Email Security#

Reference of email authentication standards (SPF / DKIM / DMARC / BIMI / MTA-STS / TLS-RPT / DANE), secure email gateways, message-formatting standards, and the operator- focused defenses against phishing, BEC, and account takeover.

For broader cryptographic context, see Cryptographic Primitives. For identity providers + SSO, see Identity Providers (IdPs). For DNS, see DNS Providers.

Authentication standards#

Standard

Notes

SPF (RFC 7208)

Sender Policy Framework; TXT record listing authorized sending IPs for the envelope-from domain; “v=spf1 … -all”.

DKIM (RFC 6376)

DomainKeys Identified Mail; cryptographic signature over selected headers + body; published key TXT record at <selector>._domainkey.<domain>.

DMARC (RFC 7489)

Domain-based Message Authentication, Reporting & Conformance; policy + alignment + reporting layered on SPF + DKIM; “v=DMARC1; p=none|quarantine|reject; rua=mailto:…”; new RFC drafts in 2024.

ARC (RFC 8617)

Authenticated Received Chain; preserves SPF/DKIM/DMARC results across forwarders + mailing lists.

BIMI (Brand Indicato rs)

Brand logo display in inbox; requires DMARC enforce + VMC (Verified Mark Certificate; CA-issued).

MTA-STS (RFC 8461)

SMTP MTA Strict Transport Security; HTTPS-published policy forcing TLS for inbound MTA.

TLS-RPT (RFC 8460)

SMTP TLS Reporting; reports of MTA-STS / DANE failures.

DANE (RFC 7672)

DNS-based Authentication of Named Entities; TLSA records for SMTP TLS pinning; needs DNSSEC.

S/MIME

X.509 + CMS; per-message E2EE (signature + encryption); enterprise default; key distribution via cert dir / X.509.

PGP / OpenPGP

RFC 9580 / 4880; web-of-trust or manual key exchange; legacy stronghold.

Message format#

Standard

Notes

RFC 5322

Internet Message Format; the modern email RFC.

RFC 5321

SMTP transport.

RFC 822 / 2822

Earlier IMF spec.

MIME (RFC 2045-2049)

Multipurpose Internet Mail Extensions.

HTML email

Defacto inline HTML body.

S/MIME message

Encrypted / signed message envelope.

PGP/MIME (RFC 3156)

PGP message envelope.

Maildir / Mbox

Local storage formats.

EML

File extension for individual messages.

PST / OST

Microsoft Outlook offline storage.

MSG

Outlook single-message file.

Protocols#

Protocol

Notes

SMTP / 25 / 587 / 465

Send.

SMTP STARTTLS

Opportunistic TLS upgrade.

SMTP MTA-STS / DANE

Enforced TLS.

IMAP / 143 / 993

Mailbox access (multi-device).

POP3 / 110 / 995

Mailbox download.

MAPI

Microsoft Exchange protocol; Outlook native.

EWS

Exchange Web Services; HTTP/SOAP.

Microsoft Graph API

Modern replacement for EWS.

JMAP

JSON Meta API Protocol; REST replacement for IMAP / SMTP.

ActiveSync

Mobile mailbox sync.

ManageSieve / Sieve

Mailbox-side filtering rules.

Major email providers#

Provider

Notes

Microsoft 365

Exchange Online; the dominant enterprise platform.

Google Workspace

Gmail-derived enterprise.

Apple iCloud Mail

Consumer + family.

Yahoo Mail / AOL

Verizon Media now under AOL/Yahoo!.

Proton Mail

E2EE Swiss provider.

Tutanota

E2EE German provider.

Fastmail

IMAP-friendly Australian provider.

Zoho Mail

Indian SMB.

mxroute / Migadu

Indie hosts.

Sendinblue / Brevo

Transactional + marketing.

Mailchimp / SendGrid

Transactional.

Postmark

Transactional.

SES

AWS Simple Email Service.

Mailgun

Transactional.

Postal

OSS transactional MTA.

Mailcow

OSS Docker mail server.

iRedMail

OSS mail platform.

Postfix + Dovecot

The classic OSS stack.

Exim

Long-running OSS MTA.

Sendmail

The original; legacy.

Secure email gateways#

Vendor

Notes

Proofpoint Email Protection

Largest enterprise SEG; URL Defense + TAP.

Mimecast

UK-origin; strong DLP + archiving.

