Fundamentals
Email Security Architecture for Analysts
How email security works from an analyst's perspective — SPF, DKIM, DMARC, email gateways, threat detection, and investigating malicious email traffic in the SOC.
View on Graph
The Email Architecture Every Analyst Must Know
Email security relies on multiple layers working together. Understanding this architecture helps analysts triage email threats faster and reduces false positive fatigue from misconfigured email controls.
Email Flow Through Security Controls
Sender → MTA → SPF Check → DKIM Verify → DMARC Policy
→ Email Gateway (anti-spam, anti-malware, URL filtering)
→ Sandbox (attachment detonation)
→ Recipient Inbox → Mimecast/Proofpoint/Defender link rewriteEach layer generates distinct log sources that analysts use during investigation:
| Layer | What It Does | Log Source | What Analysts Check |
|---|---|---|---|
| SPF | Verifies sender IP is authorized to send for the domain | DMARC reports, MTA logs | Did the email pass SPF? Was the sender IP in the SPF record? |
| DKIM | Verifies email integrity and authenticity via digital signature | DKIM headers, MTA logs | Did DKIM pass? Does the signing domain match the From header? |
| DMARC | Policy handler — tells receivers what to do with emails that fail SPF/DKIM | DMARC aggregate/forensic reports | What is the DMARC policy (none/quarantine/reject)? |
| Email gateway | Filters spam, malware, and malicious URLs | Gateway audit logs | Was the email flagged? What was the threat score? |
| Sandbox | Detonates attachments in isolated environment | Sandbox analysis report | Did the attachment exhibit malicious behavior? |
| Link rewrite | Rewrites URLs for post-delivery click protection | Click logs, threat status | Did the user click? Was the URL malicious at time of click? |
SPF — Sender Policy Framework
What SPF Does
SPF allows a domain owner to publish a DNS record listing the servers authorized to send email for that domain. When a receiving mail server gets an email, it checks the SPF record to see if the sender’s IP is in the authorized list.
SPF record example:
v=spf1 ip4:192.0.2.0/24 include:_spf.google.com ~all| Mechanism | Meaning |
|---|---|
ip4:192.0.2.0/24 | Servers in this IP range are authorized |
include:_spf.google.com | Include Google’s SPF record |
~all | Soft-fail — mark as suspicious but accept (recommended during migration) |
-all | Hard-fail — reject emails not matching the SPF record (strict policy) |
Why SPF Fails and What It Means
| SPF Result | Meaning | Investigation Action |
|---|---|---|
| Pass | Sender IP is authorized | Normal — no SPF issue |
| Fail | Sender IP is NOT authorized | Possible spoofing. Check the sending infrastructure. |
| SoftFail | Sender IP is weakly unauthorized | Usually a configuration issue — email is accepted but marked |
| Neutral | SPF record does not explicitly authorize or deny | The domain has no explicit SPF policy — common for small domains |
| None | No SPF record exists for the domain | Domain lacks email authentication entirely |
| TempError | DNS resolution failure | Transient — retry may succeed |
| PermError | SPF record is malformed | Domain misconfiguration — should be corrected by the domain owner |
SPF Limitations
SPF has a 10 DNS lookup limit — including lookups from include and redirect mechanisms. Domains that exceed this limit will have their SPF checks fail. This is a common configuration error in organizations that use multiple email providers.
DKIM — DomainKeys Identified Mail
What DKIM Does
DKIM adds a digital signature to email headers. The signature is created using the sending domain’s private key, and the receiving server verifies it using the public key published in the domain’s DNS.
DKIM signature header example:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1;
bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
h=From:To:Subject:Date; b=ABC123...XYZ789| DKIM Parameter | Meaning |
|---|---|
v=1 | DKIM version |
a=rsa-sha256 | Signing algorithm |
d=example.com | Signing domain |
s=selector1 | DNS selector — determines where the public key is published |
bh= | Body hash — ensures body integrity |
h= | Signed headers — ensures header integrity |
b= | The digital signature itself |
Why DKIM Fails and What It Means
| DKIM Result | Meaning | Investigation Action |
|---|---|---|
| Pass | Signature verified | Normal — email integrity is intact |
| Fail | Signature does not match | Email was modified in transit, or the signature was forged |
| PermError | DKIM record is invalid | Domain misconfiguration |
| TempError | DNS lookup failed | Transient — retry may succeed |
DKIM and Forwarding
Email forwarding breaks DKIM. When an email is forwarded from one server to another, the forwarder may modify headers or the body, invalidating the original DKIM signature. This is why SPF and DMARC work together — DKIM failure from forwarding is expected, but SPF may still pass (with ARC or SRS).
