Domain Lockdown: We added this to our Cloudflare Workers integration. It mandates a DNS TXT record to authorize a Worker to send emails from a specific domain. You can't forge the CF-Worker header, so impersonation is off the table.
Pre-Lockdown Vulnerability: Yes, we were more exposed before. Thanks to the researchers who pointed it out, we've patched this up with Domain Lockdown.
SMTP Relay & Web Hosting: Domain Lockdown isn’t mandatory yet in the rest of our service for the web hosting industry. But we’re developing updates for our cPanel WHM plugin and other integrations to make this scalable for millions of domains. Note that our service has to work for applications like public mailing lists where locking the sender domain down breaks stuff.
Scale & Standardization: We service a broad range of configurations. Rolling out universal changes takes time. We're also working with industry groups like M3AAWG to push for improvements to DMARC and other standards to help everyone be more secure.
Tech docs for the curious: https://support.mailchannels.com/hc/en-us/articles/456589835...
Appreciate all the questions and criticism here.
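The comment above describes the shape of the Domain Lockdown check: a DNS TXT record on the sending domain names which Worker is allowed to send for it, and the relay compares that against the CF-Worker header, which the sending side cannot forge. The following is an added illustration of that kind of fail-closed authorization check; it is not MailChannels' code and not taken from the linked docs. The record location (`_mailchannels.<domain>`), the tag syntax (`v=mc1 cfid=<worker-id>`), the worker identifier format and the DNS answers are all constructed assumptions for the example; the real syntax is whatever the support article specifies.

```python
"""Illustrative domain-lockdown style check (added example, not MailChannels' code).

Assumed conventions (not taken from the page):
  * the policy record is a TXT record at `_mailchannels.<sender-domain>`;
  * its content is a whitespace-separated tag string starting with `v=mc1`,
    followed by one or more `cfid=<worker-id>` tags;
  * the sending Worker is identified by the CF-Worker request header value.
"""
from typing import Dict, List, Optional, Set

# Constructed DNS answers standing in for a resolver so the example runs offline.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "_mailchannels.example.com": ["v=mc1 cfid=shop.example.workers.dev"],
    "_mailchannels.multi.example": ["v=mc1 cfid=a.workers.dev cfid=b.workers.dev"],
    # A record exists but is not a lockdown record: must not grant anything.
    "_mailchannels.stale.example": ["v=spf1 -all"],
    # "nolockdown.example" deliberately has no record at all.
}


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive; strip a trailing dot from FQDN form."""
    return name.strip().lower().rstrip(".")


def lookup_txt(name: str, dns: Dict[str, List[str]] = CONSTRUCTED_DNS) -> List[str]:
    """Return the TXT strings for `name` from the constructed resolver (empty if none)."""
    return dns.get(normalize_name(name), [])


def parse_lockdown(record: str) -> Optional[List[str]]:
    """Parse one TXT string; return the listed worker ids, or None if it is not
    a `v=mc1` record (wrong version tag, SPF record, junk)."""
    tags = record.split()
    if not tags or tags[0] != "v=mc1":
        return None
    return [t[len("cfid="):] for t in tags[1:] if t.startswith("cfid=") and len(t) > 5]


def authorized_workers(sender_domain: str,
                       dns: Dict[str, List[str]] = CONSTRUCTED_DNS) -> Set[str]:
    """Collect every worker id authorized for `sender_domain`.

    Multiple TXT strings may exist; only well-formed lockdown records count.
    An empty set means "nobody may send", which is the fail-closed default."""
    allowed: Set[str] = set()
    for txt in lookup_txt(f"_mailchannels.{normalize_name(sender_domain)}", dns):
        ids = parse_lockdown(txt)
        if ids:
            allowed.update(normalize_name(i) for i in ids)
    return allowed


def is_worker_authorized(sender_domain: str, cf_worker_header: Optional[str],
                         dns: Dict[str, List[str]] = CONSTRUCTED_DNS) -> bool:
    """Decide whether the Worker named in the CF-Worker header may send mail
    claiming `sender_domain`. No header, no record, or a record that does not
    list this worker all deny: the policy is opt-in per domain and fail-closed."""
    if not cf_worker_header:
        return False
    return normalize_name(cf_worker_header) in authorized_workers(sender_domain, dns)


if __name__ == "__main__":
    for domain, worker in [("example.com", "shop.example.workers.dev"),
                           ("example.com", "other.workers.dev"),
                           ("nolockdown.example", "shop.example.workers.dev"),
                           ("stale.example", "shop.example.workers.dev")]:
        print(f"{worker!r} for {domain!r}: {is_worker_authorized(domain, worker)}")
```

The point worth noticing is where the trust sits: the check never consults anything the sender supplies except the CF-Worker header, which the platform sets rather than the request author, and a domain with no record or a malformed record denies every sender rather than falling back to "allow". That is also why the comment notes the scheme does not fit public mailing lists, which legitimately relay mail for many unrelated sender domains.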