Cymail — Email Security Scanner
Cymail is a Rust CLI that goes far beyond a basic SPF/DKIM/DMARC checker. It unifies email posture analysis, address discovery, reputation, leak telemetry, DMARC aggregate (RUA) report parsing, and email-header forensics into a single signed binary.
| Field | Value |
|---|---|
| Language | Rust |
| License | Apache-2.0 |
| Source | github.com/cybrium-ai/cymail |
| Platforms | macOS · Linux · Windows |
| Signing | Windows: Authenticode (Cybrium Inc, Azure Trusted Signing) · macOS: Apple Developer ID notarised · Linux: Sigstore (cosign keyless) |
| Current version | See GitHub Releases |
What's new in v0.6
| Subcommand | What it does | Default |
|---|---|---|
| scan | SPF / DKIM / DMARC posture + score (schema-locked for platform compat) | always |
| discover | crt.sh + DNS SOA + pattern guessing + SMTP RCPT-TO + EmailRep.io reputation | opt-in |
| reputation | DNSBL · BIMI + VMC PKIX chain validation · DANE · DNSSEC · SPF lookup count · DKIM key hygiene · MX provider fingerprint · Sender Score · Cisco Talos | opt-in |
| leak | HIBP domain breaches · GitHub code search · lookalike-domain cert issuance · CertStream real-time --watch · DeHashed / IntelX / SnusBase (BYO key) | opt-in |
| rua | DMARC aggregate (RUA) XML/ZIP/GZ → per-source-IP alignment rollup. Closes the dmarcian gap. | opt-in |
| header | RFC 5322 forensics — Received-chain walk · ARC seal validation · DKIM body-hash recompute. Detects forged hops + body tampering. | opt-in |
| attest | Hardware Root of Trust snapshot (TPM 2.0 · TPM 1.2 · Apple Secure Enclave). Same impl as cyweb attest. | opt-in |
| serve | Embedded Cybrium-themed web UI for all the above. JS-free, single binary. | — |
| update / upgrade | refresh threat-intel cache / self-update from signed GH Release | — |
What it does not do
- Cymail does not relay mail — it analyses, it doesn't deliver.
- It does not perform DKIM signature crypto-verification yet (only body-hash recompute, which catches in-flight tampering). Full RSA/Ed25519 verify is on the roadmap.
- It does not host or aggregate other tenants' DMARC reports — cymail rua runs locally against your own received reports.
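
The body-hash recompute mentioned in the list above, as an added Python example (not cymail's own Rust code): it canonicalizes the body per RFC 6376, hashes it, and compares the result with the bh= tag. The sample message, its selector and domain, and all function names are constructed for illustration.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse WSP runs to one SP, drop WSP at line end
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty lines are never hashed
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str, algo: str = "sha256", length=None) -> str:
    data = canon_body(body, mode)
    if length is not None:
        data = data[:length]  # l= tag: only the first N octets are covered
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def check_message(raw: bytes) -> dict:
    """Compare the bh= tag of the first DKIM-Signature with a recomputed hash."""
    headers, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", headers).split(b"\r\n")
    sig = next(h for h in unfolded if h.lower().startswith(b"dkim-signature:"))
    fields = sig.split(b":", 1)[1].decode().split(";")
    tags = {k.strip(): re.sub(r"\s+", "", v)
            for k, v in (f.split("=", 1) for f in fields if "=" in f)}
    canon = tags.get("c", "simple/simple")
    mode = canon.split("/")[1] if "/" in canon else "simple"
    algo = tags.get("a", "rsa-sha256").split("-")[-1]
    length = int(tags["l"]) if "l" in tags else None
    computed = body_hash(body, mode, algo, length)
    # A match only shows the body equals what bh= claims; bh= itself is
    # trusted only once the b= signature over the headers is verified.
    return {"claimed": tags["bh"], "computed": computed,
            "body_intact": computed == tags["bh"]}

# Constructed sample message (not real mail); b= is a placeholder.
BODY = b"Invoice attached.  \r\nPay by Friday.\r\n\r\n"
def build_sample(body: bytes = BODY) -> bytes:
    bh = body_hash(BODY, "relaxed").encode()  # hash of the body as "signed"
    return (b"From: billing@example.com\r\n"
            b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
            b"\ts=sel1; h=from:subject; bh=" + bh + b";\r\n\tb=PLACEHOLDER\r\n"
            b"Subject: Invoice\r\n\r\n" + body)

if __name__ == "__main__":
    print(check_message(build_sample(BODY.replace(b"Friday", b"today"))))
```

Whitespace-only changes made by relays still pass under relaxed canonicalization, while any change to the visible text flips body_intact to False.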
When to use cymail vs. the Cybrium Platform
| Scenario | Recommendation |
|---|---|
| One-off domain audit from your laptop | cymail scan --domain example.com |
| Embed in a CI/CD pipeline gate | cymail scan --format sarif --domain example.com |
| Daily reputation + leak monitoring | Use the Cybrium Platform — it schedules + persists + alerts |
| Bulk M365 / Workspace posture review | Use the Cybrium Platform |
| One-shot DMARC RUA review | cymail rua aggregate --dir ./rua-mailbox --domain example.com |
| Investigate a single suspicious email | cymail header --file message.eml |
Output formats
Every subcommand supports --format json | sarif | csv | html:
- json — pretty-printed, the default for piping to jq or shipping to a SIEM
- sarif — SARIF 2.1.0 minimal envelope, drops straight into the Cybrium Platform findings ingest pipeline
- csv — flat CSV for spreadsheet pivot
- html — standalone HTML report, Cybrium-themed, prints to PDF
Scoring (scan mode)
cymail scan produces a composite 0-100 score with a letter grade:
| Grade | Score | Meaning |
|---|---|---|
| A+ | 95-100 | All protections enforced with reporting |
| A | 85-94 | Strong posture, minor improvements available |
| B | 70-84 | Good baseline, missing some enforcement |
| C | 50-69 | Significant gaps in email security |
| D | 25-49 | Minimal protections, high spoofing risk |
| F | 0-24 | No meaningful email security controls |
Platform integration
The Cybrium Platform's cymail_runner.py consumes cymail directly. The
cymail scan JSON shape is schema-locked across v0.1 → v0.6.5 — your
backend image picks up cymail upgrades automatically without runner
changes.