
Email Server Hardening Against Modern External Attackers


Email remains the most common entry point for serious intrusions. The reasons are unchanged. Email is ubiquitous, the protocols are old, users will reliably interact with messages from strangers and the attackers have decades of operational practice. Hardening an email environment against modern threats means securing the servers themselves, the authentication mechanisms around them and the message flows that pass through them. Each of these layers needs attention.

Authentication Is The Foundation

SPF, DKIM and DMARC together provide the means to authenticate the origin of email. Each of them is widely supported, well documented and frequently misconfigured. SPF policies that end in softfail rather than hardfail, DKIM keys that have not rotated since the domain was registered and DMARC policies stuck in monitoring mode for years all create gaps that spoofing campaigns exploit. A focused external network pen testing engagement should validate the deployment of each of these protocols and flag the gaps.

Legacy Protocols Need To Go

IMAP and SMTP basic authentication remain in use long after better alternatives became available, frequently to support a single application that nobody has the budget to update. These legacy protocols bypass conditional access in cloud platforms and provide a clean route for credential stuffing attacks. Disable them tenant-wide and migrate the holdouts to modern authentication on a deliberate schedule.
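Before basic authentication can be switched off tenant-wide you need an inventory of who still depends on it, and while it is still enabled you want to see the credential stuffing it invites. The script below is an added example for this article, not tooling from any vendor: it runs over a small constructed sign-in log (the field layout and protocol labels are assumptions, not a real platform's export schema) and produces the list of holdouts to migrate plus the source addresses that fail legacy authentication against many distinct accounts.

```python
"""Inventory legacy-auth holdouts and spot stuffing patterns in sign-in logs.

Added example; SAMPLE_LOG is constructed and the column layout is an
assumption.  Adapt FIELDS and LEGACY_PROTOCOLS to your platform's export.
"""
import csv
import io
from collections import defaultdict

# Constructed sign-in log (not real data). Columns are defined in FIELDS below.
SAMPLE_LOG = """\
2024-03-01T08:00:12Z,alice@example.com,Outlook,ModernAuth,Success,203.0.113.5
2024-03-01T08:02:40Z,scanner@example.com,MFP-Scanner,SMTP-Basic,Success,198.51.100.9
2024-03-01T08:03:01Z,bob@example.com,Thunderbird,IMAP-Basic,Success,203.0.113.22
2024-03-01T08:04:15Z,carol@example.com,Unknown,IMAP-Basic,Failure,192.0.2.77
2024-03-01T08:04:16Z,dave@example.com,Unknown,IMAP-Basic,Failure,192.0.2.77
2024-03-01T08:04:17Z,erin@example.com,Unknown,IMAP-Basic,Failure,192.0.2.77
2024-03-01T08:04:18Z,frank@example.com,Unknown,IMAP-Basic,Failure,192.0.2.77
2024-03-01T08:05:00Z,grace@example.com,Outlook,ModernAuth,Success,203.0.113.8
"""

FIELDS = ["timestamp", "user", "client_app", "auth_protocol", "result", "source_ip"]
# Protocol labels are assumed names for basic-auth IMAP, POP3 and SMTP AUTH.
LEGACY_PROTOCOLS = {"IMAP-Basic", "POP3-Basic", "SMTP-Basic"}


def parse_log(text):
    """Parse CSV sign-in rows into dicts keyed by FIELDS."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def legacy_holdouts(rows):
    """For each legacy protocol, the accounts and client apps that still sign in successfully with it.

    These are the migrations to schedule before the protocol is disabled.
    """
    holdouts = defaultdict(lambda: {"users": set(), "apps": set(), "last_seen": ""})
    for r in rows:
        if r["auth_protocol"] in LEGACY_PROTOCOLS and r["result"] == "Success":
            h = holdouts[r["auth_protocol"]]
            h["users"].add(r["user"])
            h["apps"].add(r["client_app"])
            # ISO-8601 UTC timestamps sort correctly as strings.
            h["last_seen"] = max(h["last_seen"], r["timestamp"])
    return {
        proto: {"users": sorted(v["users"]), "apps": sorted(v["apps"]), "last_seen": v["last_seen"]}
        for proto, v in holdouts.items()
    }


def stuffing_sources(rows, min_distinct_users=3):
    """Source IPs whose legacy-auth failures span several distinct accounts.

    One address failing against many users is the shape of credential
    stuffing or password spraying, which basic auth lets through untouched
    by conditional access.
    """
    failures = defaultdict(set)
    for r in rows:
        if r["auth_protocol"] in LEGACY_PROTOCOLS and r["result"] == "Failure":
            failures[r["source_ip"]].add(r["user"])
    return {ip: len(users) for ip, users in failures.items() if len(users) >= min_distinct_users}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for proto, info in legacy_holdouts(rows).items():
        print(f"{proto}: {len(info['users'])} account(s) via {info['apps']}, last seen {info['last_seen']}")
    for ip, n in stuffing_sources(rows).items():
        print(f"{ip}: legacy-auth failures against {n} distinct accounts")
```

Run it against a real export once the column mapping is adjusted; the holdouts list is the migration backlog, and the stuffing sources are worth a block at the perimeter while that backlog is worked through.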

Expert Commentary

William Fieldhouse, Director of Aardwolf Security Ltd

The most consistent finding across email environments I assess is that the SPF, DKIM and DMARC configurations look good on paper and fail open in practice. The records exist. They are technically correct. They permit so many sources that the policy is effectively meaningless. Tighten the records until receiving servers actually reject mail that does not come from your sanctioned infrastructure.
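Both the "Authentication Is The Foundation" section and the commentary above come down to the same check: do the published SPF and DMARC records actually cause rejection, and how many senders do they quietly authorise? The evaluator below is an added example written for this article, not a tool from Aardwolf Security or any vendor. It parses record strings offline; the two sample records are constructed, and the IPv4 threshold of 4096 directly authorised hosts is an arbitrary assumption to tune for your own sender footprint. To check a live domain, resolve the TXT records for the domain and for its `_dmarc` label and pass the strings in.

```python
"""Flag SPF and DMARC records that exist, parse, and still fail open.

Added example for this article.  SAMPLE_SPF and SAMPLE_DMARC are
constructed records; fetch your own TXT records and pass them in.
"""
import ipaddress
import re

# Constructed sample records, not taken from any real domain.
SAMPLE_SPF = ("v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/16 "
              "include:_spf.example.net include:mail.example.org a mx ~all")
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100"

QUALIFIERS = "+-~?"


def spf_findings(record, max_ipv4_hosts=4096):
    """Return human-readable findings for one SPF record (empty list = no concerns)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]

    # The trailing 'all' mechanism decides the fate of every unlisted sender.
    all_terms = [t for t in terms[1:] if t.lower().lstrip(QUALIFIERS) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        q = all_terms[-1][0] if all_terms[-1][0] in QUALIFIERS else "+"
        if q == "~":
            findings.append("softfail (~all): spoofed mail is accepted and merely marked")
        elif q == "?":
            findings.append("neutral (?all): the policy has no effect on receivers")
        elif q == "+":
            findings.append("pass (+all): every sender on the internet is authorised")

    # How many IPv4 addresses does the record authorise outright?
    hosts = 0
    for t in terms[1:]:
        m = re.fullmatch(r"[+\-~?]?ip4:(\S+)", t, re.IGNORECASE)
        if m:
            try:
                hosts += ipaddress.ip_network(m.group(1), strict=False).num_addresses
            except ValueError:
                findings.append(f"unparseable ip4 term: {t}")
    if hosts > max_ipv4_hosts:
        findings.append(f"{hosts} IPv4 addresses authorised directly; tighten to the real senders")

    # RFC 7208 allows at most 10 DNS-querying mechanisms; more yields permerror.
    lookup_re = re.compile(r"[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)", re.IGNORECASE)
    lookups = sum(1 for t in terms[1:] if lookup_re.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceeds the limit of 10; record will permerror")

    # Each include inherits the provider's entire customer base as authorised senders.
    includes = [t for t in terms[1:] if t.lower().lstrip(QUALIFIERS).startswith("include:")]
    if len(includes) >= 2:
        findings.append(f"{len(includes)} third-party includes: each inherits its provider's whole sender set")
    return findings


def dmarc_findings(record):
    """Return findings for one DMARC record (empty list = enforcing and reporting)."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]

    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, receivers take no action on failures")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")
    elif policy != "reject":
        findings.append("missing or unknown p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    sp = tags.get("sp", "").lower()
    if sp == "none" and policy != "none":
        findings.append("sp=none: subdomains are left unprotected while the apex is enforced")
    return findings


if __name__ == "__main__":
    for label, result in (("SPF", spf_findings(SAMPLE_SPF)), ("DMARC", dmarc_findings(SAMPLE_DMARC))):
        print(label, "OK" if not result else "")
        for f in result:
            print("  -", f)
```

The sample SPF record above is exactly the fail-open shape the commentary describes: syntactically valid, yet it softfails, authorises a /16 outright and pulls in two third-party providers. A record that scores no findings is one where `-all` terminates a short list of sanctioned sources and DMARC sits at `p=reject` with reporting enabled.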

TLS Configuration Deserves A Periodic Review

Email server TLS configuration ages badly. Cipher suites that were strong five years ago are weak today. Certificates expire. Forward secrecy was not always required. Run a periodic review of the TLS posture on every mail server you operate, using freely available external scanning tools where appropriate. The configuration that ships from the vendor is rarely the configuration you want in production today. It is worth keeping the mail server configuration under change control alongside the rest of the security infrastructure. Configuration drift in email is one of the more reliable ways to weaken a security posture quietly over time.
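A periodic TLS review can be a scheduled job rather than a manual checklist. The script below is an added example for this article, written with Python's standard library only and not taken from any scanning tool: `probe_smtp` opens a STARTTLS session to a submission port and records the negotiated protocol, cipher and certificate expiry, and `assess` turns that posture into findings for the three failure modes the paragraph names (old protocol versions, weak or non-forward-secret ciphers, expiring certificates). The host name, ports and the 30-day expiry warning window are assumptions; the offline `assess` function is what the sample values exercise.

```python
"""Periodic TLS posture check for a mail server's STARTTLS endpoint.

Added example.  probe_smtp() is a live network call (hostname and port are
placeholders); assess() is pure and can be run on recorded values.
"""
import smtplib
import ssl
import time
from dataclasses import dataclass


@dataclass
class TlsPosture:
    protocol: str        # as reported by SSLSocket.version(), e.g. "TLSv1.2"
    cipher: str          # OpenSSL suite name, e.g. "ECDHE-RSA-AES256-GCM-SHA384"
    cert_not_after: str  # getpeercert()["notAfter"], e.g. "Jun  1 12:00:00 2025 GMT"


OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings in OpenSSL suite names that mark broken or anonymous suites.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def assess(posture, now=None, expiry_warn_days=30):
    """Return findings for a recorded TLS posture; an empty list means nothing to fix."""
    now = time.time() if now is None else now
    findings = []
    if posture.protocol in OBSOLETE_PROTOCOLS:
        findings.append(f"{posture.protocol} negotiated: disable everything below TLS 1.2")
    suite = posture.cipher.upper()
    if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite {posture.cipher}")
    # TLS 1.3 suites always use ephemeral key exchange; TLS 1.2 needs ECDHE or DHE for forward secrecy.
    if posture.protocol != "TLSv1.3" and not suite.startswith(("ECDHE", "DHE")):
        findings.append(f"no forward secrecy with {posture.cipher}")
    expires = ssl.cert_time_to_seconds(posture.cert_not_after)
    days_left = (expires - now) / 86400
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < expiry_warn_days:
        findings.append(f"certificate expires in {int(days_left)} days")
    return findings


def probe_smtp(host, port=587, timeout=10):
    """Connect, upgrade with STARTTLS and capture what was negotiated.

    Uses the default verifying context: a certificate that fails validation
    raises ssl.SSLCertVerificationError, which is itself a finding worth
    recording by the caller.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        sock = smtp.sock  # now an ssl.SSLSocket
        cert = sock.getpeercert()
        return TlsPosture(sock.version(), sock.cipher()[0], cert.get("notAfter", ""))


if __name__ == "__main__":
    # Placeholder host for the live probe; replace with a server you operate.
    for host in ("mail.example.com",):
        try:
            posture = probe_smtp(host)
            print(host, posture, assess(posture) or "OK")
        except ssl.SSLCertVerificationError as exc:
            print(host, "certificate failed verification:", exc)
        except OSError as exc:
            print(host, "connection failed:", exc)
```

Checking the record of each run into the same change-control system that holds the server configuration gives you the drift history the paragraph warns about: a suite or protocol reappearing after a vendor upgrade shows up as a diff rather than as a surprise.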

Inbox Rules And Compromised Account Cleanup

A compromised mailbox does not necessarily mean lost data. The follow-on attack often involves inbox rules that auto-forward messages, delete responses from the legitimate user or move financial conversations to obscure folders. Detecting unusual inbox rules across your tenant is cheap and effective. Pair this with regular penetration testing from a reputable provider that includes the email surface explicitly. Email is too central to the business to be left out of routine testing.
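The inbox-rule check is cheap precisely because the signals are few and concrete. The script below is an added example for this article, not a feature of any mail platform: it scores each rule in a constructed export against the behaviours the paragraph lists (forwarding outside the organisation, forward-then-delete, moving mail into rarely viewed folders, marking it read, matching on financial keywords, and a meaningless rule name) and reports rules that trip more than one signal. The JSON layout, the folder list and the keyword list are assumptions to adapt to your tenant's export format and business vocabulary.

```python
"""Score mailbox rules for the patterns a compromised account leaves behind.

Added example.  SAMPLE_RULES_JSON is a constructed export; the schema is an
assumption and should be mapped from your platform's real rule export.
"""
import json

# Constructed rule export, not from any real tenant.
SAMPLE_RULES_JSON = json.dumps([
    {"mailbox": "cfo@example.com", "name": "..", "enabled": True,
     "conditions": {"subject_contains": ["invoice", "wire transfer"]},
     "actions": {"forward_to": ["acct-review@mail-example.net"], "delete": True}},
    {"mailbox": "cfo@example.com", "name": "Newsletters", "enabled": True,
     "conditions": {"from_contains": ["news@example.com"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"mailbox": "ap@example.com", "name": "Archive", "enabled": True,
     "conditions": {"subject_contains": ["payment"]},
     "actions": {"move_to_folder": "RSS Feeds", "mark_read": True}},
])

INTERNAL_DOMAINS = {"example.com"}
FINANCIAL_TERMS = {"invoice", "payment", "wire", "transfer", "bank", "remittance"}
# Folders users rarely open, so mail parked there is effectively hidden.
ODD_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
               "junk email", "deleted items", "archive"}


def score_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return the list of reasons a single rule looks like post-compromise tradecraft."""
    reasons = []
    actions = rule.get("actions", {})
    conds = rule.get("conditions", {})
    name = rule.get("name", "").strip()

    targets = actions.get("forward_to", []) + actions.get("redirect_to", [])
    for addr in targets:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in internal_domains:
            reasons.append(f"forwards to external domain {domain}")
    if actions.get("delete") and targets:
        reasons.append("forwards then deletes: hides the traffic from the mailbox owner")
    folder = actions.get("move_to_folder", "")
    if folder.lower() in ODD_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    if actions.get("mark_read"):
        reasons.append("marks matching mail as read")

    # Condition values are lists of phrases; split them into words for keyword matching.
    words = {w.lower() for phrases in conds.values() for p in phrases for w in p.split()}
    hits = words & FINANCIAL_TERMS
    if hits:
        reasons.append("targets financial conversations: " + ", ".join(sorted(hits)))
    # Attackers often name rules with a dot or two so they are easy to miss.
    if len(name) <= 2 or not any(ch.isalnum() for ch in name):
        reasons.append(f"suspicious rule name {name!r}")
    return reasons


def suspicious_rules(rules_json, min_reasons=2):
    """Enabled rules that trip at least min_reasons signals, in export order."""
    flagged = []
    for rule in json.loads(rules_json):
        if not rule.get("enabled", True):
            continue
        reasons = score_rule(rule)
        if len(reasons) >= min_reasons:
            flagged.append({"mailbox": rule["mailbox"], "name": rule["name"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_rules(SAMPLE_RULES_JSON):
        print(f"{hit['mailbox']} rule {hit['name']!r}:")
        for reason in hit["reasons"]:
            print("  -", reason)
```

Running this over a full tenant export on a schedule turns the paragraph's "cheap and effective" claim into a concrete control; the two-signal threshold keeps ordinary newsletter filing out of the report while the forward-and-delete rule on the finance mailbox is flagged on four counts.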

Email security is a discipline rather than a project. Every gain decays over time without active maintenance, and the configuration that worked two years ago is rarely adequate today, so the regular review is worth the effort. Network security has changed considerably over the last decade and the principles that survived the change tend to be the ones worth investing in. The fundamentals remain valuable even as the implementation details evolve around them.