When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works. Microsoft 365 security in the spotlight after Washington Post hack Paul Hill Neowin @ziks_99 · Jun 16, 2025 03:36 EDT The Washington Post has come under cyberattack which saw Microsoft email accounts of several journalists get compromised. The attack, which was discovered last Thursday, is believed to have been conducted by a foreign government due to the topics the journalists cover, including national security, economic policy, and China. Following the hack, the passwords on the affected accounts were reset to prevent access. The fact that a Microsoft work email account was potentially hacked strongly suggests The Washington Post utilizes Microsoft 365, which makes us question the security of Microsoft’s widely used enterprise services. Given that Microsoft 365 is very popular, it is a hot target for attackers. Microsoft's enterprise security offerings and challenges As the investigation into the cyberattack is still ongoing, just how attackers gained access to the accounts of the journalists is unknown, however, Microsoft 365 does have multiple layers of protection that ought to keep journalists safe. One of the security tools is Microsoft Defender for Office 365. If the hackers tried to gain access with malicious links, Defender provides protection against any malicious attachments, links, or email-based phishing attempts with the Advanced Threat Protection feature. Defender also helps to protect against malware that could be used to target journalists at The Washington Post. Another security measure in place is Entra ID which helps enterprises defend against identity-based attacks. Some key features of Entra ID include multi-factor authentication which protects accounts even if a password is compromised, and there are granular access policies that help to limit logins from outside certain locations, unknown devices, or limit which apps can be used. While Microsoft does offer plenty of security technologies with M365, hacks can still take place due to misconfiguration, user-error, or through the exploitation of zero-day vulnerabilities. Essentially, it requires efforts from both Microsoft and the customer to maintain security. Lessons for organizations using Microsoft 365 The incident over at The Washington Post serves as a stark reminder that all organizations, not just news organizations, should audit and strengthen their security setups. Some of the most important security measures you can put in place include mandatory multi-factor authentication (MFA) for all users, especially for privileged accounts; strong password rules such as using letters, numbers, and symbols; regular security awareness training; and installing any security updates in a timely manner. Many of the cyberattacks that we learn about from companies like Microsoft involve hackers taking advantage of the human in the equation, such as being tricked into sharing passwords or sharing sensitive information due to trickery on behalf of the hackers. This highlights that employee training is crucial in protecting systems and that Microsoft’s technologies, as advanced as they are, can’t mitigate all attacks 100 percent of the time. Tags Report a problem with article Follow @NeowinFeed

Last year, MACK Books published Architecture from Below, which anthologized writings by the French Brazilian architect, theorist, and painter Sérgio Ferro. (Douglas Spencer reviewed it for AN.) Now, MACK follows with Design and the Building Site and Complementary Essays, the second in the trilogy of books dedicated to Ferro’s scholarship. The following excerpt of the author’s 2023 preface to the English edition, which preserves its British phrasing, captures Ferro’s realization about the working conditions of construction sites in Brasília. The sentiment is likely relatable even today for young architects as they discover how drawings become buildings. Design and the Building Site and Complementary Essays will be released on May 22. If I remember correctly, it was in 1958 or 1959, when Rodrigo and I were second- or third year architecture students at FAUUSP, that my father, the real estate developer Armando Simone Pereira, commissioned us to design two large office buildings and eleven shops in Brasilia, which was then under construction. Of course, we were not adequately prepared for such an undertaking. Fortunately, Oscar Niemeyer and his team, who were responsible for overseeing the construction of the capital, had drawn up a detailed document determining the essential characteristics of all the private sector buildings. We followed these prescriptions to the letter, which saved us from disaster. Nowadays, it is hard to imagine the degree to which the construction of Brasilia inspired enthusiasm and professional pride in the country’s architects. And in the national imagination, the city’s establishment in the supposedly unpopulated hinterland evoked a re-founding of Brazil. Up until that point, the occupation of our immense territory had been reduced to a collection of arborescent communication routes, generally converging upon some river, following it up to the Atlantic Ocean. Through its ports, agricultural or extractive commodities produced by enslaved peoples or their substitutes passed towards the metropolises; goods were exchanged in the metropolises for more elaborate products, which took the opposite route. Our national identity was summed up in a few symbols, such as the anthem or the flag, and this scattering of paths pointing overseas. Brasilia would radically change this situation, or so we believed. It would create a central hub where the internal communication routes could converge, linking together hithertoseparate junctions, stimulating trade and economic progress in the country’s interior. It was as if, for the first time, we were taking care of ourselves. At the nucleus of this centripetal movement, architecture would embody the renaissance. And at the naval of the nucleus, the symbolic mandala of this utopia: the cathedral. Rodrigo and I got caught up in the euphoria. And perhaps more so than our colleagues, because we were taking part in the adventure with ‘our’ designs. The reality was very different — but we did not know that yet. At that time, architects in Brazil were responsible for verifying that the construction was in line with the design. We had already monitored some of our first building sites. But the construction company in charge of them, Osmar Souza e Silva’s CENPLA, specialized in the building sites of modernist architects from the so-called Escola Paulista led by Vilanova Artigas (which we aspired to be a part of, like the pretentious students we were). Osmar was very attentive to his clients and his workers, who formed a supportive and helpful team. He was even more careful with us, because he knew how inexperienced we were. I believe that the CENPLA was particularly important in São Paulo