SECURITY PROGRAM // ACTIVE ENGAGEMENT

Email Security & DMARC

2026-03-18 // V1.0

IMPL
IMPLEMENTATION_RECORD

Email Security & DMARC

DMARC enforcement at reject policy with SPF and DKIM alignment. External forwarding rules blocked. Material Security enrolled for advanced email protection.

QUICKSTARTDEPLOYED // STABLEIaC // TERRAFORM
SERVICEEmail Security & DMARC
PACKAGEQUICKSTART
DEPLOYED2026-03-18
STATUSDEPLOYED // STABLE
THREAT_VECTOR //

Email impersonation and domain spoofing are primary vectors for business email compromise — this control prevents unauthorized parties from sending email as your domain.

DEPLOYMENT_CHECKLIST

DMARC policy set to rejectPASS
SPF record aligned and validPASS
DKIM signing enabled for all domainsPASS
External forwarding rules blockedPASS
Material Security enrolledPASS

CONFIGURATION

SETTINGVALUE
DMARC Policyp=reject; rua=mailto:dmarc@threatunknown.com
SPF Recordv=spf1 include:_spf.google.com ~all
DKIMEnabled (2048-bit RSA)
Forwarding RulesBlocked via policy

FRAMEWORK_MAPPING

SOC_2_READINESSTRUST SERVICES CRITERIA SATISFIED
CC6.7Controls restricting unauthorized transmission or movement of information
CC6.8Controls preventing introduction of unauthorized or malicious software

These controls form part of the evidence base for your SOC 2 Type II audit.

NIST_CSFSECURITY FRAMEWORK FUNCTION
ProtectImplement safeguards to limit the impact of potential events
DetectIdentify when security events occur

BASELINE_DELTA

BEFORE // BASELINE STATE
  • No DMARC record — anyone could send email impersonating your domain
  • No SPF alignment verification
  • DKIM not configured
  • External forwarding rules permitted
  • No inbox-level threat protection
AFTER // CURRENT STATE
  • DMARC policy at reject — unauthorised senders blocked by receiving mail servers
  • SPF record published and validated
  • DKIM signing enabled (2048-bit RSA)
  • External forwarding rules blocked at admin level
  • Material Security enrolled on all 18 mailboxes

CURRENT_HEALTH

DMARC_PASS_RATE98.7%TARGET: >98%
DMARC_POLICYrejectTARGET: reject
EXTERNAL_FORWARDING_RULES0TARGET: 0
DATA_SOURCE // MONTHLY SECURITY REPORT // MARCH 2026

CONTROL_HISTORY

March 2026MONTHLYEngineering Progress & Risk Mitigation Report
VIEW →
January 2026MONTHLYEngineering Progress & Risk Mitigation Report
VIEW →
February 2026MONTHLYEngineering Progress & Risk Mitigation Report
VIEW →
2026-04-02QUARTERLYDMARC Aggregate Report Review — Q1 2026
VIEW →

EVIDENCE_REFERENCES

ARTIFACTTYPELOCATIONREFDATEWHAT THIS PROVES
DMARC Q1 Aggregate ReportCONFIG EXPORTdmarciandmarc-aggregate-q1-2026.html2026-04-02Confirms DMARC policy advanced to reject based on aggregate report analysis — identifies the unauthorised Mailchimp sending source that was remediatedVIEW
DNS Record VerificationCONFIG EXPORTCloudflare Dashboarddns-verification-2026-03-18.txt2026-03-18Proves SPF, DKIM, and DMARC records are correctly published and aligned — direct evidence for CC6.7 email transmission controlsVIEW
Material Security EnrollmentSCREENSHOTMaterial Securitymaterial-security-enrolled-2026-03-18.svg2026-03-18Proves inbox-level threat protection is active for all mailboxes at implementation dateVIEW
Terraform Plan OutputTERRAFORMhttps://github.com/ThreatUnknown/meridian-security-baselinepr-17-terraform-plan.txt2026-03-18Confirms DNS changes were deployed via code with full change historyVIEW