---
name: email-communications-infrastructure
description: Manage email and corporate communications infrastructure including mail servers, spam filtering, email security, deliverability, migration, and compliance. Use when configuring email servers, managing spam/antivirus filtering, improving email deliverability, implementing email encryption, planning email migration, handling email security incidents, or managing communications platforms. Triggers on phrases like "email infrastructure", "mail server", "email security", "spam filtering", "email deliverability", "DKIM SPF DMARC", "email migration", "exchange server", "communications platform", "email archiving".
---

# Email & Communications Infrastructure

Manage corporate email systems, security, deliverability, and communications platforms.

## Workflow

1. Assess current email infrastructure: platform, architecture, user count, storage, integrations.
2. Implement email security stack: spam filtering, antivirus, anti-phishing, encryption, DLP.
3. Configure DNS authentication records: SPF, DKIM, DMARC for deliverability and spoofing prevention.
4. Set up email archiving and compliance: retain email for the period each applicable regulation requires (commonly 6–7 years; see Edge Cases).
5. Monitor email health: deliverability rates, spam scores, quarantine statistics, uptime.
6. Manage email flow: routing, load balancing, failover, queue management.
7. Implement business communication platforms: instant messaging, video conferencing, collaboration.
8. Plan and execute migrations: on-prem to cloud, platform changes, domain changes.
9. Handle email incidents: breaches, spam outbreaks, deliverability issues, outages.
10. Conduct quarterly reviews: security posture, cost optimization, user satisfaction.

## Email Infrastructure Architecture

```
EMAIL PLATFORM OPTIONS
========================

Cloud Email Platforms:

  Microsoft 365 (Exchange Online):
    Pricing: $4–$57 per user/month (license tiers)
    Mailbox size: 50 GB (Plan 1 / Business tiers), 100 GB (Plan 2 / E3 / E5); archive mailbox is separate
    Features: anti-spam, anti-malware, DLP, encryption, archiving, eDiscovery
    Integrations: Teams, SharePoint, OneDrive, Outlook, Power Platform
    Uptime SLA: 99.9%
    Best for: organizations already invested in Microsoft ecosystem

  Google Workspace (Gmail):
    Pricing: $6–$18 per user/month
    Mailbox size: 30 GB (Business Starter) up to 5 TB pooled per user on higher tiers
    Features: anti-phishing, Security Sandbox (attachment detonation), DLP, Vault (eDiscovery and retention)
    Integrations: Google Drive, Meet, Chat, Docs, Sheets
    Uptime SLA: 99.9%
    Best for: organizations using Google productivity suite

  Other cloud platforms:
    Zoho Mail: $1–$6 per user/month (budget option)
    ProtonMail: encrypted email, Swiss-based, $4–$24 per user/month
    Rackspace Email: $3–$5 per user/month (infrastructure provider)

  On-Premises Options:
    Microsoft Exchange Server: $35–$100+ per user CAL; requires server infrastructure
    Open source stack: Postfix (MTA) + Dovecot (IMAP/POP3) + SpamAssassin or Rspamd (free, requires expertise)
    Note: Thunderbird and Outlook are clients, not servers; an on-prem deployment still needs an MTA and a mailbox server behind them
    Best for: strict data residency, air-gapped environments, compliance requirements

Hybrid Architecture:
  - Exchange On-Prem + Exchange Online coexistence
  - Mail flow: on-prem → cloud or cloud → on-prem (depends on migration phase)
  - Directory sync: Microsoft Entra Connect (formerly Azure AD Connect) for on-prem AD to cloud
  - Migration period: 3–12 months (gradual mailbox migration)
  - Typical for: large enterprises transitioning from on-prem to cloud

Email infrastructure components:

  1. Mail Transfer Agents (MTA):
     - Send and receive email between servers
     - SMTP: port 25 for server-to-server relay (opportunistic STARTTLS), 587 for authenticated submission (STARTTLS), 465 for implicit-TLS submission; mailbox access uses IMAP 143/993 and POP3 110/995
     - Cloud: handled by provider; On-prem: Postfix, Exchange, Sendmail

  2. Spam/Security Gateway:
     - Pre-filter before mail reaches mailbox
     - Cloud: Microsoft Defender for Office 365, Google Workspace built-in Gmail protection
     - Third-party: Mimecast, Proofpoint, Barracuda, Cisco Secure Email

  3. Mailbox Servers:
     - Store user mailboxes
     - IMAP/POP3 access for clients
     - Cloud: hosted by provider; On-prem: Exchange database, Dovecot

  4. Archiving and Compliance:
     - Store all emails for retention period
     - Legal hold for litigation
     - eDiscovery for search and export
     - Solutions: Mimecast Cloud Archive, Proofpoint Enterprise Archive, Exchange Online Archiving, Google Vault

  5. Collaboration:
     - Calendar, contacts, tasks
     - Instant messaging (Teams, Chat)
     - Video conferencing (Teams Meetings, Google Meet)
     - Document collaboration (SharePoint, Google Drive)
```

## Email Security

```
EMAIL SECURITY FRAMEWORK
==========================

Layer 1: Spam and Phishing Prevention

  Cloud-native protection (Microsoft 365 / Google Workspace):
    - Bulk complaint level (BCL) filtering
    - Impersonation protection (CEO, internal domains)
    - Safe Links (URL rewriting and real-time checking)
    - Safe Attachments (sandboxed file analysis)
    - Zero-hour auto purge (ZAP): retroactively remove delivered malware

  Third-party security gateway (recommended for enterprise):
    Mimecast: $3–$7 per user/month
      - Multi-engine spam filtering
      - URL filtering and rewriting
      - Attachment sandboxing (detonation of executables and macro-bearing documents)
      - Business Email Compromise (BEC) detection
      - Email continuity (local cache during outages)
      - Retention and archiving

    Proofpoint Essentials / Targeted Attack Protection (TAP): $4–$10 per user/month
      - URL Defense (rewriting, click-time analysis) and Attachment Defense (sandboxing)
      - Layers on top of M365/Google native filtering with Proofpoint threat intelligence
      - Impersonation and BEC detection
      - Data Loss Prevention (DLP)

  Effectiveness metrics:
    - Spam block rate: target > 99.5%
    - Phishing block rate: target > 99%
    - False positive rate: target < 0.1% (legitimate emails blocked)
    - Mean time to block new threat: < 15 minutes
    - User-reported phishing: < 5 per 1000 users/month (after training)

Layer 2: Encryption

  Transport encryption (TLS):
    - All email in transit encrypted via TLS 1.2+
    - Opportunistic TLS between servers (STARTTLS)
    - Strict TLS: only deliver via TLS or bounce (configured per domain)
    - MTA-STS: policy served over HTTPS (signalled by a _mta-sts TXT record) telling senders to require TLS with a valid certificate for your MX hosts
    - TLS-RPT: _smtp._tls TXT record naming where senders report TLS delivery failures

  End-to-end encryption (for sensitive content):
    - Microsoft Purview Message Encryption: per-message encryption for external recipients (keys are held by Microsoft, so not end-to-end in the strict sense)
    - OpenPGP/GPG: client-level encryption (built into Thunderbird, Outlook with plugins)
    - S/MIME: certificate-based signing and encryption (requires PKI and certificate distribution to every client)
    - Portal-based or expiring secure messages (Virtru, Hushmail): recipient reads via a web portal; convenience rather than true end-to-end encryption

  Data Loss Prevention (DLP):
    - Scan outbound emails for sensitive data (PII, credit cards, SSN, IP)
    - Block or quarantine emails containing sensitive data
    - Encrypt emails automatically based on content classification
    - Custom rules for industry-specific data (HIPAA PHI, PCI card data)
    - Integration with Microsoft 365 Compliance Center or Google DLP

Layer 3: Authentication and Anti-Spoofing

  SPF (Sender Policy Framework):
    - DNS TXT record listing authorized sending IPs and included vendors
    - Example: v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all
    - Qualifiers: + (pass, the default), - (fail), ~ (softfail), ? (neutral)
    - Limit: 10 DNS-querying terms maximum (include, a, mx, ptr, exists, redirect count; ip4/ip6 do not); exceeding it is a permerror, which DMARC treats as SPF fail
    - Checking: dig TXT yourdomain, mxtoolbox.com SPF lookup; review every include for vendors you no longer use

  DKIM (DomainKeys Identified Mail):
    - Cryptographic signature over selected headers and the body; the d= tag names the signing domain
    - Public key published as a TXT record at selector._domainkey.domain
    - Selectors: keep several so keys can be rotated without an outage
    - M365: selector1 and selector2, published as CNAMEs to Microsoft-managed keys (2048-bit on newer tenants); rotate from the admin center
    - Google: 2048-bit key, default selector "google"; rotate periodically
    - Testing: send to an external mailbox and read the Authentication-Results header; dig TXT selector._domainkey.domain to confirm the key is published

  DMARC (Domain-based Message Authentication, Reporting, and Conformance):
    - Policy: none (monitor only), quarantine (deliver to spam folder), reject (refused at SMTP time)
    - Alignment: aspf=s|r and adkim=s|r; strict (s) requires the SPF-authenticated or DKIM d= domain to equal the From: domain exactly, relaxed (r, the default) accepts the same organizational domain
    - Reporting: rua (aggregate), ruf (forensic) email addresses for reports
    - Example: v=DMARC1; p=reject; rua=mailto:dmarc-aggregate@company.com; fo=1; adkim=s; aspf=s

    DMARC implementation roadmap:
      Phase 1 (Month 1–3): p=none; collect reports; analyze alignment
      Phase 2 (Month 4–6): p=quarantine; pct=10 (10% of non-compliant quarantined)
      Phase 3 (Month 7–9): p=quarantine; pct=100
      Phase 4 (Month 10+): p=reject; pct=100; continuous monitoring

  BIMI (Brand Indicators for Message Identification):
    - Display brand logo in inbox (Gmail, Apple Mail, Yahoo)
    - Requires: DMARC enforcement (p=quarantine with pct=100, or p=reject) on the domain; Gmail and Apple Mail also require a Verified Mark Certificate (VMC) for the logo
    - VMC cost: roughly $1,000–$1,500/year (DigiCert, Entrust); requires a registered trademark for the logo
    - DNS record: default._bimi.<domain> TXT "v=BIMI1; l=https://.../logo.svg; a=https://.../vmc.pem"
```
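The two checks above that operators most often get wrong are the SPF 10-lookup budget (it is counted through every `include:` and `redirect=`, not just the top record) and DMARC identifier alignment under strict versus relaxed mode, including how `sp=` applies to subdomain senders. The following is an added example, not code from this page or any vendor. The `ZONE` dictionary, the domains in it and the tiny public-suffix stand-in are all constructed for the example; replace the dictionary lookups with real TXT queries to run it against live domains. It also covers the per-domain SPF/DKIM/DMARC audit called for in the multi-domain edge case later on.

```python
"""Offline SPF lookup-count and DMARC alignment checker (added example).

DNS is replaced by the constructed ZONE dict and organizational-domain detection
uses a small stand-in for the public suffix list, so it runs with no network."""
import re

# Constructed zone: hypothetical domains only, standing in for TXT lookups.
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example "
                   "include:_spf.crm.example mx -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 include:_netblocks.mailhost.example "
                             "include:_netblocks2.mailhost.example -all",
    "_netblocks.mailhost.example": "v=spf1 ip6:2001:db8::/32 -all",
    "_netblocks2.mailhost.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.crm.example": "v=spf1 a mx include:_spf.mailhost.example ~all",
    "loose.example": "v=spf1 include:_spf.crm.example +all",          # authorizes the world
    "bloated.example": "v=spf1 include:_spf.crm.example include:_spf.crm.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; pct=100; adkim=s; aspf=r; "
                          "rua=mailto:dmarc@example.com",
}

# Terms that cost a DNS query against the RFC 7208 limit of 10 (ip4/ip6/all are free).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}   # stand-in for the real PSL


def spf_lookups(domain, zone=ZONE, path=frozenset()):
    """Return (dns_lookup_count, qualifier_of_all), recursing through include:
    and redirect= the way a receiver evaluating the record would."""
    if domain in path:
        raise ValueError(f"SPF include loop through {domain}")
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0, None                          # no record: receiver result is 'none'
    count, all_qual, redirect = 0, None, None
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        parts = re.split(r"[:=/]", term, maxsplit=1)
        name, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if name in LOOKUP_TERMS:
            count += 1
        if name == "all":
            all_qual = qual
        elif name == "include":
            count += spf_lookups(arg, zone, path | {domain})[0]
        elif name == "redirect":
            redirect = arg
    if redirect and all_qual is None:           # redirect= is ignored when 'all' is present
        sub, all_qual = spf_lookups(redirect, zone, path | {domain})
        count += sub
    return count, all_qual


def spf_findings(domain, zone=ZONE):
    """The findings a practitioner acts on: lookup budget and the terminal qualifier."""
    if not zone.get(domain, "").startswith("v=spf1"):
        return ["no SPF record published"]
    count, all_qual = spf_lookups(domain, zone)
    findings = []
    if count > 10:
        findings.append(f"{count} DNS lookups exceeds the limit of 10 (permerror at receivers)")
    if all_qual in ("+", None):
        findings.append("+all or missing all: every sender on the internet passes SPF")
    elif all_qual == "?":
        findings.append("?all is neutral and gives no spoofing protection")
    return findings


def org_domain(fqdn):
    """Organizational domain: the label directly under a public suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return fqdn.lower()


def parse_dmarc(record):
    return {k.lower(): v.strip() for k, v in re.findall(r"([A-Za-z]+)\s*=\s*([^;]*)", record)}


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_evaluate(header_from, spf_domain, spf_result, dkim_domain, dkim_result, zone=ZONE):
    """What a receiver does with one message: (disposition, passed).
    disposition is the policy applied on failure ('none' on pass or when no policy exists)."""
    org = org_domain(header_from)
    record, from_org = zone.get(f"_dmarc.{header_from}"), False
    if not record:
        record, from_org = zone.get(f"_dmarc.{org}"), True
    if not record:
        return "none", None                     # no DMARC policy: nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "none", True
    policy = tags.get("p", "none")
    if from_org and header_from.lower() != org and "sp" in tags:
        policy = tags["sp"]                     # subdomain policy covers non-org senders
    return policy, False                        # pct= is the receiver's sampling rate on top


if __name__ == "__main__":
    for d in ("example.com", "loose.example", "bloated.example"):
        print(d, spf_lookups(d), spf_findings(d))
    print(dmarc_evaluate("news.example.com", "mailhost.example", "pass", "mailhost.example", "pass"))
```

The constructed `example.com` record sits exactly at the 10-lookup limit once its includes are expanded, which is the situation that silently breaks the day a vendor adds one more nested include. The DMARC evaluation shows why `adkim=s` with vendor signing on a subdomain fails alignment, and why a subdomain sender without its own `_dmarc` record inherits `sp=` rather than `p=`.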

## Email Deliverability

```
EMAIL DELIVERABILITY FRAMEWORK
===============================

Deliverability metrics:

  Metric                        Target        Monitor Frequency
  ────────────────────────────  ────────────  ─────────────────
  Inbox placement rate          > 95%         Daily
  Bounce rate                   < 2%          Daily
  Spam complaint rate           < 0.1%        Daily
  Authentication pass rate      > 99%         Weekly
  DNS resolution success        > 99.9%       Continuous
  SMTP acceptance rate          > 98%         Daily
  Blacklist status              Clean         Daily monitoring

IP and domain reputation:

  IP reputation factors:
    - Sending volume consistency (sudden spikes hurt reputation)
    - Engagement rate (opens, clicks — low engagement = spam signal)
    - Complaint rate (< 0.1% target)
    - Bounce rate (< 2% target)
    - Spam trap hits (avoid at all costs — purchased lists contain spam traps)
    - Authentication (SPF, DKIM, DMARC all passing)
    - TLS usage (> 95% of mail sent over TLS)

  Domain reputation factors:
    - Age of domain (newer domains start with neutral/unknown reputation)
    - Historical sending patterns
    - DMARC policy strength (reject = trust signal)
    - Brand recognition (known brands benefit from trust)
    - Blacklist status (monitor all major blacklists)

  Blacklist monitoring:
    - Major blacklists: Spamhaus ZEN, Spamcop, Barracuda, SURBL, URIBL
    - Monitoring tools: mxtoolbox.com, multirbl.valli.org, abuseipdb.com
    - Action if listed: identify cause, remediate, submit delisting request
    - Prevention: never buy email lists; implement double opt-in; honor unsubscribe promptly

  Deliverability best practices:
    1. Separate IPs for transactional and marketing email
    2. Warm up new IPs gradually (100 emails/day → 10,000/day over 4 weeks)
    3. Implement double opt-in for all marketing subscriptions
    4. Clean email lists quarterly (remove inactive subscribers)
    5. Honor unsubscribe requests within 2 days (Gmail and Yahoo bulk-sender requirement; CAN-SPAM allows 10 business days)
    6. Send at consistent times and volumes
    7. Monitor sender reputation (Validity Sender Score at senderscore.org, Google Postmaster Tools)
    8. Use dedicated IP for volumes > 10,000 emails/day
```

## Email Migration

```
EMAIL MIGRATION PLAYBOOK
==========================

Scenario: On-Premises Exchange → Microsoft 365

  Pre-migration planning (4–8 weeks before):

    Assessment:
      - Inventory: mailbox count, total data size, public folders, shared mailboxes
      - Dependencies: third-party integrations, transport rules, connectors
      - Custom configurations: retention policies, journaling, archiving
      - User readiness: training needs, communication plan
      - Network readiness: bandwidth for data transfer (estimate: total mailbox size ÷ bandwidth)

    Infrastructure preparation:
      - Microsoft Entra Connect (formerly Azure AD Connect): install and configure directory synchronization
      - Exchange hybrid configuration wizard: set up hybrid topology
      - DNS: leave MX records pointing on-prem until cutover; lower TTLs (e.g. 300 s) a week ahead so the switch propagates quickly
      - Licensing: assign Microsoft 365 licenses to all users
      - Network: ensure sufficient bandwidth (1 Gbps recommended for > 500 users)

  Migration approaches:

    Cutover migration (small organizations, < 2,000 mailboxes; Microsoft recommends ≤ 150 in practice):
      - Single migration batch; all users moved at once
      - Downtime: 4–8 hours (maintenance window)
      - Process: final sync → MX record switch → users redirected to cloud
      - Best for: simple environments, minimal dependencies

    Staged migration (medium organizations, 2,000–5,000 mailboxes; supported only for Exchange 2003/2007 sources, newer versions use hybrid):
      - Multiple batches over weeks/months
      - Each batch: create migration batch → sync → cut over batch
      - Coexistence: on-prem and cloud operate simultaneously
      - Downtime per batch: 1–2 hours (scheduled during off-hours)
      - Best for: gradual transition, business continuity

    Hybrid migration (large organizations, 5,000+ mailboxes):
      - Exchange hybrid topology (full coexistence)
      - Move requests: mailbox-by-mailbox or batch migration
      - Autodiscover: redirected to cloud for migrated users
      - Shared mailbox access across on-prem and cloud
      - Timeline: 3–12 months depending on organization size
      - Best for: enterprises with complex requirements

  Migration execution (per batch):

    T-7 days:
      - Notify affected users (migration date, expected downtime, preparation steps)
      - Freeze mailbox changes (no new mailboxes, rules, or configurations)
      - Pre-stage migration batch (initial sync in background)

    T-1 day:
      - Final pre-sync (sync changes since initial sync)
      - Verify mailbox data integrity (compare item counts)
      - Prepare rollback plan

    T-0 (migration day):
      - Complete final sync
      - MX record update (or mail flow redirection in hybrid)
      - Autodiscover record update (redirect to cloud)
      - Test: send/receive test for sample mailboxes
      - User communication: "migration complete, use Outlook/OWA as normal"

    T+1 day:
      - Monitor for issues (delivery problems, calendar issues, rules)
      - Support hotline for migration-related issues
      - Resolve remaining issues within 48 hours

  Post-migration:
    - Decommission on-prem Exchange (after 30–60 day validation period)
    - Clean up DNS records (old MX, Autodiscover)
    - Retire on-prem servers (data wiped, hardware recycled)
    - Document lessons learned
    - User training follow-up (new features, OWA vs. Outlook)

  Migration data sizing estimation:
    Average mailbox size: 2–10 GB per user
    Total data: mailbox count × average size
    Transfer time: total data ÷ network bandwidth
    Example: 500 users × 5 GB = 2,500 GB; at 100 Mbps that is 2,500 × 8,000 Mb ÷ 100 Mbps = 200,000 s ≈ 56 hours (≈ 5.6 hours at 1 Gbps), before protocol overhead and service-side throttling

  Common migration issues:
    - Autodiscover not redirecting: DNS TTL too long; wait for propagation or update immediately
    - Calendar sharing broken: shared mailbox permissions not migrated; re-assign
    - Rules not migrated: some transport rules need manual recreation
    - Public folders: require separate migration project (public folder to SharePoint/Online PF)
    - Large mailboxes (> 50 GB): slower migration; start their batches early so only the incremental sync remains at cutover, and move bulk archive data through the PST import service (network upload or drive shipping)
```
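The sizing arithmetic above is easy to get wrong by a factor of ten through a unit slip (GB versus Gb), and it is only the first input to batch planning. The example below is added here, not Microsoft tooling: it exposes the transfer-time formula with an efficiency factor for overhead and throttling, packs a constructed mailbox inventory into nightly move windows with first-fit-decreasing, and reports mailboxes too large for any single window so they can be pre-staged. All mailbox names and sizes are constructed.

```python
"""Mailbox migration batch planner (added example, not Microsoft tooling).

Assumes decimal units (1 GB = 8,000 Mb), a fixed nightly move window and
first-fit-decreasing packing. MAILBOXES is a constructed inventory."""

# Constructed inventory: (mailbox, size in GB).
MAILBOXES = [
    ("ceo", 200), ("legal-shared", 150), ("finance-shared", 150), ("sales1", 120),
    ("eng1", 100), ("eng2", 80), ("hr", 60), ("intern", 40), ("archive-legacy", 400),
]


def transfer_hours(total_gb, mbps, efficiency=1.0):
    """Wall-clock hours to move total_gb at mbps line rate; efficiency < 1 models
    protocol overhead and migration-service throttling (0.5-0.7 is a realistic start)."""
    return total_gb * 8000 / (mbps * efficiency) / 3600


def window_capacity_gb(mbps, window_hours, efficiency=1.0):
    """Data that fits into one move window at the effective rate."""
    return mbps * efficiency * window_hours * 3600 / 8000


def plan_batches(mailboxes, mbps, window_hours, efficiency=1.0):
    """Pack mailboxes into nightly batches (first-fit-decreasing).
    Returns (batches, oversized): batches is a list of name lists in move order;
    oversized holds mailboxes larger than one window, which need pre-staging."""
    cap = window_capacity_gb(mbps, window_hours, efficiency)
    oversized = [name for name, gb in mailboxes if gb > cap]
    fit = sorted((m for m in mailboxes if m[1] <= cap), key=lambda m: -m[1])
    batches, loads = [], []
    for name, gb in fit:
        for i, load in enumerate(loads):          # first batch with room
            if load + gb <= cap:
                batches[i].append(name)
                loads[i] += gb
                break
        else:                                     # no room anywhere: open a new night
            batches.append([name])
            loads.append(gb)
    return batches, oversized


def plan_summary(mailboxes, mbps, window_hours, efficiency=1.0):
    total = sum(gb for _, gb in mailboxes)
    batches, oversized = plan_batches(mailboxes, mbps, window_hours, efficiency)
    return {
        "total_gb": total,
        "continuous_hours": round(transfer_hours(total, mbps, efficiency), 1),
        "nights": len(batches),
        "batches": batches,
        "pre_stage": oversized,
    }


if __name__ == "__main__":
    print(plan_summary(MAILBOXES, mbps=100, window_hours=8))
    print(round(transfer_hours(2500, 100), 1), "h at 100 Mbps;",
          round(transfer_hours(2500, 1000), 1), "h at 1 Gbps")
```

With an 8-hour window at 100 Mbps the capacity is 360 GB per night, so the 400 GB legacy archive is reported for pre-staging rather than silently scheduled into a window it cannot finish, which is the failure the "large mailboxes" issue above describes.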

## Integration Points

- **Microsoft 365** (Exchange Online, Teams, SharePoint): Complete email and collaboration platform; admin center for management; PowerShell for automation
- **Google Workspace Admin Console**: Email management, security settings, migration tools; Google Vault for archiving
- **Mimecast**: Cloud email security gateway; archiving; continuity; reporting; integrates with M365 and Google
- **Proofpoint**: Email security; TAP (Targeted Attack Protection); DLP; archiving; integrates with major platforms
- **Barracuda Email Protection**: Spam filtering; encryption; archiving; compliance; cloud or on-prem deployment
- **Amazon SES / SendGrid / Mailgun / Postmark**: Transactional email services; high deliverability; API integration; roughly $0.10–$0.80 per 1,000 emails
- **DMARC reporting** (dmarcian, Valimail, Postmark's DMARC tool): DMARC report aggregation and analysis; visualization; recommendations
- **Email monitoring** (Email on Acid, GlockApps, Mail-Tester): Rendering and deliverability testing; inbox placement monitoring; spam score analysis

## Edge Cases

- **Bulk/transactional email at scale** (e-commerce, SaaS sending 100K+ emails/day): Dedicated IP pool (10–50 IPs); IP warm-up process (4–8 weeks); dedicated sending domains/subdomains (mail.company.com, newsletter.company.com) so a marketing incident cannot burn the corporate domain's reputation; real-time reputation monitoring; on a reputation drop, pause sending from the affected IP and find the cause (rotating to fresh IPs to outrun a listing is spammer behaviour and blocklists treat it as evasion); bounce and complaint processing within 1 hour
  - Service selection: Amazon SES ($0.10/1,000), SendGrid ($15–$300/month), Mailgun ($35–$2,500/month), Postmark ($15–$3,000/month)
  - Compliance: CAN-SPAM (US), GDPR (EU), CASL (Canada) — all require unsubscribe mechanism, physical address, honest headers
  - Deliverability rate: target > 98% inbox placement; < 0.1% complaint rate

- **Email during security breach** (compromised account sending malicious emails): Immediate account lock; revoke all active sessions and tokens; review sent items for last 72 hours; notify recipients of compromised emails; reset credentials; enable MFA if not already active; review forwarding rules (common persistence mechanism); scan all devices for malware
  - Detection: user reports, DMARC reports, security team alert, unusual sending volume
  - Containment: disable account within 5 minutes of detection
  - Investigation: review OAuth app consents (remove unknown apps); check inbox and transport rules; review forwarding and redirect targets; check MFA methods and devices registered on the account for attacker-added entries
  - Recovery: clean account, reset passwords, re-enable with MFA, monitor for 7 days

- **Email continuity during outage** (cloud provider goes down): Email continuity service (Mimecast, Proofpoint) caches emails locally during outage; processes when service restored; for on-prem: backup mail server with local queue; communication via backup channel (SMS, Slack, phone tree)
  - RTO target: < 15 minutes for continuity service activation
  - Email queue: process backlog within 1 hour of service restoration
  - Communication plan: pre-defined backup channels for internal communication

- **Multi-domain email management** (acquisitions, rebrands, multiple brands): Each domain needs separate SPF, DKIM, DMARC records; manage sending reputation per domain; consider branded inboxes (BIMI logos per brand); migrate users gradually during rebrand; maintain old domain for receiving (forwarding) for 12–24 months post-rebrand
  - DMARC monitoring: per-domain aggregate and forensic reports
  - Sender reputation: domain-specific; new domains need warm-up
  - Legal: maintain email records for old domain per retention requirements

- **Regulatory email compliance** (financial services, healthcare, legal): FINRA rules and SEC Rule 17a-4 require 6-year retention with the first 2 years readily accessible; HIPAA requires 6-year retention of required documentation; SOX requires 7-year retention of audit-related records; GDPR requires data minimization and grants a right to erasure, which is reconciled with retention through the legal-obligation exemption (Art. 17(3)(b)) and legal holds; implement automatic classification and retention policies
  - Archiving solution: must be tamper-proof (WORM storage); searchable; exportable for legal requests
  - Cost: $2–$10 per user/month for compliant archiving
  - Legal hold: freeze deletion for specific users/custodians during litigation
  - eDiscovery: search across all archived content; export in EML/PST/PDF format

- **Email migration with custom integrations** (CRM, ERP, ticketing systems connected to email): Inventory all email integrations before migration; test each integration in staging; update SMTP settings and API endpoints; verify OAuth credentials; test end-to-end email workflows; plan for API changes (M365 Graph API vs. EWS deprecation)
  - EWS deprecation: Microsoft is retiring Exchange Web Services for Exchange Online on October 1, 2026; migrate integrations to Microsoft Graph before then
  - Testing: create integration test checklist; validate before go-live
  - Timeline: add 2–4 weeks for integration testing during migration planning
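For the compromised-account case above, the inbox-rule review is the containment step most often done by eye. The added example below (not Microsoft or Google code) scores a list of rules the way an incident responder would: external forward or redirect, delete or move into folders the user never opens, near-empty names, and conditions on security or payment keywords. `RULES` is a constructed sample shaped like Microsoft Graph `messageRule` objects; the `moveToFolderName` field is an assumption of this example, since Graph returns a folder id that would be resolved first. In production the `value` list from `GET /users/{id}/mailFolders/inbox/messageRules` would be passed in.

```python
"""Inbox-rule triage for a suspected compromised mailbox (added example).

RULES is a constructed sample shaped like Microsoft Graph messageRule objects.
moveToFolderName is a pre-resolved folder name assumed by this example."""

INTERNAL_DOMAINS = {"example.com"}
# Folders attackers use to park mail the victim should not notice.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}
# Substrings suggesting the rule targets security notices or payment traffic.
KEYWORDS = {"password", "invoice", "payment", "wire", "bank", "phish", "suspicious",
            "security", "hacked", "mfa"}

# Constructed sample, not a real export.
RULES = [
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "ap.team@mail.example.net"}}],
                 "delete": True, "markAsRead": True}},
    {"displayName": "Move newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolderName": "Newsletters"}},
    {"displayName": "..", "isEnabled": True,
     "conditions": {"bodyContains": ["password reset", "suspicious sign-in"]},
     "actions": {"moveToFolderName": "RSS Feeds", "markAsRead": True}},
    {"displayName": "Old forward to personal", "isEnabled": False,
     "conditions": {},
     "actions": {"redirectTo": [{"emailAddress": {"address": "me@personal.example.org"}}]}},
]


def _recipients(entries):
    return [e["emailAddress"]["address"].lower() for e in entries or []]


def _is_external(address):
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def triage_rule(rule):
    """Return {'rule', 'severity', 'findings'} for one rule."""
    name = rule.get("displayName", "")
    actions = rule.get("actions") or {}
    conds = rule.get("conditions") or {}
    findings = []
    if not name.strip(" .,-_"):
        findings.append("near-empty rule name, a common way to hide a rule from the user")
    targets = []
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        targets += _recipients(actions.get(key))
    external = sorted({a for a in targets if _is_external(a)})
    if external:
        findings.append("forwards or redirects to external address(es): " + ", ".join(external))
    if actions.get("delete"):
        findings.append("deletes matching messages")
    folder = (actions.get("moveToFolderName") or "").lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves matching messages to '{actions['moveToFolderName']}'")
    terms = [t.lower() for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
             for t in conds.get(key) or []]
    hits = sorted({kw for kw in KEYWORDS if any(kw in t for t in terms)})
    if hits:
        findings.append("filters on sensitive keywords: " + ", ".join(hits))
    hides = bool(actions.get("delete")) or folder in HIDING_FOLDERS
    if external or (hides and hits):
        severity = "high"          # exfiltration, or suppression of alerts/payment mail
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    if findings and not rule.get("isEnabled", True):
        severity = "low"
        findings.append("rule is disabled now but can be re-enabled; remove it anyway")
    return {"rule": name, "severity": severity, "findings": findings}


def triage_rules(rules):
    return [triage_rule(r) for r in rules]


def needs_action(report):
    """Rule names to delete during containment."""
    return [r["rule"] for r in report if r["severity"] in ("high", "medium")]


if __name__ == "__main__":
    for entry in triage_rules(RULES):
        print(entry["severity"].upper(), repr(entry["rule"]), entry["findings"])
```

Keyword matching is substring-based and will over-match ("bank" in "bankruptcy"); that is the right trade-off for an incident triage list, where a responder reviews each hit, but not for automated deletion. Transport rules and mailbox-level forwarding (`forwardingSmtpAddress`) are separate persistence mechanisms and need their own review.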
