Cybersecurity

Email Security Fundamentals: The Business Guide

Every business using email needs to understand four fundamentals: authentication protocols to prevent spoofing, content filtering to block malicious messages, encryption for sensitive data, and user training to catch what technology misses.


Nathan Hill-Haimes

Technical Director

8 min read·Mar 2026

The four pillars of email security

Email security is one of those areas where businesses often have something in place but are uncertain whether it is adequate. A Microsoft 365 subscription includes basic protection. A spam filter handles some of the obvious threats. But the gap between "something" and a properly configured email security posture can be substantial — and that gap is where most successful attacks occur.

Understanding the four fundamentals gives you a clear framework for assessing where you are and what you still need.

Pillar 1: Authentication — proving your email is genuinely from you

Email authentication addresses a fundamental weakness in how email was originally designed: anyone could claim to send email from any address. Three protocols address this, and they are designed to work together:

SPF (Sender Policy Framework)

You publish a DNS TXT record listing the servers and services authorised to send email for your domain. A receiving server looks up that record for the domain in the message's envelope sender (the Return-Path, also called MAIL FROM) and checks whether the connecting IP address is on the list; if not, SPF fails. Two caveats matter in practice. First, SPF checks the envelope sender, not the From address the user sees, so on its own it does not stop display-From spoofing; that is what DMARC's alignment rule adds. Second, an SPF record may trigger at most ten DNS lookups, and a long chain of include: mechanisms can exceed that, turning the record into a permanent error. Many businesses have an SPF record but have not updated it to include all their legitimate sending services: transactional email platforms, CRM systems and helpdesk tools often need to be added explicitly.

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature covering selected headers and the body of every outbound message, created with a private key held by your mail server or sending service and verified by recipients against a public key published in DNS under a selector (for example selector1._domainkey.yourdomain.com). A valid signature confirms that the signing domain (the d= tag) took responsibility for the message and that the signed parts were not modified in transit. DKIM should be enabled for every domain and every sending service your organisation uses, preferably with 2048-bit keys that are rotated periodically.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC is the policy layer built on SPF and DKIM. A message passes DMARC if it passes SPF or DKIM and the domain that passed aligns with the domain in the visible From header (relaxed alignment accepts subdomains of the same organisational domain; strict alignment requires an exact match). The policy tells receiving servers what to do with messages that fail: monitor only (p=none), send to junk (p=quarantine) or reject the message entirely (p=reject). A DMARC policy of p=reject provides the strongest protection against your domain being used in phishing campaigns. The record's rua tag names a mailbox to which receiving servers send aggregate XML reports, giving visibility into all email being sent using your domain, including the legitimate sending sources you may have forgotten about.

The ideal progression is: publish DMARC at p=none with a rua reporting address, use the reports to identify every legitimate sending source, ensure each one passes SPF or DKIM with an aligned domain, then advance to p=quarantine (optionally ramping up with the pct tag) and finally to p=reject.
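To make the alignment rule concrete, the following Python script is added here as an illustration; it is not code from the article or from any vendor tool. It parses constructed SPF and DMARC TXT records for a hypothetical example.com, counts the SPF terms that cost DNS lookups against the limit of ten, and applies DMARC's alignment rule to sample SPF and DKIM results. The records, domains and sending services are made up, and the organisational-domain helper is a simplification (last two labels) of what a real verifier does with the Public Suffix List.

```python
"""Added example (not from the article): parse SPF and DMARC TXT records
offline and apply DMARC's alignment rule to sample authentication results."""
import re

# Constructed records for the hypothetical domain example.com.
SPF_RECORD = ("v=spf1 include:spf.protection.outlook.com include:sendgrid.net "
              "ip4:203.0.113.10 -all")
DMARC_RECORD = ("v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com; "
                "adkim=s; aspf=r")

# Terms that each consume one of the ten DNS lookups SPF permits (RFC 7208 s4.6.4).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def parse_spf(record):
    """Count this record's own lookup-costing terms and find the 'all' qualifier.

    Only direct terms are counted here; a real check resolves every include:
    recursively and adds the nested lookups to the total."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
    return {"lookups": lookups, "within_limit": lookups <= SPF_LOOKUP_LIMIT,
            "all": all_qualifier}


def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict and apply the DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Organisational domain approximated as the last two labels (assumption:
    real verifiers use the Public Suffix List, e.g. for .co.uk)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    from_domain is the visible From domain; spf_domain is the envelope sender
    (MAIL FROM) domain SPF was checked against; dkim_domain is the d= tag of a
    verified signature, or None. pct= sampling and sp= are ignored here."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(dkim_domain, from_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


if __name__ == "__main__":
    print(parse_spf(SPF_RECORD))
    # Legitimate mail: envelope sender bounce.example.com, From example.com,
    # relaxed SPF alignment -> pass.
    print(evaluate_dmarc(DMARC_RECORD, "example.com", "pass", "bounce.example.com", "none", None))
    # Spoof: the attacker's own domain passes SPF and DKIM, but neither aligns
    # with the From domain -> fail, and the policy says quarantine.
    print(evaluate_dmarc(DMARC_RECORD, "example.com", "pass", "attacker.example",
                         "pass", "attacker.example"))
```

The spoof case is the point of the exercise: SPF and DKIM both pass for the attacker's own domain, and only DMARC's alignment check ties the result back to the From address the user actually sees.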

Pillar 2: Filtering — blocking malicious content

Authentication protects others from email forged in your name and lets you reject email forged in theirs, but it does nothing about content: a phishing email sent from a domain the attacker controls can pass SPF, DKIM and DMARC. Filtering is what examines inbound messages themselves. An email security gateway analyses every inbound message against multiple threat intelligence feeds and detection methods:

  • Signature-based detection: Matches known malware samples in attachments and known malicious URLs against databases of confirmed threats
  • Heuristic analysis: Identifies suspicious characteristics in new, unknown threats based on patterns that resemble known attacks
  • Sandboxing: Opens attachments in an isolated environment to observe behaviour before allowing delivery
  • Machine learning: Detects anomalous patterns in message content, headers and metadata that indicate phishing, even without matching known signatures

Microsoft 365 includes Exchange Online Protection on all plans. Defender for Office 365 is included with Business Premium (Plan 1) and Microsoft 365 E5 (Plan 2), and is available as an add-on for other plans. Third-party gateways from Mimecast, Proofpoint and similar vendors add further filtering depth for higher-risk environments.
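As an added illustration of the heuristic layer (not code from the article, from Microsoft or from any gateway vendor), the following Python script scores two constructed messages on a handful of the signals a filter inspects: the Authentication-Results added by the receiving server, a Reply-To domain that differs from the From domain, a brand name in the display name paired with a lookalike sending domain, urgency language in the subject, and links whose visible text names a different host than the href. The messages, the brand table and the quarantine threshold are made up for the example; a real gateway combines far more signals with threat intelligence and sandboxing.

```python
"""Added example (not from the article): a minimal heuristic phishing scorer
using only the Python standard library."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages using made-up domains and a documentation IP.
RAW_PHISH = """From: "Microsoft 365 Support" <alerts@m1crosoft-secure.example>
Reply-To: recovery@mailbox-reset.example
To: finance@example.com
Subject: Action required: your mailbox will be suspended in 24 hours
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=m1crosoft-secure.example; dkim=none; dmarc=fail header.from=m1crosoft-secure.example
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Visit <a href="http://203.0.113.45/login">https://login.microsoftonline.com</a> to keep access.</p>
"""

RAW_LEGIT = """From: "Accounts" <accounts@example.com>
To: finance@example.com
Subject: March invoice attached
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/html; charset="utf-8"

<p>Please find the invoice at <a href="https://portal.example.com/inv/42">https://portal.example.com/inv/42</a>.</p>
"""

# Illustrative brand table: brand keyword -> domains it legitimately sends from.
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "microsoftonline.com")}
URGENCY_PHRASES = ("action required", "suspended", "24 hours", "expires today",
                   "verify your account")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
QUARANTINE_THRESHOLD = 2   # assumption: two or more signals is enough to hold the mail


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_results(msg):
    """Collect spf/dkim/dmarc results from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results[method.lower()] = result.lower()
    return results


def score_message(raw):
    msg = message_from_string(raw, policy=policy.default)
    reasons = []

    display, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)

    auth = _auth_results(msg)
    if auth.get("dmarc") == "fail" or (auth.get("spf") == "fail" and auth.get("dkim") != "pass"):
        reasons.append("authentication_failed")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != from_dom:
        reasons.append("reply_to_domain_mismatch")

    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and not any(
                from_dom == d or from_dom.endswith("." + d) for d in domains):
            reasons.append(f"brand_lookalike:{brand}")

    subject = str(msg.get("Subject", "")).lower()
    if any(phrase in subject for phrase in URGENCY_PHRASES):
        reasons.append("urgency_language")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = None
        if shown.lower().startswith(("http://", "https://")):
            shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and shown_host != host:
            reasons.append("link_text_host_mismatch")   # visible URL differs from real target
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw_ip_link")

    verdict = "quarantine" if len(reasons) >= QUARANTINE_THRESHOLD else "deliver"
    return {"score": len(reasons), "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    print(score_message(RAW_PHISH))
    print(score_message(RAW_LEGIT))
```

Each signal on its own is weak (plenty of legitimate newsletters use a different Reply-To, for instance), which is why gateways score and combine them rather than blocking on any one; the constructed phishing message trips all six, while the invoice trips none.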

Pillar 3: Encryption — protecting message content

Filtering protects your inbox; encryption protects the content of messages you send and receive. The three levels of email encryption are:

  • Transport Layer Security (TLS): Encrypts email in transit between mail servers. Widely supported and automatic between major providers, but opportunistic by default: a server that cannot negotiate TLS usually falls back to plaintext, so use MTA-STS or DANE where you need delivery to be encrypted or not at all. TLS does not protect messages in storage or if a server is compromised
  • Message-level encryption (e.g. Microsoft 365 Message Encryption): Encrypts message content so only the intended recipient can read it. Suitable for sending sensitive information to external recipients without requiring them to have their own certificates
  • S/MIME or PGP: End-to-end encryption using digital certificates or key pairs. Provides the strongest protection but requires both sender and recipient to have the infrastructure in place, making it practical mainly for defined partner relationships

Pillar 4: User training — the human layer

Technical controls reduce the volume and impact of threats, but they will never catch everything. The human layer, staff who recognise suspicious emails and know what to do, is what catches the attacks that slip through filtering. Effective training is not a one-off event but a continuous programme that includes:

  • Regular security awareness sessions covering current phishing tactics
  • Simulated phishing exercises with immediate, contextual feedback
  • Clear reporting procedures so staff can escalate suspicious emails quickly
  • A culture where reporting a suspected phishing email is normal and encouraged, not embarrassing

The NCSC's Cyber Essentials scheme, which AMVIA supports UK business clients in achieving, covers foundational technical controls including secure configuration, access control and malware protection, providing a recognised certification that complements the four-pillar approach.

Do Your Email Authentication Records Pass?

Many businesses have incomplete or misconfigured SPF, DKIM and DMARC records. AMVIA can check your DNS configuration and correct any issues that leave your domain vulnerable to spoofing.

Frequently Asked Questions