Originally published at EasyDMARC Integrates With Pax8 Marketplace To Simplify Email Security For MSPs by Anush Yolyan. The integration will deliver simple, accessible, and streamlined email security for vulnerable inboxes Global, 4 November 2024 – US-based email security firm EasyDMARC has today announced its integration with Pax8 Marketplace, the leading cloud commerce marketplace. As one of the first DMARC solution providers on the Pax8 Marketplace, EasyDMARC is expanding its mission to protect inboxes from the rising threat of phishing attacks with a rigorous, user-friendly DMARC solution. The integration comes as Google highlights the impressive results of recently implemented email authentication measures for bulk senders: a 65% reduction in unauthenticated messages to Gmail users, a 50% increase in bulk senders following best security practices, and 265 billion fewer unauthenticated messages sent in 2024. With email being such a crucial communication channel for businesses, email authentication measures are an essential part of any business’s cybersecurity offering.  Key features of the integration include: Centralized billing With centralized billing, customers can now streamline their cloud services under a single pane of glass, simplifying the management and billing of their EasyDMARC solution. This consolidated approach enables partners to reduce administrative complexity and manage all cloud expenses through one interface, providing a seamless billing and support experience. Automated provisioning  Through automated provisioning, Pax8’s automation capabilities make deploying DMARC across client accounts quick and hassle-free. By eliminating manual configurations, this integration ensures that customers can implement email security solutions rapidly, allowing them to safeguard client inboxes without delay. Bundled offerings The bundled offerings available through Pax8 allow partners to enhance their service portfolios by combining EasyDMARC with complementary security solutions. By creating all-in-one security packages, partners can offer their clients more robust protection, addressing a broader range of security needs from a single, trusted platform. Gerasim Hovhannisyan, Co-Founder and CEO of EasyDMARC, said: “We’re thrilled to be working with Pax8  to provide MSPs with a streamlined, effective way to deliver top-tier email security to their clients, all within a platform that equips them with everything needed to stay secure.  As phishing attacks grow in frequency and sophistication, businesses can no longer afford to overlook the importance of email security. Email authentication is a vital defense against the evolving threat of phishing and is crucial in preserving the integrity of email communication. This integration is designed to allow businesses of all sizes to benefit from DMARC’s extensive capabilities.” Ryan Burton, Vice President of Marketplace Vendor Strategy, at Pax8 said:  “We’re delighted to welcome EasyDMARC to the Pax8 Marketplace as an enterprise-class DMARC solution provider. This integration gives MSPs the tools they need to meet the growing demand for email security, with simplified deployment, billing, and bundling benefits. With EasyDMARC’s technical capabilities and intelligence, MSPs can deliver robust protection against phishing threats without the technical hassle that often holds businesses back.” About EasyDMARC EasyDMARC is a cloud-native B2B SaaS solution that addresses email security and deliverability problems with just a few clicks. For Managed Service Providers seeking to increase their revenue, EasyDMARC presents an ideal solution. The email authentication platform streamlines domain management, providing capabilities such as organizational control, domain grouping, and access management. Additionally, EasyDMARC offers a comprehensive sales and marketing enablement program designed to boost DMARC sales. All of these features are available for MSPs on a scalable platform with a flexible pay-as-you-go pricing model. For more information on the EasyDMARC, visit: https://easydmarc.com/ About Pax8  Pax8 is the technology marketplace of the future, linking partners, vendors, and small to midsized businesses (SMBs) through AI-powered insights and comprehensive product support. With a global partner ecosystem of over 38,000 managed service providers, Pax8 empowers SMBs worldwide by providing software and services that unlock their growth potential and enhance their security. Committed to innovating cloud commerce at scale, Pax8 drives customer acquisition and solution consumption across its entire ecosystem. Find out more: https://www.pax8.com/en-us/ The post EasyDMARC Integrates With Pax8 Marketplace To Simplify Email Security For MSPs appeared first on EasyDMARC.

The Secure Government Email (SGE) Common Implementation Framework New Zealand’s government is introducing a comprehensive email security framework designed to protect official communications from phishing and domain spoofing. This new framework, which will be mandatory for all government agencies by October 2025, establishes clear technical standards to enhance email security and retire the outdated SEEMail service.  Key Takeaways All NZ government agencies must comply with new email security requirements by October 2025. The new framework strengthens trust and security in government communications by preventing spoofing and phishing. The framework mandates TLS 1.2+, SPF, DKIM, DMARC with p=reject, MTA-STS, and DLP controls. EasyDMARC simplifies compliance with our guided setup, monitoring, and automated reporting. Start a Free Trial What is the Secure Government Email Common Implementation Framework? The Secure Government Email (SGE) Common Implementation Framework is a new government-led initiative in New Zealand designed to standardize email security across all government agencies. Its main goal is to secure external email communication, reduce domain spoofing in phishing attacks, and replace the legacy SEEMail service. Why is New Zealand Implementing New Government Email Security Standards? The framework was developed by New Zealand’s Department of Internal Affairs (DIA) as part of its role in managing ICT Common Capabilities. It leverages modern email security controls via the Domain Name System (DNS) to enable the retirement of the legacy SEEMail service and provide: Encryption for transmission security Digital signing for message integrity Basic non-repudiation (by allowing only authorized senders) Domain spoofing protection These improvements apply to all emails, not just those routed through SEEMail, offering broader protection across agency communications. What Email Security Technologies Are Required by the New NZ SGE Framework? The SGE Framework outlines the following key technologies that agencies must implement: TLS 1.2 or higher with implicit TLS enforced TLS-RPT (TLS Reporting) SPF (Sender Policy Framework) DKIM (DomainKeys Identified Mail) DMARC (Domain-based Message Authentication, Reporting, and Conformance) with reporting MTA-STS (Mail Transfer Agent Strict Transport Security) Data Loss Prevention controls These technologies work together to ensure encrypted email transmission, validate sender identity, prevent unauthorized use of domains, and reduce the risk of sensitive data leaks. Get in touch When Do NZ Government Agencies Need to Comply with this Framework? All New Zealand government agencies are expected to fully implement the Secure Government Email (SGE) Common Implementation Framework by October 2025. Agencies should begin their planning and deployment now to ensure full compliance by the deadline. The All of Government Secure Email Common Implementation Framework v1.0 What are the Mandated Requirements for Domains? Below are the exact requirements for all email-enabled domains under the new framework. ControlExact RequirementTLSMinimum TLS 1.2. TLS 1.1, 1.0, SSL, or clear-text not permitted.TLS-RPTAll email-sending domains must have TLS reporting enabled.SPFMust exist and end with -all.DKIMAll outbound email from every sending service must be DKIM-signed at the final hop.DMARCPolicy of p=reject on all email-enabled domains. adkim=s is recommended when not bulk-sending.MTA-STSEnabled and set to enforce.Implicit TLSMust be configured and enforced for every connection.Data Loss PreventionEnforce in line with the New Zealand Information Security Manual (NZISM) and Protective Security Requirements (PSR). Compliance Monitoring and Reporting The All of Government Service Delivery (AoGSD) team will be monitoring compliance with the framework. Monitoring will initially cover SPF, DMARC, and MTA-STS settings and will be expanded to include DKIM. Changes to these settings will be monitored, enabling reporting on email security compliance across all government agencies. Ongoing monitoring will highlight changes to domains, ensure new domains are set up with security in place, and monitor the implementation of future email security technologies.  