Custom-domain DNS verification fix

During an internal review of the meil.no custom-domain feature, we identified a defect in the DNS-based ownership-verification step. The verification compares a value issued by the platform against the value the customer is asked to publish as a DNS record at their domain. The comparison was case-sensitive.

DNS standards do not require providers to preserve record values byte-for-byte; some DNS providers normalize stored values, including by changing letter case. When a registrar applied such normalization, the value retrieved by the verification routine differed from the issued value only in case. The case-sensitive comparison rejected an otherwise valid record, leaving the domain in a non-progressing verification state.

The defect was identified during internal review before any customer experienced an unresolved verification. No customer data was exposed, and no other service was affected.

No customers experienced unresolved domain verification. The defect was identified during internal review and addressed before customer impact occurred. No data was exposed and no other service was affected.

The verification comparison was updated to compare values case-insensitively, ensuring valid records are recognized regardless of registrar storage behavior.

Beyond fixing the immediate symptom, the token-generation algorithm itself was changed: verification values issued going forward are produced from a character set that survives common normalizations such as case folding. This eliminates the underlying class of issue rather than only the case-sensitive comparison that exposed it — tokens issued by the new algorithm cannot be invalidated by registrar-side case changes at all.

A regression test was added to ensure any future change that re-introduces case-sensitive comparison fails the build.

Going forward, any value the platform asks a third-party system to publish or store on a customer's behalf will use a character set resilient to common normalizations. Comparisons between values retrieved from third-party systems and values issued by the platform will be case-insensitive by default unless an explicit reason for strict matching is documented.

Monitoring has been extended to flag any custom domain that remains in a non-progressing verification state for an extended period, so similar patterns are detected proactively rather than relying on customer reports.