
Clarify security assumptions for email as an authentication channel #1979

Closed
jeremyrayjewell wants to merge 4 commits into OWASP:master from jeremyrayjewell:improve-email-auth-docs

Conversation

@jeremyrayjewell

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

  • In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • [ X ] All the markdown files do not raise any validation policy violation, see the policy.
  • [ X ] All the markdown files follow these format rules.
  • All your assets are stored in the assets folder.
  • All the images used are in the PNG format.
  • [ X ] Any references to websites have been formatted as [TEXT](URL)
  • [ X ] You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • The CI build of your PR pass, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR fixes issue #<REPLACE WITH ISSUE NUMBER>.

AI Tool Usage Disclosure (required for all PRs)

Please select one of the following options:

  • [ X ] I have NOT used any AI tool to generate the contents of this PR.
  • I have used AI tools to generate the contents of this PR. I have verified
    the contents and I affirm the results. The LLM used is [llm name and version]
    and the prompt used is [your prompt here]. [Feel free to add more details if needed]

Thank you again for your contribution 😃

Member

@jmanico jmanico left a comment


I would prefer to split out email security into a different cheatsheet, are you open to that? The AuthN cheatsheet is just too damn big.

@jeremyrayjewell
Author

> I would prefer to split out email security into a different cheatsheet, are you open to that? The AuthN cheatsheet is just too damn big.

Yes, I’m very open to that. I actually agree that email security is its own surface area and probably deserves a dedicated cheat sheet rather than being embedded inside AuthN.

Would you prefer this to become a new “Email Authentication Security Cheat Sheet,” or something broader like “Email Security Cheat Sheet” that covers SPF, DKIM, DMARC, and identity workflows together?

Once I understand the intended scope and naming, I’m happy to restructure the PR accordingly.

@jmanico
Member

jmanico commented Jan 23, 2026

I vote just "email security cheatsheet" and you can talk about AuthN issues there. Then link to this CS from the AuthN one. Smaller cheatsheets win the day. Does that work for you?

@jeremyrayjewell
Author

That works for me. I’ve moved the email security content into a separate cheat sheet and replaced the section here with a link to it. I’ll flesh out the new Email Security Cheat Sheet next.

@jeremyrayjewell
Author

It looks like the required GitHub Actions checks are currently blocked with “3 workflows awaiting approval.”
Could a maintainer approve the workflows so CI can run on this PR? Thanks.

@bad-antics

Great contribution! This will be helpful for the community. 🔥

@jmanico
Member

jmanico commented Jan 27, 2026

small lint error:

cheatsheets/Email_Security_Cheat_Sheet.md:8 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "- Email messages are delivered..."]

jmanico previously approved these changes Jan 28, 2026
@jeremyrayjewell
Author

The markdown lint issue has been fixed and CI is now green.
When convenient, I’d appreciate another code owner review to move this PR toward merge. Thank you. :)

@jmanico
Member

jmanico commented Jan 29, 2026

Since this is a new cheatsheet we need several other reviewers. I am just the first gate. And I want to set expectations this may take a little time. Please hold tight we are on it!

@jmanico
Member

jmanico commented Jan 29, 2026

Please carefully add your new cheatsheet here in this PR.

https://github.com/OWASP/CheatSheetSeries/blob/master/Index.md

@jeremyrayjewell
Author

The new Email Security Cheat Sheet has now been added to Index.md under section E, per your request. Ready for further review. Thank you!

@mackowski
Collaborator

@jmanico I am not convinced that this needs a separate cheatsheet. This PR is not following our Contributing Guide:
https://github.com/OWASP/CheatSheetSeries/blob/master/CONTRIBUTING.md

IMO we should close PR and open issue to discuss what we want to achieve here

@jmanico
Member

jmanico commented Feb 27, 2026

I am a fan of this cheatsheet because email is such a hard type of data to validate; it requires special validation and verification.

But I agree as-is this cheatsheet is weak. I am ok to drop it for now, but I really do want to see this kind of cheatsheet talk about email validation and email verification flows since it's often a part of identity. Devs need to stay far from the RFC on email to get this right.
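An added example, not code from this PR or from the Cheat Sheet Series, of the two pieces jmanico asks for: a deliberately pragmatic address check that stays well short of the full RFC 5321/5322 grammar (it rejects quoted local parts, bare hostnames and oversized inputs that the RFCs technically permit), and a verification flow that proves control of the mailbox with a single-use, expiring token whose hash is all that is stored server-side. The function names, the length limits, the label pattern and the in-memory pending store are constructed for illustration; a real deployment would persist the hashed token and send the plaintext token out of band.

```python
import hashlib
import hmac
import re
import secrets
import time

# Constructed limits: 254 characters per address and 64 per local part are the
# SMTP path limits; anything longer is rejected rather than parsed.
MAX_ADDRESS_LEN = 254
MAX_LOCAL_LEN = 64
TOKEN_TTL_SECONDS = 15 * 60

# Pragmatic, narrower-than-RFC character classes (hypothetical choices for this example).
_LOCAL_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def normalize_email(address: str) -> str:
    """Trim surrounding whitespace and lowercase only the domain part.

    The local part is left untouched: RFC-wise it may be case-sensitive, so
    lowercasing it could silently merge two distinct mailboxes.
    """
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep:
        return address
    return f"{local}@{domain.lower()}"


def is_plausible_email(address: str) -> bool:
    """Return True for addresses worth sending a verification mail to.

    This is intentionally not an RFC validator: it accepts the common shape
    local@domain.tld and rejects edge cases (quoted locals, IP literals,
    dotless domains) that almost never appear in legitimate sign-ups.
    """
    address = normalize_email(address)
    if len(address) > MAX_ADDRESS_LEN or any(c.isspace() for c in address):
        return False
    if address.count("@") != 1:
        return False
    local, domain = address.split("@")
    if not local or len(local) > MAX_LOCAL_LEN or not _LOCAL_RE.match(local):
        return False
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(label) for label in labels):
        return False
    # Constructed rule: require an alphabetic top-level label so "user@1.2" is refused.
    return labels[-1].isalpha()


class EmailVerifier:
    """Minimal verification flow: issue a token, store its hash, confirm once."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # address -> (sha256 hex of token, expiry timestamp)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, address: str) -> str:
        """Create a fresh token for the address; the caller emails the plaintext.

        Only the hash is kept, so a database read does not yield usable tokens.
        Re-issuing replaces any earlier pending token for the same address.
        """
        token = secrets.token_urlsafe(32)
        self._pending[address] = (self._digest(token), self._now() + TOKEN_TTL_SECONDS)
        return token

    def confirm(self, address: str, token: str) -> bool:
        """Accept the token once, within its TTL, using a constant-time comparison."""
        entry = self._pending.get(address)
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() > expiry:
            del self._pending[address]      # expired tokens are purged, not retried
            return False
        ok = hmac.compare_digest(digest, self._digest(token))
        if ok:
            del self._pending[address]      # single use: a replayed link must fail
        return ok


if __name__ == "__main__":
    for candidate in ["user@example.com", "user@localhost", "a@b@c.com", ".user@example.com"]:
        print(f"{candidate!r}: {is_plausible_email(candidate)}")
    verifier = EmailVerifier()
    tok = verifier.issue("user@example.com")
    print("first confirm:", verifier.confirm("user@example.com", tok))
    print("replayed confirm:", verifier.confirm("user@example.com", tok))
```

The split between a cheap syntactic plausibility check and an out-of-band confirmation is the point: the first only decides whether it is worth sending mail, and the second is what actually establishes that the account holder controls the mailbox.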

@jeremyrayjewell
Author

Thank you for the feedback. I agree the scope needs clearer definition and stronger alignment with the Contributing Guide.

I am happy to close this PR and open an issue to refine scope first.

Based on the discussion, a more focused cheat sheet around email validation and verification in identity systems may be more appropriate. I will draft an issue proposal outlining scope and structure for discussion before resubmitting.

Appreciate the guidance.

@jmanico
Member

jmanico commented Feb 27, 2026

Thank you for working with us! I'm a fan of the direction you are going in

@jeremyrayjewell
Author

Closing this PR in favor of opening a scoped proposal issue as discussed. I will draft that shortly.


5 participants