Email security: a complete guide for IT teams and MSPs

Email remains the most exploited attack vector in cybersecurity. It’s the entry point for phishing, business email compromise, malware delivery, and ransomware. Despite decades of awareness, it’s still where most successful attacks begin.

According to the 2026 Kaseya State of the MSP Report, 44% of MSPs report that at least 10% of their clients experienced a cyberattack in 2025, and phishing via email remains the most common initial access vector behind those incidents. The 2026 Kaseya INKY Email Security Report puts the scale in sharper context: 26% of all cybercrime complaints filed with the FBI are phishing-related, with $2.8 billion in reported Business Email Compromise losses alone.

The reason email is so effective as an attack vector is straightforward: it’s essential, ubiquitous, and deeply trusted. People open emails. They click links. They act on requests from apparent authorities. The mechanisms that make email functional as a communication tool are the same ones attackers exploit. No technical control fully replaces human judgment, but the right email security stack dramatically reduces the volume of malicious content that reaches users, and limits the damage when some attacks get through.

This guide covers what a complete email security posture looks like, from foundational protocols to AI-powered detection, for IT teams and the MSPs managing email environments on behalf of clients.

Why email security requires multiple layers

No single email security control is sufficient because different attack types exploit different vulnerabilities.

Mass phishing exploits volume: a small percentage of recipients clicking a link still yields thousands of compromised accounts. Spear phishing exploits relevance: tailored messages bypass suspicion even in well-trained users. BEC exploits trust: messages from compromised or impersonated accounts bypass content-based filters entirely. Malware delivery exploits curiosity: malicious attachments and links rely on users opening content. Account takeover bypasses everything once credentials are obtained, because the attacker operates as a legitimate user.

Each of these requires different controls. A gateway filtering known malicious content doesn’t help against a BEC attack from a legitimate account. DMARC prevents domain spoofing but doesn’t block sophisticated impersonation from lookalike domains. Security awareness training reduces click rates but doesn’t eliminate them. The 2026 Kaseya INKY Email Security Report found that AI-generated phishing has now become the baseline, with attackers producing highly convincing messages at scale, and expanding to new attack surfaces like calendar invitations, protected documents, and callback phone numbers.

The effective answer is layered controls that each address a different part of the attack surface.

The foundation: email authentication protocols

Three foundational protocols address domain impersonation, the technique of sending email that falsely claims to originate from a legitimate domain.

SPF (Sender Policy Framework) specifies which mail servers are authorized to send email for a domain. When an email arrives claiming to be from your domain, the receiving server checks SPF records to verify the sending server is authorized.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound email that allows receiving servers to verify the message was sent by an authorized sender and hasn’t been modified in transit.

DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM to tell receiving servers what to do when authentication fails — quarantine or reject unauthenticated email — and report back on what’s being sent that claims to come from your domain.

DMARC with a `p=reject` policy is the strongest configuration: it prevents any email that fails authentication from being delivered. Implementing it fully requires ensuring all legitimate mail streams are properly authenticated first, including third-party sending services, marketing platforms, and transactional email providers, so legitimate email isn’t caught in the reject policy.

Many organizations have SPF and DKIM configured but are missing DMARC enforcement, leaving the most important layer of the protection absent.

Anti-phishing and inbound filtering

Modern email security platforms use AI and machine learning to go well beyond blacklist-based filtering.

Content analysis examines message content, sender reputation, sending infrastructure, and metadata to identify phishing patterns, including patterns that don’t match any known campaign.

Link analysis evaluates embedded URLs against threat intelligence, reputation databases, and real-time scanning of the destination content. Time-of-click analysis rewrites links so they’re evaluated at the moment the user clicks, protecting against delayed phishing, where a link is safe at delivery but points to malicious content by the time the user acts on it.

AI-powered anomaly detection identifies messages that deviate from the established communication patterns of the apparent sender, flagging messages that behavioral analysis marks as suspicious even when content-based signals look clean.

INKY, Kaseya’s email security product available as a standalone or as part of Kaseya 365 User, takes a distinct approach to this problem. Rather than relying solely on pattern matching, INKY uses GenAI to read email text with genuine comprehension, recognizing meaning, intent, and subtle manipulation signals. Its computer vision analyzes emails the way a human would, detecting brand impersonation, logo manipulation, QR code threats, and blended text-plus-visual attacks that pattern matching misses entirely. It also analyzes sender relationships and writing patterns to uncover anomalies, compromised accounts, and subtle shifts in communication that signal phishing or account takeover attempts.

When INKY identifies a threat, it doesn’t just quarantine silently. It places a clear, color-coded coaching banner directly in the inbox, explaining what was detected and why, so users learn in real time rather than just being shielded. Independent research by Secure Mentem found that users who saw INKY banners were significantly more accurate at identifying phishing messages and far less likely to engage with malicious emails.

Attachments and links are the two primary malware delivery mechanisms in email.

Sandboxing opens attachments in an isolated environment before delivering them to users, executing any embedded code and observing its behavior. Malicious attachments that trigger malware execution in the sandbox are blocked before reaching the inbox.

URL rewriting and time-of-click protection modify links in delivered email so they route through a protection service at click time. If a link was safe at delivery but becomes malicious afterward, time-of-click protection catches it.

File type blocking prevents delivery of file types commonly used for malware delivery, including executables, macro-enabled Office documents, and JavaScript files, where those types have no legitimate business use in the environment.

Account takeover protection

Once an attacker has email credentials, whether through phishing, credential stuffing, or a data breach, they operate as a legitimate user. Technical email filtering doesn’t stop email sent from a legitimate, authenticated account.

Account takeover protection requires several controls working together.

MFA on all email accounts ensures credential theft alone isn’t sufficient to gain access. MFA is the primary control and the highest-impact single step most organizations can take.

Anomalous login detection flags access from unusual locations, unusual devices, or unusual hours for alerts or step-up authentication.

Inbox rule monitoring catches one of the most common post-compromise behaviors: attackers who access email accounts often create inbox rules to forward copies to an external address or delete incoming security notifications. Monitoring for unexpected inbox rule creation is an early indicator of compromise.
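
One way to implement the inbox rule check described above, as an added example (not code from INKY or Kaseya): it scans rule-creation events for external forwarding and for rules that delete or file away security notices. The event layout, the internal domain list and the keyword list are assumptions, the parameter names follow Exchange's New-InboxRule cmdlet, and every event is constructed.

```python
# Added example: review inbox-rule audit events (constructed, simplified layout).
INTERNAL_DOMAINS = {"corp.example"}   # assumed tenant domain
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_WORDS = ("security", "password", "alert", "verification", "sign-in")

def external_targets(params):
    """Addresses in forwarding parameters whose domain is not internal."""
    found = []
    for name in FORWARD_PARAMS:
        for addr in params.get(name, "").split(";"):
            addr = addr.strip().lower()
            if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
                found.append(addr)
    return found

def hides_security_mail(params):
    """True when the rule deletes or files away mail matching security keywords."""
    removes = params.get("DeleteMessage") == "True" or "MoveToFolder" in params
    words = (params.get("SubjectContainsWords", "") + " " +
             params.get("SubjectOrBodyContainsWords", "")).lower()
    return removes and any(w in words for w in HIDE_WORDS)

def review(events):
    """Return (user, reason) findings for rule-creation or rule-change events."""
    findings = []
    for ev in events:
        if ev["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        targets = external_targets(ev["params"])
        if targets:
            findings.append((ev["user"], "external forward to " + ", ".join(targets)))
        if hides_security_mail(ev["params"]):
            findings.append((ev["user"], "hides security notifications"))
    return findings

EVENTS = [  # constructed sample events
    {"user": "alice@corp.example", "operation": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
    {"user": "bob@corp.example", "operation": "New-InboxRule",
     "params": {"Name": "rule1", "ForwardTo": "drop@mailbox.example"}},
    {"user": "bob@corp.example", "operation": "Set-InboxRule",
     "params": {"DeleteMessage": "True", "SubjectOrBodyContainsWords": "password;security alert"}},
    {"user": "carol@corp.example", "operation": "New-InboxRule",
     "params": {"Name": "To assistant", "RedirectTo": "dave@corp.example"}},
]

if __name__ == "__main__":
    print(review(EVENTS))
```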

Dark web monitoring identifies credentials that have appeared in breach dumps from third-party services, triggering immediate password resets before credential stuffing attacks can succeed. INKY analyzes sender relationships and communication patterns to surface account takeover attempts; dark web monitoring for compromised credentials is available through Kaseya 365 User’s broader user security stack.

Outbound email security

Outbound email security protects both the organization’s data and its sending reputation.

DLP (Data Loss Prevention) scans outbound email for content that shouldn’t leave the organization: sensitive data patterns like payment card numbers, patient information, or confidential documents.
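
The payment card case of that scan, as an added example rather than any product's implementation: candidate digit runs are matched with a regular expression and confirmed with the Luhn checksum, and findings are masked before logging. The message, the function names and the block/allow verdict are assumptions of the example; the card numbers are standard test values.

```python
import re

# Added example: outbound DLP check for payment card numbers.
# The message is constructed; 4111 1111 1111 1111 is a standard test number.

# 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right; sum must end in 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def mask(digits):
    """Keep only the last four digits so the DLP log does not store the number."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_cards(text):
    """Return masked card numbers found in text; digit runs failing Luhn are ignored."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits

def outbound_verdict(message):
    """Return ('block', hits) if subject or body holds a card number, else ('allow', [])."""
    hits = find_cards(message["subject"] + "\n" + message["body"])
    return ("block", hits) if hits else ("allow", [])

MESSAGE = {  # constructed sample
    "subject": "Order 1234567890123456 refund",
    "body": "Please refund card 4111 1111 1111 1111, not 4111-1111-1111-1112.",
}

if __name__ == "__main__":
    print(outbound_verdict(MESSAGE))
```

The 16-digit order number and the mistyped card fail the checksum, so only the real card pattern triggers the block.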

Encryption for outbound sensitive email ensures content that requires protection in transit is protected.

Sending reputation management monitors bounce rates, spam complaints, and blacklist status for sending domains. A compromised account using your domain to send spam can degrade your email infrastructure’s deliverability, affecting legitimate business communications.

Email security for MSPs

For MSPs managing email environments for clients, a few additional considerations apply.

DMARC implementation across the client portfolio is a high-value, scalable service. Many clients have SPF and DKIM in place but DMARC missing, or DMARC configured in monitoring mode without enforcement. Moving clients to full DMARC enforcement materially reduces their exposure to domain impersonation and produces a measurable, reportable security improvement.
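
One way to run that portfolio check, covering both the DMARC policy discussion earlier and the monitoring-versus-enforcement gap in this paragraph: it classifies each client's DMARC record as missing, invalid, monitoring-only, partially enforced, quarantine, or reject. This is an added example, not Kaseya or INKY code; the client domains and TXT values are constructed, and the function names and posture labels are assumptions of the example.

```python
# Added example: classify DMARC enforcement from TXT record strings (constructed data).

def parse_dmarc(txt):
    """Parse a _dmarc TXT value into a tag dict; None if it is not a DMARC record."""
    # RFC 7489: the v tag must come first and equal "DMARC1".
    first = txt.split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1":
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_posture(txt):
    """Return one of: missing, invalid, monitoring, partial, quarantine, reject."""
    if not txt:
        return "missing"
    tags = parse_dmarc(txt)
    if tags is None or tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitoring"            # reports only, nothing is blocked
    pct = tags.get("pct", "100")       # pct defaults to 100 when absent
    if not pct.isdigit():
        return "invalid"
    if int(pct) < 100:
        return "partial"               # policy applies to only a share of failing mail
    return policy

def audit(portfolio):
    """Map each domain to its posture and list the domains not yet at p=reject."""
    postures = {d: dmarc_posture(r) for d, r in portfolio.items()}
    todo = sorted(d for d, p in postures.items() if p != "reject")
    return postures, todo

# Constructed portfolio: domain -> TXT value at _dmarc.<domain> (None = no record).
PORTFOLIO = {
    "client-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@client-a.example",
    "client-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@client-b.example",
    "client-c.example": "v=DMARC1; p=quarantine; pct=25",
    "client-d.example": None,
    "client-e.example": "v=spf1 include:_spf.example.net -all",
}

if __name__ == "__main__":
    print(audit(PORTFOLIO))
```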

Centralized multi-tenant management across clients provides both operational efficiency and the data needed for client reporting. INKY’s multi-tenant dashboard lets admins adjust banner behavior, refine detection policies, and manage security across every client mailbox from a single interface, with the company’s case study data showing it manages 1,000 mailboxes with under one hour of effort per month.

User-reported phishing workflows route the suspicious emails that users report to review, close the loop with the reporter, and feed intelligence back into detection rules. INKY’s built-in investigation tools and automation support this workflow, reducing the manual triage overhead that user-reported phishing typically creates.

Beyond email: when the inbox is just the entry point

Email security tools are designed to stop threats at the inbox. But the most damaging attacks use email as initial access and then move laterally through systems, escalating privileges and exfiltrating data in ways that inbox-level controls can’t detect or contain.

Kaseya SIEM extends visibility beyond the inbox, unifying email telemetry alongside endpoint, network, cloud, and identity signals, correlating across more than 60 data sources to detect the full attack chain: from the initial phishing email through credential theft, lateral movement, and data exfiltration. Automated response contains threats in minutes, acting across systems rather than just quarantining a single message.

For organizations where email is the primary attack surface, the combination of INKY at the inbox and Kaseya SIEM across the broader environment provides layered coverage that neither delivers alone.

Key Takeaways

  • Email security requires multiple layers because different attack types exploit different vulnerabilities. No single control addresses phishing, BEC, malware delivery, and account takeover simultaneously.
  • SPF, DKIM, and DMARC with a reject policy form the foundational layer. Many organizations have SPF and DKIM but are missing DMARC enforcement, leaving the most important part of the protection absent.
  • INKY uses GenAI and computer vision to detect intent, visual manipulation, and behavioral anomalies that pattern-matching approaches miss. Real-time in-inbox coaching reduces risky clicks and builds user judgment rather than just filtering silently.
  • For MSPs, DMARC implementation across the client portfolio is a scalable, high-value service. INKY’s multi-tenant dashboard makes centralized management across clients operationally efficient.
  • Email is often the entry point for broader attacks. INKY at the inbox combined with Kaseya SIEM across the environment provides layered coverage for the full attack chain.
