5 email security basics for every type of business

Email security can be hard. While making sure your business infrastructure is protected from threats like phishing attacks, business email compromise and ransomware hits is a must, knowing how to lay the foundations for your email security framework isn’t as easy as it might sound.

Just one quick Google search for the ‘best email protection’ will highlight the amalgam of offers out there, all aimed at securing your posture in an ever-growing threat landscape. There are masses of products on the market, a sea of solutions to choose from, and reams of ‘best-practice’ advice. 

But stripping it all back, what essential building blocks should make up the foundation of your business’ email security posture? In this blog, we’ll cover the 5 email security measures every business should have in place.

1. Secure Cloud-Based Email Hosting 

In its simplest form, cloud-based email gives businesses the tools they need to send, receive, and store messages via the internet. Whereas in the past, email client software was installed on computers to send and receive email, cloud-based hosting enables this to be done via a browser. 

This means that businesses and users can access their email from anywhere, aren’t weighed down by servers, can easily recover lost data in an emergency, and scale up or down in line with their business. 

From a security standpoint, cloud email hosting is the way forward. Not just because of the ease of use it offers, but because most cloud-based solutions offer maintenance and essential security like DMARC, 2FA, and good spam filtering as part of the package. 

Two of the most popular cloud-based email vendors are Microsoft M365 and Google Workspace.

2. DMARC policy in p=reject

If your business uses email in any capacity to communicate with customers, employees, or suppliers (let’s face it, this is most businesses), then it’s absolutely essential that your DMARC policy is configured at p=reject.

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance, and it’s a globally standardized protocol which was founded in 2012. When configured correctly in p=reject, it protects your domain against exact impersonation using existing security protocols SPF and DKIM. This means that no bad actors can send fraudulent or phishing emails while pretending to be you by impersonating your domain.

By implementing DMARC, you’re protecting your customers, employees, supply chain and brand reputation from the often devastating effects of phishing scams, spear phishing, business email compromise, ransomware attacks, and more. You’re also contributing to the improved security of the wider email ecosystem. 

But there are other more business-based benefits of implementing DMARC too, such as improved deliverability and better inbox placement. This is because by implementing DMARC, you’re telling recipient servers that your emails are coming from a valid source. Then there’s Brand Indicators for Message Identification, or BIMI for short. Perhaps one of the most beneficial rewards for marketers, BIMI lets businesses attach their registered logo to any DMARC-authenticated emails they send. Not only does this boost brand impressions, but we found that showing a logo on an email positively impacts how the recipient interacts with it too.

As mentioned above, if you’re using a cloud vendor like Microsoft M365 or Google Workspace then good news, you’ll already have DMARC in place. But if not, then correct DMARC configuration is a must-do, both for the security and marketing benefits it provides. But we won’t lie, whiteknuckling the DMARC journey alone isn’t advised. It can be very difficult, and if done incorrectly, it can actually lead to more issues to do with deliverability. But that’s where our award-winning product OnDMARC comes into play, making DMARC configuration quick, easy and painless for everyone. 

Find out more

3. 2 Factor Authentication 

2 Factor Authentication (2FA) is essentially the practice of setting up an added layer of security to your email logins. It works by allowing an application to link your user to an authentication mechanism (i.e. an authenticator app). Each time it’s used, a unique verification code is generated and recognized by the application to confirm that your login is valid. 

2FA is an essential component in the quest to keep email accounts throughout your organization secure. This is because it protects from account takeover, especially if and when passwords are reused and leaked.

4. Password Management 

There’s a password for everything nowadays. And while it’s never a good idea to reuse or share passwords across devices, having a different one for every application and simultaneously conjuring any one of these up in your mind in your moment of need can be really challenging. 

So, a password manager does exactly what it says on the tin, securely storing the different passwords for your various accounts across the internet in one easy-to-access place. (That is of course, unless you forget your master password for that too).

We’ll admit, it’s not the most intuitive or high-tech solution to this seemingly universal problem. But until there’s a better approach, a Password Manager can be a useful way to ensure your passwords are secure and accessible. However, it’s worth remembering that while having a password manager is recommended, it’s never a substitute for 2FA. 

Google Chrome offers a free password manager, but there are also more advanced options like LastPass too. 

5. Spam Detection and File Scanning

While putting the right outbound email protection in place is vital, most businesses will also want to rest assured knowing there’s a sufficient layer of security identifying, mitigating and solving inbound email threats too.

That’s where Spam Detection and File Scanning solutions come in, examining inbound emails and attachments for all manner of threats. Most cloud-based vendors and more traditional SEGs offer these as part of their service. But if you’re not using one of these, it’s still an important extra layer to add to your foundational email security setup.  

Take the first step towards more secure email today

We hope this blog is useful in offering a straightforward run-down of the measures most essential for your business’ email security. To make a start on one of the most important steps today, sign up for your free OnDMARC trial below!


Sabrina Evans

5 Aug. 2021



Recent Posts


Preventing certificate related violations in cybersecurity frameworks:  A guide to certificate monitoring…

Rebecca Warren

TLS is one of the most widely adopted security protocols in the world allowing for unprecedented levels of commerce across the internet.  At the core of the TLS protocol is TLS certificates. Organizations must deploy TLS certificates and corresponding private keys to their systems to provide them with unique identities that can be reliably…

Read more

Red Sift ASM & Red Sift Certificates: the missing link in your…

Billy McDiarmid

According to Gartner, Attack Surface Management (ASM) refers to the “processes, technology and managed services deployed to discover internet-facing enterprise assets and systems and associated exposures which include misconfigured public cloud services and servers.” This broad category of tooling is used within Continuous Threat Exposure Management (CTEM) programs, with many vendors within it having…

Read more

The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more