The cheapest class of finding to close, and the one most likely to lose you a customer.
A focused engagement on the SPF / DKIM / DMARC / MTA-STS / TLS-RPT / BIMI posture of your sending and receiving infrastructure. Most of the work happens in DNS — most of the value lands the day a phishing campaign aimed at your customers gets quarantined instead of inboxed.
Six surfaces of email & domain posture.
Active spoofing demonstration is performed only with explicit authorisation and only against your own users. The educational content here covers detection and remediation; reproduction details are reserved for the delivered report.
SPF
- Record presence and validity
- All-mechanism strength (-all preferred over ~all)
- DNS lookup count vs the RFC limit of 10
- Recursive include resolution and depth
- Permerror / temperror analysis
DKIM
- Selector enumeration (~70 common selectors probed)
- Key length audit (1024-bit deprecated since 2018)
- Key rotation cadence and gap detection
- Algorithm review (RFC 8301 forbids SHA-1)
- Public key syntax & DNS publication hygiene
DMARC
- Record presence and policy strength (none / quarantine / reject)
- Aggregate-report (rua=) and forensic-report (ruf=) endpoints
- Subdomain policy alignment (sp=)
- Percentage rollout (pct=) tuning
- Alignment mode (relaxed vs strict)
Transport (MTA-STS / TLS-RPT / DANE)
- MTA-STS (RFC 8461) policy publication and TLSA
- TLS-RPT (RFC 8460) reporting endpoint
- DANE / TLSA records on MX hosts (RFC 7672)
- MX certificate hygiene
BIMI
- BIMI record (Brand Indicators for Message Identification) & VMC eligibility
- Logo SVG conformance for verified-logo display in Gmail / Yahoo / Apple Mail
Active testing
- Spoofing test against your own users to evidence policy effectiveness
- DKIM replay analysis
- Header-injection abuse paths
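The SPF and DMARC items above (lookup count against the limit of 10, recursive include resolution, permerror detection, the all-mechanism qualifier, and DMARC p= / sp= / pct= / rua= / alignment review) as an offline check. This is an added example, not code from the page or from the engagement it describes; DNS is replaced by a constructed in-memory zone, and every domain and record in it is made up for illustration.

```python
"""Offline SPF and DMARC posture check (added example, constructed data)."""

# Constructed fake DNS zone: name -> TXT records. None of these are real domains.
FAKE_TXT = {
    "example.test": ["v=spf1 include:_spf.mailer.test include:_spf.crm.test a mx ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "_spf.mailer.test": ["v=spf1 include:_nb1.mailer.test include:_nb2.mailer.test "
                         "include:_nb3.mailer.test -all"],
    "_nb1.mailer.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_nb2.mailer.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_nb3.mailer.test": ["v=spf1 a mx -all"],
    "_spf.crm.test": ["v=spf1 include:_spf.crm-eu.test include:_spf.crm-us.test ptr -all"],
    "_spf.crm-eu.test": ["v=spf1 a mx ip4:192.0.2.0/24 -all"],
    "_spf.crm-us.test": ["v=spf1 exists:%{i}.crm-us.test -all"],
    "good.test": ["v=spf1 include:_spf.mailer.test -all"],
    "_dmarc.good.test": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                         "rua=mailto:dmarc@good.test; ruf=mailto:ruf@good.test"],
    "twice.test": ["v=spf1 -all", "v=spf1 mx -all"],   # two records = permerror
}

# Terms that each cost one DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def spf_record(name):
    """The single SPF record for a name, or None (zero or several is a permerror)."""
    recs = [r for r in FAKE_TXT.get(name, []) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def audit_spf(name, depth=0):
    """Count lookups recursively, capture the 'all' qualifier, collect permerrors."""
    res = {"lookups": 0, "all": None, "errors": []}
    rec = spf_record(name)
    if rec is None:
        res["errors"].append(f"permerror: {name} has zero or multiple SPF records")
        return res
    if depth > MAX_LOOKUPS:
        res["errors"].append(f"permerror: include/redirect chain too deep at {name}")
        return res
    for term in rec.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        if "=" in body:                      # modifier: redirect=, exp=
            kind, _, target = body.partition("=")
        else:                                # mechanism: include:, a, mx/24, ip4:
            kind, _, target = body.partition(":")
        kind = kind.split("/")[0].lower()    # drop a CIDR suffix such as a/24
        if kind == "all":
            res["all"] = qual
        elif kind in LOOKUP_TERMS:
            res["lookups"] += 1
            if kind in ("include", "redirect"):   # macros in targets are not expanded here
                sub = audit_spf(target, depth + 1)
                res["lookups"] += sub["lookups"]
                res["errors"] += sub["errors"]
                if kind == "redirect" and res["all"] is None:
                    res["all"] = sub["all"]
    if depth == 0 and res["lookups"] > MAX_LOOKUPS:
        res["errors"].append(f"permerror: {res['lookups']} lookups exceed the limit of {MAX_LOOKUPS}")
    return res


def audit_dmarc(domain):
    """Parse _dmarc.<domain> and list weaknesses against the DMARC items above."""
    recs = [r for r in FAKE_TXT.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return {"present": False, "policy": None, "tags": {}, "findings": ["no single DMARC record"]}
    tags = {}
    for part in recs[0].split(";"):
        key, _, val = part.partition("=")
        if val:
            tags[key.strip().lower()] = val.strip()
    policy = tags.get("p", "none").lower()
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam folders, not rejected")
    sub_policy = tags.get("sp", policy).lower()          # sp= defaults to p=
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains are not at reject")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not an integer")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= endpoint: aggregate reports go nowhere")
    for tag in ("adkim", "aspf"):                         # alignment defaults to relaxed
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag} relaxed: any subdomain of the organisational domain aligns")
    return {"present": True, "policy": policy, "tags": tags, "findings": findings}


def posture(domain):
    """Combined SPF + DMARC findings for one sending domain."""
    spf, dmarc = audit_spf(domain), audit_dmarc(domain)
    findings = list(spf["errors"]) + dmarc["findings"]
    if spf["all"] == "~":
        findings.insert(0, "SPF ends in ~all (softfail); -all is the enforcing form")
    elif spf["all"] in (None, "+", "?"):
        findings.insert(0, f"SPF 'all' qualifier is {spf['all']!r}: no enforcement")
    return {"spf_lookups": spf["lookups"], "spf_all": spf["all"],
            "dmarc_policy": dmarc["policy"], "findings": findings}


if __name__ == "__main__":
    for d in ("example.test", "good.test", "twice.test"):
        r = posture(d)
        print(f"{d}: {r['spf_lookups']} SPF lookups, all={r['spf_all']}, DMARC p={r['dmarc_policy']}")
        for f in r["findings"]:
            print("  -", f)
```

In the constructed zone, example.test resolves to 15 lookups through its two include chains, so receivers return permerror and the ~all softfail never even applies; good.test reuses the same mailer include but stays at 6 lookups with -all and p=reject. To run the same logic against a live zone, replace `FAKE_TXT.get(name, [])` with a TXT query via a DNS library.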
$2.9B in business email compromise losses in 2024 alone.
FBI IC3 figure — most enabled by exactly the misconfigurations covered here. The fix path is short and almost always cheaper than a single fraud incident.
Classes of damage:
- Outbound impersonation: an attacker writes to your customer with a wallet-rotation, banking-detail-change or invoice request. Without DMARC enforcement the message lands in the inbox, the customer pays the attacker, and the liability sits with you.
- Inbound MITM during transit: without MTA-STS / TLS-RPT, downgrade attacks against incoming mail succeed silently, and your customers' confidential replies travel in plaintext to whoever is on the path.
- DKIM-key compromise blast radius: stale 1024-bit DKIM keys still in use in 2026 are factorisable. Once factored, every outbound message you ever signed becomes spoofable until you rotate.
- Reputation drag: without BIMI / verified-logo display, your legitimate mail competes for trust with the spoofed mail in your customer's inbox, since both get the same generic avatar.
Five-day engagement, mostly DNS edits.
Send us the apex domain and the third-party services that send mail on your behalf (marketing, transactional, support). We come back with a quote and a phased rollout plan.