Security

The 3 email security checks every small business should have

April 12, 2026

Most email attacks do not start with sophisticated hacking. They start with a message that looks like it came from Microsoft, your bank, or a vendor you work with — and someone on your team clicks a link without thinking. Email is still the most common entry point for security incidents. The good news is that the basic defenses are well established and not particularly expensive.

SPF, DKIM, and DMARC

All three are published as DNS records for your domain, and together they tell receiving mail servers which messages sent under your name are legitimate. They are invisible to your team and your clients; they work quietly in the background.

SPF (Sender Policy Framework) lists which servers are allowed to send email for your domain. When a message claiming to be from you arrives, the receiving mail server checks whether the server that sent it is on that list.

DKIM (DomainKeys Identified Mail) adds a digital signature to each outgoing message, made with a private key held by your mail server and verified against a public key published in your DNS. A valid signature shows that the message was sent by a system authorized for your domain and that the signed headers and body were not altered in transit.

DMARC ties the two together. It requires that the domain in the From line your recipients see matches the domain that passed SPF or DKIM, and it tells receiving servers what to do when neither check passes: deliver it anyway (p=none), send it to spam (p=quarantine), or refuse it (p=reject). It also asks receivers to send you aggregate reports on what is being sent in your name.

If your domain does not have these configured correctly, it is not difficult for someone to send convincing email that appears to come from your business. That is a problem both for clients receiving fake messages and for your own team being targeted.

Checking your current configuration takes a few minutes with any free DNS lookup tool: look for the SPF record at your domain and the DMARC record at _dmarc.yourdomain. One caveat: a DMARC record with p=none is monitoring only, and forged mail is still delivered until the policy is raised to quarantine or reject. Fixing this is a one-time task that most IT providers can handle quickly.
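As an added example (not code from the original post), the following Python script applies the checks described above to SPF and DMARC records you have already fetched, and flags the common weak settings: a permissive or missing "all" term, too many DNS lookups, p=none, partial pct, and no reporting address. It runs offline; the record strings are constructed for illustration, with placeholder domain and reporting address (the include hostnames are the ones Microsoft 365 and Google Workspace publish). DKIM is not checked, because verifying it needs the selector name and a signed message, not just DNS.

```python
"""Offline checks of SPF and DMARC records for the weaknesses described above.

Added example, not code from the original post. It does not touch the
network: you paste in TXT records you have already fetched (for instance
with `dig TXT example.com` and `dig TXT _dmarc.example.com`). DKIM is not
checked here, because verifying it needs the selector name and a signed
message, not just DNS.
"""
import re

# SPF mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps the
# total at 10, after which receivers return permerror and ignore SPF.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)


def check_spf(txt_records):
    """Return findings for the TXT records at the domain apex.

    Takes every TXT string, not just the SPF one, because publishing two
    SPF records is itself an error that makes receivers ignore both.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell your servers from a forger's"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers return permerror and ignore SPF"]

    findings, lookups, all_qualifier = [], 0, None
    for term in spf[0].split()[1:]:
        match = SPF_TERM.match(term)
        if not match:
            findings.append(f"unparsable term {term!r}")
            continue
        qualifier, name, _arg = match.groups()
        name = name.lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier or "+"  # no qualifier means '+'

    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms (limit 10): receivers return permerror")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result, not a fail")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every server on the internet; use -all")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral: unlisted senders are not failed")
    elif all_qualifier == "~":
        findings.append("'~all' is softfail; -all is the strict setting")
    return findings


def check_dmarc(txt_record):
    """Return findings for the TXT record at _dmarc.<domain> (None if absent)."""
    if txt_record is None:
        return ["no DMARC record: receivers apply no policy and you get no reports"]
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()

    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        findings.append("no p= tag: the record is invalid and ignored")
    elif policy == "none":
        findings.append("p=none is monitoring only: forged mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends forgeries to spam; move to p=reject once reports are clean")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    return findings


if __name__ == "__main__":
    # Constructed sample records for a placeholder domain. The include hosts
    # are the ones Microsoft 365 and Google Workspace publish; the domain and
    # reporting address are placeholders.
    apex_txt = ["v=spf1 include:spf.protection.outlook.com include:_spf.google.com ~all",
                "google-site-verification=abc123"]
    dmarc_txt = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    for label, findings in (("SPF", check_spf(apex_txt)), ("DMARC", check_dmarc(dmarc_txt))):
        print(f"{label}: " + ("OK" if not findings else ""))
        for finding in findings:
            print("  -", finding)
```

Run it against the sample records and it reports the two things a first pass usually turns up: an SPF record ending in ~all rather than -all, and a DMARC policy of p=none that is still only watching. The script deliberately takes every TXT string at the apex, not just the one starting with v=spf1, so that a duplicated SPF record (a common leftover from a migration between providers) is caught as well.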

Multi-factor authentication on every account

Passwords get stolen. It happens through phishing, through data breaches at other services where people reused a password, and through automated attacks that run at scale. The password alone is no longer a reliable gate.

Multi-factor authentication requires a second verification step at login. Even with your password, an attacker still needs that second factor. This applies to every email account in your organization: not just the owner, not just the people with access to sensitive information, but all of them. A single compromised account can be used to send messages from a trusted address, access shared files, or redirect payments. The method matters too: codes sent by SMS are the weakest option, authenticator apps are better, and security keys or passkeys resist the phishing pages that relay one-time codes.

Microsoft 365 and Google Workspace both support MFA and can enforce it for every user from the admin console (security defaults or a Conditional Access policy in Microsoft 365; 2-Step Verification enforcement in Google Workspace). If it is not turned on, that is the first thing to address.

Filtering that catches what users miss

Even careful people click things they should not. Email filtering adds a layer that stops malicious links and attachments before they reach the inbox.

Most business email platforms include some filtering by default, but the default settings are rarely the strongest available. Microsoft Defender for Office 365 (included with Microsoft 365 Business Premium) and the security settings in Google Workspace both offer stronger options: rewriting links so they are checked at the moment they are clicked, quarantining suspicious attachments, and flagging messages whose display name or address impersonates a known contact.

This is not about replacing good judgment. It is about not depending entirely on it. A filter that catches something before it reaches an inbox is far cheaper than dealing with the aftermath of one that got through.

If any of this feels familiar, we can take a quick look at your setup and tell you what is actually worth fixing.


Prefer email? info@foothill.systems