Originally published at EasyDMARC Integrates With Pax8 Marketplace To Simplify Email Security For MSPs by Anush Yolyan. The integration will deliver simple, accessible, and streamlined email security for vulnerable inboxes Global, 4 November 2024 – US-based email security firm EasyDMARC has today announced its integration with Pax8 Marketplace, the leading cloud commerce marketplace. As one of the first DMARC solution providers on the Pax8 Marketplace, EasyDMARC is expanding its mission to protect inboxes from the rising threat of phishing attacks with a rigorous, user-friendly DMARC solution. The integration comes as Google highlights the impressive results of recently implemented email authentication measures for bulk senders: a 65% reduction in unauthenticated messages to Gmail users, a 50% increase in bulk senders following best security practices, and 265 billion fewer unauthenticated messages sent in 2024. With email being such a crucial communication channel for businesses, email authentication measures are an essential part of any business’s cybersecurity offering.  Key features of the integration include: Centralized billing With centralized billing, customers can now streamline their cloud services under a single pane of glass, simplifying the management and billing of their EasyDMARC solution. This consolidated approach enables partners to reduce administrative complexity and manage all cloud expenses through one interface, providing a seamless billing and support experience. Automated provisioning  Through automated provisioning, Pax8’s automation capabilities make deploying DMARC across client accounts quick and hassle-free. By eliminating manual configurations, this integration ensures that customers can implement email security solutions rapidly, allowing them to safeguard client inboxes without delay. Bundled offerings The bundled offerings available through Pax8 allow partners to enhance their service portfolios by combining EasyDMARC with complementary security solutions. By creating all-in-one security packages, partners can offer their clients more robust protection, addressing a broader range of security needs from a single, trusted platform. Gerasim Hovhannisyan, Co-Founder and CEO of EasyDMARC, said: “We’re thrilled to be working with Pax8  to provide MSPs with a streamlined, effective way to deliver top-tier email security to their clients, all within a platform that equips them with everything needed to stay secure.  As phishing attacks grow in frequency and sophistication, businesses can no longer afford to overlook the importance of email security. Email authentication is a vital defense against the evolving threat of phishing and is crucial in preserving the integrity of email communication. This integration is designed to allow businesses of all sizes to benefit from DMARC’s extensive capabilities.” Ryan Burton, Vice President of Marketplace Vendor Strategy, at Pax8 said:  “We’re delighted to welcome EasyDMARC to the Pax8 Marketplace as an enterprise-class DMARC solution provider. This integration gives MSPs the tools they need to meet the growing demand for email security, with simplified deployment, billing, and bundling benefits. With EasyDMARC’s technical capabilities and intelligence, MSPs can deliver robust protection against phishing threats without the technical hassle that often holds businesses back.” About EasyDMARC EasyDMARC is a cloud-native B2B SaaS solution that addresses email security and deliverability problems with just a few clicks. For Managed Service Providers seeking to increase their revenue, EasyDMARC presents an ideal solution. The email authentication platform streamlines domain management, providing capabilities such as organizational control, domain grouping, and access management. Additionally, EasyDMARC offers a comprehensive sales and marketing enablement program designed to boost DMARC sales. All of these features are available for MSPs on a scalable platform with a flexible pay-as-you-go pricing model. For more information on the EasyDMARC, visit: https://easydmarc.com/ About Pax8  Pax8 is the technology marketplace of the future, linking partners, vendors, and small to midsized businesses (SMBs) through AI-powered insights and comprehensive product support. With a global partner ecosystem of over 38,000 managed service providers, Pax8 empowers SMBs worldwide by providing software and services that unlock their growth potential and enhance their security. Committed to innovating cloud commerce at scale, Pax8 drives customer acquisition and solution consumption across its entire ecosystem. Find out more: https://www.pax8.com/en-us/ The post EasyDMARC Integrates With Pax8 Marketplace To Simplify Email Security For MSPs appeared first on EasyDMARC.

The Secure Government Email (SGE) Common Implementation Framework New Zealand’s government is introducing a comprehensive email security framework designed to protect official communications from phishing and domain spoofing. This new framework, which will be mandatory for all government agencies by October 2025, establishes clear technical standards to enhance email security and retire the outdated SEEMail service.  Key Takeaways All NZ government agencies must comply with new email security requirements by October 2025. The new framework strengthens trust and security in government communications by preventing spoofing and phishing. The framework mandates TLS 1.2+, SPF, DKIM, DMARC with p=reject, MTA-STS, and DLP controls. EasyDMARC simplifies compliance with our guided setup, monitoring, and automated reporting. Start a Free Trial What is the Secure Government Email Common Implementation Framework? The Secure Government Email (SGE) Common Implementation Framework is a new government-led initiative in New Zealand designed to standardize email security across all government agencies. Its main goal is to secure external email communication, reduce domain spoofing in phishing attacks, and replace the legacy SEEMail service. Why is New Zealand Implementing New Government Email Security Standards? The framework was developed by New Zealand’s Department of Internal Affairs (DIA) as part of its role in managing ICT Common Capabilities. It leverages modern email security controls via the Domain Name System (DNS) to enable the retirement of the legacy SEEMail service and provide: Encryption for transmission security Digital signing for message integrity Basic non-repudiation (by allowing only authorized senders) Domain spoofing protection These improvements apply to all emails, not just those routed through SEEMail, offering broader protection across agency communications. What Email Security Technologies Are Required by the New NZ SGE Framework? The SGE Framework outlines the following key technologies that agencies must implement: TLS 1.2 or higher with implicit TLS enforced TLS-RPT (TLS Reporting) SPF (Sender Policy Framework) DKIM (DomainKeys Identified Mail) DMARC (Domain-based Message Authentication, Reporting, and Conformance) with reporting MTA-STS (Mail Transfer Agent Strict Transport Security) Data Loss Prevention controls These technologies work together to ensure encrypted email transmission, validate sender identity, prevent unauthorized use of domains, and reduce the risk of sensitive data leaks. Get in touch When Do NZ Government Agencies Need to Comply with this Framework? All New Zealand government agencies are expected to fully implement the Secure Government Email (SGE) Common Implementation Framework by October 2025. Agencies should begin their planning and deployment now to ensure full compliance by the deadline. The All of Government Secure Email Common Implementation Framework v1.0 What are the Mandated Requirements for Domains? Below are the exact requirements for all email-enabled domains under the new framework. ControlExact RequirementTLSMinimum TLS 1.2. TLS 1.1, 1.0, SSL, or clear-text not permitted.TLS-RPTAll email-sending domains must have TLS reporting enabled.SPFMust exist and end with -all.DKIMAll outbound email from every sending service must be DKIM-signed at the final hop.DMARCPolicy of p=reject on all email-enabled domains. adkim=s is recommended when not bulk-sending.MTA-STSEnabled and set to enforce.Implicit TLSMust be configured and enforced for every connection.Data Loss PreventionEnforce in line with the New Zealand Information Security Manual (NZISM) and Protective Security Requirements (PSR). Compliance Monitoring and Reporting The All of Government Service Delivery (AoGSD) team will be monitoring compliance with the framework. Monitoring will initially cover SPF, DMARC, and MTA-STS settings and will be expanded to include DKIM. Changes to these settings will be monitored, enabling reporting on email security compliance across all government agencies. Ongoing monitoring will highlight changes to domains, ensure new domains are set up with security in place, and monitor the implementation of future email security technologies.  Should compliance changes occur, such as an agency’s SPF record being changed from -all to ~all, this will be captured so that the AoGSD Security Team can investigate. They will then communicate directly with the agency to determine if an issue exists or if an error has occurred, reviewing each case individually. Deployment Checklist for NZ Government Compliance Enforce TLS 1.2 minimum, implicit TLS, MTA-STS & TLS-RPT SPF with -all DKIM on all outbound email DMARC p=reject  adkim=s where suitable For non-email/parked domains: SPF -all, empty DKIM, DMARC reject strict Compliance dashboard Inbound DMARC evaluation enforced DLP aligned with NZISM Start a Free Trial How EasyDMARC Can Help Government Agencies Comply EasyDMARC provides a comprehensive email security solution that simplifies the deployment and ongoing management of DNS-based email security protocols like SPF, DKIM, and DMARC with reporting. Our platform offers automated checks, real-time monitoring, and a guided setup to help government organizations quickly reach compliance. 1. TLS-RPT / MTA-STS audit EasyDMARC enables you to enable the Managed MTA-STS and TLS-RPT option with a single click. We provide the required DNS records and continuously monitor them for issues, delivering reports on TLS negotiation problems. This helps agencies ensure secure email transmission and quickly detect delivery or encryption failures. Note: In this screenshot, you can see how to deploy MTA-STS and TLS Reporting by adding just three CNAME records provided by EasyDMARC. It’s recommended to start in “testing” mode, evaluate the TLS-RPT reports, and then gradually switch your MTA-STS policy to “enforce”. The process is simple and takes just a few clicks. As shown above, EasyDMARC parses incoming TLS reports into a centralized dashboard, giving you clear visibility into delivery and encryption issues across all sending sources. 2. SPF with “-all”In the EasyDARC platform, you can run the SPF Record Generator to create a compliant record. Publish your v=spf1 record with “-all” to enforce a hard fail for unauthorized senders and prevent spoofed emails from passing SPF checks. This strengthens your domain’s protection against impersonation. Note: It is highly recommended to start adjusting your SPF record only after you begin receiving DMARC reports and identifying your legitimate email sources. As we’ll explain in more detail below, both SPF and DKIM should be adjusted after you gain visibility through reports. Making changes without proper visibility can lead to false positives, misconfigurations, and potential loss of legitimate emails. That’s why the first step should always be setting DMARC to p=none, receiving reports, analyzing them, and then gradually fixing any SPF or DKIM issues. 3. DKIM on all outbound email DKIM must be configured for all email sources sending emails on behalf of your domain. This is critical, as DKIM plays a bigger role than SPF when it comes to building domain reputation, surviving auto-forwarding, mailing lists, and other edge cases. As mentioned above, DMARC reports provide visibility into your email sources, allowing you to implement DKIM accordingly (see first screenshot). If you’re using third-party services like Google Workspace, Microsoft 365, or Mimecast, you’ll need to retrieve the public DKIM key from your provider’s admin interface (see second screenshot). EasyDMARC maintains a backend directory of over 1,400 email sources. We also give you detailed guidance on how to configure SPF and DKIM correctly for major ESPs.  Note: At the end of this article, you’ll find configuration links for well-known ESPs like Google Workspace, Microsoft 365, Zoho Mail, Amazon SES, and SendGrid – helping you avoid common misconfigurations and get aligned with SGE requirements. If you’re using a dedicated MTA (e.g., Postfix), DKIM must be implemented manually. EasyDMARC’s DKIM Record Generator lets you generate both public and private keys for your server. The private key is stored on your MTA, while the public key must be published in your DNS (see third and fourth screenshots). 4. DMARC p=reject rollout As mentioned in previous points, DMARC reporting is the first and most important step on your DMARC enforcement journey. Always start with a p=none policy and configure RUA reports to be sent to EasyDMARC. Use the report insights to identify and fix SPF and DKIM alignment issues, then gradually move to p=quarantine and finally p=reject once all legitimate email sources have been authenticated.  This phased approach ensures full protection against domain spoofing without risking legitimate email delivery. 5. adkim Strict Alignment Check This strict alignment check is not always applicable, especially if you’re using third-party bulk ESPs, such as Sendgrid, that require you to set DKIM on a subdomain level. You can set adkim=s in your DMARC TXT record, or simply enable strict mode in EasyDMARC’s Managed DMARC settings. This ensures that only emails with a DKIM signature that exactly match your domain pass alignment, adding an extra layer of protection against domain spoofing. But only do this if you are NOT a bulk sender. 6. Securing Non-Email Enabled Domains The purpose of deploying email security to non-email-enabled domains, or parked domains, is to prevent messages being spoofed from that domain. This requirement remains even if the root-level domain has SP=reject set within its DMARC record. Under this new framework, you must bulk import and mark parked domains as “Parked.” Crucially, this requires adjusting SPF settings to an empty record, setting DMARC to p=reject, and ensuring an empty DKIM record is in place: • SPF record: “v=spf1 -all”. • Wildcard DKIM record with empty public key.• DMARC record: “v=DMARC1;p=reject;adkim=s;aspf=s;rua=mailto:…”. EasyDMARC allows you to add and label parked domains for free. This is important because it helps you monitor any activity from these domains and ensure they remain protected with a strict DMARC policy of p=reject. 7. Compliance Dashboard Use EasyDMARC’s Domain Scanner to assess the security posture of each domain with a clear compliance score and risk level. The dashboard highlights configuration gaps and guides remediation steps, helping government agencies stay on track toward full compliance with the SGE Framework. 8. Inbound DMARC Evaluation Enforced You don’t need to apply any changes if you’re using Google Workspace, Microsoft 365, or other major mailbox providers. Most of them already enforce DMARC evaluation on incoming emails. However, some legacy Microsoft 365 setups may still quarantine emails that fail DMARC checks, even when the sending domain has a p=reject policy, instead of rejecting them. This behavior can be adjusted directly from your Microsoft Defender portal. Read more about this in our step-by-step guide on how to set up SPF, DKIM, and DMARC from Microsoft Defender. If you’re using a third-party mail provider that doesn’t enforce having a DMARC policy for incoming emails, which is rare, you’ll need to contact their support to request a configuration change. 9. Data Loss Prevention Aligned with NZISM The New Zealand Information Security Manual (NZISM) is the New Zealand Government’s manual on information assurance and information systems security. It includes guidance on data loss prevention (DLP), which must be followed to be aligned with the SEG. Need Help Setting up SPF and DKIM for your Email Provider? Setting up SPF and DKIM for different ESPs often requires specific configurations. Some providers require you to publish SPF and DKIM on a subdomain, while others only require DKIM, or have different formatting rules. We’ve simplified all these steps to help you avoid misconfigurations that could delay your DMARC enforcement, or worse, block legitimate emails from reaching your recipients. Below you’ll find comprehensive setup guides for Google Workspace, Microsoft 365, Zoho Mail, Amazon SES, and SendGrid. You can also explore our full blog section that covers setup instructions for many other well-known ESPs. Remember, all this information is reflected in your DMARC aggregate reports. These reports give you live visibility into your outgoing email ecosystem, helping you analyze and fix any issues specific to a given provider. Here are our step-by-step guides for the most common platforms: Google Workspace Microsoft 365 These guides will help ensure your DNS records are configured correctly as part of the Secure Government Email (SGE) Framework rollout. Meet New Government Email Security Standards With EasyDMARC New Zealand’s SEG Framework sets a clear path for government agencies to enhance their email security by October 2025. With EasyDMARC, you can meet these technical requirements efficiently and with confidence. From protocol setup to continuous monitoring and compliance tracking, EasyDMARC streamlines the entire process, ensuring strong protection against spoofing, phishing, and data loss while simplifying your transition from SEEMail.

Red Kong XIX Member Oct 11, 2020 13,560 This is assuming that the handheld can play PS4 games natively without any issues, so they are not included in the poll. Hardware leaker Kepler said it should be able to run PS5 games, even without a patch, but with a performance impact potentially.  Hero_of_the_Day Avenger Oct 27, 2017 19,958 Isn't the rumor that games don't require patches to run on it? That would imply that support isn't mandatory, but automatic.   Homura ▲ Legend ▲ Member Aug 20, 2019 7,232 As the post above said, the rumor is the PS5 portable will be able to run natively any and all PS4/PS5 games. Of course, some games might not work properly or require specific patches, but the idea is automatic compatibility.  shadowman16 Member Oct 25, 2017 42,292 Ideally you'd want stuff to pretty much work out of the box. The more you ask devs to do, the less I imagine will want to support it... Or suddenly games get parred down so that they can run on handhelds (which considering how people hated cross gen for that reason, they'd hate it here as well). I personally would just prefer a solution where its automatic. I dont really care about a Sony handheld, dont really want devs to be forced to support the thing (considering how shit Sony is at supporting its peripherals - like the Vita or PSVR2)  Modest_Modsoul Living the Dreams Member Oct 29, 2017 28,418 🤷‍♂️   setmymindforopensky Member Apr 20, 2025 67 a lot of games have performance modes. it should run a lot of the library even without any patching. if there's multiplat im sure itll default to the PS4 ver. im not sure what theyd do for something like GTA6 but itll have a series S version so its clearly scalable enough. im guessing PSTV situation. support it or not we dont care.  reksveks Member May 17, 2022 7,628 Think Kepler is personally assuming the goal of running without patches is a goal and one that won't happen just cause it's too late to force it. It's going to be an interesting solution to an interesting problem  Servbot24 The Fallen Oct 25, 2017 47,826 Obviously not. Pretty absurd question tbh.   RivalGT Member Dec 13, 2017 7,616 This one sounds like it requires a lot of work on Sony's end, I dont think developers will need to do much for games to work. Granted moving forward Sony is likely to make it easier for devs to have a more input on this portable mode. Things working out of the box is likely the goal, and thats what Sony needs if they want this to work, but devs having more input on this mode would be a plus I think.  Callibretto Member Oct 25, 2017 10,445 Indonesia shadowman16 said: Ideally you'd want stuff to pretty much work out of the box. The more you ask devs to do, the less I imagine will want to support it... Or suddenly games get parred down so that they can run on handhelds (which considering how people hated cross gen for that reason, they'd hate it here as well). I personally would just prefer a solution where its automatic. I dont really care about a Sony handheld, dont really want devs to be forced to support the thing (considering how shit Sony is at supporting its peripherals - like the Vita or PSVR2) Click to expand... Click to shrink... depend on the game imo, asking CD Project to somehow make Witcher 4 playable on handheld might be unreasonable. but any game that can run on Switch 2 should be playable on PSPortable without much issue   Pheonix1 Member Jun 22, 2024 716 Absolutely they will. Not sure why people think it would be hard, if they hand them.the right tools most ports won't take long anyhow.   skeezx Member Oct 27, 2017 23,994 guessing there will be a "portable approved" label with the respective games going forward, regardless whether it's a PS5 or PS6 game. and when the thing is released popular past titles will be retroactively approved by sony, and up to developers if they want to patch the bigger games to be portable friendly. i guess where things could get tricky/laborious for developers is whether every game going forward is required to screen for portable performance, as it's not a PC so the portable will likely disallow for running "non-approved" games at all  AmFreak Member Oct 26, 2017 3,245 They need to give people some form of guarantee that it will get games, otherwise they greatly diminish their potential success. The best way to do this is to make it another SKU of the contemporary console. And with (close to) everything already running at 60fps and progression slowing to a crawl it's far easier than it had been in the past.  Ruck Member Oct 25, 2017 3,105 I mean, what is the handheld? PS6? Or an actual second console? If the former, then yes, if the latter then no   TitanicFall Member Nov 12, 2017 9,340 Nah. It might be incentivized though. There's not much in it for devs if it's a cross buy situation.   Callibretto Member Oct 25, 2017 10,445 Indonesia imo, PS6 will remain their main console, focusing on high fidelity visuals that Switch 2 and portable PC won't be able to run without huge compromise. PSPortable will be secondary console, something like PSPortal, but this time able to play any games that Switch2 can reasonably run. and for the high end games that it can't run, it will use streaming, either from PS6 you own, or PS+ Premium subs  bleits Member Oct 14, 2023 373 They have to if they want to be taken seriously   Vic Damone Jr. Member Oct 27, 2017 20,534 Nope Sony doesn't mandate this stuff and it's why their second product always dies.   fiendcode Member Oct 26, 2017 26,514 I think it depends on what the device really is, if it's more of a "Portal 2" or a "Series SP" or something else entirely (PSP3?). Streaming might be enough for PS6 games along with incentivized PS5/4 patches but whatever SIE does they need to make sure their inhouse teams are ALL on board this time. That was a big part of PSP/Vita's downfall, that the biggest or most important PS Studios snubbed them and the teams that did show up with support are mostly closed and gone now.   Callibretto Member Oct 25, 2017 10,445 Indonesia bleits said: They have to if they want to be taken seriously Click to expand... Click to shrink... from the last interview with PS exec about Switch 2 spec, it seems clear that PS have no plan to abandon high end console spec to switch to mobile hardware like Switch 2 and Xbox Ally. PS consider their high fidelity visual as advantage and differentiator from Nintendo. so with PS6, their top studio will eventuall make games that just won't realistically run on handheld devices. so having a mandate where all PS6 games is playable on handheld is simply unrealistic imo  danm999 Member Oct 29, 2017 19,929 Sydney Incentives, not mandates.   NSESN ▲ Legend ▲ Member Oct 25, 2017 27,729 I think people are setting themselves for disappointment in regards for how powerful this thing will be   defaltoption Plug in a controller and enter the Konami code The Fallen Oct 27, 2017 12,485 Austin Depends on what they call it. If they call it anything related to ps6, expect very bad performance, and mandates If they call it ps5 portable, expect bad performance and no mandates as it will be handled on their end If they call it a ps portable expect it to have no support from Sony and get whatever it gets just be happy it functions till they abandon it.  Metnut Member Apr 7, 2025 30 Good question OP. I voted the middle one. I think anything that ships for PS5 will need to work for the handheld. Question is whether that works automatically or will need patches.  mute ▲ Legend ▲ Member Oct 25, 2017 29,807 I think that would require a level of commitment to a secondary piece of hardware that Sony hasn't shown in a long time.   Patison Member Oct 27, 2017 761 It's difficult to say without knowing what they're planning with this device exactly. If they're fully going Switch route (or PS Vita/PS TV route) or more like a Steam Deck, which will run launch games perfectly and then, as time goes on, some titles might start looking less than ideal or be unplayable at all. Or Series S/X, just the Series S being portable — that would be preferable but also limiting but also diminishing returns between generations so might be worth it etc. And if that device happens at all and its development won't be dropped soon is another question. Lots of unknowns, but I'm interested to see what Sony comes up with, as long as they'll have games to support it this time around.  Jammerz Member Apr 29, 2023 1,579 I think it will be optional support. However sony needs to support it with their first parties to set an example and making it as easy as possible for other devs to scale down. For sony first party games maybe use nixxes to scale down so their studios aren't bogged down.  Hamchan The Fallen Oct 25, 2017 6,000 I think 99.9% of games will be crossgen between PS5 and PS6 for the entire generation, just based on how this industry is going, so it might not be much of an issue for Sony to mandate.   Advance.Wars.Sgt. Member Jun 10, 2018 10,456 Honestly, I'd worry more about Sony's 1st party teams than 3rd party developers since they were notoriously adverse making software with a handheld power profile in mind.   overthewaves Member Sep 30, 2020 1,203 Wouldn't that hamstring the games for ps6? That's PlayStation players biggest fear they don't want a series S type situation right? They treat series S like a punching bag.   Neonvisions Member Oct 27, 2017 707 overthewaves said: Wouldn't that hamstring the games for ps6? That's PlayStation players biggest fear they don't want a series S type situation right? They treat series S like a punching bag. Click to expand... Click to shrink... How would that effect PS6? Are you suggesting that the Series S hamstrings games for the X?  Gwarm Member Nov 13, 2017 2,902 I'd be shocked if Sony released a device that let's you play games that haven't been patched or confirmed to run acceptably. Imagine if certain games just hard crashed the console? This is the company that wouldn't let you play certain Vita games on the PSTV even if they actually worked.   bloopland33 Member Mar 4, 2020 3,845 I wonder if they'll just do the Steam Deck thing and do a compatibility badge. You can boot whatever software you want, but it might run at 5 fps and drain your battery. This would be in addition to whatever efforts they're doing to make things work out of the box, of course. But it's hard to imagine them mandating developers ship a PS6 profile and a PS6P profile for those heavier games 5-7 years from now… ….but it's also hard to imagine them shipping this PS6-gen device that doesn't play everything (depending on how they position it). So maybe they Steam Deck it  vivftp Member Oct 29, 2017 23,016 My guess, every PS6 game will be mandated to support it. PS5 games will support it natively for the simpler games and will require a patch as has been rumored to run on lesser specs I think next gen we get PS3 and Vita emulation so the PS6 and portable will be able to play games from PSN from every past PlayStation  Mocha Joe Member Jun 2, 2021 13,636 Really need to take the Steam Deck approach and don't make it a requirement. Just make it a complementary device where it is possible to play majority of the games available on PSN.   overthewaves Member Sep 30, 2020 1,203 Neonvisions said: How would that effect PS6? Are you suggesting that the Series S hamstrings games for the X? Click to expand... Click to shrink... I mean did you see the reaction here to the series S announcement lol. Everyone was saying it's gonna "hold back the generation".   reksveks Member May 17, 2022 7,628 Neonvisions said: How would that effect PS6? Are you suggesting that the Series S hamstrings games for the X? Click to expand... Click to shrink... Or the perception is that it does but the truth is that there is a lot of factors   Fabs Member Aug 22, 2019 2,827 I can't see the forcing handheld and pro support next gen.   level Member May 25, 2023 1,427 Definitely not Games already take too long to make. Extra time isn't something they'll want to reinforce to their developers.  gofreak Member Oct 26, 2017 8,411 I don't think support will be mandatory. I think they're bringing it into a reality where a growing portion of games can, or could, run without much change or effort on the developer's part on a next gen handheld. They'll lean on that natural trend rather than a policy - anything that is outside of that will just be streamable as now with the Portal.   Caiusto Member Oct 25, 2017 7,086 If they don't want to end up with another Vita yes they will.   mute ▲ Legend ▲ Member Oct 25, 2017 29,807 Advance.Wars.Sgt. said: Honestly, I'd worry more about Sony's 1st party teams than 3rd party developers since they were notoriously adverse making software with a handheld power profile in mind. Click to expand... Click to shrink... It does seem kinda unthinkable that Intergalactic would be made with a handheld in mind, for example.   AmFreak Member Oct 26, 2017 3,245 mute said: It does seem kinda unthinkable that Intergalactic would be made with a handheld in mind, for example. Click to expand... Click to shrink... Ratchet, Returnal, Cyberpunk, etc. also weren't made "with a handheld in mind".   Spoit Member Oct 28, 2017 5,599 Given how much of a pain the series S mandate has been, I don't see them binding even first party studios to it, especially ones that are trying to go for the cutting edge of tech. Since given AMDs timelines, is not going to be anywhere near a base PS5. I'm also skeptical of the claim that'll be able to play ps5 games without extensive patching.  Jawmuncher Crisis Dino Moderator Oct 25, 2017 45,166 Ibis Island No, I think the portable will handle portable stuff "automatically" for what it converts   knightmawk Member Dec 12, 2018 8,900 I expect they'll do everything they can to make sure no one has to think about it and it's as automatic as possible. It'll technically still be part of cert, but the goal will be for it to be rare that a game fails that part of cert and has to be sent back. That being said, I imagine there will be some games that still don't work and developers will be able to submit for that exception.  RivalGT Member Dec 13, 2017 7,616 I think the concept here is similar to how PS4 games play on PS5, the ones with patches I mean, the game will run with a different graphics preset then it would on PS4/ PS4 Pro, so in some cases this means higher resolution or higher frame rate cap. What Sony needs to work on their end is getting this to work without any patches from developers. Its the only way this can work.  Vexii Member Oct 31, 2017 3,103 UK if they don't mandate support, it'll just be a death knell for the format. I don't think they could get away with a dedicated handheld platform now when the Switch and Steam Deck exists   Mobius and Pet Octopus Member Oct 25, 2017 17,065 Just because a game can run on a handheld, doesn't mean that's all required for support. The UI alone likely requires changes for an optimal experience, sometimes necessary to be "playable". Small screen sizes usually needs changes.   SeanMN Member Oct 28, 2017 2,437 If PS6 games support is optional, that will create fragmentation of the platform and uncertain software support. If it's part of the PS6 family and support is mandatory, I can see there being concern that if would hold the generation back with a low capability sku. My thoughts are this should be a PS6 and support the same as the primary console. 

If we don’t lock them down, it will be too late. The official trailer and key art have been revealed for Alien: Earth, which hits FX and Hulu August 12. In the upcoming series, when the mysterious deep space research vessel USCSS Maginot crash-lands on Earth, Wendy and a ragtag group of tactical soldiers make a fateful discovery that puts them face-to-face with the planet’s greatest threat. The series stars Sydney Chandler as Wendy; Timothy Olyphant as Kirsh; Alex Lawther as Hermit; Samuel Blenkin as Boy Kavalier; Babou Ceesay as Morrow;  Adrian Edmondson as Atom Eins; David Rysdahl as Arthur Sylvia; Essie Davis as Dame Sylvia; Lily Newmark as Nibs; Erana James as Curly; Adarsh Gourav as Slightly; Jonathan Ajayi as Smee; Kit Young as Tootles; Diêm Camille as Siberian; Moe Bar-El as Rashidi; and Sandra Yi Sencindiver as Yutani. Noah Hawley is creator and executive producer. Ridley Scott, David W. Zucker, Joseph Iberti, Dana Gonzales, and Clayton Krueger also executive produce. FX Productions produces. VFX are created by Clear Angle Studios, Fin Design & Effects, MPC, Pixomondo, The Third Floor, Untold Studios, and Zoic Studios, with Jonathan Rothbart acting as visual effects supervisor. Check out the official trailer now: Source: FX Journalist, antique shop owner, aspiring gemologist—L'Wren brings a diverse perspective to animation, where every frame reflects her varied passions.

ILM teams with Ben Stiller and Apple TV+ to bring thousands of seamless visual effects shots to the hit drama’s second season. By Clayton Sandell There are mysterious and important secrets to be uncovered in the second season of the wildly popular Apple TV+ series Severance (2022-present). About 3,500 of them are hiding in plain sight. That’s roughly the number of visual effects shots helping tell the Severance story over 10 gripping episodes in the latest season, a collaborative effort led by Industrial Light & Magic. ILM’s Eric Leven served as the Severance season two production visual effects supervisor. We asked him to help pull back the curtain on some of the show’s impressive digital artistry that most viewers will probably never notice. “This is the first show I’ve ever done where it’s nothing but invisible effects,” Leven tells ILM.com. “It’s a really different calculus because nobody talks about them. And if you’ve done them well, they are invisible to the naked eye.” With so many season two shots to choose from, Leven helped us narrow down a list of his favorite visual effects sequences to five. (As a bonus, we’ll also dive into an iconic season finale shot featuring the Mr. Milchick-led marching band.) Before we dig in, a word of caution. This article contains plot spoilers for Severance. (And in case you’re already wondering: No, the goats are not computer-graphics.) Severance tells the story of Mark Scout (Adam Scott), department chief of the secretive Severed Floor located in the basement level of Lumon Industries, a multinational biotech corporation. Mark S., as he’s known to his co-workers, heads up Macrodata Refinement (MDR), a department where employees help categorize numbers without knowing the true purpose of their work.  Mark and his team – Helly R. (Britt Lower), Dylan G. (Zach Cherry), and Irving B. (John Turturro), have all undergone a surgical procedure to “sever” their personal lives from their work lives. The chip embedded in their brains effectively creates two personalities that are sometimes at odds: an “Innie” during Lumon office hours and an “Outie” at home. “This is the first show I’ve ever done where it’s nothing but invisible effects. It’s a really different calculus because nobody talks about them. And if you’ve done them well, they are invisible to the naked eye.”Eric Leven 1. The Running Man (Episode 201: “Hello, Ms. Cobel”) The season one finale ends on a major cliffhanger. Mark S. learns that his Outie’s wife, Gemma – believed killed in a car crash years ago – is actually alive somewhere inside the Lumon complex. Season two opens with Mark S. arriving at the Severed Floor in a desperate search for Gemma, who he only knows as her Innie persona, Ms. Casey. The fast-paced sequence is designed to look like a single, two-minute shot. It begins with the camera making a series of rapid and elaborate moves around a frantic Mark S. as he steps out of the elevator, into the Severed Floor lobby, and begins running through the hallways. “The nice thing about that sequence was that everyone knew it was going to be difficult and challenging,” Leven says, adding that executive producer and Episode 201 director, Ben Stiller, began by mapping out the hallway run with his team. Leven recommended that a previsualization sequence – provided by The Third Floor – would help the filmmakers refine their plan before cameras rolled. “While prevising it, we didn’t worry about how we would actually photograph anything. It was just, ‘These are the visuals we want to capture,’” Leven says. “‘What does it look like for this guy to run down this hallway for two minutes? We’ll figure out how to shoot it later.’” The previs process helped determine how best to shoot the sequence, and also informed which parts of the soundstage set would have to be digitally replaced. The first shot was captured by a camera mounted on a Bolt X Cinebot motion-control arm provided by The Garage production company. The size of the motion-control setup, however, meant it could not fit in the confined space of an elevator or the existing hallways. “We couldn’t actually shoot in the elevator,” Leven says. “The whole elevator section of the set was removed and was replaced with computer graphics [CG].” In addition to the elevator, ILM artists replaced portions of the floor, furniture, and an entire lobby wall, even adding a reflection of Adam Scott into the elevator doors. As Scott begins running, he’s picked up by a second camera mounted on a more compact, stabilized gimbal that allows the operator to quickly run behind and sometimes in front of the actor as he darts down different hallways. ILM seamlessly combined the first two Mark S. plates in a 2D composite. “Part of that is the magic of the artists at ILM who are doing that blend. But I have to give credit to Adam Scott because he ran the same way in both cameras without really being instructed,” says Leven. “Lucky for us, he led with the same foot. He used the same arm. I remember seeing it on the set, and I did a quick-and-dirty blend right there and thought, ‘Oh my gosh, this is going to work.’ So it was really nice.” The action continues at a frenetic pace, ultimately combining ten different shots to complete the sequence. “We didn’t want the very standard sleight of hand that you’ve seen a lot where you do a wipe across the white hallway,” Leven explains. “We tried to vary that as much as possible because we didn’t want to give away the gag. So, there are times when the camera will wipe across a hallway, and it’s not a computer graphics wipe. We’d hide the wipe somewhere else.” A slightly more complicated illusion comes as the camera sweeps around Mark S. from back to front as he barrels down another long hallway. “There was no way to get the camera to spin around Mark while he is running because there’s physically not enough room for the camera there,” says Leven. To capture the shot, Adam Scott ran on a treadmill placed on a green screen stage as the camera maneuvered around him. At that point, the entire hallway environment is made with computer graphics. Artists even added a few extra frames of the actor to help connect one shot to the next, selling the illusion of a single continuous take. “We painted in a bit of Adam Scott running around the corner. So if you freeze and look through it, you’ll see a bit of his heel. He never completely clears the frame,” Leven points out. Leven says ILM also provided Ben Stiller with options when it came to digitally changing up the look of Lumon’s sterile hallways: sometimes adding extra doors, vents, or even switching door handles. “I think Ben was very excited about having this opportunity,” says Leven. “He had never had a complete, fully computer graphics version of these hallways before. And now he was able to do things that he was never able to do in season one.” (Credit: Apple TV+). 2. Let it Snow (Episode 204: “Woe’s Hollow”) The MDR team – Mark, Helly, Dylan, and Irving – unexpectedly find themselves in the snowy wilderness as part of a two-day Lumon Outdoor Retreat and Team-Building Occurrence, or ORTBO.  Exterior scenes were shot on location at Minnewaska State Park Preserve in New York. Throughout the ORTBO sequence, ILM performed substantial environment enhancements, making trees and landscapes appear far snowier than they were during the shoot. “It’s really nice to get the actors out there in the cold and see their breath,” Leven says. “It just wasn’t snowy during the shoot. Nearly every exterior shot was either replaced or enhanced with snow.” For a shot of Irving standing on a vast frozen lake, for example, virtually every element in the location plate – including an unfrozen lake, mountains, and trees behind actor John Turturro – was swapped out for a CG environment. Wide shots of a steep, rocky wall Irving must scale to reach his co-workers were also completely digital. Eventually, the MDR team discovers a waterfall that marks their arrival at a place called Woe’s Hollow. The location – the state park’s real-life Awosting Falls – also got extensive winter upgrades from ILM, including much more snow covering the ground and trees, an ice-covered pond, and hundreds of icicles clinging to the rocky walls. “To make it fit in the world of Severance, there’s a ton of work that has to happen,” Leven tells ILM.com. (Credit: Apple TV+). 3. Welcome to Lumon (Episode 202: “Goodbye, Mrs. Selvig” & Episode 203: “Who is Alive?”) The historic Bell Labs office complex, now known as Bell Works in Holmdel Township, New Jersey, stands in as the fictional Lumon Industries headquarters building. Exterior shots often underwent a significant digital metamorphosis, with artists transforming areas of green grass into snow-covered terrain, inserting a CG water tower, and rendering hundreds of 1980s-era cars to fill the parking lot. “We’re always adding cars, we’re always adding snow. We’re changing, subtly, the shape and the layout of the design,” says Leven. “We’re seeing new angles that we’ve never seen before. On the roof of Lumon, for example, the air conditioning units are specifically designed and created with computer graphics.” In real life, the complex is surrounded by dozens of houses, requiring the digital erasure of entire neighborhoods. “All of that is taken out,” Leven explains. “CG trees are put in, and new mountains are put in the background.” Episodes 202 and 203 feature several night scenes shot from outside the building looking in. In one sequence, a camera drone flying outside captured a long tracking shot of Helena Eagan (Helly R.’s Outie) making her way down a glass-enclosed walkway. The building’s atrium can be seen behind her, complete with a massive wall sculpture depicting company founder Kier Eagan. “We had to put the Kier sculpture in with the special lighting,” Leven reveals. “The entire atrium was computer graphics.” Artists completed the shot by adding CG reflections of the snowy parking lot to the side of the highly reflective building. “We have to replace what’s in the reflections because the real reflection is a parking lot with no snow or a parking lot with no cars,” explains Leven. “We’re often replacing all kinds of stuff that you wouldn’t think would need to be replaced.” Another nighttime scene shot from outside the building features Helena in a conference room overlooking the Lumon parking lot, which sits empty except for Mr. Milchick (Tramell Tillman) riding in on his motorcycle. “The top story, where she is standing, was practical,” says Leven, noting the shot was also captured using a drone hovering outside the window. “The second story below her was all computer graphics. Everything other than the building is computer graphics. They did shoot a motorcycle on location, getting as much practical reference as possible, but then it had to be digitally replaced after the fact to make it work with the rest of the shot.” (Credit: Apple TV+). 4. Time in Motion (Episode 207: “Chikhai Bardo”) Episode seven reveals that MDR’s progress is being monitored by four dopplegang-ish observers in a control room one floor below, revealed via a complex move that has the camera traveling downward through a mass of data cables. “They built an oversize cable run, and they shot with small probe lenses. Visual effects helped by blending several plates together,” explains Leven. “It was a collaboration between many different departments, which was really nice. Visual effects helped with stuff that just couldn’t be shot for real. For example, when the camera exits the thin holes of the metal grate at the bottom of the floor, that grate is computer graphics.” The sequence continues with a sweeping motion-control time-lapse shot that travels around the control-room observers in a spiral pattern, a feat pulled off with an ingenious mix of technical innovation and old-school sleight of hand. A previs sequence from The Third Floor laid out the camera move, but because the Bolt arm motion-control rig could only travel on a straight track and cover roughly one-quarter of the required distance, The Garage came up with a way to break the shot into multiple passes. The passes would later be stitched together into one seemingly uninterrupted movement. The symmetrical set design – including the four identical workstations – helped complete the illusion, along with a clever solution that kept the four actors in the correct position relative to the camera. “The camera would basically get to the end of the track,” Leven explains. “Then everybody would switch positions 90 degrees. Everyone would get out of their chairs and move. The camera would go back to one, and it would look like one continuous move around in a circle because the room is perfectly symmetrical, and everything in it is perfectly symmetrical. We were able to move the actors, and it looks like the camera was going all the way around the room.” The final motion-control move switches from time-lapse back to real time as the camera passes by a workstation and reveals Mr. Drummond (Ólafur Darri Ólafsson) and Dr. Mauer (Robby Benson) standing behind it. Leven notes that each pass was completed with just one take. 5. Mark vs. Mark (Episode 210: “Cold Harbor”) The Severance season two finale begins with an increasingly tense conversation between Innie Mark and Outie Mark, as the two personas use a handheld video camera to send recorded messages back and forth. Their encounter takes place at night in a Lumon birthing cabin equipped with a severance threshold that allows Mark S. to become Mark Scout each time he steps outside and onto the balcony. The cabin set was built on a soundstage at York Studios in the Bronx, New York. The balcony section consisted of the snowy floor, two chairs, and a railing, all surrounded by a blue screen background. Everything else was up to ILM to create. “It was nice to have Ben’s trust that we could just do it,” Leven remembers. “He said, ‘Hey, you’re just going to make this look great, right?’ We said, ‘Yeah, no problem.’” Artists filled in the scene with CG water, mountains, and moonlight to match the on-set lighting and of course, more snow. As Mark Scout steps onto the balcony, the camera pulls back to a wide shot, revealing the cabin’s full exterior. “They built a part of the exterior of the set. But everything other than the windows, even the railing, was digitally replaced,” Leven says. “It was nice to have Ben [Stiller’s] trust that we could just do it. He said, ‘Hey, you’re just going to make this look great, right?’ We said, ‘Yeah, no problem.’”Eric Leven Bonus: Marching Band Magic (Episode 210: “Cold Harbor”) Finally, our bonus visual effects shot appears roughly halfway through the season finale. To celebrate Mark S. completing the Cold Harbor file, Mr. Milchick orders up a marching band from Lumon’s Choreography and Merriment department. Band members pour into MDR, but Leven says roughly 15 to 20 shots required adding a few more digital duplicates. “They wanted it to look like MDR was filled with band members. And for several of the shots there were holes in there. It just didn’t feel full enough,” he says. In a shot featuring a God’s-eye view of MDR, band members hold dozens of white cards above their heads, forming a giant illustration of a smiling Mark S. with text that reads “100%.” “For the top shot, we had to find a different stage because the MDR ceiling is only about eight feet tall,” recalls Leven. “And Ben really pushed to have it done practically, which I think was the right call because you’ve already got the band members, you’ve made the costumes, you’ve got the instruments. Let’s find a place to shoot it.” To get the high shot, the production team set up on an empty soundstage, placing signature MDR-green carpet on the floor. A simple foam core mock-up of the team’s desks occupied the center of the frame, with the finished CG versions added later. Even without the restraints of the practical MDR walls and ceiling, the camera could only get enough height to capture about 30 band members in the shot. So the scene was digitally expanded, with artists adding more green carpet, CG walls, and about 50 more band members. “We painted in new band members, extracting what we could from the practical plate,” Leven says. “We moved them around; we added more, just to make it look as full as Ben wanted.” Every single white card in the shot, Leven points out, is completely digital. (Credit: Apple TV+). A Mysterious and Important Collaboration With fans now fiercely debating the many twists and turns of Severance season two, Leven is quick to credit ILM’s two main visual effects collaborators: east side effects and Mango FX INC, as well as ILM studios and artists around the globe, including San Francisco, Vancouver, Singapore, Sydney, and Mumbai. Leven also believes Severance ultimately benefited from a successful creative partnership between ILM and Ben Stiller. “This one clicked so well, and it really made a difference on the show,” Leven says. “I think we both had the same sort of visual shorthand in terms of what we wanted things to look like. One of the things I love about working with Ben is that he’s obviously grounded in reality. He wants to shoot as much stuff real as possible, but then sometimes there’s a shot that will either come to him late or he just knows is impractical to shoot. And he knows that ILM can deliver it.” — Clayton Sandell is a Star Wars author and enthusiast, TV storyteller, and a longtime fan of the creative people who keep Industrial Light & Magic and Skywalker Sound on the leading edge of visual effects and sound design. Follow him on Instagram (@claytonsandell) Bluesky (@claytonsandell.com) or X (@Clayton_Sandell).

Email authentication protocols like SPF, DKIM, and DMARC play a critical role in protecting domains from spoofing and phishing. However, when SEGs are introduced into the email path, the interaction with these protocols becomes more complex. Security gateways(SEGs) are a core part of many organizations’ email infrastructure. They act as intermediaries between the public internet and internal mail systems, inspecting, filtering, and routing messages. This blog examines how security gateways handle SPF, DKIM, and DMARC, with real-world examples from popular gateways such as Proofpoint, Mimecast, and Avanan. We’ll also cover best practices for maintaining authentication integrity and avoiding misconfigurations that can compromise email authentication or lead to false DMARC failures. Security gateways often sit at the boundary between your organization and the internet, managing both inbound and outbound email traffic. Their role affects how email authentication protocols behave. An inbound SEG examines emails coming into your organization. It checks SPF, DKIM, and DMARC to determine if the message is authentic and safe before passing it to your internal mail servers. An outbound SEG handles emails sent from your domain. It may modify headers, rewrite envelope addresses, or even apply DKIM signing. All of these can impact SPF,  DKIM, or DMARC validation on the recipient’s side. Understanding how SEGs influence these flows is crucial to maintaining proper authentication and avoiding unexpected DMARC failures. Inbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When an email comes into your organization, your security gateway is the first to inspect it. It checks whether the message is real, trustworthy, and properly authenticated. Let’s look at how different SEGs handle these checks. Avanan (by Check Point) SPF: Avanan verifies whether the sending server is authorized to send emails for the domain by checking the SPF record. DKIM: It verifies if the message was signed by the sending domain and if that signature is valid. DMARC: It uses the results of the SPF and DKIM check to evaluate DMARC. However, final enforcement usually depends on how DMARC is handled by Microsoft 365 or Gmail, as Avanan integrates directly with them. Avanan offers two methods of integration:1. API integration: Avanan connects via APIs, no change in MX, usually Monitor or Detect modes.2. Inline integration: Avanan is placed inline in the mail flow (MX records changed), actively blocking or remediating threats. Proofpoint Email Protection SPF: Proofpoint checks SPF to confirm the sender’s IP is authorized to send on behalf of the domain. You can set custom rules (e.g. treat “softfail” as “fail”). DKIM: It verifies DKIM signatures and shows clear pass/fail results in logs. DMARC: It fully evaluates DMARC by combining SPF and DKIM results with alignment checks. Administrators can configure how to handle messages that fail DMARC, such as rejecting, quarantining, or delivering them. Additionally, Proofpoint allows whitelisting specific senders you trust, even if their emails fail authentication checks. Integration Methods Inline Mode: In this traditional deployment, Proofpoint is positioned directly in the email flow by modifying MX records. Emails are routed through Proofpoint’s infrastructure, allowing it to inspect and filter messages before they reach the recipient’s inbox. This mode provides pre-delivery protection and is commonly used in on-premises or hybrid environments. API-Based (Integrated Cloud Email Security – ICES) Mode: Proofpoint offers API-based integration, particularly with cloud email platforms like Microsoft 365 and Google Workspace. In this mode, Proofpoint connects to the email platform via APIs, enabling it to monitor and remediate threats post-delivery without altering the email flow. This approach allows for rapid deployment and seamless integration with existing cloud email services. Mimecast SPF: Mimecast performs SPF checks to verify whether the sending server is authorized by the domain’s SPF record. Administrators can configure actions for SPF failures, including block, quarantine, permit, or tag with a warning. This gives flexibility in balancing security with business needs. DKIM: It validates DKIM signatures by checking that the message was correctly signed by the sending domain and that the content hasn’t been tampered with. If the signature fails, Mimecast can take actions based on your configured policies. DMARC: It fully evaluates DMARC by combining the results of SPF and DKIM with domain alignment checks. You can choose to honor the sending domain’s DMARC policy (none, quarantine, reject) or apply custom rules, for example, quarantining or tagging messages that fail DMARC regardless of the published policy. This allows more granular control for businesses that want to override external domain policies based on specific contexts. Integration Methods Inline Deployment: Mimecast is typically deployed as a cloud-based secure email gateway. Organizations update their domain’s MX records to point to Mimecast, so all inbound (and optionally outbound) emails pass through it first. This allows Mimecast to inspect, filter, and process emails before delivery, providing robust protection. API Integrations: Mimecast also offers API-based services through its Mimecast API platform, primarily for management, archival, continuity, and threat intelligence purposes. However, API-only email protection is not Mimecast’s core model. Instead, the APIs are used to enhance the inline deployment, not replace it. Barracuda Email Security Gateway SPF: Barracuda checks the sender’s