Insecure email configuration
Last updated: November 26, 2025
Associated with
Domains
Underlying signals
Email SPF Not Configured (RS3), Email Weak SPF Configured (RS4), Email DMARC Not Configured (RS7), Email Weak DMARC Configured (RS8)
Reasonings
- Observed domain, and
- We infer domains from inboxes and aliases, however we do not infer domains from PSA integrations since there are often different contacts sometimes not associated with the company
- RS3: DNS records do not include an SPF record, or
- RS7: DNS records do not include a DMARC record, or
- RS8: DNS record contains a valid DMARC record that contains one of:
- Empty policy or policy set to none
- Percentage less than 100%
- Subdomain policy is set to none
Resolutions
- Update or add an SPF DNS record with a strict qualifying mechanism
- Cork prefers
-all, however a soft fail~allor pass+allis generally fine if there is a strong DMARC record also present
- Cork prefers
- Update or add a DMARC DNS record that is considered strict:
- Policy (
p=) is set to reject or quarantine - Percentage (
pct=) is set to 100, this specifies the percentage of emails subject to filtering - Set the subdomain policy (
sp=) to reject as well, unless you have specific DMARC records on those subdomains
- Policy (
Additional Considerations
- Cork does not consider the strictness of SPF configuration since it can be hardened with strictly configured DMARC
- However we will raise a recommendation, but not an alert, if the SPF qualifying mechanism is not
-all
- However we will raise a recommendation, but not an alert, if the SPF qualifying mechanism is not