Email Marketing

Beyond the Calendar: Why ICANN86 is a Turning Point for the Global Email Industry

For much of the email infrastructure and anti-abuse community, ICANN meetings have historically been relegated to the periphery—viewed as dense, bureaucratic affairs far removed from the day-to-day grind of filtering spam or mitigating phishing campaigns. However, the events of ICANN86, held this June at the FIBES in Seville, signal a definitive shift in that perspective. As the digital landscape faces an unprecedented surge in automated domain registration, the policy decisions currently under discussion in Seville are poised to rewrite the rules of engagement for how the internet handles malicious actors.

We spoke with Russ Weinstein, who leads the global team supporting ICANN’s multistakeholder policy development, to cut through the jargon. Whether you are an anti-abuse professional, a mailbox provider, or a threat researcher, the work currently underway at ICANN86 is not merely administrative; it is architectural. It will fundamentally shape how phishing domains are dismantled, who gains access to registration data, and how the expansion of top-level domains (TLDs) will impact your filtering logic for the next several years.


The Core Pillar: Shifting from One-to-One to Portfolio Mitigation

The most significant development at ICANN86 centers on the Policy Development Process (PDP) regarding "Associated Domain Checks." This represents a fundamental evolution in how the industry combats DNS abuse.

The Current Limitation

Under the rules that took effect in April 2024, the process for domain takedowns is largely reactive and granular. When a registrar or registry is presented with evidence that a specific domain is being utilized for DNS abuse, they are obligated to mitigate that single domain. The industry logic follows a one-report, one-domain, one-action model.

However, anyone involved in active threat intelligence knows this model is insufficient against modern cybercrime. Bad actors rarely operate in isolation; they register entire portfolios—often numbering in the hundreds—to rotate through campaigns as soon as one domain is flagged. "It’s often not perpetrated by a single domain," Weinstein explains. "It’s these networks of domains."

The "Associated Domain" Mandate

The policy currently under development seeks to bridge this gap. By moving from a one-to-one mitigation requirement to a one-to-many obligation, ICANN intends to force registrars to look across their own portfolios once an actionable report is verified. The community is currently debating the criteria for "association." Should shared DNS infrastructure, matching account registration signals (such as phone numbers or email addresses), or similar domain patterns trigger an automatic review of the entire account?

For the blocklist operators and abuse desks that have spent years playing "whack-a-mole" with individual domains, this represents the most important shift in recent memory. By shifting the burden of cross-referencing onto the registrar—the party that actually possesses the account data—ICANN is aiming to dismantle entire criminal networks rather than merely trimming the branches.

Future-Proofing: Bulk Registrations

Following this PDP, the community has queued a second effort focused on bulk registrations. While the Associated Domain Checks policy deals with mitigation, the bulk registration policy is proactive. It aims to establish standards for what a registrar must consider before approving a customer’s request to register a large volume of domains simultaneously. The GNSO has deliberately staggered these efforts to ensure full focus on the Associated Domain policy, with a target of consensus by 2027 and potential implementation by 2028.


Registration Data: Solving the Post-GDPR Puzzle

The second major thread of ICANN86 concerns the persistent, complex challenge of accessing domain registration data in the era of GDPR. Since privacy laws forced the redaction of personal data in Whois records, researchers and security professionals have struggled to gain the visibility necessary for effective investigations.

A Multistakeholder Approach

ICANN is treating this issue with high-level urgency, dedicating nearly twelve hours of intensive sessions at ICANN86 to the topic. This includes a full-day workshop led by an outside expert facilitator, designed to force diverse, often conflicting stakeholder groups—privacy advocates, intellectual property rights holders, and security researchers—to find common ground.

When asked whether GDPR served as the catastrophe for abuse mitigation many feared, Weinstein offered a measured, optimistic take. "That was a big fear of the community, but the industry adapted really quickly," he said. His reasoning is rooted in the reality of forensic evidence: successful takedowns never strictly depended on the personal identity of the registrant. They rely on evidence of misuse—email headers, screenshots, and technical indicators of compromise. ICANN’s compliance department has seen no decline in the efficacy of abuse reports, provided they are backed by technical evidence.


The New gTLD Round: Expanding the Namespace

The third pillar of the conference is the New gTLD Program, which has moved from the policy debate phase into the implementation phase. With the application window now open, the industry is bracing for a new wave of domain extensions.

The Deadline and the Challenge

The application window for new top-level domains opened on April 30, 2026, and is set to close on August 12, 2026. For organizations considering operating their own TLD, the window of opportunity is closing rapidly. Weinstein notes that becoming a TLD operator is not merely a business decision; it is a commitment to the "connected community," requiring a willingness to operate under contracts that evolve alongside community consensus.

Learning from 2012

The 2012 expansion of TLDs resulted in over 1,200 new extensions, which brought with it a significant increase in lookalike namespaces that bad actors exploited. Weinstein was candid about the lessons learned: "This time, we’re trying to prevent it a little better up front." The new round of gTLDs comes with significantly more stringent contractual obligations regarding abuse. For mailbox providers and filtering vendors, this is a critical detail: while a new wave of TLDs is expected in 2027, the "safety guardrails" are being baked into the registry contracts from day one.


Understanding ICANN’s Remit and Limitations

A recurring friction point in the email industry is the misconception that ICANN acts as a centralized "takedown desk." It is vital to clarify that ICANN is an organization of technical coordination, not an enforcement agency for content.

The Registrar’s Toolset

Weinstein emphasizes that registrars possess a "blunt instrument": the ability to suspend DNS resolution for an entire domain. This is an "all or nothing" action. Because of the severity of this power, registrars require clear, undeniable evidence of abuse. "They have one tool, and it’s on or off," Weinstein noted.

Consequently, if a registrar fails to act despite receiving valid evidence, ICANN’s Compliance department intervenes. However, it is essential to distinguish between the types of abuse:

  • In-Scope: Malware, botnets, phishing, and pharming (when used as a delivery mechanism).
  • Out-of-Scope: Pure spam. The industry continues to handle general spam via mailbox providers and reputation filtering, as this remains outside the core DNS infrastructure remit.

Implications for the Email Industry

The work being done at ICANN86 is fundamentally changing the trajectory of the internet ecosystem. By codifying what "good" registrars are already doing into a set of industry-wide, enforceable minimum requirements, ICANN is setting a new baseline for global internet hygiene.

For the anti-abuse professional, the takeaway is clear: the era of passive observation is over. As these policies take shape, the opportunities for collaboration between the security community and ICANN are growing. While venues like M3AAWG and the APWG remain the primary forums for operational collaboration, ICANN’s policy-making process is becoming increasingly accessible.

As we look toward 2027 and 2028, the impact of these decisions will manifest in reduced phishing volumes and more transparent accountability for domain registries. For those who operate downstream of these policies, paying attention to ICANN86 is no longer just a "calendar entry"—it is a professional necessity. The architecture of the internet is being reinforced, and the email industry is finally getting a seat at the table.

Session recordings, transcripts, and official documentation from ICANN86 are currently available on the ICANN website for those who wish to review the technical specifics of these ongoing policy developments.