Microsoft Defender for O365

Native MS; Safe Links + Safe Attachments.

Google Advanced Protection

Built into Workspace.

Cisco Secure Email

IronPort-derived.

Trellix Email Security

McAfee + FireEye merged.

Trend Micro Email

ScanMail / Cloud App Security.

Barracuda

SMB.

SpamTitan

SMB.

Fortinet FortiMail

SMB / mid.

Sophos Email Security

Synchronised with endpoint.

Avanan / Check Point

API-integrated email security; Office 365 / Gmail post-delivery.

Abnormal Security

ML-driven; account compromise + BEC focus.

Tessian / Egress

AI for outbound + insider risk.

Material Security

Phishing simulation + mailbox-level DLP.

Sublime Security

Detection-as-code; YAML-rule SEG.

Vade / Hornetsecurity

EU SMB.

Coro

SMB / mid SaaS.

Phishing simulation / training#

Vendor

Notes

KnowBe4

Largest by volume; training + sim.

Proofpoint Security A wareness

Wombat-derived.

Cofense (PhishMe)

Sim + crowd-sourced reporting.

Hoxhunt

Behavior-based.

Curricula

Story-based.

Microsoft Attack Sim

ulation Training Built into Defender for O365.

Gophish

OSS phishing framework (research).

Lucy Security

Commercial sim.

Wizer

Free / paid sim.

Hook Security

Sim + training.

Common attack classes#

Attack

Notes

Generic phishing

Lookalike domains, brand impersonation; URL → cred capture.

Spear phishing

Targeted; reconnaissance-driven.

Whaling

Executive-targeting.

BEC / EAC

Business Email Compromise; CEO fraud, vendor fraud, payroll diversion. ~$2.7B ann. losses (FBI IC3 2023).

EAC

Email Account Compromise; legitimate mailbox abused.

AiTM phishing

Adversary-in-the-Middle; reverse-proxy (evilginx/Modlishka) captures session cookies post-MFA.

Subdomain spoof

Lookalike subdomains (gocgle.com, app1e.com) + IDN homoglyphs.

SMTP smuggling

Inbound parse-disagreement re: end-of-data; allow header manipulation past gateway.

ARC abuse

Forging ARC chain to maintain pass-through.

Embedded malware

ISO / LNK / OneNote / SVG / HTML smuggling.

Conversation hijack

Reply-thread takeover; legit signed conversation continued by attacker (Qakbot / IcedID).

Quishing

QR-code phishing.

Vishing / smishing

Voice / SMS variants; SS7 vulnerabilities.

DMARC deployment notes#

Stage

Notes

  1. Inventory

List sending services; build SPF + DKIM for each.

  1. Publish p=none

With rua= to collect aggregate XML reports.

  1. Analyze reports

Use Dmarcian / EasyDMARC / Postmark DMARC monitor.

  1. Fix legitimate

Add to SPF / get DKIM keys per service.

  1. Move to p=quarantine

quarantine 1% → 10% → 25% → 100%.

  1. Move to p=reject

Inbound providers will bounce non-aligned.

Ranges to publish:

  • SPF: -all (hard fail) or ~all (soft).

  • DKIM: rotate keys ≥ annually; 2048-bit RSA min.

  • DMARC: p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:reports@…

  • MTA-STS: enforce; max_age=86400.

  • TLS-RPT: rua=mailto:tlsrpt@…

Operator notes#

  • DMARC at p=reject is now table stakes, Yahoo / Google bulk-sender requirements (Feb 2024) effectively mandate DMARC + SPF + DKIM + ARC for >5k/day senders.

  • AiTM phishing defeats SMS / TOTP MFA, only FIDO2 / passkeys + token binding survive.

  • Inbound TLS is opportunistic by default, enforce with MTA-STS + TLS-RPT.

  • Forwarding breaks SPF, ARC + DKIM survive better; educate users about auto-forward risks.

  • Mailbox-rule attack, attackers create rules to hide replies to fraudulent emails; audit rules quarterly + alert on changes.

  • Salesforce / SaaS-app email senders, often the most forgotten DMARC alignment break.

  • BEC funds recovery window is < 72 hr, have an IR playbook with bank fraud-rec contacts pre-positioned.

  • PGP / S/MIME, niche; required for sensitive comms (sources, lawyers); usability still poor.

References#