Email Security Basics Every Small Business Should Have in Place

Email is the primary attack vector for cyber incidents affecting small businesses. Phishing, malware delivery, business email compromise, invoice fraud — the majority of successful attacks on small organisations begin with an email. If you can secure one thing, secure email first.

This post covers the technical email security controls that every small business should have in place, what they actually do, and the staff-level awareness that technology cannot replace.

The Three Email Authentication Standards

SPF, DKIM, and DMARC are email authentication standards that work together to prevent domain spoofing — attackers sending emails that appear to come from your domain. They are configured in your domain's DNS records and require no software installation. If you are not sure whether these are configured for your domain, your IT provider or whoever manages your DNS records can check in minutes.

SPF (Sender Policy Framework)

An SPF record tells the world which mail servers are authorised to send email on behalf of your domain. When a recipient's mail server receives an email claiming to be from your domain, it checks the SPF record to verify that the email was sent from an authorised server. Email sent from an unauthorised server — such as an attacker's server spoofing your domain — fails the SPF check and can be treated as suspicious or rejected.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outgoing emails. The recipient's mail server verifies the signature against a public key published in your DNS records. A valid signature confirms that the email was sent by an authorised sender and has not been modified in transit. Emails that fail DKIM verification may have been tampered with or forged.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC builds on SPF and DKIM by specifying what recipient mail servers should do when an email fails authentication: nothing (monitor only), quarantine it (move to spam), or reject it outright. DMARC also provides reporting — email reports from recipient servers that show you who is sending email using your domain, including potential spoofing attempts.

The DMARC policy setting is the critical one for protection. A policy of p=none (monitor only) means spoofed emails can still reach recipients — it provides visibility but not protection. A policy of p=quarantine or p=reject actively prevents spoofed emails from reaching your clients and partners. Moving to reject is the goal, though it requires care: a misconfigured SPF or DKIM record combined with a reject policy can cause legitimate emails to be rejected. Work through the transition from none to quarantine to reject with IT support.

Email Filtering and Anti-Phishing

Every major email platform — Microsoft 365, Google Workspace — includes spam and malware filtering by default. These filters catch a significant proportion of malicious emails before they reach staff. However, the default filtering configuration is not the most protective configuration available.

For Microsoft 365 users on Business Premium (or those who have licensed Defender for Office 365), Safe Attachments and Safe Links provide significant additional protection. Safe Attachments detonates email attachments in a sandboxed environment before delivery, catching malicious documents that evade signature-based detection. Safe Links rewrites URLs in emails and documents and checks them at click-time, blocking links to malicious sites even if the link was benign at delivery.

Anti-impersonation protection — which detects emails impersonating known senders, including your own domain and key staff names — is configured in Defender for Office 365's anti-phishing policies and should be enabled and tuned for your senior staff and your domain.

What to Actually Train Staff to Spot

Technical controls reduce the volume of malicious email that reaches staff but do not eliminate it. Staff awareness of phishing techniques remains important. The specific things that are worth training:

• Check the sending domain, not the display name. An email from "HMRC Compliance Team" is sent from a display name, not a verified identity. The actual sending address — visible by clicking or hovering on the display name — is what matters. compliance@hmrc.gov.uk is very different from compliance@hmrc-compliance.org.
• Hover before clicking. Before clicking any link, hover over it to see the actual URL. A link that displays as "click here to verify your account" but points to an IP address or an unrelated domain is suspicious. On mobile, press and hold to see the URL before tapping.
• Unexpected urgency and authority are social engineering signals. Emails that create time pressure, threaten consequences for inaction, invoke senior authority, or request secrecy are using techniques specifically designed to bypass careful thinking. Slow down when an email pressures you to act quickly.
• When in doubt, call back on a known number. An email requesting a payment change, a credential reset, or urgent action from a known contact? Call the sender on a number you already have for them — not one provided in the email — before acting.

Secure Email Practices for Business

Beyond filtering and awareness, several email practices reduce the risk of email-borne incidents:

• Enable MFA on all email accounts. A compromised email account is the master key to most other accounts. MFA is the most effective control against credential phishing — if an attacker obtains your password, they still can't access your email without the MFA token.
• Review mailbox forwarding rules periodically. Attackers who gain access to an email account frequently create forwarding rules to maintain visibility into the inbox even after the password is changed. A periodic review of forwarding rules on business email accounts catches this persistence mechanism.
• Be cautious with email attachments from any source. Malicious attachments can come from compromised legitimate accounts. An unexpected attachment from a known contact — particularly a document that asks you to enable macros — warrants a call to confirm before opening.
• Maintain an email backup. As discussed in the backups post, Microsoft 365 and Google Workspace retention policies are compliance tools, not backup tools. A third-party email backup service provides genuine point-in-time recovery of email data.