Dkim on Daily DMARC News

You Have a DMARC Record. Without Aggregate Reports, You Cannot See Who Is Spoofing You.

Tue, 23 Jun 2026 08:00:00 +0000

The EasyDMARC 2026 DMARC Adoption Report, drawn from an analysis of the top 1.8 million global domains, contains a finding that deserves more attention than it has received: more than 70 percent of DMARC-enabled domains have no aggregate reporting configured.

These organizations published a DMARC record. They are counted in the 52.1 percent adoption figure. But they added no rua= tag to receive aggregate reports, which means they have no way to see who is sending email that claims to come from their domain.

SVG Phishing Files Are Now the Third Most Common Malicious Email Attachment -- and DMARC Cannot Filter Them

Sat, 20 Jun 2026 08:00:00 +0000

On June 2, 2026, SANS Internet Storm Center handler Xavier Mertens published an analysis of a phishing wave that had been landing in his inbox for several consecutive days. The attachment on each message was an SVG file – a Scalable Vector Graphics image. Each email passed SPF, DKIM, and DMARC checks cleanly. The attachment opened in a browser without any security warning. The malicious payload executed the moment it was clicked.

Google Postmaster Tools v2 Added a Deliverability Analysis Checklist -- And the 0.3% Spam Rate Is Now a Kill Switch

Fri, 19 Jun 2026 08:00:00 +0000

For years, Google Postmaster Tools gave senders a reputation label – High, Medium, Low, or Bad – and left them to figure out what was causing the problem. The labels were opaque by design. You could watch your reputation slide from High to Medium and have no direct signal as to whether the culprit was your SPF configuration, your DKIM signing, your list quality, or something else entirely.

That model is gone. Google retired Postmaster Tools v1 in 2026, and in early June the company added a new Deliverability Analysis section to the Compliance Status page in v2. The new section replaces the reputation label system with an explicit compliance checklist. You can now see exactly which authentication requirement is failing, exactly where your spam rate sits relative to the thresholds that trigger enforcement, and exactly what is sending your mail to the spam folder or to outright rejection.

Ghost-Sender: Why DMARC Cannot Stop Spoofing When Exchange Online Is Misconfigured

Thu, 18 Jun 2026 08:00:00 +0000

In early June 2026, Swiss cybersecurity firm InfoGuard Labs disclosed a vulnerability they named Ghost-Sender: a misconfiguration in Microsoft Exchange Online that allows an attacker to deliver email impersonating any sender – internal or external – directly to a target organization’s inbox while bypassing SPF, DKIM, and DMARC authentication entirely.

Microsoft was notified on April 21, 2026. By May 29, 2026, the company’s Security Response Center had classified the issue as a known architectural limitation rather than a product vulnerability. No platform-level fix has been issued. The responsibility for remediation sits entirely with Exchange Online administrators.

Telecom Is Now the Number One Phishing Target. Here Is Why That Makes Email Authentication More Critical Than Ever.

Wed, 17 Jun 2026 08:00:00 +0000

The Anti-Phishing Working Group published its Q1 2026 Phishing Activity Trends Report in May 2026. The headline number is significant: 971,181 unique phishing attacks in the first three months of the year, up 13.8 percent from 853,244 in Q4 2025. But the number that deserves the most attention is not the total volume. It is the sector breakdown.

In Q3 2025, the telecom category accounted for 5.9 percent of all phishing attacks. By Q1 2026, that figure had reached 33 percent, making telecom the single most frequently attacked industry in the quarter. The APWG notes that this represents the largest single-sector concentration in its dataset since Q4 2023. URL-based phishing attacks specifically targeting telecom increased 75 percent between Q4 2025 and Q1 2026.

Google Filed a Lawsuit Over AI-Generated Phishing at Industrial Scale. Here Is What Every Domain Owner Should Do Now.

Tue, 16 Jun 2026 08:00:00 +0000

On June 12, 2026, Google filed a civil lawsuit against a China-based cybercrime network known as Outsider Enterprise. The complaint alleges that the group used Google’s own Gemini AI to generate phishing landing pages, then sent approximately 2.5 million fraudulent messages in a single two-week window in May 2026. The messages impersonated Google, YouTube, and the U.S. Postal Service. The operation generated roughly 55,000 spam complaints, left behind nearly 9,000 fake websites and more than one million fraudulent URLs, and is linked to the theft of approximately 3.87 million credit card numbers and an estimated $1.9 billion in losses dating back to July 2023.

Vendor Email Compromise Now Makes Up 61% of Business Email Fraud. DMARC Alone Won't Stop It.

Mon, 15 Jun 2026 08:00:00 +0000

Abnormal AI’s 2026 Attack Landscape Report, published in April, analyzed nearly 800,000 email attacks across more than 4,600 organizations during the second half of 2025. One finding in particular is worth pausing on: 61% of all business email compromise incidents in that dataset were vendor-related. The majority of BEC is no longer about impersonating a CEO. It is about impersonating a supplier.

That shift has direct consequences for how organizations think about email authentication – and about what DMARC can and cannot do.

Your Email Passed DMARC, SPF, and DKIM. The Phishing Link Inside Did Too.

Sat, 13 Jun 2026 08:00:00 +0000

A message arrives. The sender domain looks legitimate. The receiving mail server checks SPF: pass. It verifies the DKIM signature: pass. It evaluates the DMARC record against both results: pass. Every authentication gate that the email industry has spent two decades building waves the message through. The user clicks the link inside. Their credentials are compromised within minutes.

