Email security guide

Vendor Evaluation Guide

Questions to ask email platforms, marketing tools, and SaaS vendors.

Authentication support

Ask whether the vendor supports SPF alignment, DKIM signing, custom domains, and clear setup documentation.

Operational clarity

A good vendor can explain exactly what DNS records are needed and what happens when they change infrastructure.

Exit cleanup

When a vendor is retired, remove its DNS records and update the sender inventory.

Practical context

How to use this guidance

Email vendors should make authentication easy to understand, test, and maintain. If a vendor cannot explain its sending model, the risk lands on your domain.

A practical example

Imagine a team reviewing vendor evaluation guide after a new software vendor starts sending customer-facing mail. The immediate question is not whether the setup uses the right acronym; it is whether the business can explain the sender, prove that it is authorized, and spot problems before customers or employees lose trust.

That review usually starts with authentication support. From there, the team should compare the intended workflow with real message samples, provider settings, and any reporting data that shows how receivers are treating the mail. This turns the topic from an abstract security idea into a manageable operating task.

Action checklist

  • Ask for SPF, DKIM, DMARC, bounce, and custom-domain details before purchase.
  • Request sample headers or implementation documentation.
  • Confirm who manages DNS changes and renewals.
  • Record cleanup steps for offboarding.

Common traps

  • Approving a vendor before understanding its sending domain requirements.
  • Letting vendors share generic sending identities for important mail.
  • Forgetting to remove records after cancellation.

Questions to ask internally

  • Does this vendor support aligned authentication?
  • How will we test before production?
  • What happens if the vendor changes infrastructure?

Evidence to gather

Good decisions are easier when the team works from evidence instead of memory. For this topic, collect enough detail to connect technical records with the business process they support.

  • A recent sample message from each important sending path.
  • The DNS records or provider settings connected to the sender.
  • The business owner who can confirm whether the sender is still needed.
  • Any recent support tickets, delivery problems, or suspicious-message reports.
  • The decision log for changes made after the review.

Review rhythm

Review this area whenever a new email platform is launched, a domain or subdomain is added, a vendor is retired, or a suspicious message is reported. For stable environments, a quarterly review is usually enough to catch drift before it becomes an urgent delivery or impersonation problem.

Keep the review lightweight. The useful output is a short list of confirmed senders, open questions, owner names, and next actions. If that list is understandable to IT, finance, marketing, and leadership, the email security program is much easier to maintain.

What good looks like

A good vendor evaluation prevents rushed DNS changes and gives the business a clean path from onboarding through offboarding.

Where Lappu AI fits

Teams that want help turning these ideas into a working DMARC, DKIM, and SPF plan can review the email security work at Lappu AI.

Further reading

Useful resources