Email Security Scan
Cybrium's Email Security scan is a first-class ScanType in the platform. It dispatches cymail — the same Rust CLI you can run from your laptop — against any domain and folds every finding into your standard Findings page. SPF/DKIM/DMARC posture is the floor; the ceiling is reputation, leak telemetry, DMARC aggregate (RUA) parsing, and email-header forensics.
What it checks (one pass)
| Surface | Signals |
|---|---|
| Posture (always) | SPF · DKIM · DMARC presence + policy, score 0-100 with a letter grade |
| Reputation (default) | DNSBL (Spamhaus DBL/SBL/Zen, SURBL, URIBL, Barracuda BRBL, DNSWL trust) · BIMI + VMC PKIX chain validation · DANE TLSA · DNSSEC · SPF lookup-count vs RFC 7208 §4.6.4 cap · DKIM key hygiene · MX provider fingerprint · Sender Score (BYO key) · Cisco Talos |
| Discover (opt-in) | crt.sh + DNS SOA + pattern guessing + SMTP RCPT-TO validation + EmailRep.io per-address reputation |
| Leak (opt-in) | HIBP domain breaches · GitHub code search · lookalike-domain enumeration + crt.sh cert-issuance check · CertStream real-time watch · DeHashed / IntelX / SnusBase (BYO key) |
| RUA (opt-in) | Parse DMARC aggregate XML/ZIP/GZ reports + per-source-IP rollup |
| Header (opt-in) | Single .eml forensics — Received-chain walk + ARC seal validation + DKIM body-hash recompute |
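The SPF lookup-count check in the Reputation row is one of the few signals that can be reproduced without touching the platform. The script below is an added example in Python, not cymail's own Rust code: it counts the DNS-querying terms the way RFC 7208 §4.6.4 does (include, a, mx, ptr, exists, plus redirect=), recursing through included records against a constructed, hypothetical zone instead of live DNS, and emits a finding tagged `cymail.spf.lookup_limit` when the total exceeds the cap of 10. The zone also contains an include loop and a record whose includes do not resolve, so both failure modes are exercised.

```python
"""Count RFC 7208 §4.6.4 DNS lookups in an SPF record (added example).

The mechanisms include, a, mx, ptr and exists, plus the redirect= modifier,
each cost one DNS query, and the records reached through include/redirect
are counted recursively.  More than 10 makes receivers return permerror,
which is the condition behind cymail.spf.lookup_limit.
"""

RFC7208_MAX_LOOKUPS = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed zone data (hypothetical names); stands in for live TXT queries.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.example "
                   "include:_spf.crm.example -all",
    "_spf.mailer.example": "v=spf1 a mx include:_spf.crm.example ~all",
    "_spf.crm.example": "v=spf1 ip4:198.51.100.0/24 exists:%{i}.sp.crm.example ?all",
    # 11 includes in one record: over the cap even before recursion.
    "bloated.example": "v=spf1 " + " ".join(f"include:inc{i}.example" for i in range(11)) + " -all",
    "loop.example": "v=spf1 include:loop.example -all",
}


def lookup_txt(domain):
    """Stand-in resolver: return the SPF TXT record or None."""
    return FAKE_TXT.get(domain)


def count_spf_lookups(domain, resolve=lookup_txt, path=()):
    """Return (lookup_count, notes) for domain, recursing into includes.

    `path` holds the include chain so an include loop is reported once
    instead of recursing forever; repeated (non-looping) includes are
    counted every time, because a receiver queries them every time.
    """
    if domain in path:
        return 0, [f"include loop: {' -> '.join(path + (domain,))}"]
    record = resolve(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        # A missing included record is itself a permerror for receivers.
        return 0, [f"no SPF record for {domain}"]
    total, notes = 0, []
    for term in record.split()[1:]:             # skip the v=spf1 version tag
        term = term.lstrip("+-~?")              # drop the qualifier
        if "=" in term:                          # modifier (redirect=, exp=)
            mod, _, target = term.partition("=")
            if mod.lower() == "redirect":
                total += 1
                sub, sub_notes = count_spf_lookups(target, resolve, path + (domain,))
                total += sub
                notes += sub_notes
            continue
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0].lower()        # "a/24" -> "a"
        if mech in LOOKUP_MECHANISMS:
            total += 1
            if mech == "include":
                sub, sub_notes = count_spf_lookups(arg, resolve, path + (domain,))
                total += sub
                notes += sub_notes
    return total, notes


def spf_lookup_finding(domain, resolve=lookup_txt):
    """Return (count, finding_or_None, notes) in the shape of a cymail rule."""
    count, notes = count_spf_lookups(domain, resolve)
    finding = None
    if count > RFC7208_MAX_LOOKUPS:
        finding = {
            "rule_id": "cymail.spf.lookup_limit",
            "severity": "high",
            "detail": f"{domain}: {count} DNS lookups, RFC 7208 cap is {RFC7208_MAX_LOOKUPS}",
        }
    return count, finding, notes


if __name__ == "__main__":
    for d in ("example.com", "bloated.example", "loop.example"):
        print(d, spf_lookup_finding(d))
```

Swapping `lookup_txt` for a real TXT resolver turns this into a live check; the loop guard matters there because a mis-typed include pointing back at the parent zone is a common way real records end up in permerror.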
Launch from chat
email security cybrium.ai
Or from the scan launcher tile Email Security — enter the domain and submit.
Launch from API
```bash
curl -X POST https://app.cybrium.ai/api/scans/ \
  -H "Content-Type: application/json" \
  -b "$AUTH_COOKIE" \
  -d '{
    "scan_type": "email_security",
    "target": "example.com",
    "scope": {
      "reputation": true,
      "discover": false,
      "leak": false
    }
  }'
```
Schedule daily / weekly
Email Security works with Scheduled Scans. One row gives you a domain checked every day at 02:00 UTC, with regressions flagged the next morning.
Settings → Scheduled Scans → New schedule
Name: Daily Email Security for example.com
Scan type: Email Security (cymail)
Target: example.com
Cadence: Daily
Enabled: ✓
Finding IDs
Every cymail finding lands in your Findings page with a rule_id from this catalogue (Sprint 99 added the last nine):
| Rule ID | Severity | When it fires |
|---|---|---|
| cymail.dnsbl.listed | high | The domain or an MX IP appears on a public block-list |
| cymail.spf.lookup_limit | high | SPF record uses more than 10 DNS lookups (RFC 7208 §4.6.4) |
| cymail.dkim.weak_key | high / medium | DKIM RSA <2048 bits or deprecated algorithm |
| cymail.dnssec.unsigned | low | Zone has no DNSKEY+DS — DKIM/DMARC/MX vulnerable to spoofing in transit |
| cymail.bimi.vmc_invalid | high | BIMI VMC chain failed PKIX validation (subject mismatch, expired, wrong EKU OID, …) |
| cymail.reputation.talos_blocked | high | Cisco Talos classifies the domain as low-reputation |
| cymail.reputation.senderscore_low | medium | Validity Sender Score below 50 for one or more MX IPs |
| cymail.leak.hibp_breach | high | Domain appears in a known breach via HIBP |
| cymail.leak.github_code_hit | medium | Domain appears near `password` |
| cymail.leak.lookalike | high | Cert-bearing lookalike domain exists in the wild |
| cymail.leak.commercial_feed | high / medium | DeHashed / IntelX / SnusBase per-record exposure |
| cymail.dmarc.rua_misalignment | high / medium | Per-source-IP DMARC alignment failure summarised from RUA |
| cymail.header.received_anomaly | high / medium | Backwards Received timestamps, loopback HELO, etc. |
| cymail.header.arc_anomaly | high / medium | Gap in ARC chain, missing component, or final cv=fail |
| cymail.header.dkim_body_mismatch | critical | DKIM body hash didn't recompute — body modified post-signing |
| cymail.header.arc_seal_broken | high | Final ARC seal cv=fail — upstream chain validation failed |
| cymail.discover.catch_all | low | Domain MX accepts catch-all (enables address enumeration) |
| cymail.discover.flagged_address | high / medium | Discovered address flagged by EmailRep (blacklisted/malicious/breach) |
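The `cymail.header.received_anomaly` row lists two signals, backwards Received timestamps and a loopback HELO. The following Python script is an added example of that Received-chain walk, written for this page rather than taken from cymail: it parses each Received header of a constructed .eml (invented hostnames, documentation IP ranges), reads the chain newest-to-oldest, flags a hop stamped later than the hop that received from it (beyond a skew tolerance), and flags a relay that announced itself as localhost. The severity split (high for the timestamp anomaly, medium for the HELO) is this example's choice, within the high / medium range the table gives.

```python
"""Walk a message's Received chain for the two anomalies behind
cymail.header.received_anomaly (added example, not cymail's code).

Received headers are prepended by each hop, so the top one is the newest.
Reading top to bottom, timestamps should never increase by more than
ordinary clock skew; a hop that is newer than the hop above it is a
'backwards' timestamp.  A HELO identity of localhost / 127.0.0.1 / ::1
on a relay hop is the second signal.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

LOOPBACK_HELO = {"localhost", "127.0.0.1", "[127.0.0.1]", "::1", "[::1]", "[ipv6:::1]"}
CLOCK_SKEW_TOLERANCE_S = 300   # tolerate a few minutes of drift between relays

# Constructed .eml: hop 2 (counted from the top) announces itself as
# localhost, and hop 3 is stamped 15 minutes *after* the hop that received
# from it.  IPs are documentation ranges; hostnames are invented.
SAMPLE_EML = (
    "Received: from mx2.example.net (mx2.example.net [203.0.113.20])\n"
    "    by inbound.example.org with ESMTPS id abc123;\n"
    "    Mon, 3 Jun 2024 10:05:30 +0000\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "    by mx2.example.net with ESMTP id def456;\n"
    "    Mon, 3 Jun 2024 10:05:10 +0000\n"
    "Received: from mail.sender.example (mail.sender.example [198.51.100.7])\n"
    "    by mx2.example.net with ESMTPS id ghi789;\n"
    "    Mon, 3 Jun 2024 10:20:00 +0000\n"
    "From: alice@sender.example\n"
    "To: bob@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def parse_received(value):
    """Pull HELO name, receiving host and timestamp out of one Received header."""
    flat = " ".join(value.split())                # unfold and squeeze whitespace
    clauses, _, date_part = flat.rpartition(";")  # the date follows the last ';'
    helo = re.match(r"from\s+(\S+)", clauses, re.I)
    by = re.search(r"\bby\s+(\S+)", clauses, re.I)
    try:
        stamp = parsedate_to_datetime(date_part.strip())
    except (TypeError, ValueError):
        stamp = None                               # unparsable date: skip the time check
    return {
        "helo": helo.group(1) if helo else None,
        "by": by.group(1) if by else None,
        "ts": stamp,
        "raw": flat,
    }


def walk_received_chain(raw_eml):
    """Return (hops, findings); hops are ordered newest (top) to oldest."""
    msg = message_from_string(raw_eml)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    findings = []
    for i, hop in enumerate(hops):
        if hop["helo"] and hop["helo"].lower() in LOOPBACK_HELO:
            findings.append({
                "rule_id": "cymail.header.received_anomaly",
                "severity": "medium",
                "hop": i + 1,
                "detail": f"loopback HELO '{hop['helo']}' accepted by {hop['by']}",
            })
        prev = hops[i - 1] if i else None
        if prev and hop["ts"] and prev["ts"]:
            drift = (hop["ts"] - prev["ts"]).total_seconds()
            if drift > CLOCK_SKEW_TOLERANCE_S:
                findings.append({
                    "rule_id": "cymail.header.received_anomaly",
                    "severity": "high",
                    "hop": i + 1,
                    "detail": f"timestamp runs {drift:.0f}s backwards relative to hop {i}",
                })
    return hops, findings


if __name__ == "__main__":
    for f in walk_received_chain(SAMPLE_EML)[1]:
        print(f["severity"], f["rule_id"], f["detail"])
```

The time comparison only runs when both hops carry a parsable, zone-aware date; a Received header with a `-0000` zone parses to a naive datetime in Python and would need normalising before it can be compared, which is a detail worth handling before pointing this at real mail.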
Adversary phase integration
Email Security is wired into the Adversary engine as a recon executor — MITRE techniques T1589.002 (Gather Victim Email Addresses) and T1598 (Phishing for Information) dispatch _run_email_security_scan and surface three adversary-narrative findings beyond the standard cymail set:
- adversary.email.catch_all_enables_enumeration (medium)
- adversary.email.dnsbl_burned_reputation (medium)
- adversary.email.lookalike_phishing_infrastructure (high)
These tell the downstream kill-chain phases (phishing, password spray) what's actually viable against this target.
When to use it vs. cymail standalone
| Scenario | Where |
|---|---|
| Recurring per-tenant monitoring with alerts on regression | Platform scan + scheduled scan |
| One-off audit from your laptop | cymail scan --domain example.com — see cymail docs |
| CI/CD gate for an email domain change | cymail scan --format sarif in CI; platform for the ongoing monitoring |
| Adversary kill-chain context | Platform — Adversary engine dispatches cymail automatically |
| Auditor evidence pack | Platform — findings join your standard report exports |
Limits
- Cymail v0.6.5 does body-hash DKIM verification (catches in-flight tampering) but doesn't yet cryptographically verify the RSA/Ed25519 DKIM signature itself. Full crypto verify is on the roadmap.
- ARC seal validation is structural (instance gaps, component presence, final cv=fail); full ARC cryptographic chain verification is on the roadmap.
- Commercial leak feeds (DeHashed / IntelX / SnusBase) require operator-supplied API keys — they're never contacted otherwise.
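The body-hash verification that v0.6.5 does perform comes down to RFC 6376 body canonicalization plus a hash comparison against the `bh=` tag. The script below is an added example in Python, not cymail's Rust implementation: it canonicalizes the body (`simple` or `relaxed`, honouring `l=`), recomputes `bh=`, and reports `cymail.header.dkim_body_mismatch` on a mismatch. The sample message is constructed by the script itself with a correct `bh=` and a placeholder `b=`, so, exactly like the limit described above, nothing here checks the RSA/Ed25519 signature; a tampered body is caught, a forged signature is not.

```python
"""Recompute the DKIM body hash (bh=) of a message (added example).

Implements RFC 6376 body canonicalization ('simple' and 'relaxed') and the
l= length limit, then compares the hash with the bh= tag.  Only the body
hash is checked; the b= signature is not verified, which mirrors the
v0.6.5 limit described on this page.
"""
import base64
import hashlib
import re
from email import message_from_string

HASH_FOR_ALGO = {
    "rsa-sha256": hashlib.sha256,
    "ed25519-sha256": hashlib.sha256,
    "rsa-sha1": hashlib.sha1,      # historic; key-hygiene checks flag it separately
}


def canonicalize_body(body, mode="simple"):
    """Return the canonical body as bytes with CRLF line endings."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # Strip trailing WSP on each line, collapse interior WSP runs to one SP.
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":        # drop trailing empty lines
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()


def parse_dkim_tags(header_value):
    """Split 'k=v; k=v' into a dict; folding whitespace inside values is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip()] = "".join(value.split())
    return tags


def raw_body(raw_eml):
    """Everything after the first empty line, with line endings normalised."""
    _, _, body = raw_eml.replace("\r\n", "\n").partition("\n\n")
    return body


def verify_dkim_body_hash(raw_eml):
    """Return a pass/fail dict; a fail carries the cymail rule id."""
    msg = message_from_string(raw_eml)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {"status": "none", "detail": "no DKIM-Signature header"}
    tags = parse_dkim_tags(sig)
    hasher = HASH_FOR_ALGO.get(tags.get("a", ""))
    if hasher is None:
        return {"status": "permerror", "detail": f"unsupported a={tags.get('a')}"}
    canon = tags.get("c", "simple/simple")          # RFC 6376 default
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    canonical = canonicalize_body(raw_body(raw_eml), body_mode)
    if "l" in tags:                                  # signer hashed only the first l bytes
        canonical = canonical[: int(tags["l"])]
    computed = base64.b64encode(hasher(canonical).digest()).decode()
    if computed == tags.get("bh"):
        return {"status": "pass", "body_canon": body_mode, "bh": computed}
    return {
        "status": "fail",
        "rule_id": "cymail.header.dkim_body_mismatch",
        "severity": "critical",
        "detail": f"bh= {tags.get('bh')} but canonical body hashes to {computed}",
    }


def build_sample(body, body_mode="relaxed"):
    """Construct a message with a correct bh= and a placeholder b= (no real signature)."""
    bh = base64.b64encode(hashlib.sha256(canonicalize_body(body, body_mode)).digest()).decode()
    return (
        f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/{body_mode}; d=sender.example;\n"
        f"    s=sel1; h=from:to:subject; bh={bh};\n"
        "    b=PLACEHOLDER_NOT_A_REAL_SIGNATURE\n"
        "From: alice@sender.example\n"
        "To: bob@example.org\n"
        "Subject: constructed sample\n"
        "\n"
        f"{body}"
    )


SAMPLE_BODY = "Dear Bob,\n\nPlease pay invoice 42 to account 111.\n"

if __name__ == "__main__":
    print(verify_dkim_body_hash(build_sample(SAMPLE_BODY))["status"])
    tampered = build_sample(SAMPLE_BODY).replace("account 111", "account 999")
    print(verify_dkim_body_hash(tampered)["status"])
```

The canonicalization mode matters for what counts as tampering: under `relaxed`, a relay that re-wraps whitespace leaves `bh=` intact, while under `simple` the same change fails, so a body-hash mismatch on a `simple`-canonicalized message deserves a look at the intermediate relays before it is read as malicious modification.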