Business email security.
SPF, DKIM, DMARC, BIMI and MTA-STS.

Over 90% of cyber attacks begin with an email. Phishing, spoofing and Business Email Compromise (BEC) exploit domains that lack proper authentication. SPF, DKIM, DMARC, BIMI, MTA-STS and TLS-RPT form a layered defence that verifies every message, blocks forgeries and gives you full visibility into who sends email on your behalf.


Why email authentication is essential

Email was designed without built-in authentication: anyone can send a message claiming to come from your domain. Email authentication protocols (SPF, DKIM, DMARC) fix this by letting receiving servers verify the legitimacy of every message. Without them, your domain is exposed to phishing, spoofing and reputation damage.

90%+

More than 90% of successful cyber attacks start with a phishing email. Business Email Compromise (BEC) alone caused over $2.9 billion in losses in 2023 according to the FBI IC3 report. Email authentication is the first line of defence.

DMARC p=reject

Only a DMARC policy set to reject actually blocks spoofed emails. Many organisations stop at p=none (monitoring only), leaving their domain unprotected. We guide you to full enforcement with zero disruption to legitimate mail flows.

Compliance

Email authentication is a requirement for NIS2, ISO/IEC 27001, 27017, 27018 and ISO 9001. Google and Yahoo now require SPF, DKIM and DMARC for bulk senders. Non-compliance means delivery failures and security gaps.


How we secure your email domain

We don't just publish DNS records: we design, implement and monitor a complete email authentication architecture tailored to your domain, your sending sources and your compliance requirements.

1. Audit

We analyse your current SPF, DKIM and DMARC configuration, identify all legitimate sending sources (mail servers, marketing platforms, CRM, ticketing systems) and map the gaps.

2. Implementation

We configure SPF with correct include mechanisms, DKIM signing for every sending source, DMARC with aggregate and forensic reporting, MTA-STS for transport encryption and TLS-RPT for delivery monitoring.

3. Enforcement

We progressively tighten DMARC policy from none to quarantine to reject, monitoring reports at every stage to ensure zero impact on legitimate email. Once at reject, we add BIMI for brand visibility in inboxes.

Email authentication protocols

The six pillars of email security

A complete email authentication stack that protects your domain from phishing, ensures message integrity, enforces transport encryption and gives you full visibility into your email ecosystem.

SPF (Sender Policy Framework)

SPF lets you declare which servers are authorised to send email for your domain. Receiving servers check the sending IP against your SPF record and reject unauthorised sources. We optimise your SPF record to stay within the 10-lookup limit and cover all legitimate senders.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every outgoing email, proving the message was not altered in transit and genuinely comes from your domain. We configure DKIM signing for every sending source -- mail server, marketing platform, CRM -- with proper key rotation and 2048-bit keys.

DMARC (Domain-based Message Authentication)

DMARC ties SPF and DKIM together with a policy that tells receiving servers what to do with messages that fail authentication: monitor (none), quarantine or reject. We manage the full journey to p=reject, analysing aggregate reports to identify issues before tightening the policy.

BIMI (Brand Indicators for Message Identification)

BIMI displays your verified logo next to your emails in supported inboxes (Gmail, Apple Mail, Yahoo). It requires DMARC at p=quarantine or p=reject and a Verified Mark Certificate (VMC). We handle the full setup: SVG logo preparation, VMC procurement and DNS record publication.

MTA-STS (Mail Transfer Agent Strict Transport Security)

MTA-STS forces sending servers to use encrypted TLS connections when delivering email to your domain, preventing man-in-the-middle downgrade attacks. Without MTA-STS, an attacker can intercept email in transit even if both servers support TLS. We configure the policy file and DNS records.

TLS-RPT (TLS Reporting)

TLS-RPT provides daily reports on TLS connection failures when other servers deliver email to your domain. It reveals certificate errors, policy mismatches and downgrade attempts that would otherwise go unnoticed. We configure reporting and monitor results to ensure transport encryption works reliably.

Why buying a solution is not enough

Misconfigured records are worse than none

A broken SPF record that exceeds the 10-lookup limit silently fails open, letting spoofed emails through. A DMARC policy stuck at p=none gives you reports but blocks nothing. Misconfiguration creates a false sense of security that is more dangerous than having no authentication at all.
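Both misconfigurations can be caught before publishing. The following is an added example, not code from this provider: it counts the DNS-querying SPF terms across nested includes and flags a DMARC record that enforces nothing. The zone data, domain names and function names are constructed placeholders, and the records are read from a dictionary rather than live DNS.

```python
import re

# Constructed sample zone: TXT records keyed by name (all names are placeholders).
ZONE = {
    "example.com": "v=spf1 mx a include:_spf.mailvendor.example include:_spf.crm.example -all",
    "_spf.mailvendor.example": "v=spf1 include:a.mailvendor.example include:b.mailvendor.example ~all",
    "a.mailvendor.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "b.mailvendor.example": "v=spf1 ip4:198.51.100.128/25 -all",
    "_spf.crm.example": "v=spf1 a mx ptr exists:%{i}.ok.crm.example "
                        "include:eu.crm.example include:us.crm.example -all",
    "eu.crm.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "us.crm.example": "v=spf1 ip4:203.0.113.128/25 -all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4
SPF_LIMIT = 10

def spf_lookups(domain, zone, path=()):
    """Count DNS-querying SPF terms reachable from domain via include/redirect."""
    record = zone.get(domain, "")
    if domain in path or not record.lower().startswith("v=spf1"):
        return 0  # include loop, or no SPF record at this name
    total = 0
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?([a-z]+)(?:[:=]([^/\s]+))?", term.lower())
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and unknown modifiers cost no lookup
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += spf_lookups(m.group(2), zone, path + (domain,))
    return total

def dmarc_findings(record):
    """Return the reasons a DMARC record does not enforce or report."""
    tags = {k.strip().lower(): v.strip()
            for k, _, v in (t.partition("=") for t in record.split(";")) if v}
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record"]
    findings = []
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("p=%s: monitoring only, nothing is blocked" % tags.get("p", "missing"))
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected")
    return findings

def audit(domain, zone):
    """Return (SPF lookup count, list of findings) for one domain."""
    count = spf_lookups(domain, zone)
    findings = dmarc_findings(zone.get("_dmarc." + domain, ""))
    if count > SPF_LIMIT:  # over the limit, SPF evaluation ends in permerror
        findings.insert(0, "SPF needs %d DNS lookups (limit %d)" % (count, SPF_LIMIT))
    return count, findings
```

For the constructed zone, `audit("example.com", ZONE)` reports 12 lookups and the `p=none` policy.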

Email ecosystems change constantly

New sending sources are added (marketing tools, ticketing systems, CRM), employees forward email through third-party services, and vendors change their sending infrastructure. Without continuous monitoring of DMARC and TLS-RPT reports, legitimate email breaks and spoofed email slips through.

Compliance requires evidence, not just records

Auditors for NIS2, ISO/IEC 27001, 27017, 27018 and ISO 9001 want to see documented policies, monitoring processes and evidence of enforcement -- not just DNS records. We provide the governance layer: documented procedures, regular report reviews and policy lifecycle management.

Active protection

Beyond authentication: Email Security Gateway

DNS authentication protects your domain from spoofing. But to block phishing, malware and targeted attacks reaching your mailboxes, you need a second layer: a security gateway that analyses every inbound and outbound message.

Libraesva EmailSecurity

Independent email gateway with 14 levels of analysis, Avira and Bitdefender engines, proprietary URLSand and QuickSand technologies. 99.99% catch rate (Virus Bulletin since 2010). BEC (Business Email Compromise) protection and behavioural attachment analysis. AtWorkStudio is a Certified Partner of Libraesva. The service is ACN qualified.

Microsoft Defender for Office 365

Native protection for Microsoft 365 environments: Safe Attachments analyses files in a sandbox, Safe Links rewrites and verifies URLs in real time, anti-phishing with machine learning detects impersonation attempts.

Two layers, one strategy

DNS authentication (SPF, DKIM, DMARC) and the email gateway are complementary: the first prevents anyone from sending emails pretending to be your domain, the second protects your mailboxes from everything that comes from outside. We configure and manage both layers.

Protect your domain from phishing and email spoofing

Contact us for an email security audit: we analyse your current SPF, DKIM and DMARC configuration and build a roadmap to full enforcement. You can also check your domain right now with our DNS management tools.