research index

Email security reading library.

A curated index of external research, papers, and reports on email security, the systems around it, and the protocols underneath. We do not own these works. We link to the originals and credit the authors.

The field moves fast and the good writing is scattered. Some of it lives behind a vendor wall, some in IETF RFCs, some in academic PDFs, and some in essays that have been sitting on the open web for twenty-five years. This page collects the works we read and cite when we talk about email security.

Forty-six entries grouped into eight categories: phishing economics and business email compromise, email security history and current threats, AI in email attacks, email infrastructure and deliverability, privacy and non-custodial architecture, Bitcoin and Lightning and Cashu and micropayments, industry reports, and the attention cost of email itself. Each entry shows the title, the source, the year, a short faithful takeaway, and a direct link to the original.

Rythm did not write these works. We do not republish them. We do not summarize them in a way that lets anyone skip the source. When the takeaway sounds opinionated, it is reading the work honestly, not editorializing. Suggestions welcome at partners@rythm.xyz.

Phishing economics & BEC

Internet Crime Report (IC3 Annual Report)

FBI Internet Crime Complaint Center, 2024

The FBI logs reported losses by category every year. Business email compromise sits in the top three by dollar loss every year. The 2024 edition documents tens of billions in cumulative BEC losses since 2013. The most-cited primary source for what email-based fraud actually costs.

ic3.gov

Cost of a Data Breach Report

IBM Security and the Ponemon Institute, 2024

IBM's annual study placing the average cost of a data breach at $4.88M in 2024. Phishing is consistently identified as a top-three initial attack vector. Useful for grounding email-security ROI discussions in audited numbers rather than vendor projections.

ibm.com

Data Breach Investigations Report (DBIR)

Verizon, 2024

The longest-running breach analysis in the industry, drawn from tens of thousands of incidents. The 2024 edition shows that the human element (phishing, pretexting, error) factors into the majority of breaches. The annual frame for any honest conversation about breach root causes.

verizon.com

Phishing Activity Trends Report (quarterly)

Anti-Phishing Working Group (APWG), 2014 to present

APWG tracks observed phishing site counts, brand-impersonation patterns, and attack-channel mix every quarter. The dataset shows phishing volume rising and channel mix shifting away from pure email toward SMS and voice. The most-cited longitudinal phishing dataset.

apwg.org

Why Phishing Works

Dhamija, Tygar, Hearst (UC Berkeley) at CHI 2006, 2006

The foundational academic study on why people fall for phishing. The headline finding: 23 percent of participants were fooled by the best phishing site, and visual cues that defenders relied on (browser chrome, address bar) did not protect users. Twenty years on, the structural conclusions still hold.

people.eecs.berkeley.edu

State of the Phish (annual)

Proofpoint, 2024

Proofpoint's annual survey of email-based threats observed across its customer base. Useful as an industry barometer on phishing volume, BEC trends, and click-through rates by industry. Vendor framing applies, but the underlying telemetry is large-scale.

proofpoint.com

Cyber Claims Report

Coalition (cyber-insurance carrier), 2024

A claims-side view of where cyber losses actually happen. The 2024 report finds 56 percent of all 2023 claims were BEC or funds-transfer fraud originating in the email inbox, with average FTF claim severity over $278,000. Underwriter data has skin in the game because the carrier pays when a claim is real.

coalitioninc.com

Microsoft Digital Defense Report

Microsoft Threat Intelligence, 2024

Microsoft's annual report drawing on telemetry from billions of endpoints and email accounts. The 2024 edition shows identity-based attacks (phishing, token theft, password spray) as the dominant category. Useful for sizing the problem against the largest mailbox provider on the planet.

microsoft.com

Email security history & current threats

Krebs on Security (ongoing investigative blog)

Brian Krebs, 2009 to present

Brian Krebs documents email-driven fraud in journalistic depth. Recurring beats include BEC operations, romance scams that move funds via email, and the Eastern European cybercrime ecosystem. The most-cited single source for narrative case studies of how email attacks actually work in the wild.

