
Email Security & Hardening

Email security hardening protects our organization from email fraud and phishing attacks, and ensures that your legitimate emails are delivered successfully.

This guide explains the essential email security standards that protect our domains and how they work together to keep our email safe.


What is Email Hardening?

Email hardening is the process of implementing security standards that verify your emails are legitimate and protect our domains from being used for spam or phishing attacks. Think of it like adding security measures to your mailbox—it prevents others from sending fake mail that appears to come from your address.

Benefits:

  • ✅ Prevents email fraud and impersonation
  • ✅ Improves email deliverability (your emails reach the inbox)
  • ✅ Protects our brand reputation
  • ✅ Reduces spam and phishing attempts

Email Security Standards Overview

Our email security uses six key standards that work together to protect your domain:

Standard   Purpose                              Status
SPF        Lists authorized email servers       ✅ Active
DKIM       Cryptographically signs emails       ✅ Active
DMARC      Policy for handling failed emails    ✅ Active
BIMI       Displays brand logo in inbox         ✅ Active
MTA-STS    Enforces secure email delivery       ✅ Active
TLS RPT    Monitors secure email transport      ✅ Active

SPF (Sender Policy Framework)

What it does: SPF is like a guest list for your email. It tells other email servers which servers are allowed to send emails on behalf of our domain.

Simple explanation: When someone receives an email from @gfshomeloans.com, their email server checks our SPF record to see if the email came from an authorized server. If it didn't, the email might be rejected or marked as suspicious.

Technical Details

SPF records are published in DNS as TXT records. They contain a list of IP addresses and hostnames that are authorized to send email for your domain. When an email is received, the receiving server performs an SPF check by looking up the SPF record and verifying the sending server's IP address against the authorized list.

Common SPF mechanisms:

  • include: - Authorizes another domain's SPF record
  • ip4: / ip6: - Authorizes specific IP addresses
  • a: / mx: - Authorizes hosts from A or MX records
  • ~all / -all - Policy for unauthorized senders (softfail vs hardfail)
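The following is an added example, not code from this guide or from the organization's mail setup. It evaluates an SPF record against a sending IP the way a receiving server does: mechanisms are tested left to right, the first match decides, include: recurses into another domain's record, and the RFC 7208 limit of ten DNS-querying mechanisms is enforced. All DNS data (the example.com and _spf.mailer.example records, A and MX entries) is constructed and embedded so the code runs offline.

```python
import ipaddress

# Constructed, offline stand-in for DNS. These records are invented for this example;
# they are not the organization's real SPF, A or MX data.
FAKE_DNS = {
    "txt": {
        "example.com": "v=spf1 mx a:web.example.com include:_spf.mailer.example "
                       "ip4:203.0.113.0/24 -all",
        "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    },
    "a": {"web.example.com": ["192.0.2.5"], "mx1.example.com": ["192.0.2.25"]},
    "mx": {"example.com": ["mx1.example.com"]},
}

MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms (include, a, mx, ...) at 10
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_terms(domain, dns):
    """Return the mechanisms of a domain's SPF record, or None if it publishes none."""
    txt = dns["txt"].get(domain.lower())
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt.split()[1:]


def check_spf(sender_ip, domain, dns=FAKE_DNS, lookups=None):
    """Simplified RFC 7208 check_host(): test mechanisms left to right, first match wins.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    lookups = lookups if lookups is not None else [0]  # counter shared across include: recursion
    ip = ipaddress.ip_address(sender_ip)
    terms = spf_terms(domain, dns)
    if terms is None:
        return "none"
    for term in terms:
        qualifier = "+"                        # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        target = arg or domain                 # bare 'a' / 'mx' refer to the current domain
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # membership is False for a v4 address in a v6 network and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"            # malformed address or prefix length
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"            # too many DNS lookups: the record is unusable
            if name == "a":
                matched = any(ip == ipaddress.ip_address(a) for a in dns["a"].get(target, []))
            elif name == "mx":
                hosts = dns["mx"].get(target, [])
                matched = any(ip == ipaddress.ip_address(a)
                              for h in hosts for a in dns["a"].get(h, []))
            else:  # include: only a 'pass' of the included record counts as a match
                sub = check_spf(sender_ip, target, dns, lookups)
                if sub in ("none", "permerror"):
                    return "permerror"
                matched = sub == "pass"
        else:
            return "permerror"                # unknown mechanism (exists:, ptr: are not modelled)
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                           # nothing matched and there was no 'all' term


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "198.51.100.99", "2001:db8::1"):
        print(ip, "->", check_spf(ip, "example.com"))
```

Note how the softfail (~all) inside the included record does not propagate: a sender that only softfails the included domain falls through to example.com's own -all and is rejected outright. That is the behaviour to expect when an include: target is more permissive than the parent record.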

DKIM (DomainKeys Identified Mail)

What it does: DKIM adds a digital signature to every email you send. This signature proves the email actually came from your domain and hasn't been tampered with.

Simple explanation: Think of DKIM like a wax seal on a letter. Each email gets a unique signature that can be verified by the recipient's email server. If the signature doesn't match or is missing, the email is likely fake.

Technical Details

DKIM uses public-key cryptography. The sending server signs each email with a private key, and publishes the corresponding public key in DNS. Receiving servers verify the signature using the public key. DKIM records are published as TXT records in DNS under a selector (e.g., selector1._domainkey.gfshomeloans.com).

Key components:

  • Private key: Kept secret on the email server, used to sign emails
  • Public key: Published in DNS, used by recipients to verify signatures
  • Selector: Identifies which key pair to use (allows multiple keys)
  • Signature header: Added to each email with cryptographic signature

DKIM signatures survive forwarding and provide cryptographic proof of authenticity.


DMARC (Domain-based Message Authentication, Reporting & Conformance)

What it does: DMARC is the policy that tells other email servers what to do when an email fails SPF or DKIM checks. It also provides reports so you can monitor who's trying to send emails from your domain.

Simple explanation: DMARC is like a security guard with instructions. If an email fails authentication (SPF or DKIM), DMARC tells the receiving server whether to reject it, quarantine it, or let it through. You also get reports showing who's trying to send emails from our domains.

Technical Details

DMARC policies are published in DNS as TXT records at _dmarc.gfshomeloans.com. The policy specifies:

Policy actions:

  • none - Monitor only, take no action (used for initial setup)
  • quarantine - Deliver to spam/junk folder
  • reject - Reject the email completely

Alignment:

  • aspf=s / aspf=r - SPF alignment mode (strict or relaxed)
  • adkim=s / adkim=r - DKIM alignment mode (strict or relaxed)

Reporting:

  • rua= - Aggregate reports (sent daily)
  • ruf= - Forensic reports (sent in real-time for failures)

DMARC requires either SPF or DKIM to pass AND align with the domain in the From header.


BIMI (Brand Indicators for Message Identification)

What it does: BIMI displays your company logo next to emails in supported email clients, similar to verified checkmarks on social media.

Simple explanation: When recipients see your logo next to emails from @gfshomeloans.com, they can immediately recognize it's legitimate. This builds trust and helps prevent phishing attacks.

Technical Details

BIMI requires:

  1. DMARC policy set to quarantine or reject
  2. BIMI DNS record pointing to a Verified Mark Certificate (VMC) or SVG logo
  3. SVG logo hosted on a web server (for basic BIMI) or VMC from a Certificate Authority (for Verified BIMI)

BIMI records are published as TXT records in DNS. The logo must meet specific requirements (SVG format, size constraints, etc.). Verified BIMI with a VMC provides the highest level of brand protection and is displayed in more email clients.


MTA-STS (Mail Transfer Agent Strict Transport Security)

What it does: MTA-STS ensures emails sent to your domain are delivered over encrypted connections, preventing interception.

Simple explanation: MTA-STS is like requiring all mail carriers to use armored trucks. It ensures emails sent to @gfshomeloans.com can only be delivered using secure, encrypted connections.

Technical Details

MTA-STS consists of:

  1. Policy file hosted at https://mta-sts.gfshomeloans.com/.well-known/mta-sts.txt
  2. DNS TXT record at _mta-sts.gfshomeloans.com pointing to the policy

The policy specifies:

  • Which MX hosts are authorized
  • TLS requirements (must use TLS 1.2 or higher)
  • Mode: enforce, testing, or none

When a sending server has a message for the domain, it fetches the MTA-STS policy and, in enforce mode, delivers only to the MX hosts the policy lists, over a TLS connection whose certificate validates. This prevents downgrade attacks (stripping STARTTLS) and man-in-the-middle interception.
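As an added example (not code from this guide or the organization's deployment), the block below does what a sending MTA does with an MTA-STS policy: it parses the policy file and the _mta-sts TXT record, matches candidate MX hosts against the mx: patterns (including the single-label wildcard form from RFC 8461), and decides whether delivery may proceed for each policy mode. The policy text, TXT record and hostnames are constructed.

```python
# Constructed policy text in the format served at https://mta-sts.<domain>/.well-known/mta-sts.txt;
# the hostnames are invented for this example.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.mail.example.com
max_age: 604800
"""

# Constructed TXT record for _mta-sts.<domain>. The id changes whenever the policy file
# changes, which tells senders to re-fetch it before the cached copy's max_age expires.
SAMPLE_TXT = "v=STSv1; id=20240601T120000"


def parse_policy(text):
    """Parse the key: value policy file; mx: may repeat, so it collects into a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def parse_txt(record):
    """Parse the DNS TXT record into its tags (v= and id=)."""
    return dict(item.strip().split("=", 1) for item in record.split(";") if "=" in item)


def mx_matches(pattern, hostname):
    """RFC 8461 mx matching: exact match, or a leading '*.' standing for exactly one label."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                   # '.mail.example.com'
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return hostname == pattern


def delivery_decision(policy, mx_host, tls_established, cert_valid):
    """What a sending MTA should do with one candidate MX under the policy."""
    if policy.get("version") != "STSv1" or policy.get("mode", "none") == "none":
        return "deliver"                       # no enforceable policy: ordinary opportunistic TLS
    compliant = (any(mx_matches(p, mx_host) for p in policy["mx"])
                 and tls_established and cert_valid)
    if compliant:
        return "deliver"
    # 'testing' delivers anyway but reports the failure via TLS-RPT; 'enforce' refuses.
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(parse_txt(SAMPLE_TXT), policy)
    for host, tls, cert in (("mx1.example.com", True, True), ("mx.unlisted.example", True, True),
                            ("mx1.example.com", False, False)):
        print(host, "->", delivery_decision(policy, host, tls, cert))
```

The middle case is the attack the standard exists for: an MX record that has been tampered with to point at an unlisted host is refused in enforce mode even if that host offers a working TLS session, because the policy (fetched over HTTPS, not DNS) does not list it.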


TLS RPT (SMTP TLS Reporting)

What it does: TLS RPT provides reports about email delivery attempts, showing which connections succeeded or failed and why.

Simple explanation: TLS RPT is like a delivery receipt system. It tells you when emails are successfully delivered securely and alerts you if there are any security issues with email delivery to your domain.

Technical Details

TLS RPT is configured via a DNS TXT record at _smtp._tls.gfshomeloans.com. The record specifies where to send TLS reports (typically an email address or HTTPS endpoint).

Report contents:

  • Successful TLS connections
  • Failed TLS connection attempts
  • Policy validation failures
  • Certificate validation issues

Reports are sent in JSON format, typically daily. This allows monitoring of email delivery security and identification of potential issues or attacks.
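Below is an added example (not code from this guide or the organization's monitoring) that reads a TLS-RPT report in the RFC 8460 JSON layout and reduces it to what an operator wants to see per domain: successful versus failed sessions, the failure breakdown by result type, and whether any failure indicates a broken or downgraded transport rather than a sender-side policy fetch problem. The report content is constructed.

```python
import json

# Constructed TLS-RPT report in the RFC 8460 JSON layout; every value is invented for this example.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2024-06-01T00:00:00Z", "end-datetime": "2024-06-02T00:00:00Z"},
    "contact-info": "tls-report@sender.example",
    "report-id": "2024-06-01T00:00:00Z_example.com",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com",
                   "policy-string": ["version: STSv1", "mode: enforce",
                                     "mx: mx1.example.com", "max_age: 604800"],
                   "mx-host": ["mx1.example.com"]},
        "summary": {"total-successful-session-count": 120, "total-failure-session-count": 3},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "198.51.100.7",
             "receiving-mx-hostname": "mx1.example.com", "receiving-ip": "192.0.2.25",
             "failed-session-count": 2},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "198.51.100.8",
             "receiving-mx-hostname": "mx1.example.com", "receiving-ip": "192.0.2.25",
             "failed-session-count": 1},
        ],
    }],
})

# RFC 8460 result types that mean the secure path itself failed (expired or wrong certificate,
# STARTTLS missing), as opposed to the sender being unable to fetch or parse the policy.
TRANSPORT_FAILURES = {"starttls-not-supported", "certificate-host-mismatch", "certificate-expired",
                      "certificate-not-trusted", "validation-failure"}


def summarize_tls_report(report_json):
    """Per policy-domain totals, failure breakdown and the count of transport-level failures."""
    report = json.loads(report_json)
    summary = {}
    for entry in report.get("policies", []):
        domain = entry["policy"]["policy-domain"]
        ok = entry["summary"].get("total-successful-session-count", 0)
        failed = entry["summary"].get("total-failure-session-count", 0)
        by_type = {}
        for detail in entry.get("failure-details", []):
            kind = detail["result-type"]
            by_type[kind] = by_type.get(kind, 0) + detail.get("failed-session-count", 1)
        summary[domain] = {
            "policy_type": entry["policy"]["policy-type"],
            "successful": ok,
            "failed": failed,
            "failure_rate": failed / (ok + failed) if (ok + failed) else 0.0,
            "by_type": by_type,
            "transport_failures": sum(c for t, c in by_type.items() if t in TRANSPORT_FAILURES),
        }
    return summary


def needs_attention(summary, max_rate=0.01):
    """Domains whose failure rate exceeds max_rate or that saw any transport-level failure."""
    return sorted(d for d, s in summary.items()
                  if s["failure_rate"] > max_rate or s["transport_failures"])


if __name__ == "__main__":
    summary = summarize_tls_report(SAMPLE_REPORT)
    print(json.dumps(summary, indent=2))
    print("needs attention:", needs_attention(summary))
```

A single certificate-expired entry is usually a renewal that slipped; starttls-not-supported from a sender that normally negotiates TLS is the pattern that deserves a closer look, since it is what an in-path downgrade looks like from the sender's side.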


GFS Home Loans Email Security Configuration

The following table shows how gfshomeloans.com is configured with all email security standards:

Standard   DNS Record                                     Status     Policy/Value
SPF        gfshomeloans.com (TXT)                         ✅ Active  v=spf1 include:spf.protection.outlook.com ~all
DKIM       selector1._domainkey.gfshomeloans.com (TXT)    ✅ Active  Public key configured
DKIM       selector2._domainkey.gfshomeloans.com (TXT)    ✅ Active  Public key configured
DMARC      _dmarc.gfshomeloans.com (TXT)                  ✅ Active  v=DMARC1; p=reject; sp=reject; pct=100; fo=1; ri=3600; rua=mailto:dmarc@gfshomeloans.com;
BIMI       default._bimi.gfshomeloans.com (TXT)           ✅ Active  Logo displayed in supported clients
MTA-STS    _mta-sts.gfshomeloans.com (TXT)                ✅ Active  Policy enforced
TLS RPT    _smtp._tls.gfshomeloans.com (TXT)              ✅ Active  Reports sent to monitoring address

Note: Need the actual configuration? If you need to verify or update these records, contact IT Support. The actual DNS values may differ from the examples shown above.


How These Standards Work Together

These security standards work as a layered defense:

  1. SPF verifies the sending server is authorized
  2. DKIM provides cryptographic proof the email is authentic
  3. DMARC enforces the policy when SPF/DKIM fail
  4. BIMI displays your logo for brand recognition
  5. MTA-STS ensures secure delivery to your domain
  6. TLS RPT monitors delivery security

When all standards are properly configured, your emails are:

  • ✅ Authenticated and verified
  • ✅ Protected from interception
  • ✅ Delivered to the inbox
  • ✅ Recognizable by your brand logo

Common Questions

Why do I need all of these standards?

Each standard protects against different threats:

  • SPF prevents unauthorized servers from sending as your domain
  • DKIM proves emails haven't been tampered with
  • DMARC enforces policies and provides monitoring
  • BIMI builds trust with recipients
  • MTA-STS prevents email interception
  • TLS RPT helps identify delivery issues

Together, they provide comprehensive email security.

Will these settings affect my ability to send emails?

No. These settings only improve email security and deliverability. If you're sending from authorized servers (like Microsoft 365), your emails will continue to work normally. In fact, properly configured security standards improve the chances your emails reach the recipient's inbox instead of spam.

What happens if someone tries to send fake emails from our domain?

With DMARC set to quarantine or reject, fake emails will either be:

  • Sent to the spam folder (quarantine)
  • Rejected completely (reject)

IT will receive DMARC reports showing who attempted to send emails, helping identify potential threats.


Need Help?

If you have questions about email security or need assistance: