Cloudflare DMARC Management is now generally available

When we first launched DMARC Management, it was driven by a simple belief: every domain on the Internet deserves strong email authentication, and cost should never be the reason it doesn't happen. As part of our mission to help build a better Internet, we made DMARC Management available for free to every Cloudflare customer. We wanted to give everyone the tools to understand and improve their DMARC posture without needing to hire an email security consultant or parse XML report files by hand.

Today, we are taking that commitment further. Cloudflare DMARC Management is now generally available, with a redesigned experience built to help you reach full DMARC enforcement as easily as possible.

The DMARC Management dashboard offers a unified view of your email authentication posture.

What email authentication actually does for you

Every time someone receives an email "from" your domain, their email provider asks a simple question: did the real owner of this domain actually send this? Without a way to answer that question, anyone can send an email pretending to be you and your recipients will have no way to tell the difference.

Email authentication is the set of DNS records that answers that question. There

Growing the Cloudflare AI team with talent from Ensemble AI

Today, we’re excited to share that key members of the team at Ensemble AI are joining Cloudflare to help accelerate our work in AI infrastructure and make it easier for developers to run powerful AI models efficiently at scale.

Ensemble AI, founded in 2023 in San Francisco, has spent the last few years focused on one of the most important challenges in AI: making large models faster, smaller, and more cost-effective to serve, without sacrificing quality. The team has developed new approaches to model compression and efficient inference that are designed to reduce the memory, compute, and deployment overhead of large language models and multimodal architectures.

As AI becomes a core part of how developers build applications, the economics of inference matter more than ever. Models are getting larger; workloads are becoming more dynamic. And customers increasingly expect AI to be available everywhere: globally distributed, fast, reliable, and affordable. Bringing the Ensemble AI team into Cloudflare strengthens our ability to make that possible.

Incorporating Ensemble’s expertise 

The team at Ensemble AI has focused on preserving the structure inside modern AI models while reducing the cost of running them. Instead of treating model efficiency as only a quantization or hardware problem,

Quake demos raytraced again

This is a follow-up to a previous post about raytracing Quake demos.

But first, the money shot:

[Images: e1m1 flat shaded; e1m1 with textures]

And flat shaded and textured videos. Youtube is Very Aggressive™ with its compression, so the quality there is not good. For pixel quality the above images showcase it better.

A new raytracer

One of my original reasons for creating the quake demo povray files is that it was a good source of data for 3D experiments. POV-Ray is a great raytracer, though entirely CPU (no GPU) and no longer state of the art.

POV-Ray has plenty of built in options, but takes forever to render the 30-60fps demos I want to play with.

Also POV-Ray is AGPL now, so nope nope nope nope nope. That’s a dead end.

Another AI detour

We live in interesting times. We could be living in a time when no two people are running the same email client, or music player, or shell. There used to be a barrier to writing these things custom. I know people who wrote their own shell and use it as a daily driver. I wrote my own email client, and use that.

There are many people out there, me included, who

Installing Step CA in My Homelab

Step CA is an open-source private CA made by Smallstep. I will use it to generate certificates for some components in my lab.

First we install the dependencies:

sudo apt-get update && sudo apt-get install -y --no-install-recommends curl gpg ca-certificates

Then we get the Smallstep repository signing key:

sudo curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/keyrings/smallstep.asc

Then we add the Smallstep repository:

cat << 'EOF' | sudo tee /etc/apt/sources.list.d/smallstep.sources > /dev/null
Types: deb
URIs: https://packages.smallstep.com/stable/debian
Suites: debs
Components: main
Signed-By: /etc/apt/keyrings/smallstep.asc
EOF

Then we install step-cli and step-ca:

sudo apt-get update && sudo apt-get -y install step-cli step-ca

Then we check the install:

step-ca version
step version
Smallstep CA/0.30.2 (linux/amd64)
Release Date: 2026-03-23T00:18:00Z
Smallstep CLI/0.30.4 (linux/amd64)
Release Date: 2026-06-10T06:10:28Z

Next, we’ll run the initializer:

step ca init \
  --name "lostintransit.se" \
  --dns "stepca.lostintransit.se" \
  --address ":443" \
  --provisioner "[email protected]"
✔ Deployment Type: Standalone
Choose a password for your CA keys and first provisioner.
✔ [leave empty and we'll generate one]: 

Generating root certificate... done!
Generating intermediate certificate... done!

✔ Root certificate: /home/ddib/.step/certs/root_ca.crt
✔ Root private key: /home/ddib/.step/secrets/root_ca_key
✔ Root fingerprint: 8f08102ae41eb7fc6a57f62fbaccaf82cb7a67dbedca858a0352a75b4fa763cd
✔ Intermediate certificate: /home/ddib/.step/certs/intermediate_ca.