modernism: with its congeniality, it facilitated experimentation, but for the same reason, it deceived novices like us about the reality of other building sites. Consequently, Rodrigo and I travelled to Brasilia several times to check that the constructions followed ‘our’ designs and to resolve any issues. From the very first trip, our little bubble burst. Our building sites, like all the others in the future capital, bore no relation to Osmar’s. They were more like a branch of hell. A huge, muddy wasteland, in which a few cranes, pile drivers, tractors, and excavators dotted the mound of scaffolding occupied by thousands of skinny, seemingly exhausted wretches, who were nevertheless driven on by the shouts of master builders and foremen, in turn pressured by the imminence of the fateful inauguration date. Surrounding or huddled underneath the marquees of buildings under construction, entire families, equally skeletal and ragged, were waiting for some accident or death to open up a vacancy. In contact only with the master builders, and under close surveillance so we would not speak to the workers, we were not allowed to see what comrades who had worked on these sites later told us in prison: suicide abounded; escape was known to be futile in the unpopulated surroundings with no viable roads; fatal accidents were often caused by weakness due to chronic diarrhoea, brought on by rotten food that came from far away; outright theft took place in the calculation of wages and expenses in the contractor’s grocery store; camps were surrounded by law enforcement. I repeat this anecdote yet again not to invoke the benevolence of potential readers, but rather to point out the conditions that, in my opinion, allowed two students (Flávio Império joined us a little later) still in their professional infancy to quickly adopt positions that were contrary to the usual stance of architects. As the project was more Oscar Niemeyer’s than it was our own, we did not have the same emotional attachment that is understandably engendered between real authors and their designs. We had not yet been imbued with the charm and aura of the métier. And the only building sites we had visited thus far, Osmar’s, were incomparable to those we discovered in Brasilia. In short, our youthfulness and unpreparedness up against an unbearable situation made us react almost immediately to the profession’s satisfied doxa. Unprepared and young perhaps, but already with Marx by our side. Rodrigo and I joined the student cell of the Brazilian Communist Party during our first year at university. In itself, this did not help us much: the Party’s Marxism, revised in the interests of the USSR, was pitiful. Even high-level leaders rarely went beyond the first chapter of Capital. But at the end of the 1950s, the effervescence of the years to come was already nascent:  […] this extraordinary revival […] the rediscovery of Marxism and the great dialectical texts and traditions in the 1960s: an excitement that identifies a forgotten or repressed moment of the past as the new and subversive, and learns the dialectical grammar of a Hegel or an Adorno, a Marx or a Lukács, like a foreign language that has resources unavailable in our own. And what is more: the Chinese and Cuban revolutions, the war in Vietnam, guerrilla warfare of all kinds, national liberation movements, and a rare libertarian disposition in contemporary history, totally averse to fanaticism and respect for ideological apparatuses of (any) state or institution. Going against the grain was almost the norm. We were of course no more than contemporaries of our time. We were soon able to position ourselves from chapters 13, 14, and 15 of Capital, but only because we could constantly cross-reference Marx with our observations from well-contrasted building sites and do our own experimenting. As soon as we identified construction as manufacture, for example, thanks to the willingness and even encouragement of two friends and clients, Boris Fausto and Bernardo Issler, I was able to test both types of manufacture — organic and heterogeneous — on similar-sized projects taking place simultaneously, in order to find out which would be most convenient for the situation in Brazil, particularly in São Paulo. Despite the scientific shortcomings of these tests, they sufficed for us to select organic manufacture. Arquitetura Nova had defined its line of practice, studies, and research. There were other sources that were central to our theory and practice. Flávio Império was one of the founders of the Teatro de Arena, undoubtedly the vanguard of popular, militant theatre in Brazil. He won practically every set design award. He brought us his marvelous findings in spatial condensation and malleability, and in the creative diversion of techniques and material—appropriate devices for an underdeveloped country. This is what helped us pave the way to reformulating the reigning design paradigms.  We had to do what Flávio had done in the theatre: thoroughly rethink how to be an architect. Upend the perspective. The way we were taught was to start from a desired result; then others would take care of getting there, no matter how. We, on the other hand, set out to go down to the building site and accompany those carrying out the labor itself, those who actually build, the formally subsumed workers in manufacture who are increasingly deprived of the knowledge and know-how presupposed by this kind of subsumption. We should have been fostering the reconstitution of this knowledge and know-how—not so as to fulfil this assumption, but in order to reinvigorate the other side of this assumption according to Marx: the historical rebellion of the manufacture worker, especially the construction worker. We had to rekindle the demand that fueled this rebellion: total self-determination, and not just that of the manual operation as such. Our aim was above all political and ethical. Aesthetics only mattered by way of what it included—ethics. Instead of estética, we wrote est ética [this is ethics]. We wanted to make building sites into nests for the return of revolutionary syndicalism, which we ourselves had yet to discover. Sérgio Ferro, born in Brazil in 1938, studied architecture at FAUUSP, São Paulo. In the 1960s, he joined the Brazilian communist party and started, along with Rodrigo Lefevre and Flávio Império, the collective known as Arquitetura Nova. After being arrested by the military dictatorship that took power in Brazil in 1964, he moved to France as an exile. As a painter and a professor at the École Nationale Supérieure d’Architecture de Grenoble, where he founded the Dessin/Chantier laboratory, he engaged in extensive research which resulted in several publications, exhibitions, and awards in Brazil and in France, including the title of Chevalier des Arts et des Lettres in 1992. Following his retirement from teaching, Ferro continues to research, write, and paint.

