Originally aired on May 29 @ 1:30 AM - 2:00 AM EDT
Join Vivek Ganti (Sr. Product Marketing Manager, Cloudflare), Greg McKeon (Product Manager, Cloudflare), João Sousa Botto (Product Manager, Cloudflare), Hannes Gerhart (Product Manager, Cloudflare) as they discuss all of the exciting announcements from this past week in honor of Cloudflare's 11th Birthday!
Hello everyone and happy Friday. Welcome to the session on Cloudflare TV on birthday week. My name is Vivek and I'm with the product marketing team here at Cloudflare. I have the distinct honor of being joined by not one, not two, but three product managers from Cloudflare, all of whom have launched very interesting and exciting products this past week for birthday week. And if you don't know what birthday week is, we'll talk about that in just a second. But before I do that, I want to make sure we all introduce ourselves. Joao, would you like to introduce yourself? Sure. I'm Joao Botto and I'm a PM here at Cloudflare. One of the products that you may know me from is email routing that we just launched this Monday as part of birthday week. And that's what we're going to talk about here. Hannes? Yeah. Hey, thanks for kicking it over. My name is Hannes Gerhart. I'm the product manager for DNS here at Cloudflare. Yeah. And also I was part of birthday week with a feature we'll be talking about in a bit and yeah, glad to be here today. Greg? Hey everyone. My name is Greg. I'm product manager for distributed data within the Workers team. So we're going to be talking a little bit about R2 object storage, which we launched this week. Cannot wait to talk about all of these. All right. So for folks that are joining and are wondering what birthday week is, well, it's essentially the week that Cloudflare was born. Cloudflare was launched at the TechCrunch Disrupt Conference on September 27th of 2010. So this marks essentially Cloudflare's 11th birthday and every year since we've been observing our birthday this week. And the way we observe it is by launching new products and features and functionalities to the world that further our mission of helping build a better Internet. So you'll see that historically we've launched key products like SSL for SaaS, even rebranded ourselves with the smaller F in 2016.
We were pioneers in launching unlimited and unmetered DDoS protection for everyone back in 2018. And of course, if you know us for Warp or Warp Plus and even Cloudflare Radar, which is actually one of my favorite products at Cloudflare was launched over birthday week. And this year we are on today's Friday, we've been launching super exciting products every single day of the week. One of them being email forwarding. So Joao, one thing that people know Cloudflare for is domain protection, domain security, domain website acceleration. So how did we get into the email space? Tell us about your announcement. Yeah, yeah. I think Matthew, our CEO has been telling for the longest time that we weren't getting into email. But now we think that we can really make a difference. Customers have been asking us forever to get into email and to handle their email since we already handle, as you mentioned, websites, their routing, we essentially manage their entire infrastructure. But email was definitely something that was missing. And so here we saw an opportunity of helping people be safer around the Internet, because when, as you mentioned, our mission is really to help build a better Internet. And building a better Internet is also building a more secure Internet and making sure that people are protected online. So email routing has a lot of different use cases. But one that I love to talk about is really that you shouldn't be using a single email account for all your Internet presence. So for instance, a lot of people use their email, or pretty much everyone uses an email address as the login for their online banking. But that same email is often the one that they use for subscribing to newsletters and coupons, and they found something that they want to buy, and they just give that email address away. And so there's so much stuff going to your email and so many things that are potentially insecure, that you really want to make sure that you have a better grip on it. 
So historically, what we recommended is that people have multiple email accounts, maybe one for newsletters and spam and promotions, another one for, say, communications with the government, another one for logins, say, social media logging into your Facebook and Twitter accounts, and then another one for, like, banking and critical services. But very few people did that, both because, one, some people didn't know about it, and two, because it's quite a hassle to manage multiple mailboxes. So if I'm constantly monitoring my work email or my Gmail accounts all day long, but if instead of one, I have, like, four Gmail accounts, it's very likely that I'm going to go, like, once a month to each one of those accounts. And so it was, like, super hard, and you needed to be really motivated to go down that safer route of having multiple email addresses. And so what we've done is really created this email routing solution that's where you can create unlimited number of email addresses, and those all route to your preferred email address. So for instance, I can create three or four different email addresses for myself that I use for different purposes, and still have them all land on my Gmail inbox, where I can see what was the destination, I can see that it came for that specific email on my domain, say, info.chuao.com. Like, I can, I know that it came for that address, I know where it came from, but it's just aggregated within my preferred mailbox. Again, Gmail, your corporate email, anything like that. That's great. So essentially, I know personally, I have multiple, I mean, as a consumer of email and many services, including banking and couponing, I've realized it's probably not the best idea to give out my Gmail address to every single retail provider out there. 