AI solving problems

I’ve been able to find some time, lately, to work on my project backlog. And because it’s 2026, I’ve been using AI as a diligent intern.

I’ve ranted before about seccomp, but still used it for a project or two. But then, rarely, it triggered an unexpected openat. That’s exactly the kind of thing I do want to detect and kill the binary for, so I don’t just want to allow it. I want to know where it’s coming from.

strace showed it’s trying to read /proc/sys/vm/overcommit_memory.

It’s certainly not my code. But just the Rust transitive dependency tree is quite a few crates:

$ cargo tree | sed -r 's/^[^a-z]+//;s/ .*//' | sort -u | wc -l
236

Step 1 was to run it in gdb, and reproduce the problem. But it’s a bit trickier than that, because seccomp fully kills the process, so no backtrace. And setting breakpoints requires a few more syscalls to work, just for the process to work under gdb (e.g. sigaltstack).

And turns out some calls fail with EINTR if running under a debugger.

Yes, I can fix all these things. But why not put the AI intern on it?

AI

Scaling Security Insights: how we achieved a 10x increase in global scanning capacity

Security Insights provides actionable security recommendations for every Cloudflare account. To find these insights, we perform regular scans for all accounts, zones, and DNS records, looking for potential security risks and misconfigurations.

However, two key issues emerged. First, our scans were too infrequent. Scans were only being performed every week or two, and therefore newly introduced security risks could remain undetected for up to two weeks. Second, automatic scanning was opt-in for many free plan accounts – meaning lots of accounts weren’t being scanned at all.

The risks of infrequent or nonexistent scans are rising: as automated attacks accelerate, the window for detecting security misconfigurations is shrinking. Making sure that we’re finding these issues for all of our customers is crucial to our aim of building a better Internet for everyone.

We calculated that to increase our scanning frequencies and enable automatic scanning for all accounts, we would need to increase our scanning throughput by around 10x on average – from 10 scans per second to 100 per second. But our system was already struggling with its load: millions of events were filling up our backlog waiting to be processed; our API was frequently timing out; our processes were crashing.

AI in Networking with Andrew Yourtchenko

I always wanted to find someone who is more positive about AI than I am, while having solid “can deliver working stuff at scale” credentials. Andrew Yourtchenko definitely fits the bill. I first met him (online) when he was still an engineer in Cisco TAC, and when we finally met in person, he was busy automating the deployment of Cisco Live networking infrastructure. He was also instrumental in bringing us closer to ubiquitous IPv6 deployment with Happy Eyeballs.

Cisco Live 2026 – Requiem For A Corner

Cisco Live US 2026 was an interesting ride this year. There was a lot of talk about AI. There was a big discussion about security and how we are protecting our software from the AI models on the horizon that are ready to uncover every bug ever conceived. And there was even more discussion about whether Cisco was ahead of the game or behind the curve on their support for everything from eBPF to the latest Mythos reports. I say there was a lot of discussion, but I’m not sure where exactly it was happening.

Social Desert

One of the biggest things I heard from my friends at the event was how light everything felt. Fewer people was a common theme. The reported number was around 22,000 but it felt closer to 20,000 to me. The World of Solutions felt very spread out this year, with most of the back side being Cisco booth space.

The other thing was the Social Hub. It had shrunk from last year. At least the couches were facing each other this year. And there were some cool stickers and some interesting puzzles to work on. But there were far too few tables for people

Installing Dnsmasq in My Homelab

Dnsmasq is an application which has features like DNS caching, DHCP server, and so on. It’s useful as a DNS server in a homelab as it can reply to DNS queries for what’s in its database, and forward everything else to an authoritative server or recursive resolver. This is useful in my lab as I want to resolve for example gitlab.lostintransit.se locally, but lostintransit.se (my web server) or any other domains via recursive resolvers. Most DNS servers are authoritative for a zone or parts of a zone, but dnsmasq responds only to what it knows and forwards everything else, which is perfect for my needs.

First I’ll configure a static IP on the host by modifying the file in /etc/netplan:

sudo vi 50-cloud-init.yaml

The contents are now:

sudo cat 50-cloud-init.yaml 
network:
  version: 2
  ethernets:
    ens160:
      dhcp4: no
      addresses:
        - 192.168.128.53/24
      routes:
        - to: default
          via: 192.168.128.1
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4

I’m using recursive resolvers for now but will update it later.

Then apply the configuration:

sudo netplan apply

The IP has been updated:

ip addr show ens160
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP>