Security

How Ray Protects Your Data

We believe the tools that protect your email should themselves be transparent about how they work. Here's exactly what Ray does and how it's built.

What Data Ray Collects

Ray processes DMARC aggregate reports, which are XML files that mailbox providers (Gmail, Microsoft, Yahoo, etc.) send to the address in your DMARC DNS record. These reports contain:

  • Source IP addresses that sent email using your domain
  • Message counts per source IP
  • SPF and DKIM pass/fail results
  • DMARC policy evaluation outcomes
  • The reporting organization's name and the time period covered

Ray never sees the content of your emails. DMARC aggregate reports contain metadata about authentication results, not message bodies, subjects, recipients, or attachments.
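
To make the field list above concrete, here is an added example (not Ray's code) that parses a constructed report in the RFC 7489 aggregate format and extracts exactly those fields. The sample XML and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate format; every value is made up.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <record><row>
    <source_ip>192.0.2.10</source_ip><count>42</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>198.51.100.7</source_ip><count>3</count>
    <policy_evaluated><disposition>reject</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def parse_aggregate_report(xml_text):
    """Return reporter, period and per-source rows from one aggregate report."""
    # Reports never need a DTD; refusing one blocks entity-expansion payloads.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed")
    root = ET.fromstring(xml_text)
    meta = root.find("report_metadata")
    rows = []
    for row in root.iterfind("record/row"):
        ev = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "spf": ev.findtext("spf"),
            "dkim": ev.findtext("dkim"),
            "disposition": ev.findtext("disposition"),
        })
    return {"org_name": meta.findtext("org_name"), "rows": rows,
            "begin": int(meta.findtext("date_range/begin")),
            "end": int(meta.findtext("date_range/end"))}

def failing_sources(report):
    """Message counts per source IP where both SPF and DKIM failed DMARC."""
    totals = {}
    for r in report["rows"]:
        if r["spf"] != "pass" and r["dkim"] != "pass":
            totals[r["source_ip"]] = totals.get(r["source_ip"], 0) + r["count"]
    return totals
```

Nothing in the parsed structure refers to a message body, subject, or recipient, because the report format has no element for them.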

Ray also performs DNS lookups against your domain to check SPF, DKIM, DMARC, MTA-STS, TLS-RPT, and BIMI records. This is the same publicly available DNS data that any tool or person can query.

Encryption

At Rest

All stored data is encrypted using AWS KMS (Key Management Service) with dedicated encryption keys. DynamoDB tables, S3 buckets, and SQS queues all use KMS encryption. Key rotation is managed by AWS.

In Transit

All traffic uses TLS. API endpoints enforce HTTPS. Internal service communication uses SigV4-signed requests over TLS. All data paths use encryption.

Authentication

Passkeys (WebAuthn/FIDO2)

Ray supports passkey authentication, the phishing-resistant standard backed by Apple, Google, and Microsoft. Your credential never leaves your device. There is no password to leak, phish, or brute-force.

Magic Links

For environments where passkeys aren't available, Ray offers magic link authentication. A single-use, time-limited link is sent to your verified email address. No password involved.

Passwordless by Default

Ray is designed around passwordless authentication. Users sign in with passkeys or magic links, not passwords. Passwords are the most common attack vector for account compromise, and we chose to build without them.

Session Management

Sessions use short-lived tokens issued by AWS Cognito. Tokens are cryptographically signed, rotated automatically, and designed to resist forgery and replay.

Access Control

Ray uses organization-based access control with three roles:

Owner

Full control over the organization, including managing members, billing, and deleting the org. Each organization has exactly one owner.

Admin

Can manage domains, view all reports, and invite or remove members. Cannot delete the organization or change the owner.

Member

Can view domains and reports assigned to their organization. Cannot modify settings or manage other users.

Permission checks happen at the API layer. Every request is evaluated against the user's role and organization membership before any data is returned.

Domain Verification

Before you can manage a domain in Ray, you must prove you control it. Ray uses DNS-only verification: you add a TXT record at a dedicated underscore-prefixed subdomain (e.g., _ray-verify.example.com). Ray checks for this record and confirms ownership. No CNAMEs, no HTTP challenges, no email-based verification.

This approach follows RFC 8552, the IETF standard for scoped interpretation of DNS resource records through underscored naming. Using a dedicated subdomain keeps the verification record isolated from your other DNS records and avoids the namespace collisions that happen when multiple services all ask you to add TXT records at the domain root.

DNS verification is the strongest proof of domain control available. If you can modify DNS for a domain, you control that domain. There is no weaker fallback.
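
A sketch of the DNS-only check described in this section, as an added example that is not Ray's implementation. The token scheme (an HMAC bound to organization and domain), the resolver hook lookup_txt, and all keys and organization ids are assumptions; only the _ray-verify label comes from the page.

```python
import hashlib
import hmac

VERIFY_LABEL = "_ray-verify"  # underscore label from the page's example name


def verification_name(domain):
    """Owner name for the proof record, e.g. _ray-verify.example.com."""
    return f"{VERIFY_LABEL}.{domain.strip().rstrip('.').lower()}"


def expected_token(server_key, org_id, domain):
    # Assumed scheme: bind the token to (organization, domain) so a record
    # published for one organization cannot be claimed by another.
    msg = f"{org_id}|{verification_name(domain)}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


def is_verified(domain, token, lookup_txt):
    """lookup_txt(name) returns TXT records, each a list of byte strings."""
    # Only the dedicated underscore name is queried, never the domain root.
    for strings in lookup_txt(verification_name(domain)):
        # One TXT record can be split into several <=255-byte strings.
        value = b"".join(strings).strip()
        if hmac.compare_digest(value, token.encode()):  # exact match only
            return True
    return False


# Constructed zone data standing in for a resolver; key and org ids are made up.
KEY = b"constructed-demo-key"
TOKEN_A = expected_token(KEY, "org-a", "example.com")
ZONE = {
    # Token published at the dedicated name, split across two TXT strings.
    "_ray-verify.example.com": [[TOKEN_A[:32].encode(), TOKEN_A[32:].encode()]],
    # Token published at the domain root: this must not count as proof.
    "example.org": [[expected_token(KEY, "org-a", "example.org").encode()]],
}


def fake_lookup(name):
    """Hypothetical resolver stub backed by ZONE."""
    return ZONE.get(name, [])
```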

Infrastructure

Rust

Backend services are written in Rust. Rust's ownership model prevents entire classes of vulnerabilities (buffer overflows, use-after-free, data races) at compile time, not runtime.

Serverless on AWS

Every service runs on AWS Lambda (ARM/Graviton). No servers to patch, no OS to maintain. AWS manages the execution environment.

Infrastructure as Code

All AWS resources are defined in SAM/CloudFormation templates. No manual console changes. Every infrastructure change is version-controlled, reviewed, and deployed through CI/CD.

Service-to-Service Auth

Internal services authenticate using IAM roles and SigV4 request signing. There are no shared secrets, API keys, or static credentials passed between services.

Audit Logging

Ray maintains append-only audit logs for security-relevant events. Logs capture the user, action, timestamp, source IP, and affected resource. Audit records are available for 90 days in the dashboard and API, giving you time to export them for long-term retention. Records are protected from modification or deletion by any user, including organization owners.

Logged events include: authentication attempts, membership changes, domain additions and removals, role changes, and API key operations.

Data Retention and Portability

Retention

DMARC report data is retained according to your plan. Raw report XML files are stored in S3 with the same KMS encryption as all other data. You can request deletion of your data at any time.

Portability

All data accessible through the dashboard will also be available through the API. You will be able to export your data at any time in standard formats. There is no lock-in and no export fees.

Data Residency

All Ray data is stored in AWS in the United States. This includes DMARC reports, domain analysis results, audit logs, and account data. There is no replication to regions outside the United States.