
SaaS update: tightening email authentication for *.jitbit.com addresses

by Alex Yumashev · Updated May 15 2026

TL;DR

We are changing SPF and DMARC handling for *.jitbit.com email addresses to "hard fail" after a wave of spoofing attacks. Reach out to support if you're affected.

Background

For years we kept SPF and DMARC rules for email addresses under *.jitbit.com more relaxed than a security person would like.

Not because we thought email spoofing was charming, but because real customer setups are messy. The kind of messy where someone sends mail through their own SMTP server, or SendGrid, or some internal relay last touched in 2014, but still uses support@company.jitbit.com as the From address because that is what their users recognize.

And for a long time, bending a little made the product easier to use.

Unfortunately, the internet saw this tiny bit of flexibility and did what the internet does best: turned it into a problem.

Hackers and spammers started abusing our .jitbit.com domain family by sending fake emails that appeared to come from customer subdomains. Think addresses like support@adidas.jitbit.com or other convincing-looking tenant domains. The emails did not come from Jitbit (we have toh-ons of protections against that), but to a mail server or a human skimming quickly, they looked more credible than random garbage from a disposable domain.

And replies to these messages could end up in our ticketing system, generating nice autoreplies & email confirmations - all using our name as a cheap credibility costume.

So we are changing it

Starting this week, we are tightening SPF and DMARC policies for *.jitbit.com email addresses to hard fail/reject.

Now if an email claims to be from a *.jitbit.com address, but it is not authenticated as allowed to send for that domain, receiving mail servers will reject it instead of shrugging and letting it through.

This is the correct security posture. But it is also the kind of change that can break weird-but-working setups, which is why we avoided doing it until the abuse got serious enough that the tradeoff flipped.
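To make the receiving side of this concrete, here is an added example (not Jitbit's code or Jitbit's actual DNS records) of how a receiver's decision changes between a relaxed and a hard-fail policy. The SPF/DMARC records and IP addresses are constructed placeholders, the SPF evaluator is deliberately simplified to `ip4:`/`ip6:` and `all`, and the envelope sender domain is assumed to match the From domain.

```python
import ipaddress

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, sender_ip):
    """Simplified SPF check: handles only ip4:/ip6: mechanisms and 'all'."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:                  # skip the "v=spf1" tag
        qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return SPF_QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return SPF_QUALIFIERS[qualifier]
    return "neutral"                                 # nothing matched, no 'all'

def dmarc_disposition(spf_record, dmarc_record, sender_ip, dkim_aligned_pass=False):
    """Return (spf_result, receiver_action).

    Assumption: the MAIL FROM domain equals the From domain, so an SPF pass
    is also an aligned pass for DMARC.
    """
    spf = spf_result(spf_record, sender_ip)
    if spf == "pass" or dkim_aligned_pass:           # either aligned pass satisfies DMARC
        return spf, "deliver"
    tags = dict(t.strip().split("=", 1) for t in dmarc_record.split(";") if "=" in t)
    policy = tags.get("p", "none")                   # p=none requests no action
    return spf, {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]

# Constructed sample data (documentation IP ranges, placeholder records).
RELAXED = ("v=spf1 ip4:192.0.2.0/24 ~all", "v=DMARC1; p=none")
STRICT = ("v=spf1 ip4:192.0.2.0/24 -all", "v=DMARC1; p=reject")
AUTHORIZED_IP = "192.0.2.10"      # stands in for the normal outbound mail path
OWN_RELAY_IP = "198.51.100.25"    # stands in for a customer's own SMTP server

if __name__ == "__main__":
    for name, (spf, dmarc) in (("relaxed", RELAXED), ("strict", STRICT)):
        for ip in (AUTHORIZED_IP, OWN_RELAY_IP):
            print(name, ip, dmarc_disposition(spf, dmarc, ip))
```

The same unlisted relay that was delivered under the relaxed records is rejected under the strict ones, unless the message carries an aligned DKIM signature (`dkim_aligned_pass=True`).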

Who might be affected

You might be affected if you send outgoing helpdesk email through your own SMTP server, SendGrid, or another third-party mail service while using a support@yourcompany.jitbit.com From address.

If your mail is already sent through Jitbit's normal outbound mail path, you should not need to do anything.

If your custom setup suddenly starts bouncing, failing DMARC, or disappearing into the modern email-deliverability swamp, please contact us at support@jitbit.com. We will help you figure out the least painful fix, add your server to our whitelist, or something like that.