Attack Readiness

Email is the primary attack vector.
Is yours protected?

Technical review and phishing simulation of your email security posture. SPF, DKIM, DMARC, gateway effectiveness, and user resilience. All tested.

What is an email security risk assessment?

You know email is how most attacks begin. You have DNS records, a mail gateway, and users who click links. The assessment gives you a complete picture of your email security: from DNS configuration to gateway effectiveness to user behaviour under simulated phishing. It tests both the technical controls that should stop malicious email and the human layer that handles what gets through.

About this service

Email Security Risk Assessment: the full picture

Email remains the primary attack vector for targeted attacks on organisations. Phishing, business email compromise, and CEO fraud all start with email. An email security risk assessment evaluates how well your email infrastructure is protected against these threats.

The team examines both the technical configuration (SPF, DKIM, DMARC, mail gateway) and operational resilience. Are DNS records correctly configured? Are spoofing attempts blocked? How effective is the mail gateway at filtering phishing and malware? And what happens when a phishing email does get through?

In addition to the technical assessment, the team tests actual effectiveness with simulated attacks. Emails with phishing indicators, suspicious attachments, and social engineering techniques are sent to observe what filters allow through and how the organisation responds. The result is a complete picture of your email security from DNS configuration to user awareness.

Why this matters

Three email security gaps that attackers exploit daily

  • Missing or unenforced DMARC allows domain spoofing

    Without a DMARC reject policy, attackers can send emails that appear to come from your domain to your customers, partners, and employees. The damage to trust and security is immediate.

  • Gateways miss sophisticated phishing

    Advanced phishing campaigns use legitimate cloud services, typosquat domains, and zero-day techniques that signature-based gateways do not catch. Only a live simulation reveals what actually gets through.

  • BEC attacks bypass all technical controls

    Business email compromise uses socially engineered emails from legitimate or look-alike accounts. No technical filter stops a convincing email asking finance to redirect a payment to a new account.

What gets tested

Scope of the email security risk assessment

  • DNS records: SPF, DKIM, DMARC configuration and enforcement
  • Mail gateway effectiveness (anti-spam, anti-phishing, anti-malware)
  • Email authentication and encryption (TLS, S/MIME)
  • Inbound filter effectiveness (phishing simulation)
  • Outbound security (DLP, encryption)
  • Mail server configuration and hardening
  • Auto-forwarding and delegation rules
  • O365/Google Workspace security configuration
  • Incident response procedures for email incidents

Methodology

How DEFION conducts an email security risk assessment

01 Scoping

Inventory of email domains, mail infrastructure, and existing security measures.

02 Technical analysis

Review of DNS records, mail server configuration, and gateway settings.

03 Phishing simulation

Sending simulated phishing emails with varying techniques to test filter effectiveness.

04 Configuration review

Assessment of O365/Google Workspace security settings, forwarding rules, and DLP policies.

05 Reporting

Report with findings, risk assessment, and step-by-step improvement plan.

06 Debrief

Walkthrough of results with your team, including prioritised remediation guidance.

What you receive

Deliverables

  • Executive summary
  • Technical report with configuration assessments
  • DMARC/SPF/DKIM compliance overview
  • Phishing simulation results
  • Improvement plan with prioritisation
  • Report debrief

Target audience

Who is an email security risk assessment for?

Any organisation that relies on email for business communication faces email-based attack risk. The question is not whether attackers will try, but whether your defences are ready.

  • Organisations that have experienced phishing or BEC attacks
  • Companies that want to implement or strengthen their DMARC policy
  • IT teams that want to validate the effectiveness of their email security
  • Organisations in regulated sectors where email security is mandatory

Frequently asked questions

FAQ

Is DMARC alone not enough?

DMARC protects against spoofing of your domain but does not protect against lookalike domains, compromised accounts of partners, or advanced phishing that does not use spoofing. A full assessment looks at the complete picture.

Is real phishing sent to our employees?

That is agreed in advance. The phishing simulation can be limited to testing technical filters, or extended to user awareness. Scope and approach are determined together.

How quickly can we set DMARC to enforcement?

That depends on your current configuration. The team advises a phased approach: monitoring (p=none), then quarantine (p=quarantine), then reject (p=reject). Each phase is monitored to prevent legitimate email from being blocked.

Can this be combined with security awareness training?

Yes. The results of the email assessment are excellent material for targeted awareness training. It makes the threat concrete for employees.

What if we have multiple email domains?

All domains are included in scope. Each domain has its own DNS configuration and risk profile. The report covers each domain separately.
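The DMARC phases described in the FAQ above (p=none, quarantine, reject) and the "SPF, DKIM, DMARC configuration and enforcement" scope item can be checked mechanically per domain. The script below is an added illustration, not DEFION's tooling: it classifies each domain's DMARC enforcement phase and flags the common SPF and DMARC weaknesses an assessor looks for first (p=none, partial pct, missing rua, weak sp, +all / ~all, too many lookup mechanisms). The TXT records are constructed sample data on reserved example domains and TEST-NET addresses, standing in for what `dig TXT _dmarc.<domain>` and `dig TXT <domain>` would return; nested SPF includes are not resolved offline.

```python
"""Offline SPF/DMARC posture check over constructed sample records.
Added example; not part of the original page or DEFION's own tooling."""

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 limits these to 10).
DNS_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed sample records (reserved example domains, TEST-NET-3 address range).
SAMPLE_RECORDS = {
    "example.com": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    },
    "example.org": {
        "spf": "v=spf1 a mx include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    },
    "example.net": {
        "spf": "v=spf1 +all",
        "dmarc": None,  # no _dmarc TXT record published at all
    },
}


def parse_dmarc_tags(record):
    """Split 'k=v; k=v' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (phase, findings); phase is missing/invalid/monitoring/quarantine/reject."""
    if not record:
        return "missing", ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["record does not start with v=DMARC1 and will be ignored"]
    policy = tags.get("p", "").lower()
    phase = {"none": "monitoring", "quarantine": "quarantine", "reject": "reject"}.get(policy, "invalid")
    findings = []
    if phase == "invalid":
        findings.append(f"unknown or missing p= tag ({policy!r})")
    elif phase == "monitoring":
        findings.append("p=none: spoofed mail is still delivered; only reports are produced")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and phase in ("quarantine", "reject") and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so moving to enforcement is blind")
    if tags.get("sp", "").lower() == "none" and phase in ("quarantine", "reject"):
        findings.append("sp=none: subdomains stay spoofable despite the organisational policy")
    return phase, findings


def assess_spf(record):
    """Return findings for an SPF record. Only top-level terms are inspected (no DNS)."""
    if not record:
        return ["no SPF record: receivers cannot check the sending host"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1 and will be ignored"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unmatched senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("+all: any host may send as this domain")
        elif qualifier in "~?":
            findings.append(f"{qualifier}all: unauthorised senders are only softfailed/neutral, not rejected")
    lookups = sum(
        1 for t in terms[1:]
        if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in DNS_LOOKUP_MECHANISMS
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms at top level exceed the limit of 10 (permerror)")
    return findings


def assess_domain(name, spf, dmarc):
    phase, dmarc_findings = assess_dmarc(dmarc)
    return {"domain": name, "dmarc_phase": phase, "findings": dmarc_findings + assess_spf(spf)}


def assess_all(records=SAMPLE_RECORDS):
    return [assess_domain(n, r["spf"], r["dmarc"]) for n, r in records.items()]


if __name__ == "__main__":
    for result in assess_all():
        print(f"{result['domain']}: DMARC phase = {result['dmarc_phase']}")
        for finding in result["findings"]:
            print("  -", finding)
```

To run it against live domains, replace the values in `SAMPLE_RECORDS` with the TXT strings returned by your resolver; a domain with an empty findings list and phase `reject` has reached the end of the phased rollout, while `monitoring` with a `rua` address is the expected starting point.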

Ready to assess your email security?

Tell us your email infrastructure and domains. We start the assessment within days.