Episode 16 · Module 5 · Authentication & Identity

Email Security for SaaS

18 May 2026 · 8:57 · Security for Legal SaaS

8:57 8:57

Email remains the primary attack vector for breaching organisations. Alice and Dan cover the SPF/DKIM/DMARC authentication triad, magic-link security risks and hardening, email-based account recovery attacks, BIMI brand indicators, MTA-STS transport security, and the architecture principle that email should notify but never transport sensitive data — especially privileged legal content.

Today’s Lesson

Security for Legal SaaS — Episode 16: Email Security for SaaS

The Weakest Link in Your Security Chain

Email remains the primary attack vector for breaching organisations. The FBI’s IC3 reported $2.9 billion in losses from business email compromise (BEC) in 2023 alone. For legal SaaS platforms that send privileged case updates, court deadline reminders, and magic-link authentication tokens via email, a compromised email channel is a direct path to privilege waiver.

Key stat: 74% of all breaches involve a human element — phishing, pretexting, or credential theft via email. Email is where social engineering meets technical exploitation.

The triad of SPF, DKIM, and DMARC forms the baseline defence for outbound email integrity. Without all three configured correctly, your platform’s emails can be spoofed, your magic links intercepted, and your clients phished using your own domain.

SPF, DKIM, and DMARC — The Authentication Triad

SPF (Sender Policy Framework)

SPF (RFC 7208) publishes a DNS TXT record — DNS being the internet’s address book that translates domain names into IP addresses — listing which IP addresses are authorised to send email on behalf of your domain. Receiving mail servers check the envelope sender against this list.

SPF Component	Purpose
`v=spf1`	Version identifier
`include:_spf.google.com`	Authorise Google Workspace IPs
`include:sendgrid.net`	Authorise transactional email provider
`-all`	Hard-fail everything else (reject, don’t softfail)

Critical for legal SaaS: Use -all (hard fail), not ~all (soft fail). Soft fail means spoofed emails from your domain still get delivered — just marked suspicious. Google’s email sender guidelines (2024) require SPF alignment for bulk senders.

DKIM (DomainKeys Identified Mail)

DKIM (RFC 6376) cryptographically signs email headers and body. The sending server attaches a signature using a private key; receivers verify against the public key in your DNS. This proves the email was not modified in transit and genuinely originated from your infrastructure.

For legal SaaS platforms sending transactional email through services like SendGrid, Postmark, or AWS SES, you must configure DKIM signing with your own domain key — not the provider’s default. Postmark’s DKIM guide details the DNS CNAME setup.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC (RFC 7489) ties SPF and DKIM together with a policy declaration and reporting mechanism.

DMARC Tag	Recommended Value	Meaning
`p=reject`	Production policy	Reject emails failing both SPF and DKIM
`rua=mailto:dmarc@yourdomain.com`	Aggregate reports	Receive daily XML reports of authentication results
`ruf=mailto:forensics@yourdomain.com`	Forensic reports	Receive per-failure reports (careful — may contain PII)
`pct=100`	Full enforcement	Apply policy to 100% of messages
`aspf=s`	Strict SPF alignment	Domain must exactly match (no subdomain)

Deployment warning: Go from p=none → p=quarantine → p=reject over 4–6 weeks while monitoring aggregate reports. Jumping straight to p=reject without monitoring will block legitimate email you forgot about — marketing tools, CRM integrations, legacy systems. DMARC.org recommends this graduated approach.

Magic-Link Authentication Risks

Magic links — one-time URLs sent via email for passwordless login — are increasingly popular in legal SaaS. But they inherit every vulnerability of the email channel.

Attack Scenarios

Attack	Mechanism	Impact
Email account compromise	Attacker with access to inbox clicks magic link	Full account takeover
Link interception (MitM)	Corporate email proxies, logging gateways	Token captured before user clicks
Link forwarding	User accidentally forwards email containing active link	Unintended third-party access
Prefetch/preview	Email security scanners follow links automatically	Token consumed before user can use it

Auth0’s security guidance on magic links recommends: single-use tokens, short expiry (10 minutes maximum), binding to the originating session, and requiring the user to complete login on the same device/browser that initiated the request.

Hardening Magic Links

Bind to session — The link only works in the browser session that requested it
Device fingerprint — Require the same IP range or device characteristics
Short TTL — 5–10 minutes maximum. OWASP recommends tokens expire within minutes, not hours
Rate limit — Maximum 3 magic link requests per email per hour
Notify on use — Send a separate notification when the link is consumed from a new device

Email-Based Account Recovery Attacks

Account recovery via email is the reset button that bypasses every other security control. If an attacker controls the email address associated with an account, they control the account.

