Email Security#
Reference of email authentication standards (SPF / DKIM / DMARC / BIMI / MTA-STS / TLS-RPT / DANE), secure email gateways, message-formatting standards, and the operator- focused defenses against phishing, BEC, and account takeover.
For broader cryptographic context, see Cryptographic Primitives. For identity providers + SSO, see Identity Providers (IdPs). For DNS, see DNS Providers.
Authentication standards#
Standard |
Notes |
|---|---|
SPF (RFC 7208) |
Sender Policy Framework; TXT record listing authorized sending IPs for the envelope-from domain; “v=spf1 … -all”. |
DKIM (RFC 6376) |
DomainKeys Identified Mail; cryptographic signature over selected headers + body; published key TXT record at <selector>._domainkey.<domain>. |
DMARC (RFC 7489) |
Domain-based Message Authentication, Reporting & Conformance; policy + alignment + reporting layered on SPF + DKIM; “v=DMARC1; p=none|quarantine|reject; rua=mailto:…”; new RFC drafts in 2024. |
ARC (RFC 8617) |
Authenticated Received Chain; preserves SPF/DKIM/DMARC results across forwarders + mailing lists. |
BIMI (Brand Indicato rs) |
Brand logo display in inbox; requires DMARC enforce + VMC (Verified Mark Certificate; CA-issued). |
MTA-STS (RFC 8461) |
SMTP MTA Strict Transport Security; HTTPS-published policy forcing TLS for inbound MTA. |
TLS-RPT (RFC 8460) |
SMTP TLS Reporting; reports of MTA-STS / DANE failures. |
DANE (RFC 7672) |
DNS-based Authentication of Named Entities; TLSA records for SMTP TLS pinning; needs DNSSEC. |
S/MIME |
X.509 + CMS; per-message E2EE (signature + encryption); enterprise default; key distribution via cert dir / X.509. |
PGP / OpenPGP |
RFC 9580 / 4880; web-of-trust or manual key exchange; legacy stronghold. |
Message format#
Standard |
Notes |
|---|---|
RFC 5322 |
Internet Message Format; the modern email RFC. |
RFC 5321 |
SMTP transport. |
RFC 822 / 2822 |
Earlier IMF spec. |
MIME (RFC 2045-2049) |
Multipurpose Internet Mail Extensions. |
HTML email |
Defacto inline HTML body. |
S/MIME message |
Encrypted / signed message envelope. |
PGP/MIME (RFC 3156) |
PGP message envelope. |
Maildir / Mbox |
Local storage formats. |
EML |
File extension for individual messages. |
PST / OST |
Microsoft Outlook offline storage. |
MSG |
Outlook single-message file. |
Protocols#
Protocol |
Notes |
|---|---|
SMTP / 25 / 587 / 465 |
Send. |
SMTP STARTTLS |
Opportunistic TLS upgrade. |
SMTP MTA-STS / DANE |
Enforced TLS. |
IMAP / 143 / 993 |
Mailbox access (multi-device). |
POP3 / 110 / 995 |
Mailbox download. |
MAPI |
Microsoft Exchange protocol; Outlook native. |
EWS |
Exchange Web Services; HTTP/SOAP. |
Microsoft Graph API |
Modern replacement for EWS. |
JMAP |
JSON Meta API Protocol; REST replacement for IMAP / SMTP. |
ActiveSync |
Mobile mailbox sync. |
ManageSieve / Sieve |
Mailbox-side filtering rules. |
Major email providers#
Provider |
Notes |
|---|---|
Microsoft 365 |
Exchange Online; the dominant enterprise platform. |
Google Workspace |
Gmail-derived enterprise. |
Apple iCloud Mail |
Consumer + family. |
Yahoo Mail / AOL |
Verizon Media now under AOL/Yahoo!. |
Proton Mail |
E2EE Swiss provider. |
Tutanota |
E2EE German provider. |
Fastmail |
IMAP-friendly Australian provider. |
Zoho Mail |
Indian SMB. |
mxroute / Migadu |
Indie hosts. |
Sendinblue / Brevo |
Transactional + marketing. |
Mailchimp / SendGrid |
Transactional. |
Postmark |
Transactional. |
SES |
AWS Simple Email Service. |
Mailgun |
Transactional. |
Postal |
OSS transactional MTA. |
Mailcow |
OSS Docker mail server. |
iRedMail |
OSS mail platform. |
Postfix + Dovecot |
The classic OSS stack. |
Exim |
Long-running OSS MTA. |
Sendmail |
The original; legacy. |
Secure email gateways#
Vendor |
Notes |
|---|---|
Proofpoint Email Protection |
Largest enterprise SEG; URL Defense + TAP. |
Mimecast |
UK-origin; strong DLP + archiving. |
