Email-Authentication on Daily DMARC News

You Have a DMARC Record. Without Aggregate Reports, You Cannot See Who Is Spoofing You.

Tue, 23 Jun 2026 08:00:00 +0000

The EasyDMARC 2026 DMARC Adoption Report, drawn from an analysis of the top 1.8 million global domains, contains a finding that deserves more attention than it has received: more than 70 percent of DMARC-enabled domains have no aggregate reporting configured.

These organizations published a DMARC record. They are counted in the 52.1 percent adoption figure. But they added no rua= tag to receive aggregate reports, which means they have no way to see who is sending email that claims to come from their domain.

DMARC Passes, Attack Succeeds -- Barracuda's Red Team Exposes the 5-Minute AI Email Compromise

Mon, 22 Jun 2026 08:00:00 +0000

On June 17, 2026, the Barracuda Networks security red team published a simulation that traced an AI-powered email attack from the first phishing message to full endpoint compromise and persistent attacker access. The entire chain took under five minutes.

The simulation was not a contrived edge case. It used commercially available tools and realistic attack techniques observed in active campaigns. The target environment ran standard enterprise defenses. The result was a three-stage kill chain that bypassed multifactor authentication, established long-term persistence on the endpoint, and did so starting from a phishing email that would not alarm an experienced user on visual inspection.

SVG Phishing Files Are Now the Third Most Common Malicious Email Attachment -- and DMARC Cannot Filter Them

Sat, 20 Jun 2026 08:00:00 +0000

On June 2, 2026, SANS Internet Storm Center handler Xavier Mertens published an analysis of a phishing wave that had been landing in his inbox for several consecutive days. The attachment on each message was an SVG file – a Scalable Vector Graphics image. Each email passed SPF, DKIM, and DMARC checks cleanly. The attachment opened in a browser without any security warning. The malicious payload executed the moment it was clicked.

Telecom Is Now the Number One Phishing Target. Here Is Why That Makes Email Authentication More Critical Than Ever.

Wed, 17 Jun 2026 08:00:00 +0000

The Anti-Phishing Working Group published its Q1 2026 Phishing Activity Trends Report in May 2026. The headline number is significant: 971,181 unique phishing attacks in the first three months of the year, up 13.8 percent from 853,244 in Q4 2025. But the number that deserves the most attention is not the total volume. It is the sector breakdown.

In Q3 2025, the telecom category accounted for 5.9 percent of all phishing attacks. By Q1 2026, that figure had reached 33 percent, making telecom the single most frequently attacked industry in the quarter. The APWG notes that this represents the largest single-sector concentration in its dataset since Q4 2023. URL-based phishing attacks specifically targeting telecom increased 75 percent between Q4 2025 and Q1 2026.

Lululemon's A$702,900 Spam Fine Is a Warning to Every Email Marketer Hiding Promotions in Order Confirmations

Sun, 14 Jun 2026 08:00:00 +0000

The fine arrived in March 2026, and for many email marketing teams it landed with the quiet weight of a case study they already recognized. Lululemon Athletica Australia paid A$702,900 to Australia’s communications regulator, the ACMA, after sending more than 370,000 emails that carried commercial content without an unsubscribe link.

The emails in question were not newsletters or promotional blasts. They were order confirmations, shipping notifications, and delivery updates – messages that most marketing operations teams would classify as transactional and move on from. But they also contained promotional links and sales material. That combination is what triggered the penalty.

Your Email Passed DMARC, SPF, and DKIM. The Phishing Link Inside Did Too.

Sat, 13 Jun 2026 08:00:00 +0000

A message arrives. The sender domain looks legitimate. The receiving mail server checks SPF: pass. It verifies the DKIM signature: pass. It evaluates the DMARC record against both results: pass. Every authentication gate that the email industry has spent two decades building waves the message through. The user clicks the link inside. Their credentials are compromised within minutes.

This is not a theoretical scenario. Security researchers at CyberCheck360 documented exactly this attack pattern in detail, tracking campaigns where attackers registered fresh domains for as little as $12, hosted pixel-perfect credential-harvesting replicas of Microsoft 365 login pages, and sent email from those domains with valid SPF records and legitimate DKIM signatures. The messages did not fail authentication. They were not designed to. The authentication infrastructure worked exactly as it was designed to – and that is precisely the problem.

