
How to Mature from Reactive to Proactive DNS and Email Security Posture

In this webinar, we will explore how to shift from a reactive approach to a proactive email security posture, ensuring your domain, brand, and recipients are protected before an attack occurs.

DNS Security

Hosts: EasyDMARC & Authentic Web
Speakers:

  • Courtney Austin – VP of Marketing, EasyDMARC
  • Peter LaMantia – CEO, Authentic Web
  • Sean (Authentic Web)
  • Hofet (EasyDMARC)

Opening Remarks

Courtney:
Hi everyone, welcome and thanks for joining us today.
We’ll get underway in just a moment as more people log in. My name is Courtney Austin, Vice President of Marketing here at EasyDMARC. Thank you for being on time and joining early.

Today’s webinar should last about forty‑five minutes, including time for Q&A at the end. You can submit questions using the Q&A button at the bottom of your screen.

Once everyone is in, we’ll get started.

(brief pause)

Okay, looks like the numbers are coming up. Peter, you all set?

Peter:
I am—very excited.

Courtney:
Perfect. We know virtual sessions are great, but both EasyDMARC and Authentic Web have plenty of live events coming up as well, so be sure to check our websites for conference schedules.

All right, it’s two minutes past the hour, so let’s get started.


Introduction and Agenda

Courtney:
Thank you all for joining us.
I’m honored to co‑host this session with Authentic Web as we explore how to move from a reactive to a proactive DNS and email‑security posture.

Cybersecurity is no longer about reacting to incidents—it’s about taking preventive action. The best defense is a strong offense.

We’ll cover:

  • Moving from reactive to proactive security
  • Compliance and regulatory expectations
  • Hidden DNS and email vulnerabilities
  • How to detect security gaps before an attack

The webinar will include perspectives from both companies and a lot of practical insight.


Speaker Introductions

Courtney:
A quick round of introductions.
I’ve been in cybersecurity for about 15–20 years and in networking software for another decade. The key to success in this industry is listening closely to customers, understanding their challenges, and being authentic—something that aligns perfectly with our partners at Authentic Web.

Hofet (EasyDMARC):
I’ve been with EasyDMARC for about five years, helping enterprises secure their outbound email infrastructure—everything from authentication to DMARC deployment. I assist teams in building stronger protection around their mailing ecosystems.

Peter LaMantia (Authentic Web):
Thanks, Hofet. It’s great to work with the EasyDMARC team. We complement each other really well when helping clients strengthen their security.

I founded Authentic Web in 2013. Before that, I was president of a registrar within a Fortune 1000 organization—we owned about a thousand domains, and managing them was chaotic. We didn’t know what was in our zones, had no change control, and lacked visibility.

That challenge led me to build technology enabling enterprises to secure and manage their domains and DNS easily, with automation and visibility.

Sean (Authentic Web):
I’ve been with Authentic Web for two years, focusing on DNS security and corporate domain‑management practices. Before that, I spent over twenty‑five years managing large‑scale DNS, email, and hosting infrastructures—literally millions of records. Helping companies protect that layer is critical.

Courtney:
Great, thank you all. It’s always interesting getting perspectives from different geographies—Asia, Europe, and North America. Let’s jump in.


Reactive vs Proactive Security

Courtney:
Cybersecurity shouldn’t be reactive. It should be a proactive strategy—anticipating risk before something happens. In sports we say, “The best defense is a good offense,” and that applies perfectly here.

Peter, what do you see among customers when it comes to making that shift?

Peter:
The core issue is visibility and control. Many enterprises still manage domains and DNS through multiple providers, creating silos. Without unified oversight, establishing change controls is near impossible.

Cleaning up DNS manually is overwhelming, so it doesn’t happen. Teams can’t see vulnerabilities clearly—and that’s what keeps them reactive instead of proactive.

Sean:
Exactly. DNS and email are the front doors of security. Breaches often start there—through phishing or misconfigured records. Attackers exploit what’s public and exposed. Securing the perimeter at the DNS and email layer is the first step.

Hofet:
From the email side, companies often contact us after an incident—usually after phishing or credential theft. We’ve seen financial institutions where the majority of outbound traffic wasn’t even legitimate. Being proactive avoids that.


Compliance and DNS Security

Courtney:
Let’s talk about compliance. It’s a big deal globally, especially for regulated industries. Peter, could you expand on that?

Peter:
Absolutely. Every major security framework requires auditable control and monitoring of critical infrastructure—and DNS is critical infrastructure.

If you’re signing compliance attestations without covering DNS, you’re exposed. When incidents happen, liability follows, along with brand damage.

You must treat the DNS layer as essential to maintaining compliance and security posture.

Sean:
As someone who had to sign compliance certifications, I can tell you: frameworks like SOC 2 or ISO exist for a reason. Following them isn’t just about passing audits—it’s about practicing good security hygiene. Ignoring DNS leaves a massive gap.


Email Security and Regulatory Shifts

Courtney:
Hofet, I know major changes are coming in email security as well. Could you walk us through those?

