CIS-9.5 / SC-7 / A.9.1.2 CIS Controls v8

Email security: SPF + DKIM + DMARC + ATP

Demonstrate that the organization has deployed and properly configured SPF, DKIM, DMARC, and ATP mechanisms to authenticate legitimate email, reject or quarantine spoofed messages, and protect users from advanced email-borne threats.

Description

What this control does

This control implements a layered email authentication and threat protection framework. Sender Policy Framework (SPF) lets a domain publish in DNS the hosts authorized to send mail on its behalf; receivers evaluate it against the envelope sender (RFC5321.MailFrom) or HELO identity, not the From: header a user sees. DomainKeys Identified Mail (DKIM) lets the sending system sign selected headers and the body with a private key whose public half is published under a selector in DNS, so a receiver can verify that the message was not altered in transit and was signed by a holder of the domain's key. Domain-based Message Authentication, Reporting and Conformance (DMARC) ties both results to the From: header domain through identifier alignment, tells receivers what to do with messages that fail (none, quarantine or reject), and returns aggregate and failure reports to the domain owner. Advanced Threat Protection (ATP) in the mail gateway or hosted platform (the Microsoft 365 product formerly named Office 365 ATP is now Microsoft Defender for Office 365; Google Workspace offers comparable pre-delivery scanning and attachment sandboxing) detonates attachments, rewrites and re-checks URLs at click time, and applies anti-phishing and impersonation policies in real time.

Together, these technologies prevent domain spoofing, verify email integrity, provide visibility into abuse attempts, and block advanced threats before they reach user inboxes. Implementation reduces successful phishing, protects brand reputation, and provides forensic data on email-based attack campaigns. SPF, DKIM and DMARC authenticate only the sending domain; they do not stop phishing sent from look-alike domains or from compromised legitimate accounts, which is why content inspection through ATP is part of the same control.

Control objective

What auditing this proves

Demonstrate that the organization has deployed and properly configured SPF, DKIM, DMARC, and ATP for every domain it owns, including subsidiary, marketing and non-sending domains, so that legitimate email authenticates, receivers reject or quarantine spoofed messages, DMARC reporting gives the security team visibility into abuse of its domains, and users are protected from advanced email-borne threats.

Associated risks

Risks this control addresses

  • Attackers spoof the organization's domain to conduct phishing campaigns targeting customers, partners, or employees, damaging brand reputation and enabling credential theft
  • Email-based ransomware or malware bypasses perimeter defenses and executes on endpoint systems due to lack of advanced content inspection
  • Business email compromise (BEC) attacks impersonate executives or vendors to initiate fraudulent wire transfers or data exfiltration
  • Lack of DMARC enforcement allows attackers to send fraudulent invoices or payment requests appearing to originate from legitimate company domains
  • Credential harvesting phishing campaigns succeed because malicious emails are not blocked by advanced threat detection mechanisms
  • Zero-day phishing threats using URL obfuscation, sandbox evasion, or time-delayed activation reach users before signature-based defenses are updated
  • Absence of DMARC reporting prevents security teams from identifying unauthorized use of corporate domains and measuring email authentication effectiveness

Testing procedure

How an auditor verifies this control

  1. Obtain the list of all organizational domains used for email communication, including primary, subsidiary, and marketing domains
  2. Query DNS records for each domain to retrieve published SPF, DKIM, and DMARC records using command-line tools (dig, nslookup) or online DNS lookup services
  3. Analyze SPF records to verify that exactly one 'v=spf1' record is published per domain (two or more cause a permanent error and SPF is ignored), that all authorized mail servers, third-party senders and IP ranges are included, that the record stays within the RFC 7208 limit of 10 DNS-querying terms across the whole include chain (include, a, mx, ptr, exists and redirect count; ip4, ip6 and all do not), and that it ends with '-all' (fail) or '~all' (softfail); either gives DMARC a non-pass result for unauthorized sources, whereas '+all' or '?all' authorizes or declines to judge any sender and is a finding. Domains that send no mail should publish 'v=spf1 -all'
  4. Verify DKIM records are published for every selector that is actively signing and validate key strength: RFC 8301 requires at least 1024-bit RSA, 2048-bit RSA is the current recommendation, and Ed25519 (RFC 8463) is an acceptable alternative. Confirm that retired selectors have been revoked (empty 'p=' tag) and that keys are rotated on a defined schedule
  5. Review DMARC policy configuration to confirm the policy is 'quarantine' or 'reject' (not 'none', which only monitors), the subdomain policy ('sp=') does not weaken it, 'pct' is 100 (a lower value is acceptable only during a documented staged rollout), and an aggregate ('rua') reporting address is configured; where failure ('ruf') reporting is enabled, note that many large receivers do not send failure reports. If reports are sent to an address in another domain, that domain must publish the authorization record at <sender-domain>._report._dmarc.<receiver-domain>
  6. Access the email security gateway or Microsoft 365 (Microsoft Defender for Office 365, formerly Office 365 ATP) / Google Workspace admin console to review safe links (URL rewriting and time-of-click checks), safe attachments (detonation), anti-phishing policies, and impersonation protection covering executives, internal users and trusted partner domains
  7. Examine DMARC aggregate reports from the past 30 days to identify authentication failure patterns, unauthorized or unknown sending sources, forwarders that break SPF, and policy enforcement statistics
  8. Send test messages from external services, including one from a source the SPF record does not authorize and one carrying a known-benign test attachment or link, and confirm that the Authentication-Results header on the received copy shows the expected spf, dkim and dmarc verdicts and that ATP policies trigger as configured
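
As an added example that is not part of this control page, the following Python script performs the record-level checks of steps 2 through 5 against a constructed DNS table standing in for live zone data: it counts SPF DNS lookups through the include chain and checks the terminal qualifier, extracts the RSA modulus size from a DKIM 'p=' value by walking the DER-encoded public key, and evaluates the DMARC 'p', 'sp', 'pct' and 'rua' tags. The domain names, records and DKIM key material are constructed (the key is structurally valid but is not a real key), and lookup_txt() is the point to replace with live DNS queries; the record formats and limits it checks come from RFC 7208, RFC 6376 and RFC 7489.

```python
"""Offline SPF/DKIM/DMARC record checker for audit steps 2-5 (added example, not
from the original page). DNS_TXT is a constructed zone; for a live audit replace
lookup_txt() with real TXT queries (e.g. dnspython resolver.resolve(name, "TXT"))."""
import base64

def _der(tag, body):
    """Minimal DER TLV encoder; used only to build the constructed test key."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_rsa_spki_b64(bits):
    """SubjectPublicKeyInfo with a `bits`-bit modulus. NOT a real key (n = 2^(bits-1)+1);
    it exists only so the sample zone has a structurally valid DKIM p= value."""
    n = (1 << (bits - 1)) | 1
    rsa_key = _der(0x30, _der(0x02, b"\x00" + n.to_bytes(bits // 8, "big"))
                   + _der(0x02, b"\x01\x00\x01"))                # n, then e = 65537
    alg_id = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return base64.b64encode(_der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))).decode()

# Constructed sample zone (example.com and *.example are reserved documentation names).
DNS_TXT = {
    "example.com": ["v=spf1 mx include:_spf.mailer.example include:spf.crm.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:192.0.2.0/24 a exists:%{i}.rbl.mailer.example ~all"],
    "spf.crm.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=" + fake_rsa_spki_b64(2048)],
    "sel0._domainkey.example.com": ["v=DKIM1; k=rsa; p=" + fake_rsa_spki_b64(1024)],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com; adkim=s"],
    "_dmarc.parked.example": ["v=DMARC1; p=none"],
}

def lookup_txt(name): return DNS_TXT.get(name.lower(), [])

def parse_tags(record):
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)  # tag=value lists

def spf_lookups(domain, seen=None):
    """Count DNS-querying terms through include/redirect chains (RFC 7208 limit: 10)."""
    seen = set() if seen is None else seen
    recs = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if domain in seen or len(recs) != 1:    # include loop, or 0/2+ records (permerror)
        return 0
    seen.add(domain)
    count = 0
    for term in recs[0].split()[1:]:
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.split("/")[0].lower()   # drop CIDR suffix such as a/24
        if mech in ("include", "a", "mx", "ptr", "exists"):   # ip4/ip6/all do not count
            count += 1 + (spf_lookups(arg, seen) if mech == "include" else 0)
        elif mech.startswith("redirect="):
            count += 1 + spf_lookups(mech.split("=", 1)[1], seen)
    return count

def check_spf(domain):
    recs = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if len(recs) != 1:
        return {"ok": False, "reason": f"{len(recs)} SPF records; exactly one is required"}
    terminal = recs[0].split()[-1].lower()  # -all or ~all expected; +all/?all is a finding
    lookups = spf_lookups(domain)
    return {"ok": terminal in ("-all", "~all") and lookups <= 10,
            "terminal": terminal, "lookups": lookups}

def _der_read(buf, pos=0):
    """Read one DER TLV at pos; return (contents, position after it)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def dkim_key_bits(selector, domain):
    """RSA modulus size of the published DKIM key; 0 if the selector is missing or revoked."""
    tags = parse_tags((lookup_txt(f"{selector}._domainkey.{domain}") or [""])[0])
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):   # empty p= revokes a key
        return 0
    spki, _ = _der_read(base64.b64decode(tags["p"]))   # SubjectPublicKeyInfo SEQUENCE
    _, pos = _der_read(spki)                           # skip AlgorithmIdentifier
    bitstr, _ = _der_read(spki, pos)                   # BIT STRING; byte 0 = unused-bit count
    rsa_key, _ = _der_read(bitstr[1:])                 # RSAPublicKey SEQUENCE
    modulus, _ = _der_read(rsa_key)                    # INTEGER n (leading 0x00 when top bit set)
    return int.from_bytes(modulus, "big").bit_length()

def check_dmarc(domain):
    """Step-5 policy checks; sp= defaults to p= and pct= defaults to 100 (RFC 7489)."""
    recs = [r for r in lookup_txt(f"_dmarc.{domain}") if r.startswith("v=DMARC1")]
    if len(recs) != 1:
        return {"ok": False, "findings": [f"{len(recs)} DMARC records; exactly one is required"]}
    t = parse_tags(recs[0])
    pct, findings = int(t.get("pct", 100)), []
    if t.get("p") not in ("quarantine", "reject"):
        findings.append(f"p={t.get('p')} is not enforcing")
    if t.get("sp", t.get("p")) not in ("quarantine", "reject"):
        findings.append("subdomain policy (sp=) is not enforcing")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in t:
        findings.append("no aggregate (rua) reporting address")
    return {"ok": not findings, "policy": t.get("p"), "pct": pct, "findings": findings}
```

Import the module and call check_spf(), dkim_key_bits() and check_dmarc() for each domain in the step 1 inventory. Against the sample zone, example.com passes SPF with 5 lookups and '-all', publishes a 2048-bit key under sel1 and a 1024-bit key under sel0 (compliant with RFC 8301 but below the recommended size), and has an enforcing DMARC policy, while parked.example fails on 'p=none' with no reporting address. A missing or duplicated SPF or DMARC record is reported as failing rather than skipped, since both are permanent-error states an auditor must flag.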

Evidence required

DNS query results showing published SPF, DKIM, and DMARC records for all organizational domains, including non-sending domains. Screenshots or configuration exports from the email security platform demonstrating ATP policies including safe links, safe attachments, anti-phishing rules, and impersonation protection settings. Sample DMARC aggregate reports (raw XML or parsed by a reporting tool) covering a recent 30-day period showing authentication pass/fail rates by sending source and the disposition receivers applied.

Pass criteria

All organizational email domains have exactly one valid SPF record that ends in '-all' or '~all' and stays within the 10-lookup limit, DKIM signing enabled with published keys of at least 1024-bit RSA (2048-bit recommended) or Ed25519, DMARC policies set to 'quarantine' or 'reject' with pct=100 and active aggregate reporting, and ATP features configured to scan links and attachments and block impersonation attempts. DMARC reports for the period must show a high authentication pass rate for legitimate sources and show that failing messages were quarantined or rejected rather than delivered. Domains that send no mail pass with 'v=spf1 -all' and a DMARC policy of 'reject'.
