The breach started with a single compromised email account. An employee clicked a phishing link, entered their credentials, and attackers had access. From there, they sent invoices to customers with updated payment details. By the time anyone noticed, $200,000 had been redirected to accounts the attackers controlled.
The company had email. They didn't have email security.
Email security isn't a single configuration—it's layers of protection that work together. Authentication prevents spoofing. Encryption protects content in transit. Access controls limit who can send and receive. Monitoring catches anomalies before they become breaches.
This checklist provides a systematic approach to auditing your email security posture.
Authentication audit
SPF record is published with -all. Check that exactly one SPF record exists for the domain (two records produce a permerror), that it is syntactically valid, and that it ends with -all (hard fail) rather than ~all (soft fail). Verify that the record plus everything it includes stays within the 10 DNS-lookup limit: include, a, mx, ptr, exists and redirect each count, ip4 and ip6 do not, and exceeding the limit is also a permerror, which means SPF can never pass and DMARC then depends entirely on DKIM. Use MXToolbox or similar to validate.
All legitimate senders are in SPF. Audit every service that sends email as your domain. Marketing automation, transactional email, CRM, support desk, internal applications—each must be authorized in your SPF record. Missing senders cause authentication failures; unauthorized senders indicate potential compromise.
DKIM keys are published and valid. Verify DKIM public keys are in DNS for every sending domain and selector. Check that keys are at least 1024 bits (2048 preferred; a 2048-bit key does not fit in one 255-character TXT string, so confirm the record is split into multiple strings and reassembles to a valid key). If you rotate keys, confirm that the selectors currently signing mail resolve, and that retired selectors are removed once mail signed with them has stopped circulating, so a leaked old private key cannot be reused.
DKIM signing is active. Send test emails and verify the DKIM-Signature header is present and the signature validates at the receiver. Check that the d= domain in the signature aligns with your From domain (exactly, or at the organizational-domain level if your DMARC adkim setting is relaxed) for DMARC purposes.
DMARC policy is enforced. Verify your DMARC record exists at _dmarc.<domain> with a policy of p=quarantine or p=reject and, unless you are deliberately staging rollout, no pct value below 100. If still at p=none, create a plan to progress to enforcement. Subdomains inherit p unless sp= says otherwise, so check sp= as well. Check that the rua tag points to a mailbox or analyzer that is actually read; ruf can be set for failure reports, but most large receivers no longer send them, so don't rely on it.
DMARC reports are being processed. Confirm you're receiving and reviewing DMARC aggregate reports. Use a DMARC analyzer service to make reports readable. Look for authentication failures from legitimate senders and unauthorized sending attempts.
BIMI is configured (optional but recommended). If you've achieved DMARC enforcement, consider implementing BIMI to display your logo in supporting email clients. This requires a Verified Mark Certificate for full support.
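The SPF and DMARC items above are easy to get subtly wrong (a nested include that pushes you past ten lookups, a p=none that was never revisited). The following is an added example, not code from the article: it checks a domain's SPF record for the terminal qualifier and the recursive lookup count, and its DMARC record for enforcement, subdomain policy, pct and reporting. All domain names and records are constructed, and an in-memory dictionary stands in for DNS so it runs offline; for a live audit, replace lookup_txt with a real TXT query.

```python
"""Offline SPF and DMARC record checks.

Added example, not code from the article. A real audit resolves TXT records
from DNS; here a constructed in-memory zone (all names made up) stands in for
the resolver so the logic runs offline.
"""
import re

# Constructed TXT records keyed by name, standing in for DNS answers.
ZONE = {
    "example.com": "v=spf1 include:_spf.mailer.example include:crm.example mx a -all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.0/24 include:relay.mailer.example ~all",
    "relay.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "crm.example": "v=spf1 include:a.crm.example include:b.crm.example ~all",
    "a.crm.example": "v=spf1 ip4:192.0.2.10 ptr -all",
    "b.crm.example": "v=spf1 a mx ptr -all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "_dmarc.strict.example": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                              "rua=mailto:agg@strict.example"),
}

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4; ip4/ip6 do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"([a-z0-9]+)(?:[:=]([^/]*))?(/\d+)?$")


def lookup_txt(name):
    """Stand-in for a TXT query; swap in a real resolver for a live audit."""
    return ZONE.get(name.lower())


def count_spf_lookups(domain, seen=None):
    """Count lookup-costing terms, following include: and redirect= recursively.

    Returns (lookups, terminal qualifier of the top-level record), e.g. '-'
    for -all, or None if the record has no 'all' term. `seen` cuts loops.
    """
    seen = set() if seen is None else seen
    if domain in seen:
        return 0, None
    seen.add(domain)
    record = lookup_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0, None
    lookups, terminal = 0, None
    for raw in record.lower().split()[1:]:
        qualifier, term = ("+", raw) if raw[0] not in "+-~?" else (raw[0], raw[1:])
        match = TERM_RE.match(term)
        if not match:
            continue  # malformed term; a full checker would report permerror
        name, arg = match.group(1), match.group(2)
        if name == "all":
            terminal = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
            if name in ("include", "redirect") and arg:
                lookups += count_spf_lookups(arg, seen)[0]
    return lookups, terminal


def audit_spf(domain):
    """Return a list of findings; an empty list means the SPF checks pass."""
    record = lookup_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    lookups, terminal = count_spf_lookups(domain)
    findings = []
    if terminal is None:
        findings.append("no 'all' term: unlisted senders get an implicit ?all (neutral)")
    elif terminal != "-":
        findings.append(f"record ends with {terminal}all, want -all")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups, limit is {MAX_LOOKUPS} (permerror)")
    return findings


def parse_dmarc(domain):
    """Return the tag=value pairs of _dmarc.<domain>, or None if absent."""
    record = lookup_txt(f"_dmarc.{domain}")
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(domain):
    """Return a list of findings; an empty list means the DMARC checks pass."""
    tags = parse_dmarc(domain)
    if tags is None:
        return ["no DMARC record published"]
    findings = []
    policy = tags.get("p", "none")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy} is monitor-only; spoofed mail is still delivered")
    if tags.get("sp", policy) not in ("quarantine", "reject"):
        findings.append("subdomain policy (sp, inherited from p) is not enforcing")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    if not tags.get("rua"):
        findings.append("no rua= address; aggregate reports are not being collected")
    return findings
```

In the constructed zone, example.com looks fine at a glance (it ends in -all) but the two nested includes bring it to 11 lookups, so audit_spf reports the permerror; its DMARC record is still at p=none, which audit_dmarc reports twice because subdomains inherit that policy.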
Encryption audit
TLS is used for sending, and required where the destination supports requiring it. Verify your mail servers offer STARTTLS on every outbound connection and negotiate TLS 1.2 or higher; older versions have known vulnerabilities. Requiring TLS unconditionally for all outbound mail breaks delivery to domains that still accept only cleartext, so make it opportunistic by default, require it for destinations that publish MTA-STS or DANE (and for partners you configure explicitly), and log every delivery that falls back to cleartext.
TLS is required for receiving. Configure your mail servers to require TLS for inbound connections, or at minimum prefer TLS and log when connections fall back to unencrypted.
MTA-STS is published. MTA-STS tells sending servers to require TLS, with a certificate valid for your MX hostnames, when delivering to your domain. Publish the _mta-sts.<domain> TXT record and the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt, start in mode: testing, then move to mode: enforce; only enforce mode blocks a downgrade to cleartext delivery, and only for sending MTAs that implement MTA-STS. Publish a TLSRPT record (_smtp._tls.<domain>) alongside it so senders can report failed TLS negotiations to you, and change the id in the TXT record every time the policy changes so cached copies are refreshed.
DANE records are published (if applicable). If your zone is DNSSEC-signed and you control your mail servers, DANE (TLSA records for your MX hosts) lets senders pin the expected certificate or key. It is more complex than MTA-STS, means nothing without DNSSEC, and requires TLSA records to be updated in step with certificate renewals, but it provides stronger guarantees.
Certificate is valid and properly chained. Check your mail server's TLS certificate for validity, expiration, a complete chain, and a subject or SAN that matches the MX hostname (both MTA-STS and DANE depend on that match). SSL Labs only tests HTTPS, so use CheckTLS or openssl s_client -connect <mx-host>:25 -starttls smtp to inspect what an SMTP client actually sees.
Cipher suites are secure. Audit the cipher suites your mail server supports. Disable weak ciphers (RC4, DES, export ciphers) and older protocols (SSLv3, TLS 1.0, TLS 1.1).
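The MTA-STS item above has three parts that must agree with each other: the TXT record, the policy file, and your actual MX hostnames. The following is an added example, not code from the article, that checks the three together and also looks for a TLSRPT record. The DNS answers and the policy files are constructed inline (made-up names) so it runs offline; a live audit would fetch the TXT and MX records from DNS and the policy over HTTPS from https://mta-sts.<domain>/.well-known/mta-sts.txt. The one-week max_age threshold is this example's choice, following RFC 8461's expectation of "weeks or greater".

```python
"""Offline MTA-STS and TLSRPT checks.

Added example, not code from the article. A live audit fetches the _mta-sts
TXT record and MX records from DNS and the policy file from
https://mta-sts.<domain>/.well-known/mta-sts.txt; here all three are
constructed inline (made-up names) so the checks run without network access.
"""

# Constructed DNS TXT answers keyed by name.
DNS_TXT = {
    "_mta-sts.example.com": "v=STSv1; id=20240601T120000",
    "_smtp._tls.example.com": "v=TLSRPTv1; rua=mailto:tlsrpt@example.com",
    "_mta-sts.testing.example": "v=STSv1; id=1",
}
# Constructed MX answers keyed by domain.
DNS_MX = {
    "example.com": ["mx1.example.com", "mx2.example.com", "backup.mx.example.net"],
    "testing.example": ["mail.testing.example"],
}
# Constructed policy files as served from the mta-sts.<domain> host.
POLICY_FILES = {
    "example.com": (
        "version: STSv1\n"
        "mode: enforce\n"
        "mx: mx1.example.com\n"
        "mx: mx2.example.com\n"
        "mx: *.mx.example.net\n"
        "max_age: 1209600\n"
    ),
    "testing.example": (
        "version: STSv1\r\nmode: testing\r\nmx: *.testing.example\r\nmax_age: 3600\r\n"
    ),
}

ONE_WEEK = 7 * 24 * 3600  # this example's threshold for a "short" max_age


def parse_policy(text):
    """Parse the key: value policy format; mx: may repeat, so it is a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def mx_matches(pattern, host):
    """RFC 8461 section 4.1 matching: a leading '*.' matches exactly one label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.mx.example.net" -> ".mx.example.net"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def audit_mta_sts(domain):
    """Return findings for the domain's MTA-STS deployment; empty means pass."""
    txt = DNS_TXT.get(f"_mta-sts.{domain}")
    if txt is None or not txt.startswith("v=STSv1"):
        return ["no _mta-sts TXT record: senders never look for a policy"]
    policy = parse_policy(POLICY_FILES.get(domain, ""))
    if policy.get("version") != "STSv1":
        return ["policy file missing or not version STSv1"]
    findings = []
    mode = policy.get("mode")
    if mode != "enforce":
        findings.append(f"mode is {mode}: failures are only reported, "
                        "delivery still falls back to cleartext")
    max_age = int(policy.get("max_age", "0"))
    if max_age < ONE_WEEK:
        findings.append(f"max_age {max_age}s is short; RFC 8461 expects weeks or "
                        "more so attackers get few policy-refresh windows")
    for host in DNS_MX.get(domain, []):
        if not any(mx_matches(p, host) for p in policy["mx"]):
            findings.append(f"MX {host} matches no mx: line; enforcing senders "
                            "will refuse to deliver to it")
    if f"_smtp._tls.{domain}" not in DNS_TXT:
        findings.append("no TLSRPT record (_smtp._tls): you will not hear "
                        "about failed TLS negotiations")
    return findings
```

The wildcard rule matters for backup MX hosts: *.mx.example.net covers backup.mx.example.net but not a.b.mx.example.net, so an MX two labels deep would be refused by every enforcing sender even though the policy "looks" right.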
Access control audit
Admin access is restricted and logged. Limit who can administer email systems. Require strong authentication (MFA) for admin access. Log all administrative actions for audit trails.
User authentication is strong. Require MFA for all email accounts; strong passwords alone do not survive the phishing page in the opening story. Disable legacy authentication protocols that cannot carry MFA, such as basic authentication over IMAP, POP3 and SMTP AUTH, otherwise a stolen password is still enough to log in.
Service accounts are inventoried. Document all service accounts that send email. Each should have a clear owner, defined purpose, and appropriate access limits. Remove unused service accounts.
API keys are secured. If using email APIs, audit API key management. Keys should be rotated regularly, scoped to minimum necessary permissions, and stored securely (not in code repositories).
Sending limits are configured. Set rate limits on email sending to contain damage from compromised accounts. Unusual sending volume should trigger alerts.
Forwarding rules are audited. Attackers often create forwarding rules to exfiltrate email, and usually pair them with a delete, mark-as-read or move-to-an-obscure-folder action so the victim never sees the forwarded copies. Regularly audit inbox rules and mailbox-level forwarding across all accounts. Alert on new forwarding rule creation, especially to external domains.
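The following is an added example, not code from the article, of the forwarding-rule audit described above run as detection logic over audit events. The events are constructed in a simplified form of the Microsoft 365 unified audit log (an Operation name plus a Parameters list of Name/Value pairs); the field names, users and addresses are assumptions for illustration, and any rule or mailbox audit source carrying the same data can be fed in the same way.

```python
"""Flag mailbox forwarding that looks like exfiltration.

Added example, not code from the article. The events below are constructed
in a simplified form of the Microsoft 365 unified audit log (Operation plus a
Parameters list of Name/Value pairs); field names and addresses are assumed
for illustration.
"""
import json
import re

# Domains that count as "inside"; anything else is external. Constructed.
ORG_DOMAINS = {"example.com", "corp.example"}

# Parameters that send mail somewhere, across inbox rules and Set-Mailbox.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
# Parameters and folders attackers use to hide matching mail from the owner.
HIDE_PARAMS = ("DeleteMessage", "MarkAsRead")
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email",
                "conversation history", "archive"}
FINANCE_WORDS = ("invoice", "payment", "wire", "bank", "remittance")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\w")

# Constructed audit events (JSON lines, made-up users and addresses).
AUDIT_LOG = [
    '{"CreationTime":"2024-05-02T07:58:11","Operation":"New-InboxRule","UserId":"alice@example.com","ObjectId":"alice@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"},{"Name":"ForwardTo","Value":"Accounts <ap-desk@free-mail.example>"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2024-05-02T09:10:40","Operation":"New-InboxRule","UserId":"bob@example.com","ObjectId":"bob@example.com","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"newsletter"},{"Name":"MoveToFolder","Value":"Reading"}]}',
    '{"CreationTime":"2024-05-02T11:02:03","Operation":"Set-Mailbox","UserId":"admin@corp.example","ObjectId":"carol@example.com","Parameters":[{"Name":"Identity","Value":"carol@example.com"},{"Name":"ForwardingSmtpAddress","Value":"smtp:carol.home@free-mail.example"},{"Name":"DeliverToMailboxAndForward","Value":"False"}]}',
    '{"CreationTime":"2024-05-02T13:45:00","Operation":"Set-InboxRule","UserId":"dave@example.com","ObjectId":"dave@example.com","Parameters":[{"Name":"Identity","Value":"Tickets"},{"Name":"RedirectTo","Value":"helpdesk@corp.example"}]}',
    '{"CreationTime":"2024-05-02T14:00:00","Operation":"MailItemsAccessed","UserId":"erin@example.com","ObjectId":"erin@example.com","Parameters":[]}',
]


def is_external(value):
    """True if any address in the parameter value is outside ORG_DOMAINS.

    Handles the display forms seen in rule parameters: bare addresses,
    'Name <addr>' and 'smtp:addr'.
    """
    addresses = ADDRESS_RE.findall(value)
    return any(a.rsplit("@", 1)[1].lower() not in ORG_DOMAINS for a in addresses)


def assess(event):
    """Return an alert dict for a suspicious rule or forwarding change, else None."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return None
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    reasons = []
    for name in FORWARD_PARAMS:
        if name in params and is_external(params[name]):
            reasons.append(f"{name} sends mail outside the organisation: {params[name]}")
    if "ForwardingSmtpAddress" in params and params.get("DeliverToMailboxAndForward") == "False":
        reasons.append("forwarded mail is not kept in the mailbox, so the owner never sees it")
    for name in HIDE_PARAMS:
        if params.get(name) == "True":
            reasons.append(f"{name}=True hides matching mail from the owner")
    if params.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append(f"moves matches to {params['MoveToFolder']}, a folder people rarely read")
    # Finance keywords on their own are a normal filing rule; they only count
    # as an aggravating factor when combined with forwarding or hiding.
    hits = [w for w in FINANCE_WORDS if w in params.get("SubjectContainsWords", "").lower()]
    if hits and reasons:
        reasons.append(f"targets finance keywords: {', '.join(hits)}")
    if not reasons:
        return None
    return {"time": event["CreationTime"], "actor": event["UserId"],
            "mailbox": event["ObjectId"], "operation": event["Operation"],
            "reasons": reasons}


def scan(lines):
    """Run assess() over JSON audit lines and return the alerts in order."""
    alerts = []
    for line in lines:
        alert = assess(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts
```

In the constructed log, alice's rule is the classic invoice-fraud setup (forward finance mail externally and delete the local copy) and carol's mailbox has been pointed at an outside address without keeping a copy; bob's filing rule and dave's internal redirect are left alone. Rules created from a desktop client can be logged under a different operation name with a different parameter layout, so check what your own audit source emits before relying on the operation list here.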
Infrastructure audit
Mail servers are patched. Verify mail server software is current with security patches. Subscribe to security advisories for your mail server software.
Mail servers are hardened. Disable unnecessary services. Configure firewalls to allow only required ports. Follow hardening guides for your specific mail server software.
Open relay is disabled. Test that your mail server doesn't relay email from unauthorized sources. Open relays are quickly exploited for spam.
Backup MX is secured. If you have backup MX servers, ensure they have the same security configuration as primary servers. Attackers sometimes target less-secured backup infrastructure.
DNS is secured. Use DNSSEC to prevent DNS spoofing attacks on the records everything above depends on (MX, SPF, DKIM, DMARC, MTA-STS); DNSSEC is also a prerequisite for DANE. Secure your DNS provider and registrar accounts with strong authentication, since anyone who can edit your zone can redirect your mail.
Monitoring audit
Authentication failures are monitored. Track SPF, DKIM, and DMARC failures. Investigate patterns—failures from legitimate senders need fixing; failures from unknown sources might indicate spoofing attempts.
Unusual sending patterns trigger alerts. Monitor for spikes in sending volume, sending at unusual times, or sending to unusual recipients. These patterns can indicate compromise.
Login anomalies are detected. Monitor for logins from unusual locations, multiple failed login attempts, and successful logins after failures. These patterns suggest credential attacks.
Blacklist status is monitored. Check major blacklists regularly. Being listed indicates a problem—either compromise, misconfiguration, or reputation issues.
Bounce rates are tracked. Sudden increases in bounce rates can indicate list poisoning, compromised sending, or deliverability problems.
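The login-anomaly item above (and the legacy-protocol point from the access control section) is shown here as detection logic over a constructed mail authentication log. This is an added example, not code from the article: the log lines, the IP-to-country table, the per-user baseline countries and the thresholds are all assumptions for illustration; a real deployment would read the mail server's or identity provider's auth log and a GeoIP database instead.

```python
"""Detect credential-attack patterns in mail authentication logs.

Added example, not code from the article. The log lines, the IP-to-country
table and the per-user baseline countries are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed auth log: one line per attempt, key=value fields.
SAMPLE_LOG = """\
2024-05-02T08:14:03Z user=alice result=FAIL src=198.51.100.23 proto=IMAP
2024-05-02T08:14:09Z user=alice result=FAIL src=198.51.100.23 proto=IMAP
2024-05-02T08:14:15Z user=alice result=FAIL src=198.51.100.23 proto=IMAP
2024-05-02T08:14:21Z user=alice result=FAIL src=198.51.100.23 proto=IMAP
2024-05-02T08:14:40Z user=alice result=OK src=198.51.100.23 proto=IMAP
2024-05-02T09:00:00Z user=bob result=OK src=203.0.113.5 proto=HTTPS
2024-05-02T09:30:00Z user=bob result=OK src=192.0.2.77 proto=HTTPS
2024-05-02T10:00:00Z user=carol result=OK src=203.0.113.9 proto=HTTPS
""".splitlines()

# Constructed GeoIP lookups and known-good countries per user.
GEO = {"198.51.100.23": "BR", "203.0.113.5": "US", "192.0.2.77": "SG", "203.0.113.9": "FR"}
BASELINE = {"alice": {"DE"}, "bob": {"US"}, "carol": {"FR"}}

LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP-AUTH"}  # password-only, no MFA possible
FAIL_THRESHOLD = 3                                 # failures before a success
FAIL_WINDOW = timedelta(minutes=15)
TRAVEL_WINDOW = timedelta(hours=2)                 # two countries this close apart

LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
                     r"src=(?P<src>\S+) proto=(?P<proto>\S+)")


def parse(lines):
    """Parse log lines into dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return one alert per suspicious successful login, listing the reasons."""
    alerts = []
    last_ok = {}  # user -> (time, country) of the previous successful login
    for i, e in enumerate(events):
        if e["result"] != "OK":
            continue
        reasons = []
        # 1. Success right after a burst of failures from the same source.
        fails = sum(1 for f in events[:i]
                    if f["user"] == e["user"] and f["src"] == e["src"]
                    and f["result"] == "FAIL" and e["ts"] - f["ts"] <= FAIL_WINDOW)
        if fails >= FAIL_THRESHOLD:
            reasons.append(f"success after {fails} failures from {e['src']} within {FAIL_WINDOW}")
        # 2. Country never seen for this user (unknown IPs count as unseen).
        country = GEO.get(e["src"], "unknown")
        if country not in BASELINE.get(e["user"], set()):
            reasons.append(f"login from {country}, not in this user's baseline")
        # 3. Impossible travel: a different country too soon after the last success.
        prev = last_ok.get(e["user"])
        if prev and prev[1] != country and e["ts"] - prev[0] <= TRAVEL_WINDOW:
            reasons.append(f"{prev[1]} then {country} within {e['ts'] - prev[0]}")
        # 4. Legacy protocol: the password alone was enough to get in.
        if e["proto"] in LEGACY_PROTOCOLS:
            reasons.append(f"legacy protocol {e['proto']} bypasses MFA")
        last_ok[e["user"]] = (e["ts"], country)
        if reasons:
            alerts.append({"time": e["ts"].isoformat(), "user": e["user"],
                           "src": e["src"], "reasons": reasons})
    return alerts
```

On the constructed log this raises two alerts: alice's IMAP login follows four failures from the same address, comes from a country she has never used, and went through a protocol that cannot carry MFA; bob's second login is from a new country half an hour after a login from his usual one. Carol's login matches her baseline and is silent. Tune the thresholds to your own failure rates and travel patterns before alerting on them.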
Incident response preparation
Incident response plan exists. Document what to do when email security incidents occur. Who is notified? What systems are isolated? How is communication handled?
Compromise indicators are defined. Know what signs indicate email compromise: unusual forwarding rules, unexpected sent items, authentication from unknown locations, reports of spoofed emails.
Recovery procedures are documented. Know how to revoke compromised credentials, remove malicious rules, and restore normal operations. Test these procedures before you need them.
Communication templates are prepared. If you need to notify customers or partners of email-related incidents, have templates ready. Crisis communication is hard; preparation helps.
Conducting the audit
Work through this checklist systematically, documenting findings as you go. For each item:
- Pass: Configuration is correct and verified
- Fail: Configuration is missing or incorrect; needs remediation
- Partial: Some aspects are correct, others need work
- N/A: Not applicable to your environment
Prioritize remediation based on risk. Authentication issues (SPF, DKIM, DMARC) are foundational—fix these first. Access control issues that could enable compromise are high priority. Monitoring gaps are important but less urgent than active vulnerabilities.
Schedule regular audits—quarterly at minimum, monthly for high-security environments. Email security isn't a one-time configuration; it requires ongoing attention.
Frequently asked questions
How often should I conduct email security audits?
Quarterly for most organizations. Monthly for high-security environments or after significant changes. Additionally, audit after any security incident, infrastructure change, or when adding new email-sending services.
What's the most critical item on this checklist?
DMARC enforcement (p=reject) is arguably the most impactful single control: it stops exact-domain spoofing, which underpins a large share of phishing and invoice fraud. It does not stop lookalike domains, and it does nothing against mail sent from one of your own compromised accounts, which is what happened in the opening story; that case needs MFA, forwarding-rule audits and sending anomaly alerts. DMARC also requires SPF and DKIM to be correct first.
Should I hire a third party for email security audits?
External audits provide fresh perspective and catch blind spots. For compliance requirements (SOC 2, HIPAA, etc.), third-party audits may be required. For routine checks, internal audits using this checklist are sufficient.
What tools do I need for this audit?
MXToolbox for authentication and DNS checks. Your mail server's admin interface for configuration review. DMARC analyzer service for report processing. Vulnerability scanner for infrastructure assessment. Most checks can be done with free tools.