Insecure email configuration

Associated with

Domains

Underlying signals

Email SPF Not Configured (RS3), Email Weak SPF Configured (RS4), Email DMARC Not Configured (RS7), Email Weak DMARC Configured (RS8)

Reasonings

  • Observed domain, and
    • We infer domains from inboxes and aliases. We do not infer domains from PSA integrations, since those often list different contacts who are sometimes not associated with the company
  • RS3: DNS records do not include an SPF record, or
  • RS7: DNS records do not include a DMARC record, or
  • RS8: DNS record contains a valid DMARC record that contains one of:
    • Empty policy or policy set to none
    • Percentage less than 100%
    • Subdomain policy is set to none

Resolutions

  • Update or add an SPF DNS record with a strict qualifying mechanism
    • Cork prefers -all; however, a soft fail (~all) or pass (+all) is generally fine if a strong DMARC record is also present
  • Update or add a DMARC DNS record that is considered strict:
    • Policy (p=) is set to reject or quarantine
    • Percentage (pct=) is set to 100; this tag specifies the percentage of emails subject to filtering
    • Set the subdomain policy (sp=) to reject as well, unless you have specific DMARC records on those subdomains

Additional Considerations

  • Cork does not consider the strictness of the SPF configuration, since it can be hardened with a strictly configured DMARC record
    • However, we will raise a recommendation, but not an alert, if the SPF qualifying mechanism is not -all
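
The criteria listed under Reasonings and Additional Considerations can be checked offline against TXT strings you have already retrieved for a domain and its _dmarc name. The following is an added example, not Cork's own code: the function names, the finding labels other than RS3/RS7/RS8, and the sample records are constructed for illustration.

```python
# Added example: evaluate SPF/DMARC TXT strings against the criteria on this page.
# Function names and finding labels (other than RS3/RS7/RS8) are this example's own.

def find_record(txt_records, version, sep):
    """Return the first TXT string whose leading term is the version tag."""
    for txt in txt_records:
        terms = txt.strip().split(sep)
        if terms and terms[0].strip().lower() == version:
            return txt.strip()
    return None

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict with lowercase keys and values."""
    tags = {}
    for part in record.split(";"):
        key, eq, value = part.partition("=")
        if eq:
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def evaluate(domain_txt, dmarc_txt):
    """domain_txt: TXT strings at the domain; dmarc_txt: TXT strings at _dmarc.<domain>."""
    findings = []
    spf = find_record(domain_txt, "v=spf1", None)
    if spf is None:
        findings.append("RS3")
    elif "-all" not in spf.lower().split():
        findings.append("recommendation: SPF lacks -all")  # not an alert
    dmarc = find_record(dmarc_txt, "v=dmarc1", ";")
    if dmarc is None:
        findings.append("RS7")
        return findings
    tags = parse_tags(dmarc)
    if tags.get("p", "") in ("", "none"):
        findings.append("RS8: p empty or none")
    pct = tags.get("pct", "100")  # pct defaults to 100 when the tag is absent
    if not pct.isdigit() or int(pct) < 100:  # assumption: unparsable pct counts as weak
        findings.append("RS8: pct below 100")
    if tags.get("sp") == "none":
        findings.append("RS8: sp none")
    return findings

# Constructed sample records (not taken from any real domain)
WEAK_DOMAIN_TXT = ["site-verification=constructed", "v=spf1 include:_spf.example.net ~all"]
WEAK_DMARC_TXT = ["v=DMARC1; p=none; pct=50; sp=none; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    for finding in evaluate(WEAK_DOMAIN_TXT, WEAK_DMARC_TXT):
        print(finding)
```
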