Monitor Your Email Reputation and Certificates in Prometheus

Generator Labs Prometheus exporter GitHub repository

If your team already runs Prometheus, you can now pull Generator Labs monitoring data directly into your metrics stack. The Generator Labs Prometheus exporter exposes blacklist listing status and SSL certificate expiry as standard Prometheus metrics, making it straightforward to build Grafana dashboards or set up alerting rules alongside the rest of your infrastructure.

What It Exports

The exporter surfaces metrics for both products:

  • Blacklist monitoring: active listing status per host, listing counts by source type, last check timestamps
  • Certificate monitoring: days until expiration per monitor, active error status, chain and hostname validation results

These map cleanly to Grafana panels: a certificate expiry countdown per domain, a listing status heatmap across your host inventory, or a single alert rule that fires when any host gets listed or any cert drops below 14 days.

Installation

Three options are available depending on your environment:

Pre-built binary: download from the GitHub releases page and run directly. No dependencies.

Docker:

docker run -e GENERATOR_LABS_ACCOUNT_SID=your_sid \
           -e GENERATOR_LABS_AUTH_TOKEN=your_token \
           -p 9090:9090 \
           ghcr.io/generator-labs/prometheus-exporter:latest

Build from source: requires Go 1.21 or later.

Configuration

The exporter takes two credentials: your Account SID and API token from your Generator Labs account settings. Supply them as flags (--account-sid, --auth-token) or the environment variables above. The metrics endpoint is exposed on port 9090 by default.

Add a scrape config to your prometheus.yml:

scrape_configs:
  - job_name: 'generator-labs'
    static_configs:
      - targets: ['localhost:9090']

Full setup guide on GitHub.

QUIC in PHP, Built on OpenSSL’s Native Stack

I have spent the last while building php-quic, a PHP extension that exposes raw QUIC transport, both client and server, with first-class access to QUIC streams. The thing I am most happy about is what is not in it: no ngtcp2, no quiche, no Rust, no FFI. It is built directly on OpenSSL 3.5’s native QUIC stack, so the only dependency is an OpenSSL you very likely already have.

Why Bother

QUIC has been the transport under HTTP/3 for a few years now, and it is creeping into other protocols too: DNS-over-QUIC, SMB, and a growing list of custom things people are building when they want streams, TLS, and congestion control without standing up TCP plus a separate TLS layer. PHP had no real way to speak it. If you wanted QUIC you reached for a C library with its own TLS stack bolted on, wrapped it in FFI or a custom extension, and inherited a second copy of all the certificate and crypto logic you already trust OpenSSL to handle.

The reason this is suddenly worth doing is OpenSSL 3.5. It ships a native QUIC implementation, client and server, that reuses the same TLS engine everything else in your stack already uses. That removes the entire argument for pulling in a Rust or C QUIC library just to get a handshake. So php-quic is thin on purpose: it is a binding to a transport that is already there, not a reimplementation of QUIC.

What It Actually Does

It gives you the transport and gets out of the way. You get connections, you get streams, you get the event-loop primitive to multiplex them. What you do not get is protocol framing. HTTP/3, DNS-over-QUIC, or whatever you are building on top, that is yours to write. I made that split deliberately. The transport is the hard, fiddly, easy-to-get-wrong part, and the framing is the part that differs for every protocol.

The API is small. Three classes and a poll function:

  • Quic\Connection: a client connection, with openStream(), acceptStream(), close(), and certificate and crypto inspection.
  • Quic\Listener: the server side, bind a host and port and accept() connections.
  • Quic\Stream: the actual data path, with write(), read(), end(), and reset(). Bidirectional or unidirectional.
  • Quic\poll(): the event-loop primitive for non-blocking, multiplexed I/O across many streams.

A client connection is about as short as you would hope:

$conn = new Quic\Connection('cloudflare-quic.com', 443, ['alpn' => 'h3']);
$control = $conn->openStream(false);
$control->write("\x00\x04\x00");

That opens a QUIC connection, negotiates the h3 ALPN, and opens a unidirectional control stream. Everything past that first byte is HTTP/3 framing that you write yourself.

