The Secure E-mail API makes sure your e-mails to clients, users and other audiences are compliant with mandatory GDPR/AVG regulations for businesses. When sending (bulk) business e-mails it is hard to make sure that the e-mail servers of all your addressees have the right standard security configured and that the e-mails arrive at the intended mailboxes. By law, it is not allowed to send sensitive data over unsecured e-mail.

The Secure E-mail API solves this problem for you by checking the security of the connection with e-mail servers and only sending your message through to secure servers.

API specification

Test the API on SwaggerHub

Base URL

Conceptual model

Conceptual model



In this context, an account is the entity where organizational parameters are held and maintained.

Apex domain

An apex domain is a root domain that does not contain a subdomain. For example, is an apex domain but is not, because it contains the subdomain part www.


The AVG (in Dutch: Algemene verordening gegevensbescherming) is the Dutch name for the GDPR.


Domain Name Service. A service that translates domain names to IP addresses and vice versa.


DomainKeys Identified Mail (DKIM) is an e-mail authentication method designed to detect forged sender addresses in e-mails (e-mail spoofing), a technique often used in phishing and e-mail spam.


DMARC (Domain-based Message Authentication, Reporting and Conformance) is an e-mail authentication protocol. It is designed to give e-mail domain owners the ability to protect their domain from unauthorized use.


This is the domain name, from which you will be sending your secure e-mails.


The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.


MX (Mail Exchange-record) specifies where the e-mails for your domain should be delivered.


Sender Policy Framework (SPF) is an e-mail authentication method designed to detect forging sender addresses during the delivery of the e-mail.


These records are used to store text-based information related to your domain. One of their most common uses is for SPF data. SPF is an attempt to control forged e-mail.

API workflow

API workflow


  • You must be able to configure the DNS records of your registered domain to route e-mails to the SecuMailer platform.


  • Always deliver e-mail to secure e-mail servers.
  • Supports bulk e-mails.
  • Compliant with GDPR/AVG regulation.

Getting started

Make sure you've read What's in it for you for more info on how to register and start testing APIs.


The API follows the KPN Store API Authentication Standard to secure the API. It includes the use of OAuth 2.0 client_id and client_secret to receive an access token.

Go to the Authentication tab on top of this page to find out how to:

  • Authenticate to an API using cURL.
  • Authenticate to an API on Swaggerhub.
  • Import Open API Specifications (OAS), also called Swagger files into Postman.

Setting up your third-party account with SecuMailer

To start e-mailing with the Secure E-mail API, you need to create a SecuMailer account.

Use the API request POST /account to create an account on the SecuMailer platform, providing the domain name and an e-mail address on which you would like to receive notifications. You will receive a notification, for example, when a secure e-mail can't be sent to the addressee.

POST ​/account See on SwaggerHub

^^Request body^^
  "domain": ""

Configuring your DNS registration

To send secure e-mails, you need to make changes to your DNS registration. You need to create:

  • 2 MX records for a subdomain of the apex domain (the default is
  • A number of TXT records (SPF, DKIM and DMARC) that establish proof of ownership of the domain.

You can retrieve the set of required DNS changes by calling the GET /account endpoint. You need to supply the domain for which you are retrieving the DNS settings as documented by the Swagger file. You will receive the values that you need to implement as DNS changes.

GET ​/account See on SwaggerHub

^^Example of MX and TXT records^^
  "domain": "",
  "mx": {
    "value": "10",
    "hostname": "",
    "type": "MX"
  "spf": {
    "value": "v=spf1 ~all",
    "hostname": "",
    "type": "TXT"
  "dmarc": {
    "value": "v=DMARC1; p=quarantine;;; pct=0; fo=1",
    "hostname": "",
    "type": "TXT"
  "ses": {
    "hostname": "",
    "value": "RsDYehqnkyd6xPZ8i7i5dKawKrOWlveYmN1q6ahL9Gw=",
    "status": "Success",
    "type": "TXT"
    "status": "Success"

The values consist of a section named receiving_dns_records and sending_dns_records:

  • The first section shows the MX records. They need to be applied to the host value as documented in the hostname attribute of the response. This will generally be in the form of

Do not apply these settings to your root domain as this will interfere with your regular e-mail.

  • The second section shows a number of TXT records. These need to be applied to the host as determined in each hostname attribute of a TXT record.

DNS changes take time to process. As soon as your DNS changes are validated correctly, the state attribute in the domain section will change from unverified to valid. When this is the case, you can start sending messages via the /message endpoint.

Take into account that syncing DNS can take up to 24 hours.

How to...

Send secure e-mails

Use the POST /message endpoint to send a secure e-mail. Send the following application/JSON payload in the request.

  • A sender.
  • One or more recipients.
  • A MIME-encoded, escaped e-mail message.

The payload date and Message-ID should be unique.

Return codes

Code Description
200 Success.
201 Created.
202 Accepted.
302 Found. Link in location header.
400 Bad request.
401 Unauthorized.
403 Forbidden.
404 Not found.
405 Method not allowed.
412 Precondition failed.
429 Too many requests.
500 Internal server error.
502 Bad gateway.
503 Service unavailable.

HTTP response headers

The following tables display the standard response headers that are returned with each API response:

Standard response field name Description
sunset This field will be populated with the deprecation details. By default the value is n/a.
api-version Indicates the API version you have used.
quota-interval Used to specify an integer (for example, 1, 2, 5, 60, and so on) that will be paired with the quota-time-unit you specify (minute, hour, day, week, or month) to determine a time period during which the quota use is calculated.
For example, an interval of 24 with a quota-time-unit of hour means that the quota will be calculated over the course of 24 hours.
quota-limit Number of API calls an user can make within a given time period.
If this limit is exceeded, the user will be throttled and API requests will fail.
quota-reset-UTC All quota times are set to the Coordinated Universal Time (UTC) time zone.
quota-time-unit Used to specify the unit of time applicable to the quota.
For example, an interval of 24 with a quota-time-unit of hour means that the quota will be calculated over the course of 24 hours.
quota-used Number of API calls made within the quota.
strict-transport-security The HTTP Strict-Transport-Security (HSTS) response header lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. All present and future subdomains will be HTTPS for a maximum of 1 year and access is blocked to pages or sub domains that can only be served over HTTP including HSTS preload lists of web browsers.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.
Access control field name Description
access-control-allow-credentials Tells browsers whether to expose the response to frontend JavaScript when the request's credentials mode (Request.credentials) is include.
When a request's credentials mode (Request.credentials) is include, browsers will only expose the response to frontend JavaScript if the Access-Control-Allow-Credentials value is true. Boolean.
access-control-allow-origin Indicates whether the response can be shared with requesting code from the given origin.
access-control-allow-headers Used in response to a pre-flight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request.
access-control-max-age Indicates how long the results of a pre-flight request (that is the information contained in the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers) can be cached.
access-control-allow-methods Indicates which HTTP methods are allowed on a particular endpoint for cross-origin requests.
For example: GET, PUT, POST, DELETE.
content-length The Content-Length entity header indicates the size of the entity-body, in bytes, sent to the recipient.
content-type The Content-Type entity header the client what the content type of the returned content actually is.

Mopinion feedback