GovDirect Mail: Email platform for govdirect.org
Security

Security posture for GovDirect Mail

Keep authentication tight, publish the right DNS records, and separate public web hosting from the mail host.

Authentication

Strong passwords, session expiration, optional 2FA, and admin-only reset controls.

Mail protection

SPF, DKIM, DMARC, TLS, rate limiting, spam filtering, and abuse monitoring.

Operations

Backups, audit trails, system alerts, quota monitoring, and incident response procedures.

Recommended policies

  • Separate admin and end-user accounts
  • Restrict admin access where possible
  • Use rate limits on outbound sending
  • Monitor failed logins and risky attachments
  • Back up configuration and mailbox data daily

DNS checklist

  • A record for mail.govdirect.org set to DNS only
  • MX records pointing to the mail host
  • SPF policy for authorized senders
  • DKIM public key record
  • DMARC policy with reporting mailbox

Important: Keep the website and the actual mail host separate. Do not place SMTP or IMAP behind a reverse proxy that breaks mail protocols.
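
The DNS checklist above can be audited mechanically. The following is an added example, not GovDirect's own tooling: it checks a set of records against each checklist item. The sample records are constructed, the IP address is from the RFC 5737 documentation range, and the DKIM selector `selector1` and the `dmarc@` reporting address are assumptions.

```python
import re

# Constructed sample zone data (not real GovDirect records). The IP is from the
# RFC 5737 documentation range; the DKIM selector "selector1" is hypothetical.
SAMPLE = {
    "A": {"mail.govdirect.org": ["192.0.2.10"]},
    "MX": {"govdirect.org": [(10, "mail.govdirect.org")]},
    "TXT": {
        "govdirect.org": ["v=spf1 mx -all"],
        "selector1._domainkey.govdirect.org": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
        "_dmarc.govdirect.org": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@govdirect.org"],
    },
}

def tags(txt):
    """Parse 'k=v; k=v' TXT syntax (DKIM, DMARC) into a dict."""
    return dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)

def check(zone, domain, mail_host, selector):
    """Return a list of checklist failures; an empty list means all pass."""
    problems = []
    txt = zone.get("TXT", {})
    if not zone.get("A", {}).get(mail_host):
        problems.append(f"no A record for {mail_host}")
    mx = zone.get("MX", {}).get(domain, [])
    if not any(host.rstrip(".") == mail_host for _, host in mx):
        problems.append(f"no MX for {domain} pointing to {mail_host}")
    spf = [t for t in txt.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208: more than one SPF record is a permerror
        problems.append(f"expected exactly 1 SPF record, found {len(spf)}")
    elif not re.search(r"(^|\s)[-~]all$", spf[0].strip()):
        problems.append("SPF does not end in -all or ~all")
    dkim = [tags(t) for t in txt.get(f"{selector}._domainkey.{domain}", [])]
    if not any(d.get("p") for d in dkim):  # empty p= means the key is revoked
        problems.append("DKIM record missing or has empty public key")
    dmarc = [tags(t) for t in txt.get(f"_dmarc.{domain}", []) if t.startswith("v=DMARC1")]
    if not dmarc:
        problems.append("no DMARC record")
    else:
        if dmarc[0].get("p") not in ("none", "quarantine", "reject"):
            problems.append("DMARC p= tag missing or invalid")
        if not dmarc[0].get("rua", "").startswith("mailto:"):
            problems.append("DMARC has no rua= reporting mailbox")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE, "govdirect.org", "mail.govdirect.org", "selector1") or "all checks pass")
```

To audit live records, fill the same dictionary shape from a resolver of your choice; the checks themselves stay unchanged.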