Your SOC2 audit window opens in three months. Your DMARC policy is p=none. Your auditor is going to flag it.

Not because p=none is wrong as a starting point: it is the standard first step of a DMARC rollout, because it collects reports without touching mail flow. But p=none at the start of a SOC2 audit period means that for every month it was in place you had zero enforcement on a control that auditors map to CC6.6's requirement for logical access security measures against threats from outside the system boundary. You cannot retroactively fix those months. You can only fix what comes next.

This is the most common CC6.6 failure mode: organizations whose DNS records are syntactically valid but who arrive at the audit with the wrong policy value, at the wrong time, and with no continuous evidence to show the record was ever in the right state.
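The policy value is the first thing an auditor reads, and a record can look configured while still enforcing nothing: p=none, an sp=none override for subdomains, or a pct= below 100. The following Python is an added example, not code from the original article, that checks a DMARC TXT record for actual enforcement and writes one timestamped JSON line per check, which is the shape of evidence a scheduled job could accumulate across the audit period. The domain names and records are constructed samples, and the script does no DNS lookups; a caller would pass in the TXT value obtained from a resolver.

```python
"""Added example, not code from the original article: classify a DMARC record by
its policy value and emit a timestamped evidence line. Sample records are
constructed for illustration; no DNS lookup is performed."""
import json
from datetime import datetime, timezone

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs (RFC 7489 section 6.3).
    Tag names are case-insensitive; insertion order is kept so the caller can
    verify that v= comes first, as the RFC requires."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: str) -> dict:
    """Decide whether the record actually enforces a policy.

    'enforced' is True only when failing mail is acted on: the record starts
    with v=DMARC1, p= (and sp=, which defaults to p=) is quarantine or reject,
    and pct= is 100. p=none, sp=none and pct<100 are the three ways a record
    that looks configured still provides no enforcement.
    """
    tags = parse_dmarc(record)
    findings = []

    version_ok = next(iter(tags), None) == "v" and tags["v"].upper() == "DMARC1"
    if not version_ok:
        findings.append("record must begin with v=DMARC1")

    p = tags.get("p", "").lower()
    if p not in ENFORCING | {"none"}:
        findings.append(f"missing or invalid p= tag ({p!r})")
    elif p == "none":
        findings.append("p=none: monitoring only, no enforcement")

    sp = tags.get("sp", p).lower()
    if sp not in ENFORCING:
        findings.append(f"subdomain policy sp={sp!r} is not enforcing")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        findings.append(f"invalid pct={tags.get('pct')!r}")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no evidence stream")

    return {
        "domain": domain,
        "policy": p,
        "subdomain_policy": sp,
        "pct": pct,
        "enforced": version_ok and p in ENFORCING and sp in ENFORCING and pct == 100,
        "findings": findings,
    }


def evidence_line(domain: str, record: str, now=None) -> str:
    """One JSON line per check, suitable for appending to an evidence log that a
    scheduled job writes daily; the timestamp is what proves when the policy
    was in a given state."""
    now = now or datetime.now(timezone.utc)
    result = assess_dmarc(domain, record)
    result["checked_at"] = now.isoformat()
    result["record"] = record
    return json.dumps(result, sort_keys=True)


# Constructed sample records; example.com hostnames are placeholders.
SAMPLE_RECORDS = {
    "monitor-only.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial.example.com": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "subdomain-gap.example.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "enforced.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com;",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(evidence_line(domain, record))
```

Run daily from a scheduler and appended to a log, these lines give the auditor a dated history of the policy value rather than a single screenshot taken the week before the audit; the `findings` list also explains why a record that is not p=none may still not count as enforcing.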

This guide covers exactly what CC6.6 requires for DNS and email security, what evidence auditors look for, and how to build a configuration that generates audit evidence automatically — rather than manually assembling it the week before the audit.

What CC6.6 Actually Covers