With Halon Protect 26.2, we’re strengthening email protection for evolving threats, standards, and infrastructure requirements. This release updates the existing DMARC module with support for the new RFC 9989 specification, as well as adding support for post-quantum crypto algorithms. It also introduces advanced malware detection for deeper file analysis, alongside builds for Ubuntu 26.04, RHEL 10 and Arm CPUs.
Together, these updates continue to advance Halon Protect as a platform where security, compliance, and operational flexibility work hand in hand.
Let's take a closer look.
RFC 9989 support in the DMARC module
Email authentication standards do not stand still, and neither does our
DMARC module.
With Halon Protect 26.2, it gains support for RFC 9989, the updated DMARC specification previously known as DMARCbis. At a high level, the update changes organizational domain discovery to use a DNS tree walk, introduces a cleaner testing mode, and adds support for new policy tags while deprecating seldom-used ones.
We released the update just three weeks after the RFC was formally published, making Halon Protect one of the earliest platforms to offer native support for this new standard. The module defaults to RFC 7489 behavior, so existing deployments are unaffected. Enabling RFC 9989 validation remains optional for operators who want to move to the updated specification on their own terms.
We have analyzed DMARC records in the wild, and the behavioral changes RFC 9989 could introduce are not significant in practice. The updated module is ready to enable in production, and we will continue to monitor adoption as the standard matures. DMARC aggregate and failure reporting via the new RFC 9990 and RFC 9991 specifications is already on the roadmap. Staying at the forefront with evolving email standards is part of keeping email protection effective and adaptable, and RFC 9989 is just one example of that commitment.
Support for Ubuntu 26.04, RHEL 10 and Arm-based CPUs
Arm-based CPUs are increasingly used in server environments because they can deliver good performance with lower power usage and heat generation. Starting with Halon Protect 26.2, we’re now building the Halon Protect components for Arm. This not only allows you to run Halon on competitively priced Arm servers, but also eliminates the need for emulation when you develop or test locally on your Arm-powered laptop with for example Docker Desktop.
Finally, we have started building for the latest long-term support (LTS) versions of Ubuntu and Red Hat Enterprise Linux (and compatibles, like Rocky).
Post quantum cryptography (PQC) algorithms
Most email between servers is encrypted in transit with TLS, negotiated opportunistically or enforced with DANE or MTA-STS. The security of that connection rests on a key exchange, which future quantum computers might break. This matters well before quantum computers actually arrive. An attacker can record encrypted traffic now and decrypt it later, once the capability exists. This is the "harvest now, decrypt later" problem, and it applies to any email carrying information that still has value years from now: account notifications, financial and healthcare messages, anything tied to a long-lived identity.
Halon Protect 26.2 addresses this by adding support for post-quantum key exchange algorithms, including X25519MLKEM768 hybrid key exchange which can be enabled in configuration or dynamically using HSL. When the receiving server supports it, Halon Protect will use PQC, with fallback to classical key exchange options where needed. It runs the classical X25519 exchange and the post-quantum ML-KEM-768 mechanism (NIST's FIPS 203 standard, previously known as Kyber) together and derives the session key from both. The connection stays secure as long as either one holds: if a quantum computer breaks X25519, ML-KEM-768 still protects the session; if a future weakness is found in ML-KEM, X25519 still does. You don't trade away any of today's security to gain tomorrow's.
Adoption of post-quantum key exchange has moved quickly on the web, where browsers and large CDNs already negotiate X25519MLKEM768 on most connections. In email transport, adoption is still early. Adding it now means Halon Protect operators are ready as the industry catches up, and can give a concrete answer when security and procurement teams ask where they stand on post-quantum readiness.
Advanced malware detection
Signature-based anti-virus catches known threats well, but obfuscated attachments and unknown or disguised file types can slip through until a signature exists. Halon Protect 26.2 addresses that gap with a new optional module providing real-time analysis of known and unknown threats. It combines behavioral analysis, software emulation to unwind obfuscation, and deep structural scrutiny across 150+ specialized mini-engines. It operates in milliseconds, scales to millions of files per day, and maintains a low false positive rate.
This makes deep file analysis practical at scale, especially in environments where traditional sandboxes are too slow or too resource-intensive to deploy. Attachments receive a risk rating and structured JSON report that Halon policy script can act on directly: reject, quarantine, or route the most suspicious files for full sandbox analysis downstream. Contact us if you would like to evaluate advanced malware detection in your environment.
Getting started
Halon Protect 26.2 is now available through the normal software repository. If you'd like help enabling RFC 9989 DMARC validation, advanced malware detection, or planning an upgrade, reach out to your Halon representative or request a demo.
Get started today
Halon Protect 26.2 is available now. Want to see how Halon Protect can support your email security strategy beyond this release? Schedule a call with us to explore how Halon Protect helps service providers and enterprises build more flexible, secure, and scalable email infrastructure.