How to Secure Your Email Domain (SPF, DKIM, DMARC) and Reduce Phishing Risk

Secure Your Email Domain

If your business is using Microsoft 365 or Google Workspace, there’s a good chance your email is working — but not fully secured. With the recent increase in phishing and impersonation attacks, properly configuring your email domain is no longer optional. Many of the scams we’re seeing today succeed not only because a user clicks, but because email security has become more complex as attack methods have evolved. Settings that were once considered sufficient often need to be revisited and strengthened to keep up with current threats. This guide explains what matters, why it matters, and what should be in place to reduce your risk.

The Core Issue: Email Spoofing

One of the most common tactics attackers use today is sending emails that appear to come from your domain. These messages may look like they’re coming from you, your staff, or your organization, even though they are being sent from completely different servers. If your domain is not properly secured, email systems have no reliable way to verify whether a message is legitimate or not. That’s where SPF, DKIM, and DMARC come in.

SPF, DKIM, and DMARC (Simple Explanation)

SPF (Sender Policy Framework) is a DNS record that tells receiving mail servers which systems are allowed to send email on behalf of your domain. Without it, anyone can attempt to send email pretending to be you.

DKIM (DomainKeys Identified Mail) adds a digital signature to your outgoing emails. The matching public key is published in your DNS, so receiving servers can verify that the message hasn’t been altered in transit and that it was signed by your domain.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties everything together: it checks that the domain in the visible From address matches the domain that passed SPF or DKIM, and it tells receiving servers what to do when a message fails. This is what actually allows spoofed emails to be blocked or sent to spam, and it can also send you reports about who is sending mail as your domain. Without DMARC enforcement, your domain is essentially saying: “Even if this email fails verification, go ahead and deliver it anyway.”

Why This Matters More Now

Today’s attacks are different than they were even a year ago. Attackers are now:

  • Using AI to generate realistic, unique emails
  • Impersonating internal users and trusted contacts
  • Hosting phishing links on legitimate platforms like Microsoft or Google

This means both technical controls and user awareness are required.

User Awareness Is Still Critical

Even with proper email security in place, users remain the final line of defense. Many attacks are designed to look legitimate and rely on someone clicking a link or opening an attachment. Simple habits that make a difference include:

  • Verifying requests before taking action
  • Avoiding unexpected attachments or links
  • Reporting suspicious emails instead of deleting them

If you haven’t already, we recommend reviewing our guide here: How to Spot Modern Phishing Emails

Microsoft 365 and Google Workspace Default Settings Are Not Enough

Out of the box, Microsoft 365 and Google Workspace provide a baseline level of protection, but many important settings are either not configured or left in a less aggressive state. Depending on your licensing level, additional protections may be available, including:

  • Advanced anti-phishing policies
  • Safe Links and Safe Attachments (Microsoft 365)
  • Enhanced impersonation protection

However, even with these features, proper domain authentication (SPF, DKIM, DMARC) is still required.

DNS Configuration (Cloudflare Example)

These protections are implemented at the domain level through DNS. In most environments (including Cloudflare), this means adding or updating a small number of records that tell other mail systems how to verify your email. In practice, this typically includes:

  • An SPF record that defines which systems can send email on your behalf
  • DKIM records that enable email signing through your provider
  • A DMARC record that enforces how failed messages are handled (monitor, quarantine, or reject)

One of the most common issues we see is domains with DMARC set to “none,” which only monitors and does not enforce protection. Moving to “quarantine” or “reject” is what actually reduces spoofing. Because these records directly affect email delivery, they need to be configured carefully — even small mistakes, such as a third-party service (newsletters, CRM, ticketing) that sends as your domain but is missing from SPF or DKIM, can cause legitimate emails to be flagged or blocked. Reviewing the DMARC reports while the policy is still at “none” is the usual way to find those senders before moving to enforcement.
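As an added example (not part of the original guide), the following Python checker parses an SPF record and a DMARC record and reports whether they actually enforce anything, flagging the “p=none” and permissive “+all” cases described above. The sample records are constructed for illustration; in practice you would paste in the TXT values returned by a DNS lookup of your domain and of `_dmarc.<your domain>`.

```python
import re

# Constructed sample records (not from the article); the SPF include is the standard Microsoft 365 one.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
SAMPLE_DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(txt):
    """Return DMARC tag=value pairs as a dict, or None if this is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def dmarc_enforces(txt):
    """True only when p= is quarantine or reject and pct= (default 100) covers all mail."""
    tags = parse_dmarc(txt)
    if not tags:
        return False
    policy = tags.get("p", "none").lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    return policy in ("quarantine", "reject") and pct == 100

def spf_all_qualifier(txt):
    """Return the qualifier on SPF's 'all' mechanism ('-', '~', '?' or '+'), or None."""
    if not txt.lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt, re.IGNORECASE)
    return (match.group(1) or "+") if match else None

def assess(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means both records enforce."""
    findings = []
    qualifier = spf_all_qualifier(spf_txt)
    if qualifier is None:
        findings.append("SPF: no valid record or no 'all' mechanism")
    elif qualifier in ("+", "?"):
        findings.append(f"SPF: '{qualifier}all' lets any server pass; use ~all or -all")
    tags = parse_dmarc(dmarc_txt)
    if tags is None:
        findings.append("DMARC: no valid record at _dmarc.<domain>")
    else:
        if not dmarc_enforces(dmarc_txt):
            findings.append(f"DMARC: p={tags.get('p', 'none')} does not block spoofed mail; move to quarantine or reject")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so no aggregate reports are received")
    return findings
```

Calling `assess(SAMPLE_SPF, SAMPLE_DMARC_WEAK)` returns the p=none finding, while the same call with `SAMPLE_DMARC_STRONG` returns an empty list.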

Additional Email Security (Optional)

For organizations that want an extra layer of protection, third-party email security services can provide:

  • Advanced phishing detection
  • URL rewriting and scanning
  • Attachment sandboxing
  • Impersonation and anomaly detection

These services typically cost around $5–$10 per user. Like any filtering system, there can occasionally be false positives, and some minor user training is required to manage quarantined messages. Historically, we haven’t strongly recommended these services for most clients due to the additional cost and complexity. However, with the recent increase in more advanced phishing attempts, that is quickly changing, and this level of protection may now be worth considering — or even necessary — for some organizations.

What This Means for Your Business

If your email domain is not fully configured with SPF, DKIM, and DMARC, your organization is more vulnerable to:

  • Email spoofing
  • Business Email Compromise (BEC)
  • Data theft attempts (W-2s, payroll, etc.)
  • Reputational damage

The good news is that this is usually a relatively quick process to review and correct.

Final Thoughts

Email security today requires a combination of proper configuration and user awareness. Most businesses already have the tools they need — they just aren’t fully implemented. If you’re unsure whether your domain is properly secured, or if you’ve seen an increase in suspicious emails, it’s worth taking a closer look. In most cases, we can review and properly configure these settings in about 30–60 minutes. If you’d like help reviewing or securing your setup, feel free to reach out — we’re happy to help.