Hofet:
Sure. Over a year ago, Yahoo and Google announced new requirements for bulk senders—enforcing SPF, DKIM, and DMARC alignment. They’re not demanding enforcement yet, but that push encouraged many organizations to start implementing DMARC.

At the same time, the PCI DSS framework added similar recommendations. Some governments now even require enforced DMARC for financial institutions.

The key is doing it right—implementing proper reporting and alignment, not just adding an empty record. Without reporting, you can’t monitor what’s really happening or prevent abuse.

When properly deployed, DMARC strengthens authentication, improves deliverability, and reduces the risk of impersonation attacks.


DNS Vulnerabilities and Hidden Risks

Courtney:
Let’s turn to DNS vulnerabilities. Peter, could you explain the main ones you see?

Peter:
Sure. The numbers are staggering. Almost every enterprise we audit has DNS exposures—from orphaned IPs and dangling CNAMEs to insecure redirects.

The DNS is public; anyone can view your configuration. Bad actors use the same tools we do—they find weaknesses and exploit them.

Having multiple providers and poor visibility makes it difficult to identify these issues internally. Teams must modernize and centralize to stay protected.

Sean:
Right. Dangling CNAMEs and orphaned IPs are two of the biggest problems. They occur when old projects end, but DNS records remain active. Attackers can repurpose those endpoints to impersonate your brand.

Insecure redirects are another risk. If any step in a redirect chain isn’t HTTPS, attackers can perform man‑in‑the‑middle attacks to steal data or credentials.

Missing or weak SPF and DMARC records, and domains without an SOA record (known as lame delegations), also open the door to hijacking.

Courtney:
And across industries?

Peter:
It’s everywhere—retail, financial, healthcare, government. In healthcare audits we’ve done, nearly all organizations shared the same issues—limited SPF coverage and multiple unmanaged DNS providers. It’s a universal challenge.


Shifting to Best Practices

Courtney:
So how do companies move from reactive to proactive? What does “good” look like?

Peter:
It starts with audits and monitoring. You need to know when changes happen and whether those changes introduce risk.

Remove orphaned or dangling records, enforce strict HTTPS from origin to endpoint, ensure SOA records are established, and achieve 100% SPF/DMARC coverage.

Finally, manage everything from a single pane of glass—domains, DNS, and certificates together. That’s how IT and security teams can align.

Sean:
Visibility is key. Once‑a‑month reviews aren’t enough. Continuous monitoring ensures any new exposure is caught immediately. You can’t fix what you can’t see.


Email Vulnerabilities

Courtney:
Hofet, can you walk us through common email misconfigurations?

Hofet:
Definitely. Common issues include:

  • DMARC records missing reporting tags
  • SPF records using outdated “+all” syntax, allowing any sender to pass SPF
  • Forgotten domains listed in SPF “include” mechanisms that now belong to others
  • Weak DKIM keys or unused length tags that allow message tampering

Another frequent mistake is setting DMARC to “reject” only on the root domain while leaving all subdomains unprotected.

Best practices include enabling DMARC reporting, cleaning up SPF syntax with automated tools, rotating DKIM keys every three to six months, and inheriting DMARC policies from the root domain unless ownership is decentralized.


Steps to Move Forward

Courtney:
To wrap up, here’s a quick roadmap for building a proactive security posture:

  1. Prioritize DNS and email security across the organization—get executive buy‑in.
  2. Audit your current environment thoroughly.
  3. Detect and Define: identify exposures and establish clear security policies.
  4. Modernize: move from manual processes to automated systems that ensure continuous visibility and compliance.

Peter:
Exactly. DNS is often called a “black box,” but it doesn’t have to be. It’s not a matter of if you’ll be targeted—it’s already happening. You need tools that help you discover, investigate, resolve, and verify vulnerabilities continuously.

Sean:
I like to think of DNS and email as the front door to your digital house. Many companies are busy locking cabinets in the kitchen but forget to lock the front door. That’s where attacks usually start.

Hofet:
And from the email side—be proactive. Don’t wait for an incident. Implement authentication protocols properly and monitor them continuously.


Closing Remarks

Courtney:
We’re almost out of time, but before we wrap up:
If you’d like an audit, contact us and we’ll run one for you so you can see your exposure firsthand.

Hofet:
For those interested in deeper learning, the EasyDMARC Academy is launching updated training modules soon covering DMARC, SPF, and DNS fundamentals.

Courtney:
Perfect. Thank you, Peter, Sean, and Hofet—and thank you to everyone who joined us.

We’ll send out the recording afterward so you can share it internally.

On behalf of EasyDMARC and Authentic Web, thanks again for your time and participation. Stay secure and have a great rest of the week.

Webinar Transcript: From Reactive to Proactive DNS and Email Security

Hosts: EasyDMARC & Authentic Web
Speakers – Courtney Austin, Peter LaMantia, Hofet, and Sean


Opening

Courtney:
Hi everyone and welcome. We’ll start in just a moment while people log in.
I’m Courtney Austin, VP of Marketing at EasyDMARC. Thanks for joining right on time. Today’s session will run about forty‑five minutes including Q&A.
You can post questions at any time using the Q&A button below.

