Email Authentication & Anti-Spoofing Policy

1. Protocol Configuration

To protect the CheckTick brand and prevent phishing attacks against our partners (NHS Trusts), the following DNS records are maintained:

1.1 Sender Policy Framework (SPF)

  • Status: Active
  • Configuration: Includes all authorized IP ranges for Google Workspace and Mailgun.
  • Policy: The record terminates in ~all (softfail) or -all (fail) so that mail from unlisted senders is flagged or rejected; +all or a missing terminal mechanism is never used. SPF alone only covers the envelope sender (MAIL FROM), so DMARC alignment (1.3) is what protects the visible From: address.

1.2 DomainKeys Identified Mail (DKIM)

  • Status: Active
  • Implementation: 2048-bit RSA keys generated by Mailgun and our corporate email provider.
  • Rotation: Keys are rotated if a provider is changed or a compromise is suspected. A new selector is published before the old one is retired, so mail already in transit still verifies.

1.3 DMARC (Domain-based Message Authentication, Reporting and Conformance)

  • Status: Active
  • Policy: v=DMARC1; p=quarantine; (enforcement active). p=none is the monitoring-only stage and is not the current setting.
  • Reporting: Aggregate reports (rua=) are sent to [Your Email] to monitor for spoofing attempts and for legitimate senders that fail alignment.
  • Justification: Mail claiming to be from checktick.uk that passes neither aligned SPF nor aligned DKIM is placed in the recipient's spam folder, protecting NHS partners from phishing.

2. Maintenance

  • Quarterly Review: During spot checks, the CTO verifies that no unauthorized services have been added to the SPF record, that the record stays within the 10 DNS-lookup limit of RFC 7208 (an include chain that exceeds it returns permerror and silently breaks SPF), and that the DMARC aggregate reports show no unknown sending sources.
  • Decommissioning: When a third-party service is no longer used, its include: or IP entry is immediately removed from the SPF record and its DKIM selector record is deleted from DNS.
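
The following script is an added example of the record checks described in sections 1 and 2; it is not tooling from the CheckTick project. The zone contents are constructed stand-ins (the include: targets _spf.google.com and mailgun.org are the real names used by the two providers, but their records here are invented so the script runs offline), and the rua= address is a placeholder for the [Your Email] value above.

```python
"""Offline audit of outbound SPF and DMARC records (added example).

The ZONE dict below is CONSTRUCTED for this example and is not the live DNS
for checktick.uk. Replace lookup_txt() with a real resolver to run it for real.
"""

# Constructed TXT records keyed by name (assumption: what a resolver would return).
ZONE = {
    "checktick.uk": "v=spf1 include:_spf.google.com include:mailgun.org -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",   # stand-in
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",        # stand-in
    "mailgun.org": "v=spf1 ip4:198.51.100.0/24 ~all",                 # stand-in
    "_dmarc.checktick.uk": "v=DMARC1; p=quarantine; rua=mailto:dmarc@checktick.uk",
}

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def lookup_txt(name, zone=ZONE):
    """Stand-in for a TXT lookup; returns None when no record exists."""
    return zone.get(name)


def spf_terms(record):
    """Split 'v=spf1 ...' into its terms, dropping the version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def count_spf_lookups(domain, zone=ZONE, seen=None):
    """Count lookup-incurring terms, following include: and redirect= recursively."""
    seen = set() if seen is None else seen
    if domain in seen:          # guard against include loops
        return 0
    seen.add(domain)
    record = lookup_txt(domain, zone)
    if record is None:          # missing target still costs the lookup that found nothing
        return 0
    total = 0
    for term in spf_terms(record):
        term = term.lstrip("+-~?")                      # drop the qualifier
        sep = ":" if ":" in term else "="               # include:x vs redirect=x
        name, _, arg = term.partition(sep)
        name = name.split("/")[0]                       # strip CIDR, e.g. mx/24
        if name in LOOKUP_MECHS:
            total += 1
            if name in ("include", "redirect"):
                total += count_spf_lookups(arg, zone, seen)
    return total


def audit_spf(domain, zone=ZONE):
    """Return a list of findings; empty means the record passes the checks in 1.1 and 2."""
    findings = []
    record = lookup_txt(domain, zone)
    if record is None:
        return ["no SPF record published"]
    terms = spf_terms(record)
    if terms[-1] not in ("-all", "~all"):
        findings.append(f"terminal mechanism is {terms[-1]!r}; expected ~all or -all")
    lookups = count_spf_lookups(domain, zone)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS} (permerror)")
    return findings


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; rua=...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(domain, zone=ZONE):
    """Return a list of findings against the DMARC requirements in 1.3."""
    findings = []
    record = lookup_txt(f"_dmarc.{domain}", zone)
    if record is None:
        return ["no DMARC record published"]
    if not record.lower().startswith("v=dmarc1"):
        findings.append("record must begin with v=DMARC1")
    tags = parse_dmarc(record)
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing p= tag: {tags.get('p')!r}")
    elif tags["p"] == "none":
        findings.append("p=none is monitoring only; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports will not be received")
    return findings


def audit(domain="checktick.uk", zone=ZONE):
    return {"spf": audit_spf(domain, zone), "dmarc": audit_dmarc(domain, zone)}


if __name__ == "__main__":
    for proto, issues in audit().items():
        print(proto, "OK" if not issues else issues)
```

The lookup counter is the check that matters most during decommissioning and onboarding: every new include: target adds its whole chain to the total, and once the record crosses ten lookups receivers return permerror, which DMARC treats as an SPF failure.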

3. Inbound Email Security (Filtering)

To protect staff and the integrity of our internal systems, we utilize the following inbound controls:

3.1 Advanced Threat Protection

  • Solution: [Google Workspace Advanced Protection / Microsoft Defender for Office 365].
  • Attachment Scanning: All attachments are scanned for malware signatures and 'Zero-Day' patterns before being made available to the user.
  • Link Protection: URLs in emails are checked against real-time blocklists (Safe Browsing).

3.2 Inbound Authentication (DMARC Enforcement)

Our mail system is configured to perform the following checks on every incoming email:

  1. SPF Check: Is the connecting IP authorised by the SPF record of the envelope sender (MAIL FROM) domain?
  2. DKIM Check: Does a signature verify against the public key published for the signing (d=) domain?
  3. DMARC Action: DMARC passes if either SPF or DKIM passes and that domain aligns with the visible From: header domain. Only when neither produces an aligned pass do we apply the sender's published DMARC policy (p=none, quarantine, or reject). An SPF pass for an attacker's own domain therefore does not protect a spoofed From: address, and a forwarded message whose SPF fails still passes on an aligned DKIM signature.
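
The evaluation logic above, as an added example rather than the mail provider's own code. The messages and the published policy are constructed; the Mailgun bounce and signing subdomains (bounce.mg.checktick.uk, mg.checktick.uk) are assumed names, and organisational-domain extraction uses a two-label heuristic where a real evaluator would use the Public Suffix List.

```python
"""Receiver-side DMARC evaluation (added example, constructed inputs)."""
from dataclasses import dataclass, field


@dataclass
class DkimResult:
    domain: str      # the d= tag of the signature
    passed: bool     # signature verified against the published key


@dataclass
class Message:
    header_from: str                 # domain of the RFC 5322 From: header (what the user sees)
    mail_from: str                   # domain of the RFC 5321 MAIL FROM / Return-Path
    spf_passed: bool                 # SPF result for mail_from at the connecting IP
    dkim: list = field(default_factory=list)


# Constructed published policy for checktick.uk (relaxed alignment is the default).
POLICY = {"v": "DMARC1", "p": "quarantine", "adkim": "r", "aspf": "r"}


def org_domain(domain):
    """Organisational domain; assumption: two rightmost labels (no Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(domain, header_from, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organisational domain."""
    if mode == "s":
        return domain.lower() == header_from.lower()
    return org_domain(domain) == org_domain(header_from)


def evaluate_dmarc(msg, policy=POLICY):
    """Return (dmarc_pass, disposition).

    DMARC passes when SPF passes with an aligned MAIL FROM domain OR any DKIM
    signature passes with an aligned d= domain. Only when both fail does the
    published p= apply; a pass always yields disposition 'none'.
    """
    spf_ok = msg.spf_passed and aligned(msg.mail_from, msg.header_from, policy.get("aspf", "r"))
    dkim_ok = any(sig.passed and aligned(sig.domain, msg.header_from, policy.get("adkim", "r"))
                  for sig in msg.dkim)
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy.get("p", "none")


# Constructed sample messages.
LEGIT = Message(header_from="checktick.uk", mail_from="bounce.mg.checktick.uk",
                spf_passed=True, dkim=[DkimResult("mg.checktick.uk", True)])
# Attacker's own SPF and DKIM pass, but for attacker.test, not the From: domain.
SPOOF = Message(header_from="checktick.uk", mail_from="attacker.test",
                spf_passed=True, dkim=[DkimResult("attacker.test", True)])
# Forwarder breaks SPF (wrong IP) but the aligned DKIM signature survives.
FORWARDED = Message(header_from="checktick.uk", mail_from="checktick.uk",
                    spf_passed=False, dkim=[DkimResult("checktick.uk", True)])


if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("spoof", SPOOF), ("forwarded", FORWARDED)):
        print(name, evaluate_dmarc(msg))
```

The spoof case is the one that the "either check fails" wording gets wrong: both raw checks pass, yet the message is quarantined because neither passing domain aligns with the From: header.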

3.3 Quarterly Review

The CTO reviews the 'Spam/Phishing' dashboard of our email provider quarterly to identify whether the organization is being targeted by specific campaigns.