DKIM Replay

I mentioned in a previous post that DKIM and SPF have known vulnerabilities. The main weakness with DKIM is that you can replay the messages. By design DKIM signed messages are replay-able meaning that under certain conditions you can send a DKIM signed message from A to B then B can replay the unmodified messages to C (or any number of recipients) and the signature will still validate. This works because DKIM does not sign the return-path message header or concern itself with message delivery at all. After all DKIM was always about content signing. ...

July 5, 2026 · 2 min · Ken O'Driscoll

Plans to put ARC out to pasture

RFC 8619 was published in July 2019 with the status of Experimental and describes the Authenticated Received Chain (ARC) protocol. On 16 April 2026 the DMARC Working Group (who originated ARC) voted to re-charter the group for the sole purpose of changing the status of the RFC to Historic and declaring the ARC experiment concluded. I was one of those who voted in favor. The WG has six months to agree on actually doing this. If successful then there will be no further updates to the specification and deployment will not be recommended. ...

June 24, 2026 · 3 min · Ken O'Driscoll

DKIM2 is (probably) on the way, and sooner than you think

The DKIM Working Group are developing a spiritual successor to DKIM. They have named it DKIM2 but it is more of its own thing than an iterative new version of the original DKIM protocol. As of now (June 2026) it is still going through the drafting process so there is no RFC or stable specification to develop against. Ideas are still being stress tested and edge cases considered. The latest Internet-Draft can be viewed here and there is also an explanatory website operated by the WG here. ...

June 22, 2026 · 2 min · Ken O'Driscoll

DMARC is closer to becoming a standard

The original DMARC specification was published back in March 2015 as RFC 7489 and had a status of “Informational”. A new revision published in May 2026 breaks the specification into multiple RFCs and has a status of “Proposed standard”. This is the first step to becoming an Internet Standard. The new DMARC RFCs: RFC 9989 - core protocol specification RFC 9990 - aggregate reporting specification RFC 9991 - failure reporting specification In the approximately ten years between these two revisions the specification has been refined but not radically altered. The updated specification is fully backward compatible with the previous one. ...

June 22, 2026 · 1 min · Ken O'Driscoll