Service · Email Security

Email security — enforced, not just configured.

SPF, DKIM, DMARC enforcement, MTA-STS, TLS-RPT, BIMI maturity, anti-phishing, anti-impersonation. The work isn't publishing a record — it's getting to p=reject without breaking legitimate mail.

Email security program scope

SPF / DKIM / DMARC audit + enforcement rollout

Inventory every legitimate sender (newsletters, transactional, internal). Author records that align. Move from p=none → p=quarantine → p=reject with measured failure rates.

MTA-STS + TLS-RPT

Policy file published, mode=enforce after validation period. TLS reporting endpoint configured to catch handshake failures before recipients notice.

BIMI + VMC

Verified Mark Certificate evaluation, BIMI record publication once DMARC is at p=reject. Brand recognition in supporting mailboxes.

Anti-phishing + anti-impersonation

Defender for Office 365 / Proofpoint / Mimecast tuning. Lookalike-domain detection, VIP impersonation rules, attachment sandboxing.

Monthly aggregate report digest

DMARC aggregate (rua) reports parsed, summarized, anomalies flagged. New sender alerts. Failure-rate trending over time.

Inbound vendor onboarding checklist

When a new tool needs to send mail (Salesforce, Mailchimp, Stripe, etc.), we add it to your DNS without breaking your DMARC posture.
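The aggregate report digest and sender inventory described above, as an added example (not this provider's tooling): a minimal Python parser for one DMARC aggregate (rua) report that computes the failure rate, lists inventoried senders that would break at p=reject, and flags sources missing from the inventory. The sample report, its IP addresses and the KNOWN_SENDERS inventory are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (RFC 7489 Appendix C layout); IPs are documentation ranges.
SAMPLE_RUA = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# Hypothetical sender inventory: source IP -> owner, built during the audit phase.
KNOWN_SENDERS = {"192.0.2.10": "corporate MTA", "198.51.100.7": "payroll provider"}

def summarize(xml_text, inventory):
    # Reports arrive from third parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in aggregate report")
    root = ET.fromstring(xml_text)
    stats = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        # DMARC passes when either aligned mechanism (DKIM or SPF) passes.
        ok = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        stats[ip]["pass" if ok else "fail"] += count
    total = sum(s["pass"] + s["fail"] for s in stats.values())
    failed = sum(s["fail"] for s in stats.values())
    return {
        "policy": root.findtext("policy_published/p"),
        "failure_rate": failed / total if total else 0.0,
        # Known senders that would be rejected at p=reject: fix SPF/DKIM first.
        "breaks_at_reject": sorted(inventory[ip] for ip, s in stats.items()
                                   if s["fail"] and ip in inventory),
        # Sources absent from the inventory: new-sender alert.
        "unknown_sources": sorted(ip for ip in stats if ip not in inventory),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_RUA, KNOWN_SENDERS))
```

On the sample, the payroll provider fails both mechanisms and would be blocked at p=reject, while 203.0.113.5 passes DMARC but is not in the inventory and needs an owner before enforcement ramps.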

Standards and frameworks referenced
RFC 7208 (SPF) · RFC 6376 (DKIM) · RFC 7489 (DMARC) · RFC 8461 (MTA-STS) · RFC 8460 (TLS-RPT) · NIST SP 800-177 Rev. 1 · M3AAWG Sender BCP

Standard versions should be verified from the official source before contractual reliance.

Frequently asked

Questions before we start.

We tried DMARC and broke our payroll provider's emails. Can you fix this?

Yes. That's the common pattern — DMARC published before sender inventory is complete. The fix is a 14-day audit phase where rua reports show every legitimate sender, then SPF/DKIM authorizations are added before enforcement ramps.

How long does it take to get to p=reject?

Typical timeline: 30 days at p=none gathering aggregate reports, 30 days at p=quarantine with pct=25 ramp, 30 days at p=quarantine pct=100, then p=reject. About 90 days for most organizations, longer if there's a long tail of unknown senders.

Will BIMI actually display our logo?

In Gmail, Apple Mail, Yahoo, and a growing set of mailboxes — yes, once DMARC is at p=reject and a Verified Mark Certificate is issued by a recognized CA. We handle the VMC process.

Start with your domain.

Free passive external assessment. 60 seconds. No signup to start.