Add email security posture skill

Author: JERVS Auditor

index.yaml

@@ -5,8 +5,8 @@
 
 meta:
   version: "1.0.0"
-  last_updated: "2026-03-05"
-  skill_count: 45
+  last_updated: "2026-06-05"
+  skill_count: 46
   role_count: 5
 
 tag_vocabulary:
@@ -517,6 +517,18 @@ skills:
     file: skills/network/dns-security/SKILL.md
     compatible_tools: [claude-code, gemini-cli, cursor, codex-cli, openclaw, kiro]
 
+  - id: email-security
+    name: "Email Security Posture Review"
+    tags: [network, email, spf, dkim, dmarc, mta-sts, tls-rpt]
+    role: [security-engineer, vciso]
+    phase: [operate, assess]
+    activity: [review, audit, assess]
+    frameworks: [RFC-9989, RFC-9990, RFC-9991, RFC-7208, RFC-6376, RFC-8461, RFC-8460, CISA-BOD-18-01]
+    difficulty: intermediate
+    time_estimate: "45-90min"
+    file: skills/network/email-security/SKILL.md
+    compatible_tools: [claude-code, gemini-cli, cursor, codex-cli, openclaw, kiro]
+
   # -- DevSecOps ------------------------------------------------------------
   - id: pipeline-security
     name: "CI/CD Pipeline Security Review"

skills/network/email-security/SKILL.md

@@ -0,0 +1,29 @@
+---
+case: aligned-m365-dmarc-reject
+expected: benign
+finding_ids: []
+---
+
+# Benign: Inventoried Microsoft 365 Sender With Strict DMARC
+
+```dns
+example.com. MX 0 example-com.mail.protection.outlook.com.
+example.com. TXT "v=spf1 include:spf.protection.outlook.com -all"
+selector1._domainkey.example.com. CNAME selector1-example-com._domainkey.example.onmicrosoft.com.
+selector2._domainkey.example.com. CNAME selector2-example-com._domainkey.example.onmicrosoft.com.
+_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc-aggregate@example.com; adkim=s; aspf=s"
+```
+
+```yaml
+header_evidence:
+  spf_result: pass
+  dkim_result: pass
+  dmarc_result: pass
+  from_domain_aligned: true
+reporting:
+  aggregate_reports_received: true
+  owner: messaging-security
+confidence: strong
+```
+
+Expected review: pass strict DMARC posture when sender inventory, header alignment, and report monitoring are evidenced.

skills/network/email-security/tests/benign/aligned-m365-dmarc-reject.md

@@ -0,0 +1,29 @@
+---
+case: monitored-dmarc-rollout-pnone
+expected: benign
+finding_ids: []
+---
+
+# Benign: Monitored DMARC Rollout in p=none
+
+```dns
+example.org. TXT "v=spf1 include:_spf.google.com include:sendgrid.net -all"
+_dmarc.example.org. TXT "v=DMARC1; p=none; rua=mailto:dmarc-aggregate@example.org; adkim=r; aspf=r"
+```
+
+```yaml
+rollout_state:
+  owner: messaging-security
+  aggregate_reports_received: true
+  unknown_sources_triaged: weekly
+  aligned_senders_percent: 96
+  target_policy: quarantine
+  target_date: 2026-07-15
+  open_sender_backlog:
+    - ticket: MAIL-1842
+      sender: billing-saas
+      issue: DKIM alignment pending
+confidence: partial
+```
+
+Expected review: do not escalate solely because policy is `p=none`; record as controlled rollout if reports, owner, backlog, and enforcement plan are present.

skills/network/email-security/tests/benign/monitored-dmarc-rollout-pnone.md

@@ -0,0 +1,23 @@
+---
+case: non-sending-domain-no-send
+expected: benign
+finding_ids: []
+---
+
+# Benign: Non-Sending Domain With Explicit No-Send Posture
+
+```dns
+example.net. MX 0 .
+example.net. TXT "v=spf1 -all"
+_dmarc.example.net. TXT "v=DMARC1; p=reject"
+```
+
+```yaml
+classification: non-sending
+owner: brand-protection
+last_review: 2026-06-01
+header_evidence_required: false
+confidence: strong
+```
+
+Expected review: do not require DKIM or sender headers for a confirmed non-sending domain with null MX, SPF fail-all, DMARC reject, and owner evidence.

skills/network/email-security/tests/benign/non-sending-domain-no-send.md

@@ -0,0 +1,23 @@
+---
+case: cross-domain-rua-no-authorization
+expected: vulnerable
+finding_ids:
+  - EMAIL-DMARC-05
+  - EMAIL-RPT-02
+---
+
+# Vulnerable: Cross-Domain DMARC Reporting Without Authorization Evidence
+
+```dns
+_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc@vendor.example"
+```
+
+```yaml
+report_authorization:
+  destination_domain: vendor.example
+  authorization_record_found: false
+  report_owner: unknown
+  last_review: unknown
+```
+
+Expected review: do not fail strict DMARC policy only because the report destination is external, but require external reporting authorization and report ownership evidence.

skills/network/email-security/tests/vulnerable/cross-domain-rua-no-authorization.md

@@ -0,0 +1,18 @@
+---
+case: overbroad-spf-dmarc-none
+expected: vulnerable
+finding_ids:
+  - EMAIL-INV-01
+  - EMAIL-SPF-02
+  - EMAIL-DMARC-02
+  - EMAIL-DMARC-04
+---
+
+# Vulnerable: Overbroad SPF and Unmonitored DMARC
+
+```dns
+example.com. TXT "v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:spf.protection.outlook.com include:_spf.salesforce.com ~all"
+_dmarc.example.com. TXT "v=DMARC1; p=none"
+```
+
+Expected review: require sender inventory, SPF include ownership, aggregate reporting, owner, report review cadence, and an enforcement plan before treating this as controlled.

skills/network/email-security/tests/vulnerable/overbroad-spf-dmarc-none.md

@@ -0,0 +1,32 @@
+---
+case: stale-mta-sts-policy
+expected: vulnerable
+finding_ids:
+  - EMAIL-TLS-01
+  - EMAIL-TLS-02
+  - EMAIL-TLS-03
+---
+
+# Vulnerable: Stale MTA-STS Policy
+
+```dns
+example.com. MX 10 mx1.current-mail.example.
+_mta-sts.example.com. TXT "v=STSv1; id=2026060101"
+```
+
+```txt
+https://mta-sts.example.com/.well-known/mta-sts.txt
+
+version: STSv1
+mode: enforce
+mx: mx1.old-mail.example
+max_age: 604800
+```
+
+```yaml
+tls_rpt_record: missing
+mx_matches_policy: false
+rollback_plan: unknown
+```
+
+Expected review: flag stale MX policy in enforce mode, especially when TLS-RPT is missing and rollback evidence is unknown.