So I would use Cloudflare to, is it a fair analogy to say that you're re-lettering my letters and posting them to this one singular, unified email address, where I'm getting my email from all different accounts that I own? Yeah, not only it's a great analogy, but it's actually, it uses the same names in the digital world. So what we do is we change the envelope. So if you imagine physical mail, you get a letter, maybe inside of that letter, there's a header that says your address, that says where it's coming from, who it's coming for. But on the outside, you also have an envelope and the envelope also says, who is this targeting? Like, what's the destination? And what we do is essentially we change the envelope. We say, okay, we received this letter, we know that this letter should be forwarded somewhere else. And so we grab the letter and we put it inside of a different envelope that we ship to another place. So we don't tamper with the letter. We don't change anything there. You know exactly where it came from. You know exactly where it was coming to. You know exactly the body and the content of your email. Like we're not messing with any of that. It's not our business. Like we're not trying to target you with ads or anything like that. So we just put it inside of another envelope and ship it away. You read my mind. That was going to be my next question. As a privacy-focused customer or consumer of email, should I be worried that Cloudflare is looking into my email and maybe, I don't know, targeting ads? Because I get that with Gmail a lot. Yeah, we're definitely not doing that. Although if you're redirecting this to your Gmail accounts, they can still see it, obviously. But on our side, we're definitely not looking into any of that. And you just configure it the way that you want. Yeah. So privacy is built in. That's great. For sure. What I also love about this feature, Joao, and you will definitely be winning me as a power user of this.
Now that we launched registrar for everyone, you can just easily sign up a new domain on Cloudflare and just create a completely new email address. You can come up with whatever name you want, my fancy party on friday.com or whatever, and then have an email address and be routed to your Gmail account. Yeah, I actually did that. I actually created a brand new domain on registrar to test it out. And I paid, I don't know, like $6 for a year of that new domain because Cloudflare isn't making any money with registrar. It's just a service that we need to provide. And so, yeah, I bought an email, a domain for super cheap, and then I created a bunch of addresses with it. It's really cool. I love that. Yeah. And for folks that are wondering, one of the other announcements of this week, and we don't have a PM for that here today, but Cloudflare has had a registrar for a couple of years now, but now with this latest announcement this past week, we're becoming a full registrar. And while previously you had to transfer your domains to Cloudflare, beginning this week, if I'm right, and correct me, Joao, if I'm not, all Cloudflare customers will have full registrar access, including the ability to register new domains. And not just that, but we're also introducing 40 new top-level domains, including .qk, which is the biggest app. .qk is huge. Yeah. Yeah. And as Joao just mentioned, we're not obviously charging any more than what we are charged ourselves. There's no additional cost for the user. What you seize off and what you pay, unlike a lot of other vendors out there, I won't name them, who give you a discount for the first few months and then jack up their price. So, Hannes, moving on to your announcement, which is also to do with email or an extension of that. Tell us, what did you launch this past week? Yeah, cool. I'm very, very happy to.
So, the feature I was involved in during the last couple of weeks and we launched on Monday, besides email routing, is called Email Security DNS Wizard. We like the name because it suggests a little bit of magic in the background. What it is doing is two things, actually. So, it solves two problems with fighting against email spoofing and email phishing. There are already DNS-based security mechanisms out there. Some of you might know them. It's SPF, DMARC, and DKIM. But wait, before we get into the solution itself, explain the problem to me. Tell me what email spoofing is and email phishing is. Yeah, definitely. So, spoofing is the process if somebody else impersonates another person. It's itself nothing bad, right? So, I can impersonate, I can spoof a domain, change a letter that it looks very like the original website, and then I can try to attract the users to my new website, which looks very similar but is a different website. And then that can lead to malicious things, right? I can try to get sensitive data out of those users. Yeah, that is more into the direction of phishing. For email spoofing, it's very, very likely to domain spoofing. I would actually send emails and change the from header. And then my email I'm sending from my email server in my basement looks like it came from joao at Cloudflare.com, for example, right? So, and I'm sending this to his friends, to his customers. And I am impersonating him. And if there are not the right mechanisms in place, that could, you know, lead to serious and bad things like email phishing. And how big a problem is this? Is this very common? How concerned should people in general be? Yeah, so phishing is one social engineering attack. And it's actually the most common one. And it leads to millions of dollars of loss every year. So, it's very serious. So, yeah, we should do everything we can to tackle it. Wow. These are some big problems. So, what is the solution that Cloudflare is offering? Yes.