A Concrete Example: DNS-over-QUIC

DNS-over-QUIC is a clean fit for QUIC: one query per bidirectional stream, a two-octet length prefix, done. With php-quic the transport part collapses to a few lines:

$conn = new Quic\Connection('dns.adguard-dns.com', 853, ['alpn' => 'doq']);
$stream = $conn->openStream();
$stream->write(pack('n', strlen($query)) . $query, true);

The true on the write sends the FIN with the data, which is exactly what DoQ wants: one query, stream half-closed, read the response back. That is the whole transport. If you want to see DNS-over-QUIC running against a real resolver without any of this, mrdns.com has the diagnostic tooling.

Non-Blocking by Default

QUIC multiplexes many streams over one connection, so a blocking read-one-thing-at-a-time model throws away the entire point. The poll() primitive lets you wait on a set of streams and act on whichever is ready:

Quic\poll([[$stream, Quic\POLL_READ | Quic\POLL_ERROR]], 1.0);
$chunk = $stream->read(65535);

That is enough to drive a real event loop, and on the server side a Quic\Listener can fan out across processes with SO_REUSEPORT so you scale horizontally without a load balancer in front doing connection-aware routing.

Requirements and Install

You need PHP 8.4 or newer (8.5 on Windows) and OpenSSL 3.5.0 or newer built with the native QUIC stack. The OpenSSL version is the real gate here, since 3.5 is recent. The easy path is PIE:

pie install mikepultz/php-quic

Or build it the usual way and add extension=quic to your php.ini:

phpize
./configure --with-quic
make && make test
sudo make install

What It Does Not Do Yet

I would rather be honest about the edges than oversell this. A few QUIC features are not in the first cut: no unreliable datagrams (RFC 9221), no 0-RTT early data, and no connection migration. There is also a small per-stream memory retention, on the order of 300 bytes, that matters only on very long-lived connections opening enormous numbers of streams. None of these block the protocols I built it for, but if your use case depends on datagrams or 0-RTT, know that going in.

Try It

The code is on GitHub under BSD-3-Clause. If you have wanted to speak QUIC from PHP, whether that is HTTP/3, DoQ, or something of your own, I would genuinely like to hear what you build with it and where the API gets in your way. Issues and pull requests welcome.

Monitoring Your Email Reputation with Microsoft Smart Network Data Services

Standard blacklist monitoring tells you whether your sending IPs appear on public RBLs. It doesn’t tell you how Microsoft specifically views your mail. That’s a separate reputation system, and it matters a lot: Outlook.com, Hotmail, and MSN together represent a significant share of consumer email. Generator Labs now integrates directly with Microsoft Smart Network Data Services (SNDS) inside your blacklist monitoring dashboard.

What SNDS Provides

SNDS is a free Microsoft program that gives senders data about mail flowing from their IP addresses into Microsoft’s mail infrastructure. The metrics it returns include:

  • Message volume from each IP
  • Spam complaint rate
  • Spam trap hits
  • Overall IP status (Green / Yellow / Red)
  • Filter result breakdown

A Red status from SNDS means Microsoft is actively blocking or heavily filtering mail from that IP. Yellow is a warning that reputation is declining. Most teams only discover this when customers start reporting missing mail.

Why It’s Worth Monitoring Separately

SNDS status doesn’t always correlate with your RBL status. You can be clean on every public blocklist and still have a Yellow or Red SNDS rating because of complaint rates, trap hits, or sending patterns that Microsoft’s filters flag specifically. The inverse is also true: an SNDS Green rating doesn’t mean you’re clean on all public RBLs.

Treating SNDS as a separate signal, alongside your regular blacklist monitoring, gives you a more complete picture of your sending reputation and catches Microsoft-specific issues before they escalate.

