Securing campaign email accounts

The silent killer of outbound campaigns isn't bad copy—it's poor inbox deliverability with no fall-back. Most SaaS companies operate with a single sending domain, creating a single point of failure for their entire pipeline. Here's what the top 10% of outbound teams implement: 1. Primary domain (used for most company communications) 2. Secondary domains (warmed 2-6 weeks before campaign use) - Different IP and domains than primary - SPF/DKIM/DMARC records - Routine inbox placement + blacklist monitoring  3. Tertiary backup domains (fully warmed but unused) - Complete isolation from domains 1 & 2 - Ready for immediate deployment if needed This three-domain architecture creates redundancy. It'll protect against deliverability disasters when algorithms change. It takes about a month to fully prepare—but it's insurance against the most common outbound failure: sudden email reputation collapse. The companies that use this architecture survive even in the roughest of times.

I almost gave hackers access to millions in client Google Ads accounts yesterday. Here's the phishing attack that nearly destroyed my agency: Contact form submission: "$120k/month spend, need audit ASAP, want to hire immediately." This was Red flag #1. (But I missed it because we all love fast-moving prospects.) Two hours later: "Google Ads invitation" hits my inbox. Perfect Google logo. Official formatting. Real customer ID. Looked completely legitimate. I clicked "Accept." Then I saw the sender: adssolutionnoreply@googlemail.com Not @google.com. @googlemail.com. I'd already entered my credentials on their fake login page. Emergency response: ✔Changed password twice ✔Forced logout on all devices ✔Removed email from MCC immediately ✔Audited access logs on client accounts ✔Reviewed all recent account changes This could have been catastrophic. Client budgets, campaign data, payment methods - everything was at risk. The contact came from someone using the name "Lewis Ingall" (found on LinkedIn: Lewis Ingall). I'm sharing this publicly so other agencies can avoid this scammer. 🚨 Red flags I should have caught: ✔Sender domain not @google.com ✔High-spend prospect demanding immediate action ✔Fake invite requiring password re-entry ✔No actual account access after clicking Accept I've attached screenshots of the fake email and phishing page so you can see exactly what this looks like. Study these images - this scam is incredibly convincing. Critical reminder: Google will NEVER ask you to re-enter your password through an email link. If you manage Google Ads, you're a target. These attacks are getting more sophisticated every week. Have you encountered similar phishing attempts? What's your security protocol for protecting client accounts?

It doesn’t come with a red warning. Just a friendly subject line. A payment reminder. A meeting request. A shared file. But behind that one innocent-looking email? Could be the start of a breach. Your inbox is the most exploited entry point for cyberattacks today. Phishing. Business Email Compromise. Social engineering. These aren't rare events—they're routine tactics, designed to fool even your smartest team members. But you can protect your inbox. 🔹 𝐓𝐫𝐚𝐢𝐧 𝐲𝐨𝐮𝐫 𝐭𝐞𝐚𝐦 like it’s the front line—because it is. Teach them to spot red flags: urgency, vague requests, mismatched URLs. 🔹 𝐈𝐦𝐩𝐥𝐞𝐦𝐞𝐧𝐭 𝐞𝐦𝐚𝐢𝐥 𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐭𝐨𝐨𝐥𝐬. Use filters, link scanners, DMARC, SPF, and DKIM to catch spoofed or malicious emails before they hit the inbox. 🔹 𝐑𝐮𝐧 𝐫𝐞𝐠𝐮𝐥𝐚𝐫 𝐬𝐢𝐦𝐮𝐥𝐚𝐭𝐢𝐨𝐧𝐬. Test your team's response to fake phishing attempts. Awareness fades fast—practice keeps it sharp. 💡 Security doesn’t start with firewalls. 𝘐𝘵 𝘴𝘵𝘢𝘳𝘵𝘴 𝘸𝘪𝘵𝘩 𝘱𝘦𝘰𝘱𝘭𝘦. What’s the most convincing phishing attempt you or your team has seen lately? Drop it down in the comments below. #CyberSecurity #EmailSecurity #Phishing

Many claim email deliverability is about engagement. But it's not. You can apply all the best sending practices, but if a threat actor sends 10x your regular volume in phishing emails from your accounts, whether through hijacked credentials or because DMARC is sitting at p=none - none of those practices actually matter. If there's no security foundation in place and your domain & associated IPs end up on Spamhaus, SURBL, etc, your emails won't make it through. Foundation first, surface-level stuff later. DKIM, SPF, and DMARC are a great starting point, but first ensure #DMARC is at p=reject, DNS records are locked, MFA is enabled, and API keys are rotated and monitored. Security isn't a deliverability add-on. It's the engine. Nobody builds a car by starting with the body. You do the internal work first, then put the shell on top. #EmailDeliverability #EmailSecurity

