We are thrilled to announce a series of significant enhancements and advancements in our industry-leading DNS infrastructure.
As the pioneers in Domain-based Message Authentication, Reporting, and Conformance (DMARC)-as-a-service, with the patents to prove it, Valimail has been at the forefront of innovation in email security, continually setting new industry standards. We’ve been involved in co-authoring the Authenticated Receiver Chain (ARC) protocol, the co-chair and co-editor of the IETF Working Group, and founded and currently chair the AuthIndicators (BIMI) Working Group.
In this blog post, we’ll delve into our recent enhancements and advancements in our DNS infrastructure, our commitment to DMARC enforcement, and the steps we’re taking to ensure scalability, visibility, and security for our valued customers who have put their trust in us to authenticate their email, and prevent bad actors from spoofing their domains.
Leading the Way in DMARC
Valimail has solidified its position as the leader in DMARC-as-a-service. Over the last 3 years, we’ve added thousands of new customers to bring our total customer count over 30,000, a 500% increase in our DMARC solution. We have pioneered numerous innovations in the industry, including our patented Instant SPF technology, which has played a pivotal role in advancing the landscape of email security.
Our technology has been instrumental in helping over ten thousand companies worldwide achieve DMARC enforcement. With the highest enforcement rates in the industry, we authenticate billions of emails every week and have thwarted billions of phish attempting to impersonate thousands of the world’s most prominent brands.
At our core- Valimail runs a DNS service for our customers that responds to authentication requests to provide precise, accurate, and real-time email protection. This service is extremely robust, and has had greater than 99.999% uptime each year. In our quest to offer unparalleled DMARC services, we recognize the critical importance of continuously enhancing our DNS infrastructure.
To tackle these challenges head-on, we are enhancing scalability, visibility, and security in various ways:
1. Containerization strategy for our DNS infrastructure
We have replaced our historic blue-green deployment strategy for our email infrastructure, with a new containerized approach. Now, instead of updates to our infrastructure taking hours, whenever an engineer completes their thorough testing, the container engine picks up their changes, and automates a distributed rollout and cutover to the new code in minutes. This significantly up-levels what we’re able to do with our email authentication infrastructure, including:
- Ultrascale to support more than 100 times our peak traffic
- Easier updates, restarts, and rollbacks to prior versions
- Self-healing capabilities if any nodes become unreliable
- Ability to distribute our email authentication infrastructure across multiple cloud providers in a uniform manner
Finally, this containerization strategy provides increased visibility through bolstered monitoring capabilities, allowing for in-depth analysis of any suspicious activities, further strengthening our security posture.
2. Enhanced, globally distributed resiliency
Earlier this year, following a surge in global DDoS attacks that hit many DNS providers in Q2, we decided to upgrade our DDoS mitigation capabilities. While these attacks did not have a significant impact on us, we saw this as an opportunity to invest in leading anti-DDoS solutions from our cloud infrastructure providers, giving our infrastructure the ability to absorb potential DDoS against us or our customers.
Utilizing the native solutions of AWS, CloudFlare, or Microsoft’s Azure provides us with protections beyond anything we’ve ever utilized before. These protections, in combination with our new container management infrastructure, have already paid off, as more recent DDoS attacks have come and gone without customer impact. Autoscaling based upon load with our containers allows for faster scaling to handle the increase in traffic while the new protections from our cloud infrastructure provider analyze the new traffic, applying heuristics which will result in a block of the malicious traffic.
3. Enhanced responses to bad requests
Our email authentication infrastructure is designed to answer standards-based SPF, DKIM, DMARC, and BIMI requests (amongst others) on behalf of our customers who point these records to us. We do not operate a recursive resolver, nor answer to other record types unrelated to what we serve on behalf of our customers.
The way our system works, if we receive a request that we do not believe is valid on behalf of a customer, we respond with REFUSED. This is critical, in case a system queries us by accident, so that they do not cache an incorrect answer to their DNS query.
However, a disclosure from a researcher was sent to us in July that highlighted an avenue where an attacker could craft, utilizing a custom MTA to allow and transmit invalid hostnames, an email message in such a way as to leverage this REFUSED response to send mail that could bypass a customer’s DMARC policy. This attack would only work against a few specific mail systems (Microsoft and Google were not susceptible), and there was no evidence in our logs of this attack ever being used against a customer of ours.
We did a thorough review of how our system responds to these types of esoteric, invalid requests, and have made several enhancements to our infrastructure to ensure there are no avenues to leverage this behavior, however esoteric they might be. Of course, the path here was not a straight road, as the difference between what the specs say, and how the real world operates, are not completely aligned, and we needed to take extra precautions to prevent any unintended customer impact. This is particularly acute with underscores in hostname and other DNS labels.
Over the past 6 weeks, we’ve rolled out three significant updates, including changes to how our Instant SPF technology handles invalid characters, how we handle similar invalid characters in DKIM selector names, and how we handle hostnames for each that have underscores, in particular as the first character. The resulting updates have made our DNS infrastructure even more secure for all our users.
Our Commitment to Innovation and Trust
At Valimail, our commitment to delivering innovation and building trust with our customers through industry-leading DNS technology remains unwavering. Our scheduled roadmap efforts will continue throughout this year and beyond, focusing on innovation in core DNS technology.
We are dedicated to maintaining open and frequent communication with our customers regarding changes to our DNS technology. We will continue to share updates about the investments we are making in our core infrastructure and will use scheduled maintenance windows to keep customers informed.
Furthermore, our ongoing engagement with contracted penetration testers and external security researchers ensures that we stay ahead of the latest threats in the DMARC ecosystem.
Valimail is proud to be the best in the industry, but we never take that for granted. We remain committed to pushing the boundaries and advancing our core DNS technology for the benefit of our customers and the broader DMARC ecosystem.