Quick Answer: Email security protects your business communications from phishing, malware, ransomware, and data breaches through technical controls (SPF, DMARC, DKIM), encryption (TLS, S/MIME), and user training. UK businesses must comply with GDPR, ICO guidelines, and NCSC recommendations. Over 90% of cyber attacks begin with a compromised email. For UK businesses, the stakes have never been higher.
According to the National Cyber Security Centre (NCSC), phishing attacks targeting UK organisations increased by 23% in 2024, with Business Email Compromise (BEC) fraud costing British businesses an estimated £479 million annually. The Information Commissioner’s Office (ICO) reported that 68% of data breaches in 2024 originated from email-based attacks, resulting in average GDPR fines of £2.4 million per breach.
Email remains the primary gateway for cyber threats despite the rise of collaboration tools. Email’s open protocol design allows anyone worldwide to contact your employees directly, bypassing firewalls and placing the burden of email security on your users.
This guide provides practical guidance on implementing robust email security for your UK business, covering email authentication protocols, UK regulatory requirements, threat prevention, incident response, and solution selection.
The Modern Email Threat Landscape
Understanding current email threats is essential for building effective email security defences. The threat landscape has evolved from simple spam to sophisticated, targeted attacks exploiting human psychology and technical vulnerabilities.
Why Email Remains the Primary Attack Vector
Email operates as an open protocol by design. Unlike closed systems requiring authentication, email allows any sender worldwide to reach your employees’ inboxes directly. The NCSC’s 2024 Annual Review identified email as the initial access point in 87% of successful cyber attacks against UK organisations.
Business Email Compromise and Invoice Fraud
Business Email Compromise represents one of the most financially damaging email threats. Unlike traditional phishing, which relies on malicious links, BEC attacks use social engineering to manipulate employees into transferring funds or revealing sensitive information.
Criminals compromise or spoof executive email accounts and request urgent wire transfers. The 2024 evolution involves attackers using artificial intelligence to mimic the specific writing style of senior executives. UK businesses reported 14,000 BEC incidents to Action Fraud in 2024, with average losses of £34,000 per successful attack.
Invoice fraud targets accounts payable departments. Attackers read legitimate email threads between businesses and suppliers, then insert fraudulent invoices with altered payment details. Because the messages are sent from compromised, genuinely authorised accounts, they pass SPF, DKIM and DMARC checks, and traditional email security filters often fail to detect them.
AI-Generated Phishing Campaigns
Artificial intelligence has transformed phishing from generic mass campaigns into highly personalised attacks. Attackers use large language models to craft convincing phishing emails in perfect English, eliminating grammatical errors that previously served as warning signs. These AI-generated messages incorporate specific details gathered from LinkedIn profiles and company websites.
Supply Chain Account Takeover
Supply chain attacks exploit trust relationships between businesses and vendors. When attackers compromise a supplier’s email account, they gain access to ongoing conversations and insert themselves into legitimate business processes. These email security breaches are particularly dangerous because messages originate from genuinely trusted accounts.
Supply chain email compromises expose sensitive commercial information, intellectual property, and customer data. UK data protection regulations hold businesses responsible for suppliers’ data handling practices, meaning a supplier’s email security failure can result in GDPR penalties for your organisation.
Understanding Email Security Protocols

Email security relies on multiple layers of technical controls that verify sender identity, encrypt message content, and filter malicious threats. These protocols form the foundation of modern email security implementation.
How Email Authentication Works
Email authentication protocols solve a fundamental flaw in email’s original design. The Simple Mail Transfer Protocol (SMTP), standardised in 1982 (RFC 821), includes no mechanism to verify that a message claiming to come from a domain actually originated from a server that domain authorises. A message in fact carries two sender identities, the envelope sender (MAIL FROM, visible to the recipient as Return-Path) used for bounces, and the From header the recipient reads, and SMTP checks neither. This gap enables email spoofing and phishing attacks.
Three complementary protocols address this gap: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance). SPF functions as an allowlist: the domain owner publishes the servers permitted to send mail whose envelope sender uses that domain, which on its own says nothing about the From header a user sees. DKIM adds cryptographic signatures to messages, enabling recipients to verify that the signed headers and body haven’t been modified and that the signing domain vouched for the message. DMARC ties both checks to the visible From header (this is called alignment) and instructs receiving servers on how to handle messages that fail.
SPF: Sender Policy Framework
SPF allows you to publish authorised mail server lists in your domain’s DNS records. When recipient email servers receive messages claiming to come from your domain, they query DNS to retrieve your SPF record and verify the sending server appears in your authorised list, strengthening email security.
Properly configured SPF records specify all legitimate email sources, including primary email services, marketing platforms, CRM systems, and transactional email services. Records conclude with policy directives telling recipients how to handle messages from unauthorised servers. The NCSC recommends using the “-all” directive for email security, instructing recipients to reject unauthorised messages.
DKIM: DomainKeys Identified Mail
DKIM adds cryptographic signatures to every outgoing email using private keys held by mail servers. You publish corresponding public keys in DNS, allowing recipients to verify signatures and confirm messages haven’t been altered during transmission. This verification ensures both message authenticity and integrity for email security.
DKIM signatures survive plain forwarding, where the body and signed headers are untouched, which makes them more reliable than SPF for messages passing through intermediate servers (SPF breaks because the forwarder’s IP address is not in your record). Mailing lists that rewrite the Subject line or append footers do break the signature, which is why list operators and receivers increasingly rely on ARC (Authenticated Received Chain) to carry the original verification results past the modifying hop. Modern email security systems rely on DKIM’s cryptographic assurance to distinguish legitimate messages from sophisticated spoofing attempts.
DMARC: Policy and Reporting
DMARC coordinates SPF and DKIM checks whilst providing policy enforcement and reporting capabilities. Your DMARC record specifies what recipients should do when messages fail authentication: monitor (p=none), quarantine (p=quarantine), or reject (p=reject). DMARC enables you to receive daily aggregate reports showing which servers send email using your domain.
Progressive DMARC deployment begins with monitoring-only mode (p=none) whilst identifying all legitimate email sources. After verifying authorised email passes authentication, progress to quarantine mode, where failed messages go to spam folders. The final email security enforcement stage (p=reject) blocks failed messages entirely.
Transport Layer Security and Email Encryption
Transport Layer Security (TLS) encrypts email messages during transmission between mail servers. Most modern email providers support opportunistic TLS, which encrypts connections when both servers support it. However, opportunistic TLS falls back to unencrypted transmission if recipient servers don’t support encryption.
For sensitive communications requiring guaranteed encryption, organisations enforce TLS rather than relying on it opportunistically. As a sender, configure your platform to refuse delivery to named partner domains unless the connection is encrypted; as a receiver, publish an MTA-STS policy so that senders supporting it will not fall back to cleartext, and a TLS-RPT record so you are told when connections fail. NCSC guidance for UK government email recommends TLS 1.2 or later and MTA-STS.
S/MIME (Secure/Multipurpose Internet Mail Extensions) provides end-to-end encryption where only senders and recipients can decrypt message content. Unlike TLS, which encrypts only transmission between servers, S/MIME ensures messages remain encrypted at rest in mailboxes. This level of protection is essential for highly confidential communications in legal, financial, and healthcare sectors. The trade-off is that a gateway cannot inspect S/MIME-encrypted content for malware or data loss, so attachment scanning has to happen on the endpoint, and every user needs a certificate issued and kept current.
Configuring Email Security: Step-by-Step Implementation
Implementing email security protocols requires careful planning and systematic deployment. This section provides detailed configuration guidance for UK businesses using common email platforms.
Setting Up SPF Records
Before creating SPF records, identify every system sending email using your domain. This audit should include primary email services (Microsoft 365, Google Workspace, or self-hosted mail servers), marketing platforms, CRM systems, transactional email services, and helpdesk software.
For organisations using Microsoft 365, basic SPF records include: v=spf1 include:spf.protection.outlook.com -all. Google Workspace users require: v=spf1 include:_spf.google.com -all. Most organisations need additional include statements for third-party services. Companies using Microsoft 365 for primary email, Mailchimp for marketing, and Salesforce for CRM would use: v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:_spf.salesforce.com -all.
Publish SPF records by creating TXT records in the domain DNS settings. Record names should be your root domain (represented as @ or left blank, depending on DNS providers). Set TTL to 3600 seconds and enter SPF strings as values. After publication, verify email security configuration using tools like MXToolbox or NCSC Mail Check service.
Implementing DKIM Signatures
DKIM implementation varies by email provider. Microsoft 365 administrators enable DKIM in the Microsoft Defender portal (Email & collaboration > Policies & rules > Threat policies > DKIM): select the domain and choose to create the DKIM keys. Microsoft then shows two CNAME records (selector1._domainkey and selector2._domainkey under your domain) that must be added to DNS before signing can be enabled; two selectors exist so that keys can be rotated without downtime.
Google Workspace administrators access DKIM configuration through the Admin console under Apps > Google Workspace > Gmail > Authenticate email. Google generates a DKIM TXT record for addition to DNS. The record name combines the selector and your domain (for example google._domainkey.yourdomain.co.uk with the default selector), whilst the value contains the public key; choose a 2048-bit key where your DNS provider supports the longer TXT value.
After adding the DKIM DNS records, return to the provider’s admin interface to enable DKIM signing. Allow time for DNS propagation (typically within hours, but allow up to 48 hours before enabling signing), then test by sending an email to a Gmail account and examining the full headers (click the three dots, select “Show original”, and verify that SPF, DKIM and DMARC all show “PASS”). The same verdicts appear in the Authentication-Results header of any received message, which is what you will examine during an incident.
DMARC Configuration and Progressive Enforcement
Begin DMARC deployment in monitoring mode to collect data without affecting email delivery. Create a TXT record named _dmarc.yourdomain.co.uk with the value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1. This configuration instructs recipients to monitor authentication results and send aggregate reports. The reporting address must be a mailbox you control; if it sits on a different domain from the one being protected (for example a reporting service’s domain), that domain must publish an authorisation record at yourdomain.co.uk._report._dmarc.otherdomain or receivers will not send reports there.
DMARC aggregate reports arrive daily in XML format (forensic ruf reports are sent by only a few receivers, so do not rely on them). Several free services parse these reports into readable formats, including NCSC Mail Check (available to UK public sector organisations), dmarcian’s free tier, and Postmark DMARC Digests. Review reports for four to eight weeks, paying attention to legitimate email sources that fail authentication and need SPF or DKIM configuration adjustments.
Once confident all legitimate email passes authentication, progress to quarantine mode by updating the DMARC record: v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]. Monitor for false positives over two to four weeks. If no legitimate email is incorrectly quarantined, move to final enforcement: v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; aspf=s; adkim=s. Treat the last two tags with care: strict alignment requires the SPF and DKIM domains to match the From domain exactly, so any service that sends from a subdomain (a bounce domain such as bounce.yourdomain.co.uk, or a DKIM d= of a subdomain) will fail once they are set. Only add them when reports confirm every source aligns exactly; relaxed alignment with p=reject is still a full enforcement policy.
Cyber Essentials does not assess DMARC (see the compliance section below for the controls it does cover), but NCSC email security guidance is to reach p=quarantine or p=reject, and its Mail Check service flags public sector domains that remain at p=none. A domain left at p=none has visibility but no protection against spoofing.
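The decision in the paragraphs above, whether every legitimate source now passes, is made from the aggregate reports, so here is a worked reader for them. This is an added example, not code from the page or from any reporting service: the XML (in the RFC 7489 aggregate format), the source inventory and the IP ranges are all constructed, and the readiness rule (no known-legitimate source may fail) is the one the text describes.

```python
"""Parse a DMARC aggregate (rua) report and decide whether the domain is ready to
move from p=none to p=quarantine. Added example: the XML and the source inventory
are constructed, not a real receiver's report."""
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Constructed aggregate report in the RFC 7489 Appendix C format (three sources).
SAMPLE_RUA_XML = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>2024-06-03-example.co.uk</report_id>
    <date_range><begin>1717372800</begin><end>1717459200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.co.uk</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.co.uk</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.co.uk</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results>
      <spf><domain>mail45.servers.mcsv.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.99</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><spf><domain>example.co.uk</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Constructed inventory of the sending ranges found in the SPF audit.
KNOWN_SOURCES = {"192.0.2.0/24": "Microsoft 365", "198.51.100.0/24": "Mailchimp"}


def label_source(ip):
    """Name the service behind a source IP, or None if it is not in our inventory."""
    addr = ip_address(ip)
    for cidr, name in KNOWN_SOURCES.items():
        if addr in ip_network(cidr):
            return name
    return None


def summarise_report(xml_text):
    """Flatten a rua report into one dict per sending source. policy_evaluated holds
    the *aligned* SPF/DKIM results that DMARC actually scores; auth_results holds
    the raw checks, which explain why a source failed (e.g. SPF passed, but for a
    third party's bounce domain rather than ours)."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {"domain": published.findtext("domain"),
               "policy": published.findtext("p"), "sources": []}
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim_aligned = evaluated.findtext("dkim") == "pass"
        spf_aligned = evaluated.findtext("spf") == "pass"
        ip = row.findtext("source_ip")
        summary["sources"].append({
            "ip": ip,
            "count": int(row.findtext("count")),
            "label": label_source(ip),
            "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned,
            "dmarc_pass": dkim_aligned or spf_aligned,
            "raw_spf_domain": rec.findtext("auth_results/spf/domain"),
            "raw_spf_result": rec.findtext("auth_results/spf/result"),
        })
    return summary


def enforcement_readiness(summary):
    """Gate for moving beyond p=none: every known-legitimate source must pass."""
    srcs = summary["sources"]
    fix_first = [s for s in srcs if s["label"] and not s["dmarc_pass"]]
    would_block = [s for s in srcs if not s["label"] and not s["dmarc_pass"]]
    inventory_gaps = [s for s in srcs if not s["label"] and s["dmarc_pass"]]
    return {
        "ready": not fix_first,
        "fix_first": fix_first,            # legitimate senders enforcement would break
        "would_block": would_block,        # unknown and failing: the spoofing to stop
        "inventory_gaps": inventory_gaps,  # unknown but passing: add to the audit
        "spoofed_messages": sum(s["count"] for s in would_block),
    }


if __name__ == "__main__":
    verdict = enforcement_readiness(summarise_report(SAMPLE_RUA_XML))
    for s in verdict["fix_first"]:
        print(f"fix before enforcing: {s['label']} ({s['ip']}) raw SPF domain {s['raw_spf_domain']}")
    print("ready for p=quarantine:", verdict["ready"], "| spoofed messages seen:", verdict["spoofed_messages"])
```

In the constructed report the Mailchimp source passes SPF only for its own bounce domain, so it fails DMARC alignment; enforcing now would quarantine that marketing mail, which is exactly the case the text says to fix (enable the provider’s custom DKIM or SPF for your domain) before moving on.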
Common Configuration Mistakes
The most frequent SPF error involves publishing multiple SPF records. RFC 7208 permits exactly one SPF record per name; receivers treat two or more as a permanent error, so SPF fails for all of your mail, not just some of it. If you need to authorise many email sources, add them to the single record, using include mechanisms to reference other domains’ SPF records.
Another common mistake is exceeding SPF’s limit of 10 DNS lookups. Every include, a, mx, ptr, exists and redirect term counts as one lookup (ip4 and ip6 terms do not), and the includes of third-party services pull in their own nested includes, which count too. Going over the limit is also a permanent error. Organisations using numerous email services may need to consolidate services, move rarely used senders to a subdomain with its own record, or implement SPF flattening (replacing includes with the IP ranges they resolve to, which then has to be kept current).
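Both mistakes can be caught before a record is published. The checker below is an added example, not a tool from the page or from any vendor: it counts lookups recursively through include and redirect, rejects multiple records, and warns about a weak terminal qualifier. It reads from a constructed in-memory DNS table (the third-party hostnames are the ones used in the guide, but their record contents are invented here); a real check would replace that dict with DNS queries.

```python
"""Offline SPF checker: single-record rule, the 10-lookup limit of RFC 7208, and the
terminal qualifier. Added example; the DNS data below is a constructed stand-in."""
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS lookup
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4; exceeding it is a permerror

# Constructed TXT data keyed by name. Provider hostnames match the guide, but the
# record contents are invented for this example, not the providers' live records.
FAKE_DNS_TXT = {
    "example.co.uk": [
        "v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net "
        "include:_spf.salesforce.com -all",
        "google-site-verification=abc123",  # non-SPF TXT records are ignored
    ],
    "spf.protection.outlook.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "servers.mcsv.net": ["v=spf1 ip4:198.51.100.0/24 ?all"],
    "_spf.salesforce.com": ["v=spf1 include:_spf1.salesforce.com include:_spf2.salesforce.com -all"],
    "_spf1.salesforce.com": ["v=spf1 ip4:203.0.113.0/25 -all"],
    "_spf2.salesforce.com": ["v=spf1 ip4:203.0.113.128/25 -all"],
    # Two SPF records at one name: receivers return permerror for every message.
    "double.example": ["v=spf1 include:spf.protection.outlook.com -all", "v=spf1 mx -all"],
    # mx + a + include = 3 lookups, but the record ends in ~all (soft fail only).
    "softfail.example": ["v=spf1 mx a include:spf.protection.outlook.com ~all"],
}
# Eleven third-party includes: one over the limit even though each child is tiny.
FAKE_DNS_TXT.update({f"svc{i}.example": [f"v=spf1 ip4:192.0.2.{i} -all"] for i in range(11)})
FAKE_DNS_TXT["toomany.example"] = [
    "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all"
]


def get_spf_records(domain, dns):
    """All TXT strings at `domain` whose first term is exactly v=spf1."""
    return [txt for txt in dns.get(domain.lower(), [])
            if txt.split()[:1] and txt.split()[0].lower() == "v=spf1"]


def _parse_term(term):
    """'include:foo' -> ('+','include','foo'); 'redirect=foo' -> ('+','redirect','foo');
    '-all' -> ('-','all',None); CIDR suffixes such as 'a/24' are dropped."""
    qualifier = "+"
    if term and term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    m = re.match(r"^([A-Za-z0-9]+)(?:[:=]([^/]*))?(?:/\d+)?$", term)
    if not m:  # unusual syntax: keep the mechanism name, drop the argument
        return qualifier, re.split(r"[:=/]", term, 1)[0].lower(), None
    return qualifier, m.group(1).lower(), m.group(2) or None


def count_lookups(record, dns, _path=()):
    """DNS lookups needed to evaluate `record`, following include: and redirect=
    into their targets. `_path` breaks include loops; repeated targets still count
    each time, as they do for a real evaluator."""
    total = 0
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        _, name, value = _parse_term(term)
        if name not in LOOKUP_MECHANISMS and name != "redirect":
            continue
        total += 1
        target = (value or "").lower()
        if name in ("include", "redirect") and target and target not in _path:
            for child in get_spf_records(target, dns):
                total += count_lookups(child, dns, _path + (target,))
    return total


def check_spf(domain, dns=FAKE_DNS_TXT):
    """Return the record(s) found plus lists of hard errors and advisory warnings."""
    result = {"domain": domain, "records": [], "lookups": 0, "errors": [], "warnings": []}
    records = get_spf_records(domain, dns)
    result["records"] = records
    if not records:
        result["errors"].append("no SPF record published")
        return result
    if len(records) > 1:
        result["errors"].append(f"{len(records)} SPF records published; RFC 7208 allows exactly one (permerror)")
        return result
    record = records[0]
    result["lookups"] = count_lookups(record, dns)
    if result["lookups"] > MAX_LOOKUPS:
        result["errors"].append(f"{result['lookups']} DNS lookups exceeds the limit of {MAX_LOOKUPS} (permerror)")
    qualifier, name, _ = _parse_term(record.split()[-1])  # 'all' is conventionally last
    if name == "all" and qualifier != "-":
        result["warnings"].append(f"terminal mechanism is '{qualifier}all'; NCSC guidance is '-all' (hard fail)")
    elif name not in ("all", "redirect"):
        result["warnings"].append("record has no terminal 'all' mechanism; unlisted senders get a neutral result")
    return result


if __name__ == "__main__":
    for name in ("example.co.uk", "double.example", "softfail.example", "toomany.example"):
        r = check_spf(name)
        print(f"{name}: lookups={r['lookups']} errors={r['errors']} warnings={r['warnings']}")
```

Point the same functions at live DNS by swapping `FAKE_DNS_TXT` for a lookup that returns the TXT strings at a name; the counting logic is unchanged, and running it against your own domain before each new include is added is cheaper than discovering a permerror from DMARC reports.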
For DMARC, the primary error is remaining indefinitely at p=none. Monitoring provides visibility but no protection against domain spoofing, so plan to reach enforcement within about 12 weeks. Subdomains also need attention, but not because they are unprotected by default: a receiver applies the organisational domain’s p= policy to its subdomains unless the record carries an sp= tag. Publishing sp=none, or letting a subdomain publish its own _dmarc record with p=none, leaves that subdomain spoofable, and this is a common gap with marketing and bounce subdomains. Set sp= deliberately (normally sp=reject once p=reject is in place) and review any subdomain-level records.
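To make the subdomain and alignment behaviour concrete, here is a small DMARC evaluator. It is an added example, not code from the page or from any mail provider: the record strings and domains are constructed, the organisational-domain function is a deliberate simplification of the Public Suffix List (just enough for .co.uk-style names), and the pct= handling follows the RFC 7489 rule that the unsampled share gets the next-weaker policy.

```python
"""Evaluate a DMARC record against a message's SPF and DKIM results, including the
sp= (subdomain) and pct= behaviour. Added example; records and domains are constructed."""

# Simplification of the Public Suffix List: enough for the .co.uk-style names used here.
UK_SECOND_LEVEL = {"co", "org", "ac", "gov", "ltd", "plc", "me", "net", "nhs", "police", "sch"}
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}  # pct fallback


def org_domain(fqdn):
    """Organisational domain used for relaxed alignment and for the policy lookup."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in UK_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Parse a DMARC TXT record into its tags with the RFC 7489 defaults applied."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    keys = list(tags)
    if not keys or keys[0] != "v" or tags["v"] != "DMARC1" or "p" not in tags:
        raise ValueError("invalid DMARC record: must begin with v=DMARC1 and carry a p= tag")
    if tags["p"] not in NEXT_LOWER or tags.get("sp", tags["p"]) not in NEXT_LOWER:
        raise ValueError("p= and sp= must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p unless sp says otherwise
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_domain=None, spf_result="none",
             dkim_domain=None, dkim_result="none"):
    """Return the DMARC result and the disposition a receiver would apply. The record
    is assumed to be the one published at _dmarc.<org domain> of from_domain; spf_domain
    is the MAIL FROM domain and dkim_domain the d= of a verified signature."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none", "via": "dkim" if dkim_ok else "spf"}
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags["sp"] if is_subdomain else tags["p"]
    return {
        "result": "fail",
        "disposition": policy,  # applied to pct% of failing mail
        "unsampled_disposition": NEXT_LOWER[policy] if tags["pct"] < 100 else policy,
        "pct": tags["pct"],
        "policy_source": "sp" if is_subdomain else "p",
    }


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.co.uk"  # address is illustrative
    print(evaluate(rec, "example.co.uk", spf_domain="bounce.example.co.uk", spf_result="pass"))
    print(evaluate(rec + "; aspf=s", "example.co.uk", spf_domain="bounce.example.co.uk", spf_result="pass"))
    print(evaluate(rec, "newsletter.example.co.uk"))            # inherits p=reject
    print(evaluate(rec + "; sp=none", "newsletter.example.co.uk"))  # subdomain left open
```

The second and fourth calls are the two traps from the text: adding aspf=s turns a passing bounce-subdomain sender into a reject, and sp=none silently strips protection from every subdomain while the root stays at p=reject.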
Email Security Best Practices for UK Businesses
Technical protocols form the foundation of email security, but comprehensive protection requires operational practices and user awareness training. These best practices significantly reduce successful attack rates.
Multi-Factor Authentication Implementation
Multi-factor authentication (MFA) prevents account compromises even when attackers obtain user passwords. MFA requires users to provide two or more verification factors: something they know (such as a password), something they have (like a smartphone or hardware token), or something they are (like biometric data), significantly strengthening email security.
Microsoft 365 and Google Workspace both include MFA capabilities. Microsoft’s implementation supports Authenticator app, SMS codes, phone calls, and FIDO2 security keys. Google Workspace offers similar options through Google Authenticator, physical security keys, and prompt-based authentication.
Enforce MFA for all user accounts, especially administrators and executives, who are high-value targets. Configure conditional access policies requiring MFA for all logins, and prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS codes, which attackers defeat with SIM swapping and real-time phishing proxies. Cyber Essentials requires MFA on cloud services, which includes your email tenant, and the NCSC recommends hardware security keys for administrators.
Security Awareness Training
Traditional security awareness training often fails because it relies on annual presentations that employees forget within weeks. Effective email security training incorporates regular phishing simulations, immediate feedback, and positive reinforcement.
Modern approaches include monthly simulated phishing campaigns with gradually increasing difficulty. When employees click simulated phishing links, they receive immediate micro-training explaining what made the emails suspicious. Organisations using this method report reductions of 70% to 80% in successful phishing click rates within six months.
Focus training on practical recognition techniques: scrutinising sender addresses for subtle misspellings, hovering over links before clicking to reveal true destinations, questioning unexpected attachments from known contacts, and verifying unusual requests through alternative communication channels.
Advanced Email Filtering Solutions
Built-in email security features in Microsoft 365 and Google Workspace provide baseline protection, but many organisations enhance security with third-party email filtering services offering advanced threat detection capabilities, including sandbox analysis, URL rewriting, and machine learning-based anomaly detection.
Mimecast charges £2.50 to £5.00 per user per month (prices exclude VAT) for email security with archiving features. Proofpoint’s email security offerings range from £3.00 to £7.00 per user per month (excluding VAT), with advanced threat protection included.
Barracuda Email Security Gateway pricing starts at £1.80 per user per month (excluding VAT) for SMEs, offering spam filtering, virus scanning, and phishing protection. Hornetsecurity’s Advanced Threat Protection begins at £1.20 per user per month (excluding VAT), providing spam filtering, malware protection, and basic threat detection for email security.
Mobile Device Management for Email
Employees accessing email on personal smartphones and tablets create additional security risks for email. Mobile Device Management (MDM) solutions enforce security policies on devices accessing corporate email, including requiring device encryption, enforcing screen locks, enabling remote wipe capabilities, and restricting email forwarding.
Microsoft Intune, included with Microsoft 365 Business Premium (£19.70 per user per month excluding VAT), provides comprehensive MDM capabilities. Google Workspace’s Enterprise editions (£16.20 per user per month, excluding VAT) include endpoint management features.
Configure MDM policies to require biometric authentication or a six-digit PIN, automatic device encryption, and prohibit email access from jailbroken or rooted devices. Implement conditional access rules preventing email synchronisation to devices failing minimum email security requirements.
UK Email Security Compliance and Regulations

UK businesses face specific regulatory requirements for email security extending beyond general cybersecurity best practices. Understanding these requirements protects organisations from both cyber threats and regulatory penalties.
GDPR Requirements for Email Systems
The General Data Protection Regulation applies to email systems because they regularly process personal data. Article 32 requires organisations to implement appropriate technical and organisational measures to ensure email security that is commensurate with the risk. This includes the encryption of messages containing personal data, access controls that limit who can read sensitive emails, and retention policies that ensure automated deletion.
When email security breaches expose personal data, Article 33 requires notification to the Information Commissioner’s Office within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals. Notifications must describe the nature of the breach, the categories and approximate numbers of affected individuals, the likely consequences, and the measures taken. Failure to report within 72 hours can result in fines of up to £8.7 million or 2% of annual global turnover, whichever is higher.
Organisations must also notify affected individuals without undue delay when breaches pose high risk. The ICO provides an online breach reporting portal at report.ico.org.uk where organisations submit notifications electronically.
NCSC Cyber Essentials Requirements
Cyber Essentials represents the UK government’s baseline cybersecurity certification scheme. Many public sector contracts require suppliers to hold a valid Cyber Essentials certification, and cyber insurance providers increasingly offer premium discounts for certified organisations.
The Cyber Essentials controls that bear on email are multi-factor authentication for cloud services (which covers Microsoft 365 and Google Workspace mailboxes), malware protection on the devices that open attachments, installation of security updates within 14 days of release, and secure configuration of those devices. The scheme does not itself assess DMARC or TLS; those come from NCSC email security guidance and good practice rather than from the certification criteria.
Cyber Essentials certification costs £300 for organisations with one to nine employees, £500 for 10 to 49 employees, and £1,000 for larger organisations. Certification remains valid for 12 months and requires annual reassessment.
Industry-Specific Email Requirements
Financial services firms regulated by the Financial Conduct Authority must maintain email archives for a minimum of seven years. Communications monitoring requirements apply to detect market abuse, requiring email security systems to capture and retain all business communications.
Healthcare organisations handling patient data must comply with NHS Digital’s Data Security and Protection Toolkit, which mandates encryption for all emails containing patient-identifiable information. NHS Mail provides secure email services meeting these requirements.
Legal sector organisations must maintain client confidentiality through end-to-end encryption for privileged communications. The Solicitors Regulation Authority requires law firms to implement appropriate email security measures to protect client information.
Common Email Threats and Prevention
Understanding specific email threats and prevention methods helps organisations build comprehensive email security defences. This section examines the most prevalent threats facing UK businesses.
Phishing and Spear Phishing Prevention
Phishing attacks attempt to steal credentials or install malware by impersonating trusted entities. Generic phishing campaigns target thousands of recipients with identical messages, whilst spear phishing targets specific individuals using personalised information, representing significant email security challenges.
Technical defences against phishing include: SPF, DKIM and DMARC authentication to block spoofed senders; URL filtering and link rewriting to identify and block malicious links, ideally at the moment of clicking rather than only at delivery; and sandbox analysis, which detonates suspicious attachments in an isolated environment before delivery. Microsoft Defender for Office 365 (£4.20 per user per month excluding VAT) and Google Workspace’s security features provide these capabilities.
User training remains crucial because sophisticated phishing attacks bypass technical controls. Train employees to verify sender addresses carefully, question urgent requests for credentials or payments, and report suspicious emails to IT teams immediately.
Malware and Ransomware in Email
Email-borne malware typically arrives as attachments or links to compromised websites. Ransomware, which encrypts files and demands payment for the decryption key, frequently spreads through email attachments. The NCSC reported that 68% of ransomware infections in UK organisations originated from email in 2024.
Prevent malware infections by blocking macros in Office documents that came from the internet (Microsoft now does this by default for files carrying the Mark of the Web; do not let users override it), blocking executable attachments (.exe, .bat, .vbs, .js and similar types) including when they arrive inside archives or behind a double extension such as invoice.pdf.exe, scanning attachments in real time, and maintaining offline backups that ransomware cannot reach.
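Attachment blocking is simple to describe and easy to get wrong, because attackers target the parser rather than the policy. The classifier below is an added example, not code from the page or from any gateway product: it extends the page’s four extensions with other common executable types, handles double extensions, trailing spaces, case tricks and the right-to-left override character, and lets the file’s leading bytes override a misleading name. All filenames and byte samples are constructed.

```python
"""Attachment triage: block executables however they are disguised, route macro
documents and archives to review, let content win over the filename. Added example;
the extension lists extend the page's four types and all samples are constructed."""
import unicodedata

BLOCKED_EXTENSIONS = {"exe", "bat", "cmd", "com", "vbs", "vbe", "js", "jse", "wsf", "wsh",
                      "ps1", "scr", "hta", "pif", "msi", "lnk", "dll", "jar", "iso", "img"}
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm", "potm"}
ARCHIVE_EXTENSIONS = {"zip", "7z", "rar", "gz", "tgz"}
OFFICE_ZIP_FORMATS = {"docx", "xlsx", "pptx"}
# Unicode bidi controls make a name display differently from how it is parsed:
# "invoice\u202efdp.exe" is rendered as "invoiceexe.pdf".
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def normalise_name(filename):
    """Canonical form for matching: NFKC, lower-case, trailing dots and spaces removed."""
    name = unicodedata.normalize("NFKC", filename).lower()
    return name.strip().rstrip(". ")


def extensions(filename):
    """Every extension after the first dot, so 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = normalise_name(filename).split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename, head=b""):
    """Return (action, reason) where action is 'block', 'review' or 'allow'.
    `head` is the first few bytes of the file, so content can override the name."""
    if any(ch in BIDI_CONTROLS for ch in filename):
        return "block", "filename contains a bidi override character (display spoofing)"
    if head.startswith(b"MZ"):
        return "block", "content is a Windows executable (MZ header) whatever the name says"
    exts = extensions(filename)
    hit = [e for e in exts if e in BLOCKED_EXTENSIONS]
    if hit:
        return "block", f"executable extension .{hit[-1]}"
    if any(e in MACRO_EXTENSIONS for e in exts):
        return "review", "macro-enabled Office document: detonate in a sandbox before delivery"
    if any(e in ARCHIVE_EXTENSIONS for e in exts):
        return "review", "archive: expand and classify the contents; refuse encrypted archives"
    if exts and exts[-1] in OFFICE_ZIP_FORMATS and head and not head.startswith(b"PK"):
        return "block", "claims to be an Office document but is not a zip container"
    return "allow", "no executable, macro or archive indicators"


if __name__ == "__main__":
    samples = [("Q3-report.pdf", b"%PDF"), ("invoice.pdf.exe", b"MZ"), ("setup.EXE ", b""),
               ("invoice\u202efdp.exe", b""), ("Q3 figures.xlsm", b"PK"),
               ("invoice.pdf", b"MZ\x90\x00"), ("contract.docx", b"%PDF")]
    for name, head in samples:
        action, reason = classify_attachment(name, head)
        print(f"{action:6} {name!r}: {reason}")
```

The byte check is deliberately minimal (PE and zip magic only); a production gateway would use a full file-type identifier, but the ordering is the lesson: decide on content first, then on the fully normalised name, and never on the name as the user will see it.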
Email security gateways scan attachments using multiple antivirus engines and sandboxing technology. Suspicious files execute in isolated virtual environments where security systems observe behaviour before delivering to recipients. Files exhibiting malicious behaviour are blocked automatically.
Business Email Compromise Detection
Business Email Compromise attacks bypass traditional email security controls because they don’t contain malware or malicious links. Instead, attackers use social engineering and compromised accounts to manipulate employees into transferring funds or revealing sensitive information.
Implement financial controls that require multi-person approval for wire transfers, out-of-band verification of any change to payment instructions via a phone call to a number from your own records (never one supplied in the email), and flagging of external emails whose sender domains look like your own or those of known suppliers. These operational controls stop most BEC attempts regardless of how convincing the message is.
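The lookalike-domain flag above is worth implementing carefully, because the substitutions attackers use (rn for m, 1 for l, Cyrillic letters, the brand name registered under another TLD) each need their own handling. The detector below is an added example, not code from the page or from any product: the internal domain, the confusables table and the distance thresholds are assumptions chosen for illustration, and every domain it tests is constructed.

```python
"""Flag sender domains that imitate our own: confusable folding, punycode decoding,
edit distance and brand-label reuse. Added example with constructed domains."""
import unicodedata

INTERNAL_DOMAIN = "example.co.uk"  # assumption: the organisation's own domain

# Characters commonly substituted for Latin letters (a small subset of Unicode confusables).
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",  # Cyrillic
}
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(text):
    """Fold visually similar sequences so 'exarnp1e' compares equal to 'example'."""
    folded = unicodedata.normalize("NFKC", text).lower()
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    for multi, single in MULTI_CHAR:
        folded = folded.replace(multi, single)
    return folded


def levenshtein(a, b):
    """Edit distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def to_unicode(domain):
    """Decode punycode labels (xn--...) so the comparison sees what the user sees."""
    try:
        return domain.encode("ascii").decode("idna").lower()
    except UnicodeError:  # already Unicode, or invalid punycode: compare as given
        return domain.lower()


def assess_sender_domain(sender_domain, internal=INTERNAL_DOMAIN):
    """Return a verdict of 'internal', 'lookalike' or 'unrelated' with the reasons."""
    shown = to_unicode(sender_domain)
    if shown == internal or shown.endswith("." + internal):
        return {"domain": shown, "verdict": "internal", "reasons": []}
    reasons = []
    cand, ours = skeleton(shown), skeleton(internal)
    if cand == ours:
        reasons.append("identical after folding confusable characters")
    else:
        dist = levenshtein(cand, ours)
        if dist <= 1:  # conservative: 'sample.co.uk' (distance 2) is not flagged
            reasons.append(f"edit distance {dist} from {internal}")
    brand = ours.split(".")[0]  # first label of our domain, e.g. 'example'
    for label in cand.replace("-", ".").split("."):
        if len(label) >= 3 and levenshtein(label, brand) <= 1:
            reasons.append(f"label '{label}' imitates '{brand}' under another registration")
            break
    return {"domain": shown, "verdict": "lookalike" if reasons else "unrelated", "reasons": reasons}


if __name__ == "__main__":
    for d in ("example.co.uk", "exarnple.co.uk", "examp1e.co.uk", "ex\u0430mple.co.uk",
              "example-co-uk.com", "sample.co.uk"):
        v = assess_sender_domain(d)
        print(f"{v['verdict']:9} {d}: {'; '.join(v['reasons'])}")
```

Run this on the From domain, the Return-Path domain and any Reply-To domain of inbound mail and add a visible banner (or route to review) when any of them comes back as a lookalike; a whitelist of your genuine suppliers’ domains, checked the same way, catches the supplier-impersonation variant of invoice fraud.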
Advanced email security platforms offer BEC-specific detection using machine learning to analyse email metadata, sender behaviour patterns, and content anomalies. Abnormal Security (£3.60 per user per month excluding VAT) and Darktrace Email (£4.80 per user per month excluding VAT) specialise in detecting sophisticated BEC attacks.
Email Security Incident Response
Despite preventive measures, email security incidents will occur. Organisations need structured response procedures to minimise damage and meet regulatory reporting requirements.
Immediate Containment Actions
When users report suspicious emails or security teams detect a potential compromise, immediate containment prevents further damage. Disable the compromised account and revoke its active sessions and refresh tokens; a password reset alone leaves existing sessions and mail-client tokens working, so the attacker can keep sending email and reading sensitive information.
Remove malicious emails from all mailboxes using email platform search and delete capabilities. Microsoft 365 and Google Workspace offer tools to search all mailboxes for specific sender addresses, subject lines, or attachment names, and delete matching messages, thereby preventing additional users from clicking on malicious links.
Reset passwords for compromised accounts and require multi-factor authentication before restoring access. Review sign-in and audit logs to identify what information the attacker accessed, and check for persistence that survives a password change: inbox rules that forward or delete mail, mailbox delegations, and OAuth application consents granted to the attacker’s app.
Investigation and Analysis
A comprehensive email security incident investigation determines the scope of the attack, the entry method, and the extent of data exposure. Examine the headers of the malicious message: the Received chain shows the route it took, and the Authentication-Results header added by your own receiving server shows whether it passed SPF, DKIM and DMARC and for which domains, which exposes authentication gaps. Trust only the Authentication-Results header your MX added (it carries your server’s identifier and sits above the sender’s headers); anything lower in the message may have been written by the sender.
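The header check described here and the DKIM “PASS” test in the configuration section are the same operation, so one worked reader covers both. It is an added example, not code from the page or from Google or Microsoft: the message is a constructed BEC-style phish with two Authentication-Results headers (the genuine one added by the receiving MX, and one that arrived with the message), and the receiving server’s identifier “mx.google.com” is an assumption.

```python
"""Pull the SPF/DKIM/DMARC verdicts out of a message's Authentication-Results header
(RFC 8601), trusting only the header our own MX added. Added example; the message is
constructed and the authserv-id "mx.google.com" is an assumption."""
import email
import re
from email.utils import parseaddr

# Constructed phishing message. The top Authentication-Results header was added by the
# receiving MX; the lower one was already present on arrival, i.e. sender-controlled.
SAMPLE_MESSAGE = """\
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.5])
        by mx.google.com with ESMTPS id k9si123
        for <payments@example.co.uk>; Mon, 3 Jun 2024 09:14:02 +0000
Authentication-Results: mx.google.com;
       dkim=none (message not signed);
       spf=pass (google.com: domain of bounce@mail-relay.example.net designates 203.0.113.5 as permitted sender) smtp.mailfrom=bounce@mail-relay.example.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.co.uk
Authentication-Results: mx.google.com; dkim=pass header.i=@example.co.uk header.s=selector1
Return-Path: <bounce@mail-relay.example.net>
From: "Finance Director" <fd@example.co.uk>
To: payments@example.co.uk
Subject: Urgent: updated supplier bank details

Please pay the attached invoice today using the new account details.
"""


def parse_authentication_results(value):
    """Parse one Authentication-Results header into
    (authserv_id, {method: {"result": ..., "comment": ..., "<ptype.property>": ...}})."""
    flat = re.sub(r"\s+", " ", value).strip()          # unfold continuation lines
    stanzas = [s.strip() for s in flat.split(";") if s.strip()]
    authserv_id = stanzas[0].split()[0]
    results = {}
    for stanza in stanzas[1:]:
        m = re.match(r"(\w+)\s*=\s*(\w+)\s*(?:\(([^)]*)\))?(.*)", stanza)
        if not m:
            continue
        method, result, comment, rest = m.groups()
        entry = {"result": result.lower(), "comment": comment or ""}
        entry.update(re.findall(r"([\w.]+)=(\S+)", re.sub(r"\([^)]*\)", "", rest)))
        results[method.lower()] = entry
    return authserv_id, results


def same_org(domain, from_domain):
    """Relaxed-alignment stand-in: same name, or a subdomain of the From domain."""
    return domain == from_domain or domain.endswith("." + from_domain)


def triage(raw_message, our_authserv_id):
    """Summarise what our MX concluded about the message and list the concerns."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    trusted, ignored = None, []
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authentication_results(hdr)
        if trusted is None and authserv_id == our_authserv_id:
            trusted = results      # topmost header carrying our MX's authserv-id
        else:
            ignored.append(authserv_id)  # arrived with the message: sender-controlled
    if trusted is None:
        return {"from_domain": from_domain, "auth": {}, "ignored_headers": ignored,
                "concerns": ["no Authentication-Results header from our own MX"]}
    concerns = []
    spf = trusted.get("spf", {})
    spf_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2].lower()
    if spf.get("result") == "pass" and not same_org(spf_domain, from_domain):
        concerns.append(f"SPF passed for {spf_domain}, which is not aligned with From domain {from_domain}")
    elif spf.get("result") != "pass":
        concerns.append(f"SPF {spf.get('result', 'none')}")
    dkim = trusted.get("dkim", {})
    if dkim.get("result") != "pass":
        concerns.append(f"DKIM {dkim.get('result', 'none')}: nothing proves {from_domain} sent this")
    dmarc = trusted.get("dmarc", {})
    if dmarc.get("result") != "pass":
        pub = re.search(r"\bp=(\w+)", dmarc.get("comment", ""))
        policy = pub.group(1).lower() if pub else "unknown"
        concerns.append(f"DMARC {dmarc.get('result', 'none')} for {from_domain}; published policy p={policy}"
                        + (" so the message was delivered anyway" if policy == "none" else ""))
    return {"from_domain": from_domain, "auth": trusted, "ignored_headers": ignored, "concerns": concerns}


if __name__ == "__main__":
    report = triage(SAMPLE_MESSAGE, "mx.google.com")
    print("From domain:", report["from_domain"], "| ignored headers:", report["ignored_headers"])
    for concern in report["concerns"]:
        print(" -", concern)
```

In the constructed message the sender-supplied header claims a DKIM pass for example.co.uk; an analyst who read the first “dkim=pass” they saw would clear a message that the receiving server actually scored as a DMARC failure, delivered only because the domain was still at p=none. That is the authentication gap the remediation step should close.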
Review email server logs to identify all recipients of malicious messages and whether they clicked links or opened attachments. Modern email security platforms provide detailed reporting on user interactions with suspicious emails.
Determine whether incidents qualify as personal data breaches under GDPR. If attackers accessed personal data, assess the risk to individuals’ rights and freedoms. High-risk breaches require notification to the ICO within 72 hours and potentially to affected individuals.
Recovery and Remediation
After containing email security incidents and completing investigations, implement remediation measures to prevent recurrence. Update email authentication records to address any SPF, DKIM, or DMARC failures that have allowed spoofed emails to pass through.
Conduct targeted security awareness training for affected employees, explaining what made attacks successful and how to recognise similar threats. Organisations that find multiple employees fell victim should conduct company-wide refresher training on email security.
Document lessons learned and update incident response procedures based on response effectiveness. Identify email security control gaps that allowed incidents and prioritise remediation efforts.
Choosing Email Security Solutions
Selecting appropriate email security solutions requires balancing security requirements, budget constraints, and operational complexity. This section examines options for businesses of various sizes in the UK.
Built-in Email Security Features
Microsoft 365 and Google Workspace include baseline email security features sufficient for many small businesses. Microsoft 365 Business Basic (£4.80 per user per month excluding VAT) includes Exchange Online Protection with anti-spam, anti-malware, and basic phishing protection. Google Workspace Business Starter (£4.60 per user per month, excluding VAT) provides similar capabilities.
Microsoft 365 Business Premium (£19.70 per user per month, excluding VAT) includes Microsoft Defender for Office 365 Plan 1, which provides features such as Safe Attachments, Safe Links, and anti-phishing policies. Google Workspace Business Plus (£13.80 per user per month, excluding VAT) includes enhanced email security with DLP and advanced phishing protection.
For most SMEs with fewer than 50 employees, built-in email security features provide adequate protection when properly configured. Ensure multi-factor authentication is enforced, DMARC is set to p=reject, and security defaults are enabled.
Third-Party Email Security Platforms
Organisations with heightened security requirements benefit from dedicated email security platforms offering advanced threat detection. These solutions sit between the internet and email servers, scanning all inbound and outbound messages for threats.
Proofpoint Email Protection (£3.00 per user per month excluding VAT) provides enterprise-grade email security, including advanced threat protection, URL defence, and attachment sandboxing. Mimecast Email Security (£2.50 per user per month excluding VAT) combines threat protection with archiving and continuity features.
Barracuda Email Security Gateway (£1.80 per user per month, excluding VAT) offers good value for SMEs needing enhanced protection. Sophos Email Advanced (£2.20 per user per month, excluding VAT) integrates with Sophos’ broader security ecosystem.
Selecting the Right Solution
Email security solution selection should consider organisation size, industry and regulatory requirements, technical capabilities of internal IT teams, and budget considerations, including both per-user licensing costs and administrative overhead.
Businesses with fewer than 25 employees often find built-in email security features sufficient, whilst larger organisations benefit from dedicated platforms. Financial services firms requiring seven-year email archiving need solutions with integrated archiving capabilities. Healthcare organisations handling patient data require encryption features that meet NHS Digital requirements.
Email security requires layered defences combining technical controls, user awareness, and robust incident response capabilities. UK businesses must implement email authentication protocols (SPF, DKIM, DMARC), enforce multi-factor authentication, deploy appropriate filtering solutions, and maintain compliance with GDPR and NCSC guidance.
The evolving threat landscape demands continuous improvement of email security measures. Artificial intelligence enables increasingly sophisticated phishing campaigns, whilst Business Email Compromise attacks exploit human trust. Organisations must regularly review and update email security controls to address emerging threats.
Compliance with UK regulations, including GDPR breach notification requirements, NCSC Cyber Essentials standards, and industry-specific requirements, protects organisations from both cyber threats and regulatory penalties. Proper email security implementation demonstrates due diligence and supports cyber insurance coverage.
Begin email security improvements by implementing SPF, DKIM, and DMARC authentication, enforcing multi-factor authentication on all accounts, and conducting regular security awareness training. These foundational measures significantly reduce successful attack rates whilst meeting core regulatory requirements for email security.