krebsonsecurity.com

The Spamhaus Project (ongoing)

The Spamhaus Project, 1998 to present

Spamhaus has been tracking spam infrastructure for over twenty-five years and runs the most-used IP blocklists on the internet. Their writing on snowshoe spam, hosting abuse, and botnet sources is the institutional memory of the spam-filtering era. A useful counterweight to the marketing claim that spam is a solved problem.

spamhaus.org

Pluralistic (ongoing essays on email and platforms)

Cory Doctorow, 2020 to present

Doctorow has written extensively on enshittification of communication platforms and on email's role as the last open inbox channel. The argument running through his work: closed platforms capture senders and recipients, and the open standard is both email's weakness (spam) and its strength (no gatekeeper).

pluralistic.net

A Plan for Spam

Paul Graham, 2002

The original Bayesian-spam-filter essay. Paul Graham describes how a probabilistic content classifier can sort spam without explicit rules. The essay shaped two decades of spam filtering and is also a clear statement of the limits of probabilistic filters: they classify well on average and fail openly on the cases that matter most.

paulgraham.com

Better Bayesian Filtering

Paul Graham, 2003

The follow-up essay describing how to tune a Bayesian spam filter in production. Reads as both a recipe and a cautionary tale: every refinement in the filter is met with adaptation from the spammers. The arms-race dynamic that motivated economic-friction approaches like Hashcash and, later, email paywalls.

paulgraham.com

CISA Cybersecurity Advisories

Cybersecurity and Infrastructure Security Agency, 2020 to present

CISA publishes ongoing alerts on email-based fraud campaigns targeting US infrastructure and small businesses. Alerts include technical indicators, recommended mitigations, and observed dollar losses. Useful when a story or product claim needs grounding in a federal advisory.

cisa.gov

AI in email attacks

AI-generated phishing research

Hoxhunt Research, 2024

Hoxhunt runs simulated phishing at scale and publishes performance data on AI-written versus human-written lures. Their research finds that AI-generated phishing now outperforms human-crafted attempts in click-through rate against many populations. The data behind the "AI phishing is better" claim.

hoxhunt.com

AI Phishing Trends

Keepnet Labs, 2024

Keepnet documents how attackers are using LLMs to localize, personalize, and scale phishing across languages. Their reports include click-through comparisons by language and by lure quality. A working data source for the case that content-based defenses are losing ground.

keepnetlabs.com

AI vs Human Deceit (GPT-4 phishing study)

IBM X-Force, 2023

IBM researchers measured how quickly an LLM could generate phishing emails versus a human red team. The LLM produced viable phishing in five prompts. The human team took sixteen hours. The cost asymmetry is the headline: AI lowers the cost of creating convincing lures by orders of magnitude.

ibm.com

Generative AI in phishing attacks

StrongestLayer Research, 2024

StrongestLayer's research on AI-generated phishing reports a click-through rate of 54 percent on AI-written lures versus 12 percent on traditional phishing in their test populations. The methodology is available in the report. A data point cited often when the category talks about AI phishing efficacy.

strongestlayer.com

Threats by State-Affiliated Actors (adversarial uses of LLMs)

OpenAI Threat Intelligence, 2024

OpenAI's ongoing reporting on how state-affiliated actors and criminal groups use the model. Includes specific case studies of phishing, social-engineering content generation, and translation of lures across languages. A primary source on the supply side of AI-assisted email fraud.

openai.com

Email infrastructure & deliverability

RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC)

IETF (Kucherawy and Zwicky), 2015

The DMARC standard. Defines how a domain owner publishes a policy that mailbox providers should apply when SPF or DKIM authentication fails. The reference for any conversation about sender authentication and the limits of authentication as a phishing defense.

datatracker.ietf.org

RFC 7208: Sender Policy Framework (SPF)