Should compliance changes occur, such as an agency’s SPF record being changed from -all to ~all, this will be captured so that the AoGSD Security Team can investigate. They will then communicate directly with the agency to determine if an issue exists or if an error has occurred, reviewing each case individually. Deployment Checklist for NZ Government Compliance Enforce TLS 1.2 minimum, implicit TLS, MTA-STS & TLS-RPT SPF with -all DKIM on all outbound email DMARC p=reject  adkim=s where suitable For non-email/parked domains: SPF -all, empty DKIM, DMARC reject strict Compliance dashboard Inbound DMARC evaluation enforced DLP aligned with NZISM Start a Free Trial How EasyDMARC Can Help Government Agencies Comply EasyDMARC provides a comprehensive email security solution that simplifies the deployment and ongoing management of DNS-based email security protocols like SPF, DKIM, and DMARC with reporting. Our platform offers automated checks, real-time monitoring, and a guided setup to help government organizations quickly reach compliance. 1. TLS-RPT / MTA-STS audit EasyDMARC enables you to enable the Managed MTA-STS and TLS-RPT option with a single click. We provide the required DNS records and continuously monitor them for issues, delivering reports on TLS negotiation problems. This helps agencies ensure secure email transmission and quickly detect delivery or encryption failures. Note: In this screenshot, you can see how to deploy MTA-STS and TLS Reporting by adding just three CNAME records provided by EasyDMARC. It’s recommended to start in “testing” mode, evaluate the TLS-RPT reports, and then gradually switch your MTA-STS policy to “enforce”. The process is simple and takes just a few clicks. As shown above, EasyDMARC parses incoming TLS reports into a centralized dashboard, giving you clear visibility into delivery and encryption issues across all sending sources. 2. SPF with “-all”In the EasyDARC platform, you can run the SPF Record Generator to create a compliant record. Publish your v=spf1 record with “-all” to enforce a hard fail for unauthorized senders and prevent spoofed emails from passing SPF checks. This strengthens your domain’s protection against impersonation. Note: It is highly recommended to start adjusting your SPF record only after you begin receiving DMARC reports and identifying your legitimate email sources. As we’ll explain in more detail below, both SPF and DKIM should be adjusted after you gain visibility through reports. Making changes without proper visibility can lead to false positives, misconfigurations, and potential loss of legitimate emails. That’s why the first step should always be setting DMARC to p=none, receiving reports, analyzing them, and then gradually fixing any SPF or DKIM issues. 3. DKIM on all outbound email DKIM must be configured for all email sources sending emails on behalf of your domain. This is critical, as DKIM plays a bigger role than SPF when it comes to building domain reputation, surviving auto-forwarding, mailing lists, and other edge cases. As mentioned above, DMARC reports provide visibility into your email sources, allowing you to implement DKIM accordingly (see first screenshot). If you’re using third-party services like Google Workspace, Microsoft 365, or Mimecast, you’ll need to retrieve the public DKIM key from your provider’s admin interface (see second screenshot). EasyDMARC maintains a backend directory of over 1,400 email sources. We also give you detailed guidance on how to configure SPF and DKIM correctly for major ESPs.  Note: At the end of this article, you’ll find configuration links for well-known ESPs like Google Workspace, Microsoft 365, Zoho Mail, Amazon SES, and SendGrid – helping you avoid common misconfigurations and get aligned with SGE requirements. If you’re using a dedicated MTA (e.g., Postfix), DKIM must be implemented manually. EasyDMARC’s DKIM Record Generator lets you generate both public and private keys for your server. The private key is stored on your MTA, while the public key must be published in your DNS (see third and fourth screenshots). 4. DMARC p=reject rollout As mentioned in previous points, DMARC reporting is the first and most important step on your DMARC enforcement journey. Always start with a p=none policy and configure RUA reports to be sent to EasyDMARC. Use the report insights to identify and fix SPF and DKIM alignment issues, then gradually move to p=quarantine and finally p=reject once all legitimate email sources have been authenticated.  This phased approach ensures full protection against domain spoofing without risking legitimate email delivery. 5. adkim Strict Alignment Check This strict alignment check is not always applicable, especially if you’re using third-party bulk ESPs, such as Sendgrid, that require you to set DKIM on a subdomain level. You can set adkim=s in your DMARC TXT record, or simply enable strict mode in EasyDMARC’s Managed DMARC settings. This ensures that only emails with a DKIM signature that exactly match your domain pass alignment, adding an extra layer of protection against domain spoofing. But only do this if you are NOT a bulk sender. 6. Securing Non-Email Enabled Domains The purpose of deploying email security to non-email-enabled domains, or parked domains, is to prevent messages being spoofed from that domain. This requirement remains even if the root-level domain has SP=reject set within its DMARC record. Under this new framework, you must bulk import and mark parked domains as “Parked.” Crucially, this requires adjusting SPF settings to an empty record, setting DMARC to p=reject, and ensuring an empty DKIM record is in place: • SPF record: “v=spf1 -all”. • Wildcard DKIM record with empty public key.• DMARC record: “v=DMARC1;p=reject;adkim=s;aspf=s;rua=mailto:…”. EasyDMARC allows you to add and label parked domains for free. This is important because it helps you monitor any activity from these domains and ensure they remain protected with a strict DMARC policy of p=reject. 7. Compliance Dashboard Use EasyDMARC’s Domain Scanner to assess the security posture of each domain with a clear compliance score and risk level. The dashboard highlights configuration gaps and guides remediation steps, helping government agencies stay on track toward full compliance with the SGE Framework. 8. Inbound DMARC Evaluation Enforced You don’t need to apply any changes if you’re using Google Workspace, Microsoft 365, or other major mailbox providers. Most of them already enforce DMARC evaluation on incoming emails. However, some legacy Microsoft 365 setups may still quarantine emails that fail DMARC checks, even when the sending domain has a p=reject policy, instead of rejecting them. This behavior can be adjusted directly from your Microsoft Defender portal. Read more about this in our step-by-step guide on how to set up SPF, DKIM, and DMARC from Microsoft Defender. If you’re using a third-party mail provider that doesn’t enforce having a DMARC policy for incoming emails, which is rare, you’ll need to contact their support to request a configuration change. 9. Data Loss Prevention Aligned with NZISM The New Zealand Information Security Manual (NZISM) is the New Zealand Government’s manual on information assurance and information systems security. It includes guidance on data loss prevention (DLP), which must be followed to be aligned with the SEG. Need Help Setting up SPF and DKIM for your Email Provider? Setting up SPF and DKIM for different ESPs often requires specific configurations. Some providers require you to publish SPF and DKIM on a subdomain, while others only require DKIM, or have different formatting rules. We’ve simplified all these steps to help you avoid misconfigurations that could delay your DMARC enforcement, or worse, block legitimate emails from reaching your recipients. Below you’ll find comprehensive setup guides for Google Workspace, Microsoft 365, Zoho Mail, Amazon SES, and SendGrid. You can also explore our full blog section that covers setup instructions for many other well-known ESPs. Remember, all this information is reflected in your DMARC aggregate reports. These reports give you live visibility into your outgoing email ecosystem, helping you analyze and fix any issues specific to a given provider. Here are our step-by-step guides for the most common platforms: Google Workspace Microsoft 365 These guides will help ensure your DNS records are configured correctly as part of the Secure Government Email (SGE) Framework rollout. Meet New Government Email Security Standards With EasyDMARC New Zealand’s SEG Framework sets a clear path for government agencies to enhance their email security by October 2025. With EasyDMARC, you can meet these technical requirements efficiently and with confidence. From protocol setup to continuous monitoring and compliance tracking, EasyDMARC streamlines the entire process, ensuring strong protection against spoofing, phishing, and data loss while simplifying your transition from SEEMail.

