Small Business Email Security Baseline: MFA + SPF/DKIM/DMARC (The Stuff That Stops Real Phishing)

If you run a small business, your email is the front door to your money. Invoices, password resets, vendor requests, payroll, customer data, everything flows through the inbox. That is why attackers love “business email compromise” and lookalike domain scams. They do not need Hollywood malware. They just need one login.

Here’s the practical baseline that blocks a huge percentage of real-world email attacks, without turning your company into a full-time IT project.


The 3 layers that matter

1) Protect logins with MFA that resists phishing

Turn on multi-factor authentication (MFA) everywhere, but prioritize methods that are harder to trick users into approving. CISA specifically recommends aiming for phishing-resistant MFA where possible.

Best options (in plain English):

  • Security keys (FIDO2/WebAuthn): the strongest, very hard to phish
  • Authenticator app with number matching: strong for most small businesses
  • Avoid SMS codes when you can: better than nothing, but easier to intercept or social-engineer

2) Stop spoofed email with SPF, DKIM, and DMARC

These three DNS settings help the rest of the internet verify that mail claiming to be “you” is actually sent by systems you authorize.

  • SPF tells the world which servers are allowed to send email for your domain. Microsoft describes SPF as a DNS TXT record that identifies valid sources of mail for your domain.
  • DKIM adds a cryptographic signature to each outgoing message, with the matching public key published in DNS, so receivers can confirm the message really came from your mail system and was not altered in transit.
  • DMARC tells receiving systems what to do when messages fail SPF/DKIM checks, and it helps prevent spoofing used in phishing and business email compromise.

Also, Google has been tightening sender requirements. Their Workspace admin guidance states all senders must set up SPF or DKIM, and bulk senders (over 5,000 messages/day) must set up SPF, DKIM, and DMARC.

3) Make passwords less terrible (without annoying everyone)

NIST guidance pushes the burden onto systems, not humans. Their implementation notes emphasize allowing long passphrases and using a blocklist to prevent commonly used or compromised passwords, instead of forcing weird composition rules.

What works in practice:

  • Use a password manager
  • Use long passphrases (length beats complexity theater)
  • Block known-compromised passwords where your platform supports it
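The following is an added example (not code from the original post) of what "put the burden on the system" looks like in practice: a password acceptance check that enforces length and a blocklist but no composition rules. The minimum and maximum lengths, the blocklist contents, and the "context words" idea (rejecting passwords that contain the company or user name) are assumptions for illustration; a real deployment loads a blocklist of millions of breached passwords, not the handful shown here.

```python
"""
NIST-style password acceptance: length plus a blocklist, no composition rules.
Added example, not from the original post. Lengths and blocklist entries are
placeholders to adapt; the stored credential keeps the user's exact input.
"""
import unicodedata

# Constructed blocklist sample. Production: a large list of commonly used
# and breached passwords, loaded from disk, not an inline set.
BLOCKLIST = {
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome1", "summer2024", "yourcompany1",
}

MIN_LENGTH = 8    # assumed minimum; the point is length, not character classes
MAX_LENGTH = 64   # assumed ceiling; long enough for real passphrases


def normalize(secret: str) -> str:
    """Normalize only for the blocklist comparison, not for storage."""
    return unicodedata.normalize("NFKC", secret).strip().lower()


def check_password(secret: str, context_words=()) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent: 'must contain a digit/symbol/uppercase' rules.
    Present: length bounds, a blocklist (also matched with trailing digits and
    symbols stripped, so 'Password1!' does not slip past 'password'), and
    context words such as the company or user name.
    """
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    norm = normalize(secret)
    if norm in BLOCKLIST:
        problems.append("appears on the blocklist of common/compromised passwords")
    stripped = norm.rstrip("0123456789!@#$%^&*.")
    if stripped != norm and stripped in BLOCKLIST:
        problems.append("is a blocklisted password with digits/symbols appended")

    for word in context_words:
        if len(word) >= 4 and word.lower() in norm:
            problems.append(f"contains context word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password1!", "Tr0ub4d"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note the passphrase with spaces passes while the "complex" looking `Password1!` fails: that is the trade the NIST guidance is asking you to make.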

The “One Afternoon” checklist (most small businesses)

Step 1: Turn on MFA for everyone (especially admins)

Minimum target: email accounts, Microsoft 365/Google Workspace, banking, payroll, and any remote access tools.

Small business reality tip: start with owners, finance, and anyone who can approve payments. Then roll to everyone else.

Step 2: Inventory your outbound email senders

List everything that sends as your domain:

  • Microsoft 365 or Google Workspace
  • Website forms (WordPress plugins, SMTP relay)
  • Marketing platforms (Mailchimp, SendGrid, Constant Contact)
  • Ticketing/CRM tools
  • POS or accounting systems that email receipts/invoices

This matters because SPF and DMARC will break mail delivery if you forget a legitimate sender: once DMARC is enforcing, mail from a sender that is missing from your SPF record (and not DKIM-signed) gets quarantined or rejected.

Step 3: Set up SPF

SPF is a DNS TXT record. Microsoft’s SPF documentation shows the general syntax and explains including authorized senders (like Microsoft 365) in your record.

Important practical note: if you use third-party senders, add them properly (often via include: entries). Also, keep in mind that multiple SPF records can cause problems. You generally want one SPF record per domain.
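As an added example (not from the original post), here is an offline lint for the SPF TXT records you would get back from a DNS query on your domain. It checks the two problems this step warns about, a missing record and more than one `v=spf1` record, and two further rules from the SPF standard (RFC 7208) that the post does not spell out: at most 10 lookup-causing mechanisms (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`) and a sane `all` qualifier. The TXT records below are constructed; `spf.protection.outlook.com` is Microsoft 365's documented include and `sendgrid.net` is SendGrid's, but always use the exact value each of your providers publishes.

```python
"""
Offline SPF lint over a list of TXT records. Added example, not from the
original post; the records are constructed. Lookup limit and single-record
rule come from RFC 7208.
"""
import re

# Mechanisms that each cost a DNS lookup toward the RFC 7208 limit of 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed TXT answers for a domain apex (unrelated TXT records are normal).
TXT_GOOD = [
    "google-site-verification=abc123",
    "v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all",
]
TXT_DUPLICATE = [                      # two SPF records: a permanent error
    "v=spf1 include:spf.protection.outlook.com -all",
    "v=spf1 include:sendgrid.net -all",
]
TXT_OPEN = ["v=spf1 include:spf.protection.outlook.com +all"]  # authorizes anyone


def lint_spf(txt_records: list[str]) -> dict:
    """Return problems found plus the parsed includes, lookup count and 'all' term."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    result = {"problems": [], "includes": [], "lookups": 0, "all": None}

    if len(spf) == 0:
        result["problems"].append("no SPF record published")
        return result
    if len(spf) > 1:
        result["problems"].append(
            f"{len(spf)} SPF records found; receivers treat this as a permanent error"
        )
        return result

    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        parts = re.split(r"[:=/]", body, maxsplit=1)
        name = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if name == "all":
            result["all"] = qualifier + "all"
            continue
        if name in LOOKUP_MECHANISMS:
            # Counts only this record's own terms. Each include: pulls in another
            # record whose lookups also count, so the true total is at least this.
            result["lookups"] += 1
        if name == "include":
            result["includes"].append(value)

    if result["lookups"] > MAX_LOOKUPS:
        result["problems"].append(
            f"{result['lookups']} lookup mechanisms; more than {MAX_LOOKUPS} causes a permerror"
        )
    if result["all"] is None:
        result["problems"].append("no 'all' term; unlisted senders are treated as neutral")
    elif result["all"] == "+all":
        result["problems"].append("'+all' authorizes every host on the internet to send as you")
    return result


if __name__ == "__main__":
    for label, records in (("good", TXT_GOOD), ("duplicate", TXT_DUPLICATE), ("open", TXT_OPEN)):
        print(label, lint_spf(records))
```

Use it against the real answer from `dig TXT yourcompany.com` (one string per record) after you have finished the Step 2 inventory: every sender on the inventory should appear as an `include:` or `ip4:`/`ip6:` term, and the record should end in `-all` or `~all`.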

Step 4: Turn on DKIM signing

DKIM is usually enabled in your email platform admin portal, then you publish the DKIM records in DNS. (Exact steps vary by platform.)

Step 5: Set up DMARC in monitoring mode first

Microsoft notes DMARC is enabled via a DNS TXT record and is intended to help validate mail and prevent spoofing.

Recommended rollout path:

  1. Start DMARC policy at p=none (monitoring)
  2. Review reports, fix any legitimate senders that are failing
  3. Move to p=quarantine
  4. Eventually consider p=reject when confident

Google also advises ensuring SPF and DKIM are working before you turn on DMARC enforcement.
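The rollout path above, as an added example that is not part of the original post: a DMARC record for each stage, and a parser that reports which stage a record represents and whether it is missing the `rua=` reporting address that step 2 depends on. It also reads `sp=` (subdomain policy) and `pct=` (percentage of failing mail the policy applies to), which matter once you split marketing onto a subdomain or want to phase in quarantine gradually. The records and the `dmarc-reports@yourcompany.com` mailbox are constructed placeholders.

```python
"""
DMARC record staging check. Added example, not from the original post; the
records and the reporting mailbox are constructed. The record lives in DNS at
_dmarc.<your-domain> as a TXT record.
"""

STAGES = {"none": 1, "quarantine": 2, "reject": 3}

# Constructed records matching the rollout path: monitor, quarantine, reject.
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com"
DMARC_QUARANTINE = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourcompany.com"
DMARC_REJECT = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@yourcompany.com; adkim=s"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the rollout stage (1..3), effective subdomain policy, pct and problems."""
    tags = parse_dmarc(record)
    out = {"stage": None, "policy": None, "subdomain_policy": None, "pct": 100, "problems": []}

    # v=DMARC1 must be the first tag or receivers ignore the record entirely.
    if not record.strip().lower().startswith("v=") or tags.get("v", "").upper() != "DMARC1":
        out["problems"].append("record must start with v=DMARC1")
        return out

    policy = tags.get("p", "").lower()
    if policy not in STAGES:
        out["problems"].append("missing or unknown p= policy (none, quarantine, reject)")
        return out
    out["stage"] = STAGES[policy]
    out["policy"] = policy

    # Subdomains inherit p= unless sp= says otherwise; relevant for marketing.yourcompany.com.
    out["subdomain_policy"] = tags.get("sp", policy).lower()
    if "pct" in tags:
        out["pct"] = int(tags["pct"])

    rua = tags.get("rua")
    if rua is None:
        out["problems"].append("no rua= address: no aggregate reports, so you cannot do step 2")
    elif not all(a.strip().lower().startswith("mailto:") for a in rua.split(",")):
        out["problems"].append("rua= entries must be mailto: URIs")
    return out


def next_policy(record: str):
    """Next tighter policy on the rollout path, or None when already at reject."""
    stage = assess_dmarc(record)["stage"]
    if stage is None or stage >= 3:
        return None
    return {1: "quarantine", 2: "reject"}[stage]


if __name__ == "__main__":
    for rec in (DMARC_MONITOR, DMARC_QUARANTINE, DMARC_REJECT):
        print(rec, "->", assess_dmarc(rec), "next:", next_policy(rec))
```

Read the aggregate reports that arrive at the `rua=` mailbox between each step; they list every sending source that failed alignment, which is exactly the "fix any legitimate senders" work in step 2.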

Step 6: Split “marketing” into a subdomain (optional but smart)

Microsoft’s SPF guidance recommends using a subdomain for bulk email services so problems there do not damage the reputation of your main business domain.

Example:

  • Main: yourcompany.com for employee email
  • Marketing: marketing.yourcompany.com for bulk campaigns

Quick wins for typical end users (the “stop getting owned” starter pack)

Even if you are not a business, these are the big-impact moves:

  • Turn on MFA for email first, then everything else
  • Use a password manager and stop reusing passwords
  • Treat “invoice attached” and “urgent request” emails like they are guilty until proven innocent
  • If an email requests payment changes, verify via a second method (call a known number, not the one in the email)

Need help implementing this without breaking email?

PCRepair.us can remotely:

  • Turn on MFA the right way (including safer methods than SMS)
  • Audit your outbound senders
  • Configure SPF/DKIM/DMARC with a safe rollout plan
  • Verify delivery so customers still get your invoices and replies