Compliance crosswalk · SOC 2
SOC 2 (AICPA Trust Services Criteria 2017) - email + domain controls, mapped to Wiredepth
Framework version: TSC 2017 with 2022 Points of Focus clarifications
Who this is for. SaaS, cloud platforms, B2B-software vendors, and any service organization generating an attestation report (Type I or Type II) for customer-facing diligence. SOC 2 is voluntary in the statutory sense but a hard prerequisite for enterprise sales conversations.
Where email + domain controls fit. The AICPA framework is principles-based - it tells you to address risk, not exactly which controls to implement. Email auth shows up under CC6 (logical access), CC7 (system operations + monitoring), and CC9 (vendor management). Auditors look for evidence the organization understands its outbound-mail surface as part of the broader logical-access boundary.
Clause-by-clause mapping
Each row maps a specific SOC 2 requirement to the Wiredepth surface that addresses it. The clause ids are the framework's own naming - verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).
| Clause | Requirement | Wiredepth response |
|---|---|---|
| CC6.1 Authentication | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events. Outbound email is one of those surfaces. | DMARC analyzer + spoofability checker score the authentication posture. SPF flattener prevents PermError, which silently breaks SPF auth. |
| CC6.6 Transport | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. Transmission security for ePHI / customer data / financial info in transit. | MTA-STS + TLS-RPT checker validates enforce-mode policy. TLS checker covers the web-side encryption story. |
| CC6.7 Transport | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes. By extension - which third parties can send mail as the entity. | Vendor consolidation audit produces the inventory of authorized senders + a blast-radius rating per vendor. |
| CC7.1 Monitoring | The entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities. Includes DNS / SPF / DKIM changes. | Wiredepth Pro continuous monitoring tracks DMARC / SPF / DKIM / MTA-STS posture and alerts on regressions. Change-history snapshots for audit-log purposes. |
| CC7.2 Monitoring | The entity monitors system components for anomalies. DMARC aggregate reports are the canonical anomaly source for outbound mail. | DMARC report viewer turns RUA XML into a readable monitoring artifact. Wiredepth Pro can host the RUA endpoint + aggregate trends across reporting periods. |
| CC9.1 Inventory | The entity identifies, evaluates, and selects vendors and business partners with appropriate consideration of risk. Email-sending vendors are part of the vendor universe. | Vendor-scoring tool batch-grades vendors for the diligence step. Vendor consolidation report inventories what you have today. |
| CC9.2 Inventory | The entity establishes risk mitigation activities, including the development of risk responses, for vendor and business partner relationships. | De-authorization guides at /docs/deauthorize cover the specific DNS edits to remove a vendor when the risk-response decision is "drop the vendor". Pairs with the audit trail. |
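The CC7.1 row describes detecting configuration changes that weaken posture; the following is an added illustration (not Wiredepth code) of what such a regression check looks like when run over two DNS snapshots. The records, domains and the constructed SPF with eleven includes are assumptions made up for the example.

```python
# Added example (not Wiredepth code): flag DMARC/SPF regressions between two DNS
# snapshots, the CC7.1 "change that introduces a new vulnerability" signal.
import re

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}  # weaker -> stronger

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def spf_lookup_count(record):
    """Count SPF terms that cost a DNS lookup (RFC 7208 caps them at 10)."""
    n = 0
    for term in record.split():
        t = term.lstrip("+-~?").lower()
        if re.match(r"^(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)", t):
            n += 1
    return n

def dmarc_regressions(old, new):
    """Return human-readable regressions from the old to the new DMARC record."""
    o, n = parse_dmarc(old), parse_dmarc(new)
    findings = []
    op, np_ = o.get("p", "none"), n.get("p", "none")
    if POLICY_RANK.get(np_, 0) < POLICY_RANK.get(op, 0):
        findings.append(f"p weakened: {op} -> {np_}")
    if "rua" in o and "rua" not in n:
        findings.append("rua removed: aggregate reporting lost (CC7.2 monitoring gap)")
    return findings

def spf_regressions(old, new):
    findings = []
    oc, nc = spf_lookup_count(old), spf_lookup_count(new)
    if nc > 10 >= oc:  # crossing the limit turns every SPF check into PermError
        findings.append(f"SPF lookup count {nc} exceeds 10: PermError, SPF auth fails")
    if old.strip().endswith("-all") and not new.strip().endswith("-all"):
        findings.append("SPF all-mechanism softened from -all")
    return findings

# Constructed sample snapshots (not real records) showing a mid-window regression.
OLD_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"
NEW_DMARC = "v=DMARC1; p=none; pct=100"
OLD_SPF = "v=spf1 include:_spf.example.net -all"
NEW_SPF = "v=spf1 " + " ".join(f"include:v{i}.example" for i in range(11)) + " ~all"
```

Each finding is the kind of line a Type II auditor expects to see in the change log alongside the ticket that remediated it.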
What auditors actually look at
What a SOC 2 auditor (CPA firm) actually checks when email and domain posture come up in the Trust Services review:
- Documented vendor inventory aligned with what's in DNS. A SendGrid in your SPF that isn't in your vendor register is a gap; a vendor in your register that isn't in DNS is a housekeeping flag.
- Change history spanning the audit window (Type II reports span 6-12 months). The DMARC policy change in month 4 needs to show up in the change log; a regression has to show it was identified + remediated.
- Operating-effectiveness sampling. Type II auditors sample tickets / changes / monitoring alerts. Continuous-monitoring alerts that show detection + response are exactly the artifacts sampled.
- Scope clarity. What systems are in scope, what aren't. Mail-sending domains aligned with the in-scope production tenants get more attention than marketing subdomains.
- Independent verification. An auditor can revisit a Wiredepth-watermarked scorecard URL to confirm the data wasn't manufactured at attestation time.
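The first bullet above is a reconciliation between two lists. As an added example (not Wiredepth's tooling), the following compares the include: targets in a published SPF record with a vendor register and separates the two findings the auditor distinguishes: gap versus housekeeping flag. The register entries, include domains and SPF record are constructed assumptions.

```python
# Added example (not Wiredepth code): reconcile SPF include: targets in DNS
# against the vendor register. A sender in DNS with no register entry is a
# gap (CC9.1); a register entry with no DNS footprint is a housekeeping flag.

# Constructed vendor register: vendor name -> the SPF include domain it publishes.
# These include domains are assumptions for the example, not vendor-verified values.
VENDOR_REGISTER = {
    "SendGrid": "sendgrid.net",
    "Google Workspace": "_spf.google.com",
    "Legacy helpdesk": "spf.helpdesk.example",
}

def spf_includes(record):
    """Return the set of include: targets in an SPF record, ignoring qualifiers."""
    found = set()
    for term in record.split():
        t = term.lstrip("+-~?").lower()
        if t.startswith("include:"):
            found.add(t[len("include:"):])
    return found

def reconcile(spf_record, register):
    """Return (gaps, housekeeping, matched) for a record and a vendor register."""
    dns = spf_includes(spf_record)
    by_domain = {d.lower(): name for name, d in register.items()}
    gaps = sorted(d for d in dns if d not in by_domain)        # in DNS, not in register
    housekeeping = sorted(name for name, d in register.items()  # in register, not in DNS
                          if d.lower() not in dns)
    matched = sorted(by_domain[d] for d in dns if d in by_domain)
    return gaps, housekeeping, matched

# Constructed SPF record (not a real domain's record).
SPF_RECORD = ("v=spf1 include:_spf.google.com include:sendgrid.net "
              "include:mail.unknownvendor.example -all")

if __name__ == "__main__":
    gaps, housekeeping, matched = reconcile(SPF_RECORD, VENDOR_REGISTER)
    for d in gaps:
        print(f"GAP: {d} is authorized in SPF but absent from the vendor register")
    for v in housekeeping:
        print(f"HOUSEKEEPING: {v} is in the register but not in SPF")
    print("matched:", ", ".join(matched))
```

Nested includes (a vendor include that itself includes further domains) are not expanded here; a full inventory resolves those recursively before comparing.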
Generate a SOC 2-tagged evidence pack (Wiredepth Prove)
Prove subscribers can generate a ZIP of all five workpapers + a SOC 2 README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).
Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.