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works. Microsoft 365 Word gets SharePoint eSignature, now you can ditch third-party signing tools Paul Hill Neowin @ziks_99 · Jun 6, 2025 03:02 EDT Microsoft has just announced that it will be rolling out an extremely convenient feature for Microsoft 365 customers who use Word throughout this year. The Redmond giant said that you’ll now be able to use SharePoint’s native eSignature service directly in Microsoft Word. The new feature allows customers to request electronic signatures without converting the documents to a PDF or leaving the Word interface, significantly speeding up workflows. Microsoft’s integration of eSignatures also allows you to create eSignature templates which will speed up document approvals, eliminate physical signing steps, and help with compliance and security in the Microsoft 365 environment. This change has the potential to significantly improve the quality-of-life for those in work finding themselves adding lots of signatures to documents as they will no longer have to export PDFs from Word and apply the signature outside of Word. It’s also key to point out that this feature is integrated natively and is not an extension. The move is quite clever from Microsoft, if businesses were using third-party tools to sign their documents, they would no longer need to use these as it’s easier to do it in Word. Not only does it reduce reliance on other tools, it also makes Microsoft’s products more competitive against other office suites such as Google Workspace. Streamlined, secure, and compliant The new eSignature feature is tightly integrated into Word. It lets you insert signature fields seamlessly into documents and request other people’s signatures, all while remaining in Word. The eSignature feature can be accessed in Word by going to the Insert ribbon. When you send a signature request to someone from Word, the recipient will get an automatically generated PDF copy of the Word document to sign. The signed PDF will then be kept in the same SharePoint location as the original Word file. To ensure end-to-end security and compliance, the document never leaves the Microsoft 365 trust boundary. For anyone with a repetitive signing process, this integration allows you to turn Word documents into eSignature templates so they can be reused. Another feature that Microsoft has built in is audit trail and notifications. Both the senders and signers will get email notifications throughout the entire signing process. Additionally, you can view the activity history (audit trail) in the signed PDF to check who signed it and when. Finally, Microsoft said that administrators will be able to control how the feature is used in Word throughout the organization. They can decide to enable it for specific users via an Office group policy or limit it to particular SharePoint sites. The company said that SharePoint eSignature also lets admins log activities in the Purview Audit log. A key security measure included by Microsoft, which was mentioned above, was the Microsoft 365 trust boundary. By keeping documents in this boundary, Microsoft ensures that all organizations can use this feature without worry. The inclusion of automatic PDF creation is all a huge benefit to users as it will cut out the step of manual PDF creation. While creating a PDF isn’t complicated, it can be time consuming. The eSignature feature looks like a win-win-win for organizations that rely on digital signatures. Not only does it speed things along and remain secure, but it’s also packed with features like tracking, making it really useful and comprehensive. When and how your organization gets it SharePoint eSignature has started rolling out to Word on the M365 Beta and Current Channels in the United States, Canada, the United Kingdom, Europe, and Australia-Pacific. This phase of the rollout is expected to be completed by early July. People in the rest of the world will also be gaining this time-saving feature but it will not reach everyone right away, though Microsoft promises to reach everybody by the end of the year. To use the feature, it will need to be enabled by administrators. If you’re an admin who needs to enable this, just go to the M365 Admin Center and enable SharePoint eSignature, ensuring the Word checkbox is selected. Once the service is enabled, apply the “Allow the use of SharePoint eSignature for Microsoft Word” policy. The policy can be enabled via Intune, Group Policy manager, or the Cloud Policy service for Microsoft 365 Assuming the admins have given permission to use the feature, users will be able to access SharePoint eSignatures on Word Desktop using the Microsoft 365 Current Channel or Beta Channel. The main caveats include that the rollout is phased, so you might not get it right away, and it requires IT admins to enable the feature - in which case, it may never get enabled at all. Overall, this feature stands to benefit users who sign documents a lot as it can save huge amounts of time cumulatively. It’s also good for Microsoft who increase organizations’ dependence on Word. Tags Report a problem with article Follow @NeowinFeed

Email authentication protocols like SPF, DKIM, and DMARC play a critical role in protecting domains from spoofing and phishing. However, when SEGs are introduced into the email path, the interaction with these protocols becomes more complex. Security gateways(SEGs) are a core part of many organizations’ email infrastructure. They act as intermediaries between the public internet and internal mail systems, inspecting, filtering, and routing messages. This blog examines how security gateways handle SPF, DKIM, and DMARC, with real-world examples from popular gateways such as Proofpoint, Mimecast, and Avanan. We’ll also cover best practices for maintaining authentication integrity and avoiding misconfigurations that can compromise email authentication or lead to false DMARC failures. Security gateways often sit at the boundary between your organization and the internet, managing both inbound and outbound email traffic. Their role affects how email authentication protocols behave. An inbound SEG examines emails coming into your organization. It checks SPF, DKIM, and DMARC to determine if the message is authentic and safe before passing it to your internal mail servers. An outbound SEG handles emails sent from your domain. It may modify headers, rewrite envelope addresses, or even apply DKIM signing. All of these can impact SPF,  DKIM, or DMARC validation on the recipient’s side. Understanding how SEGs influence these flows is crucial to maintaining proper authentication and avoiding unexpected DMARC failures. Inbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When an email comes into your organization, your security gateway is the first to inspect it. It checks whether the message is real, trustworthy, and properly authenticated. Let’s look at how different SEGs handle these checks. Avanan (by Check Point) SPF: Avanan verifies whether the sending server is authorized to send emails for the domain by checking the SPF record. DKIM: It verifies if the message was signed by the sending domain and if that signature is valid. DMARC: It uses the results of the SPF and DKIM check to evaluate DMARC. However, final enforcement usually depends on how DMARC is handled by Microsoft 365 or Gmail, as Avanan integrates directly with them. Avanan offers two methods of integration:1. API integration: Avanan connects via APIs, no change in MX, usually Monitor or Detect modes.2. Inline integration: Avanan is placed inline in the mail flow (MX records changed), actively blocking or remediating threats. Proofpoint Email Protection SPF: Proofpoint checks SPF to confirm the sender’s IP is authorized to send on behalf of the domain. You can set custom rules (e.g. treat “softfail” as “fail”). DKIM: It verifies DKIM signatures and shows clear pass/fail results in logs. DMARC: It fully evaluates DMARC by combining SPF and DKIM results with alignment checks. Administrators can configure how to handle messages that fail DMARC, such as rejecting, quarantining, or delivering them. Additionally, Proofpoint allows whitelisting specific senders you trust, even if their emails fail authentication checks. Integration Methods Inline Mode: In this traditional deployment, Proofpoint is positioned directly in the email flow by modifying MX records. Emails are routed through Proofpoint’s infrastructure, allowing it to inspect and filter messages before they reach the recipient’s inbox. This mode provides pre-delivery protection and is commonly used in on-premises or hybrid environments. API-Based (Integrated Cloud Email Security – ICES) Mode: Proofpoint offers API-based integration, particularly with cloud email platforms like Microsoft 365 and Google Workspace. In this mode, Proofpoint connects to the email platform via APIs, enabling it to monitor and remediate threats post-delivery without altering the email flow. This approach allows for rapid deployment and seamless integration with existing cloud email services. Mimecast SPF: Mimecast performs SPF checks to verify whether the sending server is authorized by the domain’s SPF record. Administrators can configure actions for SPF failures, including block, quarantine, permit, or tag with a warning. This gives flexibility in balancing security with business needs. DKIM: It validates DKIM signatures by checking that the message was correctly signed by the sending domain and that the content hasn’t been tampered with. If the signature fails, Mimecast can take actions based on your configured policies. DMARC: It fully evaluates DMARC by combining the results of SPF and DKIM with domain alignment checks. You can choose to honor the sending domain’s DMARC policy (none, quarantine, reject) or apply custom rules, for example, quarantining or tagging messages that fail DMARC regardless of the published policy. This allows more granular control for businesses that want to override external domain policies based on specific contexts. Integration Methods Inline Deployment: Mimecast is typically deployed as a cloud-based secure email gateway. Organizations update their domain’s MX records to point to Mimecast, so all inbound (and optionally outbound) emails pass through it first. This allows Mimecast to inspect, filter, and process emails before delivery, providing robust protection. API Integrations: Mimecast also offers API-based services through its Mimecast API platform, primarily for management, archival, continuity, and threat intelligence purposes. However, API-only email protection is not Mimecast’s core model. Instead, the APIs are used to enhance the inline deployment, not replace it. Barracuda Email Security Gateway SPF: Barracuda checks the sender’s IP against the domain’s published SPF record. If the check fails, you can configure the system to block, quarantine, tag, or allow the message, depending on your policy preferences. DKIM: It validates whether the incoming message includes a valid DKIM signature. The outcome is logged and used to inform further policy decisions or DMARC evaluations. DMARC: It combines SPF and DKIM results, checks for domain alignment, and applies the DMARC policy defined by the sender. Administrators can also choose to override the DMARC policy, allowing messages to pass or be treated differently based on organizational needs (e.g., trusted senders or internal exceptions). Integration Methods Inline mode (more common and straightforward): Barracuda Email Security Gateway is commonly deployed inline by updating your domain’s MX records to point to Barracuda’s cloud or on-premises gateway. This ensures that all inbound emails pass through Barracuda first for filtering and SPF, DKIM, and DMARC validation before being delivered to your mail servers. Deployment Behind the Corporate Firewall: Alternatively, Barracuda can be deployed in transparent or bridge mode without modifying MX records. In this setup, the gateway is placed inline at the network level, such as behind a firewall, and intercepts mail traffic transparently. This method is typically used in complex on-premises environments where changing DNS records is not feasible. Cisco Secure Email (formerly IronPort) Cisco Secure Email acts as an inline gateway for inbound email, usually requiring your domain’s MX records to point to the Cisco Email Security Appliance or cloud service. SPF: Cisco Secure Email verifies whether the sending server is authorized in the sender domain’s SPF record. Administrators can set detailed policies on how to handle SPF failures. DKIM: It validates the DKIM signature on incoming emails and logs whether the signature is valid or has failed. DMARC: It evaluates DMARC by combining SPF and DKIM results along with domain alignment checks. Admins can configure specific actions, such as quarantine, reject, or tag, based on different failure scenarios or trusted sender exceptions. Integration methods On-premises Email Security Appliance (ESA): You deploy Cisco’s hardware or virtual appliance inline, updating MX records to route mail through it for filtering. Cisco Cloud Email Security: Cisco offers a cloud-based email security service where MX records are pointed to Cisco’s cloud infrastructure, which filters and processes inbound mail. Cisco Secure Email also offers advanced, rule-based filtering capabilities and integrates with Cisco’s broader threat protection ecosystem, enabling comprehensive inbound email security. Outbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When your organization sends emails, security gateways can play an active role in processing and authenticating those messages. Depending on the configuration, a gateway might rewrite headers, re-sign messages, or route them through different IPs – all actions that can help or hurt the authentication process. Let’s look at how major SEGs handle outbound email flow. Avanan – Outbound Handling and Integration Methods Outbound Logic Avanan analyzes outbound emails primarily to detect data loss, malware, and policy violations. In API-based integration, emails are sent directly by the original mail server (e.g., Microsoft 365 or Google Workspace), so SPF and DKIM signatures remain intact. Avanan does not alter the message or reroute traffic, which helps maintain full DMARC alignment and domain reputation. Integration Methods 1. API Integration: Connects to Microsoft 365 or Google Workspace via API. No MX changes are needed. Emails are scanned after they are sent, with no modification to SPF, DKIM, or the delivery path.  How it works: Microsoft Graph API or Google Workspace APIs are used to monitor and intervene in outbound emails. Protection level: Despite no MX changes, it can offer inline-like protection, meaning it can block, quarantine, or encrypt emails before they are delivered externally. SPF/DKIM/DMARC impact: Preserves original headers and signatures since mail is sent directly from Microsoft/Google servers. 2. Inline Integration: Requires changing MX records to route email through Avanan. In this mode, Avanan can intercept and inspect outbound emails before delivery. Depending on the configuration, this may affect SPF or DKIM if not properly handled. How it works: Requires adding Avanan’s Protection level: Traditional inline security with full visibility and control, including encryption, DLP, policy enforcement, and advanced threat protection. SPF/DKIM/DMARC impact: SPF configuration is needed by adding Avanan’s include mechanism to the sending domain’s SPF record. The DKIM record of the original sending source is preserved. For configurations, you can refer to the steps in this blog. Proofpoint – Outbound Handling and Integration Methods Outbound Logic Proofpoint analyzes outbound emails to detect and prevent data loss (DLP), to identify advanced threats (malware, phishing, BEC) originating from compromised internal accounts, and to ensure compliance. Their API integration provides crucial visibility and powerful remediation capabilities, while their traditional gateway (MX record) deployment delivers true inline, pre-delivery blocking for outbound traffic. Integration methods 1. API Integration: No MX record changes are required for this deployment method. Integration is done with Microsoft 365 or Google Workspace. How it works: Through its API integration, Proofpoint gains deep visibility into outbound emails and provides layered security and response features, including: Detect and alert: Identifies sensitive content (Data Loss Prevention violations), malicious attachments, or suspicious links in outbound emails. Post-delivery remediation (TRAP): A key capability of the API model is Threat Response Auto-Pull (TRAP), which enables Proofpoint to automatically recall, quarantine, or delete emails after delivery. This is particularly useful for internally sent messages or those forwarded to other users. Enhanced visibility: Aggregates message metadata and logs into Proofpoint’s threat intelligence platform, giving security teams a centralized view of outbound risks and user behavior. Protection level: API-based integration provides strong post-delivery detection and response, as well as visibility into DLP incidents and suspicious behavior.  SPF/DKIM/DMARC impact: Proofpoint does not alter SPF, DKIM, or DMARC because emails are sent directly through Microsoft or Google servers. Since Proofpoint’s servers are not involved in the actual sending process, the original authentication headers remain intact. 2. Gateway Integration (MX Record/Smart Host): This method requires updating MX records or routing outbound mail through Proofpoint via a smart host. How it works: Proofpoint acts as an inline gateway, inspecting emails before delivery. Inbound mail is filtered via MX changes; outbound mail is relayed through Proofpoint’s servers. Threat and DLP filtering: Scans outbound messages for sensitive content, malware, and policy violations. Real-time enforcement: Blocks, encrypts, or quarantines emails before they’re delivered. Policy controls: Applies rules based on content, recipient, or behavior. Protection level: Provides strong, real-time protection for outbound traffic with pre-delivery enforcement, DLP, and encryption. SPF/DKIM/DMARC impact: Proofpoint becomes the sending server: SPF: You need to configure ProofPoint’s SPF. DKIM: Can sign messages; requires DKIM setup. DMARC: DMARC passes if SPF and DKIM are set up properly. Please refer to this article to configure SPF and DKIM for ProofPoint. Mimecast – Outbound Handling and Integration Methods Outbound Logic Mimecast inspects outbound emails to prevent data loss (DLP), detect internal threats such as malware and impersonation, and ensure regulatory compliance. It primarily functions as a Secure Email Gateway (SEG), meaning it sits directly in the outbound email flow. While Mimecast offers APIs, its core outbound protection is built around this inline gateway model. Integration Methods 1. Gateway Integration (MX Record change required) This is Mimecast’s primary method for outbound email protection. Organizations route their outbound traffic through Mimecast by configuring their email server (e.g., Microsoft 365, Google Workspace, etc.) to use Mimecast as a smart host. This enables Mimecast to inspect and enforce policies on all outgoing emails in real time. How it works: Updating outbound routing in your email system (smart host settings), or Using Mimecast SMTP relay to direct messages through their infrastructure. Mimecast then scans, filters, and applies policies before the email reaches the final recipient. Protection level: Advanced DLP: Identifies and prevents sensitive data leaks. Impersonation and Threat Protection: Blocks malware, phishing, and abuse from compromised internal accounts. Email Encryption and Secure Messaging: Applies encryption policies or routes messages via secure portals. Regulatory Compliance: Enforces outbound compliance rules based on content, recipient, or metadata. SPF/DKIM/DMARC impact: SPF: Your SPF record must include Mimecast’s SPF mechanism based on your region to avoid SPF failures. DKIM: A new DKIM record should be configured to make sure your emails are DKIM signed when routing through Mimecast. DMARC: With correct SPF and DKIM setup, Mimecast ensures DMARC alignment, maintaining your domain’s sending reputation. Please refer to the steps in this detailed article to set up SPF and DKIM for Mimecast. 2. API Integration (Complementary to Gateway) Mimecast’s APIs complement the main gateway by providing automation, reporting, and management tools rather than handling live outbound mail flow. They allow you to manage policies, export logs, search archived emails, and sync users. APIs enhance visibility and operational tasks but do not provide real-time filtering or blocking of outbound messages. Since APIs don’t process live mail, they have no direct effect on SPF, DKIM, or DMARC; those depend on your gateway (smart host) setup. Barracuda – Outbound Handling and Integration Methods Outbound Logic Barracuda analyzes outbound emails to prevent data loss (DLP), block malware, stop phishing/impersonation attempts from compromised internal accounts, and ensure compliance. Barracuda offers flexible deployment options, including both traditional gateway (MX record) and API-based integrations. While both contribute to outbound security, their roles are distinct. Integration Methods 1. Gateway Integration (MX Record / Smart Host) — Primary Inline Security How it works: All outbound emails pass through Barracuda’s security stack for real-time inspection, threat blocking, and policy enforcement before delivery. Protection level: Comprehensive DLP (blocking, encrypting, or quarantining sensitive content)  Outbound spam and virus filtering  Enforcement of compliance and content policies This approach offers a high level of control and immediate threat mitigation on outbound mail flow. SPF/DKIM/DMARC impact: SPF: Update SPF records to include Barracuda’s sending IPs or SPF include mechanism. DKIM: Currently, no explicit setup is needed; DKIM of the main sending source is preserved. Refer to this article for more comprehensive guidance on Barracuda SEG configuration. 2. API Integration (Complementary & Advanced Threat Focus) How it works: The API accesses cloud email environments to analyze historical and real-time data, learning normal communication patterns to detect anomalies in outbound emails. It also supports post-delivery remediation, enabling the removal of malicious emails from internal mailboxes after sending. Protection level: Advanced AI-driven detection and near real-time blocking of outbound threats, plus strong post-delivery cleanup capabilities. SPF/DKIM/DMARC impact: Since mail is sent directly by the original mail server (e.g., Microsoft 365), SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation. Cisco Secure Email (formerly IronPort) – Outbound Handling and Integration Methods Outbound Logic Cisco Secure Email protects outbound email by preventing data loss (DLP), blocking spam and malware from internal accounts, stopping business email compromise (BEC) and impersonation attacks, and ensuring compliance. Cisco provides both traditional gateway appliances/cloud gateways and modern API-based solutions for layered outbound security. Integration Methods 1. Gateway Integration (MX Record / Smart Host) – Cisco Secure Email Gateway (ESA) How it works: Organizations update MX records to route mail through the Cisco Secure Email Gateway or configure their mail server (e.g., Microsoft 365, Exchange) to smart host outbound email via the gateway. All outbound mail is inspected and policies enforced before delivery. Protection level: Granular DLP (blocking, encrypting, quarantining sensitive content) Outbound spam and malware filtering to protect IP reputation Email encryption for sensitive outbound messages Comprehensive content and attachment policy enforcement SPF: Check this article for comprehensive guidance on Cisco SPF settings. DKIM: Refer to this article for detailed guidance on Cisco DKIM settings. 2. API Integration – Cisco Secure Email Threat Defense How it works: Integrates directly via API with Microsoft 365 (and potentially Google Workspace), continuously monitoring email metadata, content, and user behavior across inbound, outbound, and internal messages. Leverages Cisco’s threat intelligence and AI to detect anomalous outbound activity linked to BEC, account takeover, and phishing. Post-Delivery Remediation: Automates the removal or quarantine of malicious or policy-violating emails from mailboxes even after sending. Protection level: Advanced, AI-driven detection of sophisticated outbound threats with real-time monitoring and automated remediation. Complements gateway filtering by adding cloud-native visibility and swift post-send action. SPF/DKIM/DMARC impact: Since emails are sent directly by the original mail server, SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation. If you have any questions or need assistance, feel free to reach out to EasyDMARC technical support.

