If you recall (or don't ;) ) this thread, my (lengthy) argument was that all the so-called email anti-forgery technologies have been neatly undercut by pervasive security problems, and thus the overall effect of deploying them has been to make the email forgery problem much worse than it was before they existed. Some of you agreed, some disagreed, and so on. The usual. ;)

Well. Here we are most of a year later and attackers have figured out how to exploit this exact problem, at scale. For example:

Zendesk:

	Zendesk ticket systems hijacked in massive global spam wave
	https://www.bleepingcomputer.com/news/security/zendesk-ticket-systems-hijack...

Microsoft:

	Crims compromised energy firms' Microsoft accounts, sent 600 phishing emails
	https://www.theregister.com/2026/01/22/crims_compromised_energy_firms_micros...

Nordstrom:

	Nordstrom's email system abused to send crypto scams to customers
	https://www.bleepingcomputer.com/news/security/nordstroms-email-system-abuse...

and Zendesk again:

	Zendesk spam wave returns, floods users with 'Activate account' emails
	https://www.bleepingcomputer.com/news/security/zendesk-spam-wave-returns-flo...

and Microsoft again:

	There's a rash of scam spam coming from a real Microsoft address
	https://arstechnica.com/information-technology/2026/01/theres-a-rash-of-scam...

These can't possibly be the only instances: I suspect they're just the ones that have been reported in the press and that I've happened to notice. No doubt many more have happened, are happening, and will happen without coming to the attention of tech journalists. Or perhaps anyone -- if they're sufficiently well-executed.

This is likely to increase exponentially, because that's what these kinds of problems always do.

This is bad enough already, but there's a way it could -- and probably will -- get much worse.
Everyone who's paying attention knows that attackers are using AI/LLM products/services in attacks -- and they're doing quite well, because the sociopaths at the AI/LLM companies can't be bothered to build in any guardrails.

This capability combined with DKIM/SPF/et al. enables automated spear-phishing at scale. It won't be necessary for a human to spend the time to conduct stylometric analysis of someone's outbound email corpus: given access to that person's email account, they can have an AI do that. And then they can send outbound messages from that person's email account to their contact list -- messages which mimic that person's style, formatting, punctuation, everything -- all of which will of course be dutifully certified as authentic by DKIM/SPF/et al. And dutifully presented as such to recipients by their MUA.

Imagine what happens if that person is an investment advisor for high net worth individuals. Imagine what happens if that person is a political official. Imagine what happens [...]

I doubt this will stay a hypothetical for very long.

It's time to recognize that all these email anti-forgery technologies are not just worthless security theater; they're *worse* than worthless because they certify as authentic messages that are increasingly NOT authentic.

---rsk