With its first gameplay reveal during this year's Day of the Devs, indie developer Something We Made finally showed off the sequel to their inaugural title TOEM: A Photo Adventure from 2021. This charming photography adventure brought an easygoing monochrome adventure to hundreds of fans and left us wanting more. TOEM 2 opens with the same plucky character from the first title dropped into the world with little more than ambition and a trusty camera. While the first game focused on ascending the TOEM mountain, I didn't catch nary a whiff of the actual motivations and reasoning for the journey this time around. Instead, I was given free reign to meander around the idyllic village and solve a variety of problems for the townsfolk, from trying to retrieve a potion of liquid courage for a scaredy-cat knight to taking photos of three goats in order to permit a bridge troll to let me pass. In my twenty or so minutes of play, I was able to help solve the small-scale problems of four individuals and be rewarded with a stamp for my collection each time. The camera remains the player's best tool in the world of TOEM 2 with players not only able to use their photography skills to solve the plights of the ordinary person, but also a variety of attachments to use as tools in your adventure. The very first unlockable upgrade I earned for my camera was a hammer upgrade that let me smash through select stone blocks that hindered my progression. Using the hammer is just like the other attachments from the first TOEM: simply point and shoot (or in this case, tap on the rocks). It took a moment to realize that there's a small minigame to using the hammer with players having to tap out morse code with short and long taps in order to break those rocks. 2 of 9 One puzzle I encountered was take a 3x3 cube of blocks and chisel away to make a matching sculpture to the quest giver. Rather than trying to memorize the layout or run back and forth between the source sculpture and what I was crafting, I stopped to take photos of each side of the cube and use those to remember the requested shape. The developers from Something We Made seemed surprised that this was a valid solution to their puzzle and it was nice to see the camera being used as a note taking device as well as the tool you'll use to take pictures of every animal around the landscape. New to TOEM 2 is also the addition of jumping, and in true platformer style, I had to test it out by jumping around on top of any short wall I could find and try to scale up the world. I couldn't find any unintended out-of-bounds areas, but I was at least able to find some climbable areas that would lead to new hats for the playable character. With jumping now on the menu, I wouldn't be surprised if the Honk attachment gets phased out for TOEM 2. Sadly, there's still a fair bit of time before TOEM 2 is ready to be in players' hands. Developer Something We Made and publisher popagenda have penciled in this quaint photographical adventure for 2026 across a slew of unannounced consoles as well as PC. Deal of the Day

Email authentication protocols like SPF, DKIM, and DMARC play a critical role in protecting domains from spoofing and phishing. However, when SEGs are introduced into the email path, the interaction with these protocols becomes more complex. Security gateways(SEGs) are a core part of many organizations’ email infrastructure. They act as intermediaries between the public internet and internal mail systems, inspecting, filtering, and routing messages. This blog examines how security gateways handle SPF, DKIM, and DMARC, with real-world examples from popular gateways such as Proofpoint, Mimecast, and Avanan. We’ll also cover best practices for maintaining authentication integrity and avoiding misconfigurations that can compromise email authentication or lead to false DMARC failures. Security gateways often sit at the boundary between your organization and the internet, managing both inbound and outbound email traffic. Their role affects how email authentication protocols behave. An inbound SEG examines emails coming into your organization. It checks SPF, DKIM, and DMARC to determine if the message is authentic and safe before passing it to your internal mail servers. An outbound SEG handles emails sent from your domain. It may modify headers, rewrite envelope addresses, or even apply DKIM signing. All of these can impact SPF,  DKIM, or DMARC validation on the recipient’s side. Understanding how SEGs influence these flows is crucial to maintaining proper authentication and avoiding unexpected DMARC failures. Inbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When an email comes into your organization, your security gateway is the first to inspect it. It checks whether the message is real, trustworthy, and properly authenticated. Let’s look at how different SEGs handle these checks. Avanan (by Check Point) SPF: Avanan verifies whether the sending server is authorized to send emails for the domain by checking the SPF record. DKIM: It verifies if the message was signed by the sending domain and if that signature is valid. DMARC: It uses the results of the SPF and DKIM check to evaluate DMARC. However, final enforcement usually depends on how DMARC is handled by Microsoft 365 or Gmail, as Avanan integrates directly with them. Avanan offers two methods of integration:1. API integration: Avanan connects via APIs, no change in MX, usually Monitor or Detect modes.2. Inline integration: Avanan is placed inline in the mail flow (MX records changed), actively blocking or remediating threats. Proofpoint Email Protection SPF: Proofpoint checks SPF to confirm the sender’s IP is authorized to send on behalf of the domain. You can set custom rules (e.g. treat “softfail” as “fail”). DKIM: It verifies DKIM signatures and shows clear pass/fail results in logs. DMARC: It fully evaluates DMARC by combining SPF and DKIM results with alignment checks. Administrators can configure how to handle messages that fail DMARC, such as rejecting, quarantining, or delivering them. Additionally, Proofpoint allows whitelisting specific senders you trust, even if their emails fail authentication checks. Integration Methods Inline Mode: In this traditional deployment, Proofpoint is positioned directly in the email flow by modifying MX records. Emails are routed through Proofpoint’s infrastructure, allowing it to inspect and filter messages before they reach the recipient’s inbox. This mode provides