Back to Engineering
Engineering Case Study

Email Security and Anti-Phishing Architecture

How SPF, DKIM and DMARC, gateway filtering, business-email-compromise defenses, and awareness training combine into a layered anti-phishing architecture for a professional-services firm.

SPF / DKIM / DMARCBIMISecure email gatewayDMARC aggregate reportingMFA / phishing-resistant authURL rewriting & sandboxingDNS managementSecurity awareness training
PyramidLedger Engineering10 min read

Why email is still the primary attack vector

For a professional-services firm — a practice built on trusted correspondence about money, contracts, and confidential client matters — email is simultaneously the most business-critical channel and the softest attack surface. Decades of layered defenses have not dethroned it, because email's fundamental design trusts the sender's claimed identity far more than it should, and because the target is ultimately a human being reading a message under time pressure. The most damaging attacks are not the crude spam of a generation ago; they are precise, well-researched impersonations aimed at a specific person authorized to move money or release data.

The threats worth designing against fall into a few clear classes. Domain spoofing sends mail that appears to come from the firm's own domain, trading on its reputation to fool clients or staff. Business email compromise (BEC) impersonates a partner, a CEO, or a known supplier to redirect a payment or an invoice — and is characteristically low-tech, carrying no malware for a scanner to catch, just a plausible request in plausible language. Credential phishing lures a user to a fake login page to harvest a password. Malware delivery hides a payload in an attachment or behind a link. These require different defenses, which is the first honest observation: there is no single control that stops phishing, and any vendor claiming one is selling one layer of several.

The design goal, then, is layered: make it hard to impersonate the firm's domain, filter the obviously malicious before it reaches a human, blunt the impact of the messages that inevitably slip through, and make the human at the end more resilient — while accepting that none of these layers is individually complete.

Authenticating the firm's own domain: SPF, DKIM, DMARC

The foundation is email authentication, and it protects the firm's domain from being spoofed by others — which is as much about protecting clients and reputation as protecting inboxes. Three standards work together. SPF (Sender Policy Framework) is a DNS record listing which servers are permitted to send mail for the domain, so a receiver can check whether a message came from an authorized source. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to outbound mail, letting a receiver verify the message genuinely came from the domain and was not altered in transit. DMARC ties the two together: it tells receivers what to do when a message fails these checks — monitor, quarantine, or reject — and, critically, it provides a reporting channel that shows who is sending mail claiming to be the firm.

The deployment discipline matters more than the records themselves. DMARC is rolled out in stages: begin in monitoring mode (a 'none' policy that changes nothing but collects aggregate reports), use those reports to discover every legitimate sending source — the mail platform, the CRM, the invoicing tool, the marketing service, the helpdesk — bring each of those into SPF and DKIM alignment, and only then tighten the policy toward quarantine and finally reject. Rushing straight to an enforcing policy is the classic self-inflicted wound: legitimate mail from a forgotten third-party sender starts silently failing, invoices and client messages vanish, and the business blames security. The staged approach exists precisely to avoid that.

The honest limitation is fundamental: SPF, DKIM and DMARC authenticate the domain, not the intent. They make it hard to spoof the firm's exact domain, but they do nothing about a BEC attack sent from a convincing look-alike domain the attacker legitimately registered and correctly authenticated, or from a free webmail account using the partner's display name. Authentication is necessary and it is not sufficient — a point worth making plainly to any client who thinks turning on DMARC 'solves phishing.'

Gateway filtering and the messages that slip through

The second layer is the secure email gateway, which inspects inbound mail before it reaches users. Reputation and signature filtering removes the high-volume obvious junk. Content and attachment analysis, including detonating suspicious attachments in a sandbox, catches malware-bearing mail. URL handling rewrites links so they can be checked at click-time — important because a link that is benign when the mail is delivered can be weaponized hours later. Impersonation and anomaly detection flags mail where the display name mimics an executive, or where a supplier the firm regularly deals with suddenly writes from a subtly different address.

The architectural point is that the gateway is a probabilistic filter, not a wall. It will have false negatives — sophisticated, targeted, text-only BEC messages are specifically the kind that carry nothing for a scanner to detect — and false positives that quarantine legitimate mail, which in a client-facing firm is its own real cost when a genuine client message gets held. Tuning that balance is an ongoing operational task, not a one-time install, and the right aggressiveness depends on the firm's tolerance for a delayed legitimate email versus a delivered malicious one.