So, the mechanisms are already out there. There is the Sender Policy Framework. It's a record that you publish on your domain that informs email receivers who is authorized to send email on your behalf. So, we basically would specify the specific IP addresses of the authorized senders. This is built as a part of the DNS protocol? Or is this something, is it a different tool altogether? Yeah, it is a mechanism that is implemented by email receivers. And it leverages the DNS in order to publish the policy. Got it. Yeah. Then we have another mechanism called DKIM. This is used for email signing. Basically, to cryptographically sign part of the email, the body, for example, to make sure that the receiver can then verify the signature and prove this actually came from the legitimate sender. And then we have DMARC, the last of the three, which makes sure to enforce these policies and also to provide a way of getting the sender aggregate reports. So, the sender is aware what's happening on my domain, right? And are there many attempted spoofing attacks, right? How many emails are failing these checks? How many are conformed? So, they just get some data into that. Got it. So, these, it sounds like SPF, DKIM, and DMARC are existing tools in the toolbox that I can use to prevent email spoofing and phishing. Exactly. And so, how does Cloudflare help me adopt these protocols? Yeah, exactly. So, the problem with these three mechanisms is that the adoption is not as high as it should be. SPF has been around, I think, since 2006 or so. DMARC and DKIM came a little bit later. And if you look at a couple of different reports, we still see that, for example, DMARC is around 50% of all domains have a DMARC record, right? So, that's not high enough. Even if you're not sending email on your domain, you should still use these mechanisms in order to signal receivers, please don't accept any email on this domain, right? So, nobody can spoof your domain.
So, this is where Cloudflare comes in. Cloudflare is the largest DNS provider on the planet. Around 14% of all websites or domains are using Cloudflare for DNS. So, what we are doing now with this feature is we will let users know who are using Cloudflare for DNS. When they go to our dashboard, they will see warnings. Hey, you actually don't have an SPF record. You should create one. Or you don't have a DMARC record. Here's how you can create one very easily and quickly. And the second big problem is that those policies are not so easy to configure. They can become quite complex very soon. So, with this UI wizard, we make it easy to create those records, right? It's a couple of steps and you have the records configured and we directly publish it to your domain. That's great. So, essentially, what you're doing is you've built a wizard that's making it much easier for me to adopt these three tools that already exist and helping me make my domain even more secure. You're guiding me towards, if there's like insecure DNS configuration, you're guiding me towards a more secure configuration, making it much easier for me to use. Exactly. And the coolest thing actually is usually people only think about these mechanisms when their domain is actually used to send emails, right? But as I said before, using these is also highly encouraged if your domain does not send emails, right? So, thousands of users have seen these warnings by now. Hey, we noticed you actually don't use your domain to send emails. Maybe it would make sense to configure these mechanisms in a restrictive way so nobody else can do it, right? So, this is actually, I think, the biggest impact we have here. Yeah, that's fantastic. And on the receiving end, it's also super important because Hannes is protecting the sending emails. But on the receiving end, one of the things is for doing anti-spam, one of the things that we do is we check those DMARC scores.
