Cybersecurity

Email Protection for Business: Layers of Defence Explained

Effective email protection for UK businesses is not a single product — it is a stack of complementary controls. Authentication protocols, gateways, encryption, backup and user training each address different threats and together provide meaningful defence in depth.


Nathan Hill-Haimes

Technical Director

8 min read·Mar 2026

Why single-layer email protection fails

Email is the most targeted communication channel in any business. It carries financial instructions, sensitive client data, access credentials and internal strategy — making it attractive to attackers at every level of sophistication. A single filtering product, however capable, will never catch every threat because attackers continuously adapt their techniques to evade whatever is most widely deployed.

Defence in depth — multiple overlapping layers of protection, each addressing different threat vectors — is the principle that security architects apply to email. When one layer fails or is bypassed, the next catches what the previous layer missed. Understanding what each layer does helps you identify the gaps in your current setup.

Layer 1: Email authentication (SPF, DKIM, DMARC)

Authentication protocols operate at the DNS level and verify whether an email claiming to come from your domain was actually sent by an authorised source.

  • SPF (Sender Policy Framework): Publishes a list of IP addresses authorised to send email on behalf of your domain. Receiving servers check the IP address of the connecting server against this list.
  • DKIM (DomainKeys Identified Mail): Adds a cryptographic signature, made with your domain's private key, to outbound messages. Receiving servers verify it against the public key published in DNS, confirming the message came from your domain and was not tampered with in transit.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): Instructs receiving servers on what to do when SPF or DKIM checks fail — and provides reporting back to the domain owner about authentication results.

These protocols are foundational. Without them, your domain can be spoofed freely by anyone wanting to send phishing emails that appear to come from you, and your own staff are less protected against spoofed inbound email.
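The following is an added worked example, not code from the article or from AMVIA, showing how a receiving server combines the three protocols for one inbound message: it evaluates SPF against the sender's IP, checks whether a verified DKIM signature or the SPF identity is aligned with the visible From: domain, and then applies the DMARC policy. The DNS zone, domains (example.co.uk, relay.example.net, bulk.example.co.uk) and IP addresses are constructed sample values held in a dict so the script runs offline; a real evaluator would query DNS, resolve a/mx/exists/redirect terms, and use the full Public Suffix List.

```python
"""Added example: offline SPF / DKIM-alignment / DMARC evaluation for one message.
All records, domains and addresses below are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS TXT lookups (no network access). Sample values only.
TXT = {
    "example.co.uk": "v=spf1 ip4:203.0.113.0/24 include:relay.example.net -all",
    "bulk.example.co.uk": "v=spf1 ip4:203.0.113.0/24 -all",  # subdomain used by a mailing tool
    "relay.example.net": "v=spf1 ip4:198.51.100.0/24 -all",   # hypothetical outsourced relay
    "_dmarc.example.co.uk": "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.co.uk",
}
# Tiny stand-in for the Public Suffix List, enough for the sample domains.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "com", "net"}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def org_domain(domain: str) -> str:
    """Organisational domain: the label directly below a public suffix."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def check_spf(domain: str, sender_ip: str, txt=TXT, depth: int = 0) -> str:
    """SPF result for sender_ip against the domain's record (ip4/ip6/include/all only;
    a, mx, exists and redirect need live DNS and are skipped in this offline example)."""
    record = txt.get(domain.lower(), "")
    if not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:                      # RFC 7208 caps DNS-consuming terms at 10
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                if ip in ipaddress.ip_network(arg, strict=False):  # False if IP versions differ
                    return QUALIFIER[qual]
            except ValueError:
                return "permerror"      # malformed network in the record
        elif name == "include" and check_spf(arg, sender_ip, txt, depth + 1) == "pass":
            return QUALIFIER[qual]
        elif name == "all":
            return QUALIFIER[qual]
    return "neutral"


def parse_dmarc(record: str) -> Optional[dict]:
    """Split 'tag=value; tag=value' into a dict, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None                     # not a usable DMARC record
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])    # subdomain policy defaults to the main policy
    return tags


def find_dmarc(header_from: str, txt=TXT) -> Optional[dict]:
    """Look up _dmarc.<From domain>, falling back to the organisational domain."""
    for name in (header_from.lower(), org_domain(header_from)):
        record = txt.get("_dmarc." + name)
        if record:
            return parse_dmarc(record)
    return None


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class Message:
    header_from: str            # domain of the RFC 5322 From: header (what users see)
    envelope_from: str          # domain of SMTP MAIL FROM (what SPF authenticates)
    sender_ip: str
    dkim_domain: Optional[str]  # d= of a signature that verified, or None


def dmarc_evaluate(msg: Message, txt=TXT):
    """Return (dmarc_result, disposition) for one message."""
    policy = find_dmarc(msg.header_from, txt)
    if policy is None:
        return ("none", "none")         # no policy published: receiver uses its own heuristics
    spf_ok = (check_spf(msg.envelope_from, msg.sender_ip, txt) == "pass"
              and aligned(msg.header_from, msg.envelope_from, policy["aspf"]))
    dkim_ok = (msg.dkim_domain is not None
               and aligned(msg.header_from, msg.dkim_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    is_subdomain = msg.header_from.lower() != org_domain(msg.header_from)
    return ("fail", policy["sp"] if is_subdomain else policy["p"])


if __name__ == "__main__":
    # A message spoofing the visible From: domain from an unauthorised IP is quarantined.
    print(dmarc_evaluate(Message("example.co.uk", "attacker.net", "192.0.2.5", "attacker.net")))
```

Two points the sample policy brings out: with `aspf=r`, mail that a tool sends as bulk.example.co.uk still counts as aligned with a From: of example.co.uk, whereas `adkim=s` rejects a DKIM signature from mail.example.co.uk for that same From:, so the alignment modes you publish must match how your legitimate senders are actually configured. The `sp=reject` tag shows why the subdomain policy deserves separate attention: an unused subdomain can be spoofed just as easily as the main domain. The `pct` tag and the reporting channel are not modelled here.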

Layer 2: Email security gateway

A gateway scans every inbound and outbound message before it reaches the inbox. Modern gateways use a combination of signature-based detection, machine learning, and sandboxing (detonating suspicious attachments in an isolated environment to observe their behaviour) to identify threats.

Microsoft Defender for Office 365, Mimecast, Proofpoint and similar products sit in this space. They provide:

  • Anti-spam and anti-malware scanning
  • Anti-phishing policies including impersonation detection
  • URL filtering and safe links (re-checking URLs at the time of click, not just at delivery)
  • Attachment sandboxing
  • Outbound data loss prevention (DLP)

Microsoft 365 Business Premium includes Defender for Office 365 Plan 1, providing a solid gateway layer. Organisations handling particularly sensitive data may layer a third-party gateway in front for additional filtering depth.

Layer 3: Endpoint and identity protection

Even the best gateway will occasionally allow a malicious message through — sophisticated zero-day attacks, or social engineering with no malicious payloads at all. The next layer of protection operates at the endpoint and identity level.

Multi-factor authentication on email accounts means that even if credentials are phished, the attacker cannot access the account without the second factor. This is the single most impactful individual control for reducing the success rate of credential phishing.

Endpoint protection that scans documents and URLs when they are opened — rather than at delivery — catches threats that were not detectable at the gateway. Microsoft Defender for Endpoint and commercial EDR solutions from vendors such as CrowdStrike, SentinelOne and Sophos Intercept X all operate in this layer.

Layer 4: Email encryption

Encryption protects the content of email messages from interception in transit and in storage. Most inter-server email is now encrypted in transit using TLS automatically. End-to-end encryption — where only sender and recipient can read the message — requires additional configuration.

For organisations handling particularly sensitive information, Microsoft 365 Message Encryption (OME), S/MIME certificates, or a secure file sharing portal for sensitive documents provide the appropriate level of protection. Legal firms, healthcare organisations and financial services businesses are most likely to need formal email encryption policies.

Layer 5: Email backup and archiving

Email backup serves a different function from security filtering — it ensures you can recover from data loss, accidental deletion, or a malicious actor with admin credentials deleting data. Microsoft 365 includes Exchange Online archiving and retention policies, but these are not independent backups. A third-party backup solution provides point-in-time recovery independent of Microsoft's own infrastructure and is the standard recommendation for business continuity.

Layer 6: User awareness

All technical controls can be bypassed if an employee chooses to act on a phishing email. Regular security awareness training — including simulated phishing exercises — builds the critical thinking habits that complement technical controls. The NCSC's guidance is clear that user education is not a substitute for technical controls, but neither are technical controls a substitute for user awareness.

AMVIA designs and implements complete email protection stacks for UK SMEs, from DNS authentication configuration through to gateway deployment, endpoint integration and staff training programmes.

How Many Layers Does Your Email Security Have?

Most businesses have some email protection in place — but gaps between layers leave them exposed. AMVIA can map your current email security controls and close the gaps efficiently.

Frequently Asked Questions