Email security hardening: DNSSEC, DANE, IPv6
Summary
WAYSCloud has completed a multi-step hardening of the internal email delivery layer used by the workspace platform, including DNSSEC, DANE/TLSA, and IPv6 support.
Together these changes protect against tampering with DNS answers (DNSSEC), STARTTLS downgrade and certificate substitution in transit (DANE/TLSA), and sender spoofing (SPF and DMARC), and every control is externally verifiable from public DNS and a live TLS handshake.
This work covered WAYSCloud's own platform mail infrastructure only. Customer-operated mail servers and customer-managed email systems were not in scope and were not affected.
What Happened
Email delivery is a high-value target for in-transit attacks. To address this, multiple independent security layers were deployed across the platform mail infrastructure:
DNSSEC signing was enabled so that validating resolvers can authenticate the zone's records (MX, TLSA, and the SPF/DMARC TXT records) and reject forged or stripped answers.
DANE/TLSA records were published so that DANE-aware senders can require TLS and verify the server's certificate against a DNSSEC-signed record, independently of the WebPKI.
IPv6 was enabled on public mail endpoints.
Supporting controls were also validated, including SPF, DMARC, CAA, and enforced TLS on all SMTP endpoints.
Impact
There was no service interruption.
The changes were additive and require no action from customers. Mail flow continued normally during and after the rollout.
For senders that validate DNSSEC and DANE, delivery to WAYSCloud platform addresses is now stricter: they require TLS and a certificate matching the published TLSA record, and defer delivery rather than fall back to cleartext if that check fails. For senders that do not perform these checks, behavior is unchanged.
No customer data was accessed, modified, or exposed. No credentials were rotated as a consequence of these changes. No third party gained additional access.
Customers operating their own mail servers on WAYSCloud infrastructure were not impacted and do not need to take any action as a result of this work.
Actions Taken
The rollout was performed in a controlled sequence:
DNSSEC signing was enabled for all relevant zones, and Delegation Signer (DS) records were published at the parent zone to anchor the chain of trust.
DANE/TLSA records were deployed and verified end to end. The Subject Public Key Info hash of the active mail certificate was computed (the DANE-EE form recommended by RFC 7671, usage 3 with selector 1), the TLSA record was published at the _25._tcp owner name of the MX host in the now-DNSSEC-signed zone, and validation was performed against a live STARTTLS handshake.
IPv6 was enabled on inbound and outbound mail endpoints, AAAA records were published, and the TLS certificate was reissued so that the same certificate is served on both IPv4 and IPv6 and the single TLSA record matches over either transport.
All changes were validated through external verification, querying multiple public DNSSEC-validating resolvers (confirming the AD flag on the answers) and performing live TLS handshakes against the published endpoints over both transports, before the rollout was considered complete.
Preventive Measures
The following practices have been established:
A pre-published TLSA rotation slot is now standard for mail endpoint certificate renewals: the record for the next key is published alongside the current one at least two TTLs before the certificate switch, and the old record is removed only afterwards, so DANE-aware senders never see a certificate that no TLSA record matches.
DNSSEC key rollovers and the corresponding DS resubmissions at the parent are tracked as scheduled operational tasks, with monitoring against external resolvers so that RRSIG expiry is detected well before clients would observe a validation failure.
Continued hardening of mail infrastructure based on industry standards is part of WAYSCloud's ongoing engineering work.
Two follow-up items remain in progress and are tracked openly: reverse DNS (PTR) coverage for the IPv6 endpoint, which depends on the upstream transit provider, and publication of an RPKI Route Origin Authorization (ROA) for the announcing prefix. Neither affects current mail delivery.
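As an added example, not WAYSCloud's own tooling, the following stdlib-only Python shows the two DANE steps described above: computing the usage 3 / selector 1 TLSA association from a certificate's SubjectPublicKeyInfo (Actions Taken), and checking a "current + next" TLSA RRset before a certificate switch (Preventive Measures). The certificate is a constructed, minimal X.509 DER structure with a zeroed signature so the script runs offline, and mx.example is a placeholder host; the same walker works on a real DER certificate because it relies only on the Certificate -> tbsCertificate -> subjectPublicKeyInfo layout.

```python
"""DANE-EE (TLSA usage 3) association and verification, stdlib only.
Added example; the sample certificate below is constructed, not a real one."""
import hashlib

ED25519_ALG = bytes.fromhex("300506032b6570")  # AlgorithmIdentifier, OID 1.3.101.112


def _der(tag, payload):
    """Encode one DER TLV with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + payload


def _seq(*items):
    return _der(0x30, b"".join(items))


def sample_spki(pubkey):
    """SubjectPublicKeyInfo for a raw 32-byte Ed25519 key (constructed sample)."""
    return _seq(ED25519_ALG, _der(0x03, b"\x00" + pubkey))


def build_sample_cert(pubkey, cn=b"mx.example"):
    """Constructed v3 certificate; only its ASN.1 shape matters for this demo."""
    name = _seq(_der(0x31, _seq(_der(0x06, b"\x55\x04\x03"), _der(0x0C, cn))))
    validity = _seq(_der(0x17, b"240101000000Z"), _der(0x17, b"250101000000Z"))
    tbs = _seq(
        _der(0xA0, _der(0x02, b"\x02")),  # [0] version v3 (optional field)
        _der(0x02, b"\x01"),              # serialNumber
        ED25519_ALG,                      # signature algorithm
        name, validity, name,             # issuer, validity, subject
        sample_spki(pubkey),
    )
    return _seq(tbs, ED25519_ALG, _der(0x03, b"\x00" + bytes(64)))  # zeroed signature


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the single-byte-tag TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate."""
    tag, tbs_pos, _ = _read_tlv(cert_der, 0)
    tag2, pos, tbs_end = _read_tlv(cert_der, tbs_pos)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER Certificate")
    fields = []
    while pos < tbs_end:  # walk the tbsCertificate fields in order
        ftag, vstart, vend = _read_tlv(cert_der, pos)
        fields.append((ftag, pos, vend))
        pos = vend
    # [0] version is optional: version, serial, sigAlg, issuer, validity, subject, SPKI
    ftag, start, end = fields[6 if fields[0][0] == 0xA0 else 5]
    if ftag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[start:end]


def tlsa_association(cert_der, selector=1, matching=1):
    """Certificate association data (RFC 6698): selector 0 = full cert, 1 = SPKI;
    matching 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = extract_spki(cert_der) if selector == 1 else cert_der
    if matching == 0:
        return data.hex()
    if matching == 1:
        return hashlib.sha256(data).hexdigest()
    if matching == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unknown matching type")


def tlsa_record(mx_host, cert_der, port=25, selector=1, matching=1):
    """Full RR text, e.g. '_25._tcp.mx.example. IN TLSA 3 1 1 <hex>'."""
    assoc = tlsa_association(cert_der, selector, matching)
    return f"_{port}._tcp.{mx_host}. IN TLSA 3 {selector} {matching} {assoc}"


def dane_ee_matches(cert_der, rrset):
    """True if the presented leaf certificate matches any usage-3 record in the RRset.
    A DANE-aware sender with no match must defer, never fall back to cleartext (RFC 7672)."""
    for rdata in rrset:
        usage, selector, matching, assoc = rdata.split(None, 3)
        if int(usage) != 3:
            continue  # usage 2 (DANE-TA) needs chain building; not covered here
        expected = tlsa_association(cert_der, int(selector), int(matching))
        if expected == assoc.replace(" ", "").lower():  # dig prints hex with spaces
            return True
    return False


def safe_to_rotate(current_cert, next_cert, rrset):
    """Pre-publication check: both the current and the next certificate must match."""
    return dane_ee_matches(current_cert, rrset) and dane_ee_matches(next_cert, rrset)


if __name__ == "__main__":
    current = build_sample_cert(bytes(range(32)))
    upcoming = build_sample_cert(bytes(range(32, 64)))
    rrset = [tlsa_record("mx.example", c).split(" IN TLSA ")[1] for c in (current, upcoming)]
    print("\n".join(tlsa_record("mx.example", c) for c in (current, upcoming)))
    print("safe to rotate:", safe_to_rotate(current, upcoming, rrset))
    print("unrelated cert matches:", dane_ee_matches(build_sample_cert(bytes(32)), rrset))
```

In production the RRset is fetched with `dig +dnssec TLSA _25._tcp.<mx host>` from a validating resolver (the AD flag must be set, otherwise the record is not DANE-usable), and the live check against the real server is `openssl s_client -connect <mx host>:25 -starttls smtp -dane_tlsa_domain <mx host> -dane_tlsa_rrdata "3 1 1 <hex>"`. The script keeps usage 3 only; DANE-TA (usage 2) records require building and validating the chain to the published trust anchor and are out of scope here.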