Peter, you ready?

Peter: Absolutely, really excited.

Courtney: Great. Both EasyDMARC and Authentic Web have field events coming up, but today we’re virtual.
Okay, we’re two minutes past the hour—let’s start.


Purpose and Agenda

Courtney:
Thanks again for joining.
We’re here with Authentic Web to discuss how to move from a reactive to a proactive DNS and email‑security posture.
The best defense is a solid offense.

Today’s topics:

  • Why proactive security matters
  • DNS and email compliance
  • Hidden vulnerabilities and detection methods
  • Practical, real‑world fixes

Introductions

Courtney:
A quick intro from everyone.
I’ve spent about two decades in cybersecurity and networking; my focus is listening to customers and being genuine in every conversation—very fitting when partnering with Authentic Web.

Hofet:
I’ve been with EasyDMARC for five years helping enterprises secure outbound email and deploy DMARC.

Peter:
I founded Authentic Web in 2013. Before that, as president of a registrar within a Fortune 1000, I learned firsthand how chaotic domain and DNS management can be. We built technology to give large and mid‑sized companies control, visibility, and automation over critical DNS infrastructure.

Sean:
I joined Authentic Web two years ago after twenty‑five years running enterprise‑class DNS, hosting, and email systems at scale. Helping organizations secure that foundation is what drives me.


Reactive vs Proactive

Courtney:
Cybersecurity should be proactive. Prepare before the attack.
Peter, what are you hearing from enterprises?

Peter:
The biggest issue is visibility. When domains and DNS are scattered across countless providers, nobody has full change control. Manual cleanup is nearly impossible, so exposures remain.

Sean:
Exactly. DNS and email are the entry points for most breaches. Secure your perimeter first—the rest of the stack depends on it.

Hofet:
From EasyDMARC’s perspective, most organizations come to us after a phishing or spoofing incident. It’s painful, but completely avoidable with proactive measures.


Compliance

Courtney:
Compliance has become essential. Peter?

Peter:
Every security framework demands auditability and monitoring of critical infrastructure. DNS is that infrastructure. If you can’t see or log changes, you’re non‑compliant.
An incident will bring real financial and reputational damage.

Sean:
Having managed SOC 2 and ISO certifications, I can confirm—it’s not paperwork. These frameworks exist to prevent the very breaches we all fear.


Email Security Changes

Hofet:
Yahoo and Google now require bulk senders to implement SPF, DKIM, and DMARC. PCI DSS and several governments are aligning with those standards.
Too many firms created partial setups—adding DMARC without reporting. Without reports you can’t see abuse.
Done correctly, authentication improves both deliverability and protection from impersonation.


DNS Vulnerabilities

Peter:
The volume of DNS exposures we find is astonishing.
Common issues: dangling CNAMEs, orphaned IPs, insecure redirects, missing SPF/DMARC, and lame delegations (no SOA records).
Attackers can see all of this because DNS is public.

Sean:
Those misconfigurations let criminals hijack traffic or insert themselves between users and trusted sites.
Even companies that patch relentlessly often forget to fix DNS—the true frontline.

Courtney:
Any industry differences?

Peter:
Not really. Healthcare, retail, banking—all face the same gaps: multiple providers, no unified visibility, inconsistent SPF coverage.


Best Practices

Peter:
Start with an audit and continuous monitoring.
Remove stale entries, enforce HTTPS end‑to‑end, ensure every zone has an SOA, and reach 100 percent SPF/DMARC coverage.
Manage everything through one interface so IT and Infosec share the same view.

Sean:
Monthly reviews at minimum, but ideally every change triggers an alert. You can’t fix what you can’t see.


Common Email Weaknesses

Hofet:
Frequent mistakes include:

  • Missing DMARC reporting tags
  • SPF using the deprecated “+all” syntax
  • Old domains still listed in SPF “include” rules
  • Weak or un‑rotated DKIM keys
  • Root domains protected but subdomains left open

Best practice: enable reporting, use automated tools to validate syntax, rotate keys every 3–6 months, and let one global DMARC policy cascade to subdomains.


Four Steps to Proactive Security

  1. Prioritize it—get executive sponsorship.
  2. Audit DNS and email configurations.
  3. Detect & Define gaps and policy.
  4. Modernize—replace manual work with automated monitoring that enforces compliance.

Peter: DNS isn’t mysterious, but it’s unforgiving. Attackers already know your weaknesses; you need the tools to discover and fix them fast.

Sean: Think of DNS and email as the front door. Too many businesses are busy locking the kitchen cupboards instead.

Hofet: Be proactive. Implement correctly, monitor continuously.


Closing

Courtney:
If you’d like a free audit, reach out and we’ll show you exactly where you’re exposed.

Hofet: Keep an eye on the EasyDMARC Academy—updated training modules on DMARC and DNS are coming soon.

Courtney:
Thank you to everyone who joined us and to our speakers, Peter, Sean, and Hofet.
We’ll send the recording right after this session.

On behalf of Authentic Web and EasyDMARC, stay secure and have a great week.