So, even if DMARC doesn't specifically say that we need to reject every email that doesn't pass DKIM or SPF, what we do is we know that it didn't pass. And even if we weren't instructed to automatically reject those emails, we know that they're probably spam. And so, we can start working on our anti-spam for not only the customer that used those records, but for all other customers because that's the way anti-spam works. When we see a spam message coming to one user, we know that all other users are probably also seeing this same spam behavior. And so, we can protect ourselves against that because we know that email is saying that it's coming from Cloudflare.com, but instead, it's coming from a server that doesn't belong to Cloudflare, that belongs to whatever other organization, or because a message says that it's signed, but the signature was broken. Someone tampered with the email body. And so, by knowing that, we know how to flag those emails and we know how to react to them. So, on the receiving end, it's also super, super useful when people have set those policies to start with. Wow. So, on the sending side and the receiving side. And what I love about this is that everyone uses email. I think half the world's population probably has at least one email address. And I think the impact that these two products have will be massive. How does it feel to be the builder, the product manager of products, which has such wide reach? I think you kind of get used to it at Cloudflare, right? I mean, we have millions of domains using our services and we really try to give as much as possible to our free users. So, whenever you start at Cloudflare, you always basically are building stuff for millions. How do I sign up for, is there a waitlist or can I go to the dashboard right now and see the DNS wizard? How does that work? So, the DNS wizard is rolled out over the next couple of weeks. We kind of rolled it out in stages. 
So, right now, there are already thousands of free users having access to this feature. Obviously, you can tell me your domain and I can enable it for you if you want to get access to that earlier. And the way we reach out to you is, what's your email address, Hannes? I'm going to put you on the spot over there. It's fine. It's just hannes.Cloudflare.com. So, you can email me and I can certainly set this on your domain. But eventually, every customer, everyone who's using Cloudflare DNS will have access. On any plan, free, pro, business, enterprise. That's great. That's awesome. Moving on to the next most exciting announcement, arguably, the one that garnered the most press this past week is our announcement, our Cloudflare R2. I don't want to steal your thunder, Greg. So, why don't you tell us? Take us to light. Yeah, sure. So, Cloudflare R2 is an S3 compatible object store that we announced with zero egress bandwidth charges and with charges for operations and storage that are significantly less than the other major cloud providers out there. I like how you just shrugged and said zero egress bandwidth fees, like it was no big deal. Yeah. I think the PM lesson from the past week is that people do not like egress charges. They tend to be pretty heavily marked up and cause a lot of pain for people. And so, we're kind of going right at that. Yeah. So, R2 is Cloudflare's blob storage option. And you're saying that traditionally cloud providers have charged for not just bandwidth storage size, but also storage operations. And these bandwidth egress fees are pretty exorbitant with some of the largest cloud providers that we know. But tell us a little more about R2 as a product and how are we able to pull this off without charging any bandwidth egress fees? Yeah. So, I think we look to build products at Cloudflare that we need internally. And so, we've obviously needed storage for a long time and we've had some solutions there. 
But we figured we needed to build something that really made sense for Cloudflare's network. The fact of the matter is when you're buying bandwidth, it's really a fixed cost where you say the size of the pipe you want, and then you get to utilize up to that amount of pipe, up to the size of the pipe. But there's no real marginal cost associated with sending a little bit more bandwidth across. And so, because of Cloudflare's scale and because of our network, we believe we're going to be able to drive bandwidth costs down in the future and already have significantly today. And if we remove this obstacle for our customers, they can build entirely new applications on top of the Workers runtime, on top of our edge. And so, it's really important for us that we get there. And we've worked to build on our network for a long time now and have a number of partnerships that I think really give us attractive rates on bandwidth. And so, we can offer this to customers in a way that other cloud providers just won't have chosen not to. And so, that's pretty exciting. Yeah, it is exciting. And so, to summarize what you're saying is we're able to do this because of the scale at which we operate. We have this distributed network that we've built over the last 10 years, 11 years. And we have alliances with a lot of cloud providers as well. Do you want to talk about the Bandwidth Alliance, which is an integral part of this announcement as well? Yeah, definitely. I mean, I want to be clear. There are other companies with large networks like ours as well. They just are choosing not to make the bandwidth actually priced fairly. So, they're choosing to kind of leave that as a huge profit center for themselves. And that's fine. It's just not our approach. We would rather developers be able to build entirely new applications versus kind of squeezing them for every last penny. On a similar note, the Bandwidth Alliance is a partnership with a large number of third-party cloud providers.
