of the receiving server does not match the fingerprint in its TLSA record, we will not deliver the email. For our inbound MX servers we publish TLSA records for the public key belonging to our certificate, so DANE-supporting servers can check that they are really talking to our servers, secured with the intended certificate.
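To make the two sides of the DANE answer concrete, here is an added example (not Soverin's code) of the TLSA record an MX operator publishes for its key and the matching rule an outbound server applies before delivering. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, and only certificate usage 3 (DANE-EE) is handled, which is an assumption.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Sequence

# Constructed placeholders standing in for real DER encodings; a real deployment
# would take these from the certificate presented in the TLS handshake.
CERT_DER = b"constructed: DER of the MX server certificate"
SPKI_DER = b"constructed: DER of its SubjectPublicKeyInfo"


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 3 = DANE-EE: the record pins the server certificate itself
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo (the public key)
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching_type: int) -> bytes:
    """Derive the bytes a TLSA record carries from a certificate (RFC 6698 fields)."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")

def publish_tlsa(cert_der: bytes, spki_der: bytes) -> TLSARecord:
    """Inbound side: the '3 1 1' record an MX operator publishes for its public key."""
    return TLSARecord(3, 1, 1, association_data(cert_der, spki_der, 1, 1))

def zone_line(owner: str, rec: TLSARecord) -> str:
    """Presentation format of the record, e.g. for _25._tcp.<mx host>."""
    return f"{owner} IN TLSA {rec.usage} {rec.selector} {rec.matching_type} {rec.data.hex()}"

def may_deliver(records: Sequence[TLSARecord], cert_der: bytes, spki_der: bytes) -> bool:
    """Outbound side: when TLSA records exist, refuse delivery unless one of them
    matches the certificate the receiving server presented."""
    if not records:
        return True  # no DANE published: nothing to pin against
    for rec in records:
        if rec.usage != 3:
            continue  # other usages need chain processing; not modelled here
        expected = association_data(cert_der, spki_der, rec.selector, rec.matching_type)
        if hmac.compare_digest(rec.data, expected):
            return True
    return False
```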

Do you use encrypted connections?

Yes. We ALWAYS use encrypted connections. We never send emails over unencrypted connections: not between you and us, and not between us and the mail servers of the people you email. This last part is especially important!

Do you use SPF & DMARC?

Yes. Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) are used to tell other mail servers who is allowed to send email for our and our customer domains. DMARC also instructs other mail servers what to do with emails they receive from other (unauthorized) systems.

How are your domains secured?

We have chosen a provider for our and our customer domains that supports Domain Name System Security Extensions (DNSSEC). This means all domains maintained by Soverin are secured, and DNS spoofing becomes a great deal more difficult.

How does the Have I Been Pwned (HIBP) check work?

At Soverin, we take your privacy seriously, even when using external tools like Have I Been Pwned (HIBP) to verify your password. HIBP is a well-known and trusted database containing billions of leaked passwords and email addresses from data breaches. By checking passwords against this database, we can prevent you from using a password that may already be known to malicious actors.


How Do We Protect Your Privacy with HIBP?

We never share your passwords directly with third parties, including HIBP. Instead, we use a process called "hashing":

• A hash is a one-way cryptographic representation of your password, so the password itself is never visible.
• During a check, we send only a portion of this hash (the first 5 characters) to HIBP.
• HIBP then returns a list of possible matches with hashes that share the same beginning.
• We compare this list locally on our systems with the full hash of your password.

This means your full password is never sent to HIBP, and HIBP cannot see your password. The process is entirely anonymous and secure.
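The four steps above in working form, as an added example that is not Soverin's own code. HIBP's Pwned Passwords range API is keyed on the SHA-1 of the password, so that is the hash split here; the range response is a constructed stand-in with made-up counts so the example runs offline.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for the body HIBP's range endpoint returns for the prefix
# 5BAA6: one "<35-hex-char suffix>:<count>" line per known hash starting with
# those 5 characters. Counts are made up for this example.
CONSTRUCTED_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # SHA-1("password") minus prefix
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
    ]),
}

def split_hash(password: str) -> Tuple[str, str]:
    """Hash the password and split the hex digest into the 5-character prefix
    that may leave our system and the suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS GET of /range/<prefix>; serves the constructed body."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")

def breach_count(password: str) -> int:
    """How often HIBP has seen this password (0 = not found). Only the prefix is
    sent out; the suffix comparison runs entirely on our side."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def password_is_acceptable(password: str) -> bool:
    """Policy applied at password change: reject anything HIBP has seen."""
    return breach_count(password) == 0
```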


Why Is This Process Reliable?

• Hashes are one-way: they cannot be reversed into the original password.
• By sharing only a small portion of the hash, we minimize the risk of unauthorized access or misuse.
• All full comparisons and verifications happen on our own systems.


How Does This Work in Practice?

When logging in: when you log in, we regularly check via HIBP whether your password appears in a leaked database. If it does, we will ask you to change your password the next time you log in to the Soverin Control Panel.


Is Soverin ISO certified?

Yes. Soverin is independently audited and certified to meet international standards:

• ISO 27001 – ensures strict controls for information security, so your data stays private and protected
• ISO 14001 – sets environmental standards, reflecting our commitment to sustainability
• ISO 9001 – focuses on consistent quality and continual improvement in everything we do

We’re also ready for today’s digital threats and regulatory landscape:

• NIS2 Ready – we meet the new EU-wide cybersecurity requirements for resilience, continuity, and transparency
• NEN 7510 (in progress) – the Dutch healthcare security standard, ensuring protection of medical and personal health data

Have a look on our recognition page for more information.


Where are Soverin’s servers hosted?

Everything is hosted on servers at separate locations within Europe, with secured infrastructure and disk encryption in case our hardware is ever confiscated. We select our hosting providers based on our strict privacy requirements.


Who is your certificate provider?

We have chosen Let’s Encrypt as our certificate provider. Let’s Encrypt is a non-profit certificate authority with a very good track record. A green/verified certificate on our website, dashboard and webmail gives you a way to verify which company is behind Soverin (Soverin B.V.).