Categories
Q&A

Checking DNSSEC Domains

Recently we’ve started to receive support requests about DNS problems that turn out to be broken DNSSEC. Unfortunately we can’t fix DNSSEC problems on external domains, but you can run the following tests:

These tools will also show if a domain does not have DNSSEC. Running DNSSEC checks is particularly handy when using another tool that is not DNSSEC-aware: test tools that are not DNSSEC-aware may return false positives when validation is broken.
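To illustrate why a DNSSEC-unaware test can report success on a broken domain, the following added example (not part of the original post or Roller Network's tooling) classifies a name from the text output of `dig +dnssec` and `dig +dnssec +cd`. The function names and the sample output are constructed for illustration, and both queries are assumed to go to the same validating resolver.

```python
import re

def parse_dig(output):
    """Pull the response status, header flags and RRSIG presence from dig text."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([a-z ]*);", output)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "rrsig": bool(re.search(r"\sIN\s+RRSIG\s", output)),
    }

def dnssec_state(normal_output, cd_output):
    """Classify a name from `dig +dnssec` and `dig +dnssec +cd` output.

    Assumption: both queries were sent to the same validating resolver.
    """
    normal, cd = parse_dig(normal_output), parse_dig(cd_output)
    if normal["status"] == "SERVFAIL":
        # Validation failure surfaces as SERVFAIL; +cd skips validation, so an
        # answer there means the data exists but its signatures do not verify.
        return "broken-dnssec" if cd["status"] == "NOERROR" else "lookup-failure"
    if normal["status"] != "NOERROR":
        return "no-answer"
    if "ad" in normal["flags"]:
        return "validated"
    # No AD flag: signed data here means the resolver did not validate it.
    return "signed-not-validated" if normal["rrsig"] else "unsigned"

# Constructed, trimmed dig output for illustration (not from a real zone).
SERVFAIL = (";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1001\n"
            ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n")
SIGNED_CD = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002\n"
             ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
             "example.com.\t300\tIN\tA\t192.0.2.10\n"
             "example.com.\t300\tIN\tRRSIG\tA 13 2 300 20300101000000 "
             "20291201000000 12345 example.com. Y29uc3RydWN0ZWQ=\n")
SIGNED_AD = SIGNED_CD.replace("ra cd;", "ra ad;")
UNSIGNED = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003\n"
            ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
            "example.net.\t300\tIN\tA\t192.0.2.20\n")

if __name__ == "__main__":
    for label, pair in [("broken", (SERVFAIL, SIGNED_CD)),
                        ("signed", (SIGNED_AD, SIGNED_CD)),
                        ("plain", (UNSIGNED, UNSIGNED))]:
        print(label, dnssec_state(*pair))
```

A tool that only ever sees the `+cd` style answer would call the first sample healthy, which is the false positive described above.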

Categories
Announcements Q&A

Mail Mirroring as “Email Insurance”

On a semi-regular basis we receive a call or email for help because something has happened to someone’s email: messages were accidentally deleted, or their mail server had a config change and rejected everything, or accepted and silently discarded messages. Although we do maintain disaster recovery backups, we charge for staff time hourly to try to find and restore a few files, without any guarantees as to how far back we can look. And that’s only for IMAP; with POP3 the client can remove messages as they are received, so they never make it into a backup window. Then there’s the SMTP queue: the queue is constantly changing, and since we’re not secretly storing copies of messages just in case, there’s almost no chance of recovering anything. In the end, the messages are gone and there’s no simple way to recover them, if they can be recovered at all.

That’s where the Mail Mirror feature, included with every account, comes in. A mail mirror uses hosted mail boxes to store copies of messages that pass through our system. Mail Mirror allows you to define addresses or domains to “mirror” to a hosted mail box by storing a copy for backup or emergency access purposes. It uses the independent storage of a normal hosted mail box, which is not affected by the constantly changing mail queue. Once a message goes into a mirror it remains there until it expires, based on how long you configure the mirror to keep messages, or until it is manually deleted by logging into the mirror box. This way, a mirror is self-maintaining and won’t keep growing in size. Mail Mirror is available to all accounts and only counts as hosted mail box storage, but for it to work it needs to be enabled before there’s a problem, not after.

Mail mirroring works with all types of mail configurations. You may never need to access your mail mirror, but just like insurance, it’s there just in case.

We’ve also posted a topic to our forums for any questions or discussion on this feature: Mail Mirror – A Helpful Safety Feature

Categories
Announcements Q&A

Two Factor Auth Q and A

We’ve received a bunch of questions about YubiKey two factor authentication, so we’re going to summarize them here.

How can I add a YubiKey to my account?

Email support@rollernet.us with your account name and your 12 character key IDs. Online management is in development. Once keys are associated with your account you won’t be able to log in to the account control center without providing the OTP at login time.

Do you support multiple keys?

Yes. In the current test phase we’re only supporting two keys per account: primary and secondary. We plan to allow an arbitrary number of YubiKeys to be associated with an account and support both OTP and U2F.

How do I recover access if my key is lost?

We encourage a backup key (or two) for safekeeping in case the primary is lost, stolen, or damaged. Most people will carry their primary key with them on a daily basis. The backup key(s) should be kept in a safe, secure, or trusted location. We don’t like the idea of disabling the second factor to “recover” access because doing so defeats its purpose if it can be easily turned off.

Are you going to support Google Authenticator?

We’re also looking at support for Google Authenticator (TOTP) and Authy as other methods, but for now we’re focusing on YubiKey since we use them internally at our office.

Categories
Q&A

Q&A: “Do your walls extend past the ceiling?”

One question we’re frequently asked on tours is whether our walls extend (or “cut”) past the false ceiling. The answer is yes; all of our walls extend the full height up to the floor of our mezzanine level, and the remaining overhead spaces are too narrow for someone to bypass doors by going through the ceiling. At the same time, we do not permit unescorted site access.

Full walls cutting the false ceiling.

Many times businesses will save money on construction costs by only building up to the bottom of a false ceiling, but since our facility is an integral part of our services we always opt to cut the ceiling. We also dress overhead wiring with d-rings even though it’s hidden.

Overhead wire dressing.

Categories
Q&A

File Into Folders with Hosted Mail Extensions

A question came across the forums last week about address extensions (user+ext@example.com) not working because mail wasn’t being filed into folders automatically based on the extension part. Extensions do work, but the anticipated filing behavior is a modification rather than the standard behavior. It can be accomplished with Roller Network hosted mail boxes and a quick Sieve script:

require ["fileinto", "variables"];

if header :matches "Delivered-To" "user+*@example.com" {
  fileinto "${1}";
  stop;
}
else {
  keep;
}

Add this using the managesieve online interface (or a managesieve plugin that allows direct entry), replacing “user” and “example.com” with entries appropriate to your hosted mail box. This script will automatically file anything with an extension into a folder of the same name, or default to INBOX if there wasn’t an extension.

We have been considering adding this functionality as a per-mailbox account control center option, but a Sieve script will quickly do the job just the same without having to wait for us.