Email security best practices and how to implement them

Most security incidents that start with email don’t start with a sophisticated attack. They start with one user who didn’t recognize a phishing message, clicked a link and handed an attacker a way in. The technical controls existed. The gap was in how they were configured, maintained and supported by trained users.

That is the practical reality INKY, Kaseya’s email security software, is built to address, and it is why the practices below focus on what actually reduces risk rather than what looks good on a compliance checklist.

Why email security requires ongoing attention

A one-time configuration is not a security posture. Threat tactics shift faster than most organizations update their defenses. Attackers adapt to whatever filters are in place, find the gaps and use them.

The 2025 Verizon Data Breach Investigations Report found that the human element contributed to 60% of breaches, with phishing the dominant social engineering method. Financially motivated attacks increasingly rely on business email compromise (BEC), which produces no malicious attachment or link for a filter to catch. It just looks like a trusted colleague or vendor making a reasonable request.

That means the practices below are not install-and-forget steps. They require the right tools, consistent execution and a user base that knows what to do when something looks wrong.

How poor email security costs businesses

The financial case for investing in email security is straightforward: the cost of a breach consistently exceeds the cost of prevention by a significant margin.

According to IBM’s 2025 Cost of a Data Breach Report, the average phishing-related breach costs an organization $4.88 million. That figure covers incident response, legal and notification costs, regulatory fines, lost business and reputational damage. For most SMBs, a breach of that scale is not recoverable.

BEC attacks are particularly damaging because there’s often no technical artifact to detect and no moment where a user clearly did something wrong. An employee who transferred funds based on a convincing email from what appeared to be the CFO did exactly what they were asked to do. The FBI’s 2024 Internet Crime Report recorded $2.77 billion in BEC losses across more than 21,000 complaints. Given that many incidents go unreported, the true figure is almost certainly higher.

Beyond direct financial loss, the downstream costs compound quickly. Regulatory penalties under HIPAA, GDPR and PCI DSS can follow a breach that started with an unprotected inbox. Cyber insurance claims tied to email incidents can drive up premiums or trigger coverage disputes if baseline controls weren’t in place. And the reputational damage from a publicly disclosed breach can cost customer relationships that took years to build.

10 best practices for email security

Strong email security comes down to layering the right controls and maintaining them consistently. The following ten practices address the most significant risk areas, from authentication and filtering to user behavior and account monitoring.

1. Enforce multifactor authentication (MFA)

Multifactor authentication is the most effective single control against unauthorized account access. Stolen or phished passwords are the most common route into a mailbox and, without MFA, a password is all an attacker needs to take over an inbox, read internal communications and set up forwarding rules that persist long after the initial compromise is detected.

Enforce MFA organization-wide, with no exceptions for executives. They are often the highest-value targets, so they need stronger protection, not less scrutiny. Service accounts that cannot answer an interactive MFA prompt should not be left on a bare password either: restrict where they can sign in from, move them to certificate- or token-based authentication where the platform supports it and disable legacy protocols such as IMAP, POP and basic-auth SMTP, which bypass MFA entirely. Use an authenticator app rather than SMS where possible, since SIM-swapping attacks can intercept text-based codes, and prefer phishing-resistant methods (FIDO2 security keys or passkeys) for administrators and executives, since a one-time code from an app can still be relayed through an attacker-in-the-middle phishing page.

MFA enforcement is also increasingly a requirement for cyber insurance eligibility and regulatory compliance. Getting it in place proactively is far easier than retrofitting it after a breach and most cyber insurers now treat it as a baseline control rather than a nice-to-have.

2. Deploy SPF, DKIM and DMARC

Three DNS-based authentication protocols form the technical foundation of sender verification:

  • SPF (Sender Policy Framework) is a DNS TXT record listing the mail servers authorized to send on behalf of a domain. Receiving servers check the envelope sender (the Return-Path) against that list; a message from an unlisted server gets a soft fail (~all) or a hard fail (-all) depending on how the record ends. SPF says nothing about the From address the user actually sees, which is why it is not enough on its own.
  • DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound messages. Receiving servers verify the signature against a public key published in the signing domain’s DNS, confirming that the signed headers and body were not altered in transit and that a server holding the domain’s private key produced the message.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) ties the two together. It requires that SPF or DKIM pass and that the passing domain align with the domain in the visible From header, and it tells receiving servers what to do when a message fails that test: deliver it anyway (p=none), quarantine it or reject it. It also generates aggregate reports showing which sources are sending mail claiming to come from your domain.

Publishing these records is straightforward; getting them right takes a little more care. SPF is limited to 10 DNS lookups, and include: directives for third-party senders use up that budget quickly. The step most organizations skip is moving DMARC from a monitoring policy (p=none) to an enforcement policy (p=quarantine or p=reject). Without enforcement, spoofed messages still reach inboxes and the authentication controls provide no real protection. The safe path is to run at p=none long enough to read the aggregate reports, add any legitimate third-party senders (marketing platforms, ticketing systems, payroll) to SPF and DKIM, then move to quarantine, optionally phasing it in with pct=, and finally to reject. Check the sp= tag too: it defaults to the value of p=, but an explicit sp=none leaves every subdomain spoofable even when the apex domain is at reject.

DMARC reporting also surfaces unauthorized use of your domain in campaigns targeting your own users or partners — useful intelligence you don’t get without it.
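The two checks above, reading the published policy for real enforcement and reading the aggregate reports for unknown senders, are the part of DMARC that gets skipped. The following Python script is an added example, not code from the original page or from Kaseya or INKY. It parses a DMARC TXT record into its tags and explains what the record actually does to spoofed mail, then summarises a constructed aggregate (rua) report in the RFC 7489 XML shape by source IP. The record strings, the report contents and the example.com domain are all constructed for illustration.

```python
"""Triage a DMARC policy record and an aggregate (rua) report.

Added example, not code from the original page or from Kaseya/INKY.
Assumptions: the record strings and the XML report below are constructed;
the report follows the RFC 7489 aggregate-report schema.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC TXT records as they would appear at _dmarc.example.com
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def enforcement_status(tags: dict) -> str:
    """Explain what the record does to mail that fails DMARC."""
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()      # sp= defaults to the value of p=
    pct = int(tags.get("pct", "100"))   # pct= defaults to 100
    if p == "none":
        return "monitoring only: spoofed mail is still delivered"
    if pct < 100:
        return f"partial: p={p} applied to {pct}% of failing mail"
    if sp == "none":
        return f"enforced for the apex domain (p={p}) but subdomains unprotected (sp=none)"
    return f"enforced: p={p}, sp={sp}"


# Constructed aggregate report: a legitimate server, a third-party sender that
# only passes DKIM (still a DMARC pass), and an unknown source failing both.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize_report(xml_text: str) -> dict:
    """Per source IP: how many messages passed or failed DMARC, and what the receiver did with them."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "dispositions": set()})
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated already reflects alignment: DMARC passes if either aligned check passed
        passed = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        summary[ip]["pass" if passed else "fail"] += count
        summary[ip]["dispositions"].add(evaluated.findtext("disposition"))
    return dict(summary)


def failing_sources(summary: dict, min_fail: int = 1) -> list:
    """Source IPs sending DMARC-failing mail as your domain, largest volume first."""
    bad = [(ip, s["fail"]) for ip, s in summary.items() if s["fail"] >= min_fail]
    return [ip for ip, _ in sorted(bad, key=lambda t: t[1], reverse=True)]


if __name__ == "__main__":
    for record in (MONITOR_ONLY, ENFORCED):
        print(record, "->", enforcement_status(parse_dmarc_record(record)))
    report = summarize_report(SAMPLE_REPORT)
    for ip in failing_sources(report):
        print(f"{ip}: {report[ip]['fail']} messages failed DMARC, dispositions={sorted(report[ip]['dispositions'])}")
```

The third-party sender at 192.0.2.25 is the case to watch for before moving to enforcement: it passes DMARC only through DKIM, so if that vendor’s signing ever breaks, p=reject will start rejecting its mail. The unknown source at 198.51.100.7 is what p=none is letting through today.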

3. Add a dedicated email security layer

Microsoft 365 and Google Workspace include built-in filtering, and it is a reasonable baseline against known spam and some categories of malware. It is not designed to catch sophisticated, targeted threats. BEC attacks carry no payload to scan. AI-generated phishing messages lack the spelling and grammar tells that older filters were trained to flag. Lookalike domains pass authentication checks because the attacker registered them and can publish valid SPF, DKIM and DMARC records for them.

A dedicated anti-phishing solution adds the behavioral detection that native tools lack: sender relationship analysis, tone and urgency signals, link destination inspection, computer vision for brand impersonation in images and detection of QR codes used to deliver phishing links. These capabilities are the difference between catching a well-crafted spear-phishing email and letting it land in a senior manager’s inbox unmarked.

INKY applies GenAI-driven analysis to inbound, outbound and internal mail, flagging threats that signature-based systems miss and surfacing warning banners to users directly in the inbox so they understand what triggered the flag and what to do.

4. Run phishing simulations regularly

Phishing simulations measure what training alone cannot: actual user behavior under realistic conditions. An organization can complete all its annual training modules and still have a significant portion of users who will click a well-crafted phishing link under time pressure.

Regular simulations, run at least quarterly with scenarios that reflect current attack trends, identify who needs additional support and build the habit of skepticism over time. Crucially, they work best when they’re not punitive. Users who click a simulated phishing link should see an immediate, contextual explanation of what they missed and why, then be directed to a short remediation module.

BullPhish ID, Kaseya’s security awareness training tool, includes a library of phishing simulation campaign kits updated monthly to reflect current threats. Campaigns can be scheduled to send at random times across a specified window, which prevents users from alerting colleagues that a simulation is running and gives a more accurate picture of true susceptibility.

5. Keep email security awareness training current

Annual security training is better than none, but it’s not enough. Attack techniques change faster than a once-a-year refresher can track. A user who completed training in January has little recollection of it by October and no context at all for threats that emerged after the training was recorded.

Short, frequent training sessions tied to current attack trends are more effective. Monthly modules covering recent threat types, emerging phishing techniques and updated social engineering tactics maintain awareness without creating training fatigue. The goal is building a security culture where employees think about threat recognition as part of their routine, not a compliance box to check.

The 2025 Verizon DBIR found that phishing susceptibility drops significantly in organizations with consistent training programs, with well-trained teams reaching susceptibility rates under 5% compared to the industry average of around 33%.

BullPhish ID’s bite-sized video modules, online quizzes and automated remedial training workflows make it practical to run regular training across an organization without creating a management burden for the team running it.

6. Encrypt sensitive email communications

Transport Layer Security (TLS) encrypts messages in transit between mail servers, which protects against network-level interception. Most servers negotiate TLS opportunistically and fall back to cleartext if the other side does not offer it, so an attacker in the network path can still downgrade the connection. For most organizations, the practical starting point is to require TLS (a partner connector or a required-TLS transport rule) for outbound mail to key partners and clients, so that delivery fails rather than falling back to cleartext.

For communications that regularly carry regulated data, financial information or sensitive client materials, end-to-end encryption using S/MIME or PGP provides stronger protection. With S/MIME, the message body and attachments are encrypted from the sender’s client to the recipient’s client, meaning even the email provider cannot read the content. Two caveats: headers such as the subject, sender and recipients stay in cleartext, and a server-side filter cannot inspect an encrypted body, so end-to-end encryption should be scoped to the mail flows that need it rather than switched on for everything.

For organizations in healthcare, financial services, or legal services, encryption is often a compliance requirement, not just a security recommendation. Identifying which communications regularly carry regulated data and ensuring appropriate encryption is in place is a straightforward way to reduce both breach risk and regulatory exposure.

7. Implement data loss prevention (DLP)

Most email security attention focuses on inbound threats, but outbound email is also a significant risk surface. Accidental exposure of sensitive data, an employee forwarding confidential information to a personal account, or an attacker using a compromised mailbox to exfiltrate data can all create serious compliance and reputational problems.

DLP tools scan outbound email for patterns associated with regulated or sensitive data: credit card numbers, Social Security numbers, medical record identifiers and specific document types. Good policies pair the pattern match with a validation step, such as a Luhn checksum on a candidate card number, so that order numbers and phone numbers do not trigger blocks and users do not learn to ignore the control. When a message matches a defined policy, it can be flagged, quarantined or blocked before it leaves the environment.

For businesses subject to HIPAA, PCI DSS, GDPR, or similar frameworks, DLP on outbound email is typically a compliance requirement. Even outside regulated industries, DLP policies provide a meaningful safeguard against accidental data exposure and the reputational and legal consequences that follow.
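To make the pattern-plus-validation point concrete, here is an added example in Python, not code from the original page or from Kaseya or INKY. It scans a message for card numbers (digit runs that also pass the Luhn checksum) and US SSNs (with never-issued area, group and serial values excluded), then applies a simple policy: sensitive data addressed to an external recipient is blocked, internal-only matches are flagged for review and everything else is allowed. The sample messages, the example.com internal domain and the policy actions are constructed for illustration.

```python
"""Outbound DLP check for card numbers and US SSNs.

Added example, not code from the original page or from Kaseya/INKY.
Assumptions: the messages, the internal domain and the policy actions
below are constructed for illustration.
"""
import re

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own domain(s)

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000, which are never issued
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order IDs and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Card-like digit runs that also pass Luhn; separators are stripped from the result."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def classify_outbound(message: dict) -> dict:
    """Policy: sensitive data leaving the org is blocked; internal-only matches are flagged for review."""
    text = message["subject"] + "\n" + message["body"]
    reasons = []
    cards = find_card_numbers(text)
    ssns = find_ssns(text)
    if cards:
        reasons.append(f"{len(cards)} card number(s) passing Luhn")
    if ssns:
        reasons.append(f"{len(ssns)} SSN(s)")
    external = [r for r in message["to"] if is_external(r)]
    if not reasons:
        action = "allow"
    elif external:
        action = "block"
    else:
        action = "flag"
    return {"action": action, "reasons": reasons, "external_recipients": external}


# Constructed sample messages; 4111 1111 1111 1111 is a well-known Luhn-valid test number
SAMPLE_MESSAGES = [
    {"to": ["vendor@partner.example"], "subject": "Card on file",
     "body": "Please charge 4111 1111 1111 1111, exp 12/27."},
    {"to": ["hr@example.com"], "subject": "New hire paperwork",
     "body": "SSN 123-45-6789 for the I-9."},
    {"to": ["ops@partner.example"], "subject": "PO confirmation",
     "body": "Order ref 1234 5678 1234 5678, call 555-123-4567."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", classify_outbound(msg))
```

The third message is the false-positive case the validation step exists for: a 16-digit order reference and a phone number that a bare regex would flag, but that fail the Luhn check and the SSN format respectively, so the message goes out untouched.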

8. Apply least privilege to email access

Not every employee needs access to every shared mailbox, distribution list, or email admin function. Over-provisioned access creates unnecessary blast radius when any one account is compromised.

Review and audit email access permissions on a regular basis. Shared mailboxes should have only the users who need them. Admin access to email configuration should be limited to the people who manage email infrastructure. Distribution lists should be locked so only authorized senders can email them.

When an employee leaves or changes roles, email access should be updated as part of the offboarding or role-change process, not left in place indefinitely. Stale permissions are one of the most common ways attackers maintain access long after an initial compromise is detected.

9. Create a process for reporting suspicious messages

Users who spot something unusual need a fast, low-friction way to report it. If reporting means navigating a multi-step ticketing process or sending an email to an address that takes days to respond, users will stop bothering. That removes a valuable detection signal from the IT team and leaves other users exposed to the same message.

A well-designed reporting process includes a one-click report mechanism available directly in the email client, an acknowledgment to the user so they know the report was received and a defined response time for reviewing flagged messages. When a reported message is confirmed malicious, the IT team should be able to pull similar messages from other inboxes and update detection rules quickly.

This feedback loop between users and the IT team is one of the most underbuilt parts of most email security setups. Warning banners that explain why a message looks suspicious and prompt users to report it significantly increase the volume and quality of threat reports the security team receives.

10. Monitor for email account compromise signals

Technical controls and user training reduce the likelihood of account compromise, but they don’t eliminate it. When an account is taken over, the window between initial compromise and detection determines how much damage the attacker can do.

Several behavioral signals often precede or immediately follow account compromise:

  • New mail forwarding rules created, particularly rules that forward to external addresses, and rules that quietly move or delete messages so the victim never sees replies
  • Unusual login activity: new geographic locations, concurrent sessions from different countries, logins at unusual hours
  • Bulk email sending from an account not normally used for bulk sends
  • Changes to mailbox delegation or permissions
  • Password changes not initiated by the account owner
  • New MFA methods or third-party application consents registered on the account

Monitoring for these signals and having a defined response process limits the window of exposure significantly. That process should, at minimum, force a password reset, revoke active sessions and refresh tokens so the reset actually takes effect, remove any rules or delegations the attacker added and review the MFA methods registered on the account. Many account takeover attacks go undetected for weeks because no one is watching for these signals until the attacker does something visible.
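The signals listed above are simple to check for once the audit log is in hand. The Python below is an added example, not code from the original page or from Kaseya or INKY: it runs four detectors over a constructed mailbox audit log (external forwarding rules, logins from two countries inside an hour, a burst of sends from one mailbox, and delegation changes or password changes made by someone other than the owner) and then ranks the users that more than one detector hit, which is where the reset-and-revoke response should start. The events, their field names and the operation names (loosely modelled on Exchange Online audit operations such as New-InboxRule and Add-MailboxPermission) are illustrative assumptions, as are the thresholds.

```python
"""Detect account-compromise signals in a constructed mailbox audit log.

Added example, not code from the original page or from Kaseya/INKY.
Assumptions: the events below are constructed; field and operation names
(loosely modelled on Exchange Online audit operations) and the thresholds
are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}

EVENTS = [
    {"ts": "2025-03-04T08:02:00", "user": "alice@example.com", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2025-03-04T08:20:00", "user": "alice@example.com", "op": "UserLoggedIn", "country": "NG"},
    {"ts": "2025-03-04T08:25:00", "user": "alice@example.com", "op": "New-InboxRule",
     "params": {"Name": "Archive", "ForwardTo": "alice.backup@webmail.example", "DeleteMessage": True}},
    {"ts": "2025-03-04T09:00:00", "user": "bob@example.com", "op": "New-InboxRule",
     "params": {"Name": "Team copy", "ForwardTo": "team-alias@example.com"}},
    {"ts": "2025-03-04T10:15:00", "user": "carol@example.com", "op": "Add-MailboxPermission",
     "params": {"Identity": "cfo@example.com", "User": "carol@example.com", "AccessRights": "FullAccess"}},
    {"ts": "2025-03-04T11:00:00", "user": "dave@example.com", "op": "Change user password",
     "actor": "helpdesk@example.com"},
]
# A one-hour burst of sends from alice's mailbox (constructed)
EVENTS += [{"ts": f"2025-03-04T09:{m:02d}:00", "user": "alice@example.com", "op": "Send"} for m in range(60)]

FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def detect_external_forwarding(events: list) -> list:
    """Inbox rules or mailbox settings that send copies of mail outside the organization."""
    alerts = []
    for e in events:
        if e["op"] in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            params = e.get("params", {})
            targets = [params[k] for k in FORWARD_KEYS if k in params and is_external(params[k])]
            if targets:
                alerts.append({"user": e["user"], "rule": "external-forwarding", "detail": targets})
    return alerts


def detect_impossible_travel(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """Two logins from different countries within the window."""
    last, alerts = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["op"] != "UserLoggedIn":
            continue
        t = datetime.fromisoformat(e["ts"])
        prev = last.get(e["user"])
        if prev and prev[1] != e["country"] and t - prev[0] <= window:
            alerts.append({"user": e["user"], "rule": "impossible-travel", "detail": (prev[1], e["country"])})
        last[e["user"]] = (t, e["country"])
    return alerts


def detect_bulk_send(events: list, threshold: int = 50, window: timedelta = timedelta(hours=1)) -> list:
    """Sliding window over send events; alerts once a user exceeds the threshold inside the window."""
    per_user = defaultdict(list)
    for e in events:
        if e["op"] == "Send":
            per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "rule": "bulk-send", "detail": end - start + 1})
                break
    return alerts


def detect_delegation_and_password(events: list) -> list:
    """Delegation granted on a mailbox, and password changes not made by the owner (correlate with a ticket)."""
    alerts = []
    for e in events:
        if e["op"] in ("Add-MailboxPermission", "Add-RecipientPermission"):
            alerts.append({"user": e["params"]["Identity"], "rule": "delegation-change", "detail": e["params"]["User"]})
        if e["op"] == "Change user password" and e.get("actor") != e["user"]:
            alerts.append({"user": e["user"], "rule": "password-changed-by-other", "detail": e.get("actor")})
    return alerts


def run_all(events: list) -> list:
    alerts = []
    for detector in (detect_external_forwarding, detect_impossible_travel,
                     detect_bulk_send, detect_delegation_and_password):
        alerts.extend(detector(events))
    return alerts


def users_needing_response(alerts: list, min_rules: int = 2) -> list:
    """Users hit by two or more distinct detectors: reset, revoke sessions and remove rules first."""
    rules = defaultdict(set)
    for a in alerts:
        rules[a["user"]].add(a["rule"])
    return sorted(u for u, r in rules.items() if len(r) >= min_rules)


if __name__ == "__main__":
    found = run_all(EVENTS)
    for a in found:
        print(a)
    print("respond first:", users_needing_response(found))
```

Bob’s rule forwards to an internal alias and produces nothing, which is the point of checking the destination domain rather than alerting on every new rule. Alice trips three detectors within an hour and is the account to lock down immediately; the delegation and helpdesk password events are single signals to triage against a change ticket.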

How these practices work together

Each practice addresses a different part of the risk surface and none of them works in isolation. MFA stops credential theft from becoming account takeover. Authentication protocols stop domain spoofing. Dedicated email security catches the threats that pass authentication. Phishing simulations measure and build user resilience. DLP and access controls limit what an attacker can do with a compromised account. Reporting processes and compromise monitoring close the loop.

The organizations that get this wrong usually have some controls in place but gaps between them. MFA deployed on most mailboxes but not service accounts. DMARC published at p=none and never moved to enforcement. Training completed once a year but not reinforced with simulations. One weak link in this chain is all an attacker needs.

Maintaining that posture consistently, across users, devices and over time, is where most organizations struggle. It’s less about which tools you have and more about whether they’re configured correctly, kept current and supported by users who know what to do when something looks wrong.

Common mistakes that undercut email security

Understanding what not to do is as useful as the best-practice list itself. These are the gaps that come up most often in environments that have had a security incident trace back to email:

  • Treating MFA as optional for senior users: Executives are priority targets for BEC attacks. Removing or bypassing MFA for convenience is one of the most common ways organizations create their highest-risk accounts.
  • Leaving DMARC at p=none indefinitely: Publishing DMARC records without moving to a reject or quarantine policy provides no protection. It only shows you’re monitoring. An attacker spoofing your domain will succeed as long as enforcement is off.
  • Relying on native Microsoft 365 or Google Workspace filtering alone: Native filtering handles known, high-volume threats well. It is not designed for AI-generated phishing, targeted BEC, or lookalike domain attacks. Treating it as sufficient leaves a significant detection gap.
  • Running phishing simulations without follow-through: A simulation that catches users who click but offers no immediate coaching has limited value. The learning happens in the moment, not in a month-end report.
  • Ignoring outbound email: Focusing entirely on inbound threats misses data exfiltration, compromised account activity and accidental exposure of sensitive data through outbound sends.
  • Not reviewing access permissions after role changes: Employees who change roles or leave often retain email access for months. Audit access as part of the offboarding process, not as a periodic security task.

Strengthen email security with Kaseya

INKY is Kaseya’s email security software. It uses GenAI-driven analysis to detect phishing and other threats across inbound, outbound and internal mail and it surfaces interactive warning banners in the inbox that explain to users why a message was flagged and what action to take. That in-the-moment coaching reinforces security awareness without requiring separate training sessions.

BullPhish ID is Kaseya’s security awareness training and phishing simulation software. It combines engaging, bite-sized training modules with a regularly updated library of phishing simulation kits and automated remedial training for users who need additional support.

Both are available as part of Kaseya 365 User, which delivers a complete set of tools for protecting against, responding to and recovering from user-targeted threats. The suite includes INKY, BullPhish ID, Dark Web ID for credential monitoring, SaaS Alerts for cloud detection and response and Datto SaaS Protection for Microsoft 365 and Google Workspace backup.

For businesses managing email security in-house, Kaseya 365 User brings the key controls together in one place, reducing the complexity of managing multiple point solutions. For MSPs, the multi-tenant architecture means the same tools can be deployed and managed across an entire client base from a single interface, with consistent policies and reporting across every environment.
