Small business email security checklist

Ten practical steps to protect your business — no IT department required to understand them.

Your 10-point checklist

  1. Run a free domain impersonation check
  2. Confirm SPF lists every tool that sends mail for you
  3. Enable DKIM in your email platform and publish DNS keys
  4. Publish DMARC — aim for quarantine or reject when ready
  5. Use a finance process for payment changes (call back on a known number)
  6. Train staff on urgent wire and invoice requests
  7. Turn on multi-factor authentication for all mailboxes
  8. Review who can edit DNS at your registrar
  9. Re-check DNS after changing marketing or CRM tools
  10. Re-run the domain check quarterly

When to get help

If your check shows grade D or F, forward the report to your IT consultant, MSP, or whoever sold you the domain. Ask them to close the specific gaps listed.

Frequently asked questions

We only have five employees — is this overkill?

Small teams are common targets because protections are often missing. A few DNS records dramatically reduce spoofing risk.

Start with a free check