Microsoft’s research on account takeover showed that Lapsus$ specifically targeted help desk staff to trigger email-based password resets. For legal SaaS:

Never rely solely on email for account recovery — Combine with identity verification (security questions, out-of-band confirmation, admin approval)
Notify all registered channels — When a recovery is initiated, alert via SMS, push notification, and the old email simultaneously
Cool-down period — After recovery, restrict sensitive operations (downloading documents, changing security settings) for 24 hours
Recovery audit trail — Log every recovery attempt with IP, user agent, and geolocation

BIMI — Brand Indicators for Message Identification

BIMI (Brand Indicators for Message Identification) displays your verified logo next to emails in supporting clients (Gmail, Apple Mail, Yahoo). It requires p=quarantine or p=reject DMARC policy and a Verified Mark Certificate (VMC) from DigiCert or Entrust.

For legal SaaS, BIMI serves a security purpose beyond branding: it trains recipients to expect your logo. Phishing emails spoofing your domain will not display the logo, providing a visual signal that something is wrong. Google’s BIMI requirements mandate DMARC enforcement as a prerequisite.

Secure Transactional Email Architecture

Layer	Control	Purpose
Sending infrastructure	Dedicated IP pool	Reputation isolation from marketing email
Authentication	SPF + DKIM + DMARC (`p=reject`)	Prevent spoofing
Transport	TLS enforcement (MTA-STS)	Prevent downgrade attacks
Content	No sensitive data in email body	Email is not a secure channel
Links	Tokenised, session-bound, short-lived	Prevent interception/replay
Monitoring	DMARC aggregate reports + alerting	Detect spoofing attempts
Fallback	MTA-STS + DANE	Prevent TLS stripping

MTA-STS (RFC 8461) publishes a policy requiring TLS for email delivery to your domain — preventing downgrade attacks where an attacker strips encryption from the SMTP (Simple Mail Transfer Protocol) connection.

Architecture principle: Email is a notification channel, never a data transport channel. Case updates should say “You have a new update — log in to view it” rather than including the actual privileged content. OWASP’s transaction authorisation guidance reinforces this: sensitive actions require authenticated confirmation, not email-borne tokens alone.

Legal SaaS-Specific Considerations

Court notification emails — If your platform sends court deadline reminders, a spoofed “deadline extended” email could cause a lawyer to miss a filing deadline. DMARC p=reject prevents this.
Client communication summaries — Never include privileged content in email notifications. A forwarded email or compromised inbox exposes privilege.
Multi-tenant sender isolation — Each law firm tenant should ideally send from their own subdomain (firmname.yourplatform.com) with dedicated SPF/DKIM, isolating reputation and preventing cross-tenant spoofing.
Regulatory email retention — Singapore’s PDPA requires organisations to protect personal data in electronic communications. Transactional emails containing client identifiers must be treated as personal data.

Conclusion

Email security for SaaS is not optional — it is foundational. The SPF/DKIM/DMARC triad prevents domain spoofing. Magic links must be session-bound and short-lived. Account recovery must not rely solely on email. And the architecture principle is simple: email notifies, it never transports sensitive data.

Configure DMARC at p=reject. Deploy BIMI. Enforce MTA-STS. Treat every email your platform sends as a potential attack vector if spoofed — because your adversaries already do.

Next episode: Password Hashing Done Right — why storing passwords “encrypted” is almost as bad as storing them in plaintext.

Alice: Welcome back to Security for Legal SaaS. I’m Alice.

Dan: And I’m Dan. Episode 16 — Email Security for SaaS. Alice, I feel like email is one of those things everybody uses but nobody thinks about securing properly.

Alice: Because it’s invisible infrastructure. Your legal SaaS platform sends hundreds of transactional emails daily — password resets, case update notifications, court deadline reminders, magic-link logins. And every single one of those is an attack vector if your email authentication isn’t locked down.

Dan: Give me the scale of the problem.

Alice: The FBI reported 2.9 billion dollars in business email compromise losses in 2023 alone. And Verizon’s DBIR — their annual Data Breach Investigations Report — consistently shows that 74% of all breaches involve a human element — predominantly phishing and pretexting via email. For legal tech, a spoofed court deadline email from your domain could cause a lawyer to miss a filing. That’s malpractice territory.

Dan: So how do you prove your emails are actually from you?

Alice: Three mechanisms that work together. SPF, DKIM, and DMARC. SPF — Sender Policy Framework — publishes a DNS record — DNS being the internet’s address book that translates domain names to IP addresses — listing which IP addresses can send email on behalf of your domain. When Gmail receives an email claiming to be from notifications@yourlegalplatform.com, it checks your SPF record. If the sending IP isn’t listed, the email fails authentication.

Dan: Simple enough. What about DKIM?

Alice: DKIM — DomainKeys Identified Mail — adds a cryptographic signature to every outgoing email. Your sending server signs the headers and body with a private key. The receiving server retrieves your public key from DNS and verifies the signature. This proves two things: the email genuinely came from your infrastructure, and it wasn’t modified in transit.

Dan: And DMARC ties them together?

