Email security

Email security is becoming more and more important, because email is still one of the main ways attackers try to get access to organizations.

Attackers know that email can be a very direct route to sensitive data, systems, and sometimes even privileged access. This often happens through users who are not aware of the risks, or who accidentally click something, share information, or approve access they should not.

To reduce the most basic risks, I’ve created a dedicated category with essential email security settings that should be applied to every domain we own. This also includes domains that are not actively used for sending or receiving email, because attackers can still abuse those domains for spoofing or impersonation.

In the pages in this category, I dive into how to configure the different security mechanisms that enhance your email security, keep as few of your legitimate messages as possible from being marked as spam, and minimize the risk of your domain(s) being spoofed in the attacks happening every minute of the day.


Check your domains’ email security posture

To check your domains’ email security posture based on their DNS configuration, I have built the DNS MEGAtool, which gives you an overview of the configuration within seconds.

Use the DNS MEGAtool



Configure on any domain

In my opinion, the security mechanisms below must be configured on every domain you own. Most companies have various stale or stand-by domains; even there you should configure at least the basics, as this helps you prevent spoofing and similar attacks.

1. SPF record

On all your domains, make sure you use an SPF record with a hardfail policy active. For stale or stand-by domains, configure the following:

v=spf1 -all

This says that no entity is trusted to send on behalf of your domain. Without this record, any entity on the internet could be treated as a legitimate sender, because you have not published a list of trusted senders. How strictly this is enforced depends on the configuration of the receiving mail server.

To configure SPF records for active domains, refer to my SPF guide:

SPF record configuration guide

2. DMARC record

On all your domains, make sure you use a DMARC record with a reject policy active. For stale or stand-by domains, configure the following:

v=DMARC1; p=reject;

This will ensure that your domain is no longer available for spoofing, because you have published a policy that says: “If this domain is being used outside of my SPF and DKIM mechanisms, reject the email messages”.

To configure DMARC records for active domains, refer to my DMARC guide:

DMARC record configuration guide
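To illustrate the baseline from sections 1 and 2, here is an added example (my own illustration, not the DNS MEGAtool or any code from the guides linked above) that evaluates published SPF and DMARC TXT records against that baseline: the SPF record must end in a hardfail `-all`, and the DMARC record must enforce `p=reject` (and not weaken it for subdomains via `sp=`). The sample records and domain names are constructed so the check runs offline; swapping `offline_lookup` for a real TXT query is an assumption left to the reader.

```python
from typing import Callable, Dict, List

# Constructed sample TXT records for hypothetical domains (no real DNS lookups).
SAMPLE_TXT: Dict[str, List[str]] = {
    "parked.example":        ["v=spf1 -all"],
    "_dmarc.parked.example": ["v=DMARC1; p=reject;"],
    "weak.example":          ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.weak.example":   ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "empty.example":         [],
}

def offline_lookup(name: str) -> List[str]:
    """Stand-in resolver returning the constructed records above."""
    return SAMPLE_TXT.get(name, [])

def spf_findings(records: List[str]) -> List[str]:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record, any host may claim to send for this domain"]
    if len(spf) > 1:
        return ["SPF: multiple records, receivers treat this as a permanent error"]
    terms = spf[0].split()[1:]
    # The qualifier on the final 'all' term decides the fate of unlisted senders.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["SPF: no 'all' term, unlisted senders get a neutral result"]
    q = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    return [] if q == "-" else [f"SPF: 'all' qualifier is '{q}', expected hardfail '-all'"]

def dmarc_findings(records: List[str]) -> List[str]:
    dmarc = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record, SPF/DKIM failures are not enforced"]
    tags = {}
    for part in dmarc[0].split(";"):          # tag=value pairs separated by ';'
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    policy = tags.get("p")
    if policy != "reject":
        return [f"DMARC: policy is '{policy}', expected 'reject'"]
    sub = tags.get("sp", policy)              # 'sp' defaults to 'p' when absent
    return [] if sub == "reject" else [f"DMARC: subdomain policy 'sp={sub}' weaker than reject"]

def check_domain(domain: str, lookup: Callable[[str], List[str]] = offline_lookup) -> List[str]:
    """Return all findings for a domain; an empty list means the baseline is met."""
    return spf_findings(lookup(domain)) + dmarc_findings(lookup(f"_dmarc.{domain}"))

if __name__ == "__main__":
    for d in ("parked.example", "weak.example", "empty.example"):
        print(d, "->", check_domain(d) or ["OK"])
```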


Configure on sending/receiving domains

The following records only need to be configured on domains that actually send and receive email messages, because they all relate to message delivery.

3. DKIM record

Configure DKIM records for every service that sends email on behalf of your domain. Refer to my setup guide on how to configure this and how DKIM helps you prevent man-in-the-middle attacks on email.

DKIM record configuration guide

4. TLS-RPT record

Configure a TLS-RPT record to receive TLS deliverability reports from senders delivering to your domain, so you can detect possible email deliverability problems before they cost you customers and projects.

TLS-RPT record configuration guide

5. MTA-STS record

Configure an MTA-STS record including policy to

MTA-STS record configuration guide

6. SMTP DANE (supported services only)

If using Microsoft 365, configure SMTP DANE to further increase email security by leveraging the DNSSEC protocol.

SMTP DANE record configuration guide

