For many in the email security, infrastructure, and anti-abuse sectors, the Internet Corporation for Assigned Names and Numbers (ICANN) often feels like a distant, bureaucratic entity—a background operator managing the plumbing of the internet while others deal with the daily reality of malicious actors. However, as the industry convenes for ICANN86 in Seville, this perception is rapidly shifting. The policy decisions being hashed out this week are not merely administrative; they represent a fundamental evolution in how the internet will handle DNS abuse, privacy, and domain expansion for years to come.
We sat down with Russ Weinstein, who leads the global team supporting ICANN’s multistakeholder policy development, to cut through the jargon and identify why these meetings represent a critical pivot point for professionals tasked with keeping the global inbox clean.
The Three Pillars of ICANN86
The current agenda is dominated by three specific initiatives that directly impact how phishing campaigns are dismantled, how registration data is accessed, and how the DNS landscape will expand.
1. Moving from One-to-One to Portfolio-Level Takedowns
The most significant development at ICANN86 is the Policy Development Process (PDP) concerning "Associated Domain Checks." Currently, the industry relies on a reactive, granular model: a researcher reports a phishing domain, and the registrar investigates that single instance. If the report is validated, the domain is mitigated.
This model is fundamentally broken when faced with modern, high-volume automated phishing operations. As Weinstein notes, "It’s often not perpetrated by a single domain. It’s these networks of domains." When a threat actor registers hundreds of domains in a single campaign, the current one-to-one reporting burden places the industry in a perpetual state of "whack-a-mole."
The policy under development aims to shift the obligation from single-domain mitigation to portfolio-wide review. Under this proposed framework, a substantiated report of DNS abuse on one domain would trigger an obligation for the registrar to scan its portfolio for related, potentially malicious assets. The community is currently debating what constitutes an "associated" domain: shared DNS infrastructure, matching registration patterns, or common account identifiers such as telephone numbers or email addresses.
By formalizing this, ICANN is essentially trying to elevate the gold-standard practices of proactive registrars into a baseline requirement for the entire industry. This is not just a procedural shift; it is a structural move designed to force registrars to take ownership of the malicious ecosystems they inadvertently host.
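To make the idea of an associated-domain check concrete, here is an added sketch (not ICANN's or any registrar's code) of a registrar pivoting from one reported domain across its own portfolio. The record layout, the sample data, and the `max_share` and `max_hops` thresholds are assumptions; the policy's actual definition of "associated" is still under debate.

```python
from collections import defaultdict, deque

# Constructed registrar portfolio (all values invented for illustration):
# (domain, nameservers, registrant email, phone, customer account id)
DEFAULT_NS = ("ns1.dns-park.example", "ns2.dns-park.example")
PORTFOLIO = [
    ("secure-login-a.example", DEFAULT_NS, "ops1@mail.example", "+1.5550101", "acct-1001"),
    ("secure-login-b.example", DEFAULT_NS, "ops1@mail.example", "+1.5550102", "acct-1002"),
    ("account-verify.example", DEFAULT_NS, "x9@mail.example", "+1.5550102", "acct-1003"),
    ("invoice-portal.example", ("ns1.custom-ns.example",), "bill@mail.example", "+1.5550104", "acct-1001"),
    ("bakery.example", DEFAULT_NS, "owner@bakery.example", "+1.5550105", "acct-1005"),
    ("florist.example", DEFAULT_NS, "hi@florist.example", "+1.5550106", "acct-1006"),
]

def build_index(portfolio, max_share):
    """Map (attribute, value) -> domains, keeping only values that link
    2..max_share domains; widely shared values (default NS) are noise."""
    index = defaultdict(set)
    for domain, nameservers, email, phone, account in portfolio:
        pairs = [("ns", ns) for ns in nameservers]
        pairs += [("email", email), ("phone", phone), ("account", account)]
        for attr, value in pairs:
            if value:
                index[(attr, value.strip().lower())].add(domain)
    return {k: d for k, d in index.items() if 1 < len(d) <= max_share}

def associated_domains(portfolio, reported, max_share=3, max_hops=2):
    """Breadth-first pivot from the reported domain over shared attributes.
    Returns {domain: (hops, sorted shared attributes that linked it)}."""
    index = build_index(portfolio, max_share)
    links = defaultdict(list)
    for key, domains in index.items():
        for d in domains:
            links[d].append(key)
    found, queue = {reported: (0, set())}, deque([reported])
    while queue:
        current = queue.popleft()
        hops = found[current][0]
        if hops == max_hops:
            continue
        for key in links[current]:
            for other in index[key] - {current}:
                if other not in found:
                    found[other] = (hops + 1, set())
                    queue.append(other)
                if found[other][0] == hops + 1:
                    found[other][1].add(key)
    return {d: (h, sorted(r)) for d, (h, r) in found.items() if d != reported}
```

Raising `max_share` so that the registrar's default nameservers count as a link pulls unrelated customers such as `bakery.example` into the result, which is why shared DNS infrastructure alone is a weak association signal and each hit should carry the attribute that linked it for human review.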
2. The Post-GDPR Registration Data Dilemma
The second major thread at ICANN86 concerns the "Whois" system’s successor in the post-GDPR era. Since the implementation of strict data privacy regulations, personal data in domain records is frequently redacted, creating a "black box" that has hindered many forensic investigators.
ICANN is dedicating twelve hours of sessions at ICANN86 to this issue, including a full-day workshop facilitated by external experts to bridge the gap between privacy advocates and security professionals. The core challenge is building a standardized, centralized request system that allows legitimate entities to access masked registration data without violating international privacy laws.
When asked if the post-GDPR era has effectively hobbled abuse mitigation, Weinstein offered a pragmatic perspective. "That was a big fear of the community, but the industry adapted really quickly," he said. The crux of his argument is that successful takedowns rely on evidence of misuse—such as email headers, forensic artifacts, or screenshots—rather than the identity of the registrant. By shifting the burden of investigation to the registrar—the party that holds the non-redacted account data—the community can effectively bypass the redaction hurdle.
3. The New gTLD Round: A Controlled Expansion
The third pillar is the implementation of the New gTLD Program, with the current application window closing on August 12, 2026. Unlike the 2012 round, which introduced over 1,200 new extensions with varying levels of security, this expansion is being approached with a "safety-first" mentality.
Weinstein emphasized that new registry operators are being held to significantly higher contractual obligations regarding abuse. The goal is to ensure that new namespaces are not just available, but resilient against exploitation from day one. For mailbox providers and filtering vendors, this suggests that while a new wave of TLDs is coming, the baseline for "bad neighborhood" management should theoretically be higher than it was in the past.
Chronology of the Policy Lifecycle
For those observing from the outside, it is essential to understand the timeline of these developments to align internal security strategies:
- Spring 2026: The New gTLD application window opened (April 30).
- August 12, 2026: Deadline for the current round of New gTLD applications.
- 2026–2027: Intensive consensus-building for Associated Domain Checks and Registration Data access.
- Early 2027: Submission of Associated Domain policies to the ICANN Board for final approval.
- Late 2027/Early 2028: Expected contractual enforcement of new DNS abuse policies.
- Late 2027 onwards: Launch and rollout of the new gTLDs, coupled with the new, stricter abuse-mitigation standards.
The Limits of ICANN’s Mandate
A recurring point of friction in the email industry is the expectation that ICANN acts as an enforcement agency for individual phishing reports. Weinstein was clear on the boundaries: ICANN is a technical infrastructure coordinator, not a takedown service.
Registrars generally have one blunt instrument at their disposal: the suspension of DNS resolution for an entire domain. This "on/off" switch is a powerful tool that carries significant risk of collateral damage, which is why evidentiary standards are so high. ICANN’s role is to ensure that when a registrar is presented with irrefutable evidence of abuse, they act. If they fail to do so, ICANN Compliance intervenes—a process that can, in extreme cases, result in the revocation of a registrar’s accreditation.
It is also vital to distinguish between "DNS abuse" and "content abuse." ICANN’s current scope for DNS abuse is strictly limited to malware, botnets, phishing, and pharming. Pure spam, while a massive burden on the email industry, remains outside of ICANN’s primary technical mandate.
Implications for the Email Community
The takeaway for the email security community is that the "downstream" relationship with ICANN is becoming more collaborative. The shift toward portfolio-level takedowns and the maturation of registration data access are direct responses to the frustrations of threat researchers and anti-abuse professionals.
As Weinstein noted, forums such as M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group) and the APWG (Anti-Phishing Working Group) remain the most immediate venues for collaboration. However, the policy-making process at ICANN is no longer a closed-door affair. With free remote participation and a clear roadmap toward more robust, portfolio-aware abuse mitigation, the industry has an unprecedented opportunity to influence the rules that will define the digital landscape for the next decade.
The message from Seville is clear: the era of reactive, single-domain reporting is coming to an end. The future of domain security will be defined by visibility, accountability, and the ability to address threat networks rather than isolated actors. For those in the email industry, the calendar entry for ICANN is no longer a distraction—it is a necessity.
