Email is the front door of your organization — and unfortunately, it's also the most common way attackers try to get in. The good news is that a few basic practices can dramatically reduce your risk.

At Infinitech, email security is part of every Microsoft 365 deployment we manage. Here are five things every small organization should know.

1. Most Attacks Come Through Email

Phishing emails — messages designed to trick you into clicking a link, opening an attachment, or sharing credentials — account for the vast majority of security incidents. They're getting more sophisticated every year, and small organizations are frequent targets precisely because they often lack dedicated security staff.

What to do: Train your team to pause before clicking. If an email feels urgent, unexpected, or too good to be true, verify through another channel before taking action.

2. SPF, DKIM, and DMARC Are Not Optional

These three DNS records work together to prevent attackers from sending email that appears to come from your domain. Without them, anyone in the world can forge an email that looks like it came from your organization.

  • SPF — Specifies which servers are authorized to send email for your domain
  • DKIM — Adds a cryptographic signature, checked against a public key published in your DNS, proving the message came from your domain and wasn't altered in transit
  • DMARC — Tells receiving servers what to do when a message fails both SPF and DKIM checks, and where to send reports about failures

What to do: Ask your IT provider to verify these records are properly configured. If they're not sure what you're asking about, that's a red flag.
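If you want to see for yourself whether the records are doing their job, the script below is an added example (not from this post) that parses SPF and DMARC TXT records and flags the settings that still leave a domain spoofable. It runs against two constructed record sets (a weak pair and a hardened pair; example.com stands in for your own domain) so it works offline; the optional lookup function at the end uses Windows' Resolve-DnsName to fetch your real records, which you can then pass to the same checks. The functions and their names are this example's own.

```powershell
# Added example, not from the Infinitech post: a read-only checker that parses
# SPF and DMARC TXT records and flags the settings that leave a domain spoofable.
# The record sets at the bottom are constructed samples, not real domains.

function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = @()
    if ($Record -notmatch '^v=spf1(\s|$)') {
        return @('SPF: not an SPF record (must start with v=spf1)')
    }
    # Split into terms; drop the version tag and any qualifier prefix (+ - ~ ?)
    $terms = @($Record -split '\s+' | Where-Object { $_ -and $_ -ne 'v=spf1' })
    $bare  = @($terms | ForEach-Object { $_ -replace '^[+\-~?]', '' })

    $all = @($terms | Where-Object { $_ -match '^[+\-~?]?all$' }) | Select-Object -Last 1
    if (-not $all) {
        $findings += 'SPF: no "all" term, so unlisted senders are neither rejected nor flagged'
    } elseif ($all -match '^\+?all$') {
        $findings += 'SPF: "+all" authorizes every server on the internet to send as this domain'
    } elseif ($all -eq '?all') {
        $findings += 'SPF: "?all" is neutral and gives receivers nothing to act on'
    }

    # RFC 7208 caps DNS-querying terms at 10; beyond that receivers return permerror
    $lookups = @($bare | Where-Object { $_ -match '^(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)' }).Count
    if ($lookups -gt 10) {
        $findings += "SPF: $lookups DNS-lookup terms exceed the limit of 10 (permerror)"
    }
    return $findings
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = @()
    if ($Record -notmatch '^v=DMARC1\s*;') {
        return @('DMARC: not a DMARC record (must start with v=DMARC1;)')
    }
    # tag=value pairs separated by semicolons; hashtable keys are case-insensitive
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    $p = $tags['p']
    if (-not $p) {
        $findings += 'DMARC: missing the required p= policy tag'
    } elseif ($p -eq 'none') {
        $findings += 'DMARC: p=none only monitors; forged mail is still delivered'
    } elseif ($p -notin @('quarantine', 'reject')) {
        $findings += "DMARC: unknown policy value '$p'"
    }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) {
        $findings += "DMARC: pct=$($tags['pct']) applies the policy to only part of the mail"
    }
    if (-not $tags['rua']) {
        $findings += 'DMARC: no rua= address, so you get no aggregate reports showing who spoofs you'
    }
    return $findings
}

# Constructed samples. spf.protection.outlook.com is Microsoft's published SPF
# include for Microsoft 365; example.com stands in for your domain.
$samples = @(
    @{ Name = 'weak';     SPF = 'v=spf1 include:spf.protection.outlook.com +all';
                          DMARC = 'v=DMARC1; p=none' }
    @{ Name = 'hardened'; SPF = 'v=spf1 include:spf.protection.outlook.com -all';
                          DMARC = 'v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s' }
)
foreach ($s in $samples) {
    Write-Host "== $($s.Name) =="
    $findings = @(Test-SpfRecord -Record $s.SPF) + @(Test-DmarcRecord -Record $s.DMARC)
    if ($findings.Count -eq 0) { Write-Host '  no findings' }
    else { $findings | ForEach-Object { Write-Host "  - $_" } }
}

# Live lookup for your own domain (Windows DnsClient module). Not called above so
# the example stays offline; pass the SPF/DMARC strings it returns to the checks.
# Microsoft 365 publishes DKIM keys behind selector1/selector2 CNAME records.
function Get-DomainAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)
    $txt = { param($n) Resolve-DnsName -Name $n -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { ($_.Strings -join '') } }
    return @{
        SPF   = (& $txt $Domain)          | Where-Object { $_ -like 'v=spf1*' }   | Select-Object -First 1
        DMARC = (& $txt "_dmarc.$Domain") | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
        DKIM  = Resolve-DnsName -Name "selector1._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty NameHost -First 1
    }
}
```

The weak pair produces three findings (the "+all", the p=none policy, and the missing rua= address); the hardened pair produces none. A DMARC policy of p=none is the usual starting point while you collect reports, but it should not be the end state, because it changes nothing about what receivers do with forged mail.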

3. Multi-Factor Authentication Is the Single Best Protection

If an attacker gets your password — through phishing, a data breach, or guessing — multi-factor authentication (MFA) is the last line of defense. With MFA enabled, a stolen password alone isn't enough to access your account.

What to do: Enable MFA on every account that supports it, starting with email. Use an authenticator app rather than SMS when possible.

4. Scam Emails Are Getting Smarter

Gone are the days of obvious Nigerian prince emails. Modern scams impersonate trusted brands — McAfee, Norton, Amazon, banks — and create fake urgency about expiring subscriptions, suspicious activity, or overdue invoices. We've seen these in real client mailboxes, sometimes sitting unopened for weeks.

What to do: Never call a phone number from an unexpected email. Go directly to the company's website and find their real contact information. If you receive something suspicious, forward it to us — we specialize in identifying and investigating potential threats.

5. Your Old Accounts Are a Liability

Inactive email accounts — from former employees, old projects, or forgotten shared mailboxes — are easy targets. They often have weak passwords, no MFA, and no one monitoring them.

What to do: Audit your email accounts regularly. Disable accounts for people who have left. Convert unused personal mailboxes to shared mailboxes (which don't require a license in Microsoft 365 — saving you money and closing a security gap at the same time).
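As an added example of the audit described above (this is not Infinitech's script, and the parameter names and thresholds are this example's own), the following PowerShell lists every Microsoft 365 user mailbox with no sign-in in the last 90 days. It is read-only by default; with -Apply it blocks sign-in on the account and converts the mailbox to a shared mailbox, which is the order Microsoft's own guidance recommends before the license is removed. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that you hold the Exchange and user administrator roles.

```powershell
# Added example, not from the Infinitech post: report user mailboxes that have
# been idle for a given number of days, and optionally convert them to shared
# mailboxes after blocking sign-in. Review the list before using -Apply: a
# mailbox idle for 90 days may belong to someone on leave, not a departed user.
param(
    [int]$InactiveDays = 90,   # threshold is this example's assumption
    [switch]$Apply
)

Connect-ExchangeOnline -ShowBanner:$false
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonTime is $null for a mailbox that has never been opened; treat that as idle too.
$stale = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $last = (Get-MailboxStatistics -Identity $mbx.ExchangeGuid.ToString()).LastLogonTime
    if (-not $last -or $last -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $mbx.UserPrincipalName
            DisplayName       = $mbx.DisplayName
            LastLogonTime     = $last
            Created           = $mbx.WhenCreated
        }
    }
}

Write-Host "Mailboxes with no sign-in since $($cutoff.ToShortDateString()):"
$stale | Sort-Object LastLogonTime | Format-Table -AutoSize

if ($Apply -and $stale) {
    Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome
    foreach ($u in $stale) {
        # 1. Block sign-in first, so a leaked password for this account is useless.
        Update-MgUser -UserId $u.UserPrincipalName -AccountEnabled:$false
        # 2. Convert to shared. Shared mailboxes under 50 GB need no license, and
        #    nobody can sign in to them directly; access is delegated instead.
        Set-Mailbox -Identity $u.UserPrincipalName -Type Shared
        Write-Host "Blocked sign-in and converted to shared: $($u.UserPrincipalName)"
    }
    Disconnect-MgGraph | Out-Null
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it without -Apply first and walk through the list with whoever owns HR records; once a converted mailbox's license is removed in the admin center, the saving the post mentions is realized and the dormant login path is closed.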


Need Help?

Email security doesn't have to be complicated, but it does need to be done right. Infinitech configures email security as part of every Microsoft 365 deployment — and we're happy to audit your existing setup. Get in touch to find out where you stand.