pre-delivery protection and is commonly used in on-premises or hybrid environments. API-Based (Integrated Cloud Email Security – ICES) Mode: Proofpoint offers API-based integration, particularly with cloud email platforms like Microsoft 365 and Google Workspace. In this mode, Proofpoint connects to the email platform via APIs, enabling it to monitor and remediate threats post-delivery without altering the email flow. This approach allows for rapid deployment and seamless integration with existing cloud email services. Mimecast SPF: Mimecast performs SPF checks to verify whether the sending server is authorized by the domain’s SPF record. Administrators can configure actions for SPF failures, including block, quarantine, permit, or tag with a warning. This gives flexibility in balancing security with business needs. DKIM: It validates DKIM signatures by checking that the message was correctly signed by the sending domain and that the content hasn’t been tampered with. If the signature fails, Mimecast can take actions based on your configured policies. DMARC: It fully evaluates DMARC by combining the results of SPF and DKIM with domain alignment checks. You can choose to honor the sending domain’s DMARC policy (none, quarantine, reject) or apply custom rules, for example, quarantining or tagging messages that fail DMARC regardless of the published policy. This allows more granular control for businesses that want to override external domain policies based on specific contexts. Integration Methods Inline Deployment: Mimecast is typically deployed as a cloud-based secure email gateway. Organizations update their domain’s MX records to point to Mimecast, so all inbound (and optionally outbound) emails pass through it first. This allows Mimecast to inspect, filter, and process emails before delivery, providing robust protection. API Integrations: Mimecast also offers API-based services through its Mimecast API platform, primarily for management, archival, continuity, and threat intelligence purposes. However, API-only email protection is not Mimecast’s core model. Instead, the APIs are used to enhance the inline deployment, not replace it. Barracuda Email Security Gateway SPF: Barracuda checks the sender’s IP against the domain’s published SPF record. If the check fails, you can configure the system to block, quarantine, tag, or allow the message, depending on your policy preferences. DKIM: It validates whether the incoming message includes a valid DKIM signature. The outcome is logged and used to inform further policy decisions or DMARC evaluations. DMARC: It combines SPF and DKIM results, checks for domain alignment, and applies the DMARC policy defined by the sender. Administrators can also choose to override the DMARC policy, allowing messages to pass or be treated differently based on organizational needs (e.g., trusted senders or internal exceptions). Integration Methods Inline mode (more common and straightforward): Barracuda Email Security Gateway is commonly deployed inline by updating your domain’s MX records to point to Barracuda’s cloud or on-premises gateway. This ensures that all inbound emails pass through Barracuda first for filtering and SPF, DKIM, and DMARC validation before being delivered to your mail servers. Deployment Behind the Corporate Firewall: Alternatively, Barracuda can be deployed in transparent or bridge mode without modifying MX records. In this setup, the gateway is placed inline at the network level, such as behind a firewall, and intercepts mail traffic transparently. This method is typically used in complex on-premises environments where changing DNS records is not feasible. Cisco Secure Email (formerly IronPort) Cisco Secure Email acts as an inline gateway for inbound email, usually requiring your domain’s MX records to point to the Cisco Email Security Appliance or cloud service. SPF: Cisco Secure Email verifies whether the sending server is authorized in the sender domain’s SPF record. Administrators can set detailed policies on how to handle SPF failures. DKIM: It validates the DKIM signature on incoming emails and logs whether the signature is valid or has failed. DMARC: It evaluates DMARC by combining SPF and DKIM results along with domain alignment checks. Admins can configure specific actions, such as quarantine, reject, or tag, based on different failure scenarios or trusted sender exceptions. Integration methods On-premises Email Security Appliance (ESA): You deploy Cisco’s hardware or virtual appliance inline, updating MX records to route mail through it for filtering. Cisco Cloud Email Security: Cisco offers a cloud-based email security service where MX records are pointed to Cisco’s cloud infrastructure, which filters and processes inbound mail. Cisco Secure Email also offers advanced, rule-based filtering capabilities and integrates with Cisco’s broader threat protection ecosystem, enabling comprehensive inbound email security. Outbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When your organization sends emails, security gateways can play an active role in processing and authenticating those messages. Depending on the configuration, a gateway might rewrite headers, re-sign messages, or route them through different IPs – all actions that can help or hurt the authentication process. Let’s look at how major SEGs handle outbound email flow. Avanan – Outbound Handling and Integration Methods Outbound Logic Avanan analyzes outbound emails primarily to detect data loss, malware, and policy violations. In API-based integration, emails are sent directly by the original mail server (e.g., Microsoft 365 or Google Workspace), so SPF and DKIM signatures remain intact. Avanan does not alter the message or reroute traffic, which helps maintain full DMARC alignment and domain reputation. Integration Methods 1. API Integration: Connects to Microsoft 365 or Google Workspace via API. No MX changes are needed. Emails are scanned after they are sent, with no modification to SPF, DKIM, or the delivery path.  How it works: Microsoft Graph API or Google Workspace APIs are used to monitor and intervene in outbound emails. Protection level: Despite no MX changes, it can offer inline-like protection, meaning it can block, quarantine, or encrypt emails before they are delivered externally. SPF/DKIM/DMARC impact: Preserves original headers and signatures since mail is sent directly from Microsoft/Google servers. 2. Inline Integration: Requires changing MX records to route email through Avanan. In this mode, Avanan can intercept and inspect outbound emails before delivery. Depending on the configuration, this may affect SPF or DKIM if not properly handled. How it works: Requires adding Avanan’s Protection level: Traditional inline security with full visibility and control, including encryption, DLP, policy enforcement, and advanced threat protection. SPF/DKIM/DMARC impact: SPF configuration is needed by adding Avanan’s include mechanism to the sending domain’s SPF record. The DKIM record of the original sending source is preserved. For configurations, you can refer to the steps in this blog. Proofpoint – Outbound Handling and Integration Methods Outbound Logic Proofpoint analyzes outbound emails to detect and prevent data loss (DLP), to identify advanced threats (malware, phishing, BEC) originating from compromised internal accounts, and to ensure compliance. Their API integration provides crucial visibility and powerful remediation capabilities, while their traditional gateway (MX record) deployment delivers true inline, pre-delivery blocking for outbound traffic. Integration methods 1. API Integration: No MX record changes are required for this deployment method. Integration is done with Microsoft 365 or Google Workspace. How it works: Through its API integration, Proofpoint gains deep visibility into outbound emails and provides layered security and response features, including: Detect and alert: Identifies sensitive content (Data Loss Prevention violations), malicious attachments, or suspicious links in outbound emails. Post-delivery remediation (TRAP): A key capability of the API model is Threat Response Auto-Pull (TRAP), which enables Proofpoint to automatically recall, quarantine, or delete emails after delivery. This is particularly useful for internally sent messages or those forwarded to other users. Enhanced visibility: Aggregates message metadata and logs into Proofpoint’s threat intelligence platform, giving security teams a centralized view of outbound risks and user behavior. Protection level: API-based integration provides strong post-delivery detection and response, as well as visibility into DLP incidents and suspicious behavior.  SPF/DKIM/DMARC impact: Proofpoint does not alter SPF, DKIM, or DMARC because emails are sent directly through Microsoft or Google servers. Since Proofpoint’s servers are not involved in the actual sending process, the original authentication headers remain intact. 2. Gateway Integration (MX Record/Smart Host): This method requires updating MX records or routing outbound mail through Proofpoint via a smart host. How it works: Proofpoint acts as an inline gateway, inspecting emails before delivery. Inbound mail is filtered via MX changes; outbound mail is relayed through Proofpoint’s servers. Threat and DLP filtering: Scans outbound messages for sensitive content, malware, and policy violations. Real-time enforcement: Blocks, encrypts, or quarantines emails before they’re delivered. Policy controls: Applies rules based on content, recipient, or behavior. Protection level: Provides strong, real-time protection for outbound traffic with pre-delivery enforcement, DLP, and encryption. SPF/DKIM/DMARC impact: Proofpoint becomes the sending server: SPF: You need to configure ProofPoint’s SPF. DKIM: Can sign messages; requires DKIM setup. DMARC: DMARC passes if SPF and DKIM are set up properly. Please refer to this article to configure SPF and DKIM for ProofPoint. Mimecast – Outbound Handling and Integration Methods Outbound Logic Mimecast inspects outbound emails to prevent data loss (DLP), detect internal threats such as malware and impersonation, and ensure regulatory compliance. It primarily functions as a Secure Email Gateway (SEG), meaning it sits directly in the outbound email flow. While Mimecast offers APIs, its core outbound protection is built around this inline gateway model. Integration Methods 1. Gateway Integration (MX Record change required) This is Mimecast’s primary method for outbound email protection. Organizations route their outbound traffic through Mimecast by configuring their email server (e.g., Microsoft 365, Google Workspace, etc.) to use Mimecast as a smart host. This enables Mimecast to inspect and enforce policies on all outgoing emails in real time. How it works: Updating outbound routing in your email system (smart host settings), or Using Mimecast SMTP relay to direct messages through their infrastructure. Mimecast then scans, filters, and applies policies before the email reaches the final recipient. Protection level: Advanced DLP: Identifies and prevents sensitive data leaks. Impersonation and Threat Protection: Blocks malware, phishing, and abuse from compromised internal accounts. Email Encryption and Secure Messaging: Applies encryption policies or routes messages via secure portals. Regulatory Compliance: Enforces outbound compliance rules based on content, recipient, or metadata. SPF/DKIM/DMARC impact: SPF: Your SPF record must include Mimecast’s SPF mechanism based on your region to avoid SPF failures. DKIM: A new DKIM record should be configured to make sure your emails are DKIM signed when routing through Mimecast. DMARC: With correct SPF and DKIM setup, Mimecast ensures DMARC alignment, maintaining your domain’s sending reputation. Please refer to the steps in this detailed article to set up SPF and DKIM for Mimecast. 2. API Integration (Complementary to Gateway) Mimecast’s APIs complement the main gateway by providing automation, reporting, and management tools rather than handling live outbound mail flow. They allow you to manage policies, export logs, search archived emails, and sync users. APIs enhance visibility and operational tasks but do not provide real-time filtering or blocking of outbound messages. Since APIs don’t process live mail, they have no direct effect on SPF, DKIM, or DMARC; those depend on your gateway (smart host) setup. Barracuda – Outbound Handling and Integration Methods Outbound Logic Barracuda analyzes outbound emails to prevent data loss (DLP), block malware, stop phishing/impersonation attempts from compromised internal accounts, and ensure compliance. Barracuda offers flexible deployment options, including both traditional gateway (MX record) and API-based integrations. While both contribute to outbound security, their roles are distinct. Integration Methods 1. Gateway Integration (MX Record / Smart Host) — Primary Inline Security How it works: All outbound emails pass through Barracuda’s security stack for real-time inspection, threat blocking, and policy enforcement before delivery. Protection level: Comprehensive DLP (blocking, encrypting, or quarantining sensitive content)  Outbound spam and virus filtering  Enforcement of compliance and content policies This approach offers a high level of control and immediate threat mitigation on outbound mail flow. SPF/DKIM/DMARC impact: SPF: Update SPF records to include Barracuda’s sending IPs or SPF include mechanism. DKIM: Currently, no explicit setup is needed; DKIM of the main sending source is preserved. Refer to this article for more comprehensive guidance on Barracuda SEG configuration. 