Email Security Standard

How we secure corporate and client-facing email, from phishing protection to DLP and compliance.

Email Security

This doc covers how we secure our two main email systems:

System	Platform	Purpose
Corporate Email	Google Workspace (`@wealthy.in`)	Internal and business communication.
Client/Partner Email	AWS SES (via Skynet)	Customer notifications, OTPs, reports, and marketing.

Security for our @wealthy.in accounts.

All three DNS records are required for email authentication:

Record	Purpose	Target State
SPF	Authorizes sending IPs	`v=spf1 include:_spf.google.com include:amazonses.com -all`
DKIM	Signs outbound emails	2048-bit keys for both Google and AWS SES
DMARC	Enforces policy	`p=reject` (after monitoring and quarantine phases)

The SRE team conducts quarterly audits to verify these records.

MFA: Google 2-Step Verification is required for everyone in the organization.
OAuth Apps: Only approved third-party apps can access Google Workspace data.
Session Control: We enforce session timeouts (12 hours for web, 7 days for mobile) and limit concurrent sessions.
Mobile Devices: Mobile access requires Google Endpoint Management, a screen lock, and remote wipe capability.

We have rules in Google Workspace to detect and flag sensitive information:

Rule	Pattern	Action
PAN Number	`[A-Z]{5}[0-9]{4}[A-Z]{1}`	Flag and copy to `security@wealthy.in`
Aadhaar Number	`\b[2-9]{1}[0-9]{3}\s?[0-9]{4}\s?[0-9]{4}\b`	Flag and copy to `security@wealthy.in`
API Keys/Secrets	Common secret patterns	Flag and copy to `security@wealthy.in`

Recommendation: We should upgrade the action for outbound PII from monitor to reject or quarantine to prevent leaks.

We use Google Workspace’s built-in controls, which are all active:

Our incident response SLA for phishing is:

We block potentially malicious attachments, including:

Password-protected archives are quarantined for manual review.

This covers transactional and marketing emails sent via our internal tools, Skynet and Skynet-Go.

Application (e.g., Falcon) → Skynet/Skynet-Go → AWS SES (Dedicated IP) → Client Inbox

Skynet-Go is our current multi-channel communication platform, handling email, SMS, push notifications, and more, using AWS SQS for queuing.

Skynet services use IAM roles with least-privilege permissions, not long-lived access keys.

We monitor delivery health closely:

Metric	Threshold	Action
Hard Bounce Rate	> 5%	Immediate review, pause sending if needed.
Complaint Rate	> 0.1%	Review content and check list hygiene.

Monitoring is done via CloudWatch, SNS, and our internal Skynet-Go dashboard.

Templates: All emails use approved, version-controlled templates. No freeform composition is allowed.
PII Handling: We mask sensitive data like PAN and account numbers. Aadhaar numbers are never included in emails. OTPs are sent separately from other PII.
Anti-Spoofing: All client-facing emails are authenticated with SPF, DKIM, and DMARC.

Phishing Simulations: We run half-yearly phishing exercises (plus ad-hoc campaigns). Our goal is a click rate below 5% and a report rate above 50%. Cadence is raised if either target is breached, per POL-025.
Security Training: Email security is covered in the annual Security Training Programme (T1) and in new-joiner onboarding, per POL-025 Security Awareness Training Policy.

The security and operations teams perform a quarterly audit covering:

For any email security incidents or questions, contact the security team at security@wealthy.in.