Email Fast Get a sandbox key
Features

Enterprise identity, done the boring right way

SAML single sign-on and SCIM provisioning on enterprise plans, with passkeys, TOTP and recovery codes, and hardened sessions for every account.

Sign-in your security team won't fight

Email Fast is an SSO and SCIM email platform on its enterprise plans: SAML single sign-on against your identity provider, and SCIM to provision and deprovision users automatically from your directory. Passkeys, TOTP, and hardened sessions aren't gated at all — every account gets them.

How it works

  1. SAML SSO — connect your identity provider; sign-in happens where your directory lives. Available on enterprise plans.
  2. SCIM — provisioning and deprovisioning follow your directory, so offboarding removes access here the moment it happens there. Enterprise plans.
  3. WebAuthn passkeys — phishing-resistant sign-in, on every account.
  4. TOTP with recovery codes — standard authenticator-app two-factor, on every account.

Underneath all of it, sessions are hardened: __Host--prefixed cookies and CSRF protection.

The evidence

What the __Host- prefix buys

Per the cookie-prefixes rules in the current cookie specification (RFC 6265bis), a browser refuses a __Host- cookie unless it is set with Secure, from a secure origin, with no Domain attribute, and Path=/. The session cookie therefore structurally cannot be scoped wider than this host or sent over plaintext — an invariant enforced by the browser itself, not by our configuration staying correct.

Honest limits

Gating and lost-key reality

SAML SSO and SCIM sit on enterprise plans — the same answer the pricing page gives, because a feature page and a pricing page that disagree are their own kind of security problem. Recovery codes are shown once; store them like the credential they are. And SAML setup requires an administrator on your identity provider's side — that half of the handshake is necessarily yours.

Where to go next

The wider control set — audit chains, DLP, key custody — lives behind the enterprise door. Our disclosure posture is on the security page, and the data-handling side is under compliance. Evaluating vendors side by side? Start at the comparison hub.

Questions, answered plainly

Which identity providers work with SSO?

Any SAML identity provider — sign-in happens where your directory already lives, and Email Fast acts as the service provider.

Which plans include SSO and SCIM?

SAML SSO and SCIM are available on enterprise plans, matching the pricing page. Passkeys, TOTP, recovery codes, and session hardening come with every account on every plan.

What happens when we deprovision someone?

Removing a user in your directory deprovisions them here through SCIM — offboarding removes access without anyone filing a ticket or remembering a checklist item.

Passkeys or TOTP — which should we use?

Passkeys where you can: WebAuthn is phishing-resistant, since the credential is bound to the origin. TOTP with recovery codes remains available as the widely-compatible fallback.

See it for yourself

Sandbox keys run the real pipeline dry — real validation, real events, a hosted inbox, no email sent. Early access is onboarding now.