SOC2 CC6.6 Made Easy: Automating Logical Access Evidence

Regő Botond Ronyecz Posted on May 30 SOC2 CC6.6 Made Easy: Automating Logical Access Evidence # soc2 # dns # email # zerohook Your SOC2 audit window opens in three months. Your DMARC policy is p=none . Your auditor is going to flag it. Not because p=none is wrong as a starting point — it's the standard way to begin DMARC rollout. But p=none at the start of a SOC2 audit period means that for the entire months it was in place, you had zero enforcement on a logical access control that CC6.6 explicitly requires. You cannot retroactively fix those months. You can only fix what comes next. This is the most common CC6.6 failure mode: organizations that have technically correct configurations but arrive at the audit with the wrong policy value, at the wrong time, with no continuous evidence to show it was ever in the right state. This guide covers exactly what CC6.6 requires for DNS and email security, what evidence auditors look for, and how to build a configuration that generates audit evidence automatically — rather than manually assembling it the week before the audit. What CC6.6 Actually Covers SOC2 is organized around Trust Services Criteria (TSC). CC6.6 sits inside the CC6 — Logical and Physical Access Controls category and specifically addresses: "The entity implements logical access security measures to protect against threats from sources outside its system boundaries." In practice, CC6.6 covers controls that prevent unauthorized external access to your systems. For most SaaS companies, the auditor's DNS and email security review under CC6.6 focuses on three threat vectors: Email domain spoofing — an attacker sending email that appears to come from your domain. If your domain can be spoofed, phishing attacks can impersonate your company to your own customers. This is an external threat to your system boundary that email authentication controls address directly. DNS record tampering — an attacker modifying your DNS records to redirect traffic. An unprotected DNS zo