Email security — enforced, not just configured.
SPF, DKIM, DMARC enforcement, MTA-STS, TLS-RPT, BIMI maturity, anti-phishing, anti-impersonation. The work isn't publishing a record — it's getting to p=reject without breaking legitimate mail.
Companies whose business runs on email — accounts payable, sales operations, broker desks, executive communications. Especially urgent if SPF/DKIM/DMARC are unconfigured or sitting at p=none, or if recent business-email-compromise attempts have been observed in inbound mail.
Email security program scope
SPF / DKIM / DMARC audit + enforcement rollout
Inventory every legitimate sender (newsletters, transactional, internal, SaaS tools). Author SPF and DKIM so that each sender authenticates with an identifier aligned to the From: domain. Move from p=none to p=quarantine to p=reject, measuring the failure rate from aggregate reports at each step before tightening.
MTA-STS + TLS-RPT
Policy file published at the RFC 8461 location (https://mta-sts.<domain>/.well-known/mta-sts.txt), mode=testing first, mode=enforce after a validation period in which TLS reports show no handshake or MX-mismatch failures. TLS reporting (TLS-RPT) endpoint configured so those failures are seen before recipients notice delayed or bounced mail.
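The validation step above is mechanical enough to script. The following is an added example, not the engagement's own tooling: it parses an MTA-STS policy file and the two DNS TXT records, then checks the things that strand mail under mode=enforce (an MX host no mx: pattern covers, a bad max_age, a missing TLS-RPT destination). The policy text, the MX host list and both records are constructed for illustration.

```python
"""Check an MTA-STS policy and TLS-RPT record before switching mode to enforce.

Added example; the policy text, MX hosts and TXT records below are constructed.
"""

# Constructed inputs: what the domain's mta-sts.txt, MX records and TXT records would contain.
POLICY_TEXT = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.com\n"
    "mx: *.backup-mx.example\n"
    "max_age: 604800\n"
)
MX_HOSTS = ["mail.example.com", "mx2.backup-mx.example"]
STS_TXT = "v=STSv1; id=20240101T000000Z"
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-rpt@example.com"

MAX_AGE_CEILING = 31557600  # RFC 8461: max_age MUST NOT exceed this


def parse_policy(text: str) -> dict:
    """Parse the key: value policy body; mx may repeat, so it becomes a list."""
    policy = {"mx": []}
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 mx matching: a leading '*.' covers exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        _, _, rest = host.partition(".")
        return rest == pattern[2:]
    return host == pattern


def validate_policy(policy: dict, mx_hosts) -> list:
    """Return findings that would make enforce mode unsafe; empty list means go."""
    findings = []
    if policy.get("version") != "STSv1":
        findings.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        findings.append(f"invalid mode {mode!r}")
    elif mode != "enforce":
        findings.append(f"mode is {mode}: senders report failures but still deliver")
    max_age = policy.get("max_age")
    if max_age is None or not 0 < max_age <= MAX_AGE_CEILING:
        findings.append("max_age missing or out of range")
    if not policy["mx"]:
        findings.append("no mx patterns: every MX would be rejected")
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in policy["mx"]):
            findings.append(f"MX {host} not covered by any mx pattern")
    return findings


def parse_tagged_record(txt: str) -> dict:
    """Split a 'k=v; k=v' TXT record into a dict (used for both STS and TLSRPT records)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            tags[k.strip().lower()] = v.strip()
    return tags


def check_sts_record(txt: str) -> list:
    tags = parse_tagged_record(txt)
    findings = []
    if tags.get("v") != "STSv1":
        findings.append("STS record must start with v=STSv1")
    if not tags.get("id"):
        findings.append("STS record needs an id; bump it whenever the policy file changes")
    return findings


def check_tlsrpt(txt: str) -> list:
    tags = parse_tagged_record(txt)
    findings = []
    if tags.get("v") != "TLSRPTv1":
        findings.append("TLSRPT record must start with v=TLSRPTv1")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        findings.append("no rua destination: failures would go unreported")
    for uri in rua:
        if not (uri.startswith("mailto:") or uri.startswith("https://")):
            findings.append(f"unsupported rua scheme in {uri}")
    return findings


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    print(validate_policy(policy, MX_HOSTS), check_sts_record(STS_TXT), check_tlsrpt(TLSRPT_TXT))
```

Run the validator against the live MX set every time MX records change, not just once: a new MX host added after the policy is enforced fails the mx: check for every sending MTA that cached the old policy.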
BIMI + VMC
Verified Mark Certificate evaluation (a registered trademark is a prerequisite for the certificate), BIMI record publication once DMARC is enforcing: p=quarantine at pct=100 or p=reject at the organizational domain, with no weaker sp= subdomain policy. Brand logo display in supporting mailboxes.
Anti-phishing + anti-impersonation
Defender for Office 365 / Proofpoint / Mimecast tuning. Lookalike-domain detection, VIP impersonation rules, attachment sandboxing.
Monthly aggregate report digest
DMARC aggregate (rua) reports parsed, summarized, anomalies flagged. New sender alerts. Failure-rate trending over time.
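The audit and rollout item above depends on reading rua reports the way described here: which sources pass, which fail, and which unknown sources are really a sender missing from the inventory. The following is an added example, not the engagement's own parser; it works on a constructed aggregate report in the RFC 7489 schema (real reports arrive as gzip or zip attachments, of which only gzip is unwrapped here) and on a constructed list of known-authorized source IPs.

```python
"""Summarize a DMARC aggregate (rua) report: failure rate, new senders, unauthenticated sources.

Added example; the report XML and the KNOWN_SOURCES inventory are constructed.
"""
import gzip
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report: one known sender, one vendor passing via aligned DKIM only,
# and one source that passes nothing (a spoofer, or a sender with no SPF/DKIM).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name><report_id>1234</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>payroll-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Constructed inventory: source IPs already authorized through SPF or DKIM.
KNOWN_SOURCES = {"203.0.113.10"}


def read_report(data: bytes) -> str:
    """Unwrap a gzip-compressed report attachment; plain XML passes through."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data.decode("utf-8")


def summarize(xml_text: str, known_sources=KNOWN_SOURCES) -> dict:
    root = ET.fromstring(xml_text)
    published = {child.tag: child.text for child in root.find("policy_published")}
    per_source = defaultdict(lambda: {"count": 0, "passing": 0, "failing": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated already reflects alignment: DMARC passes when either
        # the aligned DKIM or the aligned SPF result is pass (RFC 7489 s6.6.2).
        aligned = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        per_source[ip]["count"] += count
        per_source[ip]["passing" if aligned else "failing"] += count
    total = sum(s["count"] for s in per_source.values())
    failing = sum(s["failing"] for s in per_source.values())
    return {
        "domain": published.get("domain"),
        "policy": published.get("p"),
        "total": total,
        "failing": failing,
        "failure_rate": failing / total if total else 0.0,
        # Unknown sources that still pass are usually legitimate senders missing
        # from the inventory (here the payroll vendor, aligned via DKIM only).
        "new_senders": sorted(ip for ip, s in per_source.items()
                              if ip not in known_sources and s["passing"]),
        # Unknown sources that never pass are what p=reject will start dropping.
        "unauthenticated": sorted(ip for ip, s in per_source.items()
                                  if ip not in known_sources and not s["passing"]),
        "by_source": dict(per_source),
    }


if __name__ == "__main__":
    print(summarize(read_report(SAMPLE_REPORT.encode())))
```

The 198.51.100.7 record is the case that breaks naive rollouts: raw SPF passes for the vendor's own domain, so the vendor's dashboard looks green, but the aligned SPF result is fail and only DKIM signing with the customer's domain keeps it passing DMARC. Trend `failure_rate` and the `unauthenticated` list across reports; the ramp to p=reject is safe when the remaining failures are all sources nobody can claim.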
Inbound vendor onboarding checklist
When a new tool needs to send mail (Salesforce, Mailchimp, Stripe, etc.), we add its SPF include or DKIM selector to your DNS without exceeding the SPF 10-DNS-lookup limit (RFC 7208) or otherwise breaking your DMARC posture.
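The usual way vendor onboarding silently breaks SPF is the RFC 7208 limit of 10 DNS-lookup-causing terms (include, a, mx, ptr, exists, redirect) counted recursively across every included record: exceed it and evaluators return permerror, which DMARC treats as an SPF fail. The following is an added example, not the engagement's own checklist tooling; it counts lookups against a constructed, offline zone (the vendor names and records are made up, not any real vendor's SPF) and dry-runs a proposed include before it goes into DNS.

```python
"""Count SPF DNS lookups and dry-run adding a vendor include (RFC 7208 s4.6.4 limit).

Added example; ZONE is a constructed stand-in for DNS, not real vendor records.
"""

# Constructed TXT records keyed by domain. A real tool would resolve these.
ZONE = {
    "example.com": "v=spf1 include:_spf.crm-vendor.example include:_spf.ticketing.example mx -all",
    "_spf.crm-vendor.example": ("v=spf1 include:_netblocks1.crm-vendor.example "
                                "include:_netblocks2.crm-vendor.example "
                                "include:_netblocks3.crm-vendor.example ~all"),
    "_netblocks1.crm-vendor.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_netblocks2.crm-vendor.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.crm-vendor.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.ticketing.example": "v=spf1 include:servers.ticketing.example -all",
    "servers.ticketing.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.billing.example": "v=spf1 include:a.billing.example include:b.billing.example -all",
    "a.billing.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "b.billing.example": "v=spf1 ip4:203.0.113.128/25 -all",
    "_spf.bulk.example": ("v=spf1 include:r1.bulk.example include:r2.bulk.example "
                          "include:r3.bulk.example include:r4.bulk.example ?all"),
    "r1.bulk.example": "v=spf1 ip4:198.51.100.64/26 -all",
    "r2.bulk.example": "v=spf1 ip4:198.51.100.128/26 -all",
    "r3.bulk.example": "v=spf1 ip4:203.0.113.64/26 -all",
    "r4.bulk.example": "v=spf1 ip4:203.0.113.192/26 -all",
}

LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def spf_terms(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def count_lookups(domain: str, zone: dict, _path=frozenset()) -> int:
    """Lookups needed to evaluate domain's record, recursing through include/redirect."""
    domain = domain.lower()
    if domain in _path:
        return 0  # include loop: stop counting, a real evaluator would permerror
    record = zone.get(domain)
    if record is None:
        return 0  # the caller already counted the lookup that found nothing
    path = _path | {domain}
    total = 0
    for term in spf_terms(record):
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path)
            continue
        name = term.split(":", 1)[0].split("/", 1)[0]
        if name == "include":
            total += 1 + count_lookups(term.split(":", 1)[1], zone, path)
        elif name in LOOKUP_MECHANISMS:
            total += 1  # a, mx, ptr, exists each cost a lookup; ip4/ip6/all are free
    return total


def propose_include(domain: str, vendor_include: str, zone: dict, limit: int = LOOKUP_LIMIT) -> dict:
    """Dry-run adding include:vendor before the trailing 'all' and recount."""
    terms = zone[domain.lower()].split()
    all_index = next((i for i, t in enumerate(terms) if t.lstrip("+-~?").lower() == "all"),
                     len(terms))
    new_record = " ".join(terms[:all_index] + [f"include:{vendor_include}"] + terms[all_index:])
    trial_zone = dict(zone, **{domain.lower(): new_record})
    lookups = count_lookups(domain, trial_zone)
    return {"ok": lookups <= limit, "lookups": lookups, "record": new_record}


if __name__ == "__main__":
    print(count_lookups("example.com", ZONE))
    print(propose_include("example.com", "_spf.billing.example", ZONE))
    print(propose_include("example.com", "_spf.bulk.example", ZONE))
```

When the dry run fails, the fix is not to drop `-all`: flatten a stable vendor include to its ip4/ip6 networks (with a re-check whenever the vendor changes them), or have the vendor sign with DKIM under your domain so the message aligns without SPF. Note that the count here follows what a single evaluation performs, so a domain included twice is counted twice, as evaluators do.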
Items below sit outside the scope of this service. Some are handled by separate EFROS engagements; others belong with your existing partners or in-house team.
- Inbound spam filtering replacement (we tune what Microsoft 365 or Google Workspace already ships)
- Mailbox migration between platforms
- Custom mail-routing infrastructure (M365 + Defender + Proofpoint covers the standard cases)
- Legal review or breach notification — coordinated separately under the IR engagement
Moves the domain from 'spoofable from anywhere on the internet' to 'authenticated, monitored, enforced'. The DMARC visibility-to-reject path takes about three months and closes the most-exploited social-engineering vector for mid-market companies.
DMARC enforcement is increasingly listed as a required control on cyber-insurance questionnaires and mapped to SOC 2 CC6 (logical and physical access controls) and PCI DSS v4.0.1 Requirement 5.4 (anti-phishing mechanisms). NIST SP 800-177 Rev. 1 (Trustworthy Email) documents the email-authentication baseline this engagement aligns to.
Standard versions should be verified from the official source before contractual reliance.
Questions before we start.
We tried DMARC and broke our payroll provider's emails. Can you fix this?
Yes. That's the common pattern: DMARC published before the sender inventory is complete, so a provider that sends as your domain but was never authorized in SPF or DKIM starts failing. The fix is to drop back to p=none, run a 14-day audit in which rua reports surface every legitimate sender (the payroll provider included), then add an SPF include or DKIM signing with your domain for each one before enforcement ramps again.
How long does it take to get to p=reject?
Typical timeline: 30 days at p=none gathering aggregate reports, 30 days at p=quarantine with pct=25 (the policy is applied to a quarter of failing mail; the rest is handled as p=none), 30 days at p=quarantine pct=100, then p=reject. About 90 days for most organizations, longer if there's a long tail of unknown senders.
Will BIMI actually display our logo?
In Gmail, Apple Mail, Yahoo, and a growing set of mailboxes, yes, once DMARC is enforcing (p=quarantine at pct=100 or p=reject) and, for Gmail and Apple Mail, a Verified Mark Certificate is issued by a recognized CA for your registered trademark. We handle the VMC process.
Start with your domain.
Free passive external assessment. 60 seconds. No signup to start.