JPAAWG held it’s 8th General Meeting in Kochi, Japan on the 4th and 5th of November, 2025. This was the tenth year that DMARC.org was able to provide information about email authentication to Japanese email professionals. The presentation included the following sections: Final steps of the IETF’s DMARC Working Group How DKIM replay attacks work […]
DMARC.org at 7th JPAAWG General Meeting
The seventh JPAAWG General Meeting was held in Sapporo, Japan on November 11th and 12th of 2024. Many attendees participated in person over both days of presentations and knowledge-sharing sessions, and additional participants accessed the sessions online. This year’s presentation covered dramatic changes around the IETF‘s DMARC Working Group, and updates on a new protocol, […]
New Authentication Protocol: DKIM2
Since late 2021 there has been an increase in the use of DKIM Replay Attacks. While the potential for DKIM Replay Attacks was noted in the original DKIM RFC, bad actors were finally using them in ways that caused real trouble for large mailbox operators. A number of proposals to address this threat were written […]
Most DKIM Keys Seen in 2021 Were 2K RSA
RFC 4871 required the use of a DKIM RSA key length of at least 1,024 bits “for long-lived keys,” but also required that verifiers continue to support shorter keys. And many shorter keys were in common use even five years later, when Google’s 512 bit DKIM key was cracked and used to send spoofed email […]
Can I Use DMARC If I Have Only Deployed SPF?
A question people asked repeatedly in 2016 was whether or not their organization could deploy DMARC if they only used SPF at present. They knew the recommendation is to use both DKIM and SPF, and were concerned that their organizations couldn’t benefit from DMARC without DKIM. The short answer is that you can use DMARC […]
United Kingdom Leading The Way In Email Security
The United Kingdom may have the most forward looking policies and deployment plans of any major government. Last week Chancellor of the Exchequer Philip Hammond announced a £1.9 billion national cyber security strategy that includes a broad series of measures, and will continue a series of improvements in email security that the UK government has […]
Australian Government Agency Recommends DMARC, DKIM, and SPF
In July the Australian Signals Directorate, part of the Department of Defence, and the Australian Cyber Security Centre issued a report for IT professionals titled, Malicious Email Mitigation Strategies. The report recommends the most effective methods of protecting organizations from email-borne attacks, and includes deploying DKIM, DMARC, and SPF. Furthermore it recommends using DMARC with […]
Common Problems With DMARC Records
It’s very common for any organization’s first attempt at a DMARC record to get the syntax or content wrong in some respect. This post will share some of the missteps and oddities seen while reviewing a dataset of captured Domain Name System (DNS) queries provided by Farsight Security. To be clear, all of the records […]
Eleven Commercial Email Gateways Support DMARC
Businesses and other organizations can protect themselves from certain classes of phishing attacks on their employees by using DMARC to filter incoming email messages. But whether the company is large or small, they usually don’t have the expertise or resources to build their own filtering solution. That’s why commercial email gateways that support DMARC are […]
Best Authentication Practices for Email Senders
Product managers and engineers from some of the world’s largest mailbox providers recently got together to explain coming changes in email authentication at an industry conference. While we can’t share all that was said, we did get permission to share their combined best practice recommendations, which will work as well for a small business as […]