MailChannels

MailChannels
Company type	Private
Industry	Information Security, SaaS
Founded	2004; 20 years ago
Headquarters	Vancouver, Canada
Area served	Worldwide
Key people	Ken Simpson, CEO
Products	Spam Filtering, Anti-spam
Services	Computer Security

MailChannels is a Canadian technology company that specializes in email security for businesses and internet service providers (ISPs). Founded in 2004 by Ken Simpson and headquartered in Vancouver, British Columbia, the company operates in email security and the infrastructure market. The business provides a products and services designed to safeguard email systems against spam, phishing, and other harmful content. They guarantee the dependable delivery of legitimate messages and offer a mail relay API for numerous websites^{[citation needed]}.

Quick Facts Company type, Industry ...

Close

MailChannels was founded in 2004 by former engineers of ActiveState (acquired by Sophos), who created one of the first commercial spam filters.

The company's first product was an SMTP proxy that provides tar-pitting and transparent SMTP proxy functionality for inbound email filtering.

In 2007, MailChannels joined M³AAWG and closed a series A round led by early Microsoft employees.

In 2010, the company launched an outbound email filtering software that claims to be capable of filtering up to 30 million messages per hour, transparently in the network. Outbound email filtering involves scanning email traffic as it exits the network, identifying compromised accounts, and reducing the risk of having IP addresses blocked by receiving networks.

In 2013, the company launched a cloud-based outbound email filtering service.

In 2018, the company launched a cloud-based inbound email filtering service.

In 2022, the company decided to stop supporting Plesk for outbound email filtering.

In August 2023, security researcher Marcello Salvati presented findings at DEF CON 31 regarding what he termed a potential vulnerability in MailChannels' email infrastructure.^[1] Salvati's research demonstrated that it was possible to send emails addressed from any domain through a free email sending API that MailChannels had been offering to Cloudflare Workers users. Salvati's talk highlighted how email receivers often interpret a passing SPF check as an indication that an email message was authentically sent by the owner of a given domain name, even though the SPF RFC specifically advises against interpreting SPF results in this manner.^[2]

SPF has several notable limitations that are described in the RFC:^[2]

SPF only authenticates the envelope sender (MAIL FROM) and HELO/EHLO identities, not other identities in the message headers.
A passing SPF result does not guarantee the message is not spoofed or malicious.
SPF can't verify specific email addresses, only domains.

The authors recommend receivers use SPF as part of a larger set of evaluations rather than treating it as dispositive on its own.^[2]

Furthermore, RFC 5321, which defines SMTP, explicitly states that SMTP mail is inherently insecure:

SMTP mail is inherently insecure in that it is feasible for even fairly casual users to negotiate directly with receiving and relaying SMTP servers and create messages that will trick a naive recipient into believing that they came from somewhere else. [...] Real mail security lies only in end-to-end methods involving the message bodies, such as those that use digital signatures.
— RFC 5321, Section 7^[3]

MailChannels' Response

MailChannels CEO Ken Simpson addressed the complexity of the situation, stating, "MailChannels sends email for 30 million different domains that are hosted behind over 600 web hosting provider networks. We cannot force every domain owner to verify the ownership of their domain because domain owners do not even authenticate domain ownership with their own hosting provider".^[4]

In response to these findings, MailChannels developed and implemented a new security feature called "Domain Lockdown." This feature enhances domain authentication by linking registered domain names to MailChannels accounts and implementing sender ID verification, providing an additional layer of security beyond SPF.^[5] While not requiring Cloudflare users to register an account with MailChannels, since the mechanism operates using DNS records alone.

[1]
DEF CON 31 - SpamChannel - Spoofing Emails From 2M+ Domains & Virtually Becoming Satan - byt3bl33d3r, 16 September 2023, retrieved 2023-09-27
[2]
Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1. April 2014. sec. 2.4. doi:10.17487/RFC7208. RFC 7208.
[3]
Simple Mail Transfer Protocol. October 2008. sec. 7. doi:10.17487/RFC5321. RFC 5321.
[4]
Sabin, Sam (11 August 2023). "Exclusive: An email security vendor is leaving 2M domains open to phishing hacks, study finds". Axios. Archived from the original on 16 August 2023. Retrieved 28 September 2023.
[5]
"Introducing MailChannels Domain Lockdown". Cloudflare. 21 June 2023. Retrieved 28 September 2023.

[1] [1]
DEF CON 31 - SpamChannel - Spoofing Emails From 2M+ Domains & Virtually Becoming Satan - byt3bl33d3r, 16 September 2023, retrieved 2023-09-27

[RFC7208-2] [2]
Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1. April 2014. sec. 2.4. doi:10.17487/RFC7208. RFC 7208.

[3] [3]
Simple Mail Transfer Protocol. October 2008. sec. 7. doi:10.17487/RFC5321. RFC 5321.

[4] [4]
Sabin, Sam (11 August 2023). "Exclusive: An email security vendor is leaving 2M domains open to phishing hacks, study finds". Axios. Archived from the original on 16 August 2023. Retrieved 28 September 2023.

[5] [5]
"Introducing MailChannels Domain Lockdown". Cloudflare. 21 June 2023. Retrieved 28 September 2023.

[1]

[2]

[3]

[4]

[5]

MailChannels

MailChannels' Response

Wikiwand in your browser!

MailChannels

MailChannels' Response

Wikiwand in your browser!

Company history

MailChannels and Email Authentication Considerations

See also

References