IP against the domain’s published SPF record. If the check fails, you can configure the system to block, quarantine, tag, or allow the message, depending on your policy preferences. DKIM: It validates whether the incoming message includes a valid DKIM signature. The outcome is logged and used to inform further policy decisions or DMARC evaluations. DMARC: It combines SPF and DKIM results, checks for domain alignment, and applies the DMARC policy defined by the sender. Administrators can also choose to override the DMARC policy, allowing messages to pass or be treated differently based on organizational needs (e.g., trusted senders or internal exceptions). Integration Methods Inline mode (more common and straightforward): Barracuda Email Security Gateway is commonly deployed inline by updating your domain’s MX records to point to Barracuda’s cloud or on-premises gateway. This ensures that all inbound emails pass through Barracuda first for filtering and SPF, DKIM, and DMARC validation before being delivered to your mail servers. Deployment Behind the Corporate Firewall: Alternatively, Barracuda can be deployed in transparent or bridge mode without modifying MX records. In this setup, the gateway is placed inline at the network level, such as behind a firewall, and intercepts mail traffic transparently. This method is typically used in complex on-premises environments where changing DNS records is not feasible. Cisco Secure Email (formerly IronPort) Cisco Secure Email acts as an inline gateway for inbound email, usually requiring your domain’s MX records to point to the Cisco Email Security Appliance or cloud service. SPF: Cisco Secure Email verifies whether the sending server is authorized in the sender domain’s SPF record. Administrators can set detailed policies on how to handle SPF failures. DKIM: It validates the DKIM signature on incoming emails and logs whether the signature is valid or has failed. DMARC: It evaluates DMARC by combining SPF and DKIM results along with domain alignment checks. Admins can configure specific actions, such as quarantine, reject, or tag, based on different failure scenarios or trusted sender exceptions. Integration methods On-premises Email Security Appliance (ESA): You deploy Cisco’s hardware or virtual appliance inline, updating MX records to route mail through it for filtering. Cisco Cloud Email Security: Cisco offers a cloud-based email security service where MX records are pointed to Cisco’s cloud infrastructure, which filters and processes inbound mail. Cisco Secure Email also offers advanced, rule-based filtering capabilities and integrates with Cisco’s broader threat protection ecosystem, enabling comprehensive inbound email security. Outbound Handling of SPF, DKIM, and DMARC by Common Security Gateways When your organization sends emails, security gateways can play an active role in processing and authenticating those messages. Depending on the configuration, a gateway might rewrite headers, re-sign messages, or route them through different IPs – all actions that can help or hurt the authentication process. Let’s look at how major SEGs handle outbound email flow. Avanan – Outbound Handling and Integration Methods Outbound Logic Avanan analyzes outbound emails primarily to detect data loss, malware, and policy violations. In API-based integration, emails are sent directly by the original mail server (e.g., Microsoft 365 or Google Workspace), so SPF and DKIM signatures remain intact. Avanan does not alter the message or reroute traffic, which helps maintain full DMARC alignment and domain reputation. Integration Methods 1. API Integration: Connects to Microsoft 365 or Google Workspace via API. No MX changes are needed. Emails are scanned after they are sent, with no modification to SPF, DKIM, or the delivery path.  How it works: Microsoft Graph API or Google Workspace APIs are used to monitor and intervene in outbound emails. Protection level: Despite no MX changes, it can offer inline-like protection, meaning it can block, quarantine, or encrypt emails before they are delivered externally. SPF/DKIM/DMARC impact: Preserves original headers and signatures since mail is sent directly from Microsoft/Google servers. 2. Inline Integration: Requires changing MX records to route email through Avanan. In this mode, Avanan can intercept and inspect outbound emails before delivery. Depending on the configuration, this may affect SPF or DKIM if not properly handled. How it works: Requires adding Avanan’s Protection level: Traditional inline security with full visibility and control, including encryption, DLP, policy enforcement, and advanced threat protection. SPF/DKIM/DMARC impact: SPF configuration is needed by adding Avanan’s include mechanism to the sending domain’s SPF record. The DKIM record of the original sending source is preserved. For configurations, you can refer to the steps in this blog. Proofpoint – Outbound Handling and Integration Methods Outbound Logic Proofpoint analyzes outbound emails to detect and prevent data loss (DLP), to identify advanced threats (malware, phishing, BEC) originating from compromised internal accounts, and to ensure compliance. Their API integration provides crucial visibility and powerful remediation capabilities, while their traditional gateway (MX record) deployment delivers true inline, pre-delivery blocking for outbound traffic. Integration methods 1. API Integration: No MX record changes are required for this deployment method. Integration is done with Microsoft 365 or Google Workspace. How it works: Through its API integration, Proofpoint gains deep visibility into outbound emails and provides layered security and response features, including: Detect and alert: Identifies sensitive content (Data Loss Prevention violations), malicious attachments, or suspicious links in outbound emails. Post-delivery remediation (TRAP): A key capability of the API model is Threat Response Auto-Pull (TRAP), which enables Proofpoint to automatically recall, quarantine, or delete emails after delivery. This is particularly useful for internally sent messages or those forwarded to other users. Enhanced visibility: Aggregates message metadata and logs into Proofpoint’s threat intelligence platform, giving security teams a centralized view of outbound risks and user behavior. Protection level: API-based integration provides strong post-delivery detection and response, as well as visibility into DLP incidents and suspicious behavior.  SPF/DKIM/DMARC impact: Proofpoint does not alter SPF, DKIM, or DMARC because emails are sent directly through Microsoft or Google servers. Since Proofpoint’s servers are not involved in the actual sending process, the original authentication headers remain intact. 2. Gateway Integration (MX Record/Smart Host): This method requires updating MX records or routing outbound mail through Proofpoint via a smart host. How it works: Proofpoint acts as an inline gateway, inspecting emails before delivery. Inbound mail is filtered via MX changes; outbound mail is relayed through Proofpoint’s servers. Threat and DLP filtering: Scans outbound messages for sensitive content, malware, and policy violations. Real-time enforcement: Blocks, encrypts, or quarantines emails before they’re delivered. Policy controls: Applies rules based on content, recipient, or behavior. Protection level: Provides strong, real-time protection for outbound traffic with pre-delivery enforcement, DLP, and encryption. SPF/DKIM/DMARC impact: Proofpoint becomes the sending server: SPF: You need to configure ProofPoint’s SPF. DKIM: Can sign messages; requires DKIM setup. DMARC: DMARC passes if SPF and DKIM are set up properly. Please refer to this article to configure SPF and DKIM for ProofPoint. Mimecast – Outbound Handling and Integration Methods Outbound Logic Mimecast inspects outbound emails to prevent data loss (DLP), detect internal threats such as malware and impersonation, and ensure regulatory compliance. It primarily functions as a Secure Email Gateway (SEG), meaning it sits directly in the outbound email flow. While Mimecast offers APIs, its core outbound protection is built around this inline gateway model. Integration Methods 1. Gateway Integration (MX Record change required) This is Mimecast’s primary method for outbound email protection. Organizations route their outbound traffic through Mimecast by configuring their email server (e.g., Microsoft 365, Google Workspace, etc.) to use Mimecast as a smart host. This enables Mimecast to inspect and enforce policies on all outgoing emails in real time. How it works: Updating outbound routing in your email system (smart host settings), or Using Mimecast SMTP relay to direct messages through their infrastructure. Mimecast then scans, filters, and applies policies before the email reaches the final recipient. Protection level: Advanced DLP: Identifies and prevents sensitive data leaks. Impersonation and Threat Protection: Blocks malware, phishing, and abuse from compromised internal accounts. Email Encryption and Secure Messaging: Applies encryption policies or routes messages via secure portals. Regulatory Compliance: Enforces outbound compliance rules based on content, recipient, or metadata. SPF/DKIM/DMARC impact: SPF: Your SPF record must include Mimecast’s SPF mechanism based on your region to avoid SPF failures. DKIM: A new DKIM record should be configured to make sure your emails are DKIM signed when routing through Mimecast. DMARC: With correct SPF and DKIM setup, Mimecast ensures DMARC alignment, maintaining your domain’s sending reputation. Please refer to the steps in this detailed article to set up SPF and DKIM for Mimecast. 