Envello
Tutorial

Security alert emails: what to send when, without crying wolf

Envello Team·2026-07-17·4 min read

Security alert emails exist to get a user's attention for something that actually needs it. Send too many, for events that don't warrant real concern, and users start ignoring or filtering them, which defeats the purpose the one time it actually matters.

What actually warrants an email

  • A new device or location signing in, especially one clearly outside the user's normal pattern
  • A password or email address change on the account
  • A new API key created or an existing one's permissions changed, for products where that's account-level access
  • Account recovery flows being initiated, since this is exactly the kind of event an attacker triggers

What belongs in an activity log instead

Routine, expected logins from a known device and location don't need an email, they'd just train users to ignore security emails entirely. Keep a queryable account activity log for that lower-signal information, and reserve email for events that genuinely warrant interrupting someone.

What the email should actually say

Be specific: what happened, when, and from where (approximate location, device type) if you have that data, plus a clear, immediate action if the user didn't do this (a "secure your account" link, not just "contact support"). Vague alerts ("unusual activity detected") without specifics train users to dismiss them just as effectively as sending too many alerts does.

Envello

EU-hosted transactional email, done right by default.