Email Security: The Top 10 Controls That Actually Matter
Email security is not just about buying another tool. SPF, DKIM, DMARC, domain reputation, impersonation protection, and proper configuration matter more than most vendors admit.
Email security has become noisy.
Every vendor has another gateway, add-on, banner, dashboard, or AI-powered feature promising to stop email threats.
Some are useful. Some are not. Most only work if they are actually configured.
That is the part many businesses miss.
A product being “deployed” does not mean it is protecting you. If mail is flowing but SPF, DKIM, DMARC, spoofing controls, impersonation rules, quarantine policies, and alerting are not tuned, the tool may be doing far less than leadership assumes.
The Reality
| What leadership thinks | What is often true |
|---|---|
| “We bought email security.” | The product is licensed, but barely configured. |
| “Mail is flowing through it.” | Mail flow does not equal protection. |
| “Microsoft 365 spam filtering does not work.” | It may still be running mostly default settings. |
| “We have Proofpoint, Mimecast, or Barracuda.” | Great, but only if the policies are actually tuned. |
| “Our domain is protected.” | Not unless SPF, DKIM, and DMARC are configured correctly. |
Email is still one of the most common ways attackers get into businesses. It deserves regular review, not a one-time setup.
The Top 10 Email Security Controls That Matter
1. SPF: Define Who Can Send for Your Domain
SPF tells receiving mail systems which servers are authorized to send email for your domain.
This should include:
- Microsoft 365
- Marketing platforms
- Billing systems
- Ticketing systems
- Website forms
- Scanners and copiers
- Line-of-business applications
A bad SPF record can block legitimate email or allow unauthorized systems to send as your domain. It can also silently stop working: SPF allows at most 10 DNS-querying mechanisms (include, a, mx, ptr, exists, redirect) per check, and once every nested include is counted a record that exceeds the limit returns a permanent error instead of a pass.
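An added example, not code from the original post: a small Python audit that parses an SPF record, follows every include: and redirect= target, counts the DNS-querying terms against the 10-lookup limit, and flags a weak +all or ?all. The domain names and the records in SAMPLE_ZONE are constructed stand-ins for real DNS answers; nothing is resolved over the network.

```python
import re

# SPF terms that cost a DNS query; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# One SPF term: name, optional ':' or '=' argument, optional /cidr suffix.
TERM_RE = re.compile(r"([A-Za-z0-9]+)(?:([:=])([^/]*))?(/.*)?")

# Constructed stand-in for DNS (domain -> TXT record). Nothing is resolved.
SAMPLE_ZONE = {
    "example.com": "v=spf1 include:spf.mailhost.example "
                   "include:_spf.crm-vendor.example ip4:203.0.113.10 mx -all",
    "spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 "
                            "include:spf-a.mailhost.example -all",
    "spf-a.mailhost.example": "v=spf1 ip4:198.51.100.128/25 -all",
    "_spf.crm-vendor.example": "v=spf1 a mx ip4:192.0.2.0/24 ?all",
}


def parse_spf(record):
    """Return (qualifier, name, argument, is_modifier) tuples for one record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        match = TERM_RE.fullmatch(term)
        if not match:
            raise ValueError("unparseable SPF term: %r" % term)
        name, sep, arg, _cidr = match.groups()
        parsed.append((qualifier, name.lower(), arg, sep == "="))
    return parsed


def audit_spf(domain, zone, _path=()):
    """Walk include:/redirect= targets, counting DNS-querying terms and
    collecting findings. Returns (lookups, findings)."""
    if domain in _path:
        return 0, ["%s: include/redirect loop" % domain]
    record = zone.get(domain)
    if record is None:
        return 0, ["%s: no SPF record (referenced but missing)" % domain]
    path = _path + (domain,)
    lookups, findings = 0, []
    saw_all = saw_redirect = False
    for qualifier, name, arg, _is_modifier in parse_spf(record):
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect"):
            sub_lookups, sub_findings = audit_spf(arg, zone, path)
            lookups += sub_lookups           # nested lookups count too
            findings.extend(sub_findings)
            saw_redirect = saw_redirect or name == "redirect"
        elif name == "all":
            saw_all = True
            if qualifier in "+?":            # +all / ?all: anyone may send
                findings.append("%s: '%sall' does not fail unlisted senders"
                                % (domain, qualifier))
    if not saw_all and not saw_redirect:
        findings.append("%s: no 'all' term, unlisted senders get neutral" % domain)
    return lookups, findings


def spf_report(domain, zone):
    """Audit one domain and add the lookup-limit verdict."""
    lookups, findings = audit_spf(domain, zone)
    if lookups > MAX_LOOKUPS:
        findings.append("%s: %d DNS lookups exceed the limit of %d (permerror)"
                        % (domain, lookups, MAX_LOOKUPS))
    return {"lookups": lookups, "findings": findings}


if __name__ == "__main__":
    print(spf_report("example.com", SAMPLE_ZONE))
```

The sample domain comes out at six lookups with one finding: the CRM vendor's include ends in ?all, which means that vendor's record vouches for nothing. Swapping the dictionary for real TXT lookups is the only change needed to run this against your own zone.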
2. DKIM: Prove the Message Was Authorized
DKIM adds a digital signature to outbound email.
That signature lets receivers verify that the signing domain took responsibility for the message and that the signed headers and body were not modified in transit.
For Microsoft 365, DKIM signing should be enabled for every custom domain you send from, not just the default onmicrosoft.com domain. Third-party platforms should sign with DKIM whenever they support it, ideally with a selector under your own domain so the signature aligns with your From address for DMARC.
3. DMARC: Tell the World What to Do with Spoofed Mail
DMARC builds on SPF and DKIM.
It tells receiving systems what to do when a message fails authentication. A message passes DMARC only if SPF or DKIM passes and the domain that passed aligns with the domain in the visible From header; an SPF pass for a vendor's bounce domain does not count.
| DMARC Policy | What It Means |
|---|---|
| p=none | Monitor only. No enforcement. |
| p=quarantine | Send failing messages to spam or quarantine. |
| p=reject | Reject failing messages outright. |
This is where domain protection gets real.
Without DMARC enforcement, attackers may still be able to send messages that appear to come from your domain.
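An added example, not code from the original post: the decision a receiving system makes under DMARC, in Python. It parses the record, applies strict or relaxed alignment between the authenticated domain and the From domain, picks p= or sp= depending on whether the From domain is a subdomain, and lists the gaps that keep a record from actually enforcing anything. The records, domains and authentication results used are constructed; the organizational-domain helper is a two-label simplification of what real receivers do with the Public Suffix List.

```python
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be one of %s" % ", ".join(POLICIES))
    tags.setdefault("sp", tags["p"])    # subdomain policy falls back to p=
    tags.setdefault("adkim", "r")       # relaxed alignment unless adkim=s
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (constructed
    shortcut; real receivers use the Public Suffix List, e.g. for .co.uk)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def is_aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same
    organizational domain, so a subdomain can align with its parent."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, record_domain, from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Decide DMARC for one message. spf_domain is the envelope (MAIL FROM)
    domain; dkim_domain is the d= of a signature that verified."""
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and is_aligned(spf_domain, from_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, tags["adkim"])
    passed = spf_aligned or dkim_aligned
    # The record is published at the organizational domain; a From: on a
    # subdomain without its own record is governed by sp=.
    policy = tags["sp"] if from_domain.lower() != record_domain.lower() else tags["p"]
    return {
        "pass": passed,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else policy,
        "pct": int(tags["pct"]),   # share of failing mail the policy is applied to
    }


def enforcement_gaps(record):
    """What to fix before calling the domain 'protected'."""
    tags = parse_dmarc(record)
    gaps = []
    if tags["p"] == "none":
        gaps.append("p=none: failing mail is reported but still delivered")
    elif tags["sp"] == "none":
        gaps.append("sp=none: subdomains are left unprotected")
    if int(tags["pct"]) < 100:
        gaps.append("pct=%s: only part of failing mail gets the policy" % tags["pct"])
    if "rua" not in tags:
        gaps.append("no rua=: no aggregate reports, so you cannot see who sends as you")
    return gaps


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    # A spoof: SPF passes for the attacker's own envelope domain, no DKIM.
    print(evaluate_dmarc(rec, "example.com", "example.com",
                         "pass", "attacker.example", "none", None))
```

The spoof case is the one the section is about: SPF can pass (for the attacker's own bounce domain) and the message still fails DMARC because nothing aligns with the From domain. Under p=none that failure is reported and delivered anyway; under p=reject it is refused.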
4. Domain Reputation: Protect More Than Your Inbox
Most companies focus on inbound email protection.
That matters, but your outbound identity matters too.
If attackers spoof your domain, they can target:
- Customers
- Vendors
- Employees
- Partners
- Finance teams
- Executives
The damage can include payment fraud, credential theft, brand damage, and poor email deliverability.
Your domain is part of your reputation. Treat it like an asset.
5. Third-Party Senders: Know Every System Sending as You
This is where environments get messy.
CRMs, payroll systems, marketing tools, websites, help desk platforms, accounting systems, and business applications may all send email as your company.
Every sender should be:
- Documented
- Authenticated
- Reviewed
- Removed if no longer needed
If you do not know who is sending as your domain, you do not fully control your domain.
6. Inbound Filtering: Tune the Product You Already Own
Microsoft Defender, Barracuda, Proofpoint, Mimecast, and other platforms can all be effective.
They can also all be ineffective.
The difference is configuration.
Settings that need review include:
- Spam thresholds
- Bulk email handling
- Phishing protection
- Malware policies
- Safe links
- Safe attachments
- Spoof intelligence
- Allow and block lists
- Quarantine actions
- Alert routing
Default settings are not a security strategy.
7. Impersonation Protection: Protect the People Attackers Pretend to Be
Attackers love pretending to be executives, finance staff, HR, vendors, and trusted partners.
Impersonation protection should cover:
| Protection Area | Example |
|---|---|
| Executive impersonation | CEO/CFO display name spoofing |
| Finance impersonation | Fake invoice or payment change requests |
| HR impersonation | Fake payroll or benefits messages |
| Vendor impersonation | Lookalike domains or fake sender names |
| Internal spoofing | Messages pretending to be from your own users |
This is one of the most common gaps I see.
The license exists. The product is active. But the actual protected users and domains were never added.
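An added example, not code from the original post: the kind of check an impersonation policy runs on each inbound From header, written in Python so the logic is visible. It covers three rows of the table above: a display name that matches a protected user but arrives from another address, a lookalike of a protected domain (confusable characters or one edit away), and mail claiming one of your own domains that failed DMARC. The protected users and domains are constructed placeholders; in a real deployment they come from the impersonation policy in your mail platform, and the DMARC result from the Authentication-Results header.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed protected lists. Real ones live in the mail platform's policy.
PROTECTED_USERS = {
    "Jane Doe": "jane.doe@example.com",   # CEO
    "Sam Lee": "sam.lee@example.com",     # CFO
}
PROTECTED_DOMAINS = {"example.com", "partnerbank.example"}

# Character runs attackers swap for ones that look the same in a mail client.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]


def normalize_name(name):
    """Fold accents, case, punctuation and token order: 'Doe, Jane' == 'Jane Doe'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(re.findall(r"[a-z]+", folded.lower())))


def skeleton(domain):
    """Collapse a domain to its visual skeleton so examp1e.com == example.com."""
    folded = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for src, dst in CONFUSABLES:
        folded = folded.replace(src, dst)
    return re.sub(r"[^a-z.]", "", folded)


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats (example.co)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header, dmarc_pass):
    """Return impersonation findings for one inbound message's From header.
    dmarc_pass is the receiver's DMARC verdict for that message."""
    display, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    findings = []

    # 1. Executive / finance / HR impersonation by display name.
    norm = normalize_name(display)
    for user, user_addr in PROTECTED_USERS.items():
        if norm and norm == normalize_name(user) and address != user_addr:
            findings.append("display name impersonates %s (sender %s)" % (user, address))

    if domain in PROTECTED_DOMAINS:
        # 2. Internal spoofing: claims your domain but did not authenticate.
        if not dmarc_pass:
            findings.append("claims %s but failed DMARC (internal spoofing)" % domain)
    else:
        # 3. Vendor / partner lookalike domains.
        for protected in PROTECTED_DOMAINS:
            if levenshtein(skeleton(domain), skeleton(protected)) <= 1:
                findings.append("lookalike of protected domain %s: %s" % (protected, domain))
    return findings


if __name__ == "__main__":
    for header, ok in [('"Jane Doe" <ceo.office@freemail.example>', True),
                       ('"Accounts Payable" <ap@examp1e.com>', True),
                       ('"Sam Lee" <sam.lee@example.com>', False)]:
        print(header, "->", assess_sender(header, ok))
```

The third case is the one most often missed: the address is genuinely your CFO's, so a display-name rule will not fire, and only the failed authentication result gives it away. That is why impersonation protection and DMARC enforcement are checked together rather than one or the other.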
8. Quarantine and Reporting: Create a Feedback Loop
Email security is not just about blocking messages.
Users need a simple way to report suspicious email. IT needs a process to review submissions, release false positives, tune policies, and identify patterns.
A healthy process looks like this:
- User reports suspicious email.
- IT or security team reviews it.
- Similar messages are searched across the tenant.
- Malicious messages are removed.
- Policies are adjusted if needed.
- Users are educated when appropriate.
Quarantine should not be a black hole.
If nobody reviews what is being blocked or reported, the system is not being managed.
9. Mail Flow Rules and Connectors: Clean Up Hidden Risk
Old mail flow rules, connectors, trusted IP addresses, relay exceptions, and bypass rules can quietly weaken email security.
This is especially common after:
- Microsoft 365 migrations
- Acquisitions
- Vendor changes
- MSP transitions
- Old scanner or application setups
- Previous troubleshooting work
A single old bypass rule can undo a lot of expensive security tooling.
10. Legacy Protocols: Reduce Easy Attack Paths
Older protocols can create unnecessary risk.
These should be reviewed carefully:
| Protocol | Why It Matters |
|---|---|
| POP | Often unnecessary and harder to secure. |
| IMAP | Commonly abused when left open. |
| SMTP AUTH | Useful in some cases, risky if broadly enabled. |
| ActiveSync | Should be controlled with modern policies. |
| Basic Authentication | Should be blocked wherever possible. |
Modern authentication, MFA, conditional access, and controlled SMTP relay should be the standard.
The Quick Executive Checklist
If you only ask 10 questions, ask these:
- Is SPF accurate?
- Is DKIM enabled?
- Is DMARC monitored and enforced?
- Do we know every system sending as our domain?
- Are inbound spam and phishing policies tuned?
- Are executives and finance users protected from impersonation?
- Are users able to report suspicious email?
- Is quarantine reviewed?
- Are old mail flow bypasses cleaned up?
- Are legacy protocols disabled or restricted?
The Bottom Line
Email security is not about buying the most expensive product.
It is about getting the fundamentals right.
SPF, DKIM, and DMARC protect your domain.
Inbound filtering protects your users.
Impersonation protection protects leadership and finance teams.
Quarantine review and user reporting keep the system improving.
The best email security tool in the world will not help much if nobody configures it.
Buying email security is easy.
Making it work is the part that matters.