• Apple’s A20 Rumored To Be Exclusive To The iPhone 18 Pro, iPhone 18 Pro Max And The Company’s Foldable Flagship, Will Leverage TSMC’s Advanced 2nm Process Combined With The Newer WMCM Packaging

    Wccftech

    Omar Sohail •
    Jun 16, 2025 at 02:00am EDT

    TSMC might have started accepting orders for its 2nm wafers, but the first chipsets fabricated on this cutting-edge lithography are not expected to arrive until late next year. As the majority of you are well aware, Apple likely pounced on the opportunity to be the first recipient of this technology, with its A20 rumored to be mass produced on the 2nm process. However, the same rumor claims that the Cupertino firm will employ the foundry giant’s WMCM (Wafer-Level Multi-Chip Module) packaging, bringing in more benefits, but customers can only experience these if they intend on making the iPhone 18 Pro, iPhone 18 Pro Max, or Apple’s upcoming foldable flagship their daily driver.
    The latest rumor also claims that Apple will not be upping the RAM count on any iPhone model that will ship with the A20
    The efforts to bring WMCM packaging to the A20 will be highly beneficial for Apple because it will allow the latter to maintain the chipset’s footprint while having immense flexibility in combining different components. In short, multiple dies such as the CPU, GPU, memory, and other parts can be integrated at a wafer level, before being sliced into individual chips. This approach will help Apple to mass manufacture smaller chipsets that are considerably power-efficient, but also powerful at the same time, leading to an incredible ‘performance per watt’ metric.
    China Times reports that this A20 upgrade will arrive for the iPhone 18 Pro, the iPhone 18 Pro Max, and Apple’s foldable flagship, which the rumor refers to as the iPhone 18 Fold. TSMC’s production line specifically for WMCM chipsets will be located in Chiayi AP7, with an estimated monthly production capacity of 50,000 pieces by the end of 2026. Interestingly, the RAM count will not change from this year, with Apple said to retain the 12GB limit. We have reported about the iPhone 18 series shifting to TSMC’s WMCM packaging before, while also talking about a separate rumor claiming that the A20 will be 15 percent faster than the A19 at the same power draw.
    The rumor does not mention whether the less expensive iPhone 18 models will be treated to chipsets featuring WMCM packaging, or if Apple intends to save on design and production costs by sticking with the older Integrated Fan-Out (InFo) packaging. All of these answers will be provided in the fourth quarter of 2026, when the iPhone 18 family goes official, so stay tuned.
    News Source: China Times

  • Aspora gets $50M from Sequoia to build remittance and banking solutions for Indian diaspora

    India has been one of the top recipients of remittances in the world for more than a decade. Inward remittances jumped from $55.6 billion in 2010-11 to $118.7 billion in 2023-24, according to data from the country’s central bank. The bank projects that figure will reach $160 billion in 2029.
    This means there is an increasing market for digitalized banking experiences for non-resident Indians (NRIs), ranging from remittances to investing in different assets back home.
    Aspora (formerly Vance) is trying to build a verticalized financial experience for the Indian diaspora by keeping convenience at the center. While a lot of financial products are in its future roadmap, the company currently focuses largely on remittances.
    “While multiple financial products for non-resident Indians exist, they don’t know about them because there is no digital journey for them. They possibly use the same banking app as residents, which makes it harder for them to discover products catered towards them,” Garg said.
    In the last year, the company has grown the volume of remittances by 6x — from $400 million to $2 billion in yearly volume processed.
    With this growth, the company has attracted a lot of investor interest. It raised $35 million in Series A funding last December — which was previously unreported — led by Sequoia with participation from Greylock, Y Combinator, Hummingbird Ventures, and Global Founders Capital. The round pegged the company’s valuation at $150 million. In the four months following, the company tripled its transaction volume, prompting investors to put in more money.
    The company announced today it has raised $50 million in Series B funding, co-led by Sequoia and Greylock, with Hummingbird, Quantum Light Ventures, and Y Combinator also contributing to the round. The startup said this round values the company at $500 million. The startup has raised over $99 million in funding to date.

    After pivoting from being Pipe.com for India, the company started by offering remittance for NRIs in the U.K. in 2023 and has expanded its presence in other markets, including Europe and the United Arab Emirates. It charges a flat fee for money transfer and offers a competitive rate. Now it also allows customers to invest in mutual funds in India. The startup markets its exchange rates as “Google rate” as customers often search for currency conversion rates, even though they may not reflect live rates.
    The startup is also set to launch in the U.S., one of the biggest remittance corridors to India, next month. Plus, it plans to open up shop in Canada, Singapore, and Australia by the fourth quarter of this year.
    Garg, who grew up in the UAE, said that remittances are just the start, and the company wants to build out more financial tools for NRIs.
    “We want to use remittances as a wedge and build all the financial solutions that the diaspora needs, including banking, investing, insurance, lending in the home country, and products that help them take care of their parents,” he told TechCrunch.
    He added that a large chunk of money that NRIs send home is for wealth creation rather than family sustenance. The startup said that 80% of its users are sending money to their own accounts back home.
    In the next few months, the company is launching a few products to offer more services. This month, it plans to launch a bill payment platform to let users pay for services like rent and utilities. Next month, it plans to launch fixed deposit accounts for non-resident Indians that allow them to park money in foreign currency. By the end of the year, it plans to launch a full-stack banking account for NRIs that typically takes days for users to open. While these accounts can help the diaspora maintain their tax status in India, a lot of people use a family member’s account because of the cumbersome process, and Aspora wants to simplify this.
    Apart from banking, the company also plans to launch a product that would help NRIs take care of their parents back home by offering regular medical checkups, emergency care coverage, and concierge services for other assistance.
    Besides global competitors like Remittly and Wise, the company also has India-based rivals like Abound, which was spun off from Times Internet.
    Sequoia’s Luciana Lixandru is confident that Aspora’s execution speed and verticalized solution will give it an edge.
    “Speed of execution, for me, is one of the main indicators in the early days of the future success of a company,” she told TechCrunch over a call. “Aspora moves fast, but it is also very deliberate in building corridor by corridor, which is very important in financial services.”
    TECHCRUNCH.COM
  • OAQ Awards of Excellence winners announced

    Montreal City Hall – Beaupré Michaud and Associates, Architects in collaboration with MU Architecture, Montreal. Photo credit: Raphaël Thibodeau
    The Ordre des architectes du Québec has revealed the winners of its 2025 Awards of Excellence in Architecture.
    A total of eleven projects were recognized at a gala hosted by Jean-René Dufort at Espace St-Denis in Montreal.
    The Grand Prix d’excellence en architecture was awarded to the restoration of Montreal City Hall, a major project led by Beaupré Michaud et Associés, architects, and MU Architecture. This complex project successfully preserves the building’s historical qualities while transforming it into an exemplary place in terms of energy and ecology. Guided by plans from the 1920s, the architects revived this building by equipping it with contemporary, efficient, more open, and more accessible features for residents. In addition to the heritage restoration, the team also reconciled old and contemporary technologies, energy efficiency, universal accessibility, and the reappropriation of spaces that had become dilapidated.
    The People’s Choice Award was presented to the Coop Milieu de l’île, designed by Pivot: Coopérative d’architecture. Located in Outremont, this 91-unit intergenerational housing cooperative was born from the initiative of a group of committed citizens looking to address the housing crisis by creating affordable, off-market housing. In the context of the housing crisis, the jury emphasized that this project, which is also the recipient of an Award of Excellence, designed by and for its residents, acts as a “breath of fresh air in Outremont.”
    Coop Milieu de l’île. Pivot: Architecture Cooperative, Montreal. Photo credit: Annie Fafard
    “The projects we evaluated this year were truly remarkable in their richness and diversity. The jury found in them everything that makes Quebec architecture so strong and unique: rigor, attention to detail, and respect for the context and built heritage. We saw emblematic projects, but also discreet gestures, almost invisible in the landscape. Some projects rehabilitated forgotten places, transformed historic buildings, or even imagined new spaces for collective living. All, in their own way, highlighted the powerful impact of built quality on our living environments,” said Gabrielle Nadeau, chair of the OAQ Awards of Excellence Jury.
    The jury for the 2025 Awards of Excellence in Architecture was chaired by Gabrielle Nadeau, principal design architect, COBE in Copenhagen. It also included architects Marianne Charbonneau of Agence Spatiale, Maxime-Alexis Frappier of ACDF, and Guillaume Martel-Trudel of Provencher-Roy. Élène Levasseur, director of research and education at Architecture sans frontières Québec, acted as the public representative.
    Through the Awards of Excellence in Architecture, presented annually, the Order aims to raise awareness among Quebecers of the multiple dimensions of architectural quality, in addition to promoting the role of the architects in the design of inspiring, sustainable and thoughtful senior living environments.
    The full list of winners includes the following.

    Habitat Sélénite by _naturehumaine
    Habitat Sélénite – _naturehumaine, Eastman. Photo: Raphaël Thibodeau

    École secondaire du Bosquet by ABCP | Menkès Shooner Dagenais LeTourneux | Bilodeau Baril Leeming Architectes
    École secondaire du Bosquet – ABCP | Menkès Shooner Dagenais LeTourneux | Bilodeau Baril Leeming Architectes, Drummondville. Photo: Stéphane Brügger

    Bibliothèque Gabrielle-Roy by Saucier + Perrotte Architectes et GLCRM Architectes
    Bibliothèque Gabrielle-Roy – Saucier + Perrotte Architectes et GLCRM Architectes, Québec. Photo: Olivier Blouin

    Maison A by Atelier Pierre Thibault
    Maison A – Atelier Pierre Thibault, Saint-Nicolas. Photo: Maxime Brouillet

    Nouvel Hôtel de Ville de La Pêche by BGLA Architecture et Design Urbain
    Nouvel Hôtel de Ville de La Pêche – BGLA Architecture et Design Urbain, La Pêche. Photo: Stéphane Brügger / Dominique Laroche

    École du Zénith by Pelletier de Fontenay + Leclerc
    École du Zénith – Pelletier de Fontenay + Leclerc, Shefford. Photo: James Brittain / David Boyer

    Le Paquebot by _naturehumaine
    Le Paquebot – _naturehumaine, Montréal. Photo: Ronan Mézière

    Coopérative funéraire la Seigneurie by ultralocal architectes
    Coopérative funéraire la Seigneurie – ultralocal architectes, Québec. Photo credit: Paul Dussault

    Site d’observation des bélugas Putep’t-awt by atelier5 + mainstudio
    Site d’observation des bélugas Putep’t-awt – atelier5 + mainstudio, Cacouna. Photo: Stéphane Groleau

    The post OAQ Awards of Excellence winners announced appeared first on Canadian Architect.
    #oaq #awards #excellence #winners #announced
    OAQ Awards of Excellence winners announced
    Montreal City Hall – Beaupré Michaud and Associates, Architects in collaboration with MU Architecture, Montreal. Photo credit: Raphaël Thibodeau

    The Ordre des architectes du Québec (OAQ) has revealed the winners of its 2025 Awards of Excellence in Architecture. A total of eleven projects were recognized at a gala hosted by Jean-René Dufort at Espace St-Denis in Montreal.

    The Grand Prix d’excellence en architecture was awarded to the restoration of Montreal City Hall, a major project led by Beaupré Michaud et Associés, architects, and MU Architecture. This complex project successfully preserves the building’s historical qualities while transforming it into an exemplary place in terms of energy and ecology. Guided by plans from the 1920s, the architects revived this building by equipping it with contemporary, efficient, more open, and more accessible features for residents. In addition to the heritage restoration, the team also reconciled old and contemporary technologies, energy efficiency, universal accessibility, and the reappropriation of spaces that had become dilapidated.

    The People’s Choice Award was presented to the Coop Milieu de l’île, designed by Pivot: Coopérative d’architecture. Located in Outremont, this 91-unit intergenerational housing cooperative was born from the initiative of a group of committed citizens looking to address the housing crisis by creating affordable, off-market housing. In the context of the housing crisis, the jury emphasized that this project, which is also the recipient of an Award of Excellence, designed by and for its residents, acts as a “breath of fresh air in Outremont.”

    Coop Milieu de l’île. Pivot: Architecture Cooperative, Montreal. Photo credit: Annie Fafard

    “The projects we evaluated this year were truly remarkable in their richness and diversity. The jury found in them everything that makes Quebec architecture so strong and unique: rigor, attention to detail, and respect for the context and built heritage. We saw emblematic projects, but also discreet gestures, almost invisible in the landscape. Some projects rehabilitated forgotten places, transformed historic buildings, or even imagined new spaces for collective living. All, in their own way, highlighted the powerful impact of built quality on our living environments,” said Gabrielle Nadeau, chair of the OAQ Awards of Excellence Jury.

    The jury for the 2025 Awards of Excellence in Architecture was chaired by Gabrielle Nadeau, principal design architect, COBE in Copenhagen. It also included architects Marianne Charbonneau of Agence Spatiale, Maxime-Alexis Frappier of ACDF, and Guillaume Martel-Trudel of Provencher-Roy. Élène Levasseur, director of research and education at Architecture sans frontières Québec, acted as the public representative.

    Through the Awards of Excellence in Architecture, presented annually, the Order aims to raise awareness among Quebecers of the multiple dimensions of architectural quality, in addition to promoting the role of the architects in the design of inspiring, sustainable and thoughtful senior living environments.

    The full list of winners includes the following.

    Habitat Sélénite – _naturehumaine, Eastman. Photo: Raphaël Thibodeau
    École secondaire du Bosquet – ABCP | Menkès Shooner Dagenais LeTourneux | Bilodeau Baril Leeming Architectes, Drummondville. Photo: Stéphane Brügger
    Bibliothèque Gabrielle-Roy – Saucier + Perrotte Architectes et GLCRM Architectes, Québec. Photo: Olivier Blouin
    Maison A – Atelier Pierre Thibault, Saint-Nicolas. Photo: Maxime Brouillet
    Nouvel Hôtel de Ville de La Pêche – BGLA Architecture et Design Urbain, La Pêche. Photo: Stéphane Brügger / Dominique Laroche
    École du Zénith – Pelletier de Fontenay + Leclerc, Shefford. Photo: James Brittain / David Boyer
    Le Paquebot – _naturehumaine, Montréal. Photo: Ronan Mézière
    Coopérative funéraire la Seigneurie – ultralocal architectes, Québec. Photo credit: Paul Dussault
    Site d’observation des bélugas Putep’t-awt – atelier5 + mainstudio, Cacouna. Photo: Stéphane Groleau

    The post OAQ Awards of Excellence winners announced appeared first on Canadian Architect.
  • New Zealand’s Email Security Requirements for Government Organizations: What You Need to Know

    The Secure Government Email (SGE) Common Implementation Framework
    New Zealand’s government is introducing a comprehensive email security framework designed to protect official communications from phishing and domain spoofing. This new framework, which will be mandatory for all government agencies by October 2025, establishes clear technical standards to enhance email security and retire the outdated SEEMail service. 
    Key Takeaways

    All NZ government agencies must comply with new email security requirements by October 2025.
    The new framework strengthens trust and security in government communications by preventing spoofing and phishing.
    The framework mandates TLS 1.2+, SPF, DKIM, DMARC with p=reject, MTA-STS, and DLP controls.
    EasyDMARC simplifies compliance with our guided setup, monitoring, and automated reporting.


    What is the Secure Government Email Common Implementation Framework?
    The Secure Government Email (SGE) Common Implementation Framework is a new government-led initiative in New Zealand designed to standardize email security across all government agencies. Its main goal is to secure external email communication, reduce domain spoofing in phishing attacks, and replace the legacy SEEMail service.
    Why is New Zealand Implementing New Government Email Security Standards?
    The framework was developed by New Zealand’s Department of Internal Affairs (DIA) as part of its role in managing ICT Common Capabilities. It leverages modern email security controls via the Domain Name System (DNS) to enable the retirement of the legacy SEEMail service and provide:

    Encryption for transmission security
    Digital signing for message integrity
    Basic non-repudiation (by allowing only authorized senders)
    Domain spoofing protection

    These improvements apply to all emails, not just those routed through SEEMail, offering broader protection across agency communications.
    What Email Security Technologies Are Required by the New NZ SGE Framework?
    The SGE Framework outlines the following key technologies that agencies must implement:

    TLS 1.2 or higher with implicit TLS enforced
    TLS-RPT
    SPF
    DKIM
    DMARC with reporting
    MTA-STS
    Data Loss Prevention controls

    These technologies work together to ensure encrypted email transmission, validate sender identity, prevent unauthorized use of domains, and reduce the risk of sensitive data leaks.


    When Do NZ Government Agencies Need to Comply with this Framework?
    All New Zealand government agencies are expected to fully implement the Secure Government Email (SGE) Common Implementation Framework by October 2025. Agencies should begin their planning and deployment now to ensure full compliance by the deadline.
    The All of Government Secure Email Common Implementation Framework v1.0
    What are the Mandated Requirements for Domains?
    Below are the exact requirements for all email-enabled domains under the new framework.
    Control | Exact Requirement
    TLS | Minimum TLS 1.2. TLS 1.1, 1.0, SSL, or clear-text not permitted.
    TLS-RPT | All email-sending domains must have TLS reporting enabled.
    SPF | Must exist and end with -all.
    DKIM | All outbound email from every sending service must be DKIM-signed at the final hop.
    DMARC | Policy of p=reject on all email-enabled domains. adkim=s is recommended when not bulk-sending.
    MTA-STS | Enabled and set to enforce.
    Implicit TLS | Must be configured and enforced for every connection.
    Data Loss Prevention | Enforce in line with the New Zealand Information Security Manual and Protective Security Requirements.
    Compliance Monitoring and Reporting
    The All of Government Service Delivery (AoGSD) team will be monitoring compliance with the framework. Monitoring will initially cover SPF, DMARC, and MTA-STS settings and will be expanded to include DKIM. Changes to these settings will be monitored, enabling reporting on email security compliance across all government agencies. Ongoing monitoring will highlight changes to domains, ensure new domains are set up with security in place, and monitor the implementation of future email security technologies.
    Should compliance changes occur, such as an agency’s SPF record being changed from -all to ~all, this will be captured so that the AoGSD Security Team can investigate. They will then communicate directly with the agency to determine if an issue exists or if an error has occurred, reviewing each case individually.
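    The record-level rules from the requirements table, and the -all to ~all drift case described above, can be checked mechanically. The following is an added example, not EasyDMARC's or the framework's own tooling: it audits constructed TXT and MTA-STS policy strings offline, and the snapshot layout, function names and agency.example values are assumptions.

```python
# Added example: offline audit of constructed DNS data against the SGE domain
# requirements. Snapshot layout and names are assumptions; nothing queries DNS.
# TLS version, implicit TLS, DKIM signing and DLP need live tests and are not covered.

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax used by DMARC, DKIM and TLS-RPT."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def pick(records, version):
    """Keep only TXT records that start with the given version tag."""
    v = version.lower()
    return [r.strip() for r in records
            if r.strip().lower() == v or r.strip().lower().startswith((v + " ", v + ";"))]

def check_spf(records, parked):
    spf = pick(records, "v=spf1")
    if len(spf) != 1:  # none = missing; more than one is a permanent error (RFC 7208)
        return [("SPF", "FAIL", f"expected exactly one SPF record, found {len(spf)}")]
    terms = spf[0].split()
    if terms[-1].lower() != "-all":
        return [("SPF", "FAIL", f"record ends with {terms[-1]!r}, not '-all'")]
    if parked and len(terms) != 2:
        return [("SPF", "FAIL", "parked domain must publish exactly 'v=spf1 -all'")]
    return []

def check_dmarc(records, parked):
    dmarc = pick(records, "v=DMARC1")
    if len(dmarc) != 1:
        return [("DMARC", "FAIL", f"expected exactly one DMARC record, found {len(dmarc)}")]
    tags, out = parse_tags(dmarc[0]), []
    if tags.get("p", "").lower() != "reject":
        out.append(("DMARC", "FAIL", f"p={tags.get('p', '<missing>')}, required p=reject"))
    if not tags.get("rua"):
        out.append(("DMARC", "FAIL", "no rua= address, so no aggregate reporting"))
    strict_dkim = tags.get("adkim", "r").lower() == "s"  # relaxed is the default
    strict_spf = tags.get("aspf", "r").lower() == "s"
    if parked and not (strict_dkim and strict_spf):
        out.append(("DMARC", "FAIL", "parked domain needs adkim=s and aspf=s"))
    elif not parked and not strict_dkim:
        out.append(("DMARC", "WARN", "adkim=s recommended unless bulk-sending"))
    return out

def check_mta_sts(policy_text):
    """The policy file is 'key: value' lines; the mode field must be enforce."""
    fields = {}
    for line in policy_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip())
    mode = fields.get("mode", "<missing>")
    if mode != "enforce":
        return [("MTA-STS", "FAIL", f"policy mode is {mode}, required enforce")]
    return []

def check_tlsrpt(records):
    if not any(parse_tags(r).get("rua") for r in pick(records, "v=TLSRPTv1")):
        return [("TLS-RPT", "FAIL", "no TLS-RPT record with a rua= destination")]
    return []

def check_parked_dkim(records):
    # An empty p= tells receivers there is no valid key for any selector.
    if not any(parse_tags(r).get("p") == "" for r in pick(records, "v=DKIM1")):
        return [("DKIM", "FAIL", "no wildcard DKIM record with an empty public key")]
    return []

def audit(snap, parked=False):
    """Return (control, level, message) findings; an empty list means compliant."""
    out = check_spf(snap.get("spf", []), parked) + check_dmarc(snap.get("dmarc", []), parked)
    if parked:
        return out + check_parked_dkim(snap.get("dkim_wildcard", []))
    return out + check_mta_sts(snap.get("mta_sts_policy", "")) + check_tlsrpt(snap.get("tlsrpt", []))

def regressions(before, after, parked=False):
    """Controls that pass in 'before' but fail in 'after' (the monitored drift case)."""
    was_failing = {c for c, level, _ in audit(before, parked) if level == "FAIL"}
    return [f for f in audit(after, parked) if f[1] == "FAIL" and f[0] not in was_failing]

# Constructed sample data (not real records).
COMPLIANT = {
    "spf": ["v=spf1 include:_spf.mail.example -all"],
    "dmarc": ["v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@agency.example"],
    "tlsrpt": ["v=TLSRPTv1; rua=mailto:tlsrpt@agency.example"],
    "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: mail.agency.example\nmax_age: 604800\n",
}
DRIFTED = dict(COMPLIANT, spf=["v=spf1 include:_spf.mail.example ~all"])
PARKED = {
    "spf": ["v=spf1 -all"],
    "dkim_wildcard": ["v=DKIM1; p="],
    "dmarc": ["v=DMARC1;p=reject;adkim=s;aspf=s;rua=mailto:dmarc@agency.example"],
}

if __name__ == "__main__":
    for control, level, message in regressions(COMPLIANT, DRIFTED):
        print(f"{level} {control}: {message}")
```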
    Deployment Checklist for NZ Government Compliance

    Enforce TLS 1.2 minimum, implicit TLS, MTA-STS & TLS-RPT
    SPF with -all
    DKIM on all outbound email
    DMARC p=reject 
    adkim=s where suitable
    For non-email/parked domains: SPF -all, empty DKIM, DMARC reject strict
    Compliance dashboard
    Inbound DMARC evaluation enforced
    DLP aligned with NZISM


    How EasyDMARC Can Help Government Agencies Comply
    EasyDMARC provides a comprehensive email security solution that simplifies the deployment and ongoing management of DNS-based email security protocols like SPF, DKIM, and DMARC with reporting. Our platform offers automated checks, real-time monitoring, and a guided setup to help government organizations quickly reach compliance.
    1. TLS-RPT / MTA-STS audit
    EasyDMARC lets you turn on the Managed MTA-STS and TLS-RPT option with a single click. We provide the required DNS records and continuously monitor them for issues, delivering reports on TLS negotiation problems. This helps agencies ensure secure email transmission and quickly detect delivery or encryption failures.

    Note: MTA-STS and TLS Reporting can be deployed by adding just three CNAME records provided by EasyDMARC. It’s recommended to start in “testing” mode, evaluate the TLS-RPT reports, and then gradually switch your MTA-STS policy to “enforce”. The process is simple and takes just a few clicks.

    EasyDMARC parses incoming TLS reports into a centralized dashboard, giving you clear visibility into delivery and encryption issues across all sending sources.
    2. SPF with “-all”
    In the EasyDMARC platform, you can run the SPF Record Generator to create a compliant record. Publish your v=spf1 record with “-all” to enforce a hard fail for unauthorized senders and prevent spoofed emails from passing SPF checks. This strengthens your domain’s protection against impersonation.

    Note: It is highly recommended to start adjusting your SPF record only after you begin receiving DMARC reports and identifying your legitimate email sources. As we’ll explain in more detail below, both SPF and DKIM should be adjusted after you gain visibility through reports.
    Making changes without proper visibility can lead to false positives, misconfigurations, and potential loss of legitimate emails. That’s why the first step should always be setting DMARC to p=none, receiving reports, analyzing them, and then gradually fixing any SPF or DKIM issues.
    3. DKIM on all outbound email
    DKIM must be configured for all email sources sending emails on behalf of your domain. This is critical, as DKIM plays a bigger role than SPF when it comes to building domain reputation, surviving auto-forwarding, mailing lists, and other edge cases.
    As mentioned above, DMARC reports provide visibility into your email sources, allowing you to implement DKIM accordingly. If you’re using third-party services like Google Workspace, Microsoft 365, or Mimecast, you’ll need to retrieve the public DKIM key from your provider’s admin interface.
    EasyDMARC maintains a backend directory of over 1,400 email sources. We also give you detailed guidance on how to configure SPF and DKIM correctly for major ESPs. 
    Note: At the end of this article, you’ll find configuration links for well-known ESPs like Google Workspace, Microsoft 365, Zoho Mail, Amazon SES, and SendGrid – helping you avoid common misconfigurations and get aligned with SGE requirements.
    If you’re using a dedicated MTA, DKIM must be implemented manually. EasyDMARC’s DKIM Record Generator lets you generate both public and private keys for your server. The private key is stored on your MTA, while the public key must be published in your DNS.

    4. DMARC p=reject rollout
    As mentioned in previous points, DMARC reporting is the first and most important step on your DMARC enforcement journey. Always start with a p=none policy and configure RUA reports to be sent to EasyDMARC. Use the report insights to identify and fix SPF and DKIM alignment issues, then gradually move to p=quarantine and finally p=reject once all legitimate email sources have been authenticated. 
    This phased approach ensures full protection against domain spoofing without risking legitimate email delivery.

    5. adkim Strict Alignment Check
    This strict alignment check is not always applicable, especially if you’re using third-party bulk ESPs, such as SendGrid, that require you to set DKIM on a subdomain level. You can set adkim=s in your DMARC TXT record, or simply enable strict mode in EasyDMARC’s Managed DMARC settings. This ensures that only emails with a DKIM signature that exactly matches your domain pass alignment, adding an extra layer of protection against domain spoofing. But only do this if you are NOT a bulk sender.

    6. Securing Non-Email Enabled Domains
    The purpose of deploying email security to non-email-enabled domains, or parked domains, is to prevent messages being spoofed from that domain. This requirement remains even if the root-level domain has SP=reject set within its DMARC record.
    Under this new framework, you must bulk import and mark parked domains as “Parked.” Crucially, this requires adjusting SPF settings to an empty record, setting DMARC to p=reject, and ensuring an empty DKIM record is in place:

    • SPF record: “v=spf1 -all”.
    • Wildcard DKIM record with empty public key.
    • DMARC record: “v=DMARC1;p=reject;adkim=s;aspf=s;rua=mailto:…”.

    EasyDMARC allows you to add and label parked domains for free. This is important because it helps you monitor any activity from these domains and ensure they remain protected with a strict DMARC policy of p=reject.
    7. Compliance Dashboard
    Use EasyDMARC’s Domain Scanner to assess the security posture of each domain with a clear compliance score and risk level. The dashboard highlights configuration gaps and guides remediation steps, helping government agencies stay on track toward full compliance with the SGE Framework.

    8. Inbound DMARC Evaluation Enforced
    You don’t need to apply any changes if you’re using Google Workspace, Microsoft 365, or other major mailbox providers. Most of them already enforce DMARC evaluation on incoming emails.
    However, some legacy Microsoft 365 setups may still quarantine emails that fail DMARC checks, even when the sending domain has a p=reject policy, instead of rejecting them. This behavior can be adjusted directly from your Microsoft Defender portal. Read more about this in our step-by-step guide on how to set up SPF, DKIM, and DMARC from Microsoft Defender.
    If you’re using a third-party mail provider that doesn’t enforce having a DMARC policy for incoming emails, which is rare, you’ll need to contact their support to request a configuration change.
    9. Data Loss Prevention Aligned with NZISM
    The New Zealand Information Security Manual (NZISM) is the New Zealand Government’s manual on information assurance and information systems security. It includes guidance on data loss prevention, which must be followed to be aligned with the SGE.
    Need Help Setting up SPF and DKIM for your Email Provider?
    Setting up SPF and DKIM for different ESPs often requires specific configurations. Some providers require you to publish SPF and DKIM on a subdomain, while others only require DKIM, or have different formatting rules. We’ve simplified all these steps to help you avoid misconfigurations that could delay your DMARC enforcement, or worse, block legitimate emails from reaching your recipients.
    Below you’ll find comprehensive setup guides for Google Workspace, Microsoft 365, Zoho Mail, Amazon SES, and SendGrid. You can also explore our full blog section that covers setup instructions for many other well-known ESPs.
    Remember, all this information is reflected in your DMARC aggregate reports. These reports give you live visibility into your outgoing email ecosystem, helping you analyze and fix any issues specific to a given provider.
    Here are our step-by-step guides for the most common platforms:

    Google Workspace

    Microsoft 365

    These guides will help ensure your DNS records are configured correctly as part of the Secure Government Email (SGE) Framework rollout.
    Meet New Government Email Security Standards With EasyDMARC
    New Zealand’s SGE Framework sets a clear path for government agencies to enhance their email security by October 2025. With EasyDMARC, you can meet these technical requirements efficiently and with confidence. From protocol setup to continuous monitoring and compliance tracking, EasyDMARC streamlines the entire process, ensuring strong protection against spoofing, phishing, and data loss while simplifying your transition from SEEMail.
    #new #zealands #email #security #requirements
    New Zealand’s Email Security Requirements for Government Organizations: What You Need to Know
    The Secure Government EmailCommon Implementation Framework New Zealand’s government is introducing a comprehensive email security framework designed to protect official communications from phishing and domain spoofing. This new framework, which will be mandatory for all government agencies by October 2025, establishes clear technical standards to enhance email security and retire the outdated SEEMail service.  Key Takeaways All NZ government agencies must comply with new email security requirements by October 2025. The new framework strengthens trust and security in government communications by preventing spoofing and phishing. The framework mandates TLS 1.2+, SPF, DKIM, DMARC with p=reject, MTA-STS, and DLP controls. EasyDMARC simplifies compliance with our guided setup, monitoring, and automated reporting. Start a Free Trial What is the Secure Government Email Common Implementation Framework? The Secure Government EmailCommon Implementation Framework is a new government-led initiative in New Zealand designed to standardize email security across all government agencies. Its main goal is to secure external email communication, reduce domain spoofing in phishing attacks, and replace the legacy SEEMail service. Why is New Zealand Implementing New Government Email Security Standards? The framework was developed by New Zealand’s Department of Internal Affairsas part of its role in managing ICT Common Capabilities. It leverages modern email security controls via the Domain Name Systemto enable the retirement of the legacy SEEMail service and provide: Encryption for transmission security Digital signing for message integrity Basic non-repudiationDomain spoofing protection These improvements apply to all emails, not just those routed through SEEMail, offering broader protection across agency communications. What Email Security Technologies Are Required by the New NZ SGE Framework? 
The SGE Framework outlines the following key technologies that agencies must implement: TLS 1.2 or higher with implicit TLS enforced TLS-RPTSPFDKIMDMARCwith reporting MTA-STSData Loss Prevention controls These technologies work together to ensure encrypted email transmission, validate sender identity, prevent unauthorized use of domains, and reduce the risk of sensitive data leaks. Get in touch When Do NZ Government Agencies Need to Comply with this Framework? All New Zealand government agencies are expected to fully implement the Secure Government EmailCommon Implementation Framework by October 2025. Agencies should begin their planning and deployment now to ensure full compliance by the deadline. The All of Government Secure Email Common Implementation Framework v1.0 What are the Mandated Requirements for Domains? Below are the exact requirements for all email-enabled domains under the new framework. ControlExact RequirementTLSMinimum TLS 1.2. TLS 1.1, 1.0, SSL, or clear-text not permitted.TLS-RPTAll email-sending domains must have TLS reporting enabled.SPFMust exist and end with -all.DKIMAll outbound email from every sending service must be DKIM-signed at the final hop.DMARCPolicy of p=reject on all email-enabled domains. adkim=s is recommended when not bulk-sending.MTA-STSEnabled and set to enforce.Implicit TLSMust be configured and enforced for every connection.Data Loss PreventionEnforce in line with the New Zealand Information Security Manualand Protective Security Requirements. Compliance Monitoring and Reporting The All of Government Service Deliveryteam will be monitoring compliance with the framework. Monitoring will initially cover SPF, DMARC, and MTA-STS settings and will be expanded to include DKIM. Changes to these settings will be monitored, enabling reporting on email security compliance across all government agencies. 
Ongoing monitoring will highlight changes to domains, ensure new domains are set up with security in place, and monitor the implementation of future email security technologies.  Should compliance changes occur, such as an agency’s SPF record being changed from -all to ~all, this will be captured so that the AoGSD Security Team can investigate. They will then communicate directly with the agency to determine if an issue exists or if an error has occurred, reviewing each case individually. Deployment Checklist for NZ Government Compliance Enforce TLS 1.2 minimum, implicit TLS, MTA-STS & TLS-RPT SPF with -all DKIM on all outbound email DMARC p=reject  adkim=s where suitable For non-email/parked domains: SPF -all, empty DKIM, DMARC reject strict Compliance dashboard Inbound DMARC evaluation enforced DLP aligned with NZISM Start a Free Trial How EasyDMARC Can Help Government Agencies Comply EasyDMARC provides a comprehensive email security solution that simplifies the deployment and ongoing management of DNS-based email security protocols like SPF, DKIM, and DMARC with reporting. Our platform offers automated checks, real-time monitoring, and a guided setup to help government organizations quickly reach compliance. 1. TLS-RPT / MTA-STS audit EasyDMARC enables you to enable the Managed MTA-STS and TLS-RPT option with a single click. We provide the required DNS records and continuously monitor them for issues, delivering reports on TLS negotiation problems. This helps agencies ensure secure email transmission and quickly detect delivery or encryption failures. Note: In this screenshot, you can see how to deploy MTA-STS and TLS Reporting by adding just three CNAME records provided by EasyDMARC. It’s recommended to start in “testing” mode, evaluate the TLS-RPT reports, and then gradually switch your MTA-STS policy to “enforce”. The process is simple and takes just a few clicks. 
As shown above, EasyDMARC parses incoming TLS reports into a centralized dashboard, giving you clear visibility into delivery and encryption issues across all sending sources. 2. SPF with “-all”In the EasyDARC platform, you can run the SPF Record Generator to create a compliant record. Publish your v=spf1 record with “-all” to enforce a hard fail for unauthorized senders and prevent spoofed emails from passing SPF checks. This strengthens your domain’s protection against impersonation. Note: It is highly recommended to start adjusting your SPF record only after you begin receiving DMARC reports and identifying your legitimate email sources. As we’ll explain in more detail below, both SPF and DKIM should be adjusted after you gain visibility through reports. Making changes without proper visibility can lead to false positives, misconfigurations, and potential loss of legitimate emails. That’s why the first step should always be setting DMARC to p=none, receiving reports, analyzing them, and then gradually fixing any SPF or DKIM issues. 3. DKIM on all outbound email DKIM must be configured for all email sources sending emails on behalf of your domain. This is critical, as DKIM plays a bigger role than SPF when it comes to building domain reputation, surviving auto-forwarding, mailing lists, and other edge cases. As mentioned above, DMARC reports provide visibility into your email sources, allowing you to implement DKIM accordingly. If you’re using third-party services like Google Workspace, Microsoft 365, or Mimecast, you’ll need to retrieve the public DKIM key from your provider’s admin interface. EasyDMARC maintains a backend directory of over 1,400 email sources. We also give you detailed guidance on how to configure SPF and DKIM correctly for major ESPs.  
    EASYDMARC.COM
    New Zealand’s Email Security Requirements for Government Organizations: What You Need to Know
    The Secure Government Email (SGE) Common Implementation Framework

    New Zealand’s government is introducing a comprehensive email security framework designed to protect official communications from phishing and domain spoofing. This new framework, which will be mandatory for all government agencies by October 2025, establishes clear technical standards to enhance email security and retire the outdated SEEMail service.

    Key Takeaways
    • All NZ government agencies must comply with new email security requirements by October 2025.
    • The new framework strengthens trust and security in government communications by preventing spoofing and phishing.
    • The framework mandates TLS 1.2+, SPF, DKIM, DMARC with p=reject, MTA-STS, and DLP controls.
    • EasyDMARC simplifies compliance with our guided setup, monitoring, and automated reporting.

    What is the Secure Government Email Common Implementation Framework?

    The Secure Government Email (SGE) Common Implementation Framework is a new government-led initiative in New Zealand designed to standardize email security across all government agencies. Its main goal is to secure external email communication, reduce domain spoofing in phishing attacks, and replace the legacy SEEMail service.

    Why is New Zealand Implementing New Government Email Security Standards?

    The framework was developed by New Zealand’s Department of Internal Affairs (DIA) as part of its role in managing ICT Common Capabilities. It leverages modern email security controls via the Domain Name System (DNS) to enable the retirement of the legacy SEEMail service and provide:
    • Encryption for transmission security
    • Digital signing for message integrity
    • Basic non-repudiation (by allowing only authorized senders)
    • Domain spoofing protection

    These improvements apply to all emails, not just those routed through SEEMail, offering broader protection across agency communications.

    What Email Security Technologies Are Required by the New NZ SGE Framework?

    The SGE Framework outlines the following key technologies that agencies must implement:
    • TLS 1.2 or higher with implicit TLS enforced
    • TLS-RPT (TLS Reporting)
    • SPF (Sender Policy Framework)
    • DKIM (DomainKeys Identified Mail)
    • DMARC (Domain-based Message Authentication, Reporting, and Conformance) with reporting
    • MTA-STS (Mail Transfer Agent Strict Transport Security)
    • Data Loss Prevention controls

    These technologies work together to ensure encrypted email transmission, validate sender identity, prevent unauthorized use of domains, and reduce the risk of sensitive data leaks.

    When Do NZ Government Agencies Need to Comply with this Framework?

    All New Zealand government agencies are expected to fully implement the Secure Government Email (SGE) Common Implementation Framework by October 2025. Agencies should begin their planning and deployment now to ensure full compliance by the deadline.

    The All of Government Secure Email Common Implementation Framework v1.0

    What are the Mandated Requirements for Domains?

    Below are the exact requirements for all email-enabled domains under the new framework.

    | Control | Exact Requirement |
    |---|---|
    | TLS | Minimum TLS 1.2. TLS 1.1, 1.0, SSL, or clear-text not permitted. |
    | TLS-RPT | All email-sending domains must have TLS reporting enabled. |
    | SPF | Must exist and end with -all. |
    | DKIM | All outbound email from every sending service must be DKIM-signed at the final hop. |
    | DMARC | Policy of p=reject on all email-enabled domains. adkim=s is recommended when not bulk-sending. |
    | MTA-STS | Enabled and set to enforce. |
    | Implicit TLS | Must be configured and enforced for every connection. |
    | Data Loss Prevention | Enforce in line with the New Zealand Information Security Manual (NZISM) and Protective Security Requirements (PSR). |

    Compliance Monitoring and Reporting

    The All of Government Service Delivery (AoGSD) team will be monitoring compliance with the framework. Monitoring will initially cover SPF, DMARC, and MTA-STS settings and will be expanded to include DKIM. Changes to these settings will be monitored, enabling reporting on email security compliance across all government agencies. Ongoing monitoring will highlight changes to domains, ensure new domains are set up with security in place, and monitor the implementation of future email security technologies.

    Should compliance changes occur, such as an agency’s SPF record being changed from -all to ~all, this will be captured so that the AoGSD Security Team can investigate. They will then communicate directly with the agency to determine if an issue exists or if an error has occurred, reviewing each case individually.

    Deployment Checklist for NZ Government Compliance
    • Enforce TLS 1.2 minimum, implicit TLS, MTA-STS & TLS-RPT
    • SPF with -all
    • DKIM on all outbound email
    • DMARC p=reject
    • adkim=s where suitable
    • For non-email/parked domains: SPF -all, empty DKIM, DMARC reject strict
    • Compliance dashboard
    • Inbound DMARC evaluation enforced
    • DLP aligned with NZISM

    How EasyDMARC Can Help Government Agencies Comply

    EasyDMARC provides a comprehensive email security solution that simplifies the deployment and ongoing management of DNS-based email security protocols like SPF, DKIM, and DMARC with reporting. Our platform offers automated checks, real-time monitoring, and a guided setup to help government organizations quickly reach compliance.

    1. TLS-RPT / MTA-STS audit

    EasyDMARC lets you enable the Managed MTA-STS and TLS-RPT option with a single click. We provide the required DNS records and continuously monitor them for issues, delivering reports on TLS negotiation problems. This helps agencies ensure secure email transmission and quickly detect delivery or encryption failures.

    Note: In this screenshot, you can see how to deploy MTA-STS and TLS Reporting by adding just three CNAME records provided by EasyDMARC. It’s recommended to start in “testing” mode, evaluate the TLS-RPT reports, and then gradually switch your MTA-STS policy to “enforce”. The process is simple and takes just a few clicks.

    As shown above, EasyDMARC parses incoming TLS reports into a centralized dashboard, giving you clear visibility into delivery and encryption issues across all sending sources.

    2. SPF with “-all”

    In the EasyDMARC platform, you can run the SPF Record Generator to create a compliant record. Publish your v=spf1 record with “-all” to enforce a hard fail for unauthorized senders and prevent spoofed emails from passing SPF checks. This strengthens your domain’s protection against impersonation.

    Note: It is highly recommended to start adjusting your SPF record only after you begin receiving DMARC reports and identifying your legitimate email sources. As we’ll explain in more detail below, both SPF and DKIM should be adjusted after you gain visibility through reports. Making changes without proper visibility can lead to false positives, misconfigurations, and potential loss of legitimate emails. That’s why the first step should always be setting DMARC to p=none, receiving reports, analyzing them, and then gradually fixing any SPF or DKIM issues.

    3. DKIM on all outbound email

    DKIM must be configured for all email sources sending emails on behalf of your domain. This is critical, as DKIM plays a bigger role than SPF when it comes to building domain reputation, surviving auto-forwarding, mailing lists, and other edge cases. As mentioned above, DMARC reports provide visibility into your email sources, allowing you to implement DKIM accordingly (see first screenshot). If you’re using third-party services like Google Workspace, Microsoft 365, or Mimecast, you’ll need to retrieve the public DKIM key from your provider’s admin interface (see second screenshot). EasyDMARC maintains a backend directory of over 1,400 email sources. We also give you detailed guidance on how to configure SPF and DKIM correctly for major ESPs.
    Note: At the end of this article, you’ll find configuration links for well-known ESPs like Google Workspace, Microsoft 365, Zoho Mail, Amazon SES, and SendGrid – helping you avoid common misconfigurations and get aligned with SGE requirements. If you’re using a dedicated MTA (e.g., Postfix), DKIM must be implemented manually. EasyDMARC’s DKIM Record Generator lets you generate both public and private keys for your server. The private key is stored on your MTA, while the public key must be published in your DNS (see third and fourth screenshots).

    4. DMARC p=reject rollout

    As mentioned in previous points, DMARC reporting is the first and most important step on your DMARC enforcement journey. Always start with a p=none policy and configure RUA reports to be sent to EasyDMARC. Use the report insights to identify and fix SPF and DKIM alignment issues, then gradually move to p=quarantine and finally p=reject once all legitimate email sources have been authenticated. This phased approach ensures full protection against domain spoofing without risking legitimate email delivery.

    5. adkim Strict Alignment Check

    This strict alignment check is not always applicable, especially if you’re using third-party bulk ESPs, such as SendGrid, that require you to set DKIM on a subdomain level. You can set adkim=s in your DMARC TXT record, or simply enable strict mode in EasyDMARC’s Managed DMARC settings. This ensures that only emails with a DKIM signature that exactly matches your domain pass alignment, adding an extra layer of protection against domain spoofing. But only do this if you are NOT a bulk sender.

    6. Securing Non-Email Enabled Domains

    The purpose of deploying email security to non-email-enabled domains, or parked domains, is to prevent messages being spoofed from that domain. This requirement remains even if the root-level domain has sp=reject set within its DMARC record.

    Under this new framework, you must bulk import and mark parked domains as “Parked.” Crucially, this requires adjusting SPF settings to an empty record, setting DMARC to p=reject, and ensuring an empty DKIM record is in place:
    • SPF record: “v=spf1 -all”.
    • Wildcard DKIM record with empty public key.
    • DMARC record: “v=DMARC1;p=reject;adkim=s;aspf=s;rua=mailto:…”.

    EasyDMARC allows you to add and label parked domains for free. This is important because it helps you monitor any activity from these domains and ensure they remain protected with a strict DMARC policy of p=reject.

    7. Compliance Dashboard

    Use EasyDMARC’s Domain Scanner to assess the security posture of each domain with a clear compliance score and risk level. The dashboard highlights configuration gaps and guides remediation steps, helping government agencies stay on track toward full compliance with the SGE Framework.

    8. Inbound DMARC Evaluation Enforced

    You don’t need to apply any changes if you’re using Google Workspace, Microsoft 365, or other major mailbox providers. Most of them already enforce DMARC evaluation on incoming emails. However, some legacy Microsoft 365 setups may still quarantine emails that fail DMARC checks, even when the sending domain has a p=reject policy, instead of rejecting them. This behavior can be adjusted directly from your Microsoft Defender portal. Read more about this in our step-by-step guide on how to set up SPF, DKIM, and DMARC from Microsoft Defender.

    If you’re using a third-party mail provider that doesn’t enforce DMARC policy on incoming emails, which is rare, you’ll need to contact their support to request a configuration change.

    9. Data Loss Prevention Aligned with NZISM

    The New Zealand Information Security Manual (NZISM) is the New Zealand Government’s manual on information assurance and information systems security. It includes guidance on data loss prevention (DLP), which must be followed to be aligned with the SGE.

    Need Help Setting up SPF and DKIM for your Email Provider?

    Setting up SPF and DKIM for different ESPs often requires specific configurations. Some providers require you to publish SPF and DKIM on a subdomain, while others only require DKIM, or have different formatting rules. We’ve simplified all these steps to help you avoid misconfigurations that could delay your DMARC enforcement, or worse, block legitimate emails from reaching your recipients.

    Below you’ll find comprehensive setup guides for Google Workspace, Microsoft 365, Zoho Mail, Amazon SES, and SendGrid. You can also explore our full blog section that covers setup instructions for many other well-known ESPs.

    Remember, all this information is reflected in your DMARC aggregate reports. These reports give you live visibility into your outgoing email ecosystem, helping you analyze and fix any issues specific to a given provider.

    Here are our step-by-step guides for the most common platforms:
    • Google Workspace
    • Microsoft 365

    These guides will help ensure your DNS records are configured correctly as part of the Secure Government Email (SGE) Framework rollout.

    Meet New Government Email Security Standards With EasyDMARC

    New Zealand’s SGE Framework sets a clear path for government agencies to enhance their email security by October 2025. With EasyDMARC, you can meet these technical requirements efficiently and with confidence. From protocol setup to continuous monitoring and compliance tracking, EasyDMARC streamlines the entire process, ensuring strong protection against spoofing, phishing, and data loss while simplifying your transition from SEEMail.
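The DNS-visible requirements listed in the article (SPF ending in -all, DMARC p=reject with reporting, TLS-RPT, MTA-STS in enforce mode, and the parked-domain record set) can be checked mechanically, including the -all to ~all drift the monitoring section mentions. The following is an added example, not EasyDMARC's or the framework's own tooling; the domain names, record values and function names are constructed for illustration, and TLS versions and DKIM signing are left out because they cannot be judged from DNS records alone.

```python
"""Offline audit of DNS email-security records against the requirements this
article lists. Record values are constructed samples; no DNS lookups are made."""


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (DMARC, DKIM, TLS-RPT, MTA-STS TXT) into a dict."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records, parked=False):
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero means no policy; more than one is a permerror (RFC 7208)
        return [f"SPF: expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].lower().split()
    if terms[-1] != "-all":
        return [f"SPF: record must end with -all, ends with {terms[-1]}"]
    if parked and terms != ["v=spf1", "-all"]:
        return ["SPF: parked domain should authorise no senders (v=spf1 -all)"]
    return []


def check_dmarc(record, strict=False):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: no v=DMARC1 record at _dmarc"]
    findings = []
    if tags.get("p", "").lower() != "reject":
        findings.append(f"DMARC: p={tags.get('p')} but the framework requires p=reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua tag, so no aggregate reports are sent")
    if strict:  # parked domains: both alignment modes strict; the default is relaxed (r)
        for tag in ("adkim", "aspf"):
            if tags.get(tag, "r").lower() != "s":
                findings.append(f"DMARC: {tag}=s expected on a parked domain")
    return findings


def check_transport(records):
    """TLS-RPT record plus MTA-STS TXT record and policy file (RFC 8460 / RFC 8461)."""
    findings = []
    tlsrpt = parse_tags(records.get("_smtp._tls"))
    if tlsrpt.get("v") != "TLSRPTv1" or "rua" not in tlsrpt:
        findings.append("TLS-RPT: no v=TLSRPTv1 record with a rua address")
    if parse_tags(records.get("_mta-sts")).get("v") != "STSv1":
        findings.append("MTA-STS: no v=STSv1 TXT record at _mta-sts")
    mode = None
    for line in (records.get("mta_sts_policy") or "").splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "mode":
            mode = value.strip().lower()
    if mode != "enforce":
        findings.append(f"MTA-STS: policy mode is {mode}, framework requires enforce")
    return findings


def audit(records, parked=False):
    """Return a list of findings; an empty list means every checked record complies."""
    findings = check_spf(records.get("txt", []), parked)
    findings += check_dmarc(records.get("_dmarc"), strict=parked)
    if parked:
        if parse_tags(records.get("*._domainkey")).get("p") != "":
            findings.append("DKIM: parked domain needs a wildcard record with an empty p=")
    else:
        findings += check_transport(records)
    return findings


# Constructed sample records (hypothetical domain agency.example).
AGENCY_OK = {
    "txt": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc": "v=DMARC1; p=reject; rua=mailto:reports@agency.example",
    "_smtp._tls": "v=TLSRPTv1; rua=mailto:tls@agency.example",
    "_mta-sts": "v=STSv1; id=20250101000000",
    "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: mx.agency.example\nmax_age: 604800\n",
}
# Same domain after a softening change: SPF ~all and MTA-STS left in testing mode.
AGENCY_DRIFTED = dict(
    AGENCY_OK,
    txt=["v=spf1 include:_spf.mailhost.example ~all"],
    mta_sts_policy=AGENCY_OK["mta_sts_policy"].replace("enforce", "testing"),
)
PARKED = {
    "txt": ["v=spf1 -all"],
    "_dmarc": "v=DMARC1;p=reject;adkim=s;aspf=s;rua=mailto:reports@agency.example",
    "*._domainkey": "v=DKIM1; p=",
}

if __name__ == "__main__":
    for name, recs, parked in [("ok", AGENCY_OK, False),
                               ("drifted", AGENCY_DRIFTED, False),
                               ("parked", PARKED, True)]:
        print(name, audit(recs, parked) or "compliant")
```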
  • CERT Director Greg Touhill: To Lead Is to Serve

    Greg Touhill, director of the Software Engineering Institute’s Computer Emergency Response Team division, is an atypical technology leader. For one thing, he’s been in tech and other leadership positions that span the US Air Force, the US government, the private sector and now SEI’s CERT. More importantly, he’s been a major force in the cybersecurity realm, making the world a safer place and even saving lives.

    Touhill earned a bachelor’s degree from the Pennsylvania State University, a master’s degree from the University of Southern California, a master’s degree from the Air War College, was a senior executive fellow at the Harvard University Kennedy School of Government and completed executive education studies at the University of North Carolina.

    “I was a student intern at Carnegie Mellon, but I was going to college at Penn State and studying chemical engineering. As an Air Force ROTC scholarship recipient, I knew I was going to become an Air Force officer but soon realized that I didn’t necessarily want to be a chemical engineer in the Air Force,” says Touhill. “Because I passed all the mathematics, physics, and engineering courses, I ended up becoming a communications, electronics, and computer systems officer in the Air Force. I spent 30 years, one month and three days on active duty in the United States Air Force, eventually retiring as a brigadier general and having done many different types of jobs that were available to me within and even beyond my career field.”

    Specifically, he was an operational commander at the squadron, group, and wing levels. For example, as a colonel, Touhill served as director of command, control, communications and computers for the United States Central Command Forces, then he was appointed chief information officer and director, communications and information at Air Mobility Command. Later, he served as commander, 81st Training Wing at Keesler Air Force Base where he was promoted to brigadier general and commanded over 12,500 personnel. After that, he served as the senior defense officer and US defense attaché at the US Embassy in Kuwait, before concluding his military career as the chief information officer and director, C4 systems at the US Transportation Command, one of 10 US combatant commands, where he and his team were awarded the NSA Rowlett Award for the best cybersecurity program in the government.

    While in the Air Force, Touhill received numerous awards and decorations including the Bronze Star medal and the Air Force Science and Engineering Award. He is the only three-time recipient of the USAF C4 Professionalism Award.

    “I got to serve at major combatant commands, work with coalition partners from many different countries and represented the US as part of a diplomatic mission to Kuwait for two years as the senior defense official at a time when America was withdrawing forces out of Iraq. I also led the negotiation of a new bilateral defense agreement with the Kuwaitis,” says Touhill. “Then I was recruited to continue my service and was asked to serve as the deputy assistant secretary of cybersecurity and communications at the Department of Homeland Security, where I ran the operations of what is now known as the Cybersecurity and Infrastructure Security Agency. I was there at a pivotal moment because we were building up the capacity of that organization and setting the stage for it to become its own agency.”

    While at DHS, there were many noteworthy breaches including the infamous US Office of People Management breach. Those events led to Obama’s visit to the National Cybersecurity and Communications Integration Center.

    “I got to brief the president on the state of cybersecurity, what we had seen with the OPM breach and some other deficiencies,” says Touhill. “I was on the federal CIO council as the cybersecurity advisor to that since I’d been a federal CIO before and I got to conclude my federal career by being the first United States government chief information security officer. From there, I pivoted to industry, but I also got to return to Carnegie Mellon as a faculty member at Carnegie Mellon’s Heinz College, where I've been teaching since January 2017.”

    Touhill has been involved in three startups, two of which were successfully acquired. He also served on three Fortune 100 advisory boards and on the Information Systems Audit and Control Association board, eventually becoming its chair for a term during the seven years he served there. Touhill just celebrated his fourth year at CERT, which he considers the pinnacle of the cybersecurity profession and everything he’s done to date.

    “Over my career I've led teams that have done major software builds in the national security space. I've also been the guy who's pulled cables and set up routers, hubs and switches, and I've been a system administrator. I've done everything that I could do from the keyboard up all the way up to the White House,” says Touhill. “For 40 years, the Software Engineering Institute has been leading the world in secure by design, cybersecurity, software engineering, artificial intelligence and engineering, pioneering best practices, and figuring out how to make the world a safer more secure and trustworthy place. I’ve had a hand in the making of today’s modern military and government information technology environment, beginning as a 22-year-old lieutenant, and hope to inspire the next generation to do even better.”

    What ‘Success’ Means

    Many people would be satisfied with their careers as a brigadier general, a tech leader, the White House’s first anything, or working at CERT, let alone running it. Touhill has spent his entire career making the world a safer place, so it’s not surprising that he considers his greatest achievement saving lives.

    “In the Middle East and Iraq, convoys were being attacked with improvised explosive devices. There were also ‘direct fire’ attacks where people are firing weapons at you and indirect fire attacks where you could be in the line of fire,” says Touhill. “The convoys were using SINCGARS line-of-sight walkie-talkies for communications that are most effective when the ground is flat, and Iraq is not flat. As a result, our troops were at risk of not having reliable communications while under attack. As my team brainstormed options to remedy the situation, one of my guys found some technology, about the size of an iPhone, that could convert a radio signal, which is basically a waveform, into a digital pulse I could put on a dedicated network to support the convoy missions.”

    For million, Touhill and his team quickly architected, tested, and fielded the Radio over IP network that had a 99% reliability rate anywhere in Iraq. Better still, convoys could communicate over the network using any radios. That solution saved a minimum of six lives. In one case, the hospital doctor said if the patient had arrived five minutes later, he would have died.

    Sage Advice

    Anyone who has ever spent time in the military or in a military family knows that soldiers are very well disciplined, or they wash out. Other traits include being physically fit, mentally fit, and achieving balance in life, though that’s difficult to achieve in combat. Still, it’s a necessity.

    “I served three and a half years down range in combat operations. My experience taught me you could be doing 20-hour days for a year or two on end. If you haven’t built a good foundation of being disciplined and fit, it impacts your ability to maintain presence in times of stress, and CISOs work in stressful situations,” says Touhill. “Staying fit also fortifies you for the long haul, so you don’t get burned out as fast.”

    Another necessary skill is the ability to work well with others.

    “Cybersecurity is an interdisciplinary practice. One of the great joys I have as CERT director is the wide range of experts in many different fields that include software engineers, computer engineers, computer scientists, data scientists, mathematicians and physicists,” says Touhill. “I have folks who have business degrees and others who have philosophy degrees. It's really a rich community of interests all coming together towards that common goal of making the world a safer, more secure and more trusted place in the cyber domain. We’re kind of like the cyber neighborhood watch for the whole world.”

    He also says that money isn’t everything, having taken a pay cut to go from being an Air Force brigadier general to the deputy assistant secretary of the Department of Homeland Security.

    “You’ll always do well if you pick the job that matters most. That’s what I did, and I’ve been rewarded every step,” says Touhill.

    The biggest challenge he sees is the complexity of cyber systems and software, which can have second, third, and fourth order effects.

    “Complexity raises the cost of the attack surface, increases the attack surface, raises the number of vulnerabilities and exploits human weaknesses,” says Touhill. “The No. 1 thing we need to be paying attention to is privacy when it comes to AI because AI can unearth and discover knowledge from data we already have. While it gives us greater insights at greater velocities, we need to be careful that we take precautions to better protect our privacy, civil rights and civil liberties.”
  • Recipients of Public Awareness Sponsorship Program announced

    The latest recipients of the OAA’s Public Awareness Sponsorship program, held twice a year, have been announced.
    Under its five-year strategic plan, the OAA has identified public education as a key pillar with the goal to advance the public’s understanding and recognition that architecture is integral to the quality of life and well-being of society. As a result, the OAA offers Public Awareness Funding in amounts from $500 to $10,000 to applicants working to expand an awareness of the value of architecture in their communities.
    The Communications and Public Education Committee (CPEC) has agreed to fund the following applicants.

    Toronto Public Space Committee and Cyan Station – To the Loo! Toronto Toilet Design Challenge
    The “To the Loo! Toronto Toilet Design Challenge” is a global call to reimagine public washrooms as vital elements of the urban landscape. A joint effort by the Toronto Public Space Committee and Cyan Station, the initiative emphasizes accessibility, public health, and innovative design. Featuring a summer 2025 public event and exhibition, the challenge invites architects, designers, and engaged citizens to explore creative solutions that transform how we experience these essential public spaces.
    Heritage Ottawa – 2025 Heritage Ottawa Walking Tours
    Heritage Ottawa is an advocate for the preservation and appreciation of Ottawa’s built heritage. For more than 50 years, its signature guided Walking Tours, offered in both English and French, have attracted diverse audiences and have highlighted the city’s architectural and cultural history.
    Kelvin Kung – Designing Dignity: Community-Driven Insights for Better Palliative and Long-Term Care Spaces
    “Designing Dignity: Community-Driven Insights for Better Palliative and Long-Term Care Spaces” focuses on enhancing the quality of life for aging populations by reimagining care spaces through thoughtful architectural design. By leveraging online engagement tools, AI-driven analysis, and stakeholder input, this initiative will develop data-driven reports and recommendations for the public, policymakers, and design professionals. The project aims to raise awareness about architecture’s crucial role in shaping compassionate care spaces, empowering communities to advocate for better design and influence future policies and practices.
    McEwen School of Architecture, Laurentian University – Archi-North Summer Camp
    Archi·North Summer Camp, offered by Laurentian University’s McEwen School of Architecture, is a bilingual and tricultural program designed for Northern Ontario high school students entering Grades 11 and 12. The week-long, immersive camp aims to provide an affordable introduction to architectural design through hands-on experience in drafting, model-making, and digital tools with an emphasis on sustainable materials. Led by faculty and recent graduates, the Sudbury-based camp encourages youth to be agents of change and reimagine their own communities.
    Moses Structural Engineers Inc. – TimberFever 2025
    Now in its 11th year, TimberFever 2025, presented by Moses Structural Engineers, is a hands-on design-build competition that brings together architecture and engineering students from Canadian and U.S. universities to collaborate, create, and innovate. Under the guidance of professional mentors, carpenters, and industry leaders, participants tackle real-world challenges like affordable housing and climate resilience while refining both design and construction skills.
    RAW Design – Architectural and Design Summer Camp, “Diversity in Design”
    RAW Design’s “Diversity in Design” Summer Camp introduces underrepresented high school students to the architecture profession through an immersive, hands-on experience. Now in its fifth year, this free week-long mentorship program fosters creativity, critical thinking, and teamwork with activities like model-making, workshops, and urban exploration led by architects and volunteers.
    Urban Minds – 1UP Fellowship 2025-2026
    Urban Minds’ 1UP Fellowship 2025-2026 aims to empower high school students across Ontario to become urban changemakers through mentorship and hands-on projects. The Fellowship features two streams: the Design-Builders Stream, where students launch school chapters to tackle community design challenges, and the Learners Stream, which introduces students to city-building topics through structured learning activities.

    The next deadline for submissions is September 15, 2025.
    The post Recipients of Public Awareness Sponsorship Program announced appeared first on Canadian Architect.
  • Microsoft 365 Word gets SharePoint eSignature, now you can ditch third-party signing tools

    Paul Hill · Neowin · @ziks_99 · Jun 6, 2025 03:02 EDT

    Microsoft has just announced that, over the course of this year, it will roll out an extremely convenient feature for Microsoft 365 customers who use Word. The Redmond giant said that you’ll now be able to use SharePoint’s native eSignature service directly in Microsoft Word.
    The new feature allows customers to request electronic signatures without converting the documents to a PDF or leaving the Word interface, significantly speeding up workflows.
    Microsoft’s integration of eSignatures also allows you to create eSignature templates which will speed up document approvals, eliminate physical signing steps, and help with compliance and security in the Microsoft 365 environment.

    This change has the potential to significantly improve quality of life for people who add lots of signatures to documents at work, as they will no longer have to export PDFs from Word and apply the signature outside of Word. It’s also key to point out that this feature is integrated natively and is not an extension.
    The move is quite clever from Microsoft: businesses that were using third-party tools to sign their documents no longer need them, as it’s easier to do it in Word. Not only does it reduce reliance on other tools, it also makes Microsoft’s products more competitive against other office suites such as Google Workspace.
    Streamlined, secure, and compliant
    The new eSignature feature is tightly integrated into Word. It lets you insert signature fields seamlessly into documents and request other people’s signatures, all while remaining in Word. The eSignature feature can be accessed in Word by going to the Insert ribbon.
    When you send a signature request to someone from Word, the recipient will get an automatically generated PDF copy of the Word document to sign. The signed PDF will then be kept in the same SharePoint location as the original Word file. To ensure end-to-end security and compliance, the document never leaves the Microsoft 365 trust boundary.
    For anyone with a repetitive signing process, this integration allows you to turn Word documents into eSignature templates so they can be reused.
    Microsoft has also built in an audit trail and notifications. Both the senders and signers will get email notifications throughout the entire signing process. Additionally, you can view the activity history in the signed PDF to check who signed it and when.
    Finally, Microsoft said that administrators will be able to control how the feature is used in Word throughout the organization. They can decide to enable it for specific users via an Office group policy or limit it to particular SharePoint sites. The company said that SharePoint eSignature also lets admins log activities in the Purview Audit log.
    A key security measure, mentioned above, is the Microsoft 365 trust boundary. By keeping documents within this boundary, Microsoft ensures that all organizations can use this feature without worry.
    The automatic PDF creation is also a huge benefit to users, as it cuts out the step of creating a PDF manually. While creating a PDF isn’t complicated, it can be time consuming.
    The eSignature feature looks like a win-win-win for organizations that rely on digital signatures. Not only does it speed things along and remain secure, but it’s also packed with features like tracking, making it really useful and comprehensive.
    When and how your organization gets it
    SharePoint eSignature has started rolling out to Word on the M365 Beta and Current Channels in the United States, Canada, the United Kingdom, Europe, and Australia-Pacific. This phase of the rollout is expected to be completed by early July.
    People in the rest of the world will also get this time-saving feature, though not right away; Microsoft promises to reach everybody by the end of the year.
    To use the feature, it will need to be enabled by administrators. If you’re an admin who needs to enable this, go to the M365 Admin Center and enable SharePoint eSignature, ensuring the Word checkbox is selected. Once the service is enabled, apply the “Allow the use of SharePoint eSignature for Microsoft Word” policy. The policy can be enabled via Intune, Group Policy manager, or the Cloud Policy service for Microsoft 365.
    Assuming the admins have given permission to use the feature, users will be able to access SharePoint eSignatures on Word Desktop using the Microsoft 365 Current Channel or Beta Channel.
    The main caveats are that the rollout is phased, so you might not get it right away, and that IT admins must enable the feature, so in some organizations it may never be enabled at all.
    Overall, this feature stands to benefit users who sign documents a lot, as it can save huge amounts of time cumulatively. It’s also good for Microsoft, which increases organizations’ dependence on Word.

    Tags

    Report a problem with article

    Follow @NeowinFeed
    #microsoft #word #gets #sharepoint #esignature
    Microsoft 365 Word gets SharePoint eSignature, now you can ditch third-party signing tools
    Paul Hill, Neowin (@ziks_99) · Jun 6, 2025 03:02 EDT

    Microsoft has just announced that it will be rolling out an extremely convenient feature for Microsoft 365 customers who use Word throughout this year. The Redmond giant said that you’ll now be able to use SharePoint’s native eSignature service directly in Microsoft Word. The new feature allows customers to request electronic signatures without converting the documents to a PDF or leaving the Word interface, significantly speeding up workflows.

    Microsoft’s integration of eSignatures also allows you to create eSignature templates, which will speed up document approvals, eliminate physical signing steps, and help with compliance and security in the Microsoft 365 environment. This change has the potential to significantly improve quality of life for people who add lots of signatures to documents at work, as they will no longer have to export PDFs from Word and apply the signature outside of Word. It’s also key to point out that this feature is integrated natively and is not an extension.

    The move is quite clever from Microsoft: if businesses were using third-party tools to sign their documents, they would no longer need them, as it’s easier to do it in Word. Not only does it reduce reliance on other tools, it also makes Microsoft’s products more competitive against other office suites such as Google Workspace.

    Streamlined, secure, and compliant

    The new eSignature feature is tightly integrated into Word. It lets you insert signature fields seamlessly into documents and request other people’s signatures, all while remaining in Word. The eSignature feature can be accessed in Word by going to the Insert ribbon.

    When you send a signature request to someone from Word, the recipient will get an automatically generated PDF copy of the Word document to sign. The signed PDF will then be kept in the same SharePoint location as the original Word file. To ensure end-to-end security and compliance, the document never leaves the Microsoft 365 trust boundary. For anyone with a repetitive signing process, this integration allows you to turn Word documents into eSignature templates so they can be reused.

    Another feature that Microsoft has built in is an audit trail with notifications. Both the senders and signers will get email notifications throughout the entire signing process. Additionally, you can view the activity history in the signed PDF to check who signed it and when.

    Finally, Microsoft said that administrators will be able to control how the feature is used in Word throughout the organization. They can decide to enable it for specific users via an Office group policy or limit it to particular SharePoint sites. The company said that SharePoint eSignature also lets admins log activities in the Purview Audit log.

    A key security measure included by Microsoft, which was mentioned above, is the Microsoft 365 trust boundary. By keeping documents in this boundary, Microsoft ensures that all organizations can use this feature without worry. The inclusion of automatic PDF creation is also a huge benefit to users as it will cut out the step of manual PDF creation. While creating a PDF isn’t complicated, it can be time consuming.

    The eSignature feature looks like a win-win-win for organizations that rely on digital signatures. Not only does it speed things along and remain secure, but it’s also packed with features like tracking, making it really useful and comprehensive.

    When and how your organization gets it

    SharePoint eSignature has started rolling out to Word on the M365 Beta and Current Channels in the United States, Canada, the United Kingdom, Europe, and Australia-Pacific. This phase of the rollout is expected to be completed by early July. People in the rest of the world will also be gaining this time-saving feature, but it will not reach everyone right away, though Microsoft promises to reach everybody by the end of the year.

    To use the feature, it will need to be enabled by administrators. If you’re an admin who needs to enable this, just go to the M365 Admin Center and enable SharePoint eSignature, ensuring the Word checkbox is selected. Once the service is enabled, apply the “Allow the use of SharePoint eSignature for Microsoft Word” policy. The policy can be enabled via Intune, Group Policy manager, or the Cloud Policy service for Microsoft 365.

    Assuming the admins have given permission to use the feature, users will be able to access SharePoint eSignatures on Word Desktop using the Microsoft 365 Current Channel or Beta Channel. The main caveats are that the rollout is phased, so you might not get it right away, and that it requires IT admins to enable the feature, in which case it may never get enabled at all.

    Overall, this feature stands to benefit users who sign documents a lot, as it can save huge amounts of time cumulatively. It’s also good for Microsoft, which increases organizations’ dependence on Word.
  • Understanding the Relationship Between Security Gateways and DMARC

    Email authentication protocols like SPF, DKIM, and DMARC play a critical role in protecting domains from spoofing and phishing. However, when SEGs are introduced into the email path, the interaction with these protocols becomes more complex.
    Security gateways are a core part of many organizations’ email infrastructure. They act as intermediaries between the public internet and internal mail systems, inspecting, filtering, and routing messages.
    This blog examines how security gateways handle SPF, DKIM, and DMARC, with real-world examples from popular gateways such as Proofpoint, Mimecast, and Avanan. We’ll also cover best practices for maintaining authentication integrity and avoiding misconfigurations that can compromise email authentication or lead to false DMARC failures.
    Security gateways often sit at the boundary between your organization and the internet, managing both inbound and outbound email traffic. Their role affects how email authentication protocols behave.
    An inbound SEG examines emails coming into your organization. It checks SPF, DKIM, and DMARC to determine if the message is authentic and safe before passing it to your internal mail servers.
    An outbound SEG handles emails sent from your domain. It may modify headers, rewrite envelope addresses, or even apply DKIM signing. All of these can impact SPF, DKIM, or DMARC validation on the recipient’s side.

    Understanding how SEGs influence these flows is crucial to maintaining proper authentication and avoiding unexpected DMARC failures.
    Inbound Handling of SPF, DKIM, and DMARC by Common Security Gateways
    When an email comes into your organization, your security gateway is the first to inspect it. It checks whether the message is real, trustworthy, and properly authenticated. Let’s look at how different SEGs handle these checks.
    Avanan
    SPF: Avanan verifies whether the sending server is authorized to send emails for the domain by checking the SPF record.
    DKIM: It verifies if the message was signed by the sending domain and if that signature is valid.
    DMARC: It uses the results of the SPF and DKIM check to evaluate DMARC. However, final enforcement usually depends on how DMARC is handled by Microsoft 365 or Gmail, as Avanan integrates directly with them.

    Avanan offers two methods of integration:
    1. API integration: Avanan connects via APIs, no change in MX, usually Monitor or Detect modes.
    2. Inline integration: Avanan is placed inline in the mail flow, actively blocking or remediating threats.
    Proofpoint Email Protection

    SPF: Proofpoint checks SPF to confirm the sender’s IP is authorized to send on behalf of the domain. You can set custom rules.
    DKIM: It verifies DKIM signatures and shows clear pass/fail results in logs.
    DMARC: It fully evaluates DMARC by combining SPF and DKIM results with alignment checks. Administrators can configure how to handle messages that fail DMARC, such as rejecting, quarantining, or delivering them. Additionally, Proofpoint allows whitelisting specific senders you trust, even if their emails fail authentication checks.

    Integration Methods

    Inline Mode: In this traditional deployment, Proofpoint is positioned directly in the email flow by modifying MX records. Emails are routed through Proofpoint’s infrastructure, allowing it to inspect and filter messages before they reach the recipient’s inbox. This mode provides pre-delivery protection and is commonly used in on-premises or hybrid environments.
    API-Based Mode: Proofpoint offers API-based integration, particularly with cloud email platforms like Microsoft 365 and Google Workspace. In this mode, Proofpoint connects to the email platform via APIs, enabling it to monitor and remediate threats post-delivery without altering the email flow. This approach allows for rapid deployment and seamless integration with existing cloud email services.

    Mimecast

    SPF: Mimecast performs SPF checks to verify whether the sending server is authorized by the domain’s SPF record. Administrators can configure actions for SPF failures, including block, quarantine, permit, or tag with a warning. This gives flexibility in balancing security with business needs.
    DKIM: It validates DKIM signatures by checking that the message was correctly signed by the sending domain and that the content hasn’t been tampered with. If the signature fails, Mimecast can take actions based on your configured policies.
    DMARC: It fully evaluates DMARC by combining the results of SPF and DKIM with domain alignment checks. You can choose to honor the sending domain’s DMARC policy or apply custom rules, for example, quarantining or tagging messages that fail DMARC regardless of the published policy. This allows more granular control for businesses that want to override external domain policies based on specific contexts.

    Integration Methods

    Inline Deployment: Mimecast is typically deployed as a cloud-based secure email gateway. Organizations update their domain’s MX records to point to Mimecast, so all inbound emails pass through it first. This allows Mimecast to inspect, filter, and process emails before delivery, providing robust protection.
    API Integrations: Mimecast also offers API-based services through its Mimecast API platform, primarily for management, archival, continuity, and threat intelligence purposes. However, API-only email protection is not Mimecast’s core model. Instead, the APIs are used to enhance the inline deployment, not replace it.

    Barracuda Email Security Gateway
    SPF: Barracuda checks the sender’s IP against the domain’s published SPF record. If the check fails, you can configure the system to block, quarantine, tag, or allow the message, depending on your policy preferences.
    DKIM: It validates whether the incoming message includes a valid DKIM signature. The outcome is logged and used to inform further policy decisions or DMARC evaluations.
    DMARC: It combines SPF and DKIM results, checks for domain alignment, and applies the DMARC policy defined by the sender. Administrators can also choose to override the DMARC policy, allowing messages to pass or be treated differently based on organizational needs.
    Integration Methods

    Inline mode: Barracuda Email Security Gateway is commonly deployed inline by updating your domain’s MX records to point to Barracuda’s cloud or on-premises gateway. This ensures that all inbound emails pass through Barracuda first for filtering and SPF, DKIM, and DMARC validation before being delivered to your mail servers.
    Deployment Behind the Corporate Firewall: Alternatively, Barracuda can be deployed in transparent or bridge mode without modifying MX records. In this setup, the gateway is placed inline at the network level, such as behind a firewall, and intercepts mail traffic transparently. This method is typically used in complex on-premises environments where changing DNS records is not feasible.

    Cisco Secure Email
    Cisco Secure Email acts as an inline gateway for inbound email, usually requiring your domain’s MX records to point to the Cisco Email Security Appliance or cloud service.
    SPF: Cisco Secure Email verifies whether the sending server is authorized in the sender domain’s SPF record. Administrators can set detailed policies on how to handle SPF failures.
    DKIM: It validates the DKIM signature on incoming emails and logs whether the signature is valid or has failed.
    DMARC: It evaluates DMARC by combining SPF and DKIM results along with domain alignment checks. Admins can configure specific actions, such as quarantine, reject, or tag, based on different failure scenarios or trusted sender exceptions.
    Integration methods

    On-premises Email Security Appliance: You deploy Cisco’s hardware or virtual appliance inline, updating MX records to route mail through it for filtering.
    Cisco Cloud Email Security: Cisco offers a cloud-based email security service where MX records are pointed to Cisco’s cloud infrastructure, which filters and processes inbound mail.

    Cisco Secure Email also offers advanced, rule-based filtering capabilities and integrates with Cisco’s broader threat protection ecosystem, enabling comprehensive inbound email security.
    Outbound Handling of SPF, DKIM, and DMARC by Common Security Gateways
    When your organization sends emails, security gateways can play an active role in processing and authenticating those messages. Depending on the configuration, a gateway might rewrite headers, re-sign messages, or route them through different IPs – all actions that can help or hurt the authentication process. Let’s look at how major SEGs handle outbound email flow.
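
    The effect of those gateway actions on the receiver's DMARC verdict can be worked through offline. The following is an added example, not code from the original article or from any gateway vendor; the domains (example.com, gateway.example), the scenario names, and the two-label org_domain() shortcut are assumptions made for illustration.

```python
"""DMARC verdicts for one sender domain under different outbound gateway setups.

Added illustration. All domains and SPF/DKIM results are constructed sample
data; no DNS lookups or signature checks are performed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.

    Assumption for this sketch: real evaluators consult the Public Suffix
    List, so this shortcut is wrong for suffixes such as co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class Message:
    header_from: str   # domain of the visible From: header
    mail_from: str     # envelope sender (Return-Path) domain checked by SPF
    spf_result: str    # receiver's SPF verdict for mail_from
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (d= domain, verdict)


def dmarc_evaluate(msg: Message, adkim: str = "r", aspf: str = "r") -> Tuple[str, List[str]]:
    """DMARC passes when SPF or DKIM both passes AND aligns with header_from."""
    passing = []
    if msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from, aspf):
        passing.append("spf")
    if any(res == "pass" and aligned(d, msg.header_from, adkim) for d, res in msg.dkim):
        passing.append("dkim")
    return ("pass" if passing else "fail", passing)


# Constructed scenarios: what a receiver would see for mail From: example.com.
SCENARIOS: Dict[str, Message] = {
    # API mode: the mailbox provider sends directly, nothing is rewritten.
    "api_mode_direct_send": Message(
        "example.com", "example.com", "pass", [("example.com", "pass")]),
    # Relay through the gateway, gateway IPs missing from the SPF record,
    # original DKIM signature left untouched.
    "relay_no_spf_include_dkim_preserved": Message(
        "example.com", "example.com", "fail", [("example.com", "pass")]),
    # Same relay, but the gateway changed signed content after signing.
    "relay_no_spf_include_body_modified": Message(
        "example.com", "example.com", "fail", [("example.com", "fail")]),
    # Gateway rewrites the envelope sender and signs with its own domain:
    # SPF and DKIM both pass, yet neither aligns with the From: domain.
    "relay_rewrites_envelope_signs_own_domain": Message(
        "example.com", "bounces.gateway.example", "pass",
        [("example.com", "fail"), ("gateway.example", "pass")]),
    # Gateway authorized in SPF and signing with a key published for example.com.
    "relay_spf_include_and_customer_dkim": Message(
        "example.com", "example.com", "pass", [("example.com", "pass")]),
}


def run_scenarios() -> Dict[str, Tuple[str, List[str]]]:
    return {name: dmarc_evaluate(msg) for name, msg in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (verdict, via) in run_scenarios().items():
        print(f"{name:45} DMARC={verdict:4} via={','.join(via) or '-'}")
```

    The fourth scenario is the one that most often surprises: the receiver logs spf=pass and dkim=pass, but DMARC still fails because both passes belong to the gateway's domain rather than the From: domain.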
    Avanan – Outbound Handling and Integration Methods
    Outbound Logic
    Avanan analyzes outbound emails primarily to detect data loss, malware, and policy violations. In API-based integration, emails are sent directly by the original mail server, so SPF and DKIM signatures remain intact. Avanan does not alter the message or reroute traffic, which helps maintain full DMARC alignment and domain reputation.
    Integration Methods
    1. API Integration: Connects to Microsoft 365 or Google Workspace via API. No MX changes are needed. Emails are scanned after they are sent, with no modification to SPF, DKIM, or the delivery path. 

    How it works: Microsoft Graph API or Google Workspace APIs are used to monitor and intervene in outbound emails.
    Protection level: Despite no MX changes, it can offer inline-like protection, meaning it can block, quarantine, or encrypt emails before they are delivered externally.
    SPF/DKIM/DMARC impact: Preserves original headers and signatures since mail is sent directly from Microsoft/Google servers.

    2. Inline Integration: Requires changing MX records to route email through Avanan. In this mode, Avanan can intercept and inspect outbound emails before delivery. Depending on the configuration, this may affect SPF or DKIM if not properly handled.

    How it works: Requires adding Avanan’s
    Protection level: Traditional inline security with full visibility and control, including encryption, DLP, policy enforcement, and advanced threat protection.
    SPF/DKIM/DMARC impact: SPF configuration is needed by adding Avanan’s include mechanism to the sending domain’s SPF record. The DKIM record of the original sending source is preserved.

    For configurations, you can refer to the steps in this blog.
    Proofpoint – Outbound Handling and Integration Methods
    Outbound Logic
    Proofpoint analyzes outbound emails to detect and prevent data loss, to identify advanced threats originating from compromised internal accounts, and to ensure compliance. Their API integration provides crucial visibility and powerful remediation capabilities, while their traditional gateway deployment delivers true inline, pre-delivery blocking for outbound traffic.
    Integration methods
    1. API Integration: No MX record changes are required for this deployment method. Integration is done with Microsoft 365 or Google Workspace.

    How it works: Through its API integration, Proofpoint gains deep visibility into outbound emails and provides layered security and response features, including:

    Detect and alert: Identifies sensitive content, malicious attachments, or suspicious links in outbound emails.
    Post-delivery remediation: A key capability of the API model is Threat Response Auto-Pull, which enables Proofpoint to automatically recall, quarantine, or delete emails after delivery. This is particularly useful for internally sent messages or those forwarded to other users.
    Enhanced visibility: Aggregates message metadata and logs into Proofpoint’s threat intelligence platform, giving security teams a centralized view of outbound risks and user behavior.

    Protection level: API-based integration provides strong post-delivery detection and response, as well as visibility into DLP incidents and suspicious behavior. 
    SPF/DKIM/DMARC impact: Proofpoint does not alter SPF, DKIM, or DMARC because emails are sent directly through Microsoft or Google servers. Since Proofpoint’s servers are not involved in the actual sending process, the original authentication headers remain intact.

    2. Gateway Integration: This method requires updating MX records or routing outbound mail through Proofpoint via a smart host.

    How it works: Proofpoint acts as an inline gateway, inspecting emails before delivery. Inbound mail is filtered via MX changes; outbound mail is relayed through Proofpoint’s servers.
    Threat and DLP filtering: Scans outbound messages for sensitive content, malware, and policy violations.
    Real-time enforcement: Blocks, encrypts, or quarantines emails before they’re delivered.
    Policy controls: Applies rules based on content, recipient, or behavior.
    Protection level: Provides strong, real-time protection for outbound traffic with pre-delivery enforcement, DLP, and encryption.
    SPF/DKIM/DMARC impact: Proofpoint becomes the sending server:

    SPF: You need to configure Proofpoint’s SPF.
    DKIM: Can sign messages; requires DKIM setup.
    DMARC: DMARC passes if SPF and DKIM are set up properly.

    Please refer to this article to configure SPF and DKIM for Proofpoint.
    Mimecast – Outbound Handling and Integration Methods
    Outbound Logic
    Mimecast inspects outbound emails to prevent data loss, detect internal threats such as malware and impersonation, and ensure regulatory compliance. It primarily functions as a Secure Email Gateway, meaning it sits directly in the outbound email flow. While Mimecast offers APIs, its core outbound protection is built around this inline gateway model.
    Integration Methods
    1. Gateway Integration
    This is Mimecast’s primary method for outbound email protection. Organizations route their outbound traffic through Mimecast by configuring their email server to use Mimecast as a smart host. This enables Mimecast to inspect and enforce policies on all outgoing emails in real time.

    How it works:
    Updating outbound routing in your email system, or
    Using Mimecast SMTP relay to direct messages through their infrastructure.
    Mimecast then scans, filters, and applies policies before the email reaches the final recipient.

    Protection level:
    Advanced DLP: Identifies and prevents sensitive data leaks.
    Impersonation and Threat Protection: Blocks malware, phishing, and abuse from compromised internal accounts.
    Email Encryption and Secure Messaging: Applies encryption policies or routes messages via secure portals.

    Regulatory Compliance: Enforces outbound compliance rules based on content, recipient, or metadata.
    SPF/DKIM/DMARC impact:

    SPF: Your SPF record must include Mimecast’s SPF mechanism based on your region to avoid SPF failures.
    DKIM: A new DKIM record should be configured to make sure your emails are DKIM signed when routing through Mimecast.
    DMARC: With correct SPF and DKIM setup, Mimecast ensures DMARC alignment, maintaining your domain’s sending reputation. Please refer to the steps in this detailed article to set up SPF and DKIM for Mimecast.

    2. API Integration
    Mimecast’s APIs complement the main gateway by providing automation, reporting, and management tools rather than handling live outbound mail flow. They allow you to manage policies, export logs, search archived emails, and sync users.
    APIs enhance visibility and operational tasks but do not provide real-time filtering or blocking of outbound messages. Since APIs don’t process live mail, they have no direct effect on SPF, DKIM, or DMARC; those depend on your gateway setup.
    Barracuda – Outbound Handling and Integration Methods
    Outbound Logic
    Barracuda analyzes outbound emails to prevent data loss, block malware, stop phishing/impersonation attempts from compromised internal accounts, and ensure compliance. Barracuda offers flexible deployment options, including both traditional gateway and API-based integrations. While both contribute to outbound security, their roles are distinct.
    Integration Methods
    1. Gateway Integration — Primary Inline Security

    How it works: All outbound emails pass through Barracuda’s security stack for real-time inspection, threat blocking, and policy enforcement before delivery.
    Protection level:

    Comprehensive DLP 
    Outbound spam and virus filtering 
    Enforcement of compliance and content policies

    This approach offers a high level of control and immediate threat mitigation on outbound mail flow.

    SPF/DKIM/DMARC impact:

    SPF: Update SPF records to include Barracuda’s sending IPs or SPF include mechanism.
    DKIM: Currently, no explicit setup is needed; DKIM of the main sending source is preserved.

    Refer to this article for more comprehensive guidance on Barracuda SEG configuration.
    2. API Integration
    How it works: The API accesses cloud email environments to analyze historical and real-time data, learning normal communication patterns to detect anomalies in outbound emails. It also supports post-delivery remediation, enabling the removal of malicious emails from internal mailboxes after sending.
    Protection level: Advanced AI-driven detection and near real-time blocking of outbound threats, plus strong post-delivery cleanup capabilities.
    SPF/DKIM/DMARC impact: Since mail is sent directly by the original mail server, SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation.

    Cisco Secure Email – Outbound Handling and Integration Methods
    Outbound Logic
    Cisco Secure Email protects outbound email by preventing data loss, blocking spam and malware from internal accounts, stopping business email compromise and impersonation attacks, and ensuring compliance. Cisco provides both traditional gateway appliances/cloud gateways and modern API-based solutions for layered outbound security.
    Integration Methods
    1. Gateway Integration – Cisco Secure Email Gateway
    How it works: Organizations update MX records to route mail through the Cisco Secure Email Gateway or configure their mail server to smart host outbound email via the gateway. All outbound mail is inspected and policies enforced before delivery.
    Protection level:

    Granular DLP
    Outbound spam and malware filtering to protect IP reputation
    Email encryption for sensitive outbound messages
    Comprehensive content and attachment policy enforcement

    SPF: Check this article for comprehensive guidance on Cisco SPF settings.
    DKIM: Refer to this article for detailed guidance on Cisco DKIM settings.

    2. API Integration – Cisco Secure Email Threat Defense

    How it works: Integrates directly via API with Microsoft 365, continuously monitoring email metadata, content, and user behavior across inbound, outbound, and internal messages. Leverages Cisco’s threat intelligence and AI to detect anomalous outbound activity linked to BEC, account takeover, and phishing.
    Post-Delivery Remediation: Automates the removal or quarantine of malicious or policy-violating emails from mailboxes even after sending.
    Protection level: Advanced, AI-driven detection of sophisticated outbound threats with real-time monitoring and automated remediation. Complements gateway filtering by adding cloud-native visibility and swift post-send action.
    SPF/DKIM/DMARC impact: Since emails are sent directly by the original mail server, SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation.

    If you have any questions or need assistance, feel free to reach out to EasyDMARC technical support.
Cisco Cloud Email Security: Cisco offers a cloud-based email security service where MX records are pointed to Cisco’s cloud infrastructure, which filters and processes inbound mail. Cisco Secure Email also offers advanced, rule-based filtering capabilities and integrates with Cisco’s broader threat protection ecosystem, enabling comprehensive inbound email security. Outbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When your organization sends emails, security gateways can play an active role in processing and authenticating those messages. Depending on the configuration, a gateway might rewrite headers, re-sign messages, or route them through different IPs – all actions that can help or hurt the authentication process. Let’s look at how major SEGs handle outbound email flow. Avanan – Outbound Handling and Integration Methods Outbound Logic Avanan analyzes outbound emails primarily to detect data loss, malware, and policy violations. In API-based integration, emails are sent directly by the original mail server, so SPF and DKIM signatures remain intact. Avanan does not alter the message or reroute traffic, which helps maintain full DMARC alignment and domain reputation. Integration Methods 1. API Integration: Connects to Microsoft 365 or Google Workspace via API. No MX changes are needed. Emails are scanned after they are sent, with no modification to SPF, DKIM, or the delivery path.  How it works: Microsoft Graph API or Google Workspace APIs are used to monitor and intervene in outbound emails. Protection level: Despite no MX changes, it can offer inline-like protection, meaning it can block, quarantine, or encrypt emails before they are delivered externally. SPF/DKIM/DMARC impact: Preserves original headers and signatures since mail is sent directly from Microsoft/Google servers. 2. Inline Integration: Requires changing MX records to route email through Avanan. In this mode, Avanan can intercept and inspect outbound emails before delivery. 
Depending on the configuration, this may affect SPF or DKIM if not properly handled. How it works: Requires adding Avanan’s Protection level: Traditional inline security with full visibility and control, including encryption, DLP, policy enforcement, and advanced threat protection. SPF/DKIM/DMARC impact: SPF configuration is needed by adding Avanan’s include mechanism to the sending domain’s SPF record. The DKIM record of the original sending source is preserved. For configurations, you can refer to the steps in this blog. Proofpoint – Outbound Handling and Integration Methods Outbound Logic Proofpoint analyzes outbound emails to detect and prevent data loss, to identify advanced threatsoriginating from compromised internal accounts, and to ensure compliance. Their API integration provides crucial visibility and powerful remediation capabilities, while their traditional gatewaydeployment delivers true inline, pre-delivery blocking for outbound traffic. Integration methods 1. API Integration: No MX record changes are required for this deployment method. Integration is done with Microsoft 365 or Google Workspace. How it works: Through its API integration, Proofpoint gains deep visibility into outbound emails and provides layered security and response features, including: Detect and alert: Identifies sensitive content, malicious attachments, or suspicious links in outbound emails. Post-delivery remediation: A key capability of the API model is Threat Response Auto-Pull, which enables Proofpoint to automatically recall, quarantine, or delete emails after delivery. This is particularly useful for internally sent messages or those forwarded to other users. Enhanced visibility: Aggregates message metadata and logs into Proofpoint’s threat intelligence platform, giving security teams a centralized view of outbound risks and user behavior. 
Protection level: API-based integration provides strong post-delivery detection and response, as well as visibility into DLP incidents and suspicious behavior.  SPF/DKIM/DMARC impact: Proofpoint does not alter SPF, DKIM, or DMARC because emails are sent directly through Microsoft or Google servers. Since Proofpoint’s servers are not involved in the actual sending process, the original authentication headers remain intact. 2. Gateway Integration: This method requires updating MX records or routing outbound mail through Proofpoint via a smart host. How it works: Proofpoint acts as an inline gateway, inspecting emails before delivery. Inbound mail is filtered via MX changes; outbound mail is relayed through Proofpoint’s servers. Threat and DLP filtering: Scans outbound messages for sensitive content, malware, and policy violations. Real-time enforcement: Blocks, encrypts, or quarantines emails before they’re delivered. Policy controls: Applies rules based on content, recipient, or behavior. Protection level: Provides strong, real-time protection for outbound traffic with pre-delivery enforcement, DLP, and encryption. SPF/DKIM/DMARC impact: Proofpoint becomes the sending server: SPF: You need to configure ProofPoint’s SPF. DKIM: Can sign messages; requires DKIM setup. DMARC: DMARC passes if SPF and DKIM are set up properly. Please refer to this article to configure SPF and DKIM for ProofPoint. Mimecast – Outbound Handling and Integration Methods Outbound Logic Mimecast inspects outbound emails to prevent data loss, detect internal threats such as malware and impersonation, and ensure regulatory compliance. It primarily functions as a Secure Email Gateway, meaning it sits directly in the outbound email flow. While Mimecast offers APIs, its core outbound protection is built around this inline gateway model. Integration Methods 1. Gateway IntegrationThis is Mimecast’s primary method for outbound email protection. 
Organizations route their outbound traffic through Mimecast by configuring their email serverto use Mimecast as a smart host. This enables Mimecast to inspect and enforce policies on all outgoing emails in real time. How it works: Updating outbound routing in your email system, or Using Mimecast SMTP relay to direct messages through their infrastructure. Mimecast then scans, filters, and applies policies before the email reaches the final recipient. Protection level: Advanced DLP: Identifies and prevents sensitive data leaks. Impersonation and Threat Protection: Blocks malware, phishing, and abuse from compromised internal accounts. Email Encryption and Secure Messaging: Applies encryption policies or routes messages via secure portals. Regulatory Compliance: Enforces outbound compliance rules based on content, recipient, or metadata. SPF/DKIM/DMARC impact: SPF: Your SPF record must include Mimecast’s SPF mechanism based on your region to avoid SPF failures. DKIM: A new DKIM record should be configured to make sure your emails are DKIM signed when routing through Mimecast. DMARC: With correct SPF and DKIM setup, Mimecast ensures DMARC alignment, maintaining your domain’s sending reputation. Please refer to the steps in this detailed article to set up SPF and DKIM for Mimecast. 2. API IntegrationMimecast’s APIs complement the main gateway by providing automation, reporting, and management tools rather than handling live outbound mail flow. They allow you to manage policies, export logs, search archived emails, and sync users. APIs enhance visibility and operational tasks but do not provide real-time filtering or blocking of outbound messages. Since APIs don’t process live mail, they have no direct effect on SPF, DKIM, or DMARC; those depend on your gatewaysetup. 
Barracuda – Outbound Handling and Integration Methods Outbound Logic Barracuda analyzes outbound emails to prevent data loss, block malware, stop phishing/impersonation attempts from compromised internal accounts, and ensure compliance. Barracuda offers flexible deployment options, including both traditional gatewayand API-based integrations. While both contribute to outbound security, their roles are distinct. Integration Methods 1. Gateway Integration— Primary Inline Security How it works: All outbound emails pass through Barracuda’s security stack for real-time inspection, threat blocking, and policy enforcement before delivery. Protection level: Comprehensive DLP  Outbound spam and virus filtering  Enforcement of compliance and content policies This approach offers a high level of control and immediate threat mitigation on outbound mail flow. SPF/DKIM/DMARC impact: SPF: Update SPF records to include Barracuda’s sending IPs or SPF include mechanism. DKIM: Currently, no explicit setup is needed; DKIM of the main sending source is preserved. Refer to this article for more comprehensive guidance on Barracuda SEG configuration. 2. API IntegrationHow it works: The API accesses cloud email environments to analyze historical and real-time data, learning normal communication patterns to detect anomalies in outbound emails. It also supports post-delivery remediation, enabling the removal of malicious emails from internal mailboxes after sending. Protection level: Advanced AI-driven detection and near real-time blocking of outbound threats, plus strong post-delivery cleanup capabilities. SPF/DKIM/DMARC impact: Since mail is sent directly by the original mail server, SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation. 
Cisco Secure Email– Outbound Handling and Integration Methods Outbound Logic Cisco Secure Email protects outbound email by preventing data loss, blocking spam and malware from internal accounts, stopping business email compromiseand impersonation attacks, and ensuring compliance. Cisco provides both traditional gateway appliances/cloud gateways and modern API-based solutions for layered outbound security. Integration Methods 1. Gateway Integration– Cisco Secure Email GatewayHow it works: Organizations update MX records to route mail through the Cisco Secure Email Gateway or configure their mail serverto smart host outbound email via the gateway. All outbound mail is inspected and policies enforced before delivery. Protection level: Granular DLPOutbound spam and malware filtering to protect IP reputation Email encryption for sensitive outbound messages Comprehensive content and attachment policy enforcement SPF: Check this article for comprehensive guidance on Cisco SPF settings. DKIM: Refer to this article for detailed guidance on Cisco DKIM settings. 2. API Integration – Cisco Secure Email Threat Defense How it works: Integrates directly via API with Microsoft 365, continuously monitoring email metadata, content, and user behavior across inbound, outbound, and internal messages. Leverages Cisco’s threat intelligence and AI to detect anomalous outbound activity linked to BEC, account takeover, and phishing. Post-Delivery Remediation: Automates the removal or quarantine of malicious or policy-violating emails from mailboxes even after sending. Protection level: Advanced, AI-driven detection of sophisticated outbound threats with real-time monitoring and automated remediation. Complements gateway filtering by adding cloud-native visibility and swift post-send action. SPF/DKIM/DMARC impact: Since emails are sent directly by the original mail server, SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation. 
If you have any questions or need assistance, feel free to reach out to EasyDMARC technical support. #understanding #relationship #between #security #gateways
    EASYDMARC.COM
    Understanding the Relationship Between Security Gateways and DMARC
    Email authentication protocols like SPF, DKIM, and DMARC play a critical role in protecting domains from spoofing and phishing. However, when SEGs are introduced into the email path, the interaction with these protocols becomes more complex. Security gateways(SEGs) are a core part of many organizations’ email infrastructure. They act as intermediaries between the public internet and internal mail systems, inspecting, filtering, and routing messages. This blog examines how security gateways handle SPF, DKIM, and DMARC, with real-world examples from popular gateways such as Proofpoint, Mimecast, and Avanan. We’ll also cover best practices for maintaining authentication integrity and avoiding misconfigurations that can compromise email authentication or lead to false DMARC failures. Security gateways often sit at the boundary between your organization and the internet, managing both inbound and outbound email traffic. Their role affects how email authentication protocols behave. An inbound SEG examines emails coming into your organization. It checks SPF, DKIM, and DMARC to determine if the message is authentic and safe before passing it to your internal mail servers. An outbound SEG handles emails sent from your domain. It may modify headers, rewrite envelope addresses, or even apply DKIM signing. All of these can impact SPF,  DKIM, or DMARC validation on the recipient’s side. Understanding how SEGs influence these flows is crucial to maintaining proper authentication and avoiding unexpected DMARC failures. Inbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When an email comes into your organization, your security gateway is the first to inspect it. It checks whether the message is real, trustworthy, and properly authenticated. Let’s look at how different SEGs handle these checks. Avanan (by Check Point) SPF: Avanan verifies whether the sending server is authorized to send emails for the domain by checking the SPF record. 
DKIM: It verifies if the message was signed by the sending domain and if that signature is valid. DMARC: It uses the results of the SPF and DKIM check to evaluate DMARC. However, final enforcement usually depends on how DMARC is handled by Microsoft 365 or Gmail, as Avanan integrates directly with them. Avanan offers two methods of integration:1. API integration: Avanan connects via APIs, no change in MX, usually Monitor or Detect modes.2. Inline integration: Avanan is placed inline in the mail flow (MX records changed), actively blocking or remediating threats. Proofpoint Email Protection SPF: Proofpoint checks SPF to confirm the sender’s IP is authorized to send on behalf of the domain. You can set custom rules (e.g. treat “softfail” as “fail”). DKIM: It verifies DKIM signatures and shows clear pass/fail results in logs. DMARC: It fully evaluates DMARC by combining SPF and DKIM results with alignment checks. Administrators can configure how to handle messages that fail DMARC, such as rejecting, quarantining, or delivering them. Additionally, Proofpoint allows whitelisting specific senders you trust, even if their emails fail authentication checks. Integration Methods Inline Mode: In this traditional deployment, Proofpoint is positioned directly in the email flow by modifying MX records. Emails are routed through Proofpoint’s infrastructure, allowing it to inspect and filter messages before they reach the recipient’s inbox. This mode provides pre-delivery protection and is commonly used in on-premises or hybrid environments. API-Based (Integrated Cloud Email Security – ICES) Mode: Proofpoint offers API-based integration, particularly with cloud email platforms like Microsoft 365 and Google Workspace. In this mode, Proofpoint connects to the email platform via APIs, enabling it to monitor and remediate threats post-delivery without altering the email flow. This approach allows for rapid deployment and seamless integration with existing cloud email services. 
Mimecast SPF: Mimecast performs SPF checks to verify whether the sending server is authorized by the domain’s SPF record. Administrators can configure actions for SPF failures, including block, quarantine, permit, or tag with a warning. This gives flexibility in balancing security with business needs. DKIM: It validates DKIM signatures by checking that the message was correctly signed by the sending domain and that the content hasn’t been tampered with. If the signature fails, Mimecast can take actions based on your configured policies. DMARC: It fully evaluates DMARC by combining the results of SPF and DKIM with domain alignment checks. You can choose to honor the sending domain’s DMARC policy (none, quarantine, reject) or apply custom rules, for example, quarantining or tagging messages that fail DMARC regardless of the published policy. This allows more granular control for businesses that want to override external domain policies based on specific contexts. Integration Methods Inline Deployment: Mimecast is typically deployed as a cloud-based secure email gateway. Organizations update their domain’s MX records to point to Mimecast, so all inbound (and optionally outbound) emails pass through it first. This allows Mimecast to inspect, filter, and process emails before delivery, providing robust protection. API Integrations: Mimecast also offers API-based services through its Mimecast API platform, primarily for management, archival, continuity, and threat intelligence purposes. However, API-only email protection is not Mimecast’s core model. Instead, the APIs are used to enhance the inline deployment, not replace it. Barracuda Email Security Gateway SPF: Barracuda checks the sender’s IP against the domain’s published SPF record. If the check fails, you can configure the system to block, quarantine, tag, or allow the message, depending on your policy preferences. DKIM: It validates whether the incoming message includes a valid DKIM signature. 
The outcome is logged and used to inform further policy decisions or DMARC evaluations. DMARC: It combines SPF and DKIM results, checks for domain alignment, and applies the DMARC policy defined by the sender. Administrators can also choose to override the DMARC policy, allowing messages to pass or be treated differently based on organizational needs (e.g., trusted senders or internal exceptions). Integration Methods Inline mode (more common and straightforward): Barracuda Email Security Gateway is commonly deployed inline by updating your domain’s MX records to point to Barracuda’s cloud or on-premises gateway. This ensures that all inbound emails pass through Barracuda first for filtering and SPF, DKIM, and DMARC validation before being delivered to your mail servers. Deployment Behind the Corporate Firewall: Alternatively, Barracuda can be deployed in transparent or bridge mode without modifying MX records. In this setup, the gateway is placed inline at the network level, such as behind a firewall, and intercepts mail traffic transparently. This method is typically used in complex on-premises environments where changing DNS records is not feasible. Cisco Secure Email (formerly IronPort) Cisco Secure Email acts as an inline gateway for inbound email, usually requiring your domain’s MX records to point to the Cisco Email Security Appliance or cloud service. SPF: Cisco Secure Email verifies whether the sending server is authorized in the sender domain’s SPF record. Administrators can set detailed policies on how to handle SPF failures. DKIM: It validates the DKIM signature on incoming emails and logs whether the signature is valid or has failed. DMARC: It evaluates DMARC by combining SPF and DKIM results along with domain alignment checks. Admins can configure specific actions, such as quarantine, reject, or tag, based on different failure scenarios or trusted sender exceptions. 
Integration methods On-premises Email Security Appliance (ESA): You deploy Cisco’s hardware or virtual appliance inline, updating MX records to route mail through it for filtering. Cisco Cloud Email Security: Cisco offers a cloud-based email security service where MX records are pointed to Cisco’s cloud infrastructure, which filters and processes inbound mail. Cisco Secure Email also offers advanced, rule-based filtering capabilities and integrates with Cisco’s broader threat protection ecosystem, enabling comprehensive inbound email security. Outbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When your organization sends emails, security gateways can play an active role in processing and authenticating those messages. Depending on the configuration, a gateway might rewrite headers, re-sign messages, or route them through different IPs – all actions that can help or hurt the authentication process. Let’s look at how major SEGs handle outbound email flow. Avanan – Outbound Handling and Integration Methods Outbound Logic Avanan analyzes outbound emails primarily to detect data loss, malware, and policy violations. In API-based integration, emails are sent directly by the original mail server (e.g., Microsoft 365 or Google Workspace), so SPF and DKIM signatures remain intact. Avanan does not alter the message or reroute traffic, which helps maintain full DMARC alignment and domain reputation. Integration Methods 1. API Integration: Connects to Microsoft 365 or Google Workspace via API. No MX changes are needed. Emails are scanned after they are sent, with no modification to SPF, DKIM, or the delivery path.  How it works: Microsoft Graph API or Google Workspace APIs are used to monitor and intervene in outbound emails. Protection level: Despite no MX changes, it can offer inline-like protection, meaning it can block, quarantine, or encrypt emails before they are delivered externally. 
SPF/DKIM/DMARC impact: Preserves original headers and signatures since mail is sent directly from Microsoft/Google servers. 2. Inline Integration: Requires changing MX records to route email through Avanan. In this mode, Avanan can intercept and inspect outbound emails before delivery. Depending on the configuration, this may affect SPF or DKIM if not properly handled. How it works: Requires adding Avanan’s Protection level: Traditional inline security with full visibility and control, including encryption, DLP, policy enforcement, and advanced threat protection. SPF/DKIM/DMARC impact: SPF configuration is needed by adding Avanan’s include mechanism to the sending domain’s SPF record. The DKIM record of the original sending source is preserved. For configurations, you can refer to the steps in this blog. Proofpoint – Outbound Handling and Integration Methods Outbound Logic Proofpoint analyzes outbound emails to detect and prevent data loss (DLP), to identify advanced threats (malware, phishing, BEC) originating from compromised internal accounts, and to ensure compliance. Their API integration provides crucial visibility and powerful remediation capabilities, while their traditional gateway (MX record) deployment delivers true inline, pre-delivery blocking for outbound traffic. Integration methods 1. API Integration: No MX record changes are required for this deployment method. Integration is done with Microsoft 365 or Google Workspace. How it works: Through its API integration, Proofpoint gains deep visibility into outbound emails and provides layered security and response features, including: Detect and alert: Identifies sensitive content (Data Loss Prevention violations), malicious attachments, or suspicious links in outbound emails. Post-delivery remediation (TRAP): A key capability of the API model is Threat Response Auto-Pull (TRAP), which enables Proofpoint to automatically recall, quarantine, or delete emails after delivery. 
This is particularly useful for internally sent messages or those forwarded to other users. Enhanced visibility: Aggregates message metadata and logs into Proofpoint’s threat intelligence platform, giving security teams a centralized view of outbound risks and user behavior. Protection level: API-based integration provides strong post-delivery detection and response, as well as visibility into DLP incidents and suspicious behavior.  SPF/DKIM/DMARC impact: Proofpoint does not alter SPF, DKIM, or DMARC because emails are sent directly through Microsoft or Google servers. Since Proofpoint’s servers are not involved in the actual sending process, the original authentication headers remain intact. 2. Gateway Integration (MX Record/Smart Host): This method requires updating MX records or routing outbound mail through Proofpoint via a smart host. How it works: Proofpoint acts as an inline gateway, inspecting emails before delivery. Inbound mail is filtered via MX changes; outbound mail is relayed through Proofpoint’s servers. Threat and DLP filtering: Scans outbound messages for sensitive content, malware, and policy violations. Real-time enforcement: Blocks, encrypts, or quarantines emails before they’re delivered. Policy controls: Applies rules based on content, recipient, or behavior. Protection level: Provides strong, real-time protection for outbound traffic with pre-delivery enforcement, DLP, and encryption. SPF/DKIM/DMARC impact: Proofpoint becomes the sending server: SPF: You need to configure ProofPoint’s SPF. DKIM: Can sign messages; requires DKIM setup. DMARC: DMARC passes if SPF and DKIM are set up properly. Please refer to this article to configure SPF and DKIM for ProofPoint. Mimecast – Outbound Handling and Integration Methods Outbound Logic Mimecast inspects outbound emails to prevent data loss (DLP), detect internal threats such as malware and impersonation, and ensure regulatory compliance. 
It primarily functions as a Secure Email Gateway (SEG), meaning it sits directly in the outbound email flow. While Mimecast offers APIs, its core outbound protection is built around this inline gateway model. Integration Methods 1. Gateway Integration (MX Record change required) This is Mimecast’s primary method for outbound email protection. Organizations route their outbound traffic through Mimecast by configuring their email server (e.g., Microsoft 365, Google Workspace, etc.) to use Mimecast as a smart host. This enables Mimecast to inspect and enforce policies on all outgoing emails in real time. How it works: Updating outbound routing in your email system (smart host settings), or Using Mimecast SMTP relay to direct messages through their infrastructure. Mimecast then scans, filters, and applies policies before the email reaches the final recipient. Protection level: Advanced DLP: Identifies and prevents sensitive data leaks. Impersonation and Threat Protection: Blocks malware, phishing, and abuse from compromised internal accounts. Email Encryption and Secure Messaging: Applies encryption policies or routes messages via secure portals. Regulatory Compliance: Enforces outbound compliance rules based on content, recipient, or metadata. SPF/DKIM/DMARC impact: SPF: Your SPF record must include Mimecast’s SPF mechanism based on your region to avoid SPF failures. DKIM: A new DKIM record should be configured to make sure your emails are DKIM signed when routing through Mimecast. DMARC: With correct SPF and DKIM setup, Mimecast ensures DMARC alignment, maintaining your domain’s sending reputation. Please refer to the steps in this detailed article to set up SPF and DKIM for Mimecast. 2. API Integration (Complementary to Gateway) Mimecast’s APIs complement the main gateway by providing automation, reporting, and management tools rather than handling live outbound mail flow. They allow you to manage policies, export logs, search archived emails, and sync users. 
APIs enhance visibility and operational tasks but do not provide real-time filtering or blocking of outbound messages. Since APIs don’t process live mail, they have no direct effect on SPF, DKIM, or DMARC; those depend on your gateway (smart host) setup. Barracuda – Outbound Handling and Integration Methods Outbound Logic Barracuda analyzes outbound emails to prevent data loss (DLP), block malware, stop phishing/impersonation attempts from compromised internal accounts, and ensure compliance. Barracuda offers flexible deployment options, including both traditional gateway (MX record) and API-based integrations. While both contribute to outbound security, their roles are distinct. Integration Methods 1. Gateway Integration (MX Record / Smart Host) — Primary Inline Security How it works: All outbound emails pass through Barracuda’s security stack for real-time inspection, threat blocking, and policy enforcement before delivery. Protection level: Comprehensive DLP (blocking, encrypting, or quarantining sensitive content)  Outbound spam and virus filtering  Enforcement of compliance and content policies This approach offers a high level of control and immediate threat mitigation on outbound mail flow. SPF/DKIM/DMARC impact: SPF: Update SPF records to include Barracuda’s sending IPs or SPF include mechanism. DKIM: Currently, no explicit setup is needed; DKIM of the main sending source is preserved. Refer to this article for more comprehensive guidance on Barracuda SEG configuration. 2. API Integration (Complementary & Advanced Threat Focus) How it works: The API accesses cloud email environments to analyze historical and real-time data, learning normal communication patterns to detect anomalies in outbound emails. It also supports post-delivery remediation, enabling the removal of malicious emails from internal mailboxes after sending. 
Protection level: Advanced AI-driven detection and near real-time blocking of outbound threats, plus strong post-delivery cleanup capabilities.

SPF/DKIM/DMARC impact: Since mail is sent directly by the original mail server (e.g., Microsoft 365), SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation.

Cisco Secure Email (formerly IronPort) – Outbound Handling and Integration Methods

Outbound Logic

Cisco Secure Email protects outbound email by preventing data loss (DLP), blocking spam and malware from internal accounts, stopping business email compromise (BEC) and impersonation attacks, and ensuring compliance. Cisco provides both traditional gateway appliances/cloud gateways and modern API-based solutions for layered outbound security.

Integration Methods

1. Gateway Integration (MX Record / Smart Host) – Cisco Secure Email Gateway (ESA)

How it works: Organizations update MX records to route mail through the Cisco Secure Email Gateway or configure their mail server (e.g., Microsoft 365, Exchange) to smart host outbound email via the gateway. All outbound mail is inspected and policies enforced before delivery.

Protection level:
Granular DLP (blocking, encrypting, quarantining sensitive content)
Outbound spam and malware filtering to protect IP reputation
Email encryption for sensitive outbound messages
Comprehensive content and attachment policy enforcement

SPF: Check this article for comprehensive guidance on Cisco SPF settings.
DKIM: Refer to this article for detailed guidance on Cisco DKIM settings.

2. API Integration – Cisco Secure Email Threat Defense

How it works: Integrates directly via API with Microsoft 365 (and potentially Google Workspace), continuously monitoring email metadata, content, and user behavior across inbound, outbound, and internal messages. Leverages Cisco’s threat intelligence and AI to detect anomalous outbound activity linked to BEC, account takeover, and phishing.
Post-Delivery Remediation: Automates the removal or quarantine of malicious or policy-violating emails from mailboxes even after sending.

Protection level: Advanced, AI-driven detection of sophisticated outbound threats with real-time monitoring and automated remediation. Complements gateway filtering by adding cloud-native visibility and swift post-send action.

SPF/DKIM/DMARC impact: Since emails are sent directly by the original mail server, SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation.

If you have any questions or need assistance, feel free to reach out to EasyDMARC technical support.
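
The SPF/DKIM/DMARC impact of the two integration models can be checked offline before changing mail routing. The sketch below is an added example, not code from EasyDMARC or any of the vendors; every domain and record in it is constructed, the organizational domain is passed in rather than derived from the Public Suffix List, and an include: term for a sender's SPF domain is treated as authorizing that sender (no DNS or IP evaluation).

```python
import re

# Constructed sample data: SPF domains standing in for the origin mail host
# and for an inline gateway, plus the SPF record before and after the change.
ORIGIN, GATEWAY = "spf.mailhost.example", "spf.gateway.example"
BEFORE = "v=spf1 include:spf.mailhost.example -all"
AFTER = "v=spf1 include:spf.mailhost.example include:spf.gateway.example -all"

# Terms that cost a DNS lookup; RFC 7208 caps the total at 10 per evaluation.
LOOKUP = re.compile(r"[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))", re.I)

def spf_terms(record):
    """Return the terms of an SPF TXT record without the version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]

def top_level_lookups(record):
    """Count lookup-costing terms in this record only (nested includes add more)."""
    return sum(1 for t in spf_terms(record) if LOOKUP.match(t))

def spf_authorizes(record, sender_spf_domain):
    """True if the record has a passing include: for the sender's SPF domain."""
    want = "include:" + sender_spf_domain.lower()
    return any(t.lower().lstrip("+") == want for t in spf_terms(record))

def aligned(auth_domain, from_domain, org_domain, strict=False):
    """DMARC identifier alignment; relaxed mode compares organizational domains."""
    a, f, o = auth_domain.lower(), from_domain.lower(), org_domain.lower()
    if strict:
        return a == f
    def under(d):
        return d == o or d.endswith("." + o)
    return under(a) and under(f)

def dmarc(record, sender_spf_domain, mail_from, from_domain, dkim_sigs,
          org_domain="example.com"):
    """dkim_sigs is a list of (d= domain, signature verified) pairs."""
    spf_ok = spf_authorizes(record, sender_spf_domain) and \
        aligned(mail_from, from_domain, org_domain)
    dkim_ok = any(ok and aligned(d, from_domain, org_domain) for d, ok in dkim_sigs)
    return "pass" if spf_ok or dkim_ok else "fail"

if __name__ == "__main__":
    args = ("example.com", "example.com")
    print("gateway, SPF not updated, no DKIM:", dmarc(BEFORE, GATEWAY, *args, []))
    print("gateway, SPF updated:", dmarc(AFTER, GATEWAY, *args, []))
    print("API model, origin server sends:", dmarc(BEFORE, ORIGIN, *args, []))
```

A DKIM signature from the gateway's own domain does not rescue the unupdated record, because that d= domain is not aligned with the From domain.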