Reading Time: 8 minutes Sometimes, even the slickest emails can land with a thud in the spam folder. The culprit? Your email sender reputation. Just like a bank checks your credit history before lending you money, mailbox providers (like Gmail, Yahoo, etc.) check your sender reputation before deciding whether to deliver your customer relationship emails to the inbox or banish them to spam. So buckle up, because here, we’re about to unpack everything you need to know about what an email domain reputation is and how to keep yours squeaky clean. Now, you’re probably wondering…   What is Email Sender Reputation? Email sender reputation, also known as email domain reputation, is a measure of your brand’s trustworthiness as an email sender. It’s based on factors like your sending history, email engagement, and complaint rates, influencing whether mailbox providers deliver your messages to recipients’ inboxes or junk folders. A solid sender reputation is the golden ticket to inbox placement. Without it, your carefully crafted automated email marketing campaigns might as well be shouting into the void. Mailbox providers are constantly on the lookout for spammers and shady senders, and your reputation is a key indicator of whether you’re one of the good guys. But how do they know that?   5 Factors That Influence Email Marketing Sender Reputation Your email sending reputation isn’t built overnight; it’s a result of consistent behavior and several critical factors. Let’s break down the big five: 1. Quality of Your Email List Building your email list is hard, we know. But honestly, validating it to ensure that all email addresses are real and belong to existing subscribers helps you maintain a positive sender reputation score with mailbox providers. This is why you should use a proper email validation API, as it can help you quickly check if the email addresses are legitimate. Your reputation score can suffer if you’re labeled as a bad email sender, with all the bounces you get from a bad email list. 2. Email Sending History Having an established history with a particular IP address can boost the legitimacy and reputation score of your emails, which means the sender, messages, and recipients are all coming from a legitimate place. Spammers will often change IP addresses and, therefore, cannot establish a long and reputable sending history with IPs. 3. Consistency and Volume of Emails The number of emails you send and your consistency in sending them are also indicators of your legitimacy and reputation. Sending two emails every other week, for example, shows stability and predictability in terms of your sending volume and activities. Mailbox providers and Internet Service Providers (ISPs) also examine your sending patterns and frequency to determine whether you’re still on the right track or have turned to spamming. 4. Email Open Rates or Engagement This is a metric that records subscriber activity or your email engagement, such as the open or click-through rates. It’s very significant because mailbox providers value their subscribers’ preferences. Your emails could be filtered out if there is a very low response rate or no interactions at all. 5. Emails Marked as ‘SPAM’ Mailbox providers would take a cue from their subscribers’ preferences whenever they receive emails. So, if your email messages are consistently marked as ‘Spam’, then this feedback would result in your emails being screened or placed in the Spam or Junk folder. And that’s not where you’d want your emails to hang out.   How to Check Email Sender Reputation You can verify your email domain reputation by monitoring key metrics and using reputation checking tools. Many email marketing software platforms (like MoEngage, for example) provide dashboards and analytics that help you monitor these crucial indicators. MoEngage goes a step further by offering insights and tools to help you proactively manage and improve your email deliverability, making it easier to spot and address potential reputation issues before they escalate. In fact, you can achieve an inbox placement rate of over 95%! Coming back to the topic, the platform indicates email domain reputation as High, Medium, Low, or Bad. More specifically, it lets you: Filter campaigns based on reputation while exporting their data. See historical trends in your domain reputation. View more information, such as when the reputation information was last updated. Analyze email marketing metrics, like open rates and click-through rates. How an Email Sender Reputation Score Works Your email sender reputation score is a dynamic rating that mailbox providers assign to your sending domain and IP address. This score isn’t a fixed number, but rather, a constantly evolving assessment based on your list quality, sending history, and other factors we’ve discussed above. Higher scores generally mean better inbox placement, while lower scores can lead to the dreaded spam folder. Different mailbox providers have their own algorithms for calculating this score, and the exact formulas are usually kept secret. However, the underlying principles revolve around your sending behavior and recipient engagement. How Can You Do a Domain Reputation Test and How Often Should You Do This? You can run an email domain reputation test using various software tools (we’ll get to some of the best ones in a sec!). These reputation checkers analyze your domain and IP address against known blacklists and provide insights into your current standing. Ideally, you should be monitoring your key metrics within your ESP regularly (daily or weekly) and perform a more comprehensive domain reputation test at least monthly, or more frequently if you’re experiencing deliverability issues. Consistent monitoring helps you catch problems early and maintain a healthy reputation.   3 Best Email Domain Reputation Checkers Alright, let’s talk tools. While your ESP often provides built-in deliverability insights, these external domain reputation checkers can offer another layer of perspective. Let’s jump right in! 1. MoEngage Okay, we might be a little biased, but hear us out. MoEngage is more than just an email marketing platform; it’s a powerhouse for cross-channel customer engagement. Its robust analytics and deliverability features give you a clear view of your email performance, helping you proactively manage your email sender reputation. MoEngage stands out because it integrates domain reputation monitoring with tools to improve engagement and personalize your campaigns, leading to better deliverability in the long run. Unlike some standalone domain reputation checkers, MoEngage provides actionable insights within your workflow. How Pricing Works: MoEngage offers customized pricing plans based on your specific needs and scale. Contact the sales team for a personalized quote. Best For: Brands looking for an integrated customer engagement platform (CEP) with robust email deliverability management capabilities. 2. Spamhaus Project The Spamhaus Project allows you to track spam, malware, phishing, and other cybersecurity threats. ISPs and email servers filter out unwanted and harmful content using Spamhaus’s DNS-based blocklists (DNSBLs). How Pricing Works: Spamhaus provides its blacklist data and lookup tools for free to most users, as part of their mission to combat spam. Best For: Quickly checking if your domain or IP is on major spam blacklists. 3. MxToolbox You can use MxToolbox to check if your domain is mentioned on any email blocklists. It scans your domain for mail servers, DNS records, web servers, and any problems. While comprehensive in its checks, this domain reputation checker doesn’t provide the same level of integrated deliverability management and analytics that a platform like MoEngage offers. How Pricing Works: MxToolbox offers both free tools and paid subscription plans with more advanced features, with pricing starting from around $85 per month. Best For: Performing a broad check across numerous email blacklists.   How to Improve Your Email Domain Reputation So, your domain email reputation doesn’t look as shiny as you’d like? No worries! Here are concrete steps you can take to improve it. Think of it as spring cleaning for your email sending practices. 1. Manage a Clean Email List Email list management is foundational. Regularly prune inactive subscribers, remove bounced addresses, and promptly honor unsubscribe requests. Implement a double opt-in process to ensure subscribers genuinely want to hear from you. A clean, engaged email list signals to mailbox providers that you’re sending to interested recipients, and reduces bounce rates and spam complaints. It’s crucial for a positive email sender reputation score. 2. Send Confirmation Emails with Double Opt-Ins Include double opt-ins where you send automated confirmation emails to subscribers. This helps you distinguish valid email addresses from nonexistent ones. Basically, protecting your email sender reputation is easy when you adhere to best practices. Ensuring that your email messages are engaging and interesting helps you get more clicks and open rates. Attracting more interaction to your email messages sends a signal to mailbox providers that you have a legitimate and professional organization. Increasing the positive activities and reviews will help build and solidify your branding strategy, sending a message that is relatable and understood by your subscribers. 3. Pause Violating Campaigns Notice a sudden spike in bounces or spam complaints after a particular email marketing campaign? Pause the campaign immediately to investigate the cause. Ideally, you should not send transactional and non-transactional emails from the same domain (domain/IP set). If the compliance requirements are met, there is no need to pause transactional emails. However, you should pause all one-time emails. Continuing to send problematic emails will only further damage your email sending reputation. Addressing the issue swiftly demonstrates responsibility to mailbox providers. 4. Correct the Mistakes Once you’ve paused a problematic campaign, take the time to understand what went wrong. Did you use a purchased list? Was the content or subject line misleading? (In which case, you need to have a list of the best email subject lines handy). Identify the root cause and implement corrective measures so it doesn’t happen again. Showing that you learn from your mistakes helps rebuild trust with mailbox providers over time. Then, raise a ticket to Gmail or other ESP explaining the cause behind the reputation issues, your changes, and the next steps you plan to follow. Have checkpoints to detect issues immediately, so you can always stay on top of them. 5. Use Subdomains for Sending Emails Establish a subdomain you’re going to use only for sending emails to customers. That’s because if anything goes wrong, the subdomain will take the hit directly, while mildly affecting your company’s main registered domain. It’s like a backup. Also, hopefully, your customers will remember and recognize your subdomain with time. So even if your emails do land in the spam folder, customers might mark them as ‘Not spam’. Yay! 6. Resume and Ramp Up Your Email Frequency After addressing the issues and making necessary changes, don’t be afraid to resume sending. But take baby steps. Resume your transactional emails first. Don’t send transactional and promotional emails from the same domains and IPs. If you already have, separate them while correcting your email setup. Next, resume your personalized event-triggered campaigns. Then, slowly send one-time campaigns to email openers and clickers (such as emails that have been opened 5 times in the last 60 days). Send at a lower RPM and send only 2-3 campaigns per week. After the email domain reputation improves, gradually increase the overall sending frequency and volume (it could take 6-8 weeks). When emailing non-engaged customers, slowly raise your email frequency to prevent sudden volume spikes from triggering spam filters. This careful approach communicates to mailbox providers that you are a responsible sender. 7. Customize Your Sending Patterns Avoid sending all your emails at the same time to everyone on your list. Segment your audience and tailor your sending schedules based on their engagement and time zones. This shows mailbox providers that you’re sending relevant content to the right customers at the right time, improving engagement and your overall email marketing domain reputation. Create lifecycle campaigns to engage your customers. Use dynamic segments, so inactive customers get dropped off automatically. Implement personalization across every aspect of your email.   Maintaining Email Domain Reputation with MoEngage Maintaining a stellar email domain reputation is an ongoing effort, but it doesn’t have to be complicated. Hundreds of B2C brands trust MoEngage to provide the insights and tools they need to monitor deliverability, understand audience engagement, and proactively manage their sending practices. By leveraging the platform’s analytics and segmentation capabilities, our customers can be sure their emails consistently land in the inbox, where they belong. Ready to take control of your email deliverability and build a rock-solid email sender reputation? Explore MoEngage’s comprehensive email marketing solutions. Or better yet, request a demo to see MoEngage’s email solutions in action today. The post How to Check and Fix Your Email Sender Reputation appeared first on MoEngage.

