Email impersonation and business email compromise (BEC) form the starting point for over 90% of successful corporate network breaches.

Technical depth & operational guidance

Without correct DNS controls, any external server can send emails claiming to originate from your business domain, allowing attackers to target your clients, employees, and partners with highly convincing phishing campaigns.

Protecting your domain requires configuring a triad of DNS safeguards: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).

SPF publishes the IP addresses and hosts authorized to send mail for the domain. DKIM adds a cryptographic signature showing that the signed headers and body have not been altered in transit. DMARC tells the receiving server how to handle messages that fail SPF/DKIM verification, with the end goal of 'reject' to block spoofed mail outright.

Key Advisory Takeaways

Audit SPF records to ensure they end with '-all' (hard fail) rather than the weak soft-fail '~all' configuration.
Deploy DKIM keys of at least 2048 bits for all corporate and third-party SaaS mailing systems.
Advance your DMARC policy from 'none' to 'quarantine' and ultimately 'reject' while reviewing reports.
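As an added example (not part of the original advisory), the following Python grades SPF and DMARC TXT records against the three takeaways above; the two record strings and the domain names in them are constructed samples rather than live DNS lookups.

```python
# Added example (not part of the original advisory): grade SPF and DMARC
# TXT records against the takeaways above. The records below are
# constructed samples, not live DNS lookups.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.saas.example ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"

# Qualifier on the final 'all' mechanism decides what unlisted senders get.
SPF_ALL = {"-all": "hardfail", "~all": "softfail", "?all": "neutral", "+all": "pass-everything"}

def check_spf(record: str) -> dict:
    """Return the 'all' qualifier of an SPF record and whether it hard-fails."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all": None, "hardfail": False}
    last = terms[-1].lower()
    if last == "all":          # bare 'all' means the default '+' qualifier
        last = "+all"
    qualifier = SPF_ALL.get(last)  # None if the record has no 'all' term
    return {"valid": True, "all": qualifier, "hardfail": qualifier == "hardfail"}

def check_dmarc(record: str) -> dict:
    """Parse DMARC tag=value pairs and report the policy and reporting state."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "policy": None, "reporting": False}
    return {"valid": True, "policy": tags.get("p", "missing").lower(),
            "reporting": "rua" in tags}

def findings(spf: str, dmarc: str) -> list:
    """Return findings against the advisory; an empty list means both pass."""
    out = []
    s, d = check_spf(spf), check_dmarc(dmarc)
    if not s["valid"]:
        out.append("SPF: no v=spf1 record")
    elif not s["hardfail"]:
        out.append(f"SPF: ends with {s['all']}, should end with -all")
    if not d["valid"]:
        out.append("DMARC: no v=DMARC1 record")
    elif d["policy"] != "reject":
        out.append(f"DMARC: p={d['policy']}, should advance to reject")
    if d["valid"] and not d["reporting"]:
        out.append("DMARC: no rua= address, so aggregate reports never arrive")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_SPF, SAMPLE_DMARC)))
```

Run against real records by feeding the TXT strings for the domain and `_dmarc.<domain>` into `findings`; the DKIM key-size check is a separate step that needs the public key from the selector record.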