Email Security

Authentication Stack (DMARC / DKIM / SPF)

SPF   → Which servers are allowed to send email for this domain
DKIM  → Cryptographic signature over selected headers and the body, proving they weren't altered in transit and that the signing domain vouches for the message
DMARC → Policy that combines SPF + DKIM and tells receivers what to do on failure

SPF (Sender Policy Framework)

  • DNS TXT record listing the servers authorized to send mail for a domain
  • Limits envelope-sender spoofing: the receiver checks the connecting server's IP against the record published for the MAIL FROM domain
  • Example record (allow Google's senders, softfail everything else):
      v=spf1 include:_spf.google.com ~all

DKIM (DomainKeys Identified Mail) — RFC 6376

  • Adds a cryptographic signature to outgoing email headers
  • Receiver verifies the signature using the public key in DNS
  • Protects integrity and sender authenticity

DMARC (Domain-based Message Authentication, Reporting & Conformance)

  • Builds on SPF + DKIM — defines what to do when checks fail
  • Passes only when SPF or DKIM passes AND the authenticated domain aligns with the visible From: domain (this is what stops a forged From header)
  • Policy lives in a _dmarc TXT record; aggregate reports (rua=) show who is sending as your domain
      p=none       → Monitor only (no enforcement)
      p=quarantine → Send to spam
      p=reject     → Block the message entirely

S/MIME (Secure/Multipurpose Internet Mail Extensions)

  • Encrypts email content and adds a digital signature
  • Ensures confidentiality, integrity, and authenticity
  • Requires certificates issued by a trusted CA

Email Gateway

Acts as a relay/filter between the internet and your internal mail server.

Functions:
- Inbound spam / phishing filtering
- Outbound DLP scanning
- Malware attachment scanning
- SPF / DKIM / DMARC enforcement
- TLS enforcement for encrypted delivery

DLP for Email

Monitors outbound email for sensitive data:

  • Credit card numbers, SSNs, PHI
  • Classified document fingerprints
  • Can block, quarantine, or alert on policy violations

Common Email Threats

Attack                → Description
Phishing              → Mass deceptive email to harvest credentials
Spear phishing        → Targeted phishing using personal info
Whaling               → Spear phishing targeting executives
BEC                   → Business Email Compromise — impersonate an exec to trigger a wire transfer
Email spoofing        → Forged From header — mitigated by SPF/DKIM/DMARC
Malicious attachments → Macros, executables, PDFs exploiting vulnerabilities

Quick Checks

# Verify SPF record (+short prints only the record data)
dig +short TXT yourdomain.com | grep "v=spf1"

# Verify DKIM public key ("selector" is the s= tag from a DKIM-Signature header)
dig +short TXT selector._domainkey.yourdomain.com

# Verify DMARC policy
dig +short TXT _dmarc.yourdomain.com

# Check a received message's headers for the receiver's auth results
Received-SPF: pass
DKIM-Signature: ...
Authentication-Results: dmarc=pass
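To make the DMARC policy table and the dmarc=pass header result above concrete, here is an added example (not from the original notes) that evaluates DMARC the way a receiver does: parse the _dmarc record, test SPF/DKIM alignment against the From: domain, and pick the disposition. It assumes a simplified organizational-domain rule (last two labels) instead of the Public Suffix List a real receiver uses.

```python
# Added example: minimal DMARC evaluation (RFC 7489 logic, simplified).

def org_domain(domain: str) -> str:
    # Assumption/simplification: organizational domain = last two labels.
    # Real receivers consult the Public Suffix List (e.g. "example.co.uk").
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_dmarc(txt: str) -> dict:
    # Parse "tag=value; tag=value" from the _dmarc TXT record.
    # Defaults: relaxed alignment for DKIM and SPF, policy none.
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    # Strict ("s") needs an exact match; relaxed ("r") accepts the same org domain.
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(record: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    # spf_domain is the MAIL FROM domain SPF was checked against;
    # dkim_domain is the d= tag of the verified DKIM-Signature.
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else tags["p"],   # none | quarantine | reject
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
    }

if __name__ == "__main__":
    # Constructed sample: attacker's own domain passes SPF, but it does not align
    # with the forged From: domain, so the published p=reject policy applies.
    print(dmarc_evaluate("v=DMARC1; p=reject; adkim=s; aspf=r",
                         "example.com", "pass", "attacker.example", "none", ""))
```

The first case shows why SPF "pass" on its own is not enough: the bounce domain and the From: domain must belong together, otherwise the message fails DMARC and gets the published disposition.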