Setup

Go to RBL Monitoring > SNDS in the portal and add your SNDS access key. Microsoft issues one key per registered IP range. Once connected, Generator Labs pulls your SNDS data automatically and surfaces status changes alongside your other monitoring results.

Setup instructions are in the SNDS documentation.

What Migrating My AWS Fleet to Graviton Taught Me

Over the last while I have moved everything I run on AWS to Graviton, the ARM CPUs AWS designs in house: the EC2 instances behind my services and the ECS containers that make up most of the actual workload. The short version is that it was worth it, the bill went down, and almost nothing about how I write or run code had to change. The longer version has a few sharp edges worth writing down, plus some genuinely interesting silicon arriving now in Graviton5.

Why ARM in the Cloud

The pitch is not “ARM is faster,” it is price/performance. For the same dollar you generally get more useful work out of a Graviton instance than the equivalent Intel or AMD one, and AWS prices the instances lower on top of that. Set expectations correctly, though: a single Graviton core will not smoke a top-bin x86 core on a single-threaded benchmark. The win shows up across a fleet of web servers, API workers, queue consumers, and databases: more cores per dollar and steady throughput under real concurrent load. If you are chasing the lowest latency on one hot thread, measure first.

ARM vs Intel vs AMD in Practice

  • Graviton is my default: best price/performance for general compute, web tiers, microservices, and most databases, at the lowest cost and power.
  • AMD is the value x86 option when something genuinely needs x86 but not Intel specifically.
  • Intel is a deliberate choice for AVX-512, Intel-specific acceleration, or vendors that only certify on Intel. It is the priciest of the three.

What actually decides it is rarely the chip and almost always the software. If everything you run is open source or built from your own source, ARM is a non issue. The moment a proprietary, x86 only binary shows up, that workload stays on x86 until the vendor ships an ARM build. So the real question per service is not “is ARM fast enough,” it is “does every binary in this container have an arm64 version.”

What Actually Bit Me

None of these were dealbreakers, but I wish I had batched them up front instead of finding them one service at a time.

The first one is the biggest mindset shift: your images must be multi-arch. Your base images, every layer, and your own build all need linux/arm64. I moved to docker buildx and publish multi-arch manifests so one tag resolves correctly wherever it runs:

docker buildx build \
    --platform linux/amd64,linux/arm64 \
    -t myrepo/myservice:latest --push .

Then ECS has to be told which architecture to use. The task definition’s runtimePlatform defaults to x86, so set it to ARM64 and run on Graviton capacity or Fargate:

"runtimePlatform": {
    "cpuArchitecture": "ARM64",
    "operatingSystemFamily": "LINUX"
}

When a service misbehaves after the switch, the first thing I check is whether the published tag actually contains both architectures. This one-liner saves a lot of guessing:

docker buildx imagetools inspect myrepo/myservice:latest
# look for linux/amd64 and linux/arm64 in the platform list

The rest are smaller traps worth knowing up front:

  • Emulated CI is slow. Building arm64 on an x86 runner means QEMU, which is painful for anything compiled. You no longer have to: GitHub-hosted native arm64 runners are generally available, free for public repositories and now offered for private ones too, so the pipeline builds on real ARM hardware instead of emulating it.
  • Native dependencies are the long tail. Interpreted code moves for free; compiled extensions (native npm modules, Python wheels, cgo, old vendored binaries) each need an arm64 build.
  • Check your sidecars. Logging, metrics, and security agents need arm64 images too. The mainstream ones have them, but a sidecar that silently fails to start will ruin your afternoon.
  • Managed services are the easy win. RDS, ElastiCache, and Lambda offer Graviton with no code change. Start there to build confidence.