The Fortune 500 Locked the Door. The Inc. 5000 Left It Wide Open.

Fri, 12 Jun 2026 08:00:00 +0000

A DMARC record is not the same as DMARC protection. That distinction has been clear to anyone who works in email authentication for years, but EasyDMARC’s 2026 DMARC Adoption and Enforcement Report, drawn from an analysis of 1.8 million domains across the Fortune 500 and Inc. 5000, makes the gap impossible to dismiss. Of the 938,000 domains that have published a DMARC record, only about 9 percent – roughly 159,000 domains – combine an enforcement policy with aggregate reporting. The other 91 percent have a record. They do not have protection.

Google's June 2026 Fraud Advisory: AI Voice Cloning Is Now the Primary BEC Weapon as DMARC Blocks Email Spoofing

Thu, 11 Jun 2026 08:00:00 +0000

When DMARC enforcement was weak, the easiest path into an organization’s finances ran through email. A spoofed message from “cfo@company.com” landed in the inbox, the employee wired the money, and the attack was complete. Google and Microsoft hardened those entry points. DMARC with p=reject closed the spoofing window. Now, according to Google’s June 2026 Fraud and Scams Advisory, attackers have found a new path – and it does not go through email at all.

Half of DMARC Domains Still Offer Zero Protection as AI Impersonation Hits 2.5 Billion Attacks

Wed, 10 Jun 2026 08:00:00 +0000

Having a DMARC record and actually using it to stop spoofed email are, it turns out, very different things. Valimail’s 2026 State of DMARC Report documents that gap with unusual precision: DMARC awareness – the percentage of domains that have published any DMARC record at all – has reached 78%. Enforcement – the percentage that have set that policy to quarantine or reject, meaning it actually does something to stop spoofed mail – sits at just 42%.

Inside the Direct Send Exploit: Attackers Are Using Microsoft 365 to Impersonate Your Own Employees

Tue, 09 Jun 2026 08:00:00 +0000

A phishing campaign uncovered by Varonis Threat Labs targeted more than 70 organizations – predominantly in the United States – by exploiting a legitimate Microsoft 365 feature in a way most security teams had not anticipated. The attack required no stolen credentials, no compromised account, and no software vulnerability in the traditional sense. It required a predictable endpoint, permissive mail routing, and an incomplete understanding of how Microsoft 365 processes mail that arrives through its own infrastructure.

93% of Global Airlines Cannot Stop Email Fraud -- and Summer Travel Season Just Started

Mon, 08 Jun 2026 08:00:00 +0000

Peak summer travel season is underway. Hundreds of millions of travelers will book flights, check confirmations, respond to upgrade offers, and receive baggage notifications over the coming weeks. Every one of those emails is a surface that attackers can exploit – and the airline industry has done less to protect that surface than almost any other major sector.

Proofpoint’s analysis of the 296 member airlines of the International Air Transport Association (IATA) found that 61 percent have no published DMARC record at all – the foundational DNS record that lets receiving mail servers verify whether an email claiming to come from an airline’s domain was actually sent by that airline.

SMB1001:2026 Makes DMARC Enforcement Mandatory for Small Businesses — Here Is What That Means

Wed, 27 May 2026 08:00:00 +0000

For years, DMARC enforcement felt like an enterprise problem. Large organizations had the IT staff to navigate DNS configuration, aggregate reporting, and the careful source-discovery work required to move from p=none to p=reject without disrupting legitimate mail. Smaller organizations sat at p=none indefinitely, technically compliant with the minimum requirements from Google and Microsoft, but practically unprotected.

That picture is changing. The 2026 edition of the SMB1001 international cybersecurity standard — published by Dynamic Standards International and certifiable from January 2026 — now mandates DMARC enforcement for small and medium businesses seeking Gold certification. It is the first major international cybersecurity standard designed specifically for SMBs to draw a hard line between monitoring and protection.

The 45-Point Inbox Gap: Why DMARC Is Now the Most Important Lever in Email Marketing

Tue, 26 May 2026 08:00:00 +0000

Email marketing returns between $36 and $42 for every dollar spent in 2026. No other marketing channel comes close: paid search returns roughly $2, social advertising $2.80, display ads $1.35. The gap is so large that it defies easy explanation, but one part of it is straightforward. Email reaches people in a place they check every day, and it reaches them directly. When it works, it is the most efficient channel in the stack.