5.5.3. Email Security and DNS Filtering
💡 First Principle: Email remains the top attack vector, and DNS is the backbone of all internet communication. Securing both dramatically reduces the organization's attack surface because nearly every attack involves one or both: phishing relies on email delivery, and malware relies on DNS for command-and-control communication.
Email security protocols work together as a chain of verification:
- SPF (Sender Policy Framework): a DNS TXT record listing the servers authorized to send mail for a domain. Receiving servers check whether the connecting sender's IP is on that list. Prevents email spoofing from unauthorized servers. Limitation: it validates the envelope sender, not the "From" header that users see, so the displayed address can still be forged.
- DKIM (DomainKeys Identified Mail): adds a digital signature to outgoing email that receiving servers verify against a public key published in DNS. Proves the email hasn't been modified in transit and that the signing domain took responsibility for it. Limitation: doesn't specify what to do when verification fails.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): builds on SPF and DKIM by requiring that a passing result be aligned with the "From" header domain, tells receiving servers what to do when authentication fails (none, quarantine, reject), and provides reporting back to the domain owner. DMARC closes the gaps that SPF and DKIM leave individually.
Email gateway: an appliance or service that inspects all inbound and outbound email for malware, phishing, spam, and data loss. Sits between the internet and the email server. Modern gateways use sandboxing to detonate suspicious attachments, URL rewriting to check links at click time, and machine learning to detect social engineering patterns.
DNS filtering: blocking DNS resolution for known-malicious or policy-violating domains. If the DNS query for a malicious domain never resolves, the connection never happens. Effective because almost all malware and C2 communication relies on DNS. DNS filtering can be applied at the network level (DNS servers or firewalls) or at the endpoint level (DNS agents).
⚠️ Exam Trap: SPF, DKIM, and DMARC work together. SPF validates the sending server. DKIM validates message integrity. DMARC tells receivers what to do when SPF or DKIM fails and provides reporting. All three should be implemented together for effective email authentication.