Graviton5: What Changed

While I was mid migration, AWS moved the goalposts. The lineage shows the trajectory:

Gen Cores Microarch ISA Clock Memory
Graviton2 64 Neoverse N1 Armv8.2-A 2.5 GHz DDR4
Graviton3 64 Neoverse V1 Armv8.4-A 2.6 GHz DDR5-4800
Graviton4 96 Neoverse V2 Armv9.0-A 2.8 GHz DDR5-5600
Graviton5 192 Neoverse V3 Armv9.2-A 3.3 GHz DDR5-8800

Graviton5, announced in December 2025 with M9g instances reaching general availability in mid 2026, is a bigger step than the version bump suggests. It doubles Graviton4 to 192 Neoverse V3 cores, built on a 3nm process as four chiplets of 48 cores each with up to ~420 GB/s between chiplets. It carries 192 MB of L3 cache (around five times the prior generation), 2 MB of L2 per core, DDR5-8800, and PCIe Gen6. It also ships a new Nitro Isolation Engine, which AWS describes as a formally verified hypervisor: the VM isolation property is mathematically proven, not just tested.

AWS quotes roughly 25% better compute than Graviton4 per core, with up to ~35% on web apps, up to ~35% on ML inference, and ~30% on databases from improved branch prediction. Take vendor percentages with the usual grain of salt and benchmark your own workload, but the architecture behind them is real. For densely packed container fleets the per core number matters less than doubling the cores while growing cache and memory bandwidth. The general purpose M9g and M9gd are out now; the compute optimized C9g and memory optimized R9g are the variants I am waiting on, since most of my fleet maps to those shapes.

Is It Worth It

For me, clearly yes. If your stack is containers and managed services built from source or mainstream images, the migration is mostly mechanical: make images multi-arch, set the architecture on your tasks, fix the native dependency stragglers. Start with managed services for an easy win, then move containers one service at a time so you can roll back cleanly. The one piece of advice I would give my past self: audit dependencies and sidecars for arm64 support before flipping anything. Ninety percent of the work is trivial. The other ten percent is one unmaintained binary you forgot about, and it is much nicer to find it on a spreadsheet than in a failing deployment.

SPF, DMARC, and rDNS Checks Are Now Built Into Blacklist Monitoring

Generator Labs email deliverability checks tab showing all 13 available checks

Getting listed on an RBL is one way mail stops delivering. There’s a longer list of DNS misconfigurations that cause mail to land in spam or get silently rejected, and most monitoring tools don’t catch them. Generator Labs has added 13 email deliverability checks directly into blacklist monitoring profiles, running alongside your RBL checks and feeding into the same alert pipeline.

What Gets Checked

IP-based checks (for IPv4 and IPv6 hosts):

  • Reverse DNS (rDNS): the IP has a PTR record
  • Forward-Confirmed rDNS (FCrDNS): the PTR resolves forward back to the original IP
  • Generic PTR Pattern: the PTR doesn’t look like a dynamic or consumer hostname
  • PTR Format: the PTR has at least two labels and a valid alpha TLD

Domain-based checks (for URIBL and URI hosts):

  • MX Health: MX records exist and at least one target resolves
  • SPF Record: domain publishes a valid SPF record
  • SPF Strict: SPF uses an enforcing policy (-all or ~all)
  • SPF Lookup Limit: SPF stays within RFC 7208’s 10-lookup cap
  • DMARC Record: domain publishes a valid DMARC record
  • DMARC Strict: DMARC uses an enforcing policy (p=quarantine or p=reject)
  • TLS-RPT Record: domain publishes a TLS Reporting record
  • MTA-STS Policy: domain publishes a valid MTA-STS policy
  • BIMI Record: domain publishes a valid BIMI record

How to Enable

All 13 checks are opt-in. Go to RBL Monitoring > Monitoring Profiles > Data Sources, click the Email Deliverability tab, and enable the ones you want. None of them run unless you explicitly turn them on.

The recommended approach is a dedicated profile for your mail-sending hosts so deliverability alerts don’t mix with RBL alerts from non-mail infrastructure. Failures trigger the same notifications and webhooks as blacklist listings, so they drop straight into your existing incident workflow.

Full documentation is at docs.generatorlabs.com/email-deliverability.