Email Security for Houston Businesses: The Complete Protection Guide for 2026

April 9, 2026
01

Introduction

Email is the front door of your business — and attackers know it. Over 90% of cyberattacks begin with email: phishing, business email compromise, malware attachments, credential harvesting, and invoice fraud. If your Houston business uses Microsoft 365 or Google Workspace (and nearly all do), your email security configuration is the most critical control between your employees and the attackers targeting them daily.

This guide covers every layer of email security that Houston businesses should have in place in 2026 — from DNS authentication to anti-phishing AI to inbox rule monitoring.


02

Layer 1: Email Authentication (SPF, DKIM, DMARC)

These three protocols let receiving mail servers detect and reject email that claims to come from @yourdomain.com but was not sent by your systems. Each covers a gap the others leave, which is why all three are needed.

SPF (Sender Policy Framework)

A DNS TXT record listing every server (by IP address, or by an include: reference to a provider such as Microsoft 365) authorized to send email for your domain. The receiving server checks the connecting IP against that list. Two caveats matter: SPF validates the envelope sender (the Return-Path), not the From address the user sees, so on its own it does not stop a spoofed From header; and the record is limited to 10 DNS lookups, which a domain with many SaaS senders can exceed, at which point SPF returns a permanent error. Check yours: dig TXT yourdomain.com — look for the v=spf1 record and make sure it ends in -all (hard fail) or at least ~all (soft fail), never +all.

DKIM (DomainKeys Identified Mail)

A cryptographic signature added to every outbound email. The receiving server fetches your public key from DNS (published under a selector, for example selector1._domainkey.yourdomain.com) and verifies the signature, confirming that the signed headers and body were not altered in transit and that the message was signed by a system holding your private key. Unlike SPF, the signature survives forwarding. In Microsoft 365, publish the two selector CNAME records Microsoft gives you, then enable signing in the Defender portal: Email & collaboration → Policies & rules → Threat policies → DKIM. Until you do, outbound mail is signed with your tenant's onmicrosoft.com domain, which does not align with your own domain for DMARC purposes.

DMARC (The One Everyone Skips)

DMARC ties the other two together. A message passes DMARC only if SPF or DKIM passes and the domain that passed aligns with the domain in the visible From header; otherwise the policy in your _dmarc.yourdomain.com TXT record tells the receiving server what to do. Three enforcement levels:

  • p=none — Monitor only. You receive aggregate reports (sent to the rua= address in the record), but failing mail is delivered as normal. No enforcement, but the reports are what make the next steps safe.
  • p=quarantine — Failed emails go to spam. Better, but the message still reaches the user.
  • p=reject — Failed emails are refused by the receiving server. This is the target.

Most Houston businesses have SPF configured but DMARC at p=none, or no DMARC record at all, so attackers can still spoof their domain with no consequences. The path: publish a p=none record with an rua= address, review the aggregate reports for 30 days to confirm every legitimate sender (marketing platform, ticketing system, multifunction printers) passes with an aligned SPF or DKIM domain, fix the ones that don't, then move to p=quarantine and finally p=reject. Subdomains inherit p= unless you set sp= explicitly, and parked domains you own but never send from should get v=spf1 -all and p=reject as well.
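The alignment rule above is what makes DMARC different from SPF alone, and it is easiest to see by running the receiver's decision on a few cases. The script below is an added example, not the article's code or Microsoft's implementation: it evaluates a DMARC record against the SPF and DKIM outcomes for a message the way a receiving server would. The records, the domain yourdomain.com, the attacker.example domain and the rua= address are constructed; in production the record comes from a TXT lookup of _dmarc.<domain> and the results from the receiver's own SPF/DKIM checks.

```python
"""Evaluate DMARC the way a receiving server does (added example, not the
article's code). The DNS record text and the SPF/DKIM results are
constructed inline; a real receiver would take the record from a TXT lookup
of _dmarc.<domain> and the results from its own SPF/DKIM checks."""

# Constructed records for a hypothetical domain (assumption: yourdomain.com
# is the protected domain; the rua= mailbox is an assumption too).
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
REJECT_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; "
                 "rua=mailto:dmarc@yourdomain.com")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tags, filling in the RFC 7489 defaults
    (relaxed alignment for both SPF and DKIM)."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % record)
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels. Real
    receivers consult the Public Suffix List (so co.uk is handled); that is
    left out here so the example runs offline."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: the domain that passed SPF (Return-Path) or
    DKIM (d= tag) must match the header From domain, exactly in strict
    mode ('s') or by organizational domain in relaxed mode ('r')."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_result, disposition): 'pass'/'fail' and what the
    receiver should do with the message (none, quarantine or reject)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and is_aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # sp= overrides p= for mail from subdomains of the record's domain.
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return "fail", policy


def demo():
    """Constructed scenarios: (record, From domain, SPF result, SPF domain,
    DKIM result, DKIM d= domain)."""
    return {
        # Attacker's own server: SPF passes for the attacker's Return-Path
        # domain, but that domain does not align with the spoofed From.
        "spoofed_from": dmarc_evaluate(REJECT_RECORD, "yourdomain.com",
                                       "pass", "attacker.example", "none", None),
        # Same spoof while the domain still sits at p=none: delivered as-is.
        "spoofed_from_monitor": dmarc_evaluate(MONITOR_RECORD, "yourdomain.com",
                                               "pass", "attacker.example", "none", None),
        # Legitimate Microsoft 365 mail: both mechanisms pass and align.
        "legit": dmarc_evaluate(REJECT_RECORD, "yourdomain.com",
                                "pass", "yourdomain.com", "pass", "yourdomain.com"),
        # Legitimate mail relayed through a forwarder: SPF breaks (the
        # forwarder's IP is not in the SPF record) but the DKIM signature
        # survives, so DMARC still passes. This is why DKIM is not optional.
        "forwarded": dmarc_evaluate(REJECT_RECORD, "yourdomain.com",
                                    "fail", "yourdomain.com", "pass", "yourdomain.com"),
        # Mail from a subdomain that has no record of its own: sp= applies.
        "subdomain_spoof": dmarc_evaluate(REJECT_RECORD, "hr.yourdomain.com",
                                          "none", None, "none", None),
    }


if __name__ == "__main__":
    for name, (result, disposition) in demo().items():
        print(f"{name:22s} dmarc={result:4s} disposition={disposition}")
```

The spoofed_from case is the one the article warns about: the attacker's SPF record is perfectly valid for the attacker's own bounce address, so an SPF-only check passes, and only the alignment step catches the mismatch with the From header. The forwarded case shows the other direction: a mailing list or auto-forward breaks SPF for legitimate mail, and DKIM is what keeps it deliverable once you are at p=reject.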

03

Layer 2: Anti-Phishing Protection

Even with perfect email authentication, attackers can still send phishing from their own domains (look-alike domains like layerl0gix.com). Anti-phishing adds behavioral detection:

  • Impersonation protection: Detects emails impersonating your executives (CEO, CFO) even from external domains
  • Mailbox intelligence: Learns normal communication patterns — alerts when a sender/recipient combination is unusual
  • External sender indicators: Banner at the top of external emails: "This message is from outside your organization"
  • First contact safety tips: Warning when a user receives email from someone they've never communicated with before
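Two of the items above, impersonation protection and look-alike domains, can be understood from a small heuristic checker. The code below is an added example, not the article's code and not how Defender for Office 365 implements these features: it normalizes confusable characters (the 0 in layerl0gix.com), measures edit distance against your own domains, and flags executive names appearing in the display name of an external sender. The protected domain layerlogix.com, the executive names and the sample senders are all constructed.

```python
"""Look-alike domain and executive-impersonation checks on sender headers
(added example, not the article's code; not how Defender implements it).
The protected domains, executive names and sample senders are constructed."""

import re

# Visually confusable substitutions, mapped to a canonical form so that
# layerl0gix, layer1ogix and layerlogix all compare equal.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s",
               "rn": "m", "vv": "w", "cl": "d"}

PROTECTED_DOMAINS = {"layerlogix.com"}     # assumption: your own domains
EXECUTIVES = ["Jane Doe", "John Roe"]      # assumption: names to protect


def canonical(label: str) -> str:
    """Collapse confusable characters; multi-character swaps go first."""
    s = label.lower()
    for multi in ("rn", "vv", "cl"):
        s = s.replace(multi, CONFUSABLES[multi])
    return "".join(CONFUSABLES.get(c, c) for c in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insert/delete/substitution covers most typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level(domain: str) -> str:
    """The label before the TLD ('layerlogix' in layerlogix.com). Two-part
    public suffixes such as co.uk are not special-cased here."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def assess_sender(display_name: str, address: str,
                  protected=PROTECTED_DOMAINS, executives=EXECUTIVES) -> list:
    """Return (category, detail) findings for one From header."""
    findings = []
    domain = address.lower().rpartition("@")[2]
    if domain in protected:
        return findings        # our own domain: DMARC, not heuristics, decides
    if domain.startswith("xn--") or ".xn--" in domain:
        findings.append(("idn_domain", domain))   # punycode, review by eye
    name = second_level(domain)
    for pd in protected:
        pname = second_level(pd)
        if name == pname:
            findings.append(("lookalike_domain", f"{domain}: same name as {pd} on another TLD"))
        elif canonical(name) == canonical(pname):
            findings.append(("lookalike_domain", f"{domain}: confusable characters for {pd}"))
        elif levenshtein(canonical(name), canonical(pname)) <= 1:
            findings.append(("lookalike_domain", f"{domain}: one edit away from {pd}"))
    plain_name = re.sub(r"[^a-z ]", " ", display_name.lower())
    for exec_name in executives:
        if exec_name.lower() in plain_name:
            findings.append(("executive_impersonation",
                             f"{display_name!r} sent from external {domain}"))
    return findings


SAMPLE_SENDERS = [  # constructed (display name, address) pairs
    ("Jane Doe", "jane.doe@layerlogix.com"),          # genuine, our domain
    ("Jane Doe, CEO", "jane.doe@layerl0gix.com"),     # zero for o, CEO name
    ("Accounts Payable", "ap@layerlogix.net"),        # our name, other TLD
    ("Jane Doe", "janedoe.ceo@webmail.example"),      # free mailbox, CEO name
    ("Vendor Billing", "billing@vendor.example"),     # unrelated, clean
    ("IT Helpdesk", "helpdesk@layerlogixs.com"),      # one extra letter
]


def demo() -> dict:
    return {addr: assess_sender(dn, addr) for dn, addr in SAMPLE_SENDERS}


if __name__ == "__main__":
    for addr, findings in demo().items():
        print(addr, findings or "ok")
```

Note the early return for your own domain: once mail from layerlogix.com has passed DMARC, a heuristic has nothing to add, and if it failed DMARC it should never have reached this stage. The display-name check is deliberately crude (substring match after stripping punctuation); it exists to show why "mailbox intelligence" matters, since a name match alone will also fire on a genuine Jane Doe writing from a personal account.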
05

Layer 4: Email Encryption

For businesses handling sensitive data (healthcare PHI, financial PII, legal privileged communications), email encryption has two distinct parts: transport encryption, which protects messages between mail servers, and message-level encryption, which protects the content itself wherever the message ends up:

  • TLS enforcement: Exchange Online uses opportunistic TLS by default, encrypting when the other server supports it and falling back to plaintext when it doesn't. For partners you exchange sensitive data with, require TLS on the connector so the connection is refused rather than downgraded; requiring it for all inbound mail will bounce messages from senders that can't do TLS, so scope it deliberately
  • Microsoft 365 Message Encryption: Encrypt individual messages so only the intended recipient can read them, even if forwarded
  • Sensitivity labels: Classify email as Confidential, Internal Only, or Highly Confidential — with automatic encryption and forwarding restrictions based on classification
06

Layer 5: Inbox Rule and Forwarding Monitoring

When attackers compromise an email account, one of their first actions is usually to create inbox rules that hide their activity from the account owner:

  • Rules that forward all email to an external address (data exfiltration)
  • Rules that delete security alerts or password reset notifications
  • Rules that move the victim's replies to the attacker's messages (a fraudulent invoice thread, for example) into folders the user never looks at, such as RSS Feeds or Archive

These rules persist after a password reset, and so do mailbox-level forwarding settings (the ForwardingSmtpAddress property on the mailbox), which are not inbox rules and never show up in Get-InboxRule. A password reset that does not also revoke active sessions and review both leaves the attacker's collection in place. Regular auditing with Get-Mailbox | Get-InboxRule, a matching review of mailbox forwarding, and alerting on new forwarding rules (Microsoft 365 ships a default alert policy, "Creation of forwarding/redirect rule") is essential.
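Auditing the live rules catches what is there now; the audit log shows who created what and when. The script below is an added example, not the article's code: it triages a constructed export of Exchange Online audit records for exactly the three patterns listed above plus mailbox-level forwarding. The records are shaped after the AuditData payload that Search-UnifiedAuditLog returns for New-InboxRule, Set-InboxRule and Set-Mailbox (a Parameters array of Name/Value pairs); field names in a real export can differ, so treat that layout, the domain yourdomain.com and the attacker.example address as assumptions.

```python
"""Triage Exchange Online audit records for the inbox-rule patterns the
article describes (added example, not the article's code). The records are
constructed to mirror the AuditData shape of Search-UnifiedAuditLog output
for New-InboxRule / Set-InboxRule / Set-Mailbox; treat the layout as an
assumption and adjust the field names to your own export."""

import json
import re

INTERNAL_DOMAINS = {"yourdomain.com"}          # assumption: your accepted domains
# Folders attackers use to park mail the victim must not see.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
# Subject words whose deletion suggests the rule exists to hide alerts or
# to keep a fraud thread invisible.
ALERT_WORDS = {"password", "security", "verify", "invoice", "payment", "wire"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed records, one JSON object per line, like a SIEM export.
SAMPLE_LOG = """
{"CreationTime":"2026-04-01T03:12:44","UserId":"cfo@yourdomain.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"attacker@external.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2026-04-01T03:13:10","UserId":"cfo@yourdomain.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Security"},{"Name":"SubjectContainsWords","Value":"password;security alert;verify"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2026-04-02T14:05:01","UserId":"ap@yourdomain.com","Operation":"Set-InboxRule","Parameters":[{"Name":"Identity","Value":"Invoices"},{"Name":"Name","Value":"Invoices"},{"Name":"SubjectContainsWords","Value":"invoice;payment"},{"Name":"MoveToFolder","Value":"RSS Feeds"}]}
{"CreationTime":"2026-04-02T14:20:33","UserId":"admin@yourdomain.com","ObjectId":"cfo@yourdomain.com","Operation":"Set-Mailbox","Parameters":[{"Name":"Identity","Value":"cfo@yourdomain.com"},{"Name":"ForwardingSmtpAddress","Value":"smtp:attacker@external.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2026-04-03T09:00:12","UserId":"jsmith@yourdomain.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2026-04-03T09:30:45","UserId":"admin@yourdomain.com","ObjectId":"ceo@yourdomain.com","Operation":"Set-Mailbox","Parameters":[{"Name":"Identity","Value":"ceo@yourdomain.com"},{"Name":"ForwardingSmtpAddress","Value":"smtp:assistant@yourdomain.com"}]}
""".strip().splitlines()


def params(record: dict) -> dict:
    """Flatten the Parameters array ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def external_addresses(text: str) -> list:
    """Addresses in text whose domain is not ours; 'smtp:' prefixes are skipped."""
    found = re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", text.lower())
    return [a for a in found if a.rpartition("@")[2] not in INTERNAL_DOMAINS]


def triage(record: dict) -> list:
    """Return (category, mailbox, detail) findings for one audit record."""
    findings = []
    p = params(record)
    op = record.get("Operation", "")
    actor = record.get("UserId", "")
    if op in ("New-InboxRule", "Set-InboxRule"):
        rule = p.get("Name", "")
        if not rule.strip(" .,;-_"):            # rules named "." or "," are a classic tell
            findings.append(("minimal_rule_name", actor, repr(rule)))
        for key in FORWARD_KEYS:
            ext = external_addresses(p.get(key, ""))
            if ext:
                findings.append(("external_forward", actor, f"{rule!r} {key} -> {', '.join(ext)}"))
        words = [w.strip() for w in p.get("SubjectContainsWords", "").lower().split(";") if w.strip()]
        if p.get("DeleteMessage", "").lower() == "true" and any(a in w for w in words for a in ALERT_WORDS):
            findings.append(("hides_alerts", actor, f"{rule!r} deletes mail matching {words}"))
        if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
            findings.append(("hides_replies", actor, f"{rule!r} moves mail to {p['MoveToFolder']!r}"))
    elif op == "Set-Mailbox":
        # Mailbox-level forwarding is not an inbox rule and is missed by
        # Get-InboxRule; the target mailbox is in ObjectId, not UserId.
        target = record.get("ObjectId", actor)
        ext = external_addresses(p.get("ForwardingSmtpAddress", "") + " " + p.get("ForwardingAddress", ""))
        if ext:
            findings.append(("mailbox_forwarding", target, f"set by {actor} -> {', '.join(ext)}"))
    # Rules created by the Outlook client are logged as UpdateInboxRules with
    # a different payload and are not handled by this example.
    return findings


def audit(lines) -> list:
    """Run triage over an export of one JSON record per line."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(triage(json.loads(line)))
    return findings


def summary(findings) -> dict:
    """Count findings per category."""
    counts = {}
    for category, _mailbox, _detail in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, mailbox, detail in audit(SAMPLE_LOG):
        print(f"{category:18s} {mailbox:24s} {detail}")
```

The benign Newsletters rule and the internal forwarding change in the sample produce nothing, which is the point of checking destinations against your own domains rather than alerting on every rule. Run against a real export, the same logic belongs in the SIEM as a scheduled query, with the Set-Mailbox branch being the one most teams forget.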


07

Email Security Checklist

Control | Priority | How to check or enable
SPF record configured | CRITICAL | Check: dig TXT domain.com
DKIM signing enabled | CRITICAL | Enable in Defender portal
DMARC at p=reject | CRITICAL | Start at p=none, advance in 30-60 days
Impersonation protection for executives | HIGH | Configure in anti-phishing policy
Safe Links enabled | HIGH | Defender for Office 365 Plan 1+
Safe Attachments enabled | HIGH | Defender for Office 365 Plan 1+
External email banner | MEDIUM | Mail flow rule in Exchange admin
Inbox rule audit scheduled | HIGH | Monthly PowerShell audit
Email encryption for sensitive data | MEDIUM | M365 Message Encryption

Get an email security assessment. We'll check your SPF, DKIM, DMARC, anti-phishing policies, and inbox rules — and tell you exactly where the gaps are. Call 713-571-2390.

Related: DMARC Compliance | BEC Prevention Guide | M365 Security Hardening
