How can senders audit security in ESP dashboards?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Think about the last time someone left your team. Did you go into your ESP and remove their access that same week? If you're being honest, probably not. And that's exactly where most ESP security audits fall apart. It's not dramatic, it's just a handful of forgotten users and stale API keys that quietly pile up.
A proper audit covers four areas. Here's how to walk through each one.
User permissions and access levels
Most ESPs offer at least three tiers of access: admin (full control), send-only (can trigger campaigns but can't change settings), and report-only (read-only, analytics). Pull up your user list and ask yourself whether each person's permission level matches what they actually do. A contractor who ran one campaign six months ago doesn't need admin access today. Remove them or drop them to the lowest level that still lets them work. Check the last-login timestamp while you're there. If someone hasn't logged in for 90 days, that's a flag worth investigating.
API key inventory
API keys are easy to create and easy to forget. Open your key management page and list every active key. For each one, ask: do I know who created this? Do I know what it connects to? Is the scope limited to what that integration actually needs? A key with full account permissions tied to a single integration is a much bigger risk than it needs to be. Delete anything you don't recognize or can't explain, and make sure test keys from development aren't sitting live in production (this happens more than you'd think).
Activity logs
Now this is where you'd catch something actually going wrong. Look at login history for unusual locations or access times. Check for failed login attempts, especially repeated ones against the same account. Look for admin actions you don't remember authorizing: list exports, sender domain changes, suppression list edits. ESPs like Twilio SendGrid and Mailchimp keep detailed audit logs. If yours doesn't expose this in the dashboard, ask support how to access it.
Authentication settings
Confirm two-factor authentication (2FA) is turned on for every user with access, not just admins. Check your session timeout settings. If a session stays open for 30 days by default, that's a long window for an unattended laptop to cause damage. Some ESPs let you enforce 2FA organization-wide. If that option exists, use it.
But a realistic audit schedule looks like this. Every month, review who has access and remove anyone who shouldn't. Every quarter, go through your API keys and prune anything stale. Once a year (or after any team change), do a full review of permission levels to make sure they still make sense for how your team works now.
If you want to understand how your ESP handles account-level security on their end, that's a separate topic worth digging into. Check out how ESPs protect against account compromise and how webhook and API integrity gets verified if you're building something that connects to your ESP programmatically.
Stuck on something specific or not sure where to start? Our SOS hotline is free and there's no sales pitch waiting on the other end.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.