Email Security

Technical controls to dramatically reduce risk.

Your business depends on trust, and the email you send and receive carries much of it, right up until a spoofed message turns that trust into a liability. Cybercriminals exploit misconfigurations at least as often as they brute-force anything. This newsletter delivers technical controls, specific, actionable, and proven, to secure your email domain. SPF, DKIM, DMARC, and MTA-STS form the core. Let’s implement them with precision.

The Threat Landscape

Consider a logistics company in Texas, 2023. A spoofed email, impersonating the CEO, instructed a $300,000 transfer. The finance team complied; the funds vanished. Analysis revealed no SPF or DMARC records—nothing to block the forgery.

Verizon’s 2024 Data Breach Investigations Report found a human element, such as an employee falling for a phishing message, in 68% of breaches. Your email system is a target. The following controls mitigate that risk.

SPF: Sender Policy Framework

SPF publishes, in a DNS TXT record, the hosts authorized to send mail for your domain. A receiving server checks the connecting IP against that list for the domain in the SMTP envelope sender (MAIL FROM, later visible as Return-Path). On its own SPF says nothing about the From header the recipient sees; DMARC (below) ties the two together.

Implementation: Inventory every legitimate sending source: your mail servers, marketing platforms (e.g., Mailchimp), transactional services (e.g., SendGrid), and any ticketing or CRM tool that sends with your domain as the envelope sender.

  • Create one TXT record at the domain apex that lists those sources, normally through the include: mechanisms each vendor documents. Two SPF records on the same name is a permanent error, not a merge.

  • This is done in the DNS console that hosts your zone, which is often, but not always, the vendor you purchased your domain from (e.g., GoDaddy, NameCheap, etc.).

Action: Validate the record with MXToolbox’s SPF Checker and confirm it stays within the limit of 10 DNS-querying mechanisms (include:, a, mx, exists, ptr and redirect= all count); exceeding it yields permerror, which most receivers treat as having no SPF at all. Send a test email and read the Received-SPF or Authentication-Results header on the receiving side. Move from ~all to -all once every legitimate source passes.

In the example below, ~all marks unauthorized senders as a soft fail: receivers generally accept such mail but may flag it, whereas -all asks them to reject it. Note that forwarded mail commonly fails SPF, because the connecting IP changes while the envelope sender does not; DKIM and DMARC cover that gap.

 v=spf1 include:_spf.google.com include:sendgrid.net ~all
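To make the evaluation concrete, here is an added example (not code from the original newsletter) of how a receiving server walks an SPF record for a connecting IP. It runs offline against a constructed in-memory DNS table: the example.com record is the one shown above, while the _spf.google.com and sendgrid.net entries, strict.example and bloated.example are assumed values for the example, not the vendors’ real records. It shows the difference between ~all and -all, and why an over-long chain of include: mechanisms ends in permerror.

```python
"""Evaluate an SPF record for a connecting IP, offline, over a constructed DNS table."""
import ipaddress

# Constructed stand-in for DNS (assumed values; not the real records for these names).
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
    "strict.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.google.com": "v=spf1 ip4:209.85.128.0/17 ip4:74.125.0.0/16 ~all",
    "sendgrid.net": "v=spf1 ip4:167.89.0.0/17 ip4:198.21.0.0/21 ~all",
    # Eleven include: terms deliberately exceed the RFC 7208 limit of ten lookups.
    "bloated.example": "v=spf1 " + " ".join(["include:sendgrid.net"] * 11) + " -all",
}

MAX_LOOKUPS = 10                      # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}


def lookup_spf(domain):
    """Return the SPF TXT record for domain from the constructed table, or None."""
    record = FAKE_DNS.get(domain.lower())
    return record if record and record.startswith("v=spf1") else None


def check_spf(domain, ip, _lookups=None):
    """Return (result, lookups_used) for a MAIL FROM domain and connecting IP.

    Results follow RFC 7208: pass, fail, softfail, neutral, none, permerror.
    _lookups is a shared counter so include: chains are counted across recursion.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = lookup_spf(domain)
    if record is None:
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:               # modifiers (redirect=, exp=) are not handled here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in LOOKUP_MECHANISMS:
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
        if mech in ("ip4", "ip6"):
            # An address of the other IP version never matches, so ip6 terms are skipped for IPv4.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier], lookups[0]
        elif mech == "include":
            sub_result, _ = check_spf(arg, ip, lookups)
            if sub_result == "permerror":
                return "permerror", lookups[0]
            if sub_result == "pass":
                return QUALIFIERS[qualifier], lookups[0]
            # An include that does not pass just falls through to the next term.
        elif mech == "all":
            return QUALIFIERS[qualifier], lookups[0]
        # a/mx/exists/ptr: the lookup was counted above; this toy table has no A/MX data.
    return "neutral", lookups[0]


if __name__ == "__main__":
    for dom, ip in [("example.com", "209.85.130.5"), ("example.com", "203.0.113.9"),
                    ("strict.example", "203.0.113.9"), ("bloated.example", "203.0.113.9")]:
        print(dom, ip, check_spf(dom, ip))
```

The result that matters operationally is the lookup counter: a record built by pasting in every vendor’s include: line can pass the syntax checker and still return permerror for every message once the tenth lookup is crossed.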

Real-World Example: A UK retailer deployed SPF in 2022, reducing phishing attempts by 40% within weeks as receiving servers rejected unauthenticated emails.

DKIM: DomainKeys Identified Mail

DKIM adds a cryptographic signature, carried in a DKIM-Signature header, over selected headers and a hash of the body. A receiver fetches the signing domain’s public key from DNS and verifies it, which proves the message came from that domain and was not altered in transit.

Implementation: Generate a key pair in your email provider (e.g., Google Workspace, ProtonMail, Microsoft 365, etc.). Choose 2048-bit RSA where the provider offers it; RFC 8301 recommends 2048 bits, with 1024 as the minimum.

  • Publish the public key as a DNS TXT record at <selector>._domainkey.[domain]. The selector is just a name for this key; publishing each new key under a new selector lets you rotate keys without breaking mail already in transit.

  • Enable signing on your mail server or provider, and separately on every third-party service that sends as your domain (each will hand you its own selector and record).

Action: Send a test email. Use dmarcian’s Inspector, or simply read the Authentication-Results header the receiving server adds, to confirm the signature verifies (dkim=pass). Check that the d= domain in the DKIM-Signature header is your own domain, not the vendor’s: a signature by the vendor’s domain verifies fine but will not count toward DMARC.

selector1._domainkey.[domain] TXT "v=DKIM1; k=rsa; p=[public_key]"

[Diagram: how DKIM works at a high level]
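The following is an added example, not from the original post, of the part of DKIM a verifier can do with no keys at all: parsing the tag=value syntax shared by the DKIM-Signature header and the DNS record, canonicalizing the body, and checking the bh= body hash. The message body and signature header are constructed for the example (the b= value is a placeholder, since producing it requires the domain’s private key). It also shows why relaxed canonicalization survives whitespace changes that simple does not, and how to recognize a revoked key (empty p=) in a published record.

```python
"""DKIM pieces that need no private key: tag parsing, body canonicalization, bh= check."""
import base64
import hashlib
import re


def parse_tags(value):
    """Parse a DKIM tag=value list (same syntax in DKIM-Signature and the _domainkey TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)   # folding whitespace is insignificant
    return tags


def canon_body_simple(body):
    """RFC 6376 3.4.3: CRLF line ends; trailing empty lines collapse to a single CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith("\r\n") else body + "\r\n"


def canon_body_relaxed(body):
    """RFC 6376 3.4.4: WSP runs become one space, trailing WSP and trailing empty lines go."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ")
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, canon="relaxed", length=None):
    """Compute the base64 SHA-256 bh= value the signer places in DKIM-Signature."""
    data = (canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)).encode()
    if length is not None:              # l= tag: only the first l bytes are covered
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def verify_body_hash(dkim_signature, body):
    """Check the bh= tag against the actual body; a mismatch means the body was altered."""
    tags = parse_tags(dkim_signature)
    canon = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]   # body canon, default simple
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, canon, length) == tags.get("bh")


def key_record_status(txt_record):
    """Sanity-check a <selector>._domainkey TXT record: an empty p= means the key is revoked."""
    tags = parse_tags(txt_record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "invalid"
    if not tags.get("p"):
        return "revoked"
    return "active"


# Constructed message body and a DKIM-Signature header built with this file's own bh=;
# b= is a placeholder because producing it needs the domain's private key (the MTA's job).
SAMPLE_BODY = "Invoice 4471 is attached; please pay by Friday.\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;"
    " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + "; b=[signature]"
)

if __name__ == "__main__":
    print("signature tags:", parse_tags(SAMPLE_SIGNATURE))
    print("body hash matches:", verify_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY))
    print("after tampering:", verify_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY.replace("Friday", "today")))
    print("key record:", key_record_status("v=DKIM1; k=rsa; p="))
```

Relaxed body canonicalization is the usual choice precisely because mailing lists and gateways tend to reflow whitespace; the header-side signature check, which needs the public key from DNS, is where d= alignment with your From domain is decided.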

DMARC: Domain-based Message Authentication, Reporting, and Conformance

DMARC builds on SPF and DKIM. A message passes when at least one of them passes and the domain it authenticated (the SPF envelope-sender domain or the DKIM d= domain) aligns with the domain in the visible From header. Your DMARC record tells receivers what to do with everything else, and where to send reports.

Implementation: 

  • Add a DNS TXT record at _dmarc.[domain] and publish it (same process as above, different syntax).

  • The p tag sets the policy receivers apply to mail that fails alignment: none, quarantine, or reject. The rua tag names the mailbox that receives daily aggregate reports. Begin with p=none so you can see every source that sends as your domain, move to p=quarantine once the reports show all legitimate sources passing, and finally advance to p=reject.

Action: Analyze the aggregate reports with a tool such as dmarcian’s Inspector. Each failing source is either a legitimate sender you have not yet covered (a missing SPF include, unsigned vendor mail, a DKIM d= that does not align) or a spoofer; fix the former, then escalate the policy.

_dmarc.[domain] TXT v=DMARC1; p=quarantine; rua=mailto:[email protected]
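As an added example (not the newsletter’s own code), here is the logic a receiver applies when it evaluates DMARC: relaxed versus strict alignment through the organizational domain, the sp subdomain policy, and the pct=0 downgrade, followed by a triage of a constructed aggregate (rua) report. The public-suffix table, domains and report contents are assumed values for the example, not real data.

```python
"""DMARC evaluation (alignment + policy) and aggregate-report triage, offline."""
import xml.etree.ElementTree as ET

# Constructed subset of the Public Suffix List; production code loads the real list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain: the label just above the public suffix (mail.example.com -> example.com)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(from_domain, auth_domain, mode="r"):
    """Relaxed ('r') alignment needs the same org domain; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF checked; dkim_domain is the d= tag of a
    verifying signature (None if none verified). pct sampling is modelled only for pct=0.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none", "none"             # malformed record: no DMARC policy applies
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]               # From: sub.example.com falls under the subdomain policy
    if tags.get("pct", "100") == "0":     # RFC 7489 6.6.4: unsampled mail gets the next-lower policy
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


# Constructed aggregate (rua) report in the RFC 7489 Appendix C shape, trimmed to the fields used.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>209.85.130.5</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.20</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulkmailer.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>7</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def failing_sources(report_xml):
    """Map source IP -> (count, raw SPF domain) for rows where neither SPF nor DKIM aligned.

    A row whose raw SPF passed for an unrelated domain (the second record) is a legitimate
    vendor sending unaligned mail: fix the include:/DKIM setup rather than treat it as an attack.
    """
    root = ET.fromstring(report_xml)
    out = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            continue
        out[row.findtext("source_ip")] = (int(row.findtext("count")),
                                          rec.findtext("auth_results/spf/domain"))
    return out


if __name__ == "__main__":
    print(evaluate("v=DMARC1; p=quarantine", "example.com", "pass", "bulkmailer.example", "fail", None))
    print(failing_sources(SAMPLE_REPORT))
```

The second report row is the case that trips most rollouts: SPF passes for the vendor’s own envelope domain, so the vendor dashboard looks green, but nothing aligns with your From domain, so DMARC fails and p=quarantine would start hiding that mail.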

Real-World Example: A Fortune 100 software company implemented DMARC across its email domains to combat phishing and spoofing attacks targeting its customers.

MTA-STS: SMTP MTA Strict Transport Security (with SMTP TLS Reporting)

MTA-STS lets your domain declare that mail delivered to it must use TLS with a certificate valid for your MX hosts. Plain SMTP negotiates STARTTLS opportunistically, so an on-path attacker can strip the offer, or answer for a forged MX record, and the sender silently falls back to plaintext. A sender that honours an MTA-STS policy in enforce mode refuses to deliver instead of downgrading.

Implementation: Host a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt, served as text/plain over HTTPS. The file lists version, mode (testing, enforce, or none), one mx: line per MX host (a leading wildcard such as *.mail.[domain] is allowed), and max_age, the number of seconds senders may cache it.

  • Configure a DNS A or CNAME record for mta-sts.[domain] pointing at the HTTPS web server that hosts the policy file.

  • Publish a TXT record at _mta-sts.[domain] (note the leading underscore; this is a different name from the web host above) with the value v=STSv1; id=<opaque string>. Change the id whenever you modify the policy file: senders cache the policy until max_age expires and only refetch early when the id changes.

  • Deploy the HTTPS web server with a certificate from a publicly trusted CA for the mta-sts subdomain; a self-signed or expired certificate makes senders discard the policy.

  • (Optional but recommended) Enable SMTP TLS Reporting (TLS-RPT) with a TXT record at _smtp._tls.[domain] of the form v=TLSRPTv1; rua=mailto:[address]. Senders then mail you a daily report of failed or downgraded connections. TLS-RPT itself has no mode; the testing/enforce switch is the mode line in the policy file.

Roll this out by publishing the two DNS records above and a policy file with mode: testing. In testing mode, compliant senders still deliver even when something does not check out, but they tell you about it through TLS-RPT, so mail flow is not disrupted while you confirm that every MX host presents a valid certificate for its name and matches an mx: line. Switch to mode: enforce only once the reports come back clean.

Action: Verify the policy, DNS records and MX certificates with CheckTLS. Monitor the TLS-RPT reports and your server logs for failures, fix them, and then move to enforce.
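Putting the policy file and DNS records together, here is an added example, not from the original newsletter, of what a sending MTA does with an MTA-STS policy: parse and validate it, match the MX host against the mx: patterns (including the one-label wildcard), decide whether to deliver under testing versus enforce mode, and generate the two TXT records with an id derived from the policy text. The policy, hostnames and report address are constructed for the example; the failure labels follow the result-type names of RFC 8460 so they could go straight into a TLS-RPT report.

```python
"""MTA-STS from the sending side: parse a policy, match MX hosts, decide delivery, emit DNS records."""
import hashlib

# Constructed policy as it would be served from https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY_TEXT = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.com\n"
    "mx: *.mail.example.net\n"
    "max_age: 604800\n"
)


def parse_policy(text):
    """Parse and validate an RFC 8461 policy file; raise ValueError on anything a sender must reject."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be an integer number of seconds")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx: line is required unless mode is none")
    policy["max_age"] = int(policy["max_age"])
    return policy


def mx_matches(policy, mx_host):
    """RFC 8461 4.1: a leading '*.' matches exactly one leftmost label, so *.mail.example.net
    matches a.mail.example.net but neither mail.example.net nor a.b.mail.example.net."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            if "." in host and host.split(".", 1)[1] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, starttls_offered, cert_valid_for_host):
    """Return (action, failure_types) for one MX connection attempt."""
    failures = []
    if not mx_matches(policy, mx_host):
        failures.append("validation-failure")     # MX not covered by the policy (possibly forged MX)
    if not starttls_offered:
        failures.append("starttls-not-supported")
    elif not cert_valid_for_host:
        failures.append("certificate-host-mismatch")
    if not failures:
        return "deliver", failures
    if policy["mode"] == "enforce":
        return "do-not-deliver", failures         # refuse rather than downgrade to plaintext
    return "deliver-and-report", failures         # testing/none: deliver, but report via TLS-RPT


def dns_records(domain, policy_text, report_address):
    """The two TXT records for the zone. The id is derived from the policy text, so it changes
    automatically whenever the policy file changes (senders cache the old one up to max_age)."""
    policy_id = hashlib.sha256(policy_text.encode()).hexdigest()[:16]
    return {
        f"_mta-sts.{domain}": f"v=STSv1; id={policy_id}",
        f"_smtp._tls.{domain}": f"v=TLSRPTv1; rua=mailto:{report_address}",
    }


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY_TEXT)
    for host, tls, cert in [("mail.example.com", True, True), ("mail.example.com", False, False),
                            ("mx.attacker.example", True, True)]:
        print(host, delivery_decision(policy, host, tls, cert))
    for name, value in dns_records("example.com", SAMPLE_POLICY_TEXT, "tls-reports@example.com").items():
        print(name, "TXT", value)
```

Note the wildcard rule: a policy listing *.example.com does not cover example.com itself or a two-label host beneath it, which is a common reason a freshly enabled policy fails for one MX while the others pass.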

Real-World Example: In 2022, Microsoft announced the integration of MTA-STS into Exchange Online and has since successfully validated hundreds of thousands of connections to protected domains.

Strategic Implementation

Securing email is a systematic process. Each control reinforces the others.

The Texas company suffered from inaction; you can avoid that fate.

Begin with SPF—access your DNS provider, configure the record, and validate it. Next, deploy DKIM, followed by DMARC, and finally MTA-STS.

Incremental progress ensures stability and effectiveness.

Next Steps

Start with SPF. Log into your DNS console, enter the TXT record, and test it. Observe the outcome. You’re not merely configuring settings—you’re asserting control. This approach prioritizes precision over panic. The framework is established, and the evidence is compelling. The decision rests with you.

As a small business owner myself, I had to research these settings and configurations, learn how to implement them, and lead by example (it’s a security consulting business after all). Feel free to find me at Marathon Security Consulting if you want tailored guidance.

Thanks for reading and stay safe out there!

Need security but don’t have a budget for dedicated staff?

Our Security Mentor Service offers personalized guidance, expert insights, and individualized sessions to build your security internally. It reduces risk and saves money on contractors and managed services by empowering you or your staff.

Start today and unlock potential, boost security, and provide value to your team!