Email Security Standards – The Bureaucracy of Trust
26/03/25 19:53
Welcome to the Anti-Phishing Hall of Fame
Email is the cockroach of communication technologies — it never dies, and it always finds a way in.
Over the years, the industry threw every standard it could at the problem:
✉️ SPF (Sender Policy Framework) – A DNS TXT record listing which servers may send mail for a domain; the receiver checks the connecting IP against it. Note that it checks the envelope sender (MAIL FROM), not the From: header the user actually sees.
✉️ DKIM (DomainKeys Identified Mail) – The sending server signs selected headers and the body with a private key; the receiver fetches the public key from DNS. A valid signature proves the signing domain vouched for exactly that content.
✉️ DMARC (Domain-based Message Authentication, Reporting & Conformance) – Requires that SPF or DKIM passes and that the passing domain aligns with the From: header, tells the receiver what to do otherwise (none, quarantine, reject), and says where to send reports.
✉️ MTA-STS (Mail Transfer Agent Strict Transport Security) – Lets a domain declare, over HTTPS, that mail to its MX servers must use TLS with a valid certificate, so a sending server refuses to fall back to cleartext.
✉️ DNSSEC (DNS Security Extensions) – Signs DNS records so a validating resolver can detect tampering.
✉️ DANE (DNS-based Authentication of Named Entities) – Publishes TLSA records that pin the MX server's certificate, verified through DNSSEC instead of the web PKI.
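To make those records concrete, here is an added example (not from the post) that lints a domain's SPF and DMARC TXT records for the mistakes that quietly disable them: too many DNS lookups, a permissive "all" qualifier, duplicate records, a monitoring-only policy with nobody receiving the reports. The records and the domain example.com are constructed.

```python
"""Lint a domain's SPF and DMARC TXT records for the mistakes that quietly
disable them. Added example, not from the post; all records are constructed."""

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most ten per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10


def lint_spf(txt_records):
    """Return findings for the SPF record among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot check the sending IP at all"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: RFC 7208 says that is a permanent error")
    terms = spf[0].split()[1:]
    # Count lookup-causing terms; the qualifier (+ - ~ ?) and any argument are stripped.
    lookups = 0
    all_qualifier = None
    for term in terms:
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms: over the limit of {SPF_MAX_LOOKUPS}, evaluates to permerror")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get 'neutral', which most receivers ignore")
    elif all_qualifier == "+":
        findings.append("'+all': every host on the internet passes SPF for this domain")
    elif all_qualifier == "?":
        findings.append("'?all': neutral for unlisted hosts, gives receivers nothing to act on")
    return findings


def parse_dmarc(record):
    """Split 'v=DMARC1; p=...; ...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(txt_records):
    """Return findings for the _dmarc TXT record."""
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record: SPF and DKIM results are never tied to the From: header"]
    findings = []
    if len(dmarc) > 1:
        findings.append("multiple DMARC records: receivers discard all of them")
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p")
    if policy is None:
        findings.append("missing 'p' tag: the record is invalid")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' tag: you will never see what is failing")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if policy in ("quarantine", "reject") and tags.get("sp") == "none":
        findings.append("sp=none: subdomains are exempt, so attackers spoof those instead")
    return findings


# Constructed records for a hypothetical example.com: the weak set and the fixed set.
WEAK = {
    "spf": ["v=spf1 " + " ".join(f"include:spf.vendor{i}.example" for i in range(10)) + " mx +all"],
    "dmarc": ["v=DMARC1; p=none"],
}
HARDENED = {
    "spf": ["v=spf1 include:spf.vendor0.example include:spf.vendor1.example -all"],
    "dmarc": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    for label, rec in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_spf(rec["spf"]) + lint_dmarc(rec["dmarc"]) or "clean")
```

The weak SPF record is the typical result of a few years of adding vendors: eleven lookup terms, so every receiver gets permerror and ignores the record entirely, and a "+all" on the end that would have passed everyone anyway. The lookup counter here is static; a real check also resolves each include and counts the lookups nested inside it.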
Sounds secure, right?
What Actually Happens in the Wild
🔸 SPF breaks the moment mail is forwarded: the forwarder's IP is not in the original domain's record. Oops.
🔸 DKIM fails if anything touches the signed content in transit. Mailing lists that add a footer or rewrite the subject do exactly that. Happens more often than you'd think.
🔸 DMARC does nothing at p=none; receivers only report. Publish p=reject and every vendor that sends as your domain without alignment stops arriving.
🔸 MTA-STS adoption is low. It is enforced by the sender, so it only helps when the other side bothers. And it is easy to misconfigure.
🔸 DNSSEC requires every zone from the root down to yours to sign correctly. One expired key and validating resolvers return SERVFAIL for your whole domain, mail included.
🔸 DANE? Still waiting for it to be supported by more than five people and a toaster in Norway.
Why Attackers Still Win
Despite all these standards:
✔ Phishing still works.
✔ Spoofed domains still get through.
✔ Executives still click on malicious invoices.
✔ Attackers don’t care about your DNS policies.
Because these controls are only effective when correctly implemented, globally adopted, and flawlessly maintained.
Which never happens.
Why Organizations Struggle
✅ Poor understanding. Most admins still Google “SPF syntax” every time.
✅ Fear of breaking email. One wrong TXT record and your CEO stops getting calendar invites.
✅ Fragmented adoption. Everyone implements a different subset.
✅ No central enforcement. It’s trust-based. And trust is fragile.
What You Can Actually Do
✔ Use all the standards—but monitor them.
✔ Deploy DMARC with p=none and a rua= reporting address first, work through the aggregate reports until every legitimate sender aligns, then move to quarantine and finally reject.
✔ Combine with user training — because humans still fall for fake PDFs.
✔ Validate your configurations regularly: SPF lookup count, duplicate records, DKIM keys that were rotated on the mail server but not in DNS.
✔ Assume your email will be spoofed anyway, and plan accordingly.
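The "monitor first, then tighten" step lives or dies on reading the aggregate reports, so here is an added example (not from the post) that parses a DMARC aggregate report and applies the alignment rule itself: a source passes if either DKIM or SPF passes under a domain aligned with the From: header. The report XML, the IPs and the domains example.com and crm-vendor.example are constructed; the organizational-domain check is simplified to the last two labels, where a real validator uses the Public Suffix List.

```python
"""Read a DMARC aggregate (RUA) report and decide what must be fixed before
tightening p=none. Added example; the XML below is constructed, not a real report."""
import xml.etree.ElementTree as ET

# Constructed RFC 7489-style aggregate report for the hypothetical domain example.com.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>  <!-- own mail server: everything passes -->
    <row><source_ip>203.0.113.10</source_ip><count>1200</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- forwarded by a mailing list: SPF breaks, DKIM survives -->
    <row><source_ip>192.0.2.20</source_ip><count>40</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>  <!-- CRM vendor: authenticates, but only under its own domain -->
    <row><source_ip>203.0.113.55</source_ip><count>250</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- nobody we know: no valid authentication at all -->
    <row><source_ip>198.51.100.7</source_ip><count>900</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def org_domain(name):
    """Organizational domain, approximated as the last two labels (assumption:
    real validators consult the Public Suffix List so that co.uk etc. work)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate(record, adkim, aspf):
    """Apply the DMARC rule to one <record>: pass if an aligned DKIM or SPF result passed."""
    header_from = record.findtext("identifiers/header_from")
    dkim_ok = spf_ok = any_pass = False
    for dk in record.findall("auth_results/dkim"):
        if dk.findtext("result") == "pass":
            any_pass = True
            dkim_ok |= aligned(dk.findtext("domain"), header_from, adkim)
    for sp in record.findall("auth_results/spf"):
        if sp.findtext("result") == "pass":
            any_pass = True
            spf_ok |= aligned(sp.findtext("domain"), header_from, aspf)
    if dkim_ok or spf_ok:
        verdict = "pass"
    elif any_pass:
        verdict = "unaligned"        # authenticated, but as someone else: usually your own vendor
    else:
        verdict = "unauthenticated"  # nothing passed: a forwarder that broke DKIM, or a spoof
    return {"ip": record.findtext("row/source_ip"),
            "count": int(record.findtext("row/count")), "verdict": verdict}


def summarize(xml_text):
    """Totals per verdict plus the source IPs that need attention before tightening."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    rows = [evaluate(r, pol.findtext("adkim") or "r", pol.findtext("aspf") or "r")
            for r in root.findall("record")]
    return {"policy": pol.findtext("p"), "rows": rows,
            "pass": sum(r["count"] for r in rows if r["verdict"] == "pass"),
            "fail": sum(r["count"] for r in rows if r["verdict"] != "pass"),
            "unaligned": [r["ip"] for r in rows if r["verdict"] == "unaligned"],
            "unauthenticated": [r["ip"] for r in rows if r["verdict"] == "unauthenticated"]}


def recommend(summary):
    """Unaligned sources are almost always legitimate senders you forgot about; fix them first."""
    if summary["unaligned"]:
        return "stay at p=%s: fix alignment for %s before tightening" % (
            summary["policy"], ", ".join(summary["unaligned"]))
    if summary["unauthenticated"]:
        return "only unauthenticated sources fail; if none of them are yours, move to p=quarantine"
    return "everything aligns; move to p=reject"


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for r in s["rows"]:
        print(f'{r["ip"]:>15} {r["count"]:>5} {r["verdict"]}')
    print(recommend(s))
```

The forwarded mail in the sample is the SPF failure mode from earlier in the post, and it still passes DMARC because the DKIM signature survived; the CRM vendor is the case that would vanish the day you publish p=reject, and it shows up here as "unaligned" rather than as a spoof. Real reports arrive as gzip or zip attachments at the rua= address, one per receiving organization per day, so the same loop runs over hundreds of files.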
Conclusion: The Email Standards Arms Race
The truth is, we’ve created a layered defense system for email where every layer depends on every other one not falling apart.
Yes, use DNSSEC, SPF, DKIM, DMARC, MTA-STS and friends.
Just don’t confuse having them with actually being secure.
Read more at Security-Management.org – while your MX records still resolve.