Alice: DMARC — Domain-based Message Authentication, Reporting, and Conformance — does three things. First, it tells receiving servers what to do when SPF and DKIM both fail — none, quarantine, or reject. Second, it requires domain alignment — the domain in the From header must match the domains used in SPF and DKIM checks. Third, it sends you aggregate reports showing who’s attempting to send email as your domain.

Dan: What policy should a legal SaaS platform use?

Alice: The goal is p=reject — meaning any email that fails both SPF and DKIM authentication gets rejected outright, never delivered. But you don’t jump there on day one. Start with p=none to collect reports without affecting delivery. Monitor for two weeks. You’ll discover forgotten systems — that old marketing tool, the CRM integration, the legacy notification server. Add them to your SPF record and configure DKIM. Move to p=quarantine for two weeks. Then p=reject. Google now requires SPF, DKIM, and DMARC for bulk senders as of 2024.

Dan: What about magic links? Passwordless login seems elegant but I’m guessing it has risks.

Alice: Magic links are a single-use URL sent to your email that logs you in when clicked. They’re popular because they eliminate password management. But they inherit every vulnerability of the email channel. If an attacker has access to your inbox — even temporarily — they click the link and they’re in. If your corporate email proxy prefetches URLs for security scanning, it might consume the token before you can use it. If you forward the email, you’ve forwarded your login.

Dan: How do you harden them?

Alice: Five controls. One — bind the magic link to the browser session that requested it. The link only works in the same browser. Two — short time-to-live. Five to ten minutes maximum, not hours. Three — single use, obviously, but also rate-limit requests — maximum three per email per hour. Four — device fingerprinting. If the link is clicked from a completely different IP range or device, require additional verification. Five — notify on consumption. When the link is used, especially from a new device, send a separate alert.

Dan: What about account recovery? That’s basically the master key to everything.

Alice: Account recovery via email is the nuclear option that bypasses every other security control you’ve built. Multi-factor authentication — MFA, where you need a second proof of identity beyond just your password — strong passwords, session management — all meaningless if an attacker can trigger a password reset and intercept the email. Lapsus$ specifically targeted help desk staff to initiate email-based resets for their victims. For legal SaaS, never rely solely on email for recovery. Combine with out-of-band verification — a phone call, an admin approval workflow, identity questions. And after any recovery event, impose a cool-down period — no downloading documents or changing security settings for 24 hours.

Dan: I want to talk about something I’ve seen in Gmail recently — brand logos next to emails. That’s BIMI?

Alice: BIMI — Brand Indicators for Message Identification. It displays your verified logo next to your emails in supporting clients like Gmail, Apple Mail, and Yahoo. It requires DMARC at p=quarantine or p=reject, plus a Verified Mark Certificate from DigiCert or Entrust. The security value is subtle but real — it trains recipients to expect your logo. A phishing email spoofing your domain won’t display it, creating a visual discrepancy that alert users will notice.

Dan: That makes sense. What’s the architectural principle here? What should email actually be used for in a legal SaaS platform?

Alice: Email is a notification channel. Never a data transport channel. Your case update email should say “You have a new update on Matter 2024-1234 — log in to view it.” Not “Here’s the full update: opposing counsel filed a motion to dismiss arguing...” The moment you put privileged content in an email body, you’ve lost control of it. It sits in inboxes, gets forwarded, gets backed up to systems you don’t control, gets indexed by email search tools.

Dan: And transport security?

Alice: MTA-STS — SMTP MTA Strict Transport Security. SMTP is Simple Mail Transfer Protocol — the standard way email servers send messages to each other. It publishes a policy requiring TLS for email delivery to your domain. Without it, an attacker performing a network-level attack can strip TLS from the SMTP connection and intercept emails in plaintext. MTA-STS prevents that downgrade attack. Combined with DANE — DNS-based Authentication of Named Entities — if your DNS supports DNSSEC — DNS Security Extensions, which cryptographically sign DNS responses — you get assurance that the receiving server’s TLS certificate is legitimate.

Dan: One last thing — multi-tenant considerations. If your platform serves multiple law firms, does each firm need its own email setup?

Alice: Ideally yes. Each tenant sends from their own subdomain — firmname.yourplatform.com — with dedicated SPF and DKIM records. This isolates sender reputation. If one tenant’s users report emails as spam, it doesn’t tank deliverability for all your other tenants. And it prevents a compromised tenant’s subdomain from being used to phish users of another tenant on your platform.

Dan: Next episode — Password Hashing Done Right. Why storing passwords “encrypted” is almost as bad as storing them in plaintext.

Alice: Until then, I’m Alice.

Dan: And I’m Dan.

Alice: Security for Legal SaaS is a series written with AI assistance. Alice and Dan are AI-generated voices — no professional advice here, just education.

Security for Legal SaaS is a series written with AI assistance. Alice and Dan are AI-generated voices — no professional advice here, just education.