On July 13th, Valimail received a responsible disclosure report regarding a potential vulnerability in our SPF solution. As part of our mission to build trust in internet communications and to protect brands and users, our team validated that the report was viable, responded to the issue, and implemented a comprehensive fix over the weekend, in under 48 hours.
Collaboration and continual improvement across the cybersecurity market are paramount, and we appreciate that security was prioritized in disclosing this issue.
Placing the security of our customers first, we investigated whether this vulnerability had been actively exploited and determined that no active exploitation by an attacker had occurred.
Below, we’ll go into detail about our SPF technology and the steps we took to remediate the vulnerability.
The role of Valimail’s Instant SPF technology
Valimail has patented technology to manage SPF records that mitigates the SPF standard's limit of 10 DNS lookups. We refer to this patented technology as Instant SPF, and it enables our customers to define an unlimited number of authorized senders. Instant SPF leverages the macros already defined in the SPF standard to:
- Extract identifying information
- Map this information to the originating service
- Return service-specific SPF rules that the receiver can evaluate
Valimail Instant SPF dynamically generates a tailored SPF record, instantly, in response to each mail server request.
This allows our customers to properly authenticate messages from an unlimited number of sending services, protecting all of the systems that matter. This advancement allows Valimail customers to successfully reach DMARC enforcement 90%+ of the time compared to the ~20% success rate in the industry. In responding to and mitigating this report, we were mindful of the importance that our Instant SPF service plays in ensuring properly authenticated email is securely delivered for our customers.
The fix
Once we determined, through our standard response process, that the vulnerability was viable, our team deployed a fix for this issue. The fix updated our Instant SPF technology to return “v=spf1 -all” instead of “REFUSED” (DNS RCODE 5) for requests with an invalid hostname. This response ensures that the assigned DMARC policy is honored regardless of the hostname, so customers no longer need to rely on downstream email recipients honoring RFC 5321 for their DMARC policy to take effect.
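As an added illustration, and not Valimail's code, the following Python model contrasts the old REFUSED answer with the new “v=spf1 -all” answer and shows why the change matters to a receiver that accepts mail when SPF returns temperror. The query shape `<sender-ip>._spf.example.com`, the authorized IP ranges, and the modelled receiver behaviour are all assumptions.

```python
import ipaddress
import re

# Constructed model of a macro-driven SPF responder (hypothetical, not Valimail's).
# Assumed query shape: the %{i} macro (sender IP) prefixed to a zone,
# e.g. "192.0.2.5._spf.example.com".
QUERY_RE = re.compile(r"^(?P<ip>[0-9.]+)\._spf\.example\.com\.?$")

# Constructed table: sender IP ranges and the SPF mechanism that covers each.
AUTHORIZED = [
    (ipaddress.ip_network("192.0.2.0/24"), "ip4:192.0.2.0/24"),
    (ipaddress.ip_network("198.51.100.0/24"), "ip4:198.51.100.0/24"),
]


def instant_spf_answer(qname, fixed):
    """Return (rcode, txt) for a tailored SPF record request.

    Before the fix, a hostname that does not parse got RCODE 5 (REFUSED);
    after the fix it gets a NOERROR answer of "v=spf1 -all".
    """
    m = QUERY_RE.match(qname)
    try:
        ip = ipaddress.ip_address(m.group("ip")) if m else None
    except ValueError:  # digits and dots, but not a real IPv4 address
        ip = None
    if ip is None:
        return ("NOERROR", "v=spf1 -all") if fixed else ("REFUSED", None)
    mechs = [mech for net, mech in AUTHORIZED if ip in net]
    return ("NOERROR", " ".join(["v=spf1", *mechs, "-all"]))


def spf_result(rcode, txt, sender_ip):
    """Receiver-side evaluation: DNS error -> temperror, else pass/fail."""
    if rcode != "NOERROR":
        return "temperror"
    ip = ipaddress.ip_address(sender_ip)
    for term in txt.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
    return "fail"


def dmarc_disposition(result, policy="reject"):
    """Assumed receiver: applies the policy on 'fail' but, on 'temperror',
    neither rejects nor tempfails, so the policy is never applied."""
    if result == "pass":
        return "deliver"
    if result == "fail":
        return policy
    return "deliver (policy not applied)"


def disposition_for(qname, sender_ip, fixed):
    rcode, txt = instant_spf_answer(qname, fixed)
    return dmarc_disposition(spf_result(rcode, txt, sender_ip))
```

With the old REFUSED answer an unparseable hostname yields temperror and the modelled receiver delivers the message; with the fixed answer the same request yields fail and the DMARC policy is applied.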
According to our logs, this vulnerability was not abused and no customers were affected. We also set up active monitoring to ensure the vulnerability was not exploited while we implemented and tested the fix.
Conclusion
The continual improvement of our product and the security of our customers are our top priorities. Thousands of organizations rely on Valimail to authenticate their messages. Having an open and healthy security culture is at the heart of how we live up to these commitments. If anyone has any questions about this alert or would like to speak with our team, please feel free to reach out to pr@valimail.com.