2. API Integration (Complementary to Gateway) Mimecast’s APIs complement the main gateway by providing automation, reporting, and management tools rather than handling live outbound mail flow. They allow you to manage policies, export logs, search archived emails, and sync users. APIs enhance visibility and operational tasks but do not provide real-time filtering or blocking of outbound messages. Since APIs don’t process live mail, they have no direct effect on SPF, DKIM, or DMARC; those depend on your gateway (smart host) setup. Barracuda – Outbound Handling and Integration Methods Outbound Logic Barracuda analyzes outbound emails to prevent data loss (DLP), block malware, stop phishing/impersonation attempts from compromised internal accounts, and ensure compliance. Barracuda offers flexible deployment options, including both traditional gateway (MX record) and API-based integrations. While both contribute to outbound security, their roles are distinct. Integration Methods 1. Gateway Integration (MX Record / Smart Host) — Primary Inline Security How it works: All outbound emails pass through Barracuda’s security stack for real-time inspection, threat blocking, and policy enforcement before delivery. Protection level: Comprehensive DLP (blocking, encrypting, or quarantining sensitive content)  Outbound spam and virus filtering  Enforcement of compliance and content policies This approach offers a high level of control and immediate threat mitigation on outbound mail flow. SPF/DKIM/DMARC impact: SPF: Update SPF records to include Barracuda’s sending IPs or SPF include mechanism. DKIM: Currently, no explicit setup is needed; DKIM of the main sending source is preserved. Refer to this article for more comprehensive guidance on Barracuda SEG configuration. 2. API Integration (Complementary & Advanced Threat Focus) How it works: The API accesses cloud email environments to analyze historical and real-time data, learning normal communication patterns to detect anomalies in outbound emails. It also supports post-delivery remediation, enabling the removal of malicious emails from internal mailboxes after sending. Protection level: Advanced AI-driven detection and near real-time blocking of outbound threats, plus strong post-delivery cleanup capabilities. SPF/DKIM/DMARC impact: Since mail is sent directly by the original mail server (e.g., Microsoft 365), SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation. Cisco Secure Email (formerly IronPort) – Outbound Handling and Integration Methods Outbound Logic Cisco Secure Email protects outbound email by preventing data loss (DLP), blocking spam and malware from internal accounts, stopping business email compromise (BEC) and impersonation attacks, and ensuring compliance. Cisco provides both traditional gateway appliances/cloud gateways and modern API-based solutions for layered outbound security. Integration Methods 1. Gateway Integration (MX Record / Smart Host) – Cisco Secure Email Gateway (ESA) How it works: Organizations update MX records to route mail through the Cisco Secure Email Gateway or configure their mail server (e.g., Microsoft 365, Exchange) to smart host outbound email via the gateway. All outbound mail is inspected and policies enforced before delivery. Protection level: Granular DLP (blocking, encrypting, quarantining sensitive content) Outbound spam and malware filtering to protect IP reputation Email encryption for sensitive outbound messages Comprehensive content and attachment policy enforcement SPF: Check this article for comprehensive guidance on Cisco SPF settings. DKIM: Refer to this article for detailed guidance on Cisco DKIM settings. 2. API Integration – Cisco Secure Email Threat Defense How it works: Integrates directly via API with Microsoft 365 (and potentially Google Workspace), continuously monitoring email metadata, content, and user behavior across inbound, outbound, and internal messages. Leverages Cisco’s threat intelligence and AI to detect anomalous outbound activity linked to BEC, account takeover, and phishing. Post-Delivery Remediation: Automates the removal or quarantine of malicious or policy-violating emails from mailboxes even after sending. Protection level: Advanced, AI-driven detection of sophisticated outbound threats with real-time monitoring and automated remediation. Complements gateway filtering by adding cloud-native visibility and swift post-send action. SPF/DKIM/DMARC impact: Since emails are sent directly by the original mail server, SPF and DKIM signatures remain intact, preserving DMARC alignment and domain reputation. If you have any questions or need assistance, feel free to reach out to EasyDMARC technical support.

A significant cyber breach at His Majesty’s Revenue and Customs (HMRC) that saw scammers cheat the public purse out of approximately £47m has been met with dismay from security experts thanks to the sheer simplicity of the attack, which originated via account takeover attempts on legitimate taxpayers. HMRC disclosed the breach to a Treasury Select Committee this week, revealing that hackers accessed the online accounts of about 100,000 people via phishing attacks and managed to claim a significant amount of money in tax rebates before being stopped. It is understood that those individuals affected have been contacted by HMRC – they have not personally lost any money and are not themselves in any trouble. Arrests in the case have already been made. During proceedings, HMRC also came in for criticism by the committee’s chair Meg Hillier, who had learned about the via an earlier news report on the matter, over the length of time taken to come clean over the incident. With phishing emails sent to unwitting taxpayers identified as the initial attack vector for the scammers, HMRC might feel relieved that it has dodged full blame for the incident. But according to Will Richmond-Coggan, a partner specialising in data and cyber disputes at law firm Freeths, even though the tax office had gone to pains to stress its own systems were never actually compromised, the incident underscored just how widespread the consequences of cyber attacks can be – snowballing from simple origins into a multimillion pound loss. “It is clear from HMRC's explanation that the crime against HMRC was only possible because of earlier data breaches and cyber attacks,” said Richmond-Coggan. “Those earlier attacks put personal data in the hands of the criminals which enabled them to impersonate tax payers and apply successfully to claim back tax.” Meanwhile, Gerasim Hovhannisyan, CEO of EasyDMARC, an email security provider, pointed out that phishing against both private individuals and businesses and other organisations had long ago moved beyond the domain of scammers chancing their luck. While this type of scattergun fraud remains a potent threat, particularly to consumers who may not be informed about cyber security matters – the scale of the HMRC phish surely suggests a targeted operation, likely using carefully crafted email purporting to represent HMRC itself, designed to lure self-assessment taxpayers into handing over their accounts. Not only that, but generative artificial intelligence (GenAI) means targeted phishing operations have become exponentially more dangerous in a very short space of time, added Hovhannisyan. “[It] has made [phishing] scalable, polished, and dangerously convincing, often indistinguishable from legitimate communication. And while many organisations have strengthened their security perimeters, email remains the most consistently exploited and underestimated attack vector,” he said. “These scams exploit human trust, using urgency, authority, and increasingly realistic impersonation tactics. If HMRC can be phished, anyone can.” Added Hovhannisyan: “What’s more alarming is that the Treasury Select Committee only learned of the breach through the news. When £47m is stolen through impersonation, institutions can’t afford to stay quiet. Delayed disclosure erodes trust, stalls response, and gives attackers room to manoeuvre.” Once again a service’s end-users have turned out to be the source of a cyber attack and as such, whether they are internal or – as in this case – external, are often considered an organisation’s first line of defence. However, it is not always wise to take this approach, and for an organisation like HMRC daily engaging with members of the public, it is also not really possible. Security education is a difficult proposition at the best of times and although the UK’s National Cyber Security Centre (NCSC) provides extensive advice and guidance on spotting and dealing with phishing emails for consumers – it also operates a phishing reporting service that as of April 2025 has received over 41 million scam reports – bodies like HMRC cannot rely on everybody having visited the NCSC’s website. As such, Mike Britton, chief information officer (CIO) at Abnormal AI, a specialist in phishing, social engineering and account takeover prevention, argued that HMRC could and should have done more from a technical perspective. “Governments will always be a high tier target for cyber criminals due to the valuable information they hold. In fact, attacks against this sector are rising,” he said. “In this case, it looks like criminals utilised account take over to conduct fraud. To combat this, multifactor authentication (MFA) is key, but as attacks grow more sophisticated, further steps must be taken.” Britton said organisations like HMRC really needed to consider adopting more layered security strategies, not only including MFA but also incorporating wider visibility and unified controls across its IT systems. Account takeover attacks such as the ones seen in this incident can unfold quickly, he added, so its cyber function should also be equipped with the tools to identify and remediate compromised accounts on the fly. Read more about trends in phishing Quishing, meaning QR code phishing, is an offputting term for an on-the-rise attack method. Learn how to defend against it. A healthy dose of judicious skepticism is crucial to preventing phishing attacks, said David Fine, supervisory special agent at the FBI, during a presentation at a HIMSS event. Exchange admins got a boost from Microsoft when it improved how it handles DMARC authentication failures to help organisations fight back from email-based attacks on their users.