Email Marketing

Beyond the DNS: Why ICANN86 is a Watershed Moment for the Global Email Industry

For much of the email infrastructure and anti-abuse community, ICANN meetings have long been viewed as peripheral—a series of bureaucratic sessions occurring in a different, albeit adjacent, ecosystem. However, the events of ICANN86, held in Seville from June 8–11, suggest that this detachment is no longer sustainable. As the digital landscape faces an unprecedented surge in sophisticated, large-scale cyber threats, the policy-making machinery of the Internet Corporation for Assigned Names and Numbers (ICANN) has shifted from a background concern to a central pillar of global threat mitigation.

Russ Weinstein, who leads the global team supporting ICANN’s multistakeholder policy development, argues that the work being finalized in Seville will fundamentally reshape the mechanics of the internet. For email security professionals, this means new protocols for domain takedowns, a clearer path through the post-GDPR regulatory maze, and a looming expansion of the Top-Level Domain (TLD) landscape.

The Shift Toward Portfolio-Level Mitigation

The most significant development at ICANN86 is the formalization of the "Associated Domain Checks" Policy Development Process (PDP). For years, the anti-abuse community has operated under a restrictive, one-to-one model: a researcher reports a single phishing domain, and the registrar or registry is obligated to investigate that specific domain.

As any seasoned threat researcher knows, this is a losing battle. Modern threat actors rarely rely on a single domain; they operate in sprawling, interconnected networks, often registering hundreds of domains simultaneously. The current system forces defenders to play a game of "whack-a-mole," where the time taken to report one domain is eclipsed by the rapid rotation of the attacker’s remaining infrastructure.

"It’s often not perpetrated by a single domain," Weinstein noted. "It’s these networks of domains."

The proposed policy represents a paradigm shift from one-to-one to one-to-many mitigation. Once implemented, an actionable abuse report on a single domain would trigger a mandatory requirement for the registrar to scan their broader portfolio for "associated" domains. The debate currently consuming the community is the definition of "associated." Is it shared DNS infrastructure? Is it identical registration patterns? Or is it linked through account-level identifiers like phone numbers and email addresses?

By codifying these best practices, ICANN is moving to elevate the standard of care across the entire registrar industry. If the current timeline holds, we can expect consensus to be reached within a year, with the resulting policies moving to the ICANN Board for approval in 2027.

Chronology of the Policy Lifecycle

The policy development lifecycle is intentionally deliberate, designed to ensure that the global internet community—comprised of diverse and often competing interests—reaches a consensus that is technically feasible and legally sound.

  • 2024 (April): New DNS abuse mitigation rules take effect, establishing the current baseline for registrar responsibilities.
  • 2025 (December): The Applicant Guidebook for the new gTLD round is published, setting the stage for a massive expansion of the internet’s address space.
  • 2026 (April–August): The application window for new gTLDs opens. This remains the most critical short-term window for potential registry operators.
  • 2026 (June): ICANN86 serves as the primary forum for hashing out the details of "Associated Domain Checks" and refining the post-GDPR data access model.
  • 2027 (Early): Expected board approval for the Associated Domain Checks policy.
  • 2027–2028: Contractual implementation of new policies, marking a new era of mandatory proactive abuse mitigation.

Following the Associated Domain Checks PDP, the community will pivot to address "bulk registrations." While currently queued behind the former, this work is equally vital to the preventative side of the industry. The GNSO (Generic Names Supporting Organization) has opted for a staggered approach, prioritizing the cleanup of existing malicious networks before tightening the gates for future mass registrations.

Resolving the GDPR Impasse: Data Access in a Privacy-First World

The legacy of the "Whois" system remains one of the most contentious issues in internet governance. Since the implementation of the GDPR and subsequent global privacy regulations, registration data has been largely redacted, creating a "black box" that has hindered many security investigators.

ICANN86 saw a renewed, intensive effort to bridge the gap between privacy protections and the legitimate needs of security professionals. With over twelve hours of dedicated sessions—including an intensive workshop led by an outside expert—the community is working toward a centralized request system. This system aims to provide a standardized, transparent, and efficient route for parties with legitimate, verifiable interests to request disclosure of registration data.

Despite the prevailing narrative that GDPR "broke" the internet’s investigative capabilities, Weinstein offers a more nuanced, optimistic perspective. He points out that, while the redaction of personal data is a hurdle, the fundamental requirement for takedowns has not changed. Registrars and registries have consistently remained responsive when provided with concrete evidence of misuse, such as email headers, forensic data, and screenshots. The burden is shifting: rather than expecting researchers to navigate the labyrinth of redacted data, the industry is moving toward a model where the registrar—who has the data—is empowered and obligated to act upon cross-domain evidence.

The Expansion of the TLD Space

The third pillar of the current ICANN agenda is the New gTLD Program. With the application window closing on August 12, 2026, organizations considering the operation of a TLD have little time to finalize their strategies.

However, for the anti-abuse community, the concern is not just the number of new extensions, but the quality of their governance. The 2012 round saw the introduction of over 1,200 new gTLDs, which provided a massive canvas for abuse. Weinstein acknowledges that the industry has learned hard lessons from that period.

In this new round, registry operators are facing significantly more robust contractual obligations regarding abuse. The goal is to ensure that these new namespaces are "secure by design." For mailbox providers and filtering vendors, this represents a significant shift: while the sheer volume of TLDs will increase, the baseline expectation for registry-level intervention is being raised, potentially reducing the burden on downstream filters.

Official Responses and the Reality of Remediation

A recurring theme in discussions with ICANN leadership is the clarification of their remit. There is a persistent misconception that ICANN acts as an "abuse desk" for the internet. Weinstein is clear: ICANN does not, and cannot, manage real-time takedowns.

ICANN’s authority is rooted in its contracts with gTLD registries and accredited registrars. These contracts provide the legal leverage to mandate action, but the execution of that action rests with the contracted parties. When a registrar sits on evidence and fails to act, ICANN’s compliance department intervenes. At the extreme end of the spectrum, this can result in the revocation of a registrar’s accreditation—a nuclear option that serves as a powerful deterrent.

Furthermore, it is critical to distinguish between the types of abuse that fall under the ICANN umbrella. ICANN’s current definition of DNS abuse is focused on malware, botnets, phishing, and pharming. "Spam as spam"—the traditional unsolicited bulk email—remains the domain of mailbox providers and the wider email security stack. ICANN is not a content moderator; it is the architect of the technical infrastructure that hosts that content.

Implications for the Future

For the email industry, the takeaway from ICANN86 is clear: the wall between "domain policy" and "email security" is crumbling. As these new policies take hold, the industry can expect:

  1. Increased Accountability: Registrars will be held to higher standards for detecting and mitigating entire networks of malicious domains, rather than reacting to individual reports.
  2. Standardized Access: The development of a centralized disclosure system will eventually replace the ad-hoc, inconsistent process of requesting registration data.
  3. Proactive Governance: The new gTLD round will be the first to feature systemic, contractual abuse-prevention measures, hopefully curbing the exploitation of new namespaces from their inception.

For professionals working in threat intelligence, blocklist management, and anti-abuse operations, ICANN86 demonstrates that the most effective way to address downstream threats is to participate in the upstream policy development process. The invitation is open, and the stakes have never been higher. By engaging with venues like M3AAWG, the APWG, and the ICANN process itself, the email industry can ensure that the future of the DNS is built with the security of the end-user in mind.