
Email

Useful for

Startup, External presence, Security, Agentic delivery

Introduction

Email is part of company credibility and security. SPF, DKIM, DMARC and approved sender management should be treated as early trust controls rather than later marketing polish.

Knowledge scope

This is startup-specific guidance in the public playbook. It is framed around the Day Zero -> Company Ready decision point and the practical trade-offs a small company faces while moving from idea to Production.

Why it matters

Weak email authentication increases impersonation risk, harms deliverability and creates avoidable findings in future security reviews. Every service that sends as the company becomes part of the trust boundary.

How it fits the playbook

This reference supports the Day Zero -> Company Ready stage of the startup CTO playbook. It gives the public context for the decision without exposing the deeper assessment method behind the agentic operating model.

Design considerations

  • Configure SPF, DKIM and DMARC deliberately.
  • Use DMARC monitoring early, then move toward enforcement when senders are understood.
  • Record approved email-sending services and who owns them.
  • Include CRM, support, marketing, payment and website email senders in the trust model.
  • Review email authentication changes as critical DNS changes.
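One way to check the sender inventory against what DNS actually authorises, as an added example that is not part of the original playbook. The domain, TXT records, inventory and finding codes are constructed for illustration, and a real run would feed `audit` the output of live TXT lookups.

```python
# Added example. Domain, records and inventory below are constructed sample data.
APPROVED_SENDERS = {  # SPF include target -> (service, owner); hypothetical inventory
    "_spf.google.com": ("Company mailboxes", "ops lead"),
    "sendgrid.net": ("Product notifications", "CTO"),
}
SAMPLE_TXT = {  # what a DNS TXT lookup would return for each name
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net "
                    "include:servers.mcsv.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}

def parse_spf(txt):
    """Return SPF include targets and the terminal 'all' qualifier, or None if not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    includes, all_qualifier = [], None
    for term in terms[1:]:
        bare = term.lstrip("+-~?").lower()
        if bare.startswith("include:"):
            includes.append(bare.split(":", 1)[1])
        elif bare == "all":  # a bare 'all' has the implicit '+' qualifier
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"includes": includes, "all": all_qualifier}

def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if the record is not DMARC."""
    tags = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    return tags if tags.get("v") == "DMARC1" else None

def audit(domain, txt, approved):
    """Return (code, detail) findings for one domain."""
    findings = []
    spf = [r for r in map(parse_spf, txt.get(domain, [])) if r]
    if len(spf) != 1:  # RFC 7208: zero records means no policy, several is a permerror
        findings.append(("spf-record-count", str(len(spf))))
    for record in spf:
        findings += [("unmanaged-sender", i) for i in record["includes"] if i not in approved]
        if record["all"] in (None, "+"):  # nothing tells receivers to distrust other hosts
            findings.append(("spf-weak-default", record["all"] or "missing"))
    dmarc = [r for r in map(parse_dmarc, txt.get("_dmarc." + domain, [])) if r]
    if not dmarc:
        return findings + [("dmarc-missing", "_dmarc." + domain)]
    if dmarc[0].get("p", "none").lower() == "none":  # monitoring stage, not yet enforcing
        findings.append(("dmarc-monitoring-only", "p=none"))
    if "rua" not in dmarc[0]:  # without aggregate reports, senders cannot be discovered
        findings.append(("dmarc-no-reports", "no rua tag"))
    return findings
```

On the sample data, `audit("example.com", SAMPLE_TXT, APPROVED_SENDERS)` flags the one SPF include that has no inventory entry and notes that DMARC is still in monitoring mode.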

What good looks like

The company knows who can send mail for the domain and can detect spoofing, misconfiguration and unmanaged senders.

How Brokenhouse helps

Turn this into a practical plan.

I help technology teams turn this guidance into decisions, implementation plans, governance evidence and production-ready operating models.