2. API Integration (Complementary & Advanced Threat Focus) How it works: The API accesses cloud email environments to analyze historical and real-time data, learning normal communication patterns to detect anomalies in outbound emails. It also supports post-delivery remediation, enabling the removal of malicious emails from internal mailboxes after sending. Protection level: Advanced AI-driven detection and near real-time blocking of outbound threats, plus strong post-delivery cleanup capabilities. SPF/DKIM/DMARC impact: Since mail is sent directly by the original mail server (e.g., Microsoft 365), SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation. Cisco Secure Email (formerly IronPort) – Outbound Handling and Integration Methods Outbound Logic Cisco Secure Email protects outbound email by preventing data loss (DLP), blocking spam and malware from internal accounts, stopping business email compromise (BEC) and impersonation attacks, and ensuring compliance. Cisco provides both traditional gateway appliances/cloud gateways and modern API-based solutions for layered outbound security. Integration Methods 1. Gateway Integration (MX Record / Smart Host) – Cisco Secure Email Gateway (ESA) How it works: Organizations update MX records to route mail through the Cisco Secure Email Gateway or configure their mail server (e.g., Microsoft 365, Exchange) to smart host outbound email via the gateway. All outbound mail is inspected and policies enforced before delivery. Protection level: Granular DLP (blocking, encrypting, quarantining sensitive content) Outbound spam and malware filtering to protect IP reputation Email encryption for sensitive outbound messages Comprehensive content and attachment policy enforcement SPF: Check this article for comprehensive guidance on Cisco SPF settings. DKIM: Refer to this article for detailed guidance on Cisco DKIM settings. 2. API Integration – Cisco Secure Email Threat Defense How it works: Integrates directly via API with Microsoft 365 (and potentially Google Workspace), continuously monitoring email metadata, content, and user behavior across inbound, outbound, and internal messages. Leverages Cisco’s threat intelligence and AI to detect anomalous outbound activity linked to BEC, account takeover, and phishing. Post-Delivery Remediation: Automates the removal or quarantine of malicious or policy-violating emails from mailboxes even after sending. Protection level: Advanced, AI-driven detection of sophisticated outbound threats with real-time monitoring and automated remediation. Complements gateway filtering by adding cloud-native visibility and swift post-send action. SPF/DKIM/DMARC impact: Since emails are sent directly by the original mail server, SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation. If you have any questions or need assistance, feel free to reach out to EasyDMARC technical support.

ZDNET's key takeaways The Eufy E28 robot vacuum, mop, and spot cleaner combination is available for $999.The mop performs better than more expensive flagships, and the water tank system doubles as a portable spot cleaner with a self-cleaning hose.Unplugging the spot cleaner also unplugs the charging station, and the spot cleaner requires you to brush it to scrub. more buying choices The Eufy E28 Omni robot vacuum and mop just hit its lowest price ever at $850, a total of $450 off with an on-page Amazon coupon.Robot vacuum manufacturers are constantly trying to outdo one another. One company develops a detachable cordless vacuum for the robot's dock, and the next makes the robot's dustbin a detachable cordless vacuum. Now, Eufy is upping the ante with the first robot vacuum to also have a detachable spot cleaner for carpet and upholstery. Also: Finally, I found a robot and handheld vacuum combo that's ideal for apartment dwellersThe Eufy Omni E28 is a robot vacuum and mop with a portable spot cleaner for carpets and upholstery. You can run your robot vacuum as you would any other, but you can also pick up the top with a built-in retractable handle and do some deep cleaning on carpets, rugs, or upholstery. I've been testing this robot vacuum over the past couple of weeks, and I'm happy to report on its performance.  details View at Amazon Essentially, the deep cleaner you carry is the Omni station's clean and dirty water tank, so it's where the robot autonomously sources clean water for its mop when it's at the dock. The deep cleaner has a handle for spot-cleaning with a hose, so you can set it down near where you want to clean and plug it in without holding it as you clean. Aside from detachable cordless vacuums, a mop roller system is another big thing for robot vacuums; many makers, including SwitchBot, Yeedi, and Ecovacs, are moving away from detachable rotating mop pads and using mop rollers instead. Eufy's also done this before with the flagship S1 Pro.  Maria Diaz/ZDNETThe Omni E28 also has a mop roller, which looks similar to the S1 Pro but not identical. The Eufy Omni S1 Pro is unequivocally the best mopping robot vacuum I've ever tested, so I was excited to test the new Omni E28, which features a very similar system. Thankfully, the Omni E28 didn't disappoint. The large mop roller covers the length of the vacuum's width and leaves no streaks behind during mopping. Streaky floors are one of my biggest pet peeves when testing robot vacuum and mop combinations, and they're a more common occurrence than I'd like. Also: My favorite indoor security camera has no subscription fees and is on sale right nowEufy is also launching an E25 robot vacuum, which features the same HydroJet self-cleaning mop system as the E28. The robot's mop roller is continuously scraped clean as it spins, and it keeps clean and dirty water in separate tanks within its body, so it only mops with clean water. The mop also exerts more downward pressure to ensure deep cleaning than the S1 Pro, with 1.5kg (3.3 lbs) instead of 1kg.  