The Secure E-mail API makes sure your e-mails to clients, users and other audiences are compliant with mandatory GDPR/AVG regulations for businesses. When sending (bulk) business e-mails it is hard to make sure that the e-mail servers of all your addressees have the right standard security configured and that the e-mails arrive at the intended mailboxes. By law, it is not allowed to send sensitive data over unsecured e-mail. The Secure E-mail API solves this problem for you by checking the security of the connection with e-mail servers and only sending your message through to secure servers.

API specification

Test the API on SwaggerHub

Base URL

Conceptual model

Conceptual model



In this context, an account is the entity where organizational parameters are held and maintained.

Apex domain

An apex domain is a root domain that does not contain a subdomain. For example, is an apex domain but is not, because it contains the subdomain part www.


The AVG (in Dutch: Algemene verordening gegevensbescherming) is the Dutch name for the GDPR.


Domain Name Service. A service that translates domain names to IP addresses and vice versa.


DomainKeys Identified Mail (DKIM) is an e-mail authentication method designed to detect forged sender addresses in e-mails (e-mail spoofing), a technique often used in phishing and e-mail spam.


DMARC (Domain-based Message Authentication, Reporting and Conformance) is an e-mail authentication protocol. It is designed to give e-mail domain owners the ability to protect their domain from unauthorized use.


This is the domain name, from which you will be sending your secure e-mails.


The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.


MX (Mail Exchange-record) specifies where the e-mails for your domain should be delivered.


Sender Policy Framework (SPF) is an e-mail authentication method designed to detect forging sender addresses during the delivery of the e-mail.


These records are used to store text-based information related to your domain. One of their most common uses is for SPF data. SPF is an attempt to control forged e-mail.

API workflow

API workflow


  • You must be able to configure the DNS records of your registered domain to route e-mails to the SecuMailer platform.


  • Always deliver e-mail to secure e-mail servers.
  • Supports bulk e-mails.
  • Compliant with GDPR/AVG regulation.

Setting up your third-party accounts

To start e-mailing with the Secure E-mail API, you need to create a SecuMailer account.

Use the API request POST /account to create an account on the SecuMailer platform, providing the domain name and an e-mail address on which you would like to receive notifications. You will receive a notification, for example, when a secure e-mail can't be sent to the addressee.

POST ​/account See on SwaggerHub

^^Request body^^
  "domain": ""

Configuring your DNS registration

To send secure e-mails, you need to make changes to your DNS registration. You need to create:

  • Two MX records for a subdomain of the apex domain (the default is
  • A number of TXT records (SPF, DKIM and DMARC) that establish proof of ownership of the domain.

You can retrieve the set of required DNS changes by calling the GET /account endpoint. You need to supply the domain for which you are retrieving the DNS settings as documented by the Swagger file. You will receive the values that you need to implement as DNS changes.

GET ​/account See on SwaggerHub

^^Example of MX and TXT records^^
  "domain": "",
  "mx": {
    "value": "10",
    "hostname": "",
    "type": "MX"
  "spf": {
    "value": "v=spf1 ~all",
    "hostname": "",
    "type": "TXT"
  "dmarc": {
    "value": "v=DMARC1; p=quarantine;;; pct=0; fo=1",
    "hostname": "",
    "type": "TXT"
  "ses": {
    "hostname": "",
    "value": "RsDYehqnkyd6xPZ8i7i5dKawKrOWlveYmN1q6ahL9Gw=",
    "status": "Success",
    "type": "TXT"
    "status": "Success"

The values consist of a section named receiving_dns_records and sending_dns_records:

  • The first section shows the MX records. They need to be applied to the host value as documented in the hostname attribute of the response. This will generally be in the form of

Do not apply these settings to your root domain as this will interfere with your regular e-mail.

  • The second section shows a number of TXT records. These need to be applied to the host as determined in each hostname attribute of a TXT record.

DNS changes take time to process. As soon as your DNS changes are validated correctly, the state attribute in the domain section will change from unverified to valid. When this is the case, you can start sending messages via the /message endpoint.

Take into account that syncing DNS can take up to 24 hours.

How to...

Send secure e-mails

Use the POST /message endpoint to send a secure e-mail. Send the following application/JSON payload in the request.

  • A sender.
  • One or more recipients.
  • A MIME-encoded, escaped e-mail message.

The payload date and Message-ID should be unique.

Return codes

Code Description
200 Success.
201 Created.
202 Accepted.
302 Found. Link in location header.
400 Bad request.
401 Unauthorized.
403 Forbidden.
404 Not found.
405 Method not allowed.
412 Precondition failed.
429 Too many requests.
500 Internal server error.
502 Bad gateway.
503 Service unavailable.

Mopinion feedback