Email Is Broken By Design—And They Knew It From The Start
Nothing is true. Everything is permitted. Including—especially—email sender addresses. SMTP was specified in RFC 821 in 1982 for trusted academics who believed everyone was honest. Forty-three years later, in 2025, email authentication is still optional. This isn't a bug. It's a feature. For someone. Guess who?
Think for yourself. Question authority. Question that urgent email from "your CEO" requesting iTunes gift cards. Question "IT support" asking for your password via email. Question why email—the most critical business communication channel—has the security architecture of a postcard. FNORD. Your inbox is a threat vector and always has been.
At Hack23, we're paranoid enough about email to assume all of it is hostile until cryptographically proven otherwise. Email security isn't hope-based filtering and user awareness training—it's mandatory SPF/DKIM/DMARC enforcement that automatically quarantines spoofed domains before they reach human eyeballs. Because humans are the vulnerability. Always have been. Hardware 2FA (YubiKey) for all accounts—no SMS, no TOTP, no "just this once" exceptions. Quarterly phishing simulations where we deliberately attack our own people to measure the click rate. We weaponize paranoia.
ILLUMINATION: Your CEO doesn't need iTunes cards. That's not your CEO. That's an attacker who knows email sender addresses are trivially spoofed and most humans trust what they see over what's technically true. Welcome to Chapel Perilous, where you question every email, verify every request through different channels, and realize email security is an oxymoron without cryptographic proof. Are you paranoid enough to verify out-of-band?
Our approach: Gmail Workspace (because Google already reads all your email anyway, might as well get Advanced Protection and Security Sandbox in exchange), DNS-level authentication (SPF/DKIM/DMARC with quarantine policy—because trust must be cryptographically verified), and systematic phishing training (because users are the weakest link and the strongest defense simultaneously). This demonstrates cybersecurity consulting expertise through measurable paranoia converted to technical controls. Full details in our public ISMS documentation. Yes, public. Because obscurity isn't security—it's just obscurity. FNORD.
The Five Email Threat Categories: Why Email Is the Primary Attack Vector
1. 🎣 Phishing & Spear Phishing
Click this link to verify your account. Mass phishing targets everyone. Spear phishing targets specific individuals with researched personal details. Both steal credentials or deliver malware.
Defense: Gmail Advanced Protection, link rewriting, attachment sandboxing, mandatory security training with simulated phishing tests quarterly.
Phishing works because humans trust visual cues (logos, formatting) over technical reality (actual sender domain).
2. 💰 Business Email Compromise (BEC)
CEO needs wire transfer ASAP. Impersonating executives to request urgent financial transactions. The FBI reports $43 billion lost globally between 2016 and 2021, making BEC the most damaging cyber attack type by financial impact.
Defense: DMARC quarantine policy blocks spoofed domains. Out-of-band verification mandatory for financial requests >€500. Display name spoofing detection in Gmail.
BEC targets finance departments because they're trained to respond urgently to executive requests—security vs. compliance conflict.
3. 🦠 Malware & Ransomware Delivery
Invoice.pdf.exe attached. Malicious attachments deliver ransomware, keyloggers, and remote access trojans. Macro-enabled Office documents remain an effective attack vector despite decades of warnings.
Defense: Gmail Security Sandbox analyzes attachments in isolated environment. Dangerous attachment types blocked (.exe, .scr, .vbs). Endpoint protection (antivirus, EDR) as defense-in-depth.
File extensions can be spoofed (invoice.pdf.exe displays as "invoice.pdf" with default Windows settings). Always show file extensions.
4. 🕵️ Account Compromise & Data Exfiltration
Compromised credentials enable persistent access. Stolen email passwords grant access to email history, contacts, calendar, Google Drive. Attackers use compromised accounts for lateral phishing attacks against contacts.
Defense: Hardware 2FA (YubiKey) required for all accounts—no SMS fallback. Password manager (1Password) with unique passwords per service. Gmail Vault for audit log retention.
Email compromise is persistent—attackers maintain access through email forwarding rules and OAuth token grants even after password changes.
5. 🔍 Email Spoofing & Domain Impersonation
SMTP allows sender address spoofing. Without SPF/DKIM/DMARC, anyone can send email claiming to be from any domain. Typosquatting domains (hack23.com vs hack23.co) bypass simple checks.
Defense: SPF (authorized sending servers), DKIM (cryptographic signature), DMARC (policy enforcement: quarantine/reject). Monitor DMARC reports for impersonation attempts.
SPF/DKIM/DMARC protect recipients from emails claiming to be from your domain—protecting your brand reputation, not your inbox.
Email Authentication Stack: SPF + DKIM + DMARC
| Technology | Purpose | Hack23 Configuration | Validation |
|---|---|---|---|
| SPF (Sender Policy Framework) | Authorizes which mail servers can send from domain | TXT record lists Gmail + SendGrid as authorized senders | SPF Pass required, -all (hard fail) for unauthorized |
| DKIM (DomainKeys Identified Mail) | Cryptographic signature proves email authenticity | Gmail signs all outbound email with 2048-bit RSA key | DKIM signature verification on inbound email |
| DMARC (Domain-based Message Authentication) | Policy enforcement: what to do with failing SPF/DKIM | p=quarantine for non-aligned email, aggregate reports to security@ | Weekly DMARC report analysis for impersonation attempts |
| MX Records + TLS | Mail routing with encryption in transit | Gmail MX records, enforced TLS for email transport | Opportunistic TLS verified via Gmail admin console |
DMARC Policy Progression: Start with p=none (monitoring), analyze reports for 30 days, move to p=quarantine (failed email sent to spam), eventually p=reject (hard block). We're at p=quarantine with 95%+ legitimate email passing authentication.
AUTHENTICATION ILLUMINATION: SPF/DKIM/DMARC protect your domain reputation, not your inbox. They prevent others from spoofing your domain—inbound phishing requires different controls (filtering, training, sandboxing).
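How a receiving mail server turns the SPF/DKIM/DMARC stack above into a verdict, as an added example (not Hack23's own code): it parses a DMARC TXT record, checks identifier alignment under the relaxed default, and returns the disposition the published policy dictates. All domains and records are constructed for illustration.

```python
"""Added example, not Hack23's own code: the DMARC verdict a receiving MTA reaches for
one inbound message under the relaxed-alignment p=quarantine setup described above.
Domains and records here are constructed for illustration."""

def parse_dmarc_record(record: str) -> dict:
    """Parse a 'tag=value; tag=value' DMARC TXT record into a dict (SPF uses a different syntax)."""
    return {k.strip(): v.strip() for k, v in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}

def spf_fails_hard(spf_record: str) -> bool:
    """True when the SPF record ends in '-all' (hard fail), as the table requires; '~all' is soft."""
    parts = spf_record.split()
    return bool(parts) and parts[-1] == "-all"

def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Real verifiers consult the Public Suffix List so that e.g. co.uk is handled correctly."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) needs only a shared organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(dmarc_record: str, from_domain: str, spf_result: str,
                      spf_domain: str, dkim_results: list) -> tuple:
    """Return (disposition, reason) where disposition is 'pass', 'none', 'quarantine' or 'reject'.

    from_domain:  domain of the RFC5322.From header (what the user sees).
    spf_result:   SPF verdict for the MAIL FROM domain spf_domain (envelope sender).
    dkim_results: (d= domain, verdict) for every DKIM-Signature that was verified.
    """
    tags = parse_dmarc_record(dmarc_record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none", "no valid DMARC record published: receiver applies no policy"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(verdict == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, verdict in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "at least one authenticated identifier aligns with the From domain"
    # Authentication may have passed for some other domain (the attacker's own), or not at all:
    # either way the From domain is not backed, and the published policy decides the outcome.
    return tags["p"], "no aligned SPF or DKIM pass; applying p=" + tags["p"]
```

The second test case below is the classic spoof: the attacker's server passes SPF and DKIM for its own domain, but nothing aligns with the visible From domain, so p=quarantine applies.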
Our Approach: Gmail Workspace + Hardware MFA + Training
At Hack23, email security is layered defense combining technical controls and human awareness:
📧 Gmail Workspace Enterprise Security:
- Advanced Protection: Enhanced phishing/malware detection using machine learning and reputation analysis.
- Security Sandbox: Suspicious attachments analyzed in isolated environment before delivery.
- Link Rewriting: URLs in email rewritten for click-time analysis—blocks malicious sites even if the link was clean when sent.
- Gmail Vault: Email retention (7 years) and legal hold capability for compliance and forensics.
- Admin Alerts: Automated alerts for suspicious activity (mass deletions, unusual login locations, external forwarding rules).
🔐 Hardware Multi-Factor Authentication:
- YubiKey Enforcement: All Hack23 accounts require hardware 2FA token—no SMS fallback, no TOTP codes.
- Phishing-Resistant: FIDO2/WebAuthn prevents MFA bypass attacks (reverse proxy phishing, session hijacking).
- Backup Tokens: Two YubiKeys per user (primary + backup) stored separately to prevent lockout.
- Device Trust: Google Advanced Protection requires device verification for sensitive data access.
🎓 Mandatory Security Awareness Training:
- Quarterly Phishing Simulations: Realistic phishing emails sent to all employees, click tracking, remedial training for failures.
- Security Training: Annual comprehensive training (phishing, password management, social engineering, physical security).
- Incident Reporting: Report Phishing button in Gmail, security@ contact for suspicious emails, no-blame culture for reports.
- Metrics Tracking: Phishing simulation click rate (target: <5%), training completion rate (required: 100%), time-to-report suspicious emails.
💰 Financial Request Verification Protocol:
- Out-of-Band Verification: All financial requests >€500 require phone call or in-person confirmation—never email alone.
- Change Detection: Changes to bank accounts, payment details, wire transfer instructions require dual authorization.
- CEO Fraud Awareness: Explicit training that CEO will never request wire transfers, gift cards, or password disclosure via email.
- Urgency Red Flag: "URGENT," "CONFIDENTIAL," "ASAP" in financial emails trigger additional verification steps.
🔍 Continuous Email Security Monitoring:
- DMARC Reports: Weekly analysis of aggregate and forensic reports identifying impersonation attempts.
- Gmail Admin Logs: Continuous monitoring for suspicious account activity (login anomalies, forwarding rules, OAuth grants).
- Threat Intelligence: Google Workspace Alert Center integration for automated security alerts.
- Incident Response: Compromised account playbook (password reset, OAuth revocation, session termination, email search for exfiltration).
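What the weekly DMARC report analysis actually reads, as an added example (not Hack23's own tooling): a parser for a DMARC aggregate (RUA) report that sums traffic per sending source and isolates the sources whose mail claimed the domain but passed neither aligned SPF nor aligned DKIM. The XML is a constructed sample in the RFC 7489 aggregate-report layout, not a real report.

```python
"""Added example, not Hack23's own tooling: summarize a DMARC aggregate (RUA) report.
SAMPLE_REPORT is a constructed report in the RFC 7489 layout; IPs are documentation ranges."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>hack23.com</domain><p>quarantine</p><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>hack23.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>hack23.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>hack23.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize_report(xml_text: str) -> dict:
    """Return {'domain', 'policy', 'total', 'failed': {source_ip: count}, 'pass_rate'}.

    In policy_evaluated the receiver has already applied alignment, so a record passes
    DMARC when dkim or spf reads 'pass'; everything else is a candidate impersonation source.
    """
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "policy": root.findtext("policy_published/p"), "total": 0, "failed": {}}
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count"))
        summary["total"] += count
        pe = rec.find("row/policy_evaluated")
        if not (pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"):
            ip = rec.findtext("row/source_ip")
            summary["failed"][ip] = summary["failed"].get(ip, 0) + count
    failed_total = sum(summary["failed"].values())
    summary["pass_rate"] = (summary["total"] - failed_total) / summary["total"] if summary["total"] else 0.0
    return summary

if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']} p={s['policy']}: {s['pass_rate']:.1%} passed; failing sources: {s['failed']}")
```

The third record shows why the check is "DKIM or SPF": a DKIM failure on a legitimate source (a rewritten forwarded message, say) still passes DMARC when aligned SPF holds, and should not be mistaken for impersonation.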
Full email security controls documented in our public ISMS repository with implementation guides.
Welcome to Chapel Perilous: Email Is Adversarial By Default
Nothing is true. Everything is permitted. Including email sender addresses. SMTP has no authentication. Trust must be cryptographically verified (DKIM) or sender-authorized (SPF/DMARC).
Most organizations treat email as a trusted communication channel. They trust sender addresses. They trust display names. They trust urgency claims. They respond to "CEO" requests without verification. Then they wire $50K to attackers and wonder what happened.
We weaponize skepticism. SPF/DKIM/DMARC quarantine blocks spoofed domains automatically. Hardware 2FA prevents account compromise. Quarterly phishing tests train humans to distrust email by default. Out-of-band verification for financial requests treats email as untrusted until proven otherwise.
Think for yourself. Question urgent CEO emails. Question password reset requests. Question "just this once" MFA bypass requests. Question email as secure communication—it's not, and never was. (Spoiler: Verify through different channels.)
Our competitive advantage: We demonstrate cybersecurity consulting expertise through measurable email security controls. SPF/DKIM/DMARC enforcement with public DNS verification. Hardware MFA with zero SMS fallback. <5% phishing simulation click rate. Public email security documentation. This isn't email security theater—it's operational defense.
ULTIMATE ILLUMINATION: You are now in Chapel Perilous. You can continue trusting email sender addresses and hoping employees detect phishing. Or you can implement SPF/DKIM/DMARC, hardware MFA, and out-of-band verification for financial requests. Your inbox. Your choice. Choose cryptographic verification over hope.
All hail Eris! All hail Discordia!
"Think for yourself, schmuck! Your CEO doesn't need iTunes cards. That's not your CEO. Verify out-of-band."
— Hagbard Celine, Captain of the Leif Erikson 🍎 23 FNORD 5