DMARC — Domain-Based Message Authentication, Reporting, and Conformance
What DMARC Does
DMARC tells receiving servers what to do with emails that fail both SPF and DKIM. It also provides reporting so domain owners can see who is sending email on their behalf.
DMARC record example:
_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com; pct=100; sp=reject"| Tag | Meaning | Values |
|---|---|---|
p | Policy for the domain | none (monitor only), quarantine (mark as spam), reject (block email) |
sp | Policy for subdomains | Same as p values |
rua | Aggregate report address | Where daily XML reports are sent |
ruf | Forensic report address | Where individual failure reports are sent |
pct | Percentage of emails to apply the policy to | 1-100 |
adkim | DKIM alignment | r (relaxed — domain match), s (strict — exact match) |
aspf | SPF alignment | r (relaxed), s (strict) |
DMARC Policy Progression
Organizations typically progress through these DMARC policies:
p=none → p=quarantine → p=reject
↑ Monitor ↑ Mark spam ↑ BlockAnalysts should know that a DMARC p=reject policy does not mean all email from that domain is safe — it means the domain has good email authentication posture. Legitimate services that send email on the domain’s behalf must be properly configured in SPF, DKIM, or both.
Email Gateway Analysis — Investigating Malicious Email
Key Email Headers for Investigation
| Header | What It Tells You | How to Access |
|---|---|---|
| Received | The full relay path — each server that handled the email | First Received header at the bottom = origin |
| Return-Path | Where bounces go — different from From | Any email client |
| Authentication-Results | SPF, DKIM, and DMARC results from the receiving server | Email headers |
| X-Mailer | The email client used to send | Header analysis |
| Message-ID | Unique identifier — useful for cross-referencing across systems | Any email client |
| DKIM-Signature | DKIM verification information | Email headers |
| ARC-Seal/ARC-Message-Signature | Authentication chain for forwarded email | Email headers |
Analyzing a Suspicious Email — Step-by-Step
- Check SPF/DKIM/DMARC results in the
Authentication-Resultsheader. If all three pass, the sender identity is authentic. If any fail, the email is spoofed or forwarded. - Examine the
Receivedheaders from bottom to top. The bottommostReceivedheader is the original sender’s server. Look for IP addresses and reverse DNS hostnames that don’t match the claimed sender. - Check the
Reply-Toheader. IfReply-Todiffers fromFrom, this is a social engineering red flag — the attacker wants replies to go to a different address. - Inspect URLs without clicking. Hover over links to see the actual destination URL. Use a URL scanner (VirusTotal, URLScan.io) to check the domain.
- Analyze attachments — check file extension, hash the attachment, and query threat intelligence feeds (VirusTotal, Hybrid Analysis). Do not open attachments on your workstation.
KQL query — find emails from suspicious domains:
EmailEvents
| where Timestamp > ago(7d)
| where AuthenticationResults !contains "dmarc=pass" or AuthenticationResults contains "spf=fail"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, AuthenticationResults, ThreatTypes
| order by Timestamp descCommon Email Security Issues Analysts See
| Issue | Cause | How to Diagnose |
|---|---|---|
| Legitimate email marked as spam | SPF failure due to forwarding, DKIM breakage, or misconfigured DMARC | Check Authentication-Results — SPF/DKIM failures from forwarding are normal |
| Phishing email that passed authentication | Legitimate domain was compromised, or the attacker used a look-alike domain | Check the domain carefully — rnicrosoft.com vs microsoft.com |
| DMARC aggregate report shows unknown senders | Shadow IT, marketing tools, or malicious senders using the domain | Investigate each unknown source IP against known vendors and tools |
| DKIM signature breakage from mailing lists | Mailing list modifies headers or content | ARC seals can preserve the authentication chain |
| SPF permerror (too many DNS lookups) | Organization uses multiple email providers | Use SPF macros or reduce the number of include statements |
Related
- SPF and DKIM — detection and response for T1566 techniques
- Phishing — detection and response for T1566 techniques
- Phishing Triage — detection and response for T1566 techniques
- Business Email Compromise Response — detection and response for T1566, T1114, T1098, T1586 techniques
- Indicators: IoC, IoA, and TTP — covers the indicators: ioc, ioa, and ttp concepts