Email Security Complete Guide: Phishing Defense, SPF, DKIM & DMARC 2024

Key Takeaways

SPF specifies authorized mail servers
DKIM cryptographically signs emails
DMARC enforces SPF + DKIM policy
90%+ of attacks start with email

1. Email Threats
2. SPF Records
3. DKIM Signing
4. DMARC Policy
5. Email Gateways
6. User Training
7. BEC Defense
8. Security Checklist

1. Email Security Threats

Phishing: Credential theft, malware delivery
BEC: Business Email Compromise ($2.4B annual losses)
Spoofing: Impersonating trusted senders
Malware: Attachments, macros, links

2. SPF (Sender Policy Framework)

SPF Record Examples

# Basic SPF record
example.com TXT "v=spf1 mx a ip4:192.168.1.1 include:_spf.google.com -all"

# Breakdown:
# v=spf1        - Version
# mx            - Allow MX servers
# a             - Allow domain's A record
# ip4:x.x.x.x   - Allow specific IP
# include:      - Include another domain's SPF
# -all          - Strict fail for others
# ~all          - Soft fail (for testing)

# Check SPF
dig TXT example.com
nslookup -type=txt example.com

3. DKIM (DomainKeys Identified Mail)

# DKIM adds cryptographic signature
# Header: DKIM-Signature

# DNS record (public key)
selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0..."

# Selector = key identifier
# Allows key rotation without breaking delivery

# Verify DKIM
dig TXT selector._domainkey.example.com

4. DMARC Policy

# DMARC tells receivers what to do when SPF/DKIM fail

# DNS record
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"

# Policy options:
# p=none     - Monitor only (start here)
# p=quarantine - Send to spam
# p=reject   - Block failed emails

# Reporting:
# rua= aggregate reports
# ruf= forensic reports (individual failures)

# Rollout strategy:
# 1. p=none with reporting (weeks)
# 2. p=quarantine pct=10 (gradual)
# 3. p=reject (full enforcement)

5. Secure Email Gateways

Filtering: Spam, malware, phishing
Sandboxing: Detonate attachments
URL rewriting: Check links at click time
Impersonation protection: Flag lookalikes
Solutions: Proofpoint, Mimecast, Microsoft Defender

6. Security Awareness Training

✅ Regular phishing simulations
✅ Report suspicious emails easily (button)
✅ Training on red flags (urgency, sender mismatch)
✅ Test with realistic scenarios
✅ Positive reinforcement, not punishment

7. BEC (Business Email Compromise)

# BEC defenses:
# - External email banners/warnings
# - Executive impersonation detection
# - Domain lookalike monitoring
# - Out-of-band verification for wire transfers
# - Payment change request procedures

# Warning banner example:
⚠️ EXTERNAL EMAIL: This email originated from outside the organization.
Do not click links or open attachments unless you recognize the sender.

8. Email Security Checklist

☐ SPF record with -all
☐ DKIM signing enabled
☐ DMARC policy (start p=none, move to reject)
☐ Secure email gateway deployed
☐ External email warnings
☐ Phishing simulation program
☐ Easy report-phishing button
☐ BEC payment verification procedures

FAQ

How long does DMARC take to implement fully?

Typically 3-6 months. Start with p=none, collect reports, identify legitimate senders, gradually move to quarantine then reject. Don't rush—blocking legitimate email is worse than no DMARC.

Phishing Guide Social Engineering DNS Security