Email Security – PwnDefend

Email and Domain Security

Ok, this is a topic I’ve looked at for years, my views have been built up based on a range of things from the theory, the reality of what I find/see and the incidents I respond to and hear about.

I’ve used Claude largely for this because it’s meant as a quick snapshot in time and a high level thematic view. SPF, DMARC, MTA-STS and DNSSEC (and DNS/Domain management in general) are complex topics and there’s lots of nuance in things.

That said, who wants to see what ‘scanning’ 1 million domains looks like? Let’s take a look at what Claude has come up with:

Leadership

DNSSEC

‘You are totally compromised!’ because you don’t have DNSSEC configured on domain…..

The implication is that you’re one packet away from catastrophe. It’s alarming. It’s also, for the overwhelming majority of organisations, not true. I have been talking about this for years and years!

Here’s the quickest way to see through it. I scanned the Majestic Million – the top one million domains on the internet – for DNSSEC. About 6.75% were signed (around 8.2% if you only count domains that actually resolve). The .com zone, which is half the list, sits at 4.6%. And the unsigned set includes google.com, amazon.com and microsoft.com.

So if “no DNSSEC” means “totally compromised,” then the three most-attacked, best-defended companies on the planet are totally compromised, and have been for years, on purpose. They aren’t. The finding is measuring conformance to a checklist, not risk. Let’s understand why this is!