Services / Email & Messaging Security
Email Authentication Hardening Sprint
SPF, DKIM, DMARC to enforcement. All domains. No exceptions.
Email spoofing is trivially easy when DMARC isn't at enforcement. Most organizations have SPF configured and DMARC in monitoring mode — which means anyone can still send email that appears to come from your domain. This sprint takes every sending domain to p=reject, and keeps it there.
What's Included
- SPF record audit and correction across all sending domains
- DKIM key generation and configuration in Exchange Online
- DMARC record creation and staged rollout to p=reject
- MTA-STS policy configuration
- DANE setup (where DNS provider supports it)
- Third-party sender identification and SPF include review
- DMARC reporting setup (aggregate and forensic)
- Verification of all records across all domains
Engagement Details
Deliverable: All domains at DMARC p=reject with monitoring in place. SPF and DKIM correctly configured. MTA-STS deployed.
Duration: 2–3 weeks
Price: $2,500-$4,500
Notes: Tiered by domain count.