Email security: the quiet risk most SMEs ignore
DMARC at 'none', no DKIM on subdomains, and a team that clicks anything. Email is still where most breaches start. Here is what we audit, what we fix, and why this matters more than it sounds.
Email security is not exciting. There is no AI angle. No big product to ship. The work is invisible when it is done right.
It is also the single highest-leverage security investment most SMEs can make. Most breaches we read about in the news start with email. Most invoice fraud starts with email. Most “your customer received a strange message from your domain” stories start with email.
This piece explains what is actually at risk, what we audit, what we fix, and what it looks like to have email security done properly.
What goes wrong, in plain English
Three categories. Each is common. Each is fixable.
Spoofing
Someone, anywhere in the world, sends an email that says it is from your domain. Your customer receives it. The “from” address looks legitimate (accounts@yourdomain.com) because SMTP itself never checks the From address; only SPF, DKIM and DMARC do, and only when you have published them and the receiving server enforces them.
The scammer’s email asks the customer to pay an invoice to a new bank account. The customer pays. You get a panicked call two weeks later asking where the goods are. You did not send the invoice. You have lost a customer. You may also have legal exposure.
The fix is DMARC, with SPF and DKIM correctly set up underneath it. A DMARC record at p=reject tells receiving mail servers: “If an email claims to be from my domain and neither SPF nor DKIM authenticated it for that domain, reject it.” Most SMEs we audit have DMARC at p=none, which is monitor-only, not enforcing: the spoof is reported to you and delivered to your customer anyway. Spoofers love p=none. One caveat: DMARC protects your own domain and its subdomains. A lookalike domain registered by the attacker is not covered by any DNS record; that is a filtering and training problem, covered below.
Deliverability
Your sales emails land in spam. Your invoices land in spam. Your password resets land in spam. Customers think you are unresponsive. You think your email is broken.
The cause is almost always missing or misconfigured authentication, often on subdomains. The transactional emails your invoicing tool sends from billing.yourdomain.com carry no DKIM signature for your domain, so Gmail flags them. Your marketing platform sends from mail.yourdomain.com, but the SPF record for that subdomain does not list the platform’s servers, so Outlook sends them to junk.
The fix is straightforward, but tedious: audit every sending service, set up SPF, DKIM, and DMARC properly per service, and monitor the results.
Account compromise and phishing
Someone on your team clicks a link in an email that looks like a real internal message. They enter their password on the page that loads. Now an attacker has access to that mailbox. They quietly read it for a few weeks. They learn your invoicing patterns, your supplier names, your tone. Then they send a perfectly worded request to your finance team, asking them to update the bank details for one of your suppliers. Finance updates the details. The next invoice is paid to the attacker.
This is BEC (Business Email Compromise). It is the single most expensive type of breach for SMEs. The fix is partly technical (2FA enforcement, login alerts, OAuth scope review, AI-based threat filtering) and partly cultural (training, phishing simulations, a clear escalation path for “this email looks weird”).
What we actually audit
A proper email security audit covers every domain, subdomain, and sending service. Specifically:
- SPF. Is every legitimate sender listed? Does the record stay within the 10 DNS lookups SPF allows before receivers return a permanent error? Are senders you no longer use still listed?
- DKIM. Is every outbound message signed with a key for your domain, not only the provider’s default domain? Is the key length adequate (2048-bit; anything under 1024-bit is rejected outright)? Are subdomains signed?
- DMARC. What is the policy (none, quarantine, reject)? Is pct set to 100? Are aggregate reports being collected (rua)? Is alignment correct, meaning the SPF or DKIM domain matches the visible From domain?
- BIMI. Is your logo set up to display next to authenticated emails? Is DMARC at enforcement, which BIMI requires? Do you have a Verified Mark Certificate for the mail clients that need one before they show the logo?
- MX records. Are they pointing where you think? Are there leftovers from a previous provider?
- Blocklists. Are any of your sending IPs or domains listed on Spamhaus or another DNS blocklist?
- OAuth review. Which third-party apps have read access to your mailbox? Which ones did your team approve and forget?
- Admin policies. 2FA enforced? Login alerts on? Old accounts disabled? Recovery options sensible?
We deliver a one-page risk score and a prioritised fix list.
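The SPF and DMARC checks in the list above can be run offline against the TXT records you already have. The following is an added example, not the agency’s own audit tooling: it counts the SPF mechanisms that cost a DNS lookup against the limit of 10, flags a permissive all term, and reads a DMARC record for policy, pct, subdomain policy, alignment modes and a report address. The four sample records are constructed; a real audit would fetch the TXT records for the domain and _dmarc.<domain> with a resolver.

```python
"""Offline audit of SPF and DMARC TXT records.

Added example, not the agency's own tooling. The records below are
constructed samples; a real audit would fetch the TXT records for the
domain (and _dmarc.<domain>) with a resolver such as dnspython.
"""

SPF_LOOKUP_LIMIT = 10          # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def audit_spf(record: str) -> dict:
    """Return lookup count, the 'all' qualifier and findings for one SPF record.

    Only the top-level record is counted here; each include: pulls in its
    own mechanisms, so the true total can only be higher.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "findings": ["not an SPF record"]}
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        t = term.lower()
        if t.startswith("redirect="):       # modifier, but still costs a lookup
            lookups += 1
            continue
        qualifier = "+"                     # implicit qualifier is pass
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        name = t.split(":", 1)[0].split("/", 1)[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and should be removed")
        if name == "all":
            all_qualifier = qualifier
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceed the limit of "
                        f"{SPF_LOOKUP_LIMIT}; receivers return permerror")
    if all_qualifier is None:
        findings.append("no 'all' term; unlisted senders get a neutral result")
    elif all_qualifier in ("+", "?"):
        findings.append(f"'{all_qualifier}all' lets any host pass SPF")
    return {"valid": True, "lookups": lookups, "all": all_qualifier,
            "findings": findings}


def audit_dmarc(record: str) -> dict:
    """Return policy, pct, alignment modes, enforcement status and findings."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return {"valid": False, "findings": ["not a DMARC record"]}
    findings = []
    policy = tags.get("p")
    pct = int(tags.get("pct", "100"))
    sub_policy = tags.get("sp", policy)     # subdomains inherit p= unless sp= is set
    if policy is None:
        findings.append("required p= tag missing; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none is monitor-only; spoofed mail is still delivered")
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if policy in ("quarantine", "reject") and sub_policy == "none":
        findings.append("sp=none leaves every subdomain spoofable")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports are not collected")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"valid": True, "policy": policy, "pct": pct, "sp": sub_policy,
            "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r"),
            "enforcing": enforcing, "findings": findings}


# Constructed sample records: a typical "before" and a clean "after".
SPF_BEFORE = ("v=spf1 include:_spf.google.com include:sendgrid.net "
              "include:spf.protection.outlook.com include:servers.mcsv.net "
              "include:_spf.salesforce.com include:mail.zendesk.com "
              "include:spf.mandrillapp.com include:amazonses.com a mx ptr ~all")
SPF_AFTER = "v=spf1 include:_spf.google.com include:sendgrid.net -all"
DMARC_BEFORE = "v=DMARC1; p=none"
DMARC_AFTER = ("v=DMARC1; p=reject; sp=reject; pct=100; "
               "rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s")

if __name__ == "__main__":
    for label, rec in (("SPF before", SPF_BEFORE), ("SPF after", SPF_AFTER)):
        print(label, audit_spf(rec))
    for label, rec in (("DMARC before", DMARC_BEFORE), ("DMARC after", DMARC_AFTER)):
        print(label, audit_dmarc(rec))
```

The “before” SPF record is the shape we see most often: every vendor the company ever used, each added as an include, until the record passes the lookup limit and receivers stop evaluating it at all. The “after” DMARC record is what the end of an engagement looks like; the sp and pct tags matter as much as p, because a p=reject record with sp=none still leaves every subdomain open.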
The fix sequence
The work follows the same order on almost every engagement.
Step 1, Inventory and authenticate. Every sending service identified. SPF cleaned up. DKIM configured per service with keys for your domain. DMARC published at p=none with a rua= address so we can see who is actually sending mail in your name.
Step 2, Read the DMARC reports. For two to four weeks, we read the aggregate reports. Legitimate senders we missed get added to SPF or given DKIM keys. Spoofers get noted. Unrecognised senders get investigated.
Step 3, Ramp DMARC enforcement. Move from p=none to p=quarantine (sends spoofs to junk) to p=reject (refuses spoofs outright), using pct= to apply each stricter policy to a fraction of failing mail before applying it to all of it, and setting sp= so subdomains do not stay at none. We do this in measured steps with monitoring at each level. Done carelessly, this breaks legitimate email; done carefully, nobody notices anything except spoofers.
Step 4, BIMI and logo verification. Once DMARC is at enforcement, if you have a registered trademark and want your logo next to your emails in Gmail and Apple Mail, we set up the VMC and the DNS record.
Step 5, Workspace hardening. 2FA enforced for every account. Login alerts on. OAuth apps reviewed and culled. Retention policies set. Recovery options verified.
Step 6, Threat filtering. An AI-based filtering layer on top of Google Workspace or Microsoft 365 catches the BEC, lookalike-domain, and payload-light attacks that slip past the defaults. We deploy and tune.
Step 7, Training and simulation. A short, useful training session for your team. Then a controlled phishing simulation a few weeks later. The people who click need a different kind of training. We repeat quarterly.
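Step 2 above is where the real work is: turning aggregate reports into a list of senders to fix and senders to block. The following is an added example, not the agency’s own tooling. It parses one constructed aggregate report in the RFC 7489 XML shape (real ones arrive at the rua= mailbox as gzipped or zipped attachments, one per receiving organisation per day), classifies each source IP as aligned, authenticated-but-unaligned (a vendor to fix), or unauthenticated (investigate as spoofing), and works out how much mail would fail if the policy moved to p=reject today. The IP addresses, domains and counts are constructed.

```python
"""Summarise one DMARC aggregate (rua) report without network access.

Added example, not the agency's tooling. The report below is constructed
in the RFC 7489 aggregate-report shape; real ones arrive at the rua=
mailbox as .xml.gz or .zip attachments, one per receiver per day.
"""
import gzip
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata>
  <org_name>receiver.example</org_name>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
 </report_metadata>
 <policy_published>
  <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf>
  <p>none</p><sp>none</sp><pct>100</pct>
 </policy_published>
 <!-- the main workspace: SPF and DKIM both pass and align with the From domain -->
 <record>
  <row><source_ip>203.0.113.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
   <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
 </record>
 <!-- invoicing tool on a subdomain: SPF passes for the vendor's bounce domain,
      so it is not aligned, and there is no DKIM signature at all -->
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>billing.yourdomain.com</header_from></identifiers>
  <auth_results><spf><domain>bounce.invoicetool.example</domain><result>pass</result></spf></auth_results>
 </record>
 <!-- unknown host sending as the bare domain with nothing passing -->
 <record>
  <row><source_ip>192.0.2.99</source_ip><count>15</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>
"""
SAMPLE_REPORT_GZ = gzip.compress(SAMPLE_REPORT.encode())   # as it would arrive by mail


def load_report(data: bytes) -> str:
    """Return report XML text from a raw attachment, gunzipping if needed."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data.decode()


def classify(rec) -> str:
    """Turn one <record> into the question the analyst actually asks."""
    evaluated = rec.find("row/policy_evaluated")
    aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
    raw_pass = "pass" in (rec.findtext("auth_results/dkim/result"),
                          rec.findtext("auth_results/spf/result"))
    if aligned:
        return "aligned"            # would survive p=reject untouched
    if raw_pass:
        return "unaligned"          # authenticates, just not for your domain: a vendor to fix
    return "unauthenticated"        # nothing passed: investigate as spoofing


def summarise_report(xml_text: str) -> dict:
    """Per-source verdicts plus the volume that would fail at enforcement."""
    root = ET.fromstring(xml_text)
    published = {child.tag: child.text for child in root.find("policy_published")}
    sources, total, failing = {}, 0, 0
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        verdict = classify(rec)
        sources[ip] = {"count": count, "verdict": verdict,
                       "header_from": rec.findtext("identifiers/header_from")}
        total += count
        if verdict != "aligned":
            failing += count
    return {"reporter": root.findtext("report_metadata/org_name"),
            "published_policy": published["p"], "total": total,
            "would_fail_at_enforcement": failing, "sources": sources}


if __name__ == "__main__":
    summary = summarise_report(load_report(SAMPLE_REPORT_GZ))
    print(f"{summary['reporter']}: published p={summary['published_policy']}, "
          f"{summary['would_fail_at_enforcement']}/{summary['total']} messages would fail at p=reject")
    for ip, info in summary["sources"].items():
        print(f"  {ip:15} {info['count']:4}  {info['header_from']:24} {info['verdict']}")
```

The middle record is the case that causes most of the breakage when people jump straight to p=reject: the invoicing tool authenticates, but for its own bounce domain rather than yours, so DMARC sees it as a failure. The fix for that source is a DKIM key for billing.yourdomain.com, not a blocklist entry; the third source, with nothing passing, is what p=reject is for.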
A concrete scenario: the agency invoice fraud near-miss
A 25-person agency we worked with received a call from one of their suppliers asking why a payment had not gone through. The supplier insisted the invoice had been sent and the bank details updated. The agency had no record of the invoice and the bank details on file had not been touched.
It turned out a spoofed email had been sent to the supplier (not the agency) two weeks earlier, claiming to be from the agency’s accounts manager, asking for “updated bank details for our records”. The supplier replied with the new account number. The supplier was the target. The agency’s brand was the weapon.
The agency was lucky: the supplier called before paying. Many do not.
After the engagement: DMARC at p=reject, BIMI live, AI threat filtering active, quarterly training and simulation in place. Six months later, no incidents. More importantly, the agency could prove their posture to a new enterprise customer who required it as a vendor security checkpoint. That contract was worth more than the engagement cost ten times over.
Why this matters more than it sounds
The cost of getting email security wrong is asymmetric:
- One invoice fraud incident can wipe out a quarter of profit.
- One spoofing campaign can damage your brand for months.
- One compromised mailbox can leak years of customer data.
- One missing DMARC record can keep your real sales emails in junk for years.
The cost of getting it right is a one-time engagement, plus a small ongoing retainer for monitoring and quarterly training. The ROI is not in dollars saved; it is in the breach that did not happen, which you will never see.
Frequently asked questions
Is this not what Google or Microsoft already does?
They do a lot. But the defaults leak. Neither platform publishes a DMARC record for your domain; you do, and most setup guides start at p=none and never move. Third-party senders get no DKIM signature for your domain until you create keys for them. OAuth app consent is wide open until you restrict it. The platforms give you the tools; they do not configure them for you.
Will turning on DMARC break my email?
Only if done carelessly. We always start in monitor mode, find every legitimate sender (yours and your vendors’), fix authentication, then ramp policy in steps. Zero deliverability surprises.
What about transactional and marketing email?
We audit your sending services (Postmark, SendGrid, Mailchimp, ZeptoMail, Brevo, etc.) and align each one with SPF/DKIM/DMARC so they authenticate and deliver cleanly.
How does this protect me from invoice fraud?
BEC almost always involves either a spoofed sender or a hijacked account. DMARC at enforcement stops spoofing of your own domain; lookalike domains are caught by filtering and by people who know what to look for. Account-security policies and AI threat filtering reduce hijacks. Training covers what the technical controls miss. Together they shrink the attack surface.
Is this a one-off or ongoing?
Set-up is a project, typically 3 to 6 weeks. Monitoring DMARC reports, watching for new sending services as your team adds them, and quarterly training are ongoing. Most clients fold the ongoing work into our Managed AI Operations retainer because we are already watching the rest of their stack.
What does this cost?
A standard email security engagement runs $4k to $9k for the setup work. Ongoing monitoring and quarterly training adds $500 to $1.5k per month. Compared to the cost of one BEC incident, the ROI is overwhelming.
Can you do this for Microsoft 365 as well as Google Workspace?
Yes. We have done both many times. The DNS work is identical; the platform hardening is different but well-mapped.
The honest pitch
Email security is the most boring AI-agency-adjacent service we offer, and one of the most important. If you do nothing else this year, do this.
Order an email security engagement or book a free call and we will start with the audit.