Maria Diaz/ZDNETHowever, continuously spraying the roller with clean water inside the robot keeps it moist. Scraping off the dirt and wringing out the dirty water as the roller spins ensures your floors are clean instead of streaky or filmy. The Eufy Omni E28, like the S1 Pro, is the closest thing to a manual mopping result you can get from a robot vacuum and mop. Also: I love a vacuum and mop to clean dry and wet messes, especially when it's on saleThe E28 and E25 robot vacuums have 20,000Pa of suction power and anti-tangle technology, including a DuoSpiral double roller brush to remove pet hair and avoid entanglements. The robots are self-emptying robot vacuums with a self-washing mop roller. The only difference is the portable spot cleaner, which only the E28 has. The Eufy Omni E28 robot vacuum and mop has dual brush rollers and a roller mop. Maria Diaz/ZDNETThe spot cleaner proved to be very effective. It's heavy, like most spot cleaners when full of water, but it has a retractable handle on top that makes it easy to carry around. You also don't have to press any buttons or move anything to release it; just unplug it, pull the retractable handle, and go. I didn't like that the spot cleaner powers the base station, so if you take it somewhere else in your home to clean, the robot's charging station is left without power until you return it. This is fine for quick cleanups, but it can be annoying when a forgetful house member takes the spot cleaner upstairs and leaves it in a room for two days after they're done (totally not me). Also: This simple Amazon tablet became one of my biggest smart home upgrades yet (and it's on sale)The spot cleaner has a self-cleaning hose attached, but no other attachments. The hose ends in a static brush head that sprays clean water, which you use to clean messes on soft surfaces, like carpets, rugs, and upholstery. Since it isn't motorized, you must manually brush the rug or fabric with the brush head to scrub it clean. Once you're done, you just have to press a button along one end of the brush head to make the spot cleaner cycle clean water through the hose without spilling, cleaning the hose for you.  These pictures were taken three minutes apart. The left (before) shows yogurt stains on an ottoman. I sprayed a liquid spot cleaner and went over it with the brush and water; the results are on the right (after). Maria Diaz/ZDNETThere's no separate detergent tank for the spot cleaner, though you could add some detergent directly into the clean water tank. I recommend using just water in the clean water tank and spraying your preferred carpet or upholstery cleaning solution directly on the stains to pre-treat them. You can then scrub the mess clean with the Eufy E28 brush and rinse out the detergent. ZDNET's buying adviceThe Eufy Omni E28 is designed to solve a big problem for many US customers: the need for regular floor cleanings and the ability to quickly clean up messes on soft surfaces in a single device. This device isn't meant to replace your existing carpet cleaner, but it's perfect for consumers who may need a spot cleaner and are also in the market for one of the best robot vacuum and mops available.Also: Spring cleaning takes me no time with my favorite smart home devicesI'm not a fan of fully carpeted living spaces, but my home has carpeted bedrooms, one of which we use as our TV room. With three young kids who have movie nights and play time in that TV room, its carpet unfortunately sees a lot of spills. I was in the market for a spot cleaner for a while, but decided to buy a full carpet cleaner instead, which I use to clean our carpets at least once every quarter.  The E28 cleaned up the soy sauce stains comparably to the larger carpet cleaner. Maria Diaz/ZDNETBut there are always little messes in between -- whether it's spilled ketchup on the carpet, a muddy shoeprint on the entryway rug, or yogurt on the fabric ottoman. So I appreciate having the Eufy Omni E28's spot cleaner always handy. Instead of dragging out a heavy carpet cleaning machine and filling it with water to clean a 6-inch in diameter spill, I can just unplug and grab the E28, clean the mess, and return it to the dock with little work on my end. It's also priced quite well for a first-of-its-kind device with a flagship-level robot vacuum and mop. The Eufy Omni E28 robot vacuum, mop, and spot cleaning combination is now available on Eufy's website and Amazon for $1,000. The Eufy E25 robot vacuum and mop without the spot cleaner will be available in June for $900. When will this deal expire? While many sales events feature deals for a specific length of time, deals are on a limited-time basis, making them subject to expire at any time. ZDNET remains committed to finding, sharing, and updating the best offers to help you maximize your savings so you can feel as confident in your purchases as we feel in our recommendations. Our ZDNET team of experts constantly monitors the deals we feature to keep our stories up-to-date. If you missed out on this deal, don't worry -- we're always sourcing new savings opportunities at ZDNET.com. Show more Featured

Despite its appearance as just another arcady sandbox game, Deliver At All Costs is shockingly story-minded. So much so, that its constant focus on narrative might deter those just looking for some dumb fun. And after seeing the narrative through to the end, I wouldn’t blame them, given how hard the game tries to be a grand tapestry of storytelling excellence. The adventure is structured into three acts, each with a unique town to explore and complete missions in. One act even features a time skip accompanied by a moment of no return. So even if you just want to ignore story and focus on acing deliveries and causing mayhem in the streets, you still have to go through some cutscenes and narrative progression to unlock the next towns and side missions.   "The majority of the side content in Deliver At All Costs isn’t very enticing." Not that the side missions are worth doing anyway. The majority of side content in Deliver At All Costs isn’t very enticing. The rewards aren’t worth it and the fetch quest design doesn’t warrant the effort. I’d only recommend going out of your way for the side content if you’re already keen on exploring the various maps. The treasure chests and small boxes hidden throughout the game give cash that is used on materials for vehicle upgrades; however, a majority of upgrades can be purchased from the main story mission rewards anyway. I expected to have fun with the vehicle upgrades, but ended up sorely disappointed in their limited application. This is because upgrades cannot be used outside of curated story missions; bummer. Not that the crane attachment or extreme hauling capacity upgrade aren’t fun to play with; they are rather fun, but exclusively used for their particular missions. Again, if you’re expected a zany vehicular sandbox with a lot of options and unlockables, Deliver At All Costs isn’t that. The reason I keep associating the game with sandbox playability is due to its map design. It has an old-school 2D Grand Theft Auto style of isometric driving. In between story missions, you’re given the leisure to roam around town freely. All of your driving and running around is done through a top-down isometric camera angle that gives the environments a nice diorama look to them, and what’s more, you can move the camera between two different angles in case it’s difficult to see something. "Speaking of scenery, there’s a surprising amount of activity going on while you’re driving around delivering stuff." All the unique shops and landmarks of this diorama give off a classic vibe well. Oh, and the soundtrack fits the setting wonderfully. Lounge jazz and instrumental surfer rock accompany your deliveries, and it rarely gets repetitive. Tying it into GTA even more is the radio, with infrequent broadcasts that add flavor lore to the setting. Each town has multiple districts, each with their own theme, which helps vary up the scenery just that much more. Speaking of scenery, there’s a surprising amount of activity going on while you’re driving around delivering stuff. NPCs go about their business, birds glide across the sky, and plenty of vehicle traffic accompany the streets. In fact, there’s often a tad too much activity. Streets are so packed with cars and people that collisions are unavoidable. "NPCs roam the streets and become aggressive when threatened." I like how populated the game is, but it’s tuned a bit too high, getting in the way of enjoyability a lot of the time. Perhaps, it would have been better balanced to up the street traffic the further you get into the game, especially since the towns progress from rural to metropolitan through the course of the narrative. At the very least, there’s an attractive mini-map with well designed labels and indicators. Navigation is aided with helpful arrows showing the way to a mission destination too. But you aren’t merely delivering parcels to a destination in a given time limit; there’s a variety of ways the game mixes up its missions. Part of the game’s initial draw is its physics-based driving, which manifests in hilarious ways. One of the first missions tasks you with delivering a truck full of rotted watermelons. The first step is to bring them to a sanitizer, then you paint them so they look presentable, all while avoiding traffic and trying not to knock them over as they roll around in the back of the truck. It’s one of the enjoyable missions in the game, and one that demonstrates the physics gameplay best. I like how the missions get progressively more wacky and clever as you progress too. You even become a UFO hunter during one late-game job. It’s just too bad the very high traffic and wonky controls hamper the overall experience. "I like how the missions get progressively more wacky and clever as you progress." The driving controls are rather simple. Just aim in the direction you want to drive and hold the accelerate button. It’s the high sensitivity of the acceleration and the hard braking and turning that contribute to a somewhat frustrating experience. The high traffic just further compounds the controls to make for a somewhat clunky driving experience. Vehicles don’t differ in how they drive either, though you really only have the one truck for a large majority of the game anyway, so it doesn’t really make a difference. And the cars aren’t great to look at either. Heck, nothing looks particularly nice in the game, especially the characters. Facial animations are frankly bad and the bland art style doesn’t make up for the graphical shortcomings. What’s worse is there’s still some pretty substantial load times in-between regions, which hurts the flow of the open-world. But the element that gets hurt from graphics the most is the mixed story. It’s hard to take the drama seriously when its presented so poorly. There’s an attempt at cinematic camera angles during cutscenes, but textures are featureless and close-ups of people’s faces are serious PS1 quality stuff. Thankfully, a handful of characters are quite likable despite what their low poly models suggest. Winston’s delivery mates have surprising depth and a good amount of backstory. And Winston himself is a fully fledged personality and someone you can imagine working with. "Winston’s delivery mates have surprising depth and a good amount of backstory." Characters like Norman are instantly likeable while Winston’s arch-nemesis and hardline boss, Donovon, is perfectly punchable. I’m also impressed with a majority of the dialogue writing. Characters speak with a down-to-earth tone and level of informality that makes them realistic, even if they look like untextured Unity assets. Going back to where I started the review, the game goes surprisingly hard on the story axis, but it doesn’t fully land for me. The wacky yet earnest tone is great, but the execution of the plot doesn’t wrap up in a satisfying way. Winston’s mysterious past and the true motives of the delivery company’s executives had so much potential for an intriguing narrative thread. But alas, the finale just kinda falls flat without the payoff that the game was teasing. "The game goes surprisingly hard on the story front, but it didn’t fully land for me." As a whole, Delivery At All Costs delivers a zany and fun, though frustrating, isometric delivery experience with a story that tries a bit too hard. I can easily see this game being a cult classic, but for a majority of gamers, it won’t deliver a truly stunning experience. If you’re looking for a game with a wacky and inventive premise that experiments a bit, and don’t mind gameplay and graphics from three generations ago, give Deliver At All Costs a try and it might just deliver. This game was reviewed on the PlayStation 5.