July 8, 2026

Inbox wars: reply-all at dawn

DKIM2 and DMARCbis Have Landed

Email gets a big security glow-up — and the comments are already panicking

TLDR: A major email security upgrade just landed, aiming to stop fake messages and make forwarding less of a mess, with Stalwart claiming the first full implementation. Commenters are split between “finally, progress” and fears that more complexity will hand even more power to Google, Apple, and Microsoft.

Email’s invisible security plumbing just got a major makeover, and the internet’s reaction is basically: finally... but also, uh-oh. The big news is that two long-brewing upgrades to email verification have arrived, promising to make messages harder to fake, less likely to break when forwarded, and better at proving whether a bounce or warning is real. Stalwart says it’s the first mail server to fully support both, which earned it a polite golf clap from one commenter who linked to a prior discussion like a proud receipt-holder: “you’re among the first few who have done it”.

But the real party starts in the replies, where the mood swings wildly between relief and doomposting. One camp is thrilled that someone is finally fixing email’s ancient weak spots. The other camp hears “new rules” and immediately sees a future where normal people are locked out of using their own domains while Google, Apple, and Microsoft sit on the throne. One commenter groaned, “Aw hell. How many things do I have to set up”, while another basically translated the whole announcement into: “Cool, but how will the big three use this to make email impossible without them?”

Then came the classic security-world horror movie subplot: a commenter warning that the new email-rewriting system sounds like a “spammer/exploit vector waiting to happen.” So yes, this is one of those deeply nerdy protocol launches that somehow turned into a familiar internet drama: is this the fix email desperately needed, or the next layer of complexity that only giant companies can afford to survive?

Key Points

  • The article says DKIM2 redesigns DKIM so signatures form a verifiable chain of custody, allowing forwarding to preserve verification, preventing replayed messages from verifying, and enabling genuine bounces to be proven.
  • DMARCbis was published in May 2026 as RFC 9989, RFC 9990, and RFC 9991, and the article says it replaces the static Public Suffix List with a live DNS tree walk and removes ineffective tags.
  • Stalwart v0.16.12 is presented as the first mail server to fully implement both DKIM2 and DMARCbis.
  • The article explains that DKIM signs selected headers and the message body with a private key, while receivers fetch the public key from DNS to verify authorization and message integrity.
  • The article identifies two main DKIM1 problems: signatures are not bound to a recipient, enabling replay attacks, and message modifications by mailing lists, gateways, or forwarders can break signatures.

Hottest takes

"spammer/exploit vector waiting to happen" — jeroenhd
"Aw hell. How many things do I have to set up" — qurren
"make it impossible to use email except through them" — bigbuppo
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.