Security Brief (SPF/DKIM, Drive, Access Controls, Data Roles)

Updated: Sep 11, 2025 03:50 AM

Security Brief (SPF/DKIM, Drive, Access Controls, Data Roles) — For Professionals

Practical guidance for using Family Harbor with clients while keeping risk low and access clean.

Purpose

Give advisors and attorneys a concise, actionable security posture when collaborating through Family Harbor. The client keeps custody of their files in their own Google Drive or Dropbox; you work from links and lightweight summaries. This brief explains email authentication basics, recommended Drive/Dropbox settings, access control patterns, and who is responsible for what.

Threat model in one minute

Most issues are mundane, not cinematic: mis-addressed emails, over-broad link sharing, stale access that was never revoked, documents downloaded to an unencrypted laptop, or messages flagged as spam. Our controls aim to minimize those with least-privilege access, expiring links, and authenticated email.

Email authentication: SPF, DKIM, DMARC

What they are
  • SPF tells receiving mail servers which IPs are allowed to send mail for a domain.
  • DKIM cryptographically signs messages so recipients can verify they weren’t altered and truly came from that domain.
  • DMARC sets your domain’s policy for what receivers should do when SPF/DKIM fail and provides reporting.
Why professionals should care
  • Fewer lost or spoofed messages during handoffs and consents.
  • Better inbox placement for scheduling nudges and recap emails tied to Family Harbor.
How Family Harbor uses them
  • Family Harbor domains are configured with SPF and DKIM; DMARC is set to at least a monitoring or quarantine policy as appropriate.
  • You can tell clients: “Our emails are authenticated (SPF/DKIM) and follow DMARC policy to reduce spoofing; please add our address to contacts if a message lands in spam.”
Quick checks
  • In Gmail, open the message menu → “View original” to see “SPF: PASS, DKIM: PASS, DMARC: PASS.”
  • If a client says they didn’t get a nudge, confirm it isn’t in spam, ask them to add the sender to contacts, and avoid sending identical one-line test emails repeatedly.
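
The "View original" check above can also be run on a saved raw message. The following is an added example, not Family Harbor code: it reads the Authentication-Results header and reports which of SPF, DKIM and DMARC did not pass. The function names, the server name mx.example.net and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

METHODS = ("spf", "dkim", "dmarc")

# Constructed sample (not a real message). The first header is stamped by the
# receiving server; the second names a different server and is untrusted.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@mailer.example;
 dkim=fail (body hash did not verify) header.i=@sender.example;
 dmarc=fail (p=QUARANTINE) header.from=sender.example
Authentication-Results: relay.unknown.example;
 spf=pass; dkim=pass; dmarc=pass
From: Reminders <nudge@sender.example>
To: client@example.org
Subject: Meeting recap

See the shared folder link in your checklist.
"""


def auth_results(raw_message, trusted_authserv):
    """Return {method: result} from Authentication-Results headers whose
    authserv-id is trusted_authserv. Others are ignored because any upstream
    sender can add such a header."""
    found = {}
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", value)  # strip parenthesised comments
        parts = [p.strip() for p in value.split(";")]
        authserv = parts[0].split()
        if not authserv or authserv[0].lower() != trusted_authserv.lower():
            continue
        for part in parts[1:]:
            m = re.match(r"(\w+)\s*=\s*(\w+)", part)
            if m and m.group(1).lower() in METHODS:
                # keep the first verdict seen per method
                found.setdefault(m.group(1).lower(), m.group(2).lower())
    return found


def failing_checks(raw_message, trusted_authserv):
    """List the methods that did not report 'pass' (missing counts as failing)."""
    results = auth_results(raw_message, trusted_authserv)
    return [m for m in METHODS if results.get(m) != "pass"]


if __name__ == "__main__":
    print(failing_checks(SAMPLE, "mx.example.net"))
```

In the sample, SPF passes for mailer.example, yet DMARC fails because that domain is not aligned with the From domain and the DKIM signature did not verify.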

Client storage model (Google Drive / Dropbox)

Defaults to request
  • Client creates or accepts a Family Harbor folder in their Google Drive or Dropbox.
  • Top-level sharing set to Restricted (no “anyone with the link” access).
  • Subfolders shared to named collaborators as Viewer or Commenter; Editor only if the client explicitly asks for it.
Security properties (at a glance)
  • Both Google Drive and Dropbox encrypt data in transit and at rest.
  • Fine-grained sharing can be applied at folder/file level; access can be revoked instantly.
  • Version history and activity logs aid basic auditing.
Operational guidance
  • Avoid email attachments. Share links that point to the client’s folder.
  • Do not download copies to local devices unless your policy requires it; if you must, use an encrypted device and remove local copies after use.
  • Keep sensitive numbers out of file names and checklist titles.

Access controls that actually work

Principles
  • Least privilege: Viewer or Commenter beats Editor.
  • Time-boxed: Add an access review date to every handoff.
  • Single link per recipient: Prevents drift and reduces wrong-file risk.
Recommended patterns
  • Use a dedicated /Handoffs/YYYY-MM-Client_to_Pro/ subfolder for each recipient.
  • Share to named emails only; avoid “anyone with link” unless the recipient’s system blocks external shares.
  • Add a calendar reminder to the Family Harbor checklist: “Review and prune access on [date].”
Revocation drill (90 seconds)
  • Open the handoff folder → Share → Remove the recipient (or switch to “Viewer”).
  • Replace any public links with restricted links.
  • Note the change in the Family Harbor checklist.
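
The principles and patterns above can be turned into a repeatable access review. The following is an added example, not Family Harbor code: it checks a folder's permission list for entries that are not named, exceed Viewer/Commenter, or have no expiry by the review date. The field names (type, role, emailAddress, expirationTime) follow the Google Drive API v3 permissions resource; the function names and the sample list are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

ALLOWED_ROLES = {"reader", "commenter"}  # shown as Viewer / Commenter in Drive

# Constructed permission list for one handoff folder (not real accounts).
SAMPLE_PERMISSIONS = [
    {"type": "user", "role": "owner", "emailAddress": "client@example.org"},
    {"type": "user", "role": "reader", "emailAddress": "advisor@firm.example",
     "expirationTime": "2025-10-01T00:00:00Z"},
    {"type": "user", "role": "writer", "emailAddress": "assistant@firm.example"},
    {"type": "anyone", "role": "reader"},
]


def parse_time(value):
    """Parse an RFC 3339 timestamp such as 2025-10-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_permissions(permissions, owner_email, review_by):
    """Return (principal, finding) pairs for entries that break the handoff rules."""
    findings = []
    for perm in permissions:
        who = perm.get("emailAddress", perm["type"])
        if perm["role"] == "owner" and who == owner_email:
            continue  # the client keeps ownership of the originals
        if perm["type"] not in ("user", "group"):
            findings.append((who, "not shared to a named email"))
            continue
        if perm["role"] not in ALLOWED_ROLES:
            findings.append((who, "role exceeds Viewer/Commenter"))
        expires = perm.get("expirationTime")
        if expires is None:
            findings.append((who, "no expiry set"))
        elif parse_time(expires) > review_by:
            findings.append((who, "expires after the access review date"))
    return findings


if __name__ == "__main__":
    review = datetime(2025, 10, 15, tzinfo=timezone.utc)
    for who, finding in audit_permissions(SAMPLE_PERMISSIONS, "client@example.org", review):
        print(f"{who}: {finding}")
```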

Data roles and responsibilities

Client (data owner/controller)
  • Owns originals in Drive/Dropbox and decides who sees what and for how long.
  • Can revoke access at any time.
Professional (independent controller for your practice)
  • You are responsible for any copies you download or notes you keep in your own systems, subject to your professional and regulatory obligations (e.g., GLBA for financial advisors, client-confidentiality for attorneys).
  • Keep your own retention and incident procedures.
Family Harbor (service provider/processor)
  • Provides structure (folder templates, checklists, reminders) and stores minimal operational metadata.
  • Does not take custody of client documents stored in Drive/Dropbox.
  • Not a law firm and does not provide legal or tax advice.
HIPAA and BAAs
  • Many planning files are not PHI. If you expect sustained handling of PHI under HIPAA, ensure your own systems and any vendors meet requirements and execute BAAs where applicable. Family Harbor itself is an organizational layer; clients should avoid storing medical diagnoses unless necessary for directives.

Handling PII without headaches

  • Prefer summary sheets (institution, account type, last 4) over full statements.
  • Redact SSNs and full account numbers in PDFs before sharing.
  • Keep PII out of email subject lines and file names.
  • In your CRM, store links to the client’s Drive path rather than uploading copies.

Device and account hygiene

  • Enforce MFA on your Google, Microsoft, Dropbox, and Family Harbor accounts.
  • Use a password manager; avoid password reuse.
  • Keep laptops encrypted; set auto-lock.
  • Separate personal and work profiles/browsers.

Incident response mini-plan

  • Wrong person has access: immediately remove from the shared folder, replace any “anyone with the link” shares with restricted links, and notify the client.
  • Lost device with local copies: if encrypted and locked, risk is reduced; still rotate any cached share links and review what was downloaded.
  • Mis-sent email: recall if possible; follow your firm’s notification policy; switch to link-only shares.
Record a one-line note of the event and actions in the client’s Family Harbor checklist.

Compliance notes (you, not Family Harbor)

  • Attorneys: preserve confidentiality; no fee-splitting or quid-pro-quo referral compensation.
  • Advisors: mind GLBA, Reg S-P, and firm archiving rules; link-based access can reduce duplicate custody but does not replace required books and records.
  • Record retention: if your policy requires keeping copies, download only the minimum set, store in your controlled repository, and mark the location in the Family Harbor checklist for transparency.

Language you can reuse with clients

Security paragraph for engagement letters or emails
“Your documents will remain in your own Google Drive/Dropbox. We will access them via restricted links and will not email attachments unless necessary. Our email is authenticated (SPF/DKIM/DMARC) to reduce spoofing. You can revoke access at any time. We will keep only the minimum records required by law and our firm policy.”
Cover note footer for professional handoffs
“This folder link grants view/comment access and expires on [date]. Please avoid forwarding files; comment in place or request editor access if needed.”

Quick checklist for meetings

  • Client folder is in their Drive/Dropbox with restricted sharing.
  • You have Viewer or Commenter access only.
  • Handoff link is single-recipient and set to expire.
  • Email authentication passes (SPF/DKIM/DMARC) on your outbound messages.
  • No attachments sent; links only.
  • Access review date added to the Family Harbor checklist.

FAQ

Why did my message land in a client’s spam?
New domains, repeated short test emails, or a mismatch between sending infrastructure and SPF/DKIM can trigger filtering. Ask the client to add your address to contacts, send a properly formatted email, and avoid sending multiple near-identical tests in a row.
Can I keep copies for my file?
Yes, if your policy requires it. Download the minimum, store in your secured repository, and note that location in the Family Harbor checklist. Leave originals in the client’s Drive.
Can I give my assistant access?
Yes, as a named Viewer/Commenter with an expiry date. Avoid “anyone with link.”
Does Family Harbor sign BAAs?
Family Harbor is an organizational layer that keeps documents in the client’s storage. If your use case requires handling PHI under HIPAA with a business associate, address that within your own systems and vendors; avoid uploading PHI to ancillary tools unless a BAA is in place.

Family Harbor helps you keep collaboration simple: the client owns their files; you work by link with the least access necessary, and email is authenticated to improve deliverability. The result is less duplication, cleaner audits, and fewer surprises.