Azure is in there. GCP is in there. Backblaze, DigitalOcean, a whole list of others that I'm forgetting now and not including. But it's basically an agreement between those parties to zero rate or heavily discount egress traffic across them. And again, the goal there is that developers can use the best tool for the job. So, if I want to go and use Backblaze's storage offering because that's better priced or works better for my use case, I don't have to worry about paying $0.09 a gigabyte for egress just to be able to go do that. And that really lets these products compete on their actual merits. So, you're actually able to use a storage service that is the best for your use case versus kind of being locked in to the cloud provider that you're stuck on. And that's the vision for the future that we have, is this ability to go across multiple different services to be able... I used to work at MongoDB to be able to go, hey, I would love to have a MongoDB Atlas cluster and stream my data into there, possibly out of R2 and then stream my data somewhere else, run a DataStax cluster as well, be able to have this interoperability. You can really access all these different services that are the best fit for your current application. And the bandwidth allows the start of that, but I think having access to object storage from Cloudflare's network is the next step. Where do you want all that data to sit if you're going to be migrating across all these different services? Probably in the middle, probably somewhere that can egress it quickly and at low cost. So, that's why I think this announcement is really exciting. It enables this future where developers are able to use open tools and use the tools that fit them best without having their data locked in. And I think that's why we saw so much positive reaction to the announcement. Yeah, a lot of positive reaction, a lot of press around this. How's it priced?
Speaking of egress bandwidth fees and costs and being cheaper than other providers? Yeah, definitely. I think there's three points to hit on here. Typical storage provider solutions charge on egress bandwidth, stored data, and number of operations. And so, what we've said is that we're on the stored data front, we're going to be charging a cent and a half per gigabyte, which is about 30% less than most of the other major cloud providers. We've also zero rated the egress. Egress tends to be a huge issue because egress starts at around $0.09 a gigabyte. So, if you're paying $0.02 a gigabyte for storage and $0.09 a gigabyte for egress, you're paying four times the cost to store something for a month to actually just take it out of the cloud provider. So, that was really the core of the announcement was the zero egress rating. And then we're still working on figuring out what our pricing is going to be for operations. We have to operate the system a little bit. Operations vary based on how frequently people are requesting things and the amount of work your system has to actually do to provide those requests. So, what we've said is for infrequent access, we won't charge for operations. Some threshold around like one operation a second or something like that, one to 10 operations a second. And then down the road, we'll announce pricing for read and write operations as you scale up. And that's another really big compelling part of this announcement is I think there are providers today who have low cost egress, not necessarily zero, but relatively low cost for their object storage. What we want is to be able to have people sort of start at a low request rate and go all the way up through to build major applications on top of R2 and not have any issues, not have to migrate their data eventually, not have performance or reliability problems.
So, getting the performance reliability of one of those major cloud provider solutions at the lower cost without really having to do anything. I like that. I like the sound of that a lot. Speaking of performance and reliability, why is this product called R2? Is it just a reference to R2-D2 from Star Wars? It's actually not a reference to R2. It's a reference to the fact that it is S3 minus the thing that everyone hates, which is the egress fees. And then from there, we sort of riffed on what the two R's stand for, but I don't know if there's an official answer. I like it. I like it a lot. I think in the blog you say redundancy and resiliency or ridiculously reliable. There's lots of R words we could say are part of it. So, I'll keep making them up as we do more blog posts. Yeah. Finally, how does one sign up for R2? Yeah. So, R2 is in really heavy development right now. We're getting close to where we need to be to be in an open beta. So, we have a signup form to express interest. That's really the best way right now to let us know that you'd like to be a part. And then we'll be announcing an open beta soon. Cool. Thank you so much, Greg. We have about one minute left before we have to wrap it up. And I wanted to take that time to first of all, thank you all for taking the time and coming and talking to us and talking through all of your announcements. And for those watching, there's a string of other launches and announcements that we've made in this past week. Everything ranging from real-time web communications platform to live streaming, and also announcing Cloudflare in office buildings and real estate buildings like WeWorks, et cetera. And then today, we will be announcing some interesting additions to Web 3.0 as well, where we're announcing the private beta of Ethereum and IPFS gateways, which have been in development with the research team at Cloudflare for a really long time. And now we're making available to the world. Cloudflare is entering email.
Cloudflare is releasing a new blob storage product, all fun and exciting stuff. Thank you so much for building this. And thank you so much for telling us everything about the exciting stuff that you're doing here at Cloudflare.