Question 1

What is an email security audit?

Accepted Answer

An email security audit assesses how well your domain is protected against email-based attacks — spoofing, phishing, business email compromise, and interception. We check the three core email authentication protocols (SPF, DKIM, DMARC), test whether attackers can send emails impersonating your domain, review your mail server security, and assess your email filtering effectiveness. The result is a clear picture of your email security posture with actionable steps to close gaps.

Question 2

How much does an email security audit cost?

Accepted Answer

Our Email Security Audit is $300 AUD. This includes SPF, DKIM, and DMARC analysis for your primary domain, domain spoofing simulation testing, mail server hardening review, a phishing resilience assessment, a detailed report with corrected DNS records, and a DMARC enforcement roadmap. Additional domains can be added for $100 each. The audit is also included in our Full Business Security Assessment at $1,200.

Question 3

What are SPF, DKIM, and DMARC?

Accepted Answer

SPF (Sender Policy Framework) specifies which servers can send email from your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature proving emails have not been tampered with. DMARC (Domain-based Message Authentication, Reporting & Conformance) ties them together and tells receiving servers what to do with emails that fail authentication. Together, they prevent attackers from sending emails that appear to come from your domain — but only if all three are correctly configured and enforced.

Question 4

Can someone really send emails as our company?

Accepted Answer

If your DMARC policy is set to p=none (or missing entirely), the answer is likely yes. Without enforcement, anyone can send an email that appears to come from your domain — to your clients, suppliers, or employees. This is called domain spoofing and it is the foundation of Business Email Compromise (BEC) attacks, which cost Australian organisations millions annually. Our spoofing simulation test demonstrates exactly what an attacker can do today.

Question 5

We use Microsoft 365 / Google Workspace — are we already protected?

Accepted Answer

Microsoft 365 and Google Workspace provide excellent built-in spam filtering, but neither automatically configures SPF, DKIM, or DMARC enforcement for your custom domain. We frequently find organisations using these platforms with p=none DMARC policies, weak SPF records, or DKIM not enabled for third-party senders. The platform protects your inbox; our audit ensures your domain cannot be impersonated outbound.

Question 6

What is Business Email Compromise (BEC)?

Accepted Answer

BEC is a targeted attack where criminals impersonate a trusted person — usually a CEO, CFO, supplier, or solicitor — via email to trick employees into transferring funds, sharing credentials, or disclosing sensitive information. BEC attacks cost Australian businesses $2.7 million per incident on average. They rely on domain spoofing (sending from your actual domain) or lookalike domains (yourdomain.com vs yourdoma1n.com). Our audit tests both vectors.

Question 7

How long does the email security audit take?

Accepted Answer

The full audit takes 3-4 business days from start to report delivery. Day one covers configuration discovery and DNS analysis. Days two and three involve spoofing simulation, phishing resilience testing, and mail server review. The report is delivered by day four, followed by a findings walkthrough call at your convenience. If urgent issues are found (e.g., completely missing DMARC), we notify you immediately.

Question 8

Will the audit affect our email delivery?

Accepted Answer

No. Our testing is non-invasive. Spoofing simulation emails are sent from external infrastructure (not through your mail servers) to test whether receiving servers honour your authentication policies. We never modify your DNS records, mail server configuration, or email filtering rules. The audit observes and tests — it does not change anything.

Question 9

What is a DMARC enforcement roadmap?

Accepted Answer

Moving from p=none (monitor only) to p=reject (block spoofed emails) requires careful planning to avoid accidentally blocking legitimate email. Our roadmap guides you through the process: first enabling DMARC reporting to identify all legitimate senders, then ensuring each sender has valid SPF and DKIM, then moving to p=quarantine, and finally to p=reject. We include timeline estimates and checkpoint criteria for each stage.

Question 10

Do you check our email filtering and anti-spam settings?

Accepted Answer

Yes. We review your email gateway or cloud filtering configuration — checking whether dangerous attachment types are blocked, URL rewriting and sandboxing are enabled, external email warning banners are displayed, and advanced threat protection features are active. We also test filter effectiveness by sending controlled test emails with common phishing characteristics to see what gets through.

Question 11

Our domain already has DMARC — do we still need an audit?

Accepted Answer

Having a DMARC record is only the first step. Many organisations have DMARC set to p=none (which only monitors, does not block), have misconfigured alignment settings, or have SPF records that exceed the 10-lookup limit (causing silent failures). Our audit validates that your configuration actually works in practice — not just that the DNS records exist. We frequently find "green-tick" configurations that still allow spoofing.

Question 12

Can you help us implement the fixes, or just report them?

Accepted Answer

Our standard $300 audit includes a report with corrected DNS records that your IT administrator can copy-paste into your DNS provider. For organisations without internal IT resources, we offer a hands-on implementation add-on where our team configures SPF, DKIM, and DMARC directly in your DNS and email platform — ensuring everything is set up correctly and monitored through the enforcement journey.

Email Security Audit

Why Email Security Matters for Your Business

Attacks Start Here

BEC Loss Average

Domains Unprotected

Affordable Protection

What Our Email Security Audit Covers

SPF Configuration Analysis

DKIM Signing Verification

DMARC Policy Assessment

Domain Spoofing Simulation

Phishing Resilience Assessment

Mail Server Hardening Review

See How AI Can Transform Your Operations

Email Security Audit Process

Configuration Discovery

Testing & Simulation

Reporting & Remediation Roadmap

Email Security Audit FAQs

Stop Attackers Impersonating Your Domain