What happens if Valimail's authentication service goes down?

If there is a problem with the Valimail platform it "fails open". This means that in the unlikely event that our service goes down, your email still flows, but it would be unauthenticated. For the few minutes it would take for the service to be restored, it would be potentially possible for your emailing domain to be spoofed. 

To date, we have had 100% uptime, and provide SLAs with our service. An independent third party provides automated service uptime alerting for all our customers. 

You can find Valimail status updates at status.valimail.com

What do we mean by failing open? 

Valimail manages your _dmarc and _domainkey records. In the unlikely event of our DNS being unavailable, a receiver querying for your DMARC record would not get an answer. The receiver would treat the domain as if there is no DMARC record, meaning that there is no policy in place. The same goes for your DKIM keys as Valimail will not respond to queries against _domainkey.

SPF "fail open" works differently than DMARC/DKIM since we are using a TXT record and not a delegation. The SPF record that Valimail provides its customers ends with a softfail (~all). If Valimail's service were to go down, our include statements would not work, and the querying entity would get an SPF softfail result causing SPF to fail open. With no DMARC policy in place during this brief period the softfail will have no effect on the message reaching the intended recipient.