Domain 4 · 4.5 Enterprise Capabilities

4.5.5 Email Security

DMARC, DKIM, SPF, gateway.

13 min

Email security encompasses the technologies and policies designed to protect mail communications, ensuring the confidentiality, integrity, and availability (CIA) of message data while preventing spoofing and phishing.

Authentication and Validation Protocols Email authentication relies on three core DNS-based records to verify sender identity and prevent unauthorized domain usage. - SPF (Sender Policy Framework): A DNS record that lists every authorized IP address or hostname permitted to send email on behalf of a domain. When a mail server receives a message, it checks the SPF record to see if the sending server is on the "approved" list. - DKIM (DomainKeys Identified Mail): Provides a digital signature for the email header. It uses public-key cryptography to ensure the message content was not altered in transit (integrity) and verifies the sender's identity. - DMARC (Domain-based Message Authentication, Reporting, and Conformance): A framework that uses SPF and DKIM to tell receiving servers how to handle emails that fail authentication. Results can include none (monitor only), quarantine (send to spam), or reject (block the email entirely).

Email Gateways An Email Gateway (or Secure Email Gateway - SEG) acts as a checkpoint for all incoming and outgoing mail. - Spam Filtering: Automatically identifies and blocks unsolicited bulk messages or known malicious senders. - DLP (Data Loss Prevention): Scans outgoing emails for sensitive data like PII (Personally Identifiable Information), intellectual property, or financial records to prevent unauthorized data exfiltration. - Encryption: Automatically encrypts sensitive messages to maintain confidentiality if the recipient's system supports it (S/MIME or PGP). - Malware Inspection: Uses sandboxing to open suspicious attachments in a safe environment before they reach the user.

Strategic Implementation Securing email requires balancing the Security-Functionality-Resources triad. Excessive security (e.g., blocking all attachments) reduces functionality, while a lack of resources may limit the implementation of advanced gateway features. - Security Posture: Organizations must implement email policies as part of their overall security posture to mitigate risks from human negligence or vindictive actors. - External Entities: Security extends to partners and vendors; DMARC reporting helps organizations see if third parties are correctly authorized to send mail on their behalf.

Quick Recall - SPF: The "White List" of IP addresses authorized to send mail. - DKIM: The "Digital Signature" for message integrity. - DMARC: The "Instruction Manual" on what to do when SPF/DKIM fail. - Gateway: The "Bouncer" that filters spam and prevents data leaks (DLP). - Phishing: The primary threat email security seeks to mitigate via authentication.