CASE 107 · FORAGER · 2024
Transactional email that lands, and that nobody can spoof.
A B2B SaaS company sent transactional email through SES with DKIM half-configured and no DMARC policy. Phishing emails impersonating their domain had hit two enterprise customers. We rolled out full DKIM + DMARC enforcement at p=reject, with a careful warm-up.
B2B SaaS
SECURITY
2024
RESULTS
What changed, by the numbers.
DMARC POLICY: p=reject
DELIVERABILITY: +12%
PHISHING REPORTS: 0
BIMI ENABLED: YES
HOW IT WENT
The phishing emails had been good — well-formatted, plausible context, the company’s logo. The two customers who had reported them had been technical enough to check the headers and notice the missing DKIM signature. Most customers wouldn’t have.
We aligned SPF to permit only AWS SES IPs and the marketing platform, set up DKIM signing on every sending identity, and rolled out DMARC at `p=quarantine` for two weeks before stepping to `p=reject`. Aggregate DMARC reports landed via Firehose to S3 and surfaced one legitimate sender we hadn’t known about (a forgotten CRM integration). We fixed it before the step to reject.
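The "surfaced one legitimate sender we hadn't known about" step is the part of the warm-up worth automating. Below is an added example, not code from this engagement: it parses a DMARC aggregate (RUA) report in the RFC 7489 XML layout, such as the ones Firehose lands in S3, and lists source IPs that are not on your expected-sender list and sent mail failing DMARC. The sample report, its domain and IPs are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate (RUA) report in the RFC 7489 XML layout; the
# domain, report id and IPs are placeholders, not data from the engagement.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>r-1</report_id></report_metadata>
  <policy_published><domain>sender.example</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>1200</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>sender.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>45</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>sender.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.10</source_ip><count>3</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>sender.example</header_from></identifiers></record>
</feedback>
"""

def summarize_sources(xml_text):
    """Per source IP: total messages and how many failed DMARC.

    A record passes DMARC when either the DKIM or the SPF result inside
    <policy_evaluated> is 'pass'; those results already reflect alignment
    with the header From domain, unlike the raw auth_results.
    """
    root = ET.fromstring(xml_text)
    totals = defaultdict(lambda: {"total": 0, "failed": 0})
    for record in root.iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        totals[ip]["total"] += count
        if not passed:
            totals[ip]["failed"] += count
    return dict(totals)

def unknown_senders(xml_text, known_ips):
    """Sources not on the expected-sender list whose mail failed DMARC.

    Before stepping from p=quarantine to p=reject, every entry here is
    either a spoofer or a legitimate integration still missing SPF/DKIM.
    """
    summary = summarize_sources(xml_text)
    return {ip: s for ip, s in summary.items()
            if ip not in known_ips and s["failed"] > 0}

if __name__ == "__main__":
    for ip, s in unknown_senders(SAMPLE_REPORT, {"203.0.113.10"}).items():
        print(f"{ip}: {s['failed']}/{s['total']} messages failed DMARC")
```

Run it over every report in the bucket for the quarantine window; an unknown source with a steady daily count and a plausible From is the forgotten integration, a bursty one with random counts is the spoofer.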
Deliverability to enterprise inboxes went up 12% as receiving servers saw the cleanly authenticated mail. Phishing reports against the domain dropped to zero in the 90 days following rollout. BIMI enabled the brand logo in Gmail and Apple Mail — a bonus customers actively complimented.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.