About this program
SPF, DKIM, DMARC, DNSSEC and recursive-resolver hardening — the basics of internet plumbing you probably forgot to check.
Risks addressed
- Critical: Attackers spoof corporate domain in phishing campaigns
- High: DNS hijack redirects users to attacker infrastructure
- Medium: Internal devices resolve known-bad domains
- Medium: Lookalike domain registered without detection
Controls (6)
- SPF record published and aligned (High)
  How to test + evidence
  Testing procedure: dig TXT for each sending domain; confirm an SPF record exists and ends with -all (hard fail).
  Evidence to collect: dig output.
- DKIM signing on all sending streams (High)
  How to test + evidence
  Testing procedure: Confirm every outbound mail stream signs with a valid DKIM selector and a key length of at least 2048 bits.
  Evidence to collect: DKIM key export.
- DMARC policy at p=quarantine or stricter (Critical)
  How to test + evidence
  Testing procedure: dig TXT _dmarc.<domain>; expect p=quarantine or p=reject with reporting addresses.
  Evidence to collect: dig output + DMARC report sample.
- DNSSEC enabled on primary domains (Medium)
  How to test + evidence
  Testing procedure: Use a DNSSEC checker; verify the chain of trust on the apex domain.
  Evidence to collect: DNSSEC validation screenshot.
- Recursive resolvers hardened (Medium)
  How to test + evidence
  Testing procedure: Internal resolvers block known-bad domains (e.g. via Quad9, Cloudflare or NCSC PDNS).
  Evidence to collect: Resolver config or PDNS contract.
- Lookalike-domain monitoring (Low)
  How to test + evidence
  Testing procedure: Monitoring tool alerts on registration of similar domains.
  Evidence to collect: Tool config + sample alert.
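For the SPF and DMARC controls above, here is an added example (not part of this program) that applies their stated pass criteria offline to the TXT strings dig returns; the function names and the sample records in SAMPLES are my own constructions, not real domains' data.

```python
# Added example: offline pass/fail for the SPF and DMARC controls above,
# applied to the TXT strings that `dig TXT <domain>` and
# `dig TXT _dmarc.<domain>` return. Sample records are constructed.

def check_spf(txt_records):
    """Return (passed, reason) for a sending domain's TXT strings."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return False, "no SPF record"
    if len(spf) > 1:
        return False, "multiple SPF records"  # RFC 7208 permerror
    last = spf[0].split()[-1].lower()
    if last == "-all":
        return True, "hard fail (-all)"
    if last in ("~all", "?all", "+all", "all"):
        return False, f"terminal mechanism is {last}, not -all"
    return False, "no terminal all mechanism"

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt_records):
    """Return (passed, reason) for the TXT strings at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return False, "no DMARC record"
    tags = parse_dmarc(recs[0])
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy or 'missing'} is weaker than quarantine"
    if "rua" not in tags:
        return False, "no rua= aggregate reporting address"
    if tags.get("pct", "100") != "100":
        # pct<100 applies the policy to only a sample of failing mail.
        return False, f"pct={tags['pct']} limits the policy"
    return True, f"p={policy}, rua={tags['rua']}"

SAMPLES = {  # constructed records, not real domains
    "spf": ["v=spf1 include:_spf.example.net -all"],
    "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    print(check_spf(SAMPLES["spf"]), check_dmarc(SAMPLES["dmarc"]))
```

Paste the quoted strings from the dig output into the lists as-is; a softfail (~all), a p=none policy, a missing rua or a partial pct all come back as failures with the reason attached for the evidence record.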