Team Accounts and Domain Access Guide
Invite teammates to Postscale, assign roles, scope members to domains, and understand how member API keys inherit domain permissions.
TL;DR
Use Team accounts to invite admins and scoped members without sharing an owner login. Admins can manage the organization and all domains. Members only see assigned domains, can be read-only or read/write per domain, and can create API keys only for domains where they have read/write access.
What you will learn
- Choose the right role for admins, members, contractors, and support teams
- Assign read or read/write access to the domains a member should use
- Understand how scoped API keys, offboarding, and domain visibility work
How Team accounts work
Every Postscale organization has users. The first user is the owner. Owners and admins can invite additional teammates from Dashboard > Account > Team.
There are two layers of access:
- Role - what the user can do at the organization level.
- Domain access - which domains a member can see or modify.
This lets you keep organization control with a small admin group while giving teammates enough access to operate email infrastructure.
Roles
Postscale supports three roles.
| Role | Access |
|---|---|
| Owner | Full organization access. Owners can manage billing, settings, users, invitations, API keys, and every domain. |
| Admin | Full organization access for trusted operators. Admins can manage users, invitations, settings, API keys, and every domain. |
| Member | Scoped access. Members only see domains assigned to them and cannot manage billing, users, invitations, or organization settings. |
Use owners and admins sparingly. Most teammates should be members with explicit domain access.
Domain access levels
Members can receive one of two access levels per domain.
| Access level | Member can do |
|---|---|
| Read | View the assigned domain, DNS setup, DKIM records, aliases, inbound rules, stats, DMARC data, and warming status. |
| Read/write | Do setup and operational work for the assigned domain, including DNS verification, DKIM management, domain settings, aliases, inbound rules, and warming actions. |
Unassigned domains are hidden from members. If a member opens a direct URL for a domain they do not have access to, Postscale returns a not-found response instead of revealing that the domain exists.
Invite a teammate
- Open Dashboard > Account > Team.
- Enter the teammate's email address.
- Choose Admin or Member.
- Click Invite.
The invitee receives an invitation email. After accepting the invitation and verifying their email, they join your existing organization directly. Invited users are not sent through owner onboarding or plan selection.
Assign domain access to a member
After the member accepts the invitation:
- Open Dashboard > Account > Team.
- Find the member row.
- Click Access.
- Select the domains the member should use.
- Choose Read or Read/write for each domain.
- Save the changes.
Changes apply immediately. The member's dashboard and API access update to match the assigned domain list.
What members can work on
A member with read/write access to a domain can help with the domain's normal setup and operations:
- verify ownership, MX, SPF, DKIM, DMARC, and Return-Path DNS
- generate, rotate, deactivate, and verify DKIM keys
- update domain type and catch-all settings
- create and edit aliases
- create and edit inbound rules
- start, pause, and resume warming
- view stats and DMARC reports
- create API keys scoped to writable domains
A read-only member can inspect the same domain data but cannot make changes.
API key behavior
API keys created by members are scoped to the member's writable domains.
If a member creates an API key and does not choose explicit domains, Postscale scopes the key to the domains where the member has read/write access. If the member chooses explicit domains, every selected domain must be writable for that member.
Read-only domain access does not allow creating a write-capable API key for that domain.
Owners and admins can still create organization-wide API keys when an integration needs full-account access.
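The scoping rules above, together with the not-found behavior for unassigned domains, can be modeled as two small checks. This is an added example, not Postscale's code: the `User` class, both function names, the error types, and the refusal of an empty scope are assumptions made for illustration.

```python
from dataclasses import dataclass, field

READ, WRITE = "read", "read/write"

class NotFound(Exception):
    """Unassigned and nonexistent domains get the same response."""

class ScopeError(Exception):
    """Requested API key scope exceeds the member's writable domains."""

@dataclass
class User:
    email: str
    role: str                                   # "owner", "admin" or "member"
    access: dict = field(default_factory=dict)  # domain -> READ or WRITE

def access_level(user, domain, org_domains):
    """Return the user's level on a domain, or raise NotFound."""
    if domain in org_domains and user.role in ("owner", "admin"):
        return WRITE
    level = user.access.get(domain) if domain in org_domains else None
    if level is None:
        raise NotFound("domain not found")  # never echo whether it exists
    return level

def resolve_key_scope(user, org_domains, requested=None):
    """Return the sorted domain list a new API key is scoped to."""
    if user.role in ("owner", "admin"):
        allowed = set(org_domains)              # organization-wide keys allowed
    else:
        allowed = {d for d, lvl in user.access.items()
                   if lvl == WRITE and d in org_domains}
    if requested is None:
        scope = allowed                         # default: all writable domains
    else:
        scope = set(requested)
        if not scope <= allowed:
            # One generic error for read-only, unassigned and unknown domains
            raise ScopeError("scope must be limited to writable domains")
    if not scope:
        raise ScopeError("no writable domains")  # assumption: empty keys refused
    return sorted(scope)

# Constructed sample data, based on the staging/production pattern in this guide
ORG = {"example.com", "staging.example.com", "client-a.com"}
DEV = User("dev@example.com", "member",
           {"staging.example.com": WRITE, "example.com": READ})
OPS = User("ops@example.com", "admin")
```

Using one generic `ScopeError` for read-only, unassigned, and unknown domains keeps key creation from becoming a way to probe which domains exist, matching the not-found behavior of direct URLs.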
Common access patterns
Staging and production
Give developers read/write access to staging domains and read-only access to production domains. Give operations or senior engineers read/write access to production.
Example:
| User | Access |
|---|---|
| dev@example.com | Read/write: staging.example.com; Read: example.com |
| ops@example.com | Read/write: example.com, staging.example.com |
Agency or client domains
If one Postscale account manages domains for multiple clients, invite client contacts as members and grant access only to their own domains.
Example:
| User | Access |
|---|---|
| client-a@example.com | Read/write: client-a.com |
| client-b@example.com | Read/write: client-b.com, mail.client-b.com |
Support and operations teams
Support teams often need to inspect aliases, inbound rules, delivery stats, and DMARC data without changing setup. Grant read access unless the team is also responsible for edits.
Contractors and external partners
Give contractors read access when they only need to copy or validate DNS records. Upgrade to read/write only if they should perform setup actions in Postscale.
Offboarding
When someone leaves the team:
- Open Dashboard > Account > Team.
- Deactivate or remove the user.
- Review any organization-wide API keys that were shared outside Postscale.
Deactivating or deleting a user revokes that user's active API keys. Removing a member also removes their domain access because the user account is no longer active.
Things to keep in mind
- Admins and owners always have access to every domain.
- Members need explicit domain access before they can see a domain.
- Domain access is per-domain, not per-alias or per-rule.
- Read access is for visibility. Read/write access is for setup and operations.
- Member-created API keys can only target writable domains.
- At least one owner must remain on the organization.
Frequently asked questions
- Can a member work on domain setup?
- Yes. Give the member read/write access to that domain. They can verify DNS, manage DKIM, aliases, inbound rules, warming actions, stats, and DMARC for assigned domains.
- Can a member see every domain in the organization?
- No. Members only see domains assigned to them. Unassigned domains behave as not found in the dashboard and API.
- Do member API keys respect domain access?
- Yes. Member-created API keys can only include domains where that member has read/write access.