Guide · Security
Are magic links & password-reset emails secure?
A magic link or password-reset link is a one-time key to someone's account. Whoever can read that email can take over the account — so who can access the email, and whether the link is tampered with in transit, matters more than for ordinary mail.
Why these emails are high-value targets
Unlike a receipt or a newsletter, a magic link is a bearer credential. Two risks are specific to it: who holds a copy of the email (your sending provider, its jurisdiction, its retention), and whether the link is rewritten or pre-fetched before it reaches the user.
The US CLOUD Act risk
If your transactional email runs through a US-owned provider, the emails it processes and stores — including the ones carrying live reset tokens — can be compelled under the US CLOUD Act, wherever they are physically stored. A UK-owned, UK-hosted provider keeps your copy of those emails under UK law only, with no US entity to compel.
The link-tracking risk (often overlooked)
Many email providers rewrite every link to track clicks. For a magic link that's dangerous: your one-time token is routed through the provider's servers (where it's logged), and automated "click" pre-fetching by scanners can consume a single-use link before your user even clicks it. We never track or rewrite links — the token is delivered byte-for-byte as you sent it, never logged or proxied by us. (It's also why we don't do open/click tracking at all — see our privacy stance.)
What Sovereign Mail does
- UK-only processing & storage of the email — outside US jurisdiction.
- No link rewriting or click tracking — tokens are never logged or proxied.
- TLS in transit (MTA-STS / TLS-RPT) and DKIM signing, so the email is encrypted to the recipient and authenticated (harder to spoof for phishing).
- Minimal retention you control.
What you should still do
- Make tokens short-lived (e.g. 10–15 minutes) and single-use.
- Use HTTPS links; never put the token in the subject line.
- Rate-limit reset/login requests and bind the link to the requesting session where you can.
One honest caveat
Sovereignty and no-tracking protect the link throughout our pipeline. Once delivered, the recipient's own mailbox provider holds a copy — that's outside any sending provider's control. End-to-end, also consider your users' inbox providers.
Frequently asked questions
Can the US government read magic links sent through Sovereign Mail?
No. The emails carrying your magic links are processed and stored only in the UK by a UK-owned company, so there is no US entity that can be compelled to hand them over under the US CLOUD Act. (Once delivered, the recipient's own mailbox provider holds a copy — that is outside any sending provider's control.)
Do you rewrite or track the links in emails?
No. Many providers rewrite links to track clicks, which routes your one-time token through their servers (where it is logged) and can pre-fetch and invalidate single-use links. We never track or rewrite links, so your token is delivered exactly as you wrote it.
Does this make password resets completely secure?
It removes the provider-side and foreign-jurisdiction risks and avoids link tracking. You should still issue short-lived, single-use tokens over HTTPS and rate-limit requests — security is a shared responsibility.
Send reset & magic-link emails from the UK
UK-owned, UK-hosted, no tracking, outside US CLOUD Act reach.
Create an accountThis is general guidance, not legal or security advice.