
Five Practical Steps to Protect Your Email

Could criminals be sending fake emails that look like they come from your business?

If you run a small or medium-sized business, you may have heard terms like “SPF”, “DKIM” and “DMARC” when email security comes up. For many business owners, they sound technical, confusing and easy to ignore.

But these controls play an important role in protecting your business. They help stop criminals from using your domain name to send convincing fake emails to your customers, suppliers or staff. Without the right protection, those emails could be used to trick people into paying fraudulent invoices, sharing passwords or clicking dangerous links.

The good news is that protecting your email domain does not need to be complicated. With a clear, step-by-step approach, you can reduce the risk of email impersonation and build stronger trust in the messages your business sends.

Step 1: Understand What DMARC Is For

DMARC is an email security control that helps protect your domain name from being used in fake emails.

In simple terms, it helps receiving email systems answer three key questions:

  • Did this email really come from someone authorised to send email for your business?
  • Has the email passed checks that show it is genuine?
  • If it fails those checks, should it be allowed through, treated as suspicious or rejected?

DMARC works with two other controls:

  • SPF – a list, published in your domain's DNS, of the services allowed to send email for your domain
  • DKIM – a digital signature, added by a system holding your domain's signing key, that shows an email has not been altered since it was signed

Think of it like this: SPF and DKIM are the checks. DMARC is the rulebook that tells email systems what to do when those checks fail.

Without DMARC, criminals may find it easier to send emails that appear to come from your domain. With it properly set up, that becomes much harder.

Step 2: Find Out Who Sends Email for Your Business

Before changing any settings, start with a simple question:

“Who sends email using our domain name?”

For many SMEs, this includes more systems than expected:

  • Microsoft 365 or Google Workspace
  • Your website contact forms
  • Invoicing or accounting software
  • Marketing or CRM platforms
  • Helpdesk or ticketing systems
  • Booking or appointment tools
  • Payroll or HR systems
  • Third-party suppliers sending on your behalf

This step matters because moving too quickly can break legitimate email.

Create a simple list (a spreadsheet works well) showing:

  • System or supplier name
  • What emails it sends
  • Who owns it internally
  • Whether it is still in use
  • Whether email security is configured correctly

The goal is visibility, not perfection.

Step 3: Start with Monitoring

DMARC has different levels of protection. The safest starting point is monitoring mode.

This does not block emails. Instead, it asks receiving email systems to send you reports showing:

  • Who is sending email using your domain
  • Which emails pass authentication checks
  • Which services are misconfigured
  • Whether your domain is being impersonated

In plain terms, this setting says:

“We are using DMARC. Do not block anything yet—just show us what is happening.”

Reports can look technical, so many businesses use tools to make them easier to understand.

Step 4: Fix Genuine Senders

Once reports are coming in, group your email activity into three types:

  • Genuine emails passing checks
  • Genuine emails failing checks
  • Unknown or suspicious emails

Focus first on genuine emails that are failing.

Common causes include:

  • Suppliers not properly authorised
  • Marketing platforms missing correct settings
  • Old website plugins still sending email
  • Multiple systems with inconsistent configurations
  • Third parties using your domain incorrectly

Work through these carefully. Fix configurations or remove services you no longer use.

Good security often comes from cleaning up what has built up over time.
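As an added example that is not part of the original post, the three-way grouping in this step applied to a constructed DMARC aggregate report: each row is placed in a bucket according to whether its source appears in the Step 2 inventory and whether it passed an aligned SPF or DKIM check. The report XML, the RFC 5737 example IPs and the KNOWN_SENDERS mapping are all constructed, and matching senders by source IP alone is a simplification of how a real inventory is reconciled.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (rua) report in the RFC 7489 XML layout,
# trimmed to the fields the triage needs. Source IPs are RFC 5737 examples.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>800</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

# Hypothetical Step 2 inventory: sending IP -> the system that owns it.
KNOWN_SENDERS = {"203.0.113.10": "Microsoft 365", "198.51.100.7": "Invoicing platform"}

def triage_report(xml_text: str, known: dict) -> dict:
    """Group report rows into genuine_pass / genuine_fail / unknown.
    Returns {bucket: {label: message_count}} so each sender's volume is visible."""
    buckets = defaultdict(lambda: defaultdict(int))
    root = ET.fromstring(xml_text)
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        evaluated = rec.find("row/policy_evaluated")
        # The policy_evaluated results are already alignment-aware:
        # DMARC passes when either the DKIM or the SPF result there is "pass".
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        if ip in known:
            bucket = "genuine_pass" if passed else "genuine_fail"
            label = known[ip]
        else:
            bucket = "unknown"   # not in the inventory: investigate before enforcing
            label = ip
        buckets[bucket][label] += count
    return {bucket: dict(rows) for bucket, rows in buckets.items()}
```

The genuine_fail bucket is the Step 4 work list; the unknown bucket is what you check against suppliers before deciding it is impersonation.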

Step 5: Move to Stronger Protection

Once legitimate email is working properly, you can increase protection.

The typical progression is:

  1. Start with monitoring
  2. Identify all senders
  3. Fix configuration issues
  4. Move to quarantine (send suspicious emails to spam)
  5. Review the impact
  6. Move to reject (block failing emails completely)

This staged approach reduces risk without disrupting business operations.
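The "rulebook" idea from Step 1 and the none, quarantine, reject progression from this step, as an added example that is not code from the original post: a small Python model that reads a domain's DMARC record and decides what a receiver should do with a message given its SPF and DKIM results. The record strings, domains and the AuthResult structure are assumptions; relaxed alignment is approximated by a suffix comparison, and the sp= and pct= tags are ignored.

```python
from dataclasses import dataclass

# Constructed records for the two ends of the progression (assumed domain).
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

@dataclass
class AuthResult:
    """What the receiver learned from the two checks (hypothetical structure)."""
    spf_pass: bool      # did SPF pass for the envelope sender?
    spf_domain: str     # domain SPF was evaluated against (MAIL FROM)
    dkim_pass: bool     # did a DKIM signature verify?
    dkim_domain: str    # d= domain of that signature

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tags; reject anything that is not one."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return tags

def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed alignment, approximated: one domain equals or is a subdomain of the other."""
    a, f = auth_domain.lower(), from_domain.lower()
    return bool(a) and (a == f or a.endswith("." + f) or f.endswith("." + a))

def dmarc_disposition(from_domain: str, record: str, result: AuthResult) -> str:
    """'pass' if an aligned check passed, otherwise the action the policy requests."""
    policy = parse_dmarc(record)["p"].lower()
    spf_ok = result.spf_pass and aligned(result.spf_domain, from_domain)
    dkim_ok = result.dkim_pass and aligned(result.dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return "pass"
    return policy   # none = deliver but report; quarantine/reject = enforce
```

A message with SPF passing for an unrelated domain and no DKIM signature fails alignment, so under MONITOR it is still delivered (and reported) while under REJECT the receiver is asked to block it.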

Turning Email Security into Business Protection

DMARC is not just a technical setting—it protects trust in your business.

If someone successfully impersonates your domain, the consequences can include:

  • Fraudulent payments
  • Data breaches
  • Reputational damage
  • Difficult conversations with customers and suppliers

A well-managed setup reduces that risk and gives you better visibility of your email environment.

Simple approach for SMEs

  1. List who sends email for your domain
  2. Start with monitoring
  3. Review reports
  4. Fix legitimate senders
  5. Gradually move to full protection

You do not need to become an expert. But you do need to understand who is sending email as your business—and what should happen when something is not legitimate.

If you need help reviewing your setup, configuring SPF, DKIM and DMARC, or moving safely to enforcement, Cybersec Solutions can support you with a practical, business-focused approach.