IETF (Kitterman), 2014

The SPF standard. Defines how a domain owner lists the IPs allowed to send mail on its behalf. The first of the three sender-authentication standards that together form the modern anti-spoofing baseline. SPF alone does not stop spoofing in forwarded mail, which is one reason DMARC exists.

datatracker.ietf.org

RFC 6376: DomainKeys Identified Mail (DKIM)

IETF (Crocker, Hansen, Kucherawy), 2011

The DKIM standard. Defines how a domain owner cryptographically signs outbound mail so receivers can verify it was authorized. DKIM is the part of the authentication trio that survives forwarding. Together with SPF and DMARC, the three RFCs are the technical floor for sender authentication.

datatracker.ietf.org

M3AAWG email-authentication best practices

Messaging, Malware and Mobile Anti-Abuse Working Group, ongoing

M3AAWG is the industry working group of mailbox providers, ISPs, and senders. Their published guidance on SPF, DKIM, DMARC, BIMI, and ARC is the operational reference used by the people who actually run the largest email systems. The closest thing the industry has to a shared rulebook.

m3aawg.org

Sender Guidelines

Google Postmaster Tools (Gmail), ongoing

Google's sender requirements for getting mail accepted into Gmail at scale. As of 2024, bulk senders must publish DMARC, support one-click unsubscribe, and stay below a 0.3 percent spam-rate threshold. The de facto standard that other providers track.

support.google.com

Privacy & non-custodial architecture

Schneier on Security (essays on email and surveillance)

Bruce Schneier, 2004 to present

Bruce Schneier's long-running essays on cryptographic systems, privacy, and the asymmetries between users and platforms. His writing on email metadata, mass surveillance, and the limits of voluntary privacy is the canonical introduction for non-specialists.

schneier.com

Surveillance Self-Defense (email guides)

Electronic Frontier Foundation, ongoing

EFF's practical guide to keeping email and other communications private. Covers threat modeling, end-to-end encryption, and the operational hygiene that keeps an inbox from leaking. The clearest framing of what privacy actually requires at the user level.

ssd.eff.org

Why I Wrote PGP

Phil Zimmermann, 1999

Zimmermann's 1999 essay on why he built PGP and why end-to-end email encryption mattered enough to risk a federal investigation. The piece is also an early articulation of the non-custodial principle: software that does not require the user to trust the developer with the keys.

philzimmermann.com

Tor Project mission and design

The Tor Project, 2002 to present

The Tor onion-routing design and the operational history of running a non-custodial privacy network at scale. Useful as a parallel reference for anyone thinking about how non-custodial systems get built, attacked, and sustained over decades.

torproject.org

Signal protocol papers

Signal Foundation, ongoing

The Signal protocol papers describe how forward secrecy, double-ratchet key agreement, and sealed-sender metadata minimization combine into a usable end-to-end encrypted messaging system. The architectural reference for non-custodial communication that a normal person can actually use.

signal.org

Bitcoin, Lightning, Cashu, micropayments

The Bitcoin Lightning Network: Scalable Off-Chain Instant Payments

Joseph Poon and Thaddeus Dryja, 2016

The original Lightning Network whitepaper. Defines how payment channels and HTLCs combine into a network that can settle instant micropayments at fractions of a cent. The technical foundation for any modern email-payment design that needs to be both fast and cheap.

lightning.network

Bitcoin: A Peer-to-Peer Electronic Cash System

Satoshi Nakamoto, 2008

The Bitcoin whitepaper. The base layer that Lightning sits on, and the original case for digital cash that does not require a trusted intermediary. Read it for the design principles, not for the price commentary that fills the rest of the internet.

bitcoin.org

Blind Signatures for Untraceable Payments

David Chaum, 1982

David Chaum's 1982 paper that defined blind digital signatures and the ecash design pattern. The basis for Cashu and every modern bearer-token system that wants the issuer to be unable to link issuance to redemption. Forty years old and still the right primitive for private digital cash.