Because some malicious mail will always reach a human, the architecture assumes breach at the inbox and adds controls that blunt the impact rather than trying to achieve perfect filtering. External-sender banners on mail from outside the organization make an impersonation of an internal colleague more conspicuous. Prominent, frictionless reporting — a one-click 'report phishing' button — turns users into sensors and feeds real reported attacks back into tuning. And crucially, the controls that limit what a successful phish can achieve live one layer over: phishing-resistant multi-factor authentication so a harvested password alone doesn't grant access, and out-of-band verification requirements for payment changes so a convincing email alone can never move money. These are the controls that convert a successful phish from a catastrophe into a near-miss.

Defending against business email compromise specifically

BEC deserves its own treatment because it defeats most technical controls by design: there is no malware, no malicious link, often no spoofed domain — just a well-written, well-timed request from what appears to be a trusted party. A message from 'the managing partner' asking a junior to urgently process a wire transfer, or from a known supplier announcing that their bank details have changed, is a fraud attempt that a content scanner cannot reliably distinguish from legitimate business correspondence, because linguistically it is legitimate business correspondence.

Because the technical layers are weak here, the defense is deliberately process and human-centric, and it is designed so that no single email can authorize an irreversible action. Payment and bank-detail changes require out-of-band verification — a call to a known, pre-established number, never a number or link supplied in the email itself. High-value or unusual transactions require dual authorization, so one compromised or deceived individual cannot complete them alone. Any change to supplier banking details triggers mandatory verification through an independent channel, because the fraudulent-invoice and changed-bank-details pattern is one of the most common and costly BEC variants. These controls deliberately introduce friction into exactly the moments an attacker is trying to rush, and that friction is the point.

The technical layers still contribute: display-name and look-alike-domain detection at the gateway, and internal DMARC enforcement so at least an attacker cannot use the firm's own exact domain against its own staff. But the honest framing for a client is that BEC is defended primarily through verification procedures for financial actions, not through email filtering — and a firm that has spent heavily on a gateway while leaving payment-change requests to be honored on the strength of a single email has protected the wrong layer.

The human layer, trade-offs, and what we would not do

Security awareness training is the layer that acknowledges the target is a person, but it has to be designed honestly, because done badly it produces a false sense of security or, worse, a culture of fear and blame. Effective training is continuous and realistic rather than an annual slideshow — role-relevant, so the people who handle payments get the scenarios that actually target them — and it is paired with simulated phishing used as a teaching tool, not as a trap to punish those who click. The metric that matters is not a click rate driven to an impressive-looking low number; it is whether reporting rates go up, because a workforce that reliably reports suspicious mail is a distributed detection network, and a workforce that has merely learned to fear the security team hides its mistakes.

The overriding trade-off across the whole architecture is security against friction. Every layer — DMARC enforcement, aggressive gateway filtering, out-of-band payment verification, MFA prompts — imposes some cost on legitimate work, and a professional-services firm lives on responsive client communication, so controls that are too heavy get worked around, which is worse than not having them. The engineering answer is to place the heaviest friction where the stakes are highest (moving money, changing bank details, privileged access) and keep the everyday path light, rather than spreading uniform friction that people learn to bypass.

What we would not do: we would not deploy DMARC straight to reject without a monitoring period, because breaking legitimate mail is how the whole program loses organizational trust on day one. We would not treat email authentication as anti-phishing complete, because it does nothing against look-alike domains or free-webmail display-name spoofing. We would not lean on the gateway as a wall, because targeted BEC is built to pass it. We would not run phishing simulations as gotchas, because a blame culture suppresses the reporting that is the most valuable human signal. And we would not let a single email authorize an irreversible financial action, because the entire economics of BEC collapses the moment a payment requires a second, out-of-band confirmation. The architecture works because it is layered and because it is honest about each layer's limits — no single control here is sufficient, and pretending otherwise is itself a vulnerability.

Building something like this?

We engineer secure, regulated, and AI-driven systems at this depth. Tell us what you are building and we will help you architect it.

Start Your Project