Email security gateway (DMARC, SPF, DKIM)
Demonstrate that the organization has properly configured and enforces SPF, DKIM, and DMARC records for all sending domains, with active monitoring of authentication failures and appropriate rejection policies for unauthenticated messages.
Description
What this control does
Email security gateway controls use authentication protocols—SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance)—to validate that incoming email originates from authorized sources and to instruct receiving servers on handling unauthenticated messages. SPF validates sending IP addresses against published DNS records, DKIM cryptographically signs message headers, and DMARC ties these together with enforcement policies (none, quarantine, reject) and reporting mechanisms. These controls reduce phishing, spoofing, and business email compromise by preventing attackers from impersonating organizational domains.
Control objective
What auditing this proves
Demonstrate that the organization has properly configured and enforces SPF, DKIM, and DMARC records for all sending domains, with active monitoring of authentication failures and appropriate rejection policies for unauthenticated messages.
Associated risks
Risks this control addresses
- Attackers spoof the organization's email domain to conduct phishing attacks against customers, partners, or internal users
- Business email compromise (BEC) attacks succeed by impersonating executives or trusted vendors without cryptographic validation
- Malicious emails bypass filtering because receiving gateways cannot verify sender authenticity in the absence of published authentication records
- Legitimate emails from the organization are rejected or marked as spam by recipient servers due to missing or misconfigured authentication records
- Domain reputation is damaged when spoofed emails originating from lookalike domains or compromised infrastructure appear to come from the organization
- Lack of DMARC aggregate and forensic reports prevents detection of unauthorized use of organizational domains or misconfigured mail servers
- Overly permissive SPF records (using '+all' or excessive include statements) allow unauthorized mail servers to send authenticated email
Testing procedure
How an auditor verifies this control
- Obtain a list of all organizational domains and subdomains used for sending email, including production, staging, and third-party services authorized to send on behalf of the organization.
- Query DNS records for each domain to retrieve published SPF, DKIM, and DMARC records using command-line tools (dig, nslookup) or online DNS lookup services.
- Review SPF records to verify all authorized sending IP addresses and mail servers are explicitly listed, and confirm the record terminates with '-all' or '~all' rather than permissive '+all' or '?all' qualifiers.
- Verify DKIM public keys are published in DNS and obtain sample signed emails from organizational mail servers to confirm headers contain valid DKIM-Signature fields with matching selectors.
- Examine DMARC policy records to confirm the 'p=' tag is set to 'quarantine' or 'reject' (not 'none' for production domains), and that 'rua=' and 'ruf=' tags direct aggregate and forensic reports to monitored addresses.
- Review DMARC aggregate reports (XML files received at rua addresses) for a representative period to identify authentication failures, unauthorized sending sources, and alignment issues between SPF/DKIM and the From domain.
- Send test emails from an external address spoofing the organization's domain to an internal mailbox and verify the messages are rejected or quarantined based on the published DMARC policy.
- Interview email administrators to confirm processes exist for reviewing DMARC reports, updating SPF records when mail servers change, rotating DKIM keys, and onboarding third-party senders.
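An added example, not part of this control text, that encodes the SPF and DMARC criteria from the testing procedure above as checks an auditor can run over retrieved records; the domains and record values below are constructed for illustration, and the DKIM and aggregate-report steps are not covered.

```python
import re

# Constructed sample records for two hypothetical domains (not real DNS data).
GOOD_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"
GOOD_DMARC = ("v=DMARC1; p=reject; rua=mailto:dmarc-agg@good.example; "
              "ruf=mailto:dmarc-fail@good.example; adkim=s; aspf=s")
WEAK_SPF = "v=spf1 include:a.example include:b.example +all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"

def check_spf(record: str) -> list[str]:
    """SPF criteria: ends in -all or ~all, never +all/?all, stays under the lookup limit."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    # the 'all' mechanism decides the verdict for senders no earlier term matched
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are not constrained")
    elif all_terms[-1][0] not in "-~":  # bare 'all' means '+all'
        findings.append(f"SPF: permissive '{all_terms[-1]}' lets any unlisted server pass")
    # RFC 7208 limits DNS-querying terms (include, a, mx, ptr, exists, redirect) to 10
    lookup = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)
    lookups = sum(1 for t in terms[1:] if lookup.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(record: str) -> list[str]:
    """DMARC criteria: p= is quarantine or reject, rua= and ruf= point at mailboxes."""
    tags = {k.strip().lower(): v.strip() for k, v in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or '<missing>'} is not enforcing (expected quarantine or reject)")
    for tag, kind in (("rua", "aggregate"), ("ruf", "forensic")):
        if not tags.get(tag, "").startswith("mailto:"):
            findings.append(f"DMARC: no {tag}= address, so {kind} reports are not collected")
    return findings

def audit_domain(spf: str, dmarc: str) -> list[str]:
    # An empty list means the domain meets the SPF and DMARC criteria above.
    return check_spf(spf) + check_dmarc(dmarc)
```

Feed it the TXT records returned by dig or nslookup for each domain on the sending-domain inventory; the weak sample record trips the '+all', 'p=none' and missing 'ruf=' criteria at once.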