👺 The recent Microsoft 365 #DirectSendAbuse phishing campaigns are a perfect example of how understanding email & DNS security has fallen by the wayside by many... It's just one of many vectors to bypass email security... 📧 From a #RedTeaming perspective, other common vulnerabilities beyond Direct Send that can be abused in social engineering engagements include SMTP smuggling, leveraging unauthenticated SMTP relays, using SPF break vulnerabilities with overly permissive SPF records that permit office WAN IPs or untrusted sources, and performing DNS poisoning on devices sending email via authenticated SMTP. 🛡️ All of those are reasons why security teams need to pay close attention to their SPF, DKIM, and DMARC configurations as well as implement DNSSEC, MTA-STS, and DANE. For those who might not be familiar, DNSSEC protects against DNS spoofing and cache poisoning attacks, ensuring that domain name requests are authenticated and tamper-proof. Without DNSSEC, attackers can manipulate DNS responses to redirect users to malicious websites or hijack email communications. MTA-STS enforces email encryption in transit, preventing downgrade attacks where attackers force email servers to communicate over unencrypted connections. DANE ensures the authenticity of TLS certificates used in email encryption, protecting against man-in-the-middle (MITM) attacks and rogue certificate authorities issuing fraudulent certificates. Both MTA-STS and DANE work in conjunction with DNSSEC, so you'll need DNSSEC set up first before moving on to the other two. Below are helpful configuration guides for folks; extra kudos to anyone who implements DNS cookies as well, haha. 📰 News: - https://lnkd.in/gpMwiQxx - https://lnkd.in/gAMU8utB 📚 Guides: - Disable Direct Send in Office 365 - https://lnkd.in/gDvqHeRM - Using Authenticated SMTP with Multi-function Printer Mailboxes - https://lnkd.in/grxDa9M2 - Configuring DKIM in Exchange Online & Defender for Office 365 - https://lnkd.in/gWAfFUFZ - How DNSSEC Works - https://lnkd.in/gMw4i2t4 - Configuring MTA-STS in Exchange Online & Defender for Office 365 - https://lnkd.in/gmmpYvPs - Configuring DANE in Exchange Online & Defender for Office 365 - https://lnkd.in/gZXfB3Tj

I am excited to share insights from our recent exploration into Email Security. As cybersecurity professionals, securing our email communications is critical to our perimeter defense. In this CCD module, I reinforced and implemented email security defenses to strengthen a domain’s integrity and protect against email-based threats. Here’s an overview of the steps taken and the lessons learned: Sender Policy Framework (SPF): Configuring SPF records to ensure that only authorized email servers can send emails on behalf of our domain. This step is foundational in preventing email spoofing and enhancing email integrity. DomainKeys Identified Mail (DKIM): Implemented DKIM to add a digital signature to emails, ensuring that the content remains unaltered during transit. By analyzing email headers, I gained a deeper understanding of how DKIM selectors function and their role in email authentication. Domain-based Message Authentication, Reporting & Conformance (DMARC): DMARC enabled me to define policies for handling emails that fail SPF or DKIM checks. I also utilized DMARC reports to monitor and analyze email activities, helping me identify any unauthorized attempts to use the domain. Brand Indicators for Message Identification (BIMI): I explored BIMI, which allows organizations to display their brand logos in recipients' inboxes. Implementing BIMI not only strengthens brand visibility but also instills greater trust among email recipients. Tools and Techniques Utilized: DNS Lookups: Employed tools like dig to query DNS records for SPF, DKIM, DMARC, and BIMI. Email Header Analysis: Inspected headers to verify authentication results and selectors. Online Services: Leveraged platforms like MXToolbox to streamline and validate our DNS queries. Key Takeaways: Email Authentication: Proper configuration of SPF, DKIM, and DMARC is essential to secure email communications and prevent phishing attacks. Regular Monitoring: Continuous analysis of DMARC reports is vital to detect and address unauthorized email activities. Brand Enhancement: Implementing BIMI can significantly improve brand recognition and trust in email communications. #EmailSecurity #CyberSecurity #SPF #DKIM #DMARC #BIMI #TechInsights #CyberDefenders

Before copy, before offers, before personalization… your emails need to land in the inbox If you're doing [X] - sending emails straight from a fresh domain without setup Switch to warming and proper infrastructure first, because inbox providers will flag you immediately. 1. Disable Tracking Links Tracking pixels and link tracking often trigger spam filters. They add extra redirects → suspicious behavior They signal “mass outreach tool” What works: Use plain links or no links at all in the first email. Focus on getting a reply, not a click. 2. Use Multiple Mailboxes per Domain One inbox blasting emails = high risk. Spread volume across 2–3 inboxes per domain Example: john@ mike@ Why it matters: Lower activity per inbox = more natural sending pattern. 3. Mix Google and Outlook Accounts Email providers watch patterns. If all your emails come from one ecosystem, it’s easier to detect. Better approach: 50% Google Workspace 50% Outlook This creates diversity and reduces risk signals. 4. Warm Up Your Domains (Minimum 2 Weeks) New domains have zero trust. If you're doing [X] sending emails immediately after setup - switch to warming first, because cold domains get flagged fast. Simple process: Start with 5–10 emails/day Gradually increase Use real conversations or warm-up tools Goal: build history that looks human. 5. Use Separate Domains for Outreach Never send cold emails from your main domain. Why: Protect your brand domain reputation Avoid affecting your core business emails Example: Main: yourcompany.com Outreach: yourcompany.co / getyourcompany.com 6. Set Up SPF, DKIM, and DMARC Properly Skip this and your emails won’t be trusted. These are your authentication signals: SPF → confirms sender DKIM → verifies message integrity DMARC → tells servers how to handle failures No setup = low deliverability, even with great copy 7. Keep Volume Low (Max ~20 Emails/Day per Inbox) More volume doesn’t mean more results. Among outbound campaigns, accounts sending lower daily volume tend to last longer and perform better. What works: 10–20 emails per inbox per day Scale by adding inboxes, not volume That's it!