Email security

SPF, DKIM, DMARC enforced. MTA-STS and TLS-RPT live. Open-records compliant.

Email is how a $425,000 wire transfer left Smithville, TN. Without SPF + DKIM + DMARC at p=reject, anyone on the internet can send mail “from” mayor@yourtown.gov — and your residents, vendors, and bank can’t tell which message is real. YesGov configures the full stack and monitors it in production.

What we configure

Five records, two reporting endpoints, one archived audit trail.

Each control is checked nightly against the same baseline our open-data scanner runs against every U.S. government domain.

01 / SPF

SPF record — strict

The exact list of servers allowed to send for your domain. Anything else fails authentication at the receiver.

SPF guide →
02 / DKIM

DKIM signing

Outbound mail is cryptographically signed with a private key only you control. The receiver verifies the signature against the public key published in DNS.

DKIM guide →
03 / DMARC

DMARC at p=reject

Receivers reject unauthenticated mail outright — not quarantine, not none. Aggregate reports flow to a monitored endpoint.

DMARC guide →
04 / MTA-STS

MTA-STS enforce mode

Inbound mail can’t be downgraded from TLS by an attacker between mail servers. When TLS is stripped, sending servers that honor the policy refuse to deliver instead of falling back to plaintext.

MTA-STS guide →
05 / TLS-RPT

TLS-RPT reporting

Receivers send daily reports when mail TLS fails — you find out about a problem before residents do.

TLS-RPT guide →
06 / Records

Litigation hold & retention

Archiving and retention configured for state open-records statutes. Subpoena-ready exports on request.

Open-records guide →
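The five records above can be checked mechanically. The sketch below is an added example, not YesGov's scanner or baseline: it audits constructed sample records for the page's placeholder domain yourtown.gov against the posture this page names. It assumes that "strict" SPF means a record ending in `-all`, and the `pct` check, the `mailhost.example` include and the mailbox names are illustrative additions.

```python
# Constructed records for the placeholder domain yourtown.gov. A live audit would
# fetch them from DNS and https://mta-sts.yourtown.gov/.well-known/mta-sts.txt.
GOOD = {
    "spf": "v=spf1 include:_spf.mailhost.example -all",
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEF",  # truncated dummy key
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@yourtown.gov",
    "mta_sts": "v=STSv1; id=20240101T000000",
    "policy": "version: STSv1\nmode: enforce\nmx: mail.yourtown.gov\nmax_age: 604800",
    "tls_rpt": "v=TLSRPTv1; rua=mailto:tlsrpt@yourtown.gov",
}
WEAK = dict(GOOD, spf="v=spf1 include:_spf.mailhost.example ~all",
            dmarc="v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourtown.gov",
            policy=GOOD["policy"].replace("enforce", "testing"))

def tags(record):
    """Parse a 'k=v; k=v' TXT record into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def policy_fields(text):
    """Parse the 'key: value' lines of an MTA-STS policy file."""
    fields = {}
    for key, sep, value in (line.partition(":") for line in text.splitlines()):
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def audit(r):
    """Return {control: bool} for the posture named on this page."""
    spf = r["spf"].lower().split()
    dkim, dmarc = tags(r["dkim"]), tags(r["dmarc"])
    sts, pol, rpt = tags(r["mta_sts"]), policy_fields(r["policy"]), tags(r["tls_rpt"])
    return {
        # assumption: "strict" means a hard-fail default, i.e. the record ends in -all
        "spf": spf[:1] == ["v=spf1"] and spf[-1] == "-all",
        # an empty p= tag marks a revoked key
        "dkim": dkim.get("v", "DKIM1") == "DKIM1" and bool(dkim.get("p")),
        # pct below 100 applies the policy to only a sample of failing mail
        "dmarc": dmarc.get("v") == "DMARC1" and dmarc.get("p", "").lower() == "reject"
                 and dmarc.get("pct", "100") == "100"
                 and dmarc.get("rua", "").startswith("mailto:"),
        "mta_sts": sts.get("v") == "STSv1" and bool(sts.get("id"))
                   and pol.get("mode") == ["enforce"] and bool(pol.get("mx")),
        "tls_rpt": rpt.get("v") == "TLSRPTv1"
                   and rpt.get("rua", "").startswith(("mailto:", "https:")),
    }

if __name__ == "__main__":
    print({"good": audit(GOOD), "weak": audit(WEAK)})
```

The weak set fails on the three settings that look configured but do not enforce: SPF soft-fail (`~all`), DMARC at `p=quarantine` with `pct=50`, and MTA-STS in `testing` mode.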
Why it matters

The attacks email security stops — documented in the last 24 months.

Vendor invoice fraud

Spoofed-from wire transfer

Without DMARC at p=reject, anyone can send “from” mayor@yourtown.gov. Smithville, TN lost $425K to exactly this.

Blocked by: SPF + DKIM + DMARC p=reject
Mail interception

Inbound TLS downgrade

An attacker between mail servers strips TLS and reads or alters messages in transit — invisible to staff.

Blocked by: MTA-STS (enforce) + TLS-RPT
Phishing residents

Lookalike-from impersonation

Resident receives an “official” email demanding a fee. Without enforcement, your domain is the brand the attacker borrows.

Blocked by: DMARC enforcement at receivers
Records request

Missing audit trail

Open-records request comes in — you can’t produce the message, the metadata, or the chain of custody.

Blocked by: archiving + retention + litigation hold
Next step

Lock email down. Walk into the next council meeting with the report.

YesGov configures all five records, sets up the reporting endpoints, monitors the aggregate reports, and hands you a compliance document your insurer will accept.