Microsoft Defender for O365 |
Native MS; Safe Links + Safe Attachments. |
Google Advanced Protection |
Built into Workspace. |
Cisco Secure Email |
IronPort-derived. |
Trellix Email Security |
McAfee + FireEye merged. |
Trend Micro Email |
ScanMail / Cloud App Security. |
Barracuda |
SMB. |
SpamTitan |
SMB. |
Fortinet FortiMail |
SMB / mid. |
Sophos Email Security |
Synchronised with endpoint. |
Avanan / Check Point |
API-integrated email security; Office 365 / Gmail post-delivery. |
Abnormal Security |
ML-driven; account compromise + BEC focus. |
Tessian / Egress |
AI for outbound + insider risk. |
Material Security |
Phishing simulation + mailbox-level DLP. |
Sublime Security |
Detection-as-code; YAML-rule SEG. |
Vade / Hornetsecurity |
EU SMB. |
Coro |
SMB / mid SaaS. |
Phishing simulation / training#
Vendor |
Notes |
|---|---|
KnowBe4 |
Largest by volume; training + sim. |
Proofpoint Security A wareness |
Wombat-derived. |
Cofense (PhishMe) |
Sim + crowd-sourced reporting. |
Hoxhunt |
Behavior-based. |
Curricula |
Story-based. |
Microsoft Attack Sim |
ulation Training Built into Defender for O365. |
Gophish |
OSS phishing framework (research). |
Lucy Security |
Commercial sim. |
Wizer |
Free / paid sim. |
Hook Security |
Sim + training. |
Common attack classes#
Attack |
Notes |
|---|---|
Generic phishing |
Lookalike domains, brand impersonation; URL → cred capture. |
Spear phishing |
Targeted; reconnaissance-driven. |
Whaling |
Executive-targeting. |
BEC / EAC |
Business Email Compromise; CEO fraud, vendor fraud, payroll diversion. ~$2.7B ann. losses (FBI IC3 2023). |
EAC |
Email Account Compromise; legitimate mailbox abused. |
AiTM phishing |
Adversary-in-the-Middle; reverse-proxy (evilginx/Modlishka) captures session cookies post-MFA. |
Subdomain spoof |
Lookalike subdomains (gocgle.com, app1e.com) + IDN homoglyphs. |
SMTP smuggling |
Inbound parse-disagreement re: end-of-data; allow header manipulation past gateway. |
ARC abuse |
Forging ARC chain to maintain pass-through. |
Embedded malware |
ISO / LNK / OneNote / SVG / HTML smuggling. |
Conversation hijack |
Reply-thread takeover; legit signed conversation continued by attacker (Qakbot / IcedID). |
Quishing |
QR-code phishing. |
Vishing / smishing |
Voice / SMS variants; SS7 vulnerabilities. |
DMARC deployment notes#
Stage |
Notes |
|---|---|
|
List sending services; build SPF + DKIM for each. |
|
With rua= to collect aggregate XML reports. |
|
Use Dmarcian / EasyDMARC / Postmark DMARC monitor. |
|
Add to SPF / get DKIM keys per service. |
|
quarantine 1% → 10% → 25% → 100%. |
|
Inbound providers will bounce non-aligned. |
Ranges to publish:
SPF: -all (hard fail) or ~all (soft).
DKIM: rotate keys ≥ annually; 2048-bit RSA min.
DMARC: p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:reports@…
MTA-STS: enforce; max_age=86400.
TLS-RPT: rua=mailto:tlsrpt@…
Operator notes#
DMARC at p=reject is now table stakes, Yahoo / Google bulk-sender requirements (Feb 2024) effectively mandate DMARC + SPF + DKIM + ARC for >5k/day senders.
AiTM phishing defeats SMS / TOTP MFA, only FIDO2 / passkeys + token binding survive.
Inbound TLS is opportunistic by default, enforce with MTA-STS + TLS-RPT.
Forwarding breaks SPF, ARC + DKIM survive better; educate users about auto-forward risks.
Mailbox-rule attack, attackers create rules to hide replies to fraudulent emails; audit rules quarterly + alert on changes.
Salesforce / SaaS-app email senders, often the most forgotten DMARC alignment break.
BEC funds recovery window is < 72 hr, have an IR playbook with bank fraud-rec contacts pre-positioned.
PGP / S/MIME, niche; required for sensitive comms (sources, lawyers); usability still poor.
References#
EasyDMARC / Dmarcian / Postmark DMARC tools
RFC 7489 (DMARC) + draft-ietf-dmarc-dmarcbis
KrebsOnSecurity BEC coverage