Mailchimp Hardening Guide
Email marketing security for API keys, audience protection, and domain authentication
Overview
Mailchimp manages email marketing with audience data, campaign history, and customer engagement metrics. API keys, OAuth apps, and integrations access subscriber lists and behavioral data. Compromised access enables mass phishing distribution through trusted sender reputation, or exfiltration of subscriber databases.
Intended Audience
- Security engineers managing marketing platforms
- Marketing administrators
- GRC professionals assessing email marketing compliance
- Third-party risk managers evaluating marketing integrations
1. Authentication & Access Controls
1.1 Enforce MFA
Profile Level: L1 (Baseline) NIST 800-53: IA-2(1)
ClickOps Implementation
Step 1: Enable Two-Factor Authentication
- Navigate to: Account → Settings → Security
- Enable: Two-factor authentication
- Configure authenticator app
Step 2: Enforce for All Users
- Require 2FA for all account users
- Configure backup methods
- Review recovery codes
1.2 Implement Access Levels
Profile Level: L1 (Baseline) NIST 800-53: AC-3, AC-6
ClickOps Implementation
Step 1: Define User Levels
| Level | Permissions |
|---|---|
| Owner | Full access (1 user) |
| Admin | Manage users, full features |
| Manager | Create campaigns, manage audiences |
| Author | Create content only |
| Viewer | Read-only |
Step 2: Configure User Access
- Navigate to: Account → Settings → Users
- Assign minimum required level
- Review access quarterly
2. API Security
2.1 Secure API Keys
Profile Level: L1 (Baseline) NIST 800-53: IA-5
Description
Inventory Mailchimp API keys, issue one key per integration with a documented purpose, and rotate or revoke them on a schedule so that a single leaked key exposes as little as possible.
Rationale
Attack Scenario: Compromised API key exports entire subscriber list; enables mass phishing through trusted sending domain.
ClickOps Implementation
Step 1: Audit API Keys
- Navigate to: Account → Extras → API keys
- Review all active keys
- Delete unused keys
Step 2: Create Scoped Keys
- Create separate keys per integration
- Document key purposes
- Rotate keys annually
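The audit in Steps 1 and 2 is easier to repeat if the key inventory is kept as data and checked by a script. The following is an added example, not Mailchimp's code or part of the original guide: it flags keys past the annual rotation age, keys with no documented purpose, and malformed entries, and it shows how a key's data-center suffix selects the Marketing API host. The inventory rows and the all-zero key values are constructed placeholders; in practice the key material would come from a secrets manager, never from source. The `anystring:<key>` HTTP Basic scheme is the form Mailchimp's own curl examples use, but confirm it against the current API documentation before relying on it.

```python
"""Mailchimp API key hygiene check (added example, not Mailchimp's code)."""
import base64
import re
import urllib.request
from datetime import date
from typing import Optional

# Mailchimp keys end in a data-center suffix (e.g. "-us1") that selects the API host.
KEY_RE = re.compile(r"^[0-9a-f]{32}-(?P<dc>[a-z]{2}\d{1,2})$")
ROTATION_DAYS = 365  # the guide's "rotate keys annually"

# Constructed inventory: the record you keep when documenting key purposes.
# Key values are placeholders in the documented format, not real keys.
INVENTORY = [
    {"label": "crm-sync", "key": "0" * 32 + "-us1", "created": date(2025, 1, 10), "purpose": "CRM contact sync"},
    {"label": "legacy",   "key": "1" * 32 + "-us1", "created": date(2023, 6, 1),  "purpose": ""},
    {"label": "shop",     "key": "2" * 32 + "-us6", "created": date(2025, 11, 2), "purpose": "Storefront signup form"},
    {"label": "bad",      "key": "not-a-key",       "created": date(2025, 11, 2), "purpose": "Unknown"},
]


def data_center(key: str) -> Optional[str]:
    """Return the data-center suffix of a well-formed key, else None."""
    m = KEY_RE.match(key)
    return m.group("dc") if m else None


def audit_keys(inventory, today: date) -> dict:
    """Classify inventory entries into rotation, documentation and format findings."""
    findings = {"rotate": [], "undocumented": [], "malformed": []}
    for item in inventory:
        if data_center(item["key"]) is None:
            findings["malformed"].append(item["label"])
            continue
        if (today - item["created"]).days > ROTATION_DAYS:
            findings["rotate"].append(item["label"])
        if not item["purpose"].strip():
            findings["undocumented"].append(item["label"])
    return findings


def build_request(key: str, path: str) -> urllib.request.Request:
    """Build (but do not send) an authenticated Marketing API request.

    The host is derived from the key's data-center suffix; the credential is
    sent as HTTP Basic with an arbitrary username, as in Mailchimp's curl examples.
    """
    dc = data_center(key)
    if dc is None:
        raise ValueError("malformed API key")
    token = base64.b64encode(f"anystring:{key}".encode()).decode()
    return urllib.request.Request(
        f"https://{dc}.api.mailchimp.com/3.0{path}",
        headers={"Authorization": f"Basic {token}"},
    )


if __name__ == "__main__":
    for category, labels in audit_keys(INVENTORY, date.today()).items():
        print(f"{category}: {labels}")
    print(build_request("0" * 32 + "-us1", "/ping").full_url)
```

Run on a real inventory, the `rotate` list is the set of keys to regenerate under Account → Extras → API keys, and `undocumented` is the set whose owner and integration need to be established before they are kept.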
2.2 OAuth App Security
Profile Level: L1 (Baseline) NIST 800-53: CM-7
ClickOps Implementation
Step 1: Review Connected Apps
- Navigate to: Account → Settings → Connected apps
- Review all OAuth authorizations
- Revoke unused apps
Step 2: Integration Audit
- Review integration permissions
- Remove unnecessary access
- Document all integrations
3. Audience Security
3.1 Protect Subscriber Data
Profile Level: L1 (Baseline) NIST 800-53: SC-28
ClickOps Implementation
Step 1: Configure Export Restrictions
- Limit export permissions
- Enable export notifications
- Audit export activity
Step 2: Segment Access
- Use audience segments
- Limit access by user level
- Protect sensitive segments
3.2 Email Authentication
Profile Level: L1 (Baseline) NIST 800-53: SI-3
ClickOps Implementation
Step 1: Configure Domain Authentication
- Navigate to: Website → Domains
- Authenticate sending domains
- Configure DKIM
Step 2: Enable DMARC
- Set up SPF records
- Configure DMARC policy
- Monitor email deliverability
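Steps 1 and 2 above leave the domain's SPF and DMARC records in DNS, and their strength is what decides whether a spoofed message using the domain is rejected. The following is an added example, not part of the original guide or Mailchimp's code, that evaluates SPF and DMARC TXT records you have already fetched (for instance with `dig TXT example.com` and `dig TXT _dmarc.example.com`), so it runs offline. It assumes Mailchimp's SPF include hostname is `servers.mcsv.net`; verify that against Mailchimp's current domain-authentication documentation. DKIM is published as a CNAME that Mailchimp provides and is not checked here.

```python
"""Evaluate SPF and DMARC records for a Mailchimp sending domain (added example)."""
import re

MAILCHIMP_SPF_INCLUDE = "servers.mcsv.net"  # assumed value; verify in Mailchimp docs
ALL_RE = re.compile(r"^[+\-~?]?all$", re.IGNORECASE)


def parse_spf(txt: str) -> dict:
    """Return the include targets and the terminal 'all' mechanism of an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    includes = [t.split(":", 1)[1] for t in terms[1:] if t.lower().startswith("include:")]
    all_term = next((t.lower() for t in terms[1:] if ALL_RE.match(t)), None)
    return {"includes": includes, "all": all_term}


def parse_dmarc(txt: str) -> dict:
    """Return DMARC tag/value pairs, e.g. {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def evaluate(spf_txt: str, dmarc_txt: str) -> list:
    """Return human-readable findings; an empty list means the records look sound."""
    findings = []
    spf = parse_spf(spf_txt)
    if MAILCHIMP_SPF_INCLUDE not in spf["includes"]:
        findings.append(f"SPF: missing include:{MAILCHIMP_SPF_INCLUDE}")
    if spf["all"] in (None, "+all", "?all"):
        findings.append(f"SPF: permissive or absent all mechanism ({spf['all']})")
    dmarc = parse_dmarc(dmarc_txt)
    policy = dmarc.get("p", "none")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so no aggregate reports to monitor")
    pct = int(dmarc.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"DMARC: policy applies to only {pct}% of mail")
    return findings


if __name__ == "__main__":
    # Constructed records for illustration, not a real domain's DNS.
    for line in evaluate("v=spf1 include:_spf.google.com +all", "v=DMARC1; p=none"):
        print(line)
```

A domain that has just been authenticated in Mailchimp typically starts at `p=none` so reports can be reviewed; the point of the `rua` check is that without an aggregate-report address the "monitor" step in Step 2 has nothing to monitor.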
4. Monitoring & Detection
4.1 Account Activity
Profile Level: L1 (Baseline) NIST 800-53: AU-2, AU-3
ClickOps Implementation
Step 1: Review Login History
- Navigate to: Account → Settings → Security
- Review login activity
- Investigate suspicious logins
Detection Focus
```sql
-- Detect bulk exports
SELECT user_email, export_type, record_count
FROM mailchimp_activity
WHERE action = 'export'
  AND record_count > 1000
  AND timestamp > NOW() - INTERVAL '24 hours';

-- Detect suspicious campaign creation
SELECT user_email, campaign_name, audience_size
FROM campaign_log
WHERE created_at > NOW() - INTERVAL '24 hours'
  AND audience_size > 10000;
```
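The two queries above assume the account's activity has been exported to a warehouse table; per Appendix A that audit-log feed is only available on the Premium edition. The following is an added example, not part of the original guide, that runs the same detection logic against constructed rows in an in-memory SQLite database so the behaviour of the thresholds can be checked before pointing the queries at real data. SQLite has no `NOW() - INTERVAL '24 hours'`, so the window is computed against an explicit reference time, which also makes the results reproducible.

```python
"""Run the guide's bulk-export and large-campaign detections on sample data (added example)."""
import sqlite3
from datetime import datetime, timedelta

REF_TIME = datetime(2025, 12, 14, 12, 0, 0)  # constructed "now" for reproducible results

# Constructed activity rows: (user_email, export_type, record_count, timestamp)
ACTIVITY = [
    ("alice@example.com", "audience_csv", 25000, REF_TIME - timedelta(hours=2)),
    ("bob@example.com",   "segment_csv",    150, REF_TIME - timedelta(hours=5)),
    ("carol@example.com", "audience_csv", 40000, REF_TIME - timedelta(days=3)),  # outside window
]
# Constructed campaign rows: (user_email, campaign_name, audience_size, created_at)
CAMPAIGNS = [
    ("alice@example.com", "Q4 Promo",      52000, REF_TIME - timedelta(hours=1)),
    ("dave@example.com",  "Internal test",    40, REF_TIME - timedelta(hours=3)),
    ("erin@example.com",  "Old blast",     90000, REF_TIME - timedelta(days=2)),   # outside window
]


def load_db() -> sqlite3.Connection:
    """Create the two tables the guide's queries reference and load the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE mailchimp_activity (user_email TEXT, action TEXT, export_type TEXT, "
        "record_count INTEGER, timestamp TEXT)"
    )
    con.executemany(
        "INSERT INTO mailchimp_activity VALUES (?, 'export', ?, ?, ?)",
        [(u, e, n, ts.isoformat(sep=" ")) for u, e, n, ts in ACTIVITY],
    )
    con.execute(
        "CREATE TABLE campaign_log (user_email TEXT, campaign_name TEXT, "
        "audience_size INTEGER, created_at TEXT)"
    )
    con.executemany(
        "INSERT INTO campaign_log VALUES (?, ?, ?, ?)",
        [(u, c, n, ts.isoformat(sep=" ")) for u, c, n, ts in CAMPAIGNS],
    )
    return con


def bulk_exports(con, ref=REF_TIME, threshold=1000):
    """Exports larger than `threshold` rows in the 24 hours before `ref`."""
    cutoff = (ref - timedelta(hours=24)).isoformat(sep=" ")  # ISO strings sort chronologically
    return con.execute(
        "SELECT user_email, export_type, record_count FROM mailchimp_activity "
        "WHERE action = 'export' AND record_count > ? AND timestamp > ?",
        (threshold, cutoff),
    ).fetchall()


def large_campaigns(con, ref=REF_TIME, threshold=10000):
    """Campaigns created in the 24 hours before `ref` that target more than `threshold` recipients."""
    cutoff = (ref - timedelta(hours=24)).isoformat(sep=" ")
    return con.execute(
        "SELECT user_email, campaign_name, audience_size FROM campaign_log "
        "WHERE created_at > ? AND audience_size > ?",
        (cutoff, threshold),
    ).fetchall()


if __name__ == "__main__":
    db = load_db()
    print("bulk exports:", bulk_exports(db))
    print("large campaigns:", large_campaigns(db))
```

The fixed thresholds (1000 records, 10000 recipients) come from the guide's queries; for a real account they should be set relative to the audience sizes and normal export volume of that account, otherwise routine segment exports will generate noise while a small-audience account's full export goes unflagged.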
Appendix A: Edition Compatibility
| Control | Essentials | Standard | Premium |
|---|---|---|---|
| 2FA | ✅ | ✅ | ✅ |
| User Levels | Limited | ✅ | ✅ |
| API Access | ✅ | ✅ | ✅ |
| Audit Logs | ❌ | ❌ | ✅ |
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-12-14 | 0.1.0 | draft | Initial Mailchimp hardening guide | Claude Code (Opus 4.5) |