Email is one of the highest-risk services in most small businesses: it carries sensitive data, is the primary vector for phishing and malware, and is often administered with inconsistent controls. This post explains how to run a thorough technical email service review mapped to the Compliance Framework (ECC – 2 : 2024) Control 2-4-4, with concrete tools, tests, and the evidence you should collect.
What the review needs to achieve (Objectives)
The primary objective under Compliance Framework Control 2-4-4 is to verify that email services are configured to provide authentication, confidentiality, integrity, logging and monitoring, and appropriate access controls. The technical review should confirm SPF/DKIM/DMARC are present and aligned, TLS for SMTP is enforced where possible, the service is not an open relay, administrative access is controlled and logged, and anti-malware/anti-phishing controls are active. For small businesses this often means assessing a hosted provider (Google Workspace, Microsoft 365) or a single on-premises MTA (Postfix/Exim) and ensuring compensating controls when advanced features are not available.
Tools and quick command-line tests
Use a combination of free online services and command-line tools to get repeatable evidence. Recommended tools: MXToolbox, CheckTLS, dmarcian (dmarcian.com), OpenSSL, swaks, dig/nslookup, the OpenDKIM tools, and log aggregation (Splunk/ELK/CloudWatch). Example commands you should run and capture as evidence:
- Check MX and basic DNS: dig MX example.com +short; dig TXT example.com +short
- Verify SPF string: nslookup -type=TXT example.com (capture the TXT record showing v=spf1 …)
- Test DKIM signing (send test email to a validator) or run opendkim-testkey -d example.com -s default -k /path/to/dkim.private (on-prem).
- Test DMARC: dig TXT _dmarc.example.com +short and validate the policy (p=reject/quarantine/none).
- Test TLS and certificate: openssl s_client -starttls smtp -connect smtp.example.com:587 -crlf and inspect the certificate chain and negotiated protocol/cipher (capture the output showing TLSv1.2/1.3 and cert details).
- Send a controlled message to verify headers and bounce behavior: swaks --to auditor@example.com --server smtp.example.com --from test@example.com --auth LOGIN --auth-user user --auth-password 'Pa$$' --header "Subject: ECC Review Test" and collect the raw headers from the receiver. Use a dedicated test account for this, because a password passed on the command line ends up in shell history and process listings.
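To turn the dig outputs above into repeatable findings, here is an added Python example (not from the original post) that parses dig TXT ... +short output, including records that dig prints as several quoted chunks, and flags weak SPF and DMARC settings. The sample records are constructed; the thresholds follow RFC 7208 (SPF) and RFC 7489 (DMARC).

```python
import re

# Constructed `dig TXT example.com +short` output: a record longer than 255 octets
# is printed as several quoted chunks on one line and must be joined unseparated.
SAMPLE_SPF_DIG = ('"v=spf1 include:_spf.google.com " "include:spf.protection.outlook.com ~all"\n'
                  '"google-site-verification=abc123"\n')
SAMPLE_DMARC_DIG = '"v=DMARC1; p=none; rua=mailto:dmarc@example.com"\n'   # dig TXT _dmarc.example.com
# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10 per evaluation.
LOOKUP = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)

def parse_dig_txt(dig_output: str) -> list[str]:
    """One string per TXT record; the quoted chunks of a line are concatenated."""
    chunked = (re.findall(r'"((?:[^"\\]|\\.)*)"', line) for line in dig_output.splitlines())
    return ["".join(chunks) for chunks in chunked if chunks]

def check_spf(records: list[str]) -> list[str]:
    """Findings for the domain's SPF policy; an empty list means nothing to flag."""
    spf = [r for r in records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)} (permerror)"]
    terms = spf[0].split()
    findings = []
    last = terms[-1].lower()
    if last == "~all":
        findings.append("'~all' is softfail; prefer -all once DMARC is enforcing")
    elif last != "-all":
        findings.append(f"policy ends in '{last}', not -all: unauthorized senders are not rejected")
    lookups = sum(1 for t in terms[1:] if LOOKUP.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(records: list[str]) -> list[str]:
    """Findings for the _dmarc record: enforcement level and reporting address."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return [f"expected exactly one v=DMARC1 record, found {len(dmarc)}"]
    pairs = (kv.split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    findings = []
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append("p=none only monitors; move to quarantine, then reject")
    elif p not in ("quarantine", "reject"):
        findings.append("p= tag missing or invalid")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports (your evidence) never arrive")
    return findings
```

Feed it the captured dig output from each review and store the returned findings next to the raw DNS answers as evidence.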
Specific tests for common providers
For Microsoft 365: use Exchange Online PowerShell (Get-DkimSigningConfig, Get-TransportRule, Get-MailflowReport) and the Security & Compliance Center to export mail flow and ATP (Advanced Threat Protection) logs. For Google Workspace: use Admin Console → Apps → Google Workspace → Gmail → Authenticate Email (SPF/DKIM) and capture screenshots or export reports. For on-prem Postfix: check main.cf for smtpd_tls_security_level = may|encrypt, check smtpd_recipient_restrictions (and, on Postfix 2.10 or later, smtpd_relay_restrictions) to confirm relay control, and review /var/log/maillog for authentication events and anti-virus/anti-spam (Amavis, SpamAssassin) interactions.
Tests for authentication, anti-abuse, and message processing
Authentication: verify the SPF result in the headers (Received-SPF), that a DKIM-Signature header exists and validates, and that DMARC aligns (p=reject preferred). Anti-abuse: perform an open-relay test (attempt to send from an external host to an external recipient through your MTA; if it accepts and relays the message, it is an open relay). Anti-malware: send the harmless EICAR test file as an attachment through the system to confirm that scanning detects and blocks it (use a lab environment or a test recipient). Phishing controls: test URL rewriting, Safe Links (M365), or Google click-time protections by sending URLs that are benign but flagged by a test rule, and verify that they are rewritten or scanned.
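As an added example (not part of the original post), the following Python checks the raw headers collected from the swaks test message: it reads only the Authentication-Results header stamped by your own receiving MTA (assumed here to be mx.auditor.example), extracts the SPF, DKIM and DMARC verdicts, and checks identifier alignment against the From domain. The header sample is constructed, and the alignment check is a simplification that does not consult the public suffix list.

```python
import email
import re
from email.utils import parseaddr

# Constructed raw headers of the swaks test message as seen in the auditor's mailbox;
# bh= and b= are placeholders, not a real signature.
SAMPLE_RAW = b"""\
Authentication-Results: mx.auditor.example; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com header.s=default; dmarc=pass header.from=example.com
Received-SPF: pass (mx.auditor.example: 203.0.113.5 is a permitted sender for example.com)
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=default; h=from:to:subject;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: test@example.com
To: auditor@example.com
Subject: ECC Review Test

test body
"""

def aligned(domain: str, from_domain: str) -> bool:
    """Relaxed alignment, simplified: equal domains or one a subdomain of the other.
    A full implementation compares organizational domains via the public suffix list."""
    return bool(domain) and (domain == from_domain or domain.endswith("." + from_domain)
                             or from_domain.endswith("." + domain))

def review_auth(raw: bytes, authserv_id: str) -> dict:
    """Pull SPF/DKIM/DMARC verdicts from the Authentication-Results header that our own
    receiving MTA (authserv_id) added, then check identifier alignment with the From domain."""
    msg = email.message_from_bytes(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    verdicts = {"spf": "missing", "dkim": "missing", "dmarc": "missing",
                "dkim_domain": "", "spf_domain": "", "from_domain": from_domain}
    for header in msg.get_all("Authentication-Results", []):
        # Any other authserv-id could have been stamped upstream by the sender: ignore it.
        if header.split(";", 1)[0].strip().lower() != authserv_id.lower():
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header):
            verdicts[method] = result.lower()
        m = re.search(r"header\.d=([\w.-]+)", header)
        verdicts["dkim_domain"] = m.group(1).lower() if m else ""
        m = re.search(r"smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", header)
        verdicts["spf_domain"] = m.group(1).lower() if m else ""
    verdicts["dkim_signature_present"] = msg["DKIM-Signature"] is not None
    verdicts["dkim_aligned"] = verdicts["dkim"] == "pass" and aligned(verdicts["dkim_domain"], from_domain)
    verdicts["spf_aligned"] = verdicts["spf"] == "pass" and aligned(verdicts["spf_domain"], from_domain)
    # DMARC passes when at least one authenticated identifier aligns with the From domain.
    verdicts["dmarc_expected_pass"] = verdicts["dkim_aligned"] or verdicts["spf_aligned"]
    return verdicts
```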
Logging, monitoring, and evidence collection
Compliance Framework requires retained, tamper-evident evidence. Collect and store: DNS TXT/MX query outputs, certificate and TLS negotiation logs, raw email headers and full SMTP transcripts (from swaks/openssl), MTA logs showing authenticated sessions (with timestamps and IP addresses), DMARC aggregate (rua) reports for at least 30–90 days, and screenshots/exported reports from provider consoles. For on-prem servers, archive /var/log/maillog or the Exchange transport logs to your SIEM. Evidence should be timestamped, associated with the review ticket, and saved in an evidence repository with checksums.
Implementation guidance and small-business scenarios
Scenario A, fully hosted (Google/Microsoft): ensure the SPF record lists only the third-party senders you actually authorize, enable DKIM via the provider admin console, publish DMARC with p=quarantine initially and move to p=reject after monitoring, and enable safe attachments and advanced anti-phishing where available. Evidence: exported admin settings, PowerShell Get-* report output, DMARC aggregate file exports, and periodic screenshots. Scenario B, small on-prem MTA: enforce TLS with smtpd_tls_security_level = encrypt, configure OpenDKIM with key rotation and secure key storage, and ensure Amavis/ClamAV/SpamAssassin are in the mail flow and log detection events. Evidence: config files (main.cf, master.cf), opendkim.conf, the DKIM public-key TXT records, and quarantine logs.
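For the Postfix checks in the provider-specific section and in Scenario B, this added Python example (not the post's own tooling) parses a constructed main.cf excerpt and reports the settings the review looks for: inbound TLS level, relay restrictions and a content filter. Parameters that live only in master.cf are outside its scope.

```python
import re

# Constructed main.cf excerpt for a small on-prem Postfix host (not a real server's config).
SAMPLE_MAIN_CF = """\
# TLS for inbound SMTP
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.com.key
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
content_filter = smtp-amavis:[127.0.0.1]:10024
"""

def parse_main_cf(text: str) -> dict:
    """Parse Postfix main.cf syntax: 'name = value', continuation lines that start
    with whitespace, '#' comment lines; a later assignment overrides an earlier one."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:   # continuation of the previous value
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params

def audit_main_cf(params: dict) -> list:
    """Findings against the review checklist: inbound TLS, relay control, content filter."""
    findings = []
    tls = params.get("smtpd_tls_security_level", "none")
    if tls not in ("may", "encrypt"):
        findings.append(f"smtpd_tls_security_level={tls}: STARTTLS is not offered to inbound senders")
    elif tls == "may":
        findings.append("smtpd_tls_security_level=may allows cleartext fallback; use encrypt where peers support it")
    if not params.get("smtpd_tls_cert_file") or not params.get("smtpd_tls_key_file"):
        findings.append("smtpd_tls_cert_file / smtpd_tls_key_file not set; TLS cannot start")
    # Relay control: Postfix 2.10+ enforces smtpd_relay_restrictions (safe default when the
    # parameter is absent; confirm with 'postconf smtpd_relay_restrictions'); older releases
    # rely on smtpd_recipient_restrictions, so accept either.
    restrictions = params.get("smtpd_relay_restrictions", "") + " " + params.get("smtpd_recipient_restrictions", "")
    if not re.search(r"\b(reject|defer)_unauth_destination\b", restrictions):
        findings.append("no reject_unauth_destination in relay/recipient restrictions: possible open relay")
    if "content_filter" not in params:
        findings.append("no content_filter in main.cf (check master.cf too): mail may bypass Amavis/ClamAV")
    return findings
```

Run it against the archived main.cf from each review and keep the findings with the config file as evidence of the check.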
Risks if you do not implement the controls
Failure to implement these controls increases the risk of account compromise, successful phishing or BEC (business email compromise), data exfiltration, brand/domain spoofing, regulatory fines from data breaches, and increased incident response costs. An open relay or missing SPF/DKIM/DMARC allows attackers to spoof your domain, while a lack of TLS or weak ciphers exposes message contents to interception. Without logging and monitoring, detection and forensic analysis after an incident are slow or impossible, and non-compliance findings are likely during audits.
Practical compliance tips and best practices
Run this technical review quarterly or after any major change (provider migration, DNS change, certificate renewal). Maintain a checklist: DNS records, TLS test, DKIM signing and rotation, DMARC policy and reporting, anti-malware integration, open-relay test, admin account MFA, and mail flow rule reviews. Automate where possible: daily DMARC aggregate processing, weekly TLS scans, and SIEM alerts for unusual outbound volumes. Document owner, review date, findings, remediation tickets, and evidence links in your Compliance Framework artifact repository.
In summary, a technical email service review under ECC – 2 : 2024 Control 2-4-4 is a focused, repeatable process: use command-line tools and provider consoles to validate SPF/DKIM/DMARC, TLS and cipher strength, anti-abuse and anti-malware configurations, and comprehensive logging; collect reproducible evidence (DNS outputs, SMTP transcripts, logs, admin exports); and schedule regular reviews with remediation tracking so your small business remains secure and demonstrably compliant.