This is not a theoretical scenario. Security researchers at CyberCheck360 documented exactly this attack pattern in detail, tracking campaigns where attackers registered fresh domains for as little as $12, hosted pixel-perfect credential-harvesting replicas of Microsoft 365 login pages, and sent email from those domains with valid SPF records and legitimate DKIM signatures. The messages did not fail authentication. They were not designed to. The authentication infrastructure worked exactly as it was designed to – and that is precisely the problem.

Inside the Direct Send Exploit: Attackers Are Using Microsoft 365 to Impersonate Your Own Employees

Tue, 09 Jun 2026 08:00:00 +0000

A phishing campaign uncovered by Varonis Threat Labs targeted more than 70 organizations – predominantly in the United States – by exploiting a legitimate Microsoft 365 feature in a way most security teams had not anticipated. The attack required no stolen credentials, no compromised account, and no software vulnerability in the traditional sense. It required a predictable endpoint, permissive mail routing, and an incomplete understanding of how Microsoft 365 processes mail that arrives through its own infrastructure.

The End of ARC: What the IETF's Move to Retire RFC 8617 Means for Your Forwarded Mail

Sun, 31 May 2026 08:00:00 +0000

On April 22, 2026, the IETF DMARC working group published draft-ietf-dmarc-arc-to-historic-00, calling for RFC 8617 to be reclassified as a Historic standard. The working group had been rechartered less than a week earlier, on April 16, 2026, with a specific mandate to produce a status-change document for ARC by November 2026.

The experiment that was ARC is, in the IETF’s formal language, over.

That matters to anyone running a DMARC policy at p=quarantine or p=reject. ARC was the mechanism that was supposed to keep legitimate forwarded mail from breaking when it hit your enforcement policy. Understanding what is being retired, why it did not work, and what is coming next tells you exactly what you need to do today.

SMB1001:2026 Makes DMARC Enforcement Mandatory for Small Businesses — Here Is What That Means

Wed, 27 May 2026 08:00:00 +0000

For years, DMARC enforcement felt like an enterprise problem. Large organizations had the IT staff to navigate DNS configuration, aggregate reporting, and the careful source-discovery work required to move from p=none to p=reject without disrupting legitimate mail. Smaller organizations sat at p=none indefinitely, technically compliant with the minimum requirements from Google and Microsoft, but practically unprotected.

That picture is changing. The 2026 edition of the SMB1001 international cybersecurity standard — published by Dynamic Standards International and certifiable from January 2026 — now mandates DMARC enforcement for small and medium businesses seeking Gold certification. It is the first major international cybersecurity standard designed specifically for SMBs to draw a hard line between monitoring and protection.

The 45-Point Inbox Gap: Why DMARC Is Now the Most Important Lever in Email Marketing

Tue, 26 May 2026 08:00:00 +0000

Email marketing returns between $36 and $42 for every dollar spent in 2026. No other marketing channel comes close: paid search returns roughly $2, social advertising $2.80, display ads $1.35. The gap is so large that it defies easy explanation, but one part of it is straightforward. Email reaches people in a place they check every day, and it reaches them directly. When it works, it is the most efficient channel in the stack.

Cloudflare Analyzed 450 Million Emails: 46% Failed DMARC — and That Is Not Even the Biggest Problem

Mon, 25 May 2026 08:00:00 +0000

Cloudflare published its 2026 Threat Intelligence Report in March, and the email security chapter deserves more attention than it received in the broader coverage of the report. The headline finding that nation-state actors and cybercriminals are shifting from breaking into systems to simply logging in with stolen credentials is real and well-documented. What got less coverage is how those credentials are being stolen in the first place — and what the authentication data behind 450 million analyzed emails reveals about the state of email security across the internet.

QR Code Phishing Surged 146% in Q1 2026: What DMARC Can and Cannot Stop

Sun, 24 May 2026 08:00:00 +0000

Microsoft Threat Intelligence published its Q1 2026 email threat landscape report on April 30. The headline figure was 8.3 billion email-based phishing threats detected in the first three months of the year. Monthly volumes ran from 2.9 billion in January to 2.6 billion in March, which sounds like a decline until you read what was actually growing inside those numbers.

QR code phishing, a technique security researchers call quishing, grew 146% over the quarter, rising from 7.6 million attacks in January to 18.7 million in March. It was the fastest-growing attack vector tracked in the report. In March alone, QR codes embedded directly in email bodies rather than inside attachments surged 336%. CAPTCHA-gated phishing more than doubled in the same month.

BEC Stole $2.77 Billion Last Year. DMARC Enforcement Would Have Closed the Door.

Sat, 23 May 2026 08:00:00 +0000

The FBI’s Internet Crime Complaint Center received 21,442 Business Email Compromise reports in 2024. The total losses across those incidents came to $2.77 billion. That works out to an average loss of approximately $129,000 per incident, and those are only the cases where victims filed a report. The actual figure is almost certainly higher.

Cumulative BEC losses tracked by the FBI over the past decade now exceed $55.5 billion. No other category of cybercrime generates financial losses on that scale at that level of consistency, year after year.

Gmail Is Now Two Filters: Why DMARC Gets You In and Gemini Decides If You're Seen

Fri, 22 May 2026 08:00:00 +0000

On January 8, 2026, Google announced that Gmail was entering the Gemini era. The announcement marked something more consequential than a feature release: it formalized the existence of a second filter in Gmail’s inbox, one that operates independently of spam detection and evaluates not whether your email is legitimate, but whether a specific recipient is likely to care about it.

For senders who spent the last two years focused on meeting Gmail’s authentication requirements and staying below the 0.10% spam complaint threshold, the announcement introduced an entirely new problem to solve.