A Complete Outside-In Audit of Vendor Email Security
Attackers check a vendor's public email-domain footprint before impersonating that vendor in an invoice or payment workflow. We assess the same footprint from the outside and give you the evidence.
The 4 Pillars of Vendor Security
The engine runs 42 rules across 6 categories. The report then summarizes those results into 4 scored pillars: Spoofing, Identity, Transport Maturity, and Infrastructure.
DKIM selector checks, registration context, and selected external corroboration findings still appear in detailed results and can influence vendor-level scoring, but they are not shown as separate top-level scorecard pillars because DKIM selector discovery is best-effort and reputation signals are corroborative.
1. Spoofing
Can unauthorized email claiming to be this vendor reach inboxes more easily? DMARC enforcement is the primary receiver-side control against visible From spoofing.
- VRD-DMARC-004: DMARC p=none (monitoring only)
- VRD-DMARC-005: DMARC policy strength: quarantine vs. reject
- VRD-DMARC-007: Subdomain policy missing while parent is p=none
- VRD-DMARC-043: Explicit subdomain policy weaker than parent enforcement
2. Identity
Are authorized senders defined clearly enough to reduce sender-integrity drift and fail-open behavior? SPF is the main identity pillar in the scorecard, while DKIM findings appear in the detailed results.
- VRD-SPF-012: SPF terminal policy weaker than secure baseline (-all preferred)
- VRD-SPF-013: SPF lookup count appears to exceed 10-lookup limit
- VRD-SPF-016: Invalid SPF syntax / mechanisms (permerror risk)
- VRD-DKIM-027: Weak DKIM key length inferred from discovered selector
3. Transport Maturity
Is mail better protected in transit, and are reporting signals present when transport controls are deployed? MTA-STS absence is treated as maturity context; broken or weak deployments are more actionable.
- VRD-ADV-020: MTA-STS absence / deployment maturity
- VRD-ADV-019: TLS-RPT reporting telemetry
- VRD-ADV-021: MTA-STS policy-file quality when deployed
- VRD-ADV-033: MTA-STS mode strength when deployed
4. Infrastructure
Do mail-routing and DNS hygiene signals suggest weaker operational maturity? Infrastructure findings are supporting controls, not peers to DMARC enforcement.
- VRD-INFRA-022: No MX detected (may be legitimate if the domain does not receive mail)
- VRD-INFRA-024: DNSSEC absent (secondary hardening)
- VRD-INFRA-034: MX points to IP (RFC violation)
- VRD-INFRA-036: CAA certificate-issuance hardening signal
See It In Action
Our engine runs all 42 rules against each vendor domain in a few minutes, depending on the domain count and report tier. No questionnaires. Just observable evidence and buyer-safe reporting.
Sample Rules Explained
The report explains what each finding means and how to fix it.
Policy Enforcement
Flags a DMARC policy of p=none, which asks receivers only to monitor: unauthenticated mail claiming the domain is neither quarantined nor rejected.
Young Domain + Weak-Auth Context
Flags a recently registered domain only when it appears alongside weak email-authentication posture or other risk context.
RFC Violation
Flags MX records that point directly to IP addresses instead of hostnames, which violates RFC 5321.
MTA-STS Absence / Deployment
Flags MTA-STS absence as a transport-maturity gap; broken or partial deployment is more actionable than simple non-adoption.
External Corroboration Signal
Checks whether the domain currently appears to trigger a selected external corroboration signal. Treat this as outside-in corroborative context that should be confirmed with additional evidence, not as proof of compromise by itself.
Subdomain Policy Weaker Than Parent
Flags an explicit DMARC subdomain policy that weakens the parent domain's enforcement posture. This matters because subdomains can still be abused even when the root domain looks stronger.
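The following script is an added illustration of the DMARC, SPF, MX and MTA-STS checks behind the four scorecard pillars and the sample rules above; it is not the product's engine or its code. It runs offline against a constructed in-memory zone standing in for DNS answers (the domains, records and helper names are assumptions), and reports findings tagged with the rule IDs the page lists. The SPF lookup count follows include: and redirect= through the constructed zone, as the RFC 7208 10-lookup limit applies to the whole chain, not just the top-level record.

```python
"""Offline illustration of outside-in email-posture checks (constructed example)."""
import ipaddress
import re

# Constructed DNS answers for two fictitious vendor domains. A real scanner
# would resolve these with a DNS library; here the dict is the resolver.
ZONE = {
    "vendor-a.test": {
        "MX": ["mail.vendor-a.test", "203.0.113.10"],        # second MX is an IP literal
        "TXT": ["v=spf1 include:_spf.vendor-a.test a mx ~all"],
    },
    "_spf.vendor-a.test": {"TXT": ["v=spf1 include:a.vendor-a.test include:b.vendor-a.test -all"]},
    "a.vendor-a.test": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "b.vendor-a.test": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    "_dmarc.vendor-a.test": {"TXT": ["v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@vendor-a.test"]},
    "_mta-sts.vendor-a.test": {"TXT": ["v=STSv1; id=20240101"]},
    "vendor-b.test": {   # no MX, sprawling SPF with 11 includes, DMARC monitoring only, no MTA-STS
        "MX": [],
        "TXT": ["v=spf1 " + " ".join(f"include:s{i}.vendor-b.test" for i in range(11)) + " ?all"],
    },
    "_dmarc.vendor-b.test": {"TXT": ["v=DMARC1; p=none"]},
}

def lookup(name, rtype):
    return ZONE.get(name, {}).get(rtype, [])

def parse_tags(record):
    """Parse 'tag=value; tag=value' records (DMARC and MTA-STS TXT syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def check_dmarc(domain):
    """Spoofing pillar: policy strength and subdomain-policy consistency."""
    records = [r for r in lookup(f"_dmarc.{domain}", "TXT") if r.lower().startswith("v=dmarc1")]
    if not records:
        return ["DMARC record absent (not one of the listed rules)"]
    tags = parse_tags(records[0])
    p, sp = tags.get("p", "none").lower(), tags.get("sp")
    findings = []
    if p == "none":
        findings.append("VRD-DMARC-004 DMARC p=none (monitoring only)")
    elif p == "quarantine":
        findings.append("VRD-DMARC-005 policy is quarantine, not reject")
    if p == "none" and sp is None:
        findings.append("VRD-DMARC-007 subdomain policy missing while parent is p=none")
    if sp is not None and DMARC_RANK.get(sp.lower(), 0) < DMARC_RANK.get(p, 0):
        findings.append(f"VRD-DMARC-043 explicit sp={sp} weaker than parent p={p}")
    return findings

# Simplified SPF term grammar (assumption): optional qualifier, then a known mechanism/modifier.
SPF_TERM = re.compile(
    r"^[+\-~?]?(all|include:\S+|a(?::\S+)?(?:/\d+)?|mx(?::\S+)?(?:/\d+)?|ptr(?::\S+)?"
    r"|ip4:\S+|ip6:\S+|exists:\S+|redirect=\S+|exp=\S+)$", re.I)

def count_spf_lookups(domain, depth=0):
    """Count DNS-querying terms, recursing through include:/redirect= (RFC 7208 limit: 10)."""
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records or depth > 10:
        return 0
    total = 0
    for term in records[0].split()[1:]:
        t = term.lstrip("+-~?").lower()
        if t.startswith("include:"):
            total += 1 + count_spf_lookups(t.split(":", 1)[1], depth + 1)
        elif t.startswith("redirect="):
            total += 1 + count_spf_lookups(t.split("=", 1)[1], depth + 1)
        elif t == "a" or t.startswith(("a:", "a/", "mx", "ptr", "exists:")):
            total += 1
    return total

def check_spf(domain):
    """Identity pillar: syntax validity, terminal policy and lookup budget."""
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return ["SPF record absent (not one of the listed rules)"]
    terms = records[0].split()[1:]
    findings = []
    bad = [t for t in terms if not SPF_TERM.match(t)]
    if bad:
        findings.append(f"VRD-SPF-016 invalid SPF terms (permerror risk): {bad}")
    terminal = terms[-1].lower() if terms else ""
    if terminal != "-all":
        findings.append(f"VRD-SPF-012 terminal policy {terminal!r} weaker than -all")
    lookups = count_spf_lookups(domain)
    if lookups > 10:
        findings.append(f"VRD-SPF-013 {lookups} DNS lookups exceed the 10-lookup limit")
    return findings

def check_mta_sts(domain):
    """Transport Maturity pillar: presence of the MTA-STS discovery record."""
    records = [r for r in lookup(f"_mta-sts.{domain}", "TXT") if r.lower().startswith("v=stsv1")]
    return [] if records else ["VRD-ADV-020 MTA-STS absent (transport-maturity context)"]

def check_mx(domain):
    """Infrastructure pillar: MX presence and MX-points-to-IP (RFC 5321 requires a hostname)."""
    hosts = lookup(domain, "MX")
    if not hosts:
        return ["VRD-INFRA-022 no MX detected (may be legitimate if the domain does not receive mail)"]
    findings = []
    for host in hosts:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue   # a hostname, as expected
        findings.append(f"VRD-INFRA-034 MX {host} is an IP literal, not a hostname (RFC 5321)")
    return findings

def scan(domain):
    """Run the four pillar checks and return {pillar: [findings]}."""
    return {"Spoofing": check_dmarc(domain), "Identity": check_spf(domain),
            "Transport Maturity": check_mta_sts(domain), "Infrastructure": check_mx(domain)}

if __name__ == "__main__":
    for d in ("vendor-a.test", "vendor-b.test"):
        for pillar, items in scan(d).items():
            print(d, pillar, items or ["ok"])
```

vendor-a.test resolves to 5 SPF lookups and is flagged only for ~all, a quarantine (not reject) policy, an sp=none that undercuts the parent policy, and an MX that is an IP literal; vendor-b.test trips the lookup limit (11), p=none with no sp, MTA-STS absence and the no-MX note. DKIM is deliberately left out, matching the page's point that selector discovery is best-effort.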
See Which Rules Your Vendors Fail
Scan your first vendor free — no credit card for the free scan, no commitment. Results are delivered in a few minutes.