chaum.com

Cashu protocol specification (NUTs)

cashubtc on GitHub, ongoing

The open Cashu protocol spec, kept as a set of numbered NUT documents. NUT-04 covers minting, NUT-05 covers melting, NUT-06 covers mint info. The reference for any team building on Cashu and the source for the technical claims about how Rythm settles cover-charge payments.

github.com

Hashcash: A Denial-of-Service Counter-Measure

Adam Back, 2002

Adam Back's 2002 paper on Hashcash, the proof-of-work scheme proposed as an anti-spam stamp on every email. Hashcash never reached deployment because it would have raised the cost for legitimate senders too. The historical context for why an explicit, recipient-paid cover charge replaced computational stamps as the structural answer to spam economics.

hashcash.org

The Case Against Micropayments

Clay Shirky, 2000

Clay Shirky's 2000 essay on why classical micropayments failed. The argument: the cognitive cost of every should-I-pay decision exceeds the financial cost being charged. The essay is the prior art for why a sender-paid cover charge (where the recipient pays nothing and the sender decides once per outbound list) works where per-page paywalls did not.

web.archive.org

The Case Against Micropayments

Andrew Odlyzko, 2003

Andrew Odlyzko's 2003 paper analyzing why classical micropayments fail. The non-technological barriers (cognitive friction on every decision, user resistance, the existing financial framework) get more attention than the technical ones. The conclusion most relevant to email cover charges: small payments only succeed when the friction is hidden, the price is set once, and the use is repeated. Email cover charges fit all three.

www-users.cse.umn.edu

Industry reports & data

Cybersecurity Threat Trends Report

Cisco Talos, 2024

Cisco Talos publishes ongoing analyses of email-borne malware, ransomware delivery, and BEC infrastructure. Telemetry comes from one of the largest network-security footprints in the industry. Useful when an argument needs a citation that is not Microsoft or Google but still represents very large-scale email observation.

blog.talosintelligence.com

X-Force Threat Intelligence Index

IBM X-Force, 2024

IBM X-Force's annual report on the threat landscape, with an extended chapter on initial access vectors. Phishing and stolen credentials remain the top two paths into a target environment. Pairs well with the IBM Cost of a Data Breach Report for cost and frequency together.

ibm.com

State of Email Security

Mimecast, 2024

Mimecast's annual State of Email Security drawn from a survey of IT decision-makers. The 2024 edition documents rising AI-driven phishing concern and increased BEC frequency at small and mid-market firms. Useful as a buyer-side complement to the supply-side reporting from carriers.

mimecast.com

Email Threats Report

Barracuda Networks, 2024

Barracuda's annual reporting tracks brand-impersonation phishing, conversation-hijacking attacks, and the rise of multi-step attacks that begin with a single innocuous email. The reports include specific dollar costs by company size, useful when sizing the problem for a small business audience.

barracuda.com

Threat Report

Sophos, 2024

Sophos's annual analysis combines email threat data with endpoint and ransomware telemetry. Useful when an argument needs to connect "the email got in" to what happened next. The Active Adversary chapter walks through the post-compromise stage that email-only reports skip.

sophos.com

Cybercrime Report

Cybersecurity Ventures, 2024

Cybersecurity Ventures projects cybercrime costs annually. Their headline number ($10.5 trillion projected by 2025) gets cited often, including in policy documents. Use carefully: the figure is a projection rather than a measurement, and the methodology is summary-level. Useful for industry context when treated as such.

cybersecurityventures.com

Email and attention

suggestions welcome

Know a paper that belongs here?

If a foundational paper is missing, or a recent report should join this index, send it our way. Email partners@rythm.xyz with the title, author, source, year, link, and a sentence on why it belongs. The founder reviews suggestions personally.

We add entries on a rolling basis. We do not pay for placement. We link to the original publisher; we do not republish.
