Email Security Guide: How to Identify Phishing and Protect Your Business

Email security and phishing protection for businesses

Email is the highest-value attack surface in any business — the source of most ransomware, business email compromise (BEC), and credential theft. This guide focuses on the technical controls every business should have on top of user-side phishing awareness: SPF, DKIM, DMARC, sandboxing gateways, impersonation detection, and the configuration mistakes that leave even well-intentioned organizations exposed.

[Image: Email security icons and shield over inbox]
Email security is layered: protocol authentication, gateway filtering, in-mailbox protections, and user awareness — each catches a different category of threat.

The 5 Layers of Email Security

Layer | What It Does | What It Catches
1. Protocol authentication (SPF, DKIM, DMARC) | Verifies senders cryptographically | Domain spoofing
2. Email security gateway | Filters before delivery; sandboxes attachments and URLs | ~95% of bulk phishing and malware
3. In-mailbox protections | External-sender banner, impersonation detection | BEC and lookalike-domain attacks
4. User awareness | Training and phishing simulation | Targeted spear-phishing that gets through filters
5. Post-delivery response | EDR, conditional access, ZAP (zero-hour auto purge) | Threats discovered after delivery

SPF, DKIM, and DMARC — The Authentication Trio

  • SPF (Sender Policy Framework): DNS record listing which IP addresses are authorized to send for your domain. Most domains have this; few have it correctly scoped.
  • DKIM (DomainKeys Identified Mail): Cryptographic signature on outbound messages. Microsoft 365, Google Workspace, Mailgun, SendGrid, and HubSpot each need their own DKIM key configured.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): Policy that tells receivers what to do with mail that fails SPF or DKIM. p=none is monitor-only; p=quarantine sends failures to spam; p=reject drops them.

[Image: DNS records and email authentication configuration interface]
DMARC at p=quarantine or p=reject is the single highest-leverage email security improvement most organizations have not made yet.

The Email Security Gateway Layer

Vendor | Best For | Notes
Microsoft Defender for Office 365 P2 | M365-stack businesses | Bundled with E5; sandboxing, URL rewrite, attack simulator included
Proofpoint | Mid-market and enterprise | Strong impersonation and BEC detection
Mimecast | Established mid-market | Long history; strong continuity features
Abnormal Security | BEC-focused mid-market | AI-driven; strong on impersonation
Avanan / Check Point Harmony | Cloud-native organizations | API-based instead of MX-record-based

Configuration Mistakes That Leave You Exposed

[Image: Email administrator reviewing security settings and DMARC reports]
Most organizations have a gateway in place but the policy still set to monitor-only.
  • DMARC stuck at p=none. Monitor-only policy that does not actually block anything.
  • SPF too permissive. +all or overly broad include statements neutralize the protection.
  • Missing DKIM keys for legitimate senders. Marketing automation, transactional providers, third-party CRMs all need to be added.
  • External-sender banner disabled. Easy quick win; one click in Defender / Workspace admin.
  • Impersonation protection not configured. Add executive names, custom domains, lookalikes to the watch list.
  • Anti-phishing policies set to default. Strict policies catch substantially more than default policies.
  • Attachment sandboxing limited to known-bad file types. Modern attacks use HTML, OneNote, ZIP-with-LNK, ISO files.
  • Auto-forward to external addresses still allowed. The most common BEC persistence mechanism.
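The DNS audit that the authentication section and the first three mistakes above describe can be scripted. This is an added example, not code from the original article: it parses an SPF and a DMARC TXT record and flags +all / ?all / missing -all, too many include: terms, p=none, a missing rua= address and a partial pct=. The two records are constructed samples, and the lookup limit referenced is the one from RFC 7208.

```python
# Constructed sample records (not taken from any real domain): the SPF record is
# deliberately permissive and the DMARC record deliberately monitor-only.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.google.com +all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"


def audit_spf(record: str) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means no issue found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    # The last 'all' mechanism decides what happens to hosts not listed above it.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted hosts get a neutral result, add -all")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: every host on the internet passes SPF")
        elif qualifier == "?":
            findings.append("?all: unlisted hosts are neutral, not failed")
    includes = [t for t in terms if t.lower().startswith("include:")]
    # RFC 7208 limits DNS-querying mechanisms to 10; includes nest, so stay well under.
    if len(includes) > 10:
        findings.append(f"{len(includes)} include: terms exceed the 10-lookup limit")
    return findings


def audit_dmarc(record: str) -> list[str]:
    """Return findings for the DMARC TXT record published at _dmarc.<domain>."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitor-only, failing mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or unknown policy p={policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports will be received")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    return findings
```

Run it against the TXT records of every domain and subdomain you own; a clean run is the Day 1 to 3 gate in the plan below.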

30-Day Email Security Hardening Plan

  1. Day 1–3: Audit DNS — confirm SPF, DKIM, and DMARC records exist on every domain you own and every legitimate third-party sender.
  2. Day 4–7: Move DMARC to p=quarantine after 7 days of monitoring with p=none.
  3. Day 8–14: Enable strict anti-phishing and impersonation protection policies; add executive names and lookalike domains.
  4. Day 15–21: Enable safe attachments (sandboxing) and safe links (URL rewrite). Block auto-forwarding to external addresses.
  5. Day 22–28: Roll out external-sender banner; deploy phish-report button.
  6. Day 29–30: Move DMARC to p=reject after 30 days of clean reports.
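The plan's two DMARC steps (Day 4 to 7 and Day 29 to 30) depend on reading the aggregate reports sent to the rua= address, and this added example (not code from the article) shows that triage: it totals DMARC pass/fail per source in an aggregate report and splits failing sources into your own senders, which still need SPF or DKIM fixed, and unknown hosts. The report XML and the KNOWN_SENDERS inventory are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate (RUA) report, cut down to the fields used here; it is
# not from a real receiver. Source 1 passes, source 2 is a legitimate sender with
# no DKIM key configured, source 3 is an unknown host spoofing the domain.
SAMPLE_RUA = """<?xml version="1.0"?><feedback>
<policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>203.0.113.10</source_ip><count>940</count><policy_evaluated>
<disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.25</source_ip><count>120</count><policy_evaluated>
<disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>192.0.2.77</source_ip><count>35</count><policy_evaluated>
<disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical inventory of the organization's own sending hosts.
KNOWN_SENDERS = {"203.0.113.10", "198.51.100.25"}


def summarize_rua(xml_text: str) -> dict:
    """Total DMARC pass/fail counts and list every source that fails."""
    root = ET.fromstring(xml_text)
    totals = {"pass": 0, "fail": 0}
    failing = defaultdict(int)
    for row in root.iter("row"):
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # DMARC passes when aligned DKIM or aligned SPF passes; both failing is a DMARC fail.
        if ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass":
            totals["pass"] += count
        else:
            totals["fail"] += count
            failing[row.findtext("source_ip")] += count
    return {"policy": root.findtext("policy_published/p"), "totals": totals, "failing": dict(failing)}


def triage(summary: dict, known_senders: set) -> dict:
    """Split failing sources into legitimate senders that still need SPF/DKIM fixes and
    unknown sources (spoofing, or a third-party sender nobody inventoried)."""
    legit = {ip: n for ip, n in summary["failing"].items() if ip in known_senders}
    unknown = {ip: n for ip, n in summary["failing"].items() if ip not in known_senders}
    # Tightening to quarantine/reject is safe only once no known sender fails.
    return {"legit_failures": legit, "unknown_failures": unknown, "ready_to_tighten": not legit}
```

Unknown failing sources are expected once the policy is enforced; a legitimate sender in the failing list is the signal to add its DKIM key or SPF include before moving to p=quarantine or p=reject.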

Frequently Asked Questions

What is the single highest-impact email security improvement?

Moving DMARC to p=reject on every owned domain. It is free, blocks domain spoofing entirely, and dramatically reduces phishing volume.

Do we need a third-party gateway if we have M365 E5?

Defender for Office 365 P2 is competent for most SMBs. Mid-market and regulated firms often layer Proofpoint or Abnormal on top for BEC detection.

What about email encryption?

Use TLS for transport (default in M365 and Workspace), and add S/MIME or message-level encryption (Microsoft Purview, Virtru) for healthcare and legal use cases where PHI or privileged content travels by email.

Bottom Line

Most organizations have email security tools deployed but configured at the default level. A 30-day hardening pass — DMARC at reject, strict policies, sandboxing, external banner, no external auto-forward — closes 80% of the configuration gaps.

Need help hardening your email security stack? ACS configures and manages email security for U.S.-based SMBs and mid-market firms. Contact us.
