Email security for small businesses: what you need and what you don’t

Small business email security advice usually comes in two flavours: terrifying or expensive. This is neither - a plain priority list of what genuinely matters, what order to do it in, and what you can safely leave for later.


Email security advice for small businesses tends to arrive in one of two unhelpful forms: fear (a parade of statistics about how you are doomed) or a shopping list (a stack of products sized for a company fifty times yours). Neither answers the actual question, which is: with limited time and no IT department, what do I do, in what order?

Here is that answer. It is short, most of it is free, and it is honest about what a small business does not need yet.

What you genuinely need

1. Multi-factor authentication on every mailbox. Free. Do it first.

The single highest-value control available to you. A stolen or guessed password is the standard route to a compromised mailbox - and a compromised mailbox is the worst email incident a small business can have, because the criminal sends genuine mail from your genuine account. Microsoft 365 and Google Workspace both include multi-factor authentication at no cost; turning it on for every account, including the owner’s, outranks everything else on this list.

2. A payment-verification habit. Free.

Any email asking to change bank details or make an unusual payment gets verified by phone, on a number you already hold - not one in the email - before money moves. No exceptions for urgency or seniority; urgency and seniority are precisely what the fraud relies on. This one habit defeats the entire family of payment-diversion frauds described in Business email compromise: what UK firms need to know, including the variants no technology stops.

3. Email authentication on your domain: SPF, DKIM and DMARC. Free to implement.

If you send email from your own domain - and if customers see @yourbusiness.co.uk, you do - then your domain either restricts who can send as you, or it does not. Unprotected, anyone on earth can send email bearing your exact address to your customers, free, without touching your systems. The fix is three DNS records: SPF (your list of permitted senders), DKIM (a tamper-proof signature on your mail) and DMARC (the enforcement policy and reporting that ties them together - explained in What is DMARC?).

Beyond fraud prevention, this is also where deliverability lives: misconfigured authentication is the leading reason legitimate small-business email lands in spam folders (see Why your emails are going to spam) - and Google and Yahoo now require authentication outright from higher-volume senders. The records themselves cost nothing; the care is in setting them up without breaking your own mail, which is a staged process rather than a single afternoon.

4. Software updates and basic account hygiene. Free.

Keep devices and browsers updated; use a password manager so no password is reused. Unglamorous, foundational.

What you probably do not need yet

Equally important, because budget spent here is budget taken from the list above:

  • Security appliances and enterprise filtering suites. Your mail provider’s built-in filtering (Microsoft’s or Google’s) is what billions of mailboxes rely on; a five-person firm gains little from a second layer costing thousands.
  • BIMI - the verified-logo-in-the-inbox standard. It requires DMARC enforcement first and an annual certificate cost that runs to four figures; for a small business whose clients already know it, the arithmetic rarely works. Park it.
  • 24/7 security monitoring services. Sized and priced for organisations with something to monitor around the clock.
  • Cyber security consultancy engagements - at least until the free fundamentals above are done, because the first thing a good consultant would tell you to do is this list.

One genuine candidate for modest spend once the fundamentals are in place: Cyber Essentials certification, the UK government-backed baseline. Increasingly asked for in supply chains, and the self-assessed version is a few hundred pounds a year.

How to prioritise: this week, this month, this quarter

This week: turn on multi-factor authentication everywhere; agree the payment-verification rule with anyone who can move money; and find out what state your domain is actually in - which takes two minutes and costs nothing (below).

This month: fix what the domain check surfaces - typically an SPF record that needs tidying, DKIM signing that was never switched on, and a DMARC record that is absent or sitting inert at monitoring mode.

This quarter: walk DMARC to enforcement, guided by its reports, so that exact impersonation of your domain stops reaching anyone’s inbox. Staged, low-drama, and at the end your business name is no longer a free resource for fraudsters.
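As an added example (not SealedMail's tool or code), here is a small offline Python check that applies the SPF and DMARC points from item 3 and the staged plan above to constructed TXT records: it flags a permissive "+all" SPF, counts DNS lookups against the limit of ten, and for DMARC names the next enforcement step. The sample records, placeholder domains and report address are assumptions, not real DNS data.

```python
import re

# Constructed sample records for a placeholder domain; not real DNS data.
SAMPLE_RECORDS = {
    "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.google.com +all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid",
}
# SPF mechanisms that each consume one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(record):
    """Findings for an SPF TXT record (offline: counts top-level lookups only)."""
    if not record.startswith("v=spf1"):
        return ["SPF: no valid record, so anyone can send mail as your domain"]
    findings, lookups, all_qualifier = [], 0, None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/=]", term.lstrip("+-~?"), 1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    if all_qualifier is None:
        findings.append("SPF: no 'all' term; end the record with ~all or -all")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' permits every sender; change to ~all or -all")
    return findings

def check_dmarc(record):
    """Findings for a DMARC TXT record, including the next enforcement step."""
    tags = {k.strip().lower(): v.strip()
            for k, v in (t.split("=", 1) for t in record.split(";") if "=" in t)}
    if tags.get("v") != "DMARC1":
        return ["DMARC: no record; exact impersonation of your domain is unchecked"]
    findings = []
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC: p=none is monitoring only; next step is p=quarantine")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; finish with p=reject once reports are clean")
    return findings

def check_records(records):
    """Findings in fix-first order: SPF before DMARC, since DMARC relies on it."""
    return check_spf(records.get("spf", "")) + check_dmarc(records.get("dmarc", ""))
```

Run `check_records(SAMPLE_RECORDS)` to see the two findings for the sample domain; swap in your own TXT records to get the same fix-first list offline.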

The free starting point

The honest pitch for the first step is that it requires no purchase from anyone, including us. SealedMail’s Free Domain Health Check audits your domain’s SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI and blacklist status and emails you a scored certificate in plain English - what is right, what is broken, what to fix first. No sign-up, no obligation, no sales call.

If you later decide you want the ongoing monitoring handled - the reports read weekly and explained in an email a business owner can act on - that is SealedMail’s service, at a flat £49 per domain per month with no contract. But the priority list above stands on its own, and most of it you can start today.

Shaun Cooke

Founder of SealedMail and a UK email-security specialist in DMARC, SPF, DKIM and email authentication for regulated sectors. He personally reads the DMARC and TLS reports behind every SealedMail account and writes the company's plain-English guides.