Any questions? Please let us know here.

Login and Registration

The validation process allows us to establish that the email address is genuine, and that you didn't make a mistake when entering it. You don't need to validate your email if you decide to register using Google or Facebook.

If you have forgotten your password, you can ask for it to be reset. Click "Forgot your password?" on our sign in form, enter your email address, and we will send you instructions by email on how to reset it.


You can change the settings for a particular alias by going to the Aliases Setup tab in the Settings page and selecting passthrough for the default sender status.

You can't see your emails in Volto; you can only see the list of people that have sent you emails.

When you set the status of a sender as 'blocked', all the emails that are received from this sender get automatically discarded and we don’t save them in our system. So, if one day you decide to authorize a sender that was previously blocked, you won't receive any archived emails.

This is the default status for an alias. When you receive an email from a new sender and the alias status is set to 'pending', we save the email until you decide whether you want to authorize it to go through or you want to block it.

This is a limitation imposed on us by an email authentication protocol called DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance".
DMARC is used to determine the origin and authenticity of email messages. For example, if someone sends an email from a @gmail.com address but the email does not originate from Gmail servers, it will get blocked.
Here at Volto we're forwarding a lot of emails on behalf of our users, so DMARC is something we have to be aware of.
As a result, we have to send emails from our own domain name. To do that, we don't use the sender's email address in the from: field; instead, we use a variation of it.
We change sendername@sendercompany.com to sendername{at}sendercompany.com@volto.io.
See what we've done there? We've changed the @ to {at} and we've added @volto.io at the end. This is so that we don't get our emails blocked by companies implementing DMARC.
However, the reply-to: field will have the sender's email address in the clear.
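The rewrite described above, sketched as an added example (this is not Volto's own code; the function names and the sample message are assumptions made for illustration). It maps the sender into the forwarder's domain, keeps the real address in Reply-To, and shows the inverse mapping:

```python
from email import message_from_string
from email.message import Message
from email.utils import formataddr, parseaddr

FORWARDER_DOMAIN = "volto.io"  # domain used in the FAQ's example


def rewrite_sender(address: str, domain: str = FORWARDER_DOMAIN) -> str:
    """sendername@sendercompany.com -> sendername{at}sendercompany.com@volto.io"""
    local, sep, host = address.rpartition("@")
    if not (sep and local and host):
        raise ValueError(f"not an email address: {address!r}")
    return f"{local}{{at}}{host}@{domain}"


def restore_sender(rewritten: str, domain: str = FORWARDER_DOMAIN) -> str:
    """Inverse mapping back to the sender's real address."""
    local, _, host = rewritten.rpartition("@")
    orig_local, marker, orig_host = local.rpartition("{at}")
    if host.lower() != domain or not (marker and orig_local and orig_host):
        raise ValueError(f"not a rewritten address: {rewritten!r}")
    return f"{orig_local}@{orig_host}"


def forward(raw: str) -> Message:
    """Rewrite From: so DMARC is evaluated against the forwarder's domain."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    new_from = formataddr((name, rewrite_sender(addr)))
    # Assumption: a Reply-To the sender set themselves is left untouched.
    if msg["Reply-To"] is None:
        msg["Reply-To"] = formataddr((name, addr))
    del msg["From"]  # drop the original header before adding the rewritten one
    msg["From"] = new_from
    return msg


# Constructed sample message (not real traffic).
SAMPLE = (
    "From: Alice Example <sendername@sendercompany.com>\n"
    "Subject: Hello\n"
    "\n"
    "Body text.\n"
)

if __name__ == "__main__":
    out = forward(SAMPLE)
    print(out["From"], out["Reply-To"], sep="\n")
```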


Security is paramount for us, and we're constantly improving how we store your data and how we protect the site from malicious misuse.

While we do everything we can to protect your account on our end, you also need to make sure you're following some basic principles:
1. use a strong and unique password for your account
2. keep an eye on whether your email has been compromised in a breach or not, potentially revealing your password
3. when you visit https://volto.io, type the address in your browser starting with "https" rather than "http" or just "volto.io". This is valid for all secured websites you visit
You can check how strong your password is using Kaspersky's Secure Password Check and you can keep an eye on your email being found in a data breach using Troy Hunt's https://haveibeenpwned.com.

If you think your data might be compromised or you have noticed something strange, please let us know here.

If you've signed up using Facebook or Google, we don't store your password. Facebook and Google act as identity providers which means that they authenticate you and tell us that you are who you say you are.

If you've signed up using email and password, we don't store your password either. When you enter a password, it is salted, hashed and the result of this hash is stored in the database. We use the PBKDF2 algorithm as recommended by OWASP to hash passwords in a computationally intensive manner, so that dictionary and brute-force attacks are less effective. To learn more about this process, check out this article.

Look at the address in the browser: it starts with https://volto.io/… and there is a padlock next to it. In simple terms, the "s" (for secure) in "https" means that
1. the website volto.io has been verified by a third party to be who it claims to be
2. all the data transferred from your browser to our servers is encrypted so that it cannot be read by anyone
3. you have assurance that data has not been modified while in transit.

For more details look at the Wikipedia article for HTTPS.