
Email Security Fundamentals: Protect Your Primary Business Channel

SPF, DKIM, DMARC explained in business terms. Learn which email security controls actually prevent impersonation and which are just checkbox compliance.

Last updated: January 26, 2026

Pro-Owner perspective: This document frames your systems as a technical estate — an asset to be stewarded, documented, and bequeathed. Treat these steps as craftsmanship: protect the continuity, auditability, and transferability of your digital legacy.

Email Security Fundamentals

The 60-second version

Email security boils down to: Can people fake emails from your domain? SPF, DKIM, and DMARC are the three technical controls that make impersonation much harder. This article explains what each does, how to implement them without breaking email delivery, and why all three matter (not just one or two).

What this solves (in real business terms)

Scenario: Your CFO receives an email that looks like it came from your CEO asking for an urgent wire transfer. The email address looks right. The signature looks right. The tone sounds right. But it's fake.

Without email authentication (SPF/DKIM/DMARC), attackers can send emails that appear to come from anyone@yourcompany.com. Your customers receive fake invoices. Your employees receive fake HR messages. Your reputation tanks.

Protection layers:

  1. SPF: Publishes which servers may send email for your domain. Receivers check it against the envelope sender (the bounce address), not the From: line people see, which is why SPF on its own does not stop a spoofed From:.
  2. DKIM: Cryptographically signs your emails with a key published in your DNS, so a receiver can verify the message came from a system holding your key and that the signed headers and body were not altered in transit.
  3. DMARC: Ties the other two to the From: domain (alignment), tells other email systems what to do with email that fails both checks, and tells them where to send you reports.
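How a receiving server actually combines the three layers, as an added example rather than code from the article: it parses a DMARC record, then decides the fate of three constructed messages, a legitimate one, a spoof whose attacker-owned envelope domain passes SPF, and a third-party vendor that signs with its own domain (the case the "forgetting about third-party senders" scenario describes). The domains, messages and the two-label organizational-domain shortcut are assumptions for illustration; yourcompany.com is the article's placeholder.

```python
# Added example, not code from the original article: how a receiving server
# combines SPF, DKIM and DMARC for one message, and why a raw SPF pass alone
# does not stop impersonation. Messages and domains are constructed.
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a dict, applying the default
    (relaxed) alignment modes when the aspf/adkim tags are absent."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= tag")
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels
    (mail.example.com -> example.com). Real receivers use the Public Suffix
    List; this shortcut is an assumption that keeps the example offline."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) accepts any subdomain of the same organization."""
    if mode == "s":
        return identifier.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str            # domain in the visible From: header
    mail_from_domain: str       # envelope sender (Return-Path); what SPF checks
    spf_result: str             # SPF result for mail_from_domain: "pass"/"fail"
    dkim_domain: Optional[str]  # d= of a valid DKIM signature, None if unsigned


def dmarc_evaluate(msg: Message, policy: dict) -> dict:
    """DMARC passes when SPF or DKIM passes AND that identifier aligns with
    the From: domain. An SPF pass for the attacker's own envelope domain, or a
    DKIM signature under the vendor's domain, does not count."""
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.mail_from_domain, msg.from_domain, policy["aspf"])
    dkim_ok = msg.dkim_domain is not None and aligned(
        msg.dkim_domain, msg.from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": passed,
        # what the receiver does with a failing message is the p= tag
        "disposition": "none" if passed else policy["p"],
    }


POLICY = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com")

# Constructed messages (attacker.example and invoice-vendor.example are placeholders)
LEGIT = Message("yourcompany.com", "bounce.yourcompany.com", "pass", "yourcompany.com")
# The attacker's own domain has a valid SPF record, so raw SPF passes
SPOOF = Message("yourcompany.com", "attacker.example", "pass", None)
# The vendor bounces to its own domain and signs with its own key
VENDOR = Message("yourcompany.com", "mail.invoice-vendor.example", "pass",
                 "invoice-vendor.example")

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("spoof", SPOOF), ("vendor", VENDOR)):
        print(name, dmarc_evaluate(msg, POLICY))
```

The spoof is rejected even though SPF passed, because the pass was for attacker.example, not for the From: domain. The vendor message is rejected for the same structural reason, which is the fix to ask for: have the vendor sign DKIM with a selector you publish under yourcompany.com, or send from a bounce domain under yourcompany.com covered by your SPF record.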

What it costs (honest ranges)

Time investment:

  • Initial setup (SPF + DKIM + DMARC): 2-4 hours
  • Monitoring first month: 30 minutes weekly
  • Maintenance: 15 minutes quarterly

Financial cost: $0-200/year

  • DNS hosting (already have): $0
  • DMARC monitoring service (optional): $0-100/year
  • Email authentication consultant (one-time): $500-1500 if complex

Hidden costs:

  • Email delivery disruption if configured wrong (test thoroughly)
  • Time investigating DMARC reports (automated tools help)

What can go wrong

1. Implementing SPF too strictly "We listed only our mail system, tightened it up..."

  • Result: Legitimate emails from your CRM, helpdesk, newsletter tool fail SPF and, depending on the receiver and your DMARC policy, land in spam or get rejected.
  • Prevention: Audit all services that send email on your behalf. Include them in SPF, and keep the record under the 10-DNS-lookup limit (each include: counts, including the ones nested inside it); a record over the limit fails evaluation for everyone.

2. Setting DMARC to reject before monitoring "We went straight to p=reject for maximum security..."

  • Result: Every legitimate sender you forgot is now rejected outright. Customer complaints flood in.
  • Prevention: Start with p=none (monitor only). Watch reports for 2-4 weeks. Then p=quarantine. Then p=reject. The pct= tag lets you apply the stricter policy to a fraction of mail first.

3. Forgetting about third-party senders "We set up DMARC but forgot our invoice system sends emails..."

  • Result: Customer invoices get marked as spam or rejected.
  • Prevention: Document all email-sending services before implementing DMARC. A vendor passing SPF or DKIM for its own domain does not count; it has to be covered by your SPF record or sign DKIM with your domain.
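The first and third failure modes above are avoided by building the SPF record from the sender audit and checking it before it goes into DNS. The following is an added example, not the article's own tooling: it assembles the record, counts the terms that cost a DNS lookup, and flags the usual mistakes. The vendor include hostnames are placeholders (use the exact mechanism each vendor documents) and the IP address is from the RFC 5737 documentation range.

```python
# Added example, not code from the original article: assemble the SPF record
# from the sender audit and lint it before publishing. Vendor includes are
# illustrative placeholders; copy the exact value each vendor documents.
import re

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 section 4.6.4).
# More than 10 in total makes evaluation return permerror, i.e. SPF silently
# stops working at every receiver.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def build_spf(senders: list) -> str:
    """Join the audited mechanisms into one record ending in -all (hard fail)."""
    return "v=spf1 " + " ".join(senders) + " -all"


def term_name(term: str) -> str:
    """'include:_spf.google.com' -> 'include', '~all' -> 'all', 'redirect=x' -> 'redirect'."""
    term = term.lstrip("+-~?")
    return re.split(r"[:/=]", term, maxsplit=1)[0].lower()


def count_lookups(record: str) -> int:
    """Count lookup-costing terms in this record only. Each include: is itself
    a record whose own lookups also count, so the true total is >= this number;
    resolve includes recursively (or use an SPF checker) before trusting it."""
    return sum(1 for t in record.split()[1:] if term_name(t) in LOOKUP_TERMS)


def lint_spf(record: str) -> list:
    """Return a list of problems; an empty list means the record looks publishable."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("must start with v=spf1")
        return problems
    names = [term_name(t) for t in terms[1:]]
    if "all" in names and names.index("all") != len(names) - 1:
        problems.append("terms after 'all' are never evaluated")
    if "all" not in names and "redirect" not in names:
        problems.append("no terminating all mechanism: unlisted senders get "
                        "'neutral', which is as good as no SPF")
    if "+all" in terms or "all" in terms:
        problems.append("'+all' authorizes the whole internet to send as you")
    if "ptr" in names:
        problems.append("ptr is deprecated and slow; list ip4/ip6 ranges instead")
    lookups = count_lookups(record)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-lookup terms exceeds the limit of "
                        f"{MAX_LOOKUPS} (permerror)")
    if len(record) > 255:
        problems.append("longer than 255 characters: must be published as "
                        "multiple quoted strings in one TXT record")
    return problems


# Constructed output of the Week-1 audit
AUDITED_SENDERS = [
    "include:_spf.google.com",               # Google Workspace
    "include:_spf.crm-vendor.example",       # placeholder for the CRM
    "include:mail.helpdesk-vendor.example",  # placeholder for the helpdesk
    "ip4:203.0.113.10",                      # on-prem invoicing server
]
RECORD = build_spf(AUDITED_SENDERS)

if __name__ == "__main__":
    print(RECORD)
    print("lookups:", count_lookups(RECORD), "problems:", lint_spf(RECORD))
    too_many = build_spf([f"include:spf{i}.vendor.example" for i in range(11)])
    print("over limit:", lint_spf(too_many))
```

The lookup count is the number a quick glance misses: three or four vendor includes look harmless, but each of them can pull in several more includes of its own, so run the published record through an SPF checker that resolves them before declaring it done.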

Vendor questions (copy/paste)

  1. "Does your service send email from our domain? If yes, which SPF include or IP ranges do we need, and do they fit in our 10-lookup budget?"
  2. "Do you support DKIM signing with our domain (a selector we publish in our DNS)? If yes, which records do we add?"
  3. "How will we know if our DMARC policy is blocking legitimate email?"
  4. "Can you show us a sample DMARC report and explain what it means?"
  5. "What happens if we don't implement email authentication?"

Minimum viable implementation

Week 1: Audit email senders

  • [ ] List all services that send email from your domain
    • Email system (Microsoft 365, Google Workspace, etc.)
    • CRM (Salesforce, HubSpot, etc.)
    • Support desk (Zendesk, Freshdesk, etc.)
    • Newsletter tool (Mailchimp, SendGrid, etc.)
    • Invoicing system
    • Automated alerts
  • [ ] For each service, find their SPF record requirement
  • [ ] Document current DNS records

Week 2: Implement SPF

  • [ ] Create SPF record listing all authorized senders
  • [ ] Add to your domain's DNS (TXT record)
  • [ ] Verify with an SPF checker tool (syntax, and total DNS lookups after includes are resolved)
  • [ ] Test: Send emails from each service to an external mailbox, check they pass SPF in the Authentication-Results header

Week 3: Implement DKIM

  • [ ] Enable DKIM in your email provider
  • [ ] Add the DKIM public key to DNS (a TXT record at selector._domainkey.yourcompany.com, or a CNAME to the record your provider hosts)
  • [ ] Verify the DKIM signature on sent emails (dkim=pass with d=yourcompany.com in the Authentication-Results header)
  • [ ] Test with external recipients

Week 4: Implement DMARC (monitor mode)

  • [ ] Create DMARC policy: v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com
  • [ ] Add to DNS as TXT record for _dmarc.yourcompany.com
  • [ ] Set up the mailbox that receives DMARC reports (if it lives on a different domain, that domain must publish an authorization record at yourcompany.com._report._dmarc.otherdomain, or receivers will not send reports there)
  • [ ] Review reports weekly for 4 weeks: every source failing both aligned checks is either a sender you forgot or someone impersonating you
  • [ ] After monitoring, once no legitimate sender still fails, upgrade to p=quarantine then p=reject
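What "review reports weekly" looks like in practice, as an added example that is not the article's own script: aggregate (rua) reports arrive as XML, one <record> per sending source, and the job is to separate sources that authenticate, sources that authenticate for somebody else's domain (a vendor you have not set up), and sources that authenticate for nobody (impersonation). The report below is constructed in the RFC 7489 Appendix C layout; the IPs are documentation addresses and invoice-vendor.example is a placeholder.

```python
# Added example, not code from the original article: triage one DMARC
# aggregate report and decide whether the policy can be tightened. The XML
# is a constructed report; IPs are RFC 5737 documentation addresses.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1767225600</begin><end>1767311999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourcompany.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>840</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcompany.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>yourcompany.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>invoice-vendor.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.invoice-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>3100</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <spf><domain>yourcompany.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(record: ET.Element) -> dict:
    """Summarize one <record>: volume, aligned results and a triage verdict."""
    row = record.find("row")
    evaluated = row.find("policy_evaluated")
    # policy_evaluated already has alignment applied by the receiver
    dkim_aligned = evaluated.findtext("dkim") == "pass"
    spf_aligned = evaluated.findtext("spf") == "pass"
    auth = record.find("auth_results")
    raw_pass_domains = sorted({
        e.findtext("domain")
        for e in auth.findall("dkim") + auth.findall("spf")
        if e.findtext("result") == "pass"
    })
    if dkim_aligned or spf_aligned:
        verdict = "authenticated"
    elif raw_pass_domains:
        # Authenticated, but for another domain: a legitimate third-party
        # sender that is not yet signing with your key / in your SPF record
        verdict = "unaligned third-party sender (" + ", ".join(raw_pass_domains) + ")"
    else:
        verdict = "unauthenticated, likely spoofing"
    return {
        "source_ip": row.findtext("source_ip"),
        "count": int(row.findtext("count")),
        "disposition": evaluated.findtext("disposition"),
        "dmarc_pass": dkim_aligned or spf_aligned,
        "verdict": verdict,
    }


def summarize(report_xml: str) -> list:
    """Parse a whole aggregate report; one dict per source, largest first."""
    root = ET.fromstring(report_xml)
    rows = [classify(r) for r in root.findall("record")]
    return sorted(rows, key=lambda r: r["count"], reverse=True)


def ready_for_reject(rows: list) -> bool:
    """Tighten the policy once no unaligned legitimate sender remains.
    Spoofing traffic failing is the goal, not a blocker."""
    return not any(r["verdict"].startswith("unaligned") for r in rows)


if __name__ == "__main__":
    rows = summarize(SAMPLE_REPORT)
    for r in rows:
        print(f"{r['source_ip']:>15} {r['count']:>6} {r['verdict']}")
    print("safe to move past p=none:", ready_for_reject(rows))
```

Real reports arrive as .zip or .gz attachments, one per receiving organization per day, so extract them before parsing and merge the rows across receivers. The largest source in this sample is the spoofer, which is normal for a domain that has just turned on reporting; the source that blocks the move to p=reject is the small vendor row, because that traffic is yours.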

When to hire help

DIY-friendly if:

  • Single email service (Microsoft 365 or Google Workspace only)
  • No third-party services sending email from your domain
  • Under 50 employees
  • Basic DNS knowledge

Get professional help if:

  • Multiple domains with different email needs
  • Complex email routing (on-prem + cloud)
  • Many third-party integrations
  • Previous email deliverability issues
  • No one on staff comfortable editing DNS

Warning signs:

  • You can't explain what SPF, DKIM, and DMARC do
  • You're already experiencing email impersonation
  • Customers report receiving fake emails from your domain
  • Regulated industry with email security requirements

Need Help Implementing This?

If you'd like guidance tailored to your specific infrastructure, we offer focused consultations. No sales pressure, just practical next steps.