The Trump administration’s recent decision to bar international students from attending Harvard University was less a policy decision than an act of war. The White House had hoped its opening salvo against the nation’s oldest university would yield the kind of immediate capitulation offered by Columbia University. When Harvard chose to fight back instead, Trump decided to hit the university where it hurts most. The administration’s actions are illegal and were immediately stayed by a federal judge. But that won’t prevent real harm to students and higher learning. While Harvard has a famously selective undergraduate college, most of the university’s students are in graduate or professional school, and more than a third of those older students arrive from other countries. Overall, more than a quarter of Harvard’s 25,000 students come from outside the United States, a percentage that has steadily grown over time. The proportion of Harvard’s international students has increased 38 percent since 2006. Even if the courts continue to block this move, it will be difficult for anyone to study there knowing they might be deported or imprisoned by a hostile regime — even if they’re the future queen of Belgium. And an exodus of international students will end up harming universities far beyond Harvard, as well as American research and innovation itself. The question looming over higher education is whether the international student ban is merely the next escalation of the Trump administration’s apocalyptic campaign against a handful of elite institutions (as seen by the administration’s announcement Tuesday that it would cancel its remaining federal contracts with Harvard) — or the beginning of a broader attempt to apply “America First” protectionist principles to one the nation’s most valuable and successful export goods: higher learning. The rapid growth of international college students in the 21st century represents exactly the kind of global cooperation the isolationists in the White House would love to destroy. International students helped buoy American universities after the Great RecessionIn recent decades, international enrollment has shaped, and in some places transformed, higher learning across the country. According to the State Department, the number of annual F-1 student visas issued to international students nearly tripled from 216,000 in 2003 to 644,000 in 2015. And while many nations sent more students to America during that time, the story of international college enrollment over the last two decades has been dominated by a single country: the People’s Republic of China. In 1997, roughly 12,000 F-1 visas were issued to Chinese students; this was only a third of the number issued to the two biggest student senders that year, South Korea and Japan. Chinese enrollment started to accelerate in the early aughts and then exploded: 114,000 by 2010; 190,000 in 2012; and a peak of 274,000 in 2015. The change was driven by profound social and economic shifts within China. Mao Zedong’s Cultural Revolution essentially shut down university enrollment for a decade. When it ended in 1976, there was a huge backlog of college students who graduated in the 1980s into the economic liberalization of Deng Xiaoping. Many of them prospered and had children — often only one — who came of age in the early 2000s. Attending an American university was a status marker and an opportunity to become a global citizen. At the same time, many colleges were newly hungry for international enrollment. The Great Recession savaged college finances. State governments slashed funding for public universities while families had less money to pay tuition at private colleges. Public universities offer lower prices to state residents and private schools typically discount their sticker-price tuition by more than 50 percent through grants and scholarships. But those rules only apply to Americans. Recruiting so-called full-pay international students became a key strategy for shoring up the bottom line. Colleges weren’t always judicious in managing the influx of students from overseas. Purdue University enrolled so many Chinese students so quickly that in 2013 one of them noted that a main benefit of traveling 7,000 miles to West Lafayette, Indiana, was improving his language skills — by talking to students from other regions of China. That same year, an administrator at a second-tier private college in Philadelphia told me that the college tried to keep enrollment from any one country below a certain threshold “or else we’d have to build them a student center or something.” While federal law prohibits colleges from paying recruiters based on the number of students they sign up, this, too, only applies within American borders. International students sometimes pay middlemen large sums to help them navigate the huge and varied global college landscape. While many are legitimate, some are prone to falsehoods and fraud. At the same time, colleges also used the new influx of students to expand course offerings, build strong connections overseas, and diversify their academic communities. One of the great educational benefits of going to college is learning among people from different experiences and backgrounds. There has likely never been a better place to do that than an American college campus in the 21st century. The most talented international students helped drive American economic productivity and research supremacy to new heights. F-1 visas declined sharply in 2016, in part because of an administrative change that allowed Chinese students to receive five-year visas instead of reapplying every year. But the market itself was also shifting. The Chinese government invested enormous sums to build the capacity of its own national research universities, giving students better options to stay home. Geopolitical tensions were growing, and American voters chose to elect a rabidly xenophobic president in Donald Trump. Covid radically depressed international enrollment in 2020, but even after the recovery, Chinese F-1 visas in 2023 were only a third of the 2015 peak. Colleges managed by recruiting students from other countries to take their place. India crossed 100,000 student visa for the first time in 2022. At the turn of the century, fewer than 1,000 Vietnamese students studied in America. Today, Vietnam is our fourth-largest source of international students, more than Japan, Mexico, Germany, or Brazil. Enrollment from Ghana has quintupled in the last 10 years.A catastrophe for American science and innovationIf the Trump administration expands its scorched-earth student visa strategy beyond Harvard, it won’t just be the liberal enclaves and snooty college towns that suffer. Communities across the country will feel the hurt, urban and rural, in red states and blue. Some colleges might tip into bankruptcy. Others will make fewer hires and produce fewer graduates for local employers. Even before the visa ban, the government of Norway set aside money to lure away American scholars whose research has been devastated by deep Trump administration cuts to scientific research. Other countries are sure to follow. And if international students stop coming to the US, it will be a catastrophe for American leadership in science and technology. World-class research universities are magnets for global talent. Cambridge, Massachusetts, is a worldwide center of medical breakthroughs because Harvard and its neighbor MIT attract some of the smartest people in the world, who often stay in the United States to found new companies and conduct research. The same dynamic drives technology innovation around Stanford and UC Berkeley in Silicon Valley, and in university towns nationwide. If you or a loved one benefited from a new cancer treatment, there’s a good chance the person who saved your life came to America on the kind of student visa the Trump administration is trying to destroy. Like printing the global reserve currency or having a good relationship with Canada, getting the pick of international students is one of those incredibly valuable things that Americans won’t fully appreciate until someone is stupid enough to throw it away. In 2021, JD Vance told a group of movement conservatives that “we have to honestly and aggressively attack the universities in this country.” The administration has more than made good on his word, in part because the electorate is rapidly reorganizing around education attainment, with college graduates clustering in the Democratic party and nongraduates moving to the Republican side. Trump and his minions see elite colleges and universities as enemy fortresses in the culture wars, training grounds for the opposition that must be razed and broken.Modern colleges look like the future that MAGA forces most fear. Visitors to campus today see students from scores of global communities, speaking multiple languages and practicing different cultural traditions. Places where people from other countries are welcome, and no single race, nationality, or religion reigns supreme. People like JD Vance are so terrified by this vision that they would rather destroy America’s world-leading higher education system and terrorize hundreds of thousands of people who are in this country legally and only want to learn. See More:

Save this picture!Algae Curtain / EcoLogicStudio. Image © ecoLogicStudio"The limits of our design language are the limits of our design thinking". Patrik Schumacher's statement subtly hints at a shift occurring in the built environment, moving beyond technological integration to embrace intelligence in the spaces and cities we occupy. The future proposes a possibility of buildings serving functions beyond housing human activity to actively participate in shaping urban life.The architecture profession has long been enamored with "smart" buildings - structures that collect and process data through sensor networks and automated systems. Smart cities were heralded to improve quality of life as well as the sustainability and efficiency of city operations using technology. While smart buildings and cities are still at a far reach, these advancements only mark the beginning of a much more impactful application of technology in the built environment. Being smart is about collecting data. Being intelligent is about interpreting that data and acting autonomously upon it. Save this picture!The next generation of intelligent buildings will focus on both externalities and the integration of advanced interior systems to improve energy efficiency, sustainability, and security. Exterior innovations like walls with rotatable units that automatically respond to real-time environmental data, optimizing ventilation and insulation without human intervention are one application. Related Article The Future of Work: Sentient Workplaces for Employee Wellbeing Kinetic architectural elements, integrated with artificial intelligence, create responsive exteriors that breathe and adapt. Networked photovoltaic glass systems may share surplus energy across buildings, establishing efficient microgrids that transform individual structures into nodes within larger urban systems.Interior spaces are experiencing a similar evolution through platforms like Honeywell's Advance Control for Buildings, which integrates cybersecurity, accelerated network speeds, and autonomous decision-making capabilities. Such systems simultaneously optimize HVAC, lighting, and security subsystems through real-time adjustments that respond to environmental shifts and occupant behavior patterns. Advanced security incorporates deep learning-powered facial recognition, while sophisticated voice controls distinguish between human commands and background noise with high accuracy.Kas Oosterhuis envisions architecture where building components become senders and receivers of real-time information, creating communicative networks: "People communicate. Buildings communicate. People communicate with people. People communicate with buildings. Buildings communicate with buildings." This swarm architecture represents an open-source, real-time system where all elements participate in continuous information exchange.Save this picture!Save this picture!While these projects are impressive, they also bring critical issues about autonomy and control to light. How much decision-making authority should we delegate to our buildings? Should structures make choices for us or simply offer informed suggestions based on learned patterns?Beyond buildings, intelligent systems can remodel urban management through AI and machine learning applications. Solutions that monitor and predict pedestrian traffic patterns in public spaces are being explored. For instance, Carlo Ratti's collaboration with Google's Sidewalk Labs hints at the possibility of the streetscape seamlessly adapting to people's needs with a prototype of a modular and reconfigurable paving system in Toronto. The Dynamic Street features a series of hexagonal modular pavers which can be picked up and replaced within hours or even minutes in order to swiftly change the function of the road without creating disruptions on the street. Sidewalk Labs also developed technologies like Delve, a machine-learning tool for designing cities, and focused on sustainability through initiatives like Mesa, a building-automation system.Cities are becoming their own sensors at elemental levels, with physical fabric automated to monitor performance and use continuously. Digital skins overlay these material systems, enabling populations to navigate urban complexity in real-time—locating services, finding acquaintances, and identifying transportation options.The implications extend beyond immediate utility. Remote sensing capabilities offer insights into urban growth patterns, long-term usage trends, and global-scale problems that individual real-time operations cannot detect. This creates enormous opportunities for urban design that acknowledges the city as a self-organizing system, moving beyond traditional top-down planning toward bottom-up growth enabled by embedded information systems.Save this picture!Save this picture!While artificial intelligence dominates discussions of intelligent architecture, parallel developments are emerging through non-human biological intelligence. Researchers are discovering the profound capabilities of living organisms - bacteria, fungi, algae - that have evolved sophisticated strategies over millions of years. Micro-organisms possess intelligence that often eludes human comprehension, yet their exceptional properties offer transformative potential for urban design.EcoLogicStudio's work with the H.O.R.T.U.S. series exemplifies this biological turn in intelligent architecture. The acronym—Hydro Organism Responsive To Urban Stimuli—describes photosynthetic sculptures and urban structures that create artificial habitats for cyanobacteria integrated within the built environment. These living systems function not merely as decorative elements but as active metabolic participants, absorbing emissions from building systems while producing biomass and oxygen through photosynthesis. The PhotoSynthetica Tower project, unveiled at Tokyo's Mori Art Museum, materializes this vision as a complex synthetic organism where bacteria, autonomous farming machines, and various forms of animal intelligence become bio-citizens alongside humans. The future of intelligent architecture lies not in replacing human decision-making but in creating sophisticated feedback loops between human and non-human intelligence. The synthesis recognizes that our knowledge remains incomplete in any age, particularly as new developments push us from lifestyles constraining us to single places toward embracing multiple locations and experiences.Save this picture!The built environment's role in emerging technologies extends far beyond operational efficiency or cost savings. Intelligent buildings can serve as active participants in sustainability targets, wellness strategies, and broader urban resilience planning. The possibility of intelligent architecture challenges the industry to expand our design language. The question facing the profession is not whether intelligence will permeate the built environment. Rather, architects must gauge how well-positioned we are to design for this intelligence, manage its implications, and partner with our buildings as collaborators in shaping the human experience.This article is part of the ArchDaily Topics: What Is Future Intelligence?, proudly presented by Gendo, an AI co-pilot for Architects. Our mission at Gendo is to help architects produce concept images 100X faster by focusing on the core of the design process. We have built a cutting-edge AI tool in collaboration with architects from some of the most renowned firms, such as Zaha Hadid, KPF, and David Chipperfield.Every month, we explore a topic in-depth through articles, interviews, news, and architecture projects. We invite you to learn more about our ArchDaily Topics. And, as always, at ArchDaily we welcome the contributions of our readers; if you want to submit an article or project, contact us.

Join our daily and weekly newsletters for the latest updates and exclusive content on industry-leading AI coverage. Learn More We’re seeing AI evolve fast. It’s no longer just about building a single, super-smart model. The real power, and the exciting frontier, lies in getting multiple specialized AI agents to work together. Think of them as a team of expert colleagues, each with their own skills — one analyzes data, another interacts with customers, a third manages logistics, and so on. Getting this team to collaborate seamlessly, as envisioned by various industry discussions and enabled by modern platforms, is where the magic happens. But let’s be real: Coordinating a bunch of independent, sometimes quirky, AI agents is hard. It’s not just building cool individual agents; it’s the messy middle bit — the orchestration — that can make or break the system. When you have agents that are relying on each other, acting asynchronously and potentially failing independently, you’re not just building software; you’re conducting a complex orchestra. This is where solid architectural blueprints come in. We need patterns designed for reliability and scale right from the start. The knotty problem of agent collaboration Why is orchestrating multi-agent systems such a challenge? Well, for starters: They’re independent: Unlike functions being called in a program, agents often have their own internal loops, goals and states. They don’t just wait patiently for instructions. Communication gets complicated: It’s not just Agent A talking to Agent B. Agent A might broadcast info Agent C and D care about, while Agent B is waiting for a signal from E before telling F something. They need to have a shared brain (state): How do they all agree on the “truth” of what’s happening? If Agent A updates a record, how does Agent B know about it reliably and quickly? Stale or conflicting information is a killer. Failure is inevitable: An agent crashes. A message gets lost. An external service call times out. When one part of the system falls over, you don’t want the whole thing grinding to a halt or, worse, doing the wrong thing. Consistency can be difficult: How do you ensure that a complex, multi-step process involving several agents actually reaches a valid final state? This isn’t easy when operations are distributed and asynchronous. Simply put, the combinatorial complexity explodes as you add more agents and interactions. Without a solid plan, debugging becomes a nightmare, and the system feels fragile. Picking your orchestration playbook How you decide agents coordinate their work is perhaps the most fundamental architectural choice. Here are a few frameworks: The conductor (hierarchical): This is like a traditional symphony orchestra. You have a main orchestrator (the conductor) that dictates the flow, tells specific agents (musicians) when to perform their piece, and brings it all together. This allows for: Clear workflows, execution that is easy to trace, straightforward control; it is simpler for smaller or less dynamic systems. Watch out for: The conductor can become a bottleneck or a single point of failure. This scenario is less flexible if you need agents to react dynamically or work without constant oversight. The jazz ensemble (federated/decentralized): Here, agents coordinate more directly with each other based on shared signals or rules, much like musicians in a jazz band improvising based on cues from each other and a common theme. There might be shared resources or event streams, but no central boss micro-managing every note. This allows for: Resilience (if one musician stops, the others can often continue), scalability, adaptability to changing conditions, more emergent behaviors. What to consider: It can be harder to understand the overall flow, debugging is tricky (“Why did that agent do that then?”) and ensuring global consistency requires careful design. Many real-world multi-agent systems (MAS) end up being a hybrid — perhaps a high-level orchestrator sets the stage; then groups of agents within that structure coordinate decentrally. For agents to collaborate effectively, they often need a shared view of the world, or at least the parts relevant to their task. This could be the current status of a customer order, a shared knowledge base of product information or the collective progress towards a goal. Keeping this “collective brain” consistent and accessible across distributed agents is tough. Architectural patterns we lean on: The central library (centralized knowledge base): A single, authoritative place (like a database or a dedicated knowledge service) where all shared information lives. Agents check books out (read) and return them (write). Pro: Single source of truth, easier to enforce consistency. Con: Can get hammered with requests, potentially slowing things down or becoming a choke point. Must be seriously robust and scalable. Distributed notes (distributed cache): Agents keep local copies of frequently needed info for speed, backed by the central library. Pro: Faster reads. Con: How do you know if your copy is up-to-date? Cache invalidation and consistency become significant architectural puzzles. Shouting updates (message passing): Instead of agents constantly asking the library, the library (or other agents) shouts out “Hey, this piece of info changed!” via messages. Agents listen for updates they care about and update their own notes. Pro: Agents are decoupled, which is good for event-driven patterns. Con: Ensuring everyone gets the message and handles it correctly adds complexity. What if a message is lost? The right choice depends on how critical up-to-the-second consistency is, versus how much performance you need. Building for when stuff goes wrong (error handling and recovery) It’s not if an agent fails, it’s when. Your architecture needs to anticipate this. Think about: Watchdogs (supervision): This means having components whose job it is to simply watch other agents. If an agent goes quiet or starts acting weird, the watchdog can try restarting it or alerting the system. Try again, but be smart (retries and idempotency): If an agent’s action fails, it should often just try again. But, this only works if the action is idempotent. That means doing it five times has the exact same result as doing it once (like setting a value, not incrementing it). If actions aren’t idempotent, retries can cause chaos. Cleaning up messes (compensation): If Agent A did something successfully, but Agent B (a later step in the process) failed, you might need to “undo” Agent A’s work. Patterns like Sagas help coordinate these multi-step, compensable workflows. Knowing where you were (workflow state): Keeping a persistent log of the overall process helps. If the system goes down mid-workflow, it can pick up from the last known good step rather than starting over. Building firewalls (circuit breakers and bulkheads): These patterns prevent a failure in one agent or service from overloading or crashing others, containing the damage. Making sure the job gets done right (consistent task execution) Even with individual agent reliability, you need confidence that the entire collaborative task finishes correctly. Consider: Atomic-ish operations: While true ACID transactions are hard with distributed agents, you can design workflows to behave as close to atomically as possible using patterns like Sagas. The unchanging logbook (event sourcing): Record every significant action and state change as an event in an immutable log. This gives you a perfect history, makes state reconstruction easy, and is great for auditing and debugging. Agreeing on reality (consensus): For critical decisions, you might need agents to agree before proceeding. This can involve simple voting mechanisms or more complex distributed consensus algorithms if trust or coordination is particularly challenging. Checking the work (validation): Build steps into your workflow to validate the output or state after an agent completes its task. If something looks wrong, trigger a reconciliation or correction process. The best architecture needs the right foundation. The post office (message queues/brokers like Kafka or RabbitMQ): This is absolutely essential for decoupling agents. They send messages to the queue; agents interested in those messages pick them up. This enables asynchronous communication, handles traffic spikes and is key for resilient distributed systems. The shared filing cabinet (knowledge stores/databases): This is where your shared state lives. Choose the right type (relational, NoSQL, graph) based on your data structure and access patterns. This must be performant and highly available. The X-ray machine (observability platforms): Logs, metrics, tracing – you need these. Debugging distributed systems is notoriously hard. Being able to see exactly what every agent was doing, when and how they were interacting is non-negotiable. The directory (agent registry): How do agents find each other or discover the services they need? A central registry helps manage this complexity. The playground (containerization and orchestration like Kubernetes): This is how you actually deploy, manage and scale all those individual agent instances reliably. How do agents chat? (Communication protocol choices) The way agents talk impacts everything from performance to how tightly coupled they are. Your standard phone call (REST/HTTP): This is simple, works everywhere and good for basic request/response. But it can feel a bit chatty and can be less efficient for high volume or complex data structures. The structured conference call (gRPC): This uses efficient data formats, supports different call types including streaming and is type-safe. It is great for performance but requires defining service contracts. The bulletin board (message queues — protocols like AMQP, MQTT): Agents post messages to topics; other agents subscribe to topics they care about. This is asynchronous, highly scalable and completely decouples senders from receivers. Direct line (RPC — less common): Agents call functions directly on other agents. This is fast, but creates very tight coupling — agent need to know exactly who they’re calling and where they are. Choose the protocol that fits the interaction pattern. Is it a direct request? A broadcast event? A stream of data? Putting it all together Building reliable, scalable multi-agent systems isn’t about finding a magic bullet; it’s about making smart architectural choices based on your specific needs. Will you lean more hierarchical for control or federated for resilience? How will you manage that crucial shared state? What’s your plan for when (not if) an agent goes down? What infrastructure pieces are non-negotiable? It’s complex, yes, but by focusing on these architectural blueprints — orchestrating interactions, managing shared knowledge, planning for failure, ensuring consistency and building on a solid infrastructure foundation — you can tame the complexity and build the robust, intelligent systems that will drive the next wave of enterprise AI. Nikhil Gupta is the AI product management leader/staff product manager at Atlassian. Daily insights on business use cases with VB Daily If you want to impress your boss, VB Daily has you covered. We give you the inside scoop on what companies are doing with generative AI, from regulatory shifts to practical deployments, so you can share insights for maximum ROI. Read our Privacy Policy Thanks for subscribing. Check out more VB newsletters here. An error occured.

Microsoft, in partnership with the U.S. Department of Justice (DOJ), took a major step in dismantling one of the most prolific cybercrime tools currently in circulation. Microsoft’s Digital Crimes Unit (DCU) collaborated with the DOJ, Europol, and several global cybersecurity firms to disrupt the Lumma Stealer malware network — a malware-as-a-service (MaaS) platform implicated in hundreds of thousands of digital breaches worldwide. According to Microsoft, Lumma Stealer infected over 394,000 Windows machines between March and mid-May 2025. The malware has been a favored tool amongst cybercriminals for stealing login credentials and sensitive financial information including cryptocurrency wallets. It’s been used for extortion campaigns against schools, hospitals, and infrastructure providers. According to the DOJ website, “the FBI has identified at least 1.7 million instances where LummaC2 was used to steal this type of information.” Recommended Videos With a court order from the U.S. District Court for the Northern Districts of Georgia, Microsoft took down roughly 2,300 malicious domains associated with Lumma’s infrastructure. The DOJ simultaneously took down five critical LummaC2 domains, which acted as command-and-control centers for cybercriminals deploying the malware. These domains now redirect to a government seizure notice. International assistance came from Europol’s European Cybercrime Centre (EC3) and Japan’s JC3, who coordinated efforts to block regional servers. Cybersecurity firms like Bitsight, Cloudflare, ESET, Lumen, CleanDNS, and GMO Registry assisted in identifying and dismantling web infrastructure. Inside the Lumma operation Lumma, also known as LummaC2, has been operating since 2022, possibly earlier, and makes its info-stealing malware available for sale through encrypted forums and Telegram channels. The malware is designed for ease of use and is often bundled with obfuscation tools to help it bypass antivirus software. Distribution techniques include spear-phishing emails, spoofed brand websites, and malicious online ads known as “malvertising.” Cybersecurity researchers say Lumma is particularly dangerous because it allows criminals to rapidly scale attacks. Buyers can customize payloads, track stolen data, and even get customer support via a dedicated user panel. Microsoft Threat Intelligence previously linked Lumma to notorious Octo Tempest gang, also known as “Scattered Spider.” In one phishing campaign earlier this year, hackers were able to spoof Booking.com and used Lumma to harvest financial credentials from unsuspecting victims. Who’s behind it? Authorities believe the developer of Lumma goes by the alias “Shamel” and operates out of Russia. In a 2023 interview, Shamel claimed to have 400 active clients and even bragged about branding Lumma with a dove logo and the slogan: “Making money with us is just as easy.” Long-term disruption, not a knockout Image used with permission by copyright holder While the takedown is significant, experts warn that Lumma and tools like it are rarely eradicated for good. Still, Microsoft and the DOJ say these actions severely hinder and disrupt criminal operations by cutting off their infrastructure and revenue streams. Microsoft will use the seized domains as sinkholes to gather intelligence and further protect victims. This situation highlights the need for international cooperation in cybercrime enforcement. DOJ officials emphasized the value of public-private partnerships, while the FBI noted that court-authorized disruptions remain a critical tool in the government’s cybersecurity playbook. As Microsoft’s DCU continues its work, this Lumma crackdown sets a strong precedent for what can be accomplished when industry and government specialists collaborate to eliminate threats. As more of these organizations are uncovered and disrupted, remember to protect yourself by changing your passwords frequently and avoid clicking links from unknown senders.