What happens if Valimail’s DNS service is unavailable
If there is a problem with the Valimail platform, it "fails open". This means that in the unlikely event that our service goes down, your email still flows, but it would be unauthenticated. During the few minutes it would take to restore the service, it would potentially be possible for your sending domain to be spoofed.
Valimail gives customers the ability to check the availability of our platform, as well as the option to subscribe to notifications in the event of an incident.
You can find Valimail status updates at status.valimail.com
What do we mean by failing open?
Valimail manages your _dmarc and _domainkey records. In the unlikely event of our DNS being unavailable, a receiver querying for your DMARC record would not get an answer. The receiver would treat the domain as if there were no DMARC record, meaning that there is no policy in place. The same goes for your DKIM keys, as Valimail will not respond to queries against _domainkey.
SPF "fail open" works differently from DMARC/DKIM because we are using a TXT record and not a delegation. The SPF record that Valimail provides its customers ends with a softfail (~all). If Valimail's service were to go down, our include statements would not work, and the querying entity would get an SPF softfail result, causing SPF to fail open. With no DMARC policy in place during this brief period, the softfail will have no effect on the message reaching the intended recipient.
DNS Downtime and Mailbox Provider Deliverability
In the very unlikely event that Valimail DNS servers are offline, or if a client’s DNS servers are offline, how mailbox providers will handle these failures is “left to the discretion of the Mail Receiver” per RFC 7489.
Mailbox providers cache DNS records, including email authentication and email deliverability-related entries, like public DKIM keys and DMARC records. If the DNS failure lasts only a very brief period of time, there may be no impact at all, with locally cached DNS allowing the mailbox provider to continue to read DMARC and SPF records and verify DKIM signatures.
In the event that the DNS failure persists, some mailbox providers will “fail open,” resulting in email messages continuing to be delivered.
Other mailbox providers, for example, Gmail, will temporarily defer mail delivery when they are unable to properly process email authentication records for a domain due to a DNS failure. Gmail will return an error with the code “451-4.7.26” that states that “Unauthenticated email from example.com is not accepted due to the domain's DMARC policy, but temporary DNS failures prevent authentication. Please contact the administrator of example.com. domain if this was a legitimate mail. To learn about the DMARC initiative, go to https://support.google.com/mail/?p=DmarcRejection.”
In this case, when DNS is restored, any queued mail will be successfully accepted and processed at the next retry. Errors related to DNS downtime cause no negative lasting impact to email deliverability and will not damage a domain’s sending reputation or a mail server’s IP reputation.
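To confirm from the sending side that deferred mail was in fact accepted on retry, the 451-4.7.26 replies described above can be tracked in the outbound MTA log. This is an added example, not Valimail's code; it assumes Postfix-style log lines, and the sample log, hostnames and queue IDs are constructed.

```python
import re
from collections import defaultdict

# Constructed Postfix-style delivery log (sample data, not from the original page).
SAMPLE_LOG = """\
Jan 10 10:00:01 mx1 postfix/smtp[2101]: 4A1B2C: to=<a@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.10]:25, dsn=4.7.26, status=deferred (host gmail-smtp-in.l.google.com[192.0.2.10] said: 451-4.7.26 Unauthenticated email from example.com is not accepted due to the domain's DMARC policy, but temporary DNS failures prevent authentication. (in reply to end of DATA command))
Jan 10 10:00:02 mx1 postfix/smtp[2102]: 4A1B2D: to=<b@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.10]:25, dsn=4.7.26, status=deferred (host gmail-smtp-in.l.google.com[192.0.2.10] said: 451-4.7.26 Unauthenticated email from example.com is not accepted due to the domain's DMARC policy, but temporary DNS failures prevent authentication. (in reply to end of DATA command))
Jan 10 10:00:03 mx1 postfix/smtp[2103]: 4A1B2E: to=<c@example.net>, relay=none, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.20]:25: Connection timed out)
Jan 10 10:20:05 mx1 postfix/smtp[2188]: 4A1B2C: to=<a@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.10]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# One delivery attempt: queue ID, recipient, final status and the remote reply text.
LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*?"
    r"status=(?P<status>\w+) \((?P<reply>.*)\)$"
)
# The temporary deferral quoted on this page; captures the sending domain it names.
DNS_DEFER_RE = re.compile(r"451[- ]4\.7\.26 Unauthenticated email from (?P<domain>\S+) ")


def summarize_dns_deferrals(log_text):
    """Per sending domain: deliveries deferred with 451-4.7.26, how many were
    later accepted on retry, and which (queue ID, recipient) pairs are still queued."""
    deferred = defaultdict(set)   # domain -> {(qid, rcpt)}
    delivered = defaultdict(set)  # domain -> {(qid, rcpt)} accepted after a deferral
    owner = {}                    # (qid, rcpt) -> domain named in the deferral
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["qid"], m["rcpt"])
        if m["status"] == "deferred":
            hit = DNS_DEFER_RE.search(m["reply"])
            if hit:  # other deferral reasons (timeouts, greylisting) are ignored
                owner[key] = hit["domain"]
                deferred[hit["domain"]].add(key)
        elif m["status"] == "sent" and key in owner:
            delivered[owner[key]].add(key)
    return {
        dom: {
            "deferred": len(keys),
            "delivered_on_retry": len(delivered[dom]),
            "still_queued": sorted(keys - delivered[dom]),
        }
        for dom, keys in deferred.items()
    }


if __name__ == "__main__":
    print(summarize_dns_deferrals(SAMPLE_LOG))
```

A non-empty `still_queued` list after DNS has been restored identifies messages that have not yet been retried or that were deferred again.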