What is email security?

Email is the front door to most organizations. It’s how business gets done, how contracts move and how invoices get paid. It’s also the No. 1 way attackers get in.

According to the 2025 Verizon Data Breach Investigations Report, the human element contributed to 60% of breaches, with phishing the leading tactic behind social engineering incidents. And while attackers have more tools than ever, the entry point is still, almost always, the inbox.

Understanding what email security is, what it covers and why it matters is the starting point for building a defense that holds up. INKY, Kaseya’s email security software, helps MSPs and IT teams protect inboxes across their entire client base, which is why we see firsthand where protections succeed and where they break down.

What is email security?

Email security is the set of policies, controls and technologies used to protect email accounts, content and communications from unauthorized access, data loss and attack.

It covers three core areas: preventing malicious messages from reaching users, protecting accounts from being compromised and securing the contents of email in transit and at rest. Those three areas interact. A phishing email that reaches an inbox can lead to account takeover. A compromised account can be used to send internal messages that bypass gateway filters. A poorly encrypted email can expose regulated data and trigger a compliance investigation. Email security must address all three because attackers move across all three.

How secure is email?

Not very, by design. Email was built for reach, not security. When the protocol was developed, authentication, encryption and sender verification were not priorities and that legacy is still visible today.

Any server can technically claim to send mail from any domain. Messages travel through multiple relays before reaching a recipient. Content filtering works on known patterns, which means new attack variants slip through until detection catches up. The core protocol has no built-in mechanism to verify whether the person sending an email is who they say they are.

Standards like SPF, DKIM and DMARC have added meaningful sender verification over time and TLS has made message interception harder in transit. But these controls require deliberate configuration and many organizations have gaps. Even with all three authentication protocols correctly deployed, a sophisticated attacker using a convincing lookalike domain or a compromised account can still reach users. Email is more secure than it was 20 years ago, but it remains one of the most reliably exploited attack surfaces in cybersecurity.

Why is email security important?

The simplest answer: because email is where most attacks start.

Email is identified as the attack vector in 27% of breaches, making it the second most common entry point after web applications, according to the 2025 Verizon DBIR. Business email compromise (BEC) alone caused $2.8 billion in losses in 2024, according to the FBI’s 2024 Internet Crime Report. And those are only the incidents that get reported.

For MSPs managing dozens or hundreds of clients, the exposure scales fast. An MSP managing 50 clients might oversee tens of thousands of inboxes. Each one is a potential entry point and it only takes one click to give an attacker a foothold in a client environment.

There are also regulatory and compliance dimensions. Many frameworks, including HIPAA, GDPR and cyber insurance requirements, mandate specific controls around email. A breach that originates from a phishing email can trigger reporting obligations, audits and coverage disputes. Strong email security is not just a technical decision; it’s a business continuity and compliance decision.

The cost of getting this wrong is real. IBM’s 2025 Cost of a Data Breach Report put the average cost of a phishing-related breach at $4.88 million. That figure includes recovery costs, lost business, regulatory fines and reputational damage and it is not a number most SMBs or their MSPs can absorb.

Common email security threats

Understanding what attackers actually do through email makes it easier to evaluate which defenses matter and where gaps are most likely to appear.

Phishing

Phishing is the attempt to trick a user into revealing credentials, clicking a malicious link, or opening a dangerous attachment. Modern phishing has moved well beyond obvious scams. Attackers now use AI to generate highly convincing messages at scale, produce content that mimics trusted vendors or internal colleagues and route links through legitimate services to avoid detection.

Spear-phishing adds targeting. Instead of blasting thousands of generic messages, attackers research a specific person, their role, their colleagues and their tools, then craft a message tailored to that context. According to KnowBe4’s 2025 Phishing Threat Trends Report, 82.6% of phishing emails analyzed between September 2024 and February 2025 contained AI-generated content. These attacks have significantly higher success rates than generic campaigns and are considerably harder for users to spot.

Business email compromise (BEC)

BEC is a category of its own. Rather than delivering malware, BEC attacks manipulate people into taking action, typically a wire transfer, a change to payment details, or a credential handover. They often involve no malicious attachment or link at all, which means traditional filtering provides little protection.

Attackers either compromise a legitimate account and use it directly, or they spoof a trusted identity convincingly enough that the recipient doesn’t look closer. The finance team gets a message from what looks like the CFO asking for an urgent transfer. The accounts payable manager receives what appears to be an updated bank account from a known vendor. By the time anyone realizes, the funds are gone.

BEC accounted for 58% of financially motivated phishing breaches in 2025, according to the Verizon DBIR, and caused $2.8 billion in FBI-reported losses in 2024 alone.

Malware and ransomware

Email attachments remain a primary delivery mechanism for malware. Attackers embed malicious code in documents that appear routine, such as PDFs, spreadsheets, or Word files with macros enabled. Many ransomware infections in recent years trace their origin to a single opened attachment.

Delivery methods are also evolving. Attackers increasingly use password-protected archives, QR codes embedded in email bodies and links to legitimate file-sharing platforms to bypass attachment scanning. The payload is the same; the packaging keeps changing.

Domain spoofing and impersonation

When an attacker wants to impersonate a trusted sender, they have several options: spoofing the exact sending domain, registering a lookalike domain that resembles the real one at a glance, or using display name manipulation where the visible sender name looks legitimate even if the underlying address doesn’t.

Without proper authentication controls, most users have no reliable way to tell the difference between a genuine message from a supplier and a convincing impersonation. Even with authentication in place, lookalike domains fall outside the scope of SPF and DKIM, which is why behavioral detection matters alongside protocol-level controls.
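
To illustrate why lookalike domains need their own check, here is an added example (not from this article or from any product it describes) that compares a sender domain against a list of trusted domains. The domain names, the small confusable-character table and the distance threshold are assumptions made for the illustration.

```python
# Added example: flag sender domains that imitate a trusted one.
# Assumption: a deliberately small confusable map; real tools use much larger
# tables, including Unicode homoglyphs, which are out of scope here.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))
MAX_DISTANCE = 1  # assumption: one edit away counts as a typo-style lookalike

def skeleton(domain):
    """Fold visually confusable sequences so look-alike strings compare equal."""
    s = domain.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # swapped neighbours
        prev2, prev = prev, cur
    return prev[len(b)]

def classify_sender(domain, trusted):
    """Return (verdict, matched trusted domain or None)."""
    d = domain.lower().rstrip(".")
    if d in trusted:
        return ("trusted", d)
    for t in sorted(trusted):
        if skeleton(d) == skeleton(t):
            return ("lookalike-confusable", t)
    for t in sorted(trusted):
        if edit_distance(skeleton(d), skeleton(t)) <= MAX_DISTANCE:
            return ("lookalike-typo", t)
    return ("unknown", None)

# Constructed sample data (reserved .example names).
TRUSTED = {"acme-corp.example"}
SAMPLES = ["acme-corp.example", "acrne-corp.example", "acme-c0rp.example",
           "acme-crop.example", "acmecorp.example", "northwind.example"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, classify_sender(s, TRUSTED))
```

A threshold of one edit produces false positives on very short domains, so a check like this is normally combined with other signals, such as whether the sender has any prior relationship with the recipient.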

Spam and graymail

Not all unwanted email is dangerous, but high volumes of spam increase the risk that malicious messages get buried and missed. Graymail, including newsletters, marketing content and automated notifications the user technically opted into at some point, adds further noise that makes inbox management harder and attention more fragmented.

Spam is also a delivery mechanism. A high-volume spam campaign can mask a smaller number of targeted malicious messages, or serve as a distraction while a more targeted attack unfolds elsewhere.

How email security works

Email security is not a linear process. There is no single point where a message gets checked and either cleared or blocked. Instead, multiple layers of defense work simultaneously and independently, each catching different categories of threat.

Think of it like airport security: The metal detector, the X-ray scanner, the passport check and the gate agent all run in parallel, not in sequence. A message might pass one layer and get caught by another. A sophisticated attack might evade all automated layers and still be caught by a trained user. Here’s how each layer contributes:

  • Filtering and scanning inspects inbound and outbound messages for known malicious content, suspicious links, dangerous attachments and behavioral signals that suggest a message is not what it claims to be.
  • Authentication uses protocol-level checks (SPF, DKIM, DMARC) to verify that an email actually comes from the domain it claims to represent. This addresses spoofing at the infrastructure level rather than at the content level.
  • Encryption protects the contents of messages so that interception between sender and recipient does not expose sensitive data.
  • User awareness acknowledges that filters are not perfect and that some malicious messages will reach inboxes. Training users to recognize phishing attempts is an important layer of defense, not a replacement for technical controls.
  • Account protection focuses on preventing and detecting account compromise, covering multifactor authentication (MFA), anomalous login monitoring and rapid response to unauthorized access.

No single layer is sufficient on its own. A gateway that blocks known malicious content provides no protection against a BEC attack sent from a legitimate but compromised account. DMARC prevents domain spoofing but doesn’t stop impersonation from a lookalike domain. User training reduces click rates but doesn’t eliminate them. Email security works as a stack, not a single tool.

Key components of an email security strategy

A complete email security strategy is not a single product. It’s a set of complementary controls that address different parts of the threat surface. Some of these controls operate at the infrastructure level, some at the message level and some at the human level. Together, they reduce both the likelihood that a threat reaches a user and the damage that occurs when one does.

Secure email gateway (SEG)

A secure email gateway sits between the mail server and the outside world, scanning inbound and outbound messages before they reach the inbox or leave the organization. Traditional gateways rely on signature-based detection and reputation blocklists, flagging messages that match known bad patterns or come from known bad senders. More recent implementations layer behavioral analysis and machine learning on top, catching threats that don’t match known patterns because they’re new, or because the attacker is deliberately avoiding detection signatures. For organizations relying on native Microsoft 365 or Google Workspace filtering alone, adding a dedicated gateway is typically the first meaningful improvement.

Anti-phishing detection

Purpose-built anti-phishing tools go deeper than gateway filtering. They analyze message content, sender reputation, link destinations, header data and the relationship history between sender and recipient to identify phishing attempts that slip past standard filters. Advanced solutions use computer vision to detect brand impersonation in images, not just text, catching a growing category of attacks that embed malicious intent in visuals that automated scanners can’t read.

Email authentication: SPF, DKIM and DMARC

Three DNS-based protocols form the baseline of sender verification. SPF (Sender Policy Framework) specifies which mail servers are authorized to send email on behalf of a domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound messages that receiving servers can verify. DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on both, letting domain owners specify what happens to messages that fail authentication and providing reporting on who is sending mail claiming to come from their domain. Together, these three protocols significantly reduce the viability of direct domain spoofing. Getting all three deployed and set to an enforcement policy takes some configuration work, but it’s one of the highest-leverage steps any organization can take.
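
The way DMARC builds on SPF and DKIM is easiest to see in code. The following is an added example, not code from this article or from any vendor: a simplified receiver-side evaluation in the spirit of RFC 7489. The domains and records are constructed, the organizational-domain rule is a stated simplification, and the sp and pct tags are ignored.

```python
# Added example: simplified DMARC evaluation. Domains and records are constructed.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid policy."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List (needed for co.uk-style suffixes).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' is strict (exact match); anything else is relaxed (same org domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(msg, record):
    """Return (dmarc_result, disposition) for one message.

    msg holds verdicts the receiver already computed: SPF for the envelope
    sender (MAIL FROM) domain and DKIM for the signature's d= domain.
    """
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return ("none", "deliver")  # no policy published: nothing to enforce
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["mail_from"], msg["from"], policy.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and aligned(
        msg["dkim_d"], msg["from"], policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    p = policy["p"].lower()
    return ("fail", "deliver" if p == "none" else p)

ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@acme-corp.example"
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@acme-corp.example"

LEGIT = {"from": "acme-corp.example", "mail_from": "bounce.acme-corp.example",
         "spf": "pass", "dkim": "pass", "dkim_d": "acme-corp.example"}
# Exact-domain spoof: SPF passes, but only for the sender's own envelope domain.
SPOOF = {"from": "acme-corp.example", "mail_from": "bulk.mailer.example",
         "spf": "pass", "dkim": "none", "dkim_d": ""}
# Lookalike ("rn" in place of "m") with its own valid SPF, DKIM and DMARC.
LOOKALIKE = {"from": "acrne-corp.example", "mail_from": "acrne-corp.example",
             "spf": "pass", "dkim": "pass", "dkim_d": "acrne-corp.example"}

if __name__ == "__main__":
    print("legit      ", evaluate(LEGIT, ENFORCED))
    print("spoof p=rej", evaluate(SPOOF, ENFORCED))
    print("spoof p=non", evaluate(SPOOF, MONITOR))
    print("lookalike  ", evaluate(LOOKALIKE, "v=DMARC1; p=reject"))
```

The same spoofed message is rejected under p=reject but delivered under p=none, which is why a monitoring-only record does not stop spoofing. The lookalike domain passes because it authenticates correctly as itself.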

Email encryption

Transport Layer Security (TLS) encrypts messages in transit between mail servers, preventing interception on the network. End-to-end encryption using protocols like S/MIME goes further, protecting message contents from the sending client to the receiving client so that even the email provider cannot read the content. For organizations handling regulated data, financial information, or sensitive client communications, encryption is often a compliance requirement as much as a security control.

Data loss prevention (DLP)

DLP tools inspect outbound email to prevent sensitive data, regulated information, or confidential files from leaving the organization through the inbox. This matters both for insider threat scenarios and for situations where an account has been compromised and an attacker is using it to exfiltrate data. DLP rules can flag or block messages containing patterns like credit card numbers, Social Security numbers, or specific document types before they leave the environment.

Security awareness training

Technical controls reduce exposure but don’t eliminate it. Users who can recognize a phishing attempt, report it quickly and avoid clicking while the IT team investigates are a meaningful last layer of defense. According to KnowBe4’s 2025 benchmarking data, organizations running consistent security awareness training reduce phishing susceptibility to under 5% from an industry baseline of around 33%. That’s a significant reduction in click rate, though not zero, which is why training works alongside, not instead of, technical controls.

Account takeover protection

Monitoring for unusual login behavior, unauthorized access attempts and post-compromise activity, such as forwarding rules being created or bulk email being sent from an account, helps detect and contain account takeover before attackers can cause significant damage. Many account takeover attacks go undetected for weeks because the attacker behaves subtly, gathering information or positioning themselves rather than acting immediately. Behavioral monitoring narrows that detection window.

Email archiving and backup

Archiving ensures that email records are retained for compliance and legal hold purposes. Backup protects against accidental deletion, ransomware and outages in cloud email platforms. Organizations running Microsoft 365 or Google Workspace often assume their provider handles backup, but native retention policies are not the same as a dedicated backup. If a ransomware attack or accidental deletion affects mailbox data, a separate backup means recovery is straightforward rather than dependent on what the provider’s own retention covers.

Email security best practices

Getting the technical controls right is necessary but not sufficient. How an organization configures, maintains and uses those controls matters as much as the tools themselves. The following practices form the foundation of a strong email security posture:

  • Enforce MFA on all mailboxes. Multifactor authentication is the single most effective control for preventing unauthorized account access. Without it, a stolen password is all an attacker needs to take over an inbox.
  • Deploy and enforce SPF, DKIM and DMARC. Configuring all three authentication protocols and setting DMARC to a reject or quarantine policy significantly reduces the risk of your domain being spoofed in attacks against your own users or partners.
  • Use a dedicated email security layer beyond native filtering. Microsoft 365 and Google Workspace provide a baseline, but they’re not built to catch sophisticated, targeted attacks. A dedicated anti-phishing solution adds the behavioral and AI-driven detection that native tools lack.
  • Run regular phishing simulations. Simulated phishing campaigns measure real susceptibility, identify users who need additional training and build the habit of skepticism without waiting for a live attack.
  • Keep security awareness training current. Threat tactics evolve and training content should too. Quarterly training cycles tied to current attack trends are more effective than annual one-size-fits-all sessions.
  • Apply least privilege to email access. Limit who can access shared mailboxes, distribution lists and admin functions. The smaller the blast radius of a compromised account, the less damage an attacker can do.
  • Encrypt sensitive communications. Use TLS for messages in transit as a baseline and consider end-to-end encryption for communications that regularly contain regulated or highly sensitive data.
  • Implement DLP on outbound email. Outbound scanning catches accidental data exposure and limits what an attacker can exfiltrate through a compromised account.
  • Establish a clear process for reporting suspicious messages. Users who spot something suspicious need a fast, frictionless way to report it. The quicker a threat is escalated, the sooner detection rules can be updated and similar messages pulled from other inboxes.
  • Monitor for account compromise signals. Unusual login locations, new mail forwarding rules and unexpected bulk sending activity are often early signs of account takeover. Monitoring for these signals and having a defined response process limits the window of exposure.
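
The account compromise signals named in the last practice, and in the account takeover section earlier, can be expressed as simple detection rules. This is an added example, not code from this article or from any product: the event schema, thresholds, user names and sample events are all constructed for the illustration.

```python
# Added example: detect account-takeover signals in mailbox audit events.
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAINS = {"acme-corp.example"}  # assumption: the tenant's own mail domains
BULK_THRESHOLD = 50                  # assumption: sends per user per window
BULK_WINDOW = timedelta(minutes=10)

def detect(events, baseline_countries):
    """Return (user, signal, detail) alerts in time order."""
    alerts, sends, bulk_flagged = [], defaultdict(list), set()
    for ev in sorted(events, key=lambda e: e["time"]):
        user, kind = ev["user"], ev["type"]
        if kind == "login":
            if ev["country"] not in baseline_countries.get(user, set()):
                alerts.append((user, "unusual_login_location", ev["country"]))
        elif kind == "new_forwarding_rule":
            domain = ev["forward_to"].rsplit("@", 1)[-1].lower()
            if domain not in ORG_DOMAINS:  # mail leaving the organization
                alerts.append((user, "external_forwarding_rule", ev["forward_to"]))
        elif kind == "send":
            window = sends[user]
            window.append(ev["time"])
            while window[0] < ev["time"] - BULK_WINDOW:  # slide the window
                window.pop(0)
            if len(window) >= BULK_THRESHOLD and user not in bulk_flagged:
                bulk_flagged.add(user)
                alerts.append((user, "bulk_send", len(window)))
    return alerts

def triage(alerts):
    """Two or more distinct signals for one user escalate to 'contain'."""
    signals = defaultdict(set)
    for user, signal, _detail in alerts:
        signals[user].add(signal)
    return {u: "contain" if len(s) >= 2 else "review" for u, s in signals.items()}

BASELINE = {"alice": {"US"}, "bob": {"US"}}

def sample_events():
    """Constructed audit events: alice behaves normally, bob's account does not."""
    t0 = datetime(2025, 1, 6, 9, 0)
    events = [
        {"time": t0, "user": "alice", "type": "login", "country": "US"},
        {"time": t0 + timedelta(seconds=30), "user": "alice",
         "type": "new_forwarding_rule", "forward_to": "team@acme-corp.example"},
        {"time": t0 + timedelta(minutes=1), "user": "bob", "type": "login",
         "country": "SG"},
        {"time": t0 + timedelta(minutes=2), "user": "bob",
         "type": "new_forwarding_rule", "forward_to": "archive@mailbox.example"},
    ]
    events += [{"time": t0 + timedelta(minutes=3, seconds=5 * i), "user": "bob",
                "type": "send"} for i in range(60)]
    events += [{"time": t0 + timedelta(minutes=4 + i), "user": "alice",
                "type": "send"} for i in range(3)]
    return events

if __name__ == "__main__":
    found = detect(sample_events(), BASELINE)
    for alert in found:
        print(alert)
    print(triage(found))
```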

For a deeper look at implementing each of these practices across a client base or internal environment, see our dedicated guide on email security best practices.

The role of AI in email security

AI has changed email security on both sides of the equation. Attackers are using it to generate convincing phishing content at scale and defenders are using it to detect and respond to threats faster than traditional rule-based systems can.

On the attack side, the shift is significant. Large language models have reduced the time needed to produce a convincing phishing campaign from hours to minutes and the output no longer has the telltale grammar errors and awkward phrasing that once made phishing easier to spot. The Verizon 2025 DBIR noted a measurable increase in AI-assisted malicious emails over the past two years. KnowBe4’s 2025 Phishing Threat Trends Report found AI-generated content in 82.6% of analyzed phishing emails. Attackers are also expanding beyond the inbox, using AI to craft phishing content delivered through calendar invitations, collaboration platforms and SMS, extending the surface area that email security tools need to cover.

On the defense side, AI gives security tools capabilities that rule-based systems don’t have. Machine learning models trained on millions of real-world messages can recognize behavioral patterns that signal a threat, even when the message content is novel. Natural language processing lets tools analyze tone, urgency and context, picking up on social engineering signals that static filters miss. Computer vision enables detection of brand impersonation in images and QR codes, not just text. And because AI models can be updated continuously as new attack patterns emerge, they adapt faster than signature-based systems that require manual rule updates.

The practical implication for IT teams and MSPs is that AI-powered detection is no longer optional for high-threat environments. Attackers are using it; defenses need to match. A gateway built on static blocklists and signature matching will miss a growing share of modern threats, particularly the BEC and spear-phishing attacks that are specifically designed to avoid detection.

How to choose an email security provider

The right email security solution depends on the environment, the threat profile and the IT team’s capacity to manage it. For MSPs, multi-tenancy and deployment speed matter as much as detection capability.

Start with these questions:

  • Does it go beyond signature-based detection to catch behavioral and AI-generated threats?
  • Does it provide user-facing guidance at the point of risk, not just backend quarantine?
  • How well does it support multi-tenant management for MSPs or IT teams managing multiple environments?
  • Does it integrate cleanly with Microsoft 365 and Google Workspace and with existing identity and endpoint security tools?
  • What reporting and alerting does it provide for compliance and incident response purposes?
  • What does deployment look like? Can it be rolled out across a client base quickly, without requiring significant ongoing maintenance?

Native filtering in Microsoft 365 and Google Workspace provides a baseline but is not designed to catch sophisticated, targeted attacks. Most IT teams add a dedicated email security layer on top. The question is whether that layer is built for the threat environment they’re actually operating in, one where AI-generated content, BEC and multi-vector attacks are the norm rather than the exception.

MSPs managing security across multiple clients also need to think about operational overhead. A solution that generates high volumes of alerts requiring manual review is not sustainable at scale. Look for tools that prioritize signal quality, surface the right information to users at the point of risk and reduce the number of escalations that land on the IT team’s desk.

Improve email security with INKY

INKY is Kaseya’s email security software and it’s built to address the threat environment that exists today.

INKY uses GenAI-driven analysis to detect phishing and other email-based threats across inbound, outbound and internal mail. Rather than relying on static rules, it analyzes sender behavior, message content, relationships and delivery patterns to identify anomalies, including attacks that have never been seen before. When a suspicious message reaches a user’s inbox, INKY surfaces an interactive warning banner that explains why the message looks unusual, what signals triggered the flag and what the user should do. That in-the-moment coaching builds awareness over time and reduces repeat clicks without requiring separate training sessions.

For IT teams, INKY’s customizable dashboard gives admins control over banner behavior, detection policies and user guidance at the mailbox level. For MSPs, the multi-tenant architecture means the platform can be deployed and managed across an entire client base from a single interface, with fast deployment and minimal ongoing maintenance.

INKY is available as a standalone product and as part of Kaseya 365 User, which delivers a complete set of tools for preventing, responding to and recovering from user-targeted threats, including security awareness training, dark web monitoring, SaaS backup and more.
