Blog
News, tips and insights about email security.
TanStack Supply-Chain Attack: How Email Vectors Put Organizations Like OpenAI at Risk
What Happened? In May 2026, attackers compromised the TanStack ecosystem — a widely used JavaScript library — to inject malware into the development…
Ghostwriter Phishing Against Ukrainian Government: When DMARC Says "All Clear" But Shouldn't
The Attack That DMARC Cannot Stop: In May 2026, it emerged that Ghostwriter — a long-running threat actor widely attributed to Belarus — had been running…
NIS2 Compliance Report at the Click of a Button
NIS2 is live — and so is the pressure to prove it. Since NIS2 was transposed into national law, IT teams across Europe have been wrestling with a practical…
External Destination Verification: Why Your DMARC Reports Disappear Without a Trace
What Is External Destination Verification? When you configure DMARC to send aggregate reports to an external email address — meaning a domain other than your…
DMARCbis: What the DMARC Specification Update Means for Your Organisation
DMARC grows up. RFC 7489, published in 2015, has been the backbone of email authentication for nearly a decade.
Why your DMARC report shows 46% fail — and why only 3% of it matters
Red report, green delivery — how does that add up? You open your DMARC aggregate report and see 46% SPF fail. First instinct: something is broken, or someone i…
The Undelegated Subdomain Trap: Why p=reject Alone Is Not Enough
p=reject and still spoofed for two weeks via a non-existent subdomain. Why sp= is necessary but not sufficient — and why the wildcard DMARC record fails.
DMARCPulse May 2026 Update: Hosted Mailbox, App-Only and Honest SPF
Three improvements shipped: hosted DMARC report address, Microsoft-365 App-Only auth without your own certificate, new Aligned column with real DMARC numbers.
NIS2 is in force — what it means for DMARC, SPF, and MTA-STS
Since 6 Dec 2025, NIS2 in Germany requires 29,500 firms to take technical cyber-risk measures. Email auth is part of it — management is personally liable.
Robinhood phished its own customers with perfect email authentication — what actually broke
April 2026: Robinhood customers got phishing from Robinhood servers — valid SPF, DKIM, DMARC and